diff options
| -rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 37 | ||||
| -rw-r--r-- | source4/auth/gensec/gensec_krb5.c | 70 | ||||
| -rw-r--r-- | source4/auth/kerberos/clikrb5.c | 100 | ||||
| -rw-r--r-- | source4/auth/kerberos/config.m4 | 3 | ||||
| -rw-r--r-- | source4/auth/kerberos/kerberos.h | 16 | ||||
| -rw-r--r-- | source4/auth/kerberos/kerberos_util.c | 22 | ||||
| -rw-r--r-- | source4/kdc/hdb-ldb.c | 2 | ||||
| -rw-r--r-- | source4/kdc/kdc.c | 15 | ||||
| -rw-r--r-- | source4/kdc/kdc.h | 2 |
9 files changed, 167 insertions, 100 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 314f76038b..c6a16cdf33 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -43,7 +43,7 @@ struct gensec_gssapi_state { DATA_BLOB session_key; DATA_BLOB pac; - krb5_context krb5_context; + struct smb_krb5_context *smb_krb5_context; krb5_ccache ccache; const char *ccache_name; @@ -98,9 +98,6 @@ static int gensec_gssapi_destory(void *ptr) if (gensec_gssapi_state->client_name != GSS_C_NO_NAME) { maj_stat = gss_release_name(&min_stat, &gensec_gssapi_state->client_name); } - if (gensec_gssapi_state->krb5_context) { - krb5_free_context(gensec_gssapi_state->krb5_context); - } return 0; } @@ -129,8 +126,6 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) gensec_gssapi_state->session_key = data_blob(NULL, 0); gensec_gssapi_state->pac = data_blob(NULL, 0); - gensec_gssapi_state->krb5_context = NULL; - gensec_gssapi_state->cred = GSS_C_NO_CREDENTIAL; talloc_set_destructor(gensec_gssapi_state, gensec_gssapi_destory); @@ -161,29 +156,13 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) gensec_gssapi_state->gss_oid = gss_mech_krb5; - ret = krb5_init_context(&gensec_gssapi_state->krb5_context); + ret = smb_krb5_init_context(gensec_gssapi_state, + &gensec_gssapi_state->smb_krb5_context); if (ret) { DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n", - smb_get_krb5_error_message(gensec_gssapi_state->krb5_context, - ret, gensec_gssapi_state))); + error_message(ret))); return NT_STATUS_INTERNAL_ERROR; } - - if (lp_realm() && *lp_realm()) { - char *upper_realm = strupper_talloc(gensec_gssapi_state, lp_realm()); - if (!upper_realm) { - DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm())); - return NT_STATUS_NO_MEMORY; - } - ret = krb5_set_default_realm(gensec_gssapi_state->krb5_context, upper_realm); - if (ret) { - DEBUG(1,("gensec_krb5_start: krb5_set_default_realm failed (%s)\n", - smb_get_krb5_error_message(gensec_gssapi_state->krb5_context, - ret, gensec_gssapi_state))); - return NT_STATUS_INTERNAL_ERROR; - } - } - return NT_STATUS_OK; } @@ -216,7 +195,8 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi gensec_gssapi_state = gensec_security->private_data; - name_token.value = talloc_asprintf(gensec_gssapi_state, "%s@%s", gensec_get_target_service(gensec_security), + name_token.value = talloc_asprintf(gensec_gssapi_state, "%s@%s", + gensec_get_target_service(gensec_security), gensec_get_target_hostname(gensec_security)); name_token.length = strlen(name_token.value); @@ -231,7 +211,8 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi return NT_STATUS_UNSUCCESSFUL; } - name_token.value = cli_credentials_get_principal(gensec_get_credentials(gensec_security), gensec_gssapi_state), + name_token.value = cli_credentials_get_principal(gensec_get_credentials(gensec_security), + gensec_gssapi_state), name_token.length = strlen(name_token.value); maj_stat = gss_import_name (&min_stat, @@ -249,7 +230,7 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi nt_status = kinit_to_ccache(gensec_gssapi_state, gensec_get_credentials(gensec_security), - gensec_gssapi_state->krb5_context, + gensec_gssapi_state->smb_krb5_context, &gensec_gssapi_state->ccache, &gensec_gssapi_state->ccache_name); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c index 1ac46f3ac9..d633794e1c 100644 --- a/source4/auth/gensec/gensec_krb5.c +++ b/source4/auth/gensec/gensec_krb5.c @@ -43,7 +43,7 @@ struct gensec_krb5_state { DATA_BLOB session_key; DATA_BLOB pac; enum GENSEC_KRB5_STATE state_position; - krb5_context context; + struct smb_krb5_context *smb_krb5_context; krb5_auth_context auth_context; krb5_ccache ccache; krb5_data ticket; @@ -67,7 +67,7 @@ static NTSTATUS gensec_krb5_pac_checksum(DATA_BLOB pac_data, cksum.checksum.data = sig->signature; - ret = krb5_crypto_init(gensec_krb5_state->context, + ret = krb5_crypto_init(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->keyblock, 0, &crypto); @@ -77,7 +77,7 @@ static NTSTATUS gensec_krb5_pac_checksum(DATA_BLOB pac_data, } for (i=0; i < 40; i++) { keyusage = i; - ret = krb5_verify_checksum(gensec_krb5_state->context, + ret = krb5_verify_checksum(gensec_krb5_state->smb_krb5_context->krb5_context, crypto, keyusage, pac_data.data, @@ -88,7 +88,7 @@ static NTSTATUS gensec_krb5_pac_checksum(DATA_BLOB pac_data, break; } } - krb5_crypto_destroy(gensec_krb5_state->context, crypto); + krb5_crypto_destroy(gensec_krb5_state->smb_krb5_context->krb5_context, crypto); if (ret) { DEBUG(0,("NOT verifying PAC checksums yet!\n")); @@ -235,22 +235,19 @@ static int gensec_krb5_destory(void *ptr) struct gensec_krb5_state *gensec_krb5_state = ptr; if (gensec_krb5_state->ticket.length) { - kerberos_free_data_contents(gensec_krb5_state->context, + kerberos_free_data_contents(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->ticket); } /* ccache freed in a child destructor */ - krb5_free_keyblock_contents(gensec_krb5_state->context, + krb5_free_keyblock_contents(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->keyblock); if (gensec_krb5_state->auth_context) { - krb5_auth_con_free(gensec_krb5_state->context, + krb5_auth_con_free(gensec_krb5_state->smb_krb5_context->krb5_context, gensec_krb5_state->auth_context); } - if (gensec_krb5_state->context) { - krb5_free_context(gensec_krb5_state->context); - } return 0; } @@ -267,7 +264,6 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security) gensec_security->private_data = gensec_krb5_state; initialize_krb5_error_table(); - gensec_krb5_state->context = NULL; gensec_krb5_state->auth_context = NULL; gensec_krb5_state->ccache = NULL; ZERO_STRUCT(gensec_krb5_state->ticket); @@ -277,32 +273,18 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security) talloc_set_destructor(gensec_krb5_state, gensec_krb5_destory); - ret = krb5_init_context(&gensec_krb5_state->context); + ret = smb_krb5_init_context(gensec_krb5_state, + &gensec_krb5_state->smb_krb5_context); if (ret) { DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n", error_message(ret))); return NT_STATUS_INTERNAL_ERROR; } - if (lp_realm() && *lp_realm()) { - char *upper_realm = strupper_talloc(gensec_krb5_state, lp_realm()); - if (!upper_realm) { - DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm())); - return NT_STATUS_NO_MEMORY; - } - ret = krb5_set_default_realm(gensec_krb5_state->context, upper_realm); - if (ret) { - DEBUG(1,("gensec_krb5_start: krb5_set_default_realm failed (%s)\n", - smb_get_krb5_error_message(gensec_krb5_state->context, - ret, gensec_krb5_state))); - return NT_STATUS_INTERNAL_ERROR; - } - } - - ret = krb5_auth_con_init(gensec_krb5_state->context, &gensec_krb5_state->auth_context); + ret = krb5_auth_con_init(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->auth_context); if (ret) { DEBUG(1,("gensec_krb5_start: krb5_auth_con_init failed (%s)\n", - smb_get_krb5_error_message(gensec_krb5_state->context, + smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state))); return NT_STATUS_INTERNAL_ERROR; } @@ -351,10 +333,10 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security TODO: If the user set a username, we should use an in-memory CCACHE (see below) */ - ret = krb5_cc_default(gensec_krb5_state->context, &gensec_krb5_state->ccache); + ret = krb5_cc_default(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->ccache); if (ret) { DEBUG(1,("krb5_cc_default failed (%s)\n", - smb_get_krb5_error_message(gensec_krb5_state->context, ret, gensec_krb5_state))); + smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state))); return NT_STATUS_INTERNAL_ERROR; } @@ -363,7 +345,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security krb5_data in_data; in_data.length = 0; - ret = krb5_mk_req(gensec_krb5_state->context, + ret = krb5_mk_req(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->auth_context, AP_OPTS_USE_SUBKEY | AP_OPTS_MUTUAL_REQUIRED, gensec_get_target_service(gensec_security), @@ -377,7 +359,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security return NT_STATUS_OK; case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: DEBUG(3, ("Server [%s] is not registered with our KDC: %s\n", - hostname, smb_get_krb5_error_message(gensec_krb5_state->context, ret, gensec_krb5_state))); + hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state))); return NT_STATUS_ACCESS_DENIED; case KRB5KDC_ERR_PREAUTH_FAILED: case KRB5KRB_AP_ERR_TKT_EXPIRED: @@ -387,7 +369,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security case KRB5_KDCREP_SKEW: { DEBUG(3, ("kerberos (mk_req) failed: %s\n", - smb_get_krb5_error_message(gensec_krb5_state->context, ret, gensec_krb5_state))); + smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state))); /* fall down to remaining code */ } @@ -399,7 +381,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security nt_status = kinit_to_ccache(gensec_krb5_state, gensec_security->credentials, - gensec_krb5_state->context, + gensec_krb5_state->smb_krb5_context, &gensec_krb5_state->ccache, &ccache_name); @@ -410,7 +392,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security default: DEBUG(0, ("kerberos: %s\n", - smb_get_krb5_error_message(gensec_krb5_state->context, ret, gensec_krb5_state))); + smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state))); return NT_STATUS_UNSUCCESSFUL; } } @@ -442,7 +424,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, { if (ret) { DEBUG(1,("ads_krb5_mk_req (request ticket) failed (%s)\n", - smb_get_krb5_error_message(gensec_krb5_state->context, ret, out_mem_ctx))); + smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, out_mem_ctx))); nt_status = NT_STATUS_LOGON_FAILURE; } else { DATA_BLOB unwrapped_out; @@ -478,12 +460,12 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, inbuf.data = unwrapped_in.data; inbuf.length = unwrapped_in.length; - ret = krb5_rd_rep(gensec_krb5_state->context, + ret = krb5_rd_rep(gensec_krb5_state->smb_krb5_context->krb5_context, gensec_krb5_state->auth_context, &inbuf, &repl); if (ret) { DEBUG(1,("krb5_rd_rep (mutual authentication) failed (%s)\n", - smb_get_krb5_error_message(gensec_krb5_state->context, ret, out_mem_ctx))); + smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, out_mem_ctx))); dump_data_pw("Mutual authentication message:\n", inbuf.data, inbuf.length); nt_status = NT_STATUS_ACCESS_DENIED; } else { @@ -492,7 +474,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, gensec_krb5_state->state_position = GENSEC_KRB5_DONE; } if (repl) { - krb5_free_ap_rep_enc_part(gensec_krb5_state->context, repl); + krb5_free_ap_rep_enc_part(gensec_krb5_state->smb_krb5_context->krb5_context, repl); } return nt_status; } @@ -512,7 +494,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, /* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */ if (!gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) { nt_status = ads_verify_ticket(out_mem_ctx, - gensec_krb5_state->context, + gensec_krb5_state->smb_krb5_context->krb5_context, gensec_krb5_state->auth_context, lp_realm(), gensec_get_target_service(gensec_security), &in, @@ -521,7 +503,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, } else { /* TODO: check the tok_id */ nt_status = ads_verify_ticket(out_mem_ctx, - gensec_krb5_state->context, + gensec_krb5_state->smb_krb5_context->krb5_context, gensec_krb5_state->auth_context, lp_realm(), gensec_get_target_service(gensec_security), @@ -558,10 +540,10 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, } static NTSTATUS gensec_krb5_session_key(struct gensec_security *gensec_security, - DATA_BLOB *session_key) + DATA_BLOB *session_key) { struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data; - krb5_context context = gensec_krb5_state->context; + krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context; krb5_auth_context auth_context = gensec_krb5_state->auth_context; krb5_keyblock *skey; krb5_error_code err; diff --git a/source4/auth/kerberos/clikrb5.c b/source4/auth/kerberos/clikrb5.c index ec8f60fbb3..dc02cf7b01 100644 --- a/source4/auth/kerberos/clikrb5.c +++ b/source4/auth/kerberos/clikrb5.c @@ -3,6 +3,7 @@ simple kerberos5 routines for active directory Copyright (C) Andrew Tridgell 2001 Copyright (C) Luke Howard 2002-2003 + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -475,4 +476,103 @@ cleanup_princ: return ret; } + +static int smb_krb5_context_destory_1(void *ptr) +{ + struct smb_krb5_context *ctx = ptr; + krb5_free_context(ctx->krb5_context); + return 0; +} + +#if defined(HAVE_KRB5_INITLOG) && defined(HAVE_KRB5_ADDLOG_FUNC) && defined(HAVE_KRB5_FREELOG) +static int smb_krb5_context_destory_2(void *ptr) +{ + struct smb_krb5_context *ctx = ptr; + + /* Otherwise krb5_free_context will try and close what we have already free()ed */ + krb5_set_warn_dest(ctx->krb5_context, NULL); + krb5_freelog(ctx->krb5_context, ctx->logf); + smb_krb5_context_destory_1(ptr); + return 0; +} + +/* We never close down the DEBUG system, and no need to unreference the use */ +static void smb_krb5_debug_close(void *private) { + return; +} + +static void smb_krb5_debug_wrapper(const char *timestr, const char *msg, void *private) +{ + DEBUG(3, ("Kerberos: %s\n", msg)); +} + +#endif + + krb5_error_code smb_krb5_init_context(TALLOC_CTX *parent_ctx, + struct smb_krb5_context **smb_krb5_context) +{ + krb5_error_code ret; + TALLOC_CTX *tmp_ctx; + + *smb_krb5_context = talloc(parent_ctx, struct smb_krb5_context); + tmp_ctx = talloc_new(*smb_krb5_context); + + if (!*smb_krb5_context || !tmp_ctx) { + talloc_free(*smb_krb5_context); + talloc_free(tmp_ctx); + return ENOMEM; + } + + ret = krb5_init_context(&(*smb_krb5_context)->krb5_context); + if (ret) { + DEBUG(1,("krb5_init_context failed (%s)\n", + error_message(ret))); + return ret; + } + + talloc_set_destructor(*smb_krb5_context, smb_krb5_context_destory_1); + + if (lp_realm() && *lp_realm()) { + char *upper_realm = strupper_talloc(tmp_ctx, lp_realm()); + if (!upper_realm) { + DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm())); + return ENOMEM; + } + ret = krb5_set_default_realm((*smb_krb5_context)->krb5_context, lp_realm()); + if (ret) { + DEBUG(1,("krb5_set_default_realm failed (%s)\n", + smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx))); + talloc_free(*smb_krb5_context); + return ret; + } + } + +#if defined(HAVE_KRB5_INITLOG) && defined(HAVE_KRB5_ADDLOG_FUNC) && defined(HAVE_KRB5_FREELOG) + /* TODO: Should we have a different name here? */ + ret = krb5_initlog((*smb_krb5_context)->krb5_context, "Samba", &(*smb_krb5_context)->logf); + + if (ret) { + DEBUG(1,("krb5_initlog failed (%s)\n", + smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx))); + talloc_free(*smb_krb5_context); + return ret; + } + + talloc_set_destructor(*smb_krb5_context, smb_krb5_context_destory_2); + + ret = krb5_addlog_func((*smb_krb5_context)->krb5_context, (*smb_krb5_context)->logf, 0 /* min */, -1 /* max */, + smb_krb5_debug_wrapper, smb_krb5_debug_close, NULL); + if (ret) { + DEBUG(1,("krb5_addlog_func failed (%s)\n", + smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx))); + talloc_free(*smb_krb5_context); + return ret; + } + krb5_set_warn_dest((*smb_krb5_context)->krb5_context, (*smb_krb5_context)->logf); + +#endif + talloc_free(tmp_ctx); + return 0; +} + #endif diff --git a/source4/auth/kerberos/config.m4 b/source4/auth/kerberos/config.m4 index 9cb66554ca..010a1c85da 100644 --- a/source4/auth/kerberos/config.m4 +++ b/source4/auth/kerberos/config.m4 @@ -260,6 +260,9 @@ if test x"$with_krb5_support" != x"no"; then AC_CHECK_FUNC_EXT(krb5_enctypes_compatible_keys, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_get_error_string, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_free_error_string, $KRB5_LIBS) + AC_CHECK_FUNC_EXT(krb5_initlog, $KRB5_LIBS) + AC_CHECK_FUNC_EXT(krb5_freelog, $KRB5_LIBS) + AC_CHECK_FUNC_EXT(krb5_addlog_func, $KRB5_LIBS) LIBS="$LIBS $KRB5_LIBS" diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h index ec7df4c2f1..b65416e619 100644 --- a/source4/auth/kerberos/kerberos.h +++ b/source4/auth/kerberos/kerberos.h @@ -21,6 +21,12 @@ #if defined(HAVE_KRB5) +struct smb_krb5_context { + krb5_context krb5_context; + krb5_log_facility *logf; +}; + + /* not really ASN.1, but RFC 1964 */ #define TOK_ID_KRB_AP_REQ "\x01\x00" #define TOK_ID_KRB_AP_REP "\x02\x00" @@ -96,9 +102,11 @@ void kerberos_free_data_contents(krb5_context context, krb5_data *pdata); krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry); char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx); NTSTATUS kinit_to_ccache(TALLOC_CTX *parent_ctx, - struct cli_credentials *credentials, - krb5_context context, - krb5_ccache *ccache, - const char **ccache_name); + struct cli_credentials *credentials, + struct smb_krb5_context *smb_krb5_context, + krb5_ccache *ccache, + const char **ccache_name); +krb5_error_code smb_krb5_init_context(TALLOC_CTX *parent_ctx, + struct smb_krb5_context **smb_krb5_context); #endif /* HAVE_KRB5 */ diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c index 55975b2594..7945094be9 100644 --- a/source4/auth/kerberos/kerberos_util.c +++ b/source4/auth/kerberos/kerberos_util.c @@ -29,19 +29,17 @@ #include "auth/auth.h" struct ccache_container { - krb5_context krb5_context; + struct smb_krb5_context *smb_krb5_context; krb5_ccache ccache; } ccache_container; -#if 0 static int free_ccache(void *ptr) { struct ccache_container *ccc = ptr; /* current heimdal - 0.6.3, which we need anyway, fixes segfaults here */ - krb5_cc_close(ccc->krb5_context, ccc->ccache); + krb5_cc_close(ccc->smb_krb5_context->krb5_context, ccc->ccache); return 0; } -#endif /** * Return a freshly allocated ccache (destroyed by destructor on child @@ -50,7 +48,7 @@ static int free_ccache(void *ptr) { NTSTATUS kinit_to_ccache(TALLOC_CTX *parent_ctx, struct cli_credentials *credentials, - krb5_context context, + struct smb_krb5_context *smb_krb5_context, krb5_ccache *ccache, const char **ccache_name) { @@ -71,7 +69,7 @@ static int free_ccache(void *ptr) { cli_credentials_get_principal(credentials, mem_ctx), generate_random_str(mem_ctx, 16)); - ret = krb5_cc_resolve(context, ccache_string, ccache); + ret = krb5_cc_resolve(smb_krb5_context->krb5_context, ccache_string, ccache); if (ret) { DEBUG(1,("failed to generate a new krb5 keytab (%s): %s\n", ccache_string, @@ -80,13 +78,11 @@ static int free_ccache(void *ptr) { return NT_STATUS_INTERNAL_ERROR; } - mem_ctx->krb5_context = context; + mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context); mem_ctx->ccache = *ccache; -#if 0 talloc_set_destructor(mem_ctx, free_ccache); -#endif - ret = kerberos_kinit_password_cc(context, *ccache, + ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, *ccache, cli_credentials_get_principal(credentials, mem_ctx), password, NULL, &kdc_time); @@ -95,13 +91,13 @@ static int free_ccache(void *ptr) { time_t t = time(NULL); int time_offset =(unsigned)kdc_time-t; DEBUG(4,("Advancing clock by %d seconds to cope with clock skew\n", time_offset)); - krb5_set_real_time(context, t + time_offset + 1, 0); + krb5_set_real_time(smb_krb5_context->krb5_context, t + time_offset + 1, 0); } if (ret == KRB5KRB_AP_ERR_SKEW || ret == KRB5_KDCREP_SKEW) { DEBUG(1,("kinit for %s failed (%s)\n", cli_credentials_get_principal(credentials, mem_ctx), - smb_get_krb5_error_message(context, + smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx))); talloc_free(mem_ctx); return NT_STATUS_TIME_DIFFERENCE_AT_DC; @@ -109,7 +105,7 @@ static int free_ccache(void *ptr) { if (ret) { DEBUG(1,("kinit for %s failed (%s)\n", cli_credentials_get_principal(credentials, mem_ctx), - smb_get_krb5_error_message(context, + smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx))); talloc_free(mem_ctx); return NT_STATUS_WRONG_PASSWORD; diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c index caa5a5c801..d4c281de82 100644 --- a/source4/kdc/hdb-ldb.c +++ b/source4/kdc/hdb-ldb.c @@ -1035,8 +1035,6 @@ krb5_error_code hdb_ldb_create(krb5_context context, struct HDB **db, const char } } - krb5_warnx(context, "hdb_ldb_create: hdb_name '%s'\n", (*db)->hdb_name); - (*db)->hdb_openp = 0; (*db)->hdb_open = LDB_open; (*db)->hdb_close = LDB_close; diff --git a/source4/kdc/kdc.c b/source4/kdc/kdc.c index 21461c0f09..40250bbc3a 100644 --- a/source4/kdc/kdc.c +++ b/source4/kdc/kdc.c @@ -107,7 +107,7 @@ static void kdc_recv_handler(struct kdc_socket *kdc_socket) src_sock_addr.sin_family = PF_INET; /* Call krb5 */ - if (krb5_kdc_process_krb5_request(kdc_socket->kdc->krb5_context, + if (krb5_kdc_process_krb5_request(kdc_socket->kdc->smb_krb5_context->krb5_context, kdc_socket->kdc->config, blob.data, blob.length, &reply, @@ -157,7 +157,7 @@ static void kdc_socket_handler(struct event_context *ev, struct fd_event *fde, */ static NTSTATUS kdc_add_socket(struct kdc_server *kdc, const char *address) { - struct kdc_socket *kdc_socket; + struct kdc_socket *kdc_socket; NTSTATUS status; kdc_socket = talloc(kdc, struct kdc_socket); @@ -251,7 +251,7 @@ static void kdc_task_init(struct task_server *task) initialize_krb5_error_table(); - ret = krb5_init_context(&kdc->krb5_context); + ret = smb_krb5_init_context(kdc, &kdc->smb_krb5_context); if (ret) { DEBUG(1,("kdc_task_init: krb5_init_context failed (%s)\n", error_message(ret))); @@ -259,9 +259,7 @@ static void kdc_task_init(struct task_server *task) return; } - /* TODO: Fill in the hdb and logging details */ - kdc_openlog(kdc->krb5_context, kdc->config); - + kdc->config->logf = kdc->smb_krb5_context->logf; kdc->config->db = talloc(kdc->config, struct HDB *); if (!kdc->config->db) { task_terminate(task, "kdc: out of memory"); @@ -269,10 +267,11 @@ static void kdc_task_init(struct task_server *task) } kdc->config->num_db = 1; - ret = hdb_ldb_create(kdc->krb5_context, &kdc->config->db[0], lp_sam_url()); + ret = hdb_ldb_create(kdc->smb_krb5_context->krb5_context, + &kdc->config->db[0], lp_sam_url()); if (ret != 0) { DEBUG(1, ("kdc_task_init: hdb_ldb_create fails: %s\n", - smb_get_krb5_error_message(kdc->krb5_context, ret, kdc))); + smb_get_krb5_error_message(kdc->smb_krb5_context->krb5_context, ret, kdc))); task_terminate(task, "kdc: hdb_ldb_create failed"); return; } diff --git a/source4/kdc/kdc.h b/source4/kdc/kdc.h index 2e81679e57..d766e21e6e 100644 --- a/source4/kdc/kdc.h +++ b/source4/kdc/kdc.h @@ -41,7 +41,7 @@ struct kdc_reply { struct kdc_server { struct task_server *task; struct krb5_kdc_configuration *config; - krb5_context krb5_context; + struct smb_krb5_context *smb_krb5_context; }; /* hold information about one kdc socket */ |