author | Andrew Bartlett <abartlet@samba.org> | 2005-06-29 13:55:09 +0000 |
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:18:57 -0500 |
commit | 9a7481bcfeff29495334eff8803878c2c238878f (patch) | |
tree | 040ffa0f4b35ebe93b749a7b32166a9be1e525ad /source4/kdc/pac-glue.c | |
parent | f4e75294be1f4c9d110d4ca48c5143078ade2bce (diff) | |
r7993: Further work on the Krb5 PAC.
We now generate the PAC, and can verify both our own PAC and the PAC
from Win2k3.
This commit adds the PAC generation code, spits out the code to get
the information we need from the NETLOGON server back into a auth/
helper function, and adds a number of glue functions.
In the process of building the PAC generation code, some hints in the
Microsoft PAC specification shed light on other parts of the code, and
the updates to samr.idl and netlogon.idl come from those hints.
Also in this commit:
The Heimdal build package has been split up, so as to only link the
KDC with smbd, not the client utils.
To enable the PAC to be veified with gensec_krb5 (which isn't quite
dead yet), the keyblock has been passed back to the calling layer.
Andrew Bartlett
(This used to be commit e2015671c2f7501f832ff402873ffe6e53b89466)
Diffstat (limited to 'source4/kdc/pac-glue.c')
-rw-r--r-- | source4/kdc/pac-glue.c | 79 |
1 files changed, 79 insertions, 0 deletions
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
new file mode 100644
index 00000000000..40d11d31e9a
--- /dev/null
+++ b/source4/kdc/pac-glue.c
@@ -0,0 +1,79 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ PAC Glue between Samba and the KDC
+
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+#include "kdc/kdc.h"
+
+ krb5_error_code samba_get_pac(krb5_context context,
+ struct krb5_kdc_configuration *config,
+ krb5_principal client,
+ krb5_keyblock *keyblock,
+ krb5_data *pac)
+{
+ krb5_error_code ret;
+ NTSTATUS nt_status;
+ struct auth_serversupplied_info *server_info;
+ char *username, *p;
+ const char *realm;
+ TALLOC_CTX *mem_ctx = talloc_named(config, 0, "samba_get_pac context");
+ if (!mem_ctx) {
+ return ENOMEM;
+ }
+
+ ret = krb5_unparse_name(context, client, &username);
+
+ if (ret != 0) {
+ krb5_set_error_string(context, "get pac: could not parse principal");
+ krb5_warnx(context, "get pac: could not parse principal");
+ talloc_free(mem_ctx);
+ return ret;
+ }
+
+ /* parse the principal name */
+ realm = krb5_principal_get_realm(context, client);
+ username = talloc_strdup(mem_ctx, username);
+ p = strchr(username, '@');
+ if (p) {
+ p[0] = '\0';
+ }
+
+
+ nt_status = sam_get_server_info(mem_ctx, username, realm,
+ data_blob(NULL, 0), data_blob(NULL, 0),
+ &server_info);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(0, ("Getting user info for PAC failed: %s\n",
+ nt_errstr(nt_status)));
+ talloc_free(mem_ctx);
+ return EINVAL;
+ }
+
+ ret = kerberos_encode_pac(mem_ctx, server_info,
+ context,
+ keyblock,
+ pac);
+
+ talloc_free(mem_ctx);
+
+ return ret;
+}
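Review bot: The buffer returned by krb5_unparse_name is overwritten at `username = talloc_strdup(mem_ctx, username);` and never released, so every PAC generation leaks one malloc'd string inside the KDC, a slow resource-exhaustion risk on a long-running daemon; the talloc_strdup result is also unchecked, so an allocation failure reaches `strchr(username, '@')` with a NULL pointer. Keeping the unparsed name in its own variable, freeing it once copied, and returning ENOMEM when the copy fails closes both (rewritten lines below). Separately, krb5_unparse_name quotes special characters, so cutting at the first '@' can split a principal whose component contains an escaped '@' in the wrong place and look up a different account than the ticket names; if the bundled Heimdal offers krb5_unparse_name_flags with KRB5_PRINCIPAL_UNPARSE_NO_REALM, or krb5_principal_get_comp_string, building the username from the principal's components avoids the hand parsing.
```c
	char *unparsed = NULL;
	/* … unchanged: mem_ctx allocation … */
	ret = krb5_unparse_name(context, client, &unparsed);
	/* … unchanged: ret != 0 error path … */

	/* parse the principal name */
	realm = krb5_principal_get_realm(context, client);
	username = talloc_strdup(mem_ctx, unparsed);
	free(unparsed); /* krb5_unparse_name's buffer is not talloc-owned */
	if (!username) {
		talloc_free(mem_ctx);
		return ENOMEM;
	}
	p = strchr(username, '@');
	/* … unchanged: realm strip, sam_get_server_info, kerberos_encode_pac … */
```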