Index: source/libads/kerberos_verify.c
===================================================================
RCS file: /cvsroot/samba/source/libads/kerberos_verify.c,v
retrieving revision 1.1.2.28
diff -u -r1.1.2.28 kerberos_verify.c
--- source/libads/kerberos_verify.c	3 Sep 2003 00:45:15 -0000	1.1.2.28
+++ source/libads/kerberos_verify.c	19 Sep 2003 08:29:15 -0000
@@ -26,7 +26,59 @@
 #ifdef HAVE_KRB5
-static void free_keytab(krb5_context context, krb5_keytab keytab)
+static krb5_error_code kerberos_rd_req(
+	krb5_context context,
+	krb5_auth_context *auth_context,
+	const krb5_data *packet,
+	krb5_const_principal server,
+	krb5_keytab keytab,
+	krb5_flags *ap_req_options,
+	krb5_ticket **tkt,
+	krb5_keyblock *key)
 {
+
+#ifndef HAVE_PRINCIPALNAME2KRB5_PRINCIPAL
+
+	/* MIT */
+	return krb5_rd_req(context, auth_context, packet, NULL, keytab, NULL, tkt);
+
+#else
+
+	/* HEIMDAL */
+	/* do not query the keytab for any keys ! */
+
+	krb5_error_code ret;
+	krb5_ap_req ap_req;
+	krb5_principal service = NULL;
+
+	if (*auth_context == NULL) {
+		ret = krb5_auth_con_init(context, auth_context);
+		if (ret)
+			return ret;
+	}
+
+	ret = krb5_decode_ap_req(context, packet, &ap_req);
+	if (ret)
+		return ret;
+
+	if (server == NULL) {
+		principalname2krb5_principal(&service,
+					     ap_req.ticket.sname,
+					     ap_req.ticket.realm);
+		server = service;
+	}
+
+	ret = krb5_verify_ap_req(context, auth_context, &ap_req, server,
+				 key, 0, ap_req_options, tkt);
+
+	free_AP_REQ(&ap_req);
+	if (service)
+		krb5_free_principal(context, service);
+
+	return ret;
+#endif
+}
+
+void free_keytab(krb5_context context, krb5_keytab keytab)
 {
 	int ret=0;
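Review bot: The return value of `principalname2krb5_principal(&service, ap_req.ticket.sname, ap_req.ticket.realm)` in the Heimdal branch is dropped, so on failure `server = service` hands a NULL (or partly built) principal to krb5_verify_ap_req. Check it and unwind the decoded request: `ret = principalname2krb5_principal(&service, ap_req.ticket.sname, ap_req.ticket.realm);` followed by `if (ret) { free_AP_REQ(&ap_req); return ret; }`. Note also that when `server == NULL` the expected service name is taken from the attacker-supplied ticket itself, so the name comparison inside krb5_verify_ap_req cannot reject anything and the only thing that authenticates the ticket is decryption under `key`; a comment on that fallback should say so explicitly. The MIT branch ignores `server`, `ap_req_options` and `key` and relies on whatever key the caller set on the auth context, which the function header should document so callers do not assume the Heimdal semantics.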
@@ -267,19 +319,22 @@
 		goto out;
 	}
+#if 0
 	if (!setup_keytab(context, host_princ, host_princ_s, password, enctypes, &keytab)) {
 		DEBUG(3,("ads_verify_ticket: unable to setup keytab\n"));
 		sret = NT_STATUS_LOGON_FAILURE;
 		goto out;
 	}
+#endif
+	if (!(key = (krb5_keyblock *)malloc(sizeof(*key)))) {
+		sret = NT_STATUS_NO_MEMORY;
+		goto out;
+	}
+
 	/* We need to setup a auth context with each possible encoding type in turn. */
 	for (i=0;enctypes[i];i++) {
-		if (!(key = (krb5_keyblock *)malloc(sizeof(*key)))) {
-			sret = NT_STATUS_NO_MEMORY;
-			goto out;
-		}
 		if (create_kerberos_key_from_string(context, host_princ, &password, key, enctypes[i])) {
 			continue;
@@ -287,18 +342,11 @@
 		krb5_auth_con_setuseruserkey(context, auth_context, key);
-		krb5_free_keyblock(context, key);
-
 		packet.length = ticket->length;
 		packet.data = (krb5_pointer)ticket->data;
-		if (!(ret = krb5_rd_req(context, &auth_context, &packet,
-#ifdef HAVE_MEMORY_KEYTAB
-					host_princ,
-#else
-					NULL,
-#endif
-					keytab, NULL, &tkt))) {
+		if (!(ret = kerberos_rd_req(context, &auth_context, &packet,
+					    NULL, keytab, NULL, &tkt, key))) {
 			DEBUG(10,("ads_verify_ticket: enc type [%u] decrypted message !\n",
 				(unsigned int)enctypes[i] ));
 			auth_ok = True;
@@ -310,10 +358,12 @@
 				(unsigned int)enctypes[i], error_message(ret)));
 	}
+	krb5_free_keyblock(context, key);
+
 	release_server_mutex();
 	if (!auth_ok) {
-		DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n",
+		DEBUG(3,("ads_verify_ticket: kerberos_rd_req with auth failed (%s)\n",
 			 error_message(ret)));
 		sret = NT_STATUS_LOGON_FAILURE;
 		goto out;
Index: source/configure.in
===================================================================
RCS file: /cvsroot/samba/source/configure.in,v
retrieving revision 1.300.2.165
diff -u -r1.300.2.165 configure.in
--- source/configure.in	10 Sep 2003 15:39:21 -0000	1.300.2.165
+++ source/configure.in	19 Sep 2003 08:30:47 -0000
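Review bot: `key` is now allocated once with `malloc` and reused across the enctype loop, but nothing zeroes it, so if `create_kerberos_key_from_string` rejects every enctype (or leaves the keyblock untouched on failure, which is not visible here) the `krb5_free_keyblock(context, key)` added after the loop frees an indeterminate contents pointer. Allocate it zeroed, `if (!(key = (krb5_keyblock *)calloc(1, sizeof(*key)))) {`, so an unpopulated keyblock is safe to free. The `#if 0` around setup_keytab is dead code: either delete it or add a comment saying why the keytab is no longer populated while `keytab` is still passed down to kerberos_rd_req. ads_verify_ticket begins and ends outside this hunk.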
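Review bot: `kerberos_rd_req(context, &auth_context, &packet, NULL, keytab, NULL, &tkt, key)` passes NULL as the expected server principal although `host_princ` is in scope (it is what the key is derived from a few lines up), so on the Heimdal path the service name in the ticket is never compared against this host, and the removed `HAVE_MEMORY_KEYTAB` branch that did pass `host_princ` is lost. If tickets for other SPNs of the same account must be accepted, keep NULL but say so: `/* server == NULL: accept any SPN of this account; the host key, not the name, authenticates the ticket */`; otherwise pass `host_princ`. ads_verify_ticket begins and ends outside this hunk.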
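Review bot: Moving `krb5_free_keyblock(context, key)` out of the loop frees only whatever `key` holds when the loop ends, while every iteration's `create_kerberos_key_from_string` fills the same keyblock again, so the contents derived for each enctype that failed to decrypt are leaked, unzeroed, on the heap, and that is host key material. Since `krb5_auth_con_setuseruserkey` copies the key (the old code freed it right after that call) and the Heimdal path only needs `key` until kerberos_rd_req returns, add `krb5_free_keyblock_contents(context, key);` as the last statement of the loop body, before the `}` that closes the `for` at the top of this hunk. As far as I recall both MIT and Heimdal reset the contents pointer in that call, which keeps the post-loop krb5_free_keyblock safe for the keyblock that survives a successful iteration, but verify that against the headers in use. ads_verify_ticket ends outside this hunk.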
@@ -2505,6 +2505,7 @@
   AC_CHECK_FUNC_EXT(krb5_get_default_in_tkt_etypes, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(krb5_free_ktypes, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(krb5_principal_get_comp_string, $KRB5_LIBS)
+  AC_CHECK_FUNC_EXT(principalname2krb5_principal, $KRB5_LIBS)
   LIBS="$LIBS $KRB5_LIBS"