diff options
| author | Andrew Tridgell <tridge@samba.org> | 2002-10-04 07:41:56 +0000 |
|---|---|---|
| committer | Andrew Tridgell <tridge@samba.org> | 2002-10-04 07:41:56 +0000 |
| commit | 14f65fb89716959852849745c89c4108eb7bbe36 (patch) | |
| tree | 2c1a6f03253fd3fd95b0844660a4a4ccb03214cd /source3/libads | |
| parent | 83e58265b5595f5268bbcbda1a078a81d6fd5a40 (diff) | |
| download | samba-14f65fb89716959852849745c89c4108eb7bbe36.tar.gz samba-14f65fb89716959852849745c89c4108eb7bbe36.tar.xz samba-14f65fb89716959852849745c89c4108eb7bbe36.zip | |
support all permitted encoding types in tickets. This allows us to
decode a type 23 ticket when the machine account is setup for non-DES
tickets
(This used to be commit 144d4429d7d91e8597263da6abc8041098f2a4c3)
Diffstat (limited to 'source3/libads')
| -rw-r--r-- | source3/libads/kerberos_verify.c | 44 |
1 files changed, 29 insertions, 15 deletions
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c index 22b58f47dd..52fd2e6862 100644 --- a/source3/libads/kerberos_verify.c +++ b/source3/libads/kerberos_verify.c @@ -38,7 +38,7 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, krb5_ticket *tkt = NULL; krb5_data salt; krb5_encrypt_block eblock; - int ret; + int ret, i; krb5_keyblock * key; krb5_principal host_princ; char *host_princ_s; @@ -46,6 +46,7 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, fstring myname; char *password_s; krb5_data password; + krb5_enctype *enctypes = NULL; if (!secrets_init()) { DEBUG(1,("secrets_init failed\n")); @@ -70,7 +71,6 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, ret = krb5_set_default_realm(context, ads->auth.realm); if (ret) { DEBUG(1,("krb5_set_default_realm failed (%s)\n", error_message(ret))); - ads_destroy(&ads); return NT_STATUS_LOGON_FAILURE; } @@ -102,30 +102,44 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, return NT_STATUS_NO_MEMORY; } - krb5_use_enctype(context, &eblock, ENCTYPE_DES_CBC_MD5); - - ret = krb5_string_to_key(context, &eblock, key, &password, &salt); - if (ret) { - DEBUG(1,("krb5_string_to_key failed (%s)\n", error_message(ret))); + if ((ret = krb5_get_permitted_enctypes(context, &enctypes))) { + DEBUG(1,("krb5_get_permitted_enctypes failed (%s)\n", + error_message(ret))); return NT_STATUS_LOGON_FAILURE; } - krb5_auth_con_setuseruserkey(context, auth_context, key); + /* we need to setup a auth context with each possible encoding type in turn */ + for (i=0;enctypes[i];i++) { + krb5_use_enctype(context, &eblock, enctypes[i]); - packet.length = ticket->length; - packet.data = (krb5_pointer)ticket->data; + ret = krb5_string_to_key(context, &eblock, key, &password, &salt); + if (ret) { + continue; + } -#if 0 - file_save("/tmp/ticket.dat", ticket->data, ticket->length); -#endif + krb5_auth_con_setuseruserkey(context, auth_context, key); + + packet.length = ticket->length; + packet.data = (krb5_pointer)ticket->data; - if ((ret = krb5_rd_req(context, &auth_context, &packet, - NULL, keytab, NULL, &tkt))) { + if (!(ret = krb5_rd_req(context, &auth_context, &packet, + NULL, keytab, NULL, &tkt))) { + krb5_free_ktypes(context, enctypes); + break; + } + } + + if (!enctypes[i]) { DEBUG(3,("krb5_rd_req with auth failed (%s)\n", error_message(ret))); return NT_STATUS_LOGON_FAILURE; } +#if 0 + file_save("/tmp/ticket.dat", ticket->data, ticket->length); +#endif + + if (tkt->enc_part2) { *auth_data = data_blob(tkt->enc_part2->authorization_data[0]->contents, tkt->enc_part2->authorization_data[0]->length); |