diff options
author | Jeremy Allison <jra@samba.org> | 2004-11-02 02:21:26 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 10:53:07 -0500 |
commit | ff4cb6b5e80731856d6f3f7eebd8fc23902e3580 (patch) | |
tree | 8b3d3502f2b5c3011cc107838a8c20427844236b /source/libads/util.c | |
parent | 05619cfdbf814e5c79e65934b82424eca00c76c4 (diff) | |
download | samba-ff4cb6b5e80731856d6f3f7eebd8fc23902e3580.tar.gz samba-ff4cb6b5e80731856d6f3f7eebd8fc23902e3580.tar.xz samba-ff4cb6b5e80731856d6f3f7eebd8fc23902e3580.zip |
r3451: Finish off kerberos salting patch. Needs testing !
Jeremy.
Diffstat (limited to 'source/libads/util.c')
-rw-r--r-- | source/libads/util.c | 58 |
1 files changed, 32 insertions, 26 deletions
diff --git a/source/libads/util.c b/source/libads/util.c index 9912a7ba831..f5b88735387 100644 --- a/source/libads/util.c +++ b/source/libads/util.c @@ -24,39 +24,45 @@ ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_principal) { - char *tmp_password; - char *password; - char *new_password; - char *service_principal; - ADS_STATUS ret; - uint32 sec_channel_type; + char *password; + char *new_password; + char *service_principal; + ADS_STATUS ret; + uint32 sec_channel_type; - if ((password = secrets_fetch_machine_password(lp_workgroup(), NULL, &sec_channel_type)) == NULL) { - DEBUG(1,("Failed to retrieve password for principal %s\n", host_principal)); - return ADS_ERROR_SYSTEM(ENOENT); - } + if ((password = secrets_fetch_machine_password(lp_workgroup(), NULL, &sec_channel_type)) == NULL) { + DEBUG(1,("Failed to retrieve password for principal %s\n", host_principal)); + return ADS_ERROR_SYSTEM(ENOENT); + } - tmp_password = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH); - new_password = strdup(tmp_password); + new_password = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH); - asprintf(&service_principal, "HOST/%s", host_principal); + asprintf(&service_principal, "HOST/%s", host_principal); - ret = kerberos_set_password(ads->auth.kdc_server, service_principal, password, service_principal, new_password, ads->auth.time_offset); + ret = kerberos_set_password(ads->auth.kdc_server, service_principal, password, service_principal, new_password, ads->auth.time_offset); - if (!ADS_ERR_OK(ret)) goto failed; + if (!ADS_ERR_OK(ret)) { + goto failed; + } - if (!secrets_store_machine_password(new_password, lp_workgroup(), sec_channel_type)) { - DEBUG(1,("Failed to save machine password\n")); - return ADS_ERROR_SYSTEM(EACCES); - } + if (!secrets_store_machine_password(new_password, lp_workgroup(), sec_channel_type)) { + DEBUG(1,("Failed to save machine password\n")); + ret = ADS_ERROR_SYSTEM(EACCES); + goto failed; + } -failed: - SAFE_FREE(service_principal); - SAFE_FREE(new_password); + /* Determine if the KDC is salting keys for this principal in a + * non-obvious way. */ + if (!kerberos_derive_salting_principal(service_principal)) { + DEBUG(1,("Failed to determine correct salting principal for %s\n", service_principal)); + ret = ADS_ERROR_SYSTEM(EACCES); + goto failed; + } - return ret; +failed: + SAFE_FREE(service_principal); + SAFE_FREE(password); + SAFE_FREE(new_password); + return ret; } - - - #endif |