summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGünther Deschner <gd@samba.org>2007-05-04 09:55:40 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:19:53 -0500
commitdcd902f24a59288bbb7400d59c0afc0c8303ed69 (patch)
tree618f671d76e661fc285f08b7b447fa11b83e2ac9
parent997ded4e3f0dc2199b9a66a9485c919c16fbabc6 (diff)
downloadsamba-dcd902f24a59288bbb7400d59c0afc0c8303ed69.tar.gz
samba-dcd902f24a59288bbb7400d59c0afc0c8303ed69.tar.xz
samba-dcd902f24a59288bbb7400d59c0afc0c8303ed69.zip
r22664: When we have krb5_get_init_creds_opt_get_error() then try to get the NTSTATUS
codes directly out of the krb5_error edata. Guenther
-rw-r--r--source/configure.in1
-rw-r--r--source/include/ads.h6
-rw-r--r--source/libads/kerberos.c121
-rw-r--r--source/libsmb/clikrb5.c39
4 files changed, 167 insertions, 0 deletions
diff --git a/source/configure.in b/source/configure.in
index 358b233f00f..a334a48183e 100644
--- a/source/configure.in
+++ b/source/configure.in
@@ -3658,6 +3658,7 @@ if test x"$with_ads_support" != x"no"; then
AC_CHECK_FUNC_EXT(initialize_krb5_error_table, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_get_init_creds_opt_alloc, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_get_init_creds_opt_free, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_get_init_creds_opt_get_error, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_enctype_to_string, $KRB5_LIBS)
LIBS="$KRB5_LIBS $LIBS"
diff --git a/source/include/ads.h b/source/include/ads.h
index 29df0d2f353..0e4df629a77 100644
--- a/source/include/ads.h
+++ b/source/include/ads.h
@@ -298,6 +298,12 @@ typedef void **ADS_MODLIST;
#ifdef HAVE_KRB5
typedef struct {
+ NTSTATUS ntstatus;
+ uint32 unknown1;
+ uint32 unknown2; /* 0x00000001 */
+} KRB5_EDATA_NTSTATUS;
+
+typedef struct {
#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
krb5_address **addrs;
#elif defined(HAVE_KRB5_ADDRESSES) /* Heimdal */
diff --git a/source/libads/kerberos.c b/source/libads/kerberos.c
index 72ff2cbdab8..dc3d11a60c2 100644
--- a/source/libads/kerberos.c
+++ b/source/libads/kerberos.c
@@ -55,6 +55,127 @@ kerb_prompter(krb5_context ctx, void *data,
return 0;
}
+static BOOL smb_krb5_err_io_nstatus(TALLOC_CTX *mem_ctx,
+ DATA_BLOB *edata_blob,
+ KRB5_EDATA_NTSTATUS *edata)
+{
+ BOOL ret = False;
+ prs_struct ps;
+
+ if (!mem_ctx || !edata_blob || !edata)
+ return False;
+
+ if (!prs_init(&ps, edata_blob->length, mem_ctx, UNMARSHALL))
+ return False;
+
+ if (!prs_copy_data_in(&ps, (char *)edata_blob->data, edata_blob->length))
+ goto out;
+
+ prs_set_offset(&ps, 0);
+
+ if (!prs_ntstatus("ntstatus", &ps, 1, &edata->ntstatus))
+ goto out;
+
+ if (!prs_uint32("unknown1", &ps, 1, &edata->unknown1))
+ goto out;
+
+ if (!prs_uint32("unknown2", &ps, 1, &edata->unknown2)) /* only seen 00000001 here */
+ goto out;
+
+ ret = True;
+ out:
+ prs_mem_free(&ps);
+
+ return ret;
+}
+
+ static BOOL smb_krb5_get_ntstatus_from_krb5_error(krb5_error *error,
+ NTSTATUS *nt_status)
+{
+ DATA_BLOB edata;
+ DATA_BLOB unwrapped_edata;
+ TALLOC_CTX *mem_ctx;
+ KRB5_EDATA_NTSTATUS parsed_edata;
+
+#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
+ edata = data_blob(error->e_data->data, error->e_data->length);
+#else
+ edata = data_blob(error->e_data.data, error->e_data.length);
+#endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */
+
+#ifdef DEVELOPER
+ dump_data(10, edata.data, edata.length);
+#endif /* DEVELOPER */
+
+ mem_ctx = talloc_init("smb_krb5_get_ntstatus_from_krb5_error");
+ if (mem_ctx == NULL) {
+ data_blob_free(&edata);
+ return False;
+ }
+
+ if (!unwrap_edata_ntstatus(mem_ctx, &edata, &unwrapped_edata)) {
+ data_blob_free(&edata);
+ TALLOC_FREE(mem_ctx);
+ return False;
+ }
+
+ data_blob_free(&edata);
+
+ if (!smb_krb5_err_io_nstatus(mem_ctx, &unwrapped_edata, &parsed_edata)) {
+ data_blob_free(&unwrapped_edata);
+ TALLOC_FREE(mem_ctx);
+ return False;
+ }
+
+ data_blob_free(&unwrapped_edata);
+
+ if (nt_status) {
+ *nt_status = parsed_edata.ntstatus;
+ }
+
+ TALLOC_FREE(mem_ctx);
+
+ return True;
+}
+
+ static BOOL smb_krb5_get_ntstatus_from_krb5_error_init_creds_opt(krb5_context ctx,
+ krb5_get_init_creds_opt *opt,
+ NTSTATUS *nt_status)
+{
+ BOOL ret = False;
+ krb5_error *error = NULL;
+
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_GET_ERROR
+ ret = krb5_get_init_creds_opt_get_error(ctx, opt, &error);
+ if (ret) {
+ DEBUG(1,("krb5_get_init_creds_opt_get_error gave: %s\n",
+ error_message(ret)));
+ return False;
+ }
+#endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_GET_ERROR */
+
+ if (!error) {
+ DEBUG(1,("no krb5_error\n"));
+ return False;
+ }
+
+#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
+ if (!error->e_data) {
+#else
+ if (error->e_data.data == NULL) {
+#endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */
+ DEBUG(1,("no edata in krb5_error\n"));
+ krb5_free_error(ctx, error);
+ return False;
+ }
+
+ ret = smb_krb5_get_ntstatus_from_krb5_error(error, nt_status);
+
+ krb5_free_error(ctx, error);
+
+ return ret;
+}
+
/*
simulate a kinit, putting the tgt in the given cache location. If cache_name == NULL
place in default cache location.
diff --git a/source/libsmb/clikrb5.c b/source/libsmb/clikrb5.c
index 474c6823ea0..64cfe6e952c 100644
--- a/source/libsmb/clikrb5.c
+++ b/source/libsmb/clikrb5.c
@@ -272,6 +272,45 @@ static krb5_error_code smb_krb5_parse_name_norealm_conv(krb5_context context,
}
#endif
+BOOL unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx,
+ DATA_BLOB *edata,
+ DATA_BLOB *edata_out)
+{
+ DATA_BLOB edata_contents;
+ ASN1_DATA data;
+ int edata_type;
+
+ if (!edata->length) {
+ return False;
+ }
+
+ asn1_load(&data, *edata);
+ asn1_start_tag(&data, ASN1_SEQUENCE(0));
+ asn1_start_tag(&data, ASN1_CONTEXT(1));
+ asn1_read_Integer(&data, &edata_type);
+
+ if (edata_type != KRB5_PADATA_PW_SALT) {
+ DEBUG(0,("edata is not of required type %d but of type %d\n",
+ KRB5_PADATA_PW_SALT, edata_type));
+ asn1_free(&data);
+ return False;
+ }
+
+ asn1_start_tag(&data, ASN1_CONTEXT(2));
+ asn1_read_OctetString(&data, &edata_contents);
+ asn1_end_tag(&data);
+ asn1_end_tag(&data);
+ asn1_end_tag(&data);
+ asn1_free(&data);
+
+ *edata_out = data_blob_talloc(mem_ctx, edata_contents.data, edata_contents.length);
+
+ data_blob_free(&edata_contents);
+
+ return True;
+}
+
+
BOOL unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_pac_data)
{
DATA_BLOB pac_contents;