r22664: When we have krb5_get_init_creds_opt_get_error() then try to get the NTSTATUS

codes directly out of the krb5_error edata.

Guenther

4 files changed, 167 insertions, 0 deletions

diff --git a/source/configure.in b/source/configure.in
index 358b233f00f..a334a48183e 100644
--- a/source/configure.in
+++ b/source/configure.in
@@ -3658,6 +3658,7 @@ if test x"$with_ads_support" != x"no"; then
   AC_CHECK_FUNC_EXT(initialize_krb5_error_table, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(krb5_get_init_creds_opt_alloc, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(krb5_get_init_creds_opt_free, $KRB5_LIBS)
+  AC_CHECK_FUNC_EXT(krb5_get_init_creds_opt_get_error, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(krb5_enctype_to_string, $KRB5_LIBS)
 
   LIBS="$KRB5_LIBS $LIBS"
diff --git a/source/include/ads.h b/source/include/ads.h
index 29df0d2f353..0e4df629a77 100644
--- a/source/include/ads.h
+++ b/source/include/ads.h
@@ -298,6 +298,12 @@ typedef void **ADS_MODLIST;
 
 #ifdef HAVE_KRB5
 typedef struct {
+	NTSTATUS ntstatus;
+	uint32 unknown1;
+	uint32 unknown2; /* 0x00000001 */
+} KRB5_EDATA_NTSTATUS;
+
+typedef struct {
 #if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
 	krb5_address **addrs;
 #elif defined(HAVE_KRB5_ADDRESSES) /* Heimdal */
diff --git a/source/libads/kerberos.c b/source/libads/kerberos.c
index 72ff2cbdab8..dc3d11a60c2 100644
--- a/source/libads/kerberos.c
+++ b/source/libads/kerberos.c
@@ -55,6 +55,127 @@ kerb_prompter(krb5_context ctx, void *data,
 	return 0;
 }
 
+static BOOL smb_krb5_err_io_nstatus(TALLOC_CTX *mem_ctx, 
+				    DATA_BLOB *edata_blob, 
+				    KRB5_EDATA_NTSTATUS *edata)
+{
+	BOOL ret = False;
+	prs_struct ps;
+
+	if (!mem_ctx || !edata_blob || !edata) 
+		return False;
+
+	if (!prs_init(&ps, edata_blob->length, mem_ctx, UNMARSHALL))
+		return False;
+
+	if (!prs_copy_data_in(&ps, (char *)edata_blob->data, edata_blob->length))
+		goto out;
+
+	prs_set_offset(&ps, 0);
+
+	if (!prs_ntstatus("ntstatus", &ps, 1, &edata->ntstatus))
+		goto out;
+
+	if (!prs_uint32("unknown1", &ps, 1, &edata->unknown1))
+		goto out;
+
+	if (!prs_uint32("unknown2", &ps, 1, &edata->unknown2)) /* only seen 00000001 here */
+		goto out;
+
+	ret = True;
+ out:
+	prs_mem_free(&ps);
+
+	return ret;
+}
+
+ static BOOL smb_krb5_get_ntstatus_from_krb5_error(krb5_error *error,
+						   NTSTATUS *nt_status)
+{
+	DATA_BLOB edata;
+	DATA_BLOB unwrapped_edata;
+	TALLOC_CTX *mem_ctx;
+	KRB5_EDATA_NTSTATUS parsed_edata;
+
+#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
+	edata = data_blob(error->e_data->data, error->e_data->length);
+#else
+	edata = data_blob(error->e_data.data, error->e_data.length);
+#endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */
+
+#ifdef DEVELOPER
+	dump_data(10, edata.data, edata.length);
+#endif /* DEVELOPER */
+
+	mem_ctx = talloc_init("smb_krb5_get_ntstatus_from_krb5_error");
+	if (mem_ctx == NULL) {
+		data_blob_free(&edata);
+		return False;
+	}
+
+	if (!unwrap_edata_ntstatus(mem_ctx, &edata, &unwrapped_edata)) {
+		data_blob_free(&edata);
+		TALLOC_FREE(mem_ctx);
+		return False;
+	}
+
+	data_blob_free(&edata);
+
+	if (!smb_krb5_err_io_nstatus(mem_ctx, &unwrapped_edata, &parsed_edata)) {
+		data_blob_free(&unwrapped_edata);
+		TALLOC_FREE(mem_ctx);
+		return False;
+	}
+
+	data_blob_free(&unwrapped_edata);
+
+	if (nt_status) {
+		*nt_status = parsed_edata.ntstatus;
+	}
+
+	TALLOC_FREE(mem_ctx);
+
+	return True;
+}
+
+ static BOOL smb_krb5_get_ntstatus_from_krb5_error_init_creds_opt(krb5_context ctx, 
+ 								  krb5_get_init_creds_opt *opt, 
+								  NTSTATUS *nt_status)
+{
+	BOOL ret = False;
+	krb5_error *error = NULL;
+
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_GET_ERROR
+	ret = krb5_get_init_creds_opt_get_error(ctx, opt, &error);
+	if (ret) {
+		DEBUG(1,("krb5_get_init_creds_opt_get_error gave: %s\n", 
+			error_message(ret)));
+		return False;
+	}
+#endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_GET_ERROR */
+
+	if (!error) {
+		DEBUG(1,("no krb5_error\n"));
+		return False;
+	}
+
+#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
+	if (!error->e_data) {
+#else
+	if (error->e_data.data == NULL) {
+#endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */
+		DEBUG(1,("no edata in krb5_error\n")); 
+		krb5_free_error(ctx, error);
+		return False;
+	}
+
+	ret = smb_krb5_get_ntstatus_from_krb5_error(error, nt_status);
+
+	krb5_free_error(ctx, error);
+
+	return ret;
+}
+
 /*
   simulate a kinit, putting the tgt in the given cache location. If cache_name == NULL
   place in default cache location.
diff --git a/source/libsmb/clikrb5.c b/source/libsmb/clikrb5.c
index 474c6823ea0..64cfe6e952c 100644
--- a/source/libsmb/clikrb5.c
+++ b/source/libsmb/clikrb5.c
@@ -272,6 +272,45 @@ static krb5_error_code smb_krb5_parse_name_norealm_conv(krb5_context context,
 }
 #endif
 
+BOOL unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx, 
+			   DATA_BLOB *edata, 
+			   DATA_BLOB *edata_out)
+{
+	DATA_BLOB edata_contents;
+	ASN1_DATA data;
+	int edata_type;
+
+	if (!edata->length) {
+		return False;
+	}
+
+	asn1_load(&data, *edata);
+	asn1_start_tag(&data, ASN1_SEQUENCE(0));
+	asn1_start_tag(&data, ASN1_CONTEXT(1));
+	asn1_read_Integer(&data, &edata_type);
+
+	if (edata_type != KRB5_PADATA_PW_SALT) {
+		DEBUG(0,("edata is not of required type %d but of type %d\n", 
+			KRB5_PADATA_PW_SALT, edata_type));
+		asn1_free(&data);
+		return False;
+	}
+	
+	asn1_start_tag(&data, ASN1_CONTEXT(2));
+	asn1_read_OctetString(&data, &edata_contents);
+	asn1_end_tag(&data);
+	asn1_end_tag(&data);
+	asn1_end_tag(&data);
+	asn1_free(&data);
+
+	*edata_out = data_blob_talloc(mem_ctx, edata_contents.data, edata_contents.length);
+
+	data_blob_free(&edata_contents);
+
+	return True;
+}
+
+
 BOOL unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_pac_data)
 {
 	DATA_BLOB pac_contents;