From 190a2ec9772fd62c149e6730773699398736dc68 Mon Sep 17 00:00:00 2001
From: =?utf-8?q?G=C3=BCnther=20Deschner?=
Date: Thu, 12 Nov 2009 00:51:46 +0100
Subject: [PATCH 1/2] s3-kerberos: add smb_krb5_principal_get_realm().

Guenther
---
 source3/include/includes.h | 2 ++
 source3/libsmb/clikrb5.c | 25 +++++++++++++++++++++++++
 2 files changed, 27 insertions(+), 0 deletions(-)

diff --git a/source3/include/includes.h b/source3/include/includes.h
index 8bd27b9..cbf30d6 100644
--- a/source3/include/includes.h
+++ b/source3/include/includes.h
@@ -1086,6 +1086,8 @@ krb5_error_code smb_krb5_get_creds(const char *server_s,
 const char *cc,
 const char *impersonate_princ_s,
 krb5_creds **creds_p);
+char *smb_krb5_principal_get_realm(krb5_context context,
+ krb5_principal principal);
 
 #endif /* HAVE_KRB5 */
 
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index d5a910b..e86c6c4 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -2234,6 +2234,31 @@ krb5_error_code smb_krb5_get_creds(const char *server_s,
 return ret;
 }
 
+/*
+ * smb_krb5_principal_get_realm
+ *
+ * @brief Get realm of a principal
+ *
+ * @param[in] context The krb5_context
+ * @param[in] principal The principal
+ * @return pointer to the realm
+ *
+ */
+
+char *smb_krb5_principal_get_realm(krb5_context context,
+ krb5_principal principal)
+{
+#ifdef HAVE_KRB5_PRINCIPAL_GET_REALM /* Heimdal */
+ return krb5_principal_get_realm(context, principal);
+#elif defined(krb5_princ_realm) /* MIT */
+ krb5_data *realm;
+ realm = krb5_princ_realm(context, principal);
+ return (char *)realm->data;
+#else
+ return NULL;
+#endif
+}
+
 #else /* HAVE_KRB5 */
 /* this saves a few linking headaches */
 int cli_krb5_get_ticket(const char *principal, time_t time_offset,
-- 
1.6.2.5

From 211076629f2d06b980f667643c175b7babf523d1 Mon Sep 17 00:00:00 2001
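Review bot: In the MIT branch of `smb_krb5_principal_get_realm` the `char *` return drops the `length` that `krb5_data` carries, and the krb5 API does not promise that `realm->data` is NUL-terminated (MIT's parser happens to terminate it, but that is an implementation detail), so a caller that runs `strlen()` or string compares on the result is relying on luck; either state that contract in the header comment or hand back a counted buffer. The Heimdal branch returns the `const char *` from `krb5_principal_get_realm` through a `char *` return type, which deserves an explicit cast with a comment rather than a silent qualifier drop. Note also that `#elif defined(krb5_princ_realm)` only matches a macro, so a libkrb5 that provides `krb5_princ_realm` as a function would silently land in the `return NULL` fallback. The header comment should record ownership and that fallback, e.g. ` * @return pointer to the realm, borrowed from @a principal (do not free; invalid once the principal is freed); NULL when neither krb5 API is available`.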
From: =?utf-8?q?G=C3=BCnther=20Deschner?=
Date: Thu, 12 Nov 2009 00:52:38 +0100
Subject: [PATCH 2/2] cifs.upcall: Fix Bug #6868: support building with Heimdal we well as with MIT.

Guenther
---
 client/cifs.upcall.c | 34 ++++++++++++++++------------------
 1 files changed, 16 insertions(+), 18 deletions(-)

diff --git a/client/cifs.upcall.c b/client/cifs.upcall.c
index 97c6ae0..d3ff5f1 100644
--- a/client/cifs.upcall.c
+++ b/client/cifs.upcall.c
@@ -45,18 +45,6 @@ typedef enum _sectype {
 MS_KRB5
 } sectype_t;
 
-static inline int
-k5_data_equal(krb5_data d1, krb5_data d2, unsigned int length)
-{
- if (!length)
- length = d1.length;
-
- return (d1.length == length &&
- d1.length == d2.length &&
- memcmp(d1.data, d2.data, length) == 0);
-
-}
-
 /* does the ccache have a valid TGT? */
 static time_t
 get_tgt_time(const char *ccname) {
@@ -65,9 +53,8 @@ get_tgt_time(const char *ccname) {
 krb5_cc_cursor cur;
 krb5_creds creds;
 krb5_principal principal;
- krb5_data tgt = { .data = "krbtgt",
- .length = 6 };
 time_t credtime = 0;
+ char *realm = NULL;
 
 if (krb5_init_context(&context)) {
 syslog(LOG_DEBUG, "%s: unable to init krb5 context", __func__);
@@ -94,16 +81,27 @@ get_tgt_time(const char *ccname) {
 goto err_ccstart;
 }
 
+ if ((realm = smb_krb5_principal_get_realm(context, principal)) == NULL) {
+ syslog(LOG_DEBUG, "%s: unable to get realm", __func__);
+ goto err_ccstart;
+ }
+
 while (!credtime && !krb5_cc_next_cred(context, ccache, &cur, &creds)) {
- if (k5_data_equal(creds.server->realm, principal->realm, 0) &&
- k5_data_equal(creds.server->data[0], tgt, tgt.length) &&
- k5_data_equal(creds.server->data[1], principal->realm, 0) &&
+ char *name;
+ if (smb_krb5_unparse_name(NULL, context, creds.server, &name)) {
+ syslog(LOG_DEBUG, "%s: unable to unparse name", __func__);
+ goto err_endseq;
+ }
+ if (krb5_realm_compare(context, creds.server, principal) &&
+ strnequal(name, KRB5_TGS_NAME, KRB5_TGS_NAME_SIZE) &&
+ strnequal(name+KRB5_TGS_NAME_SIZE+1, realm, strlen(realm)) &&
 creds.times.endtime > time(NULL))
 credtime = creds.times.endtime;
 krb5_free_cred_contents(context, &creds);
+ TALLOC_FREE(name);
 }
+err_endseq:
 krb5_cc_end_seq_get(context, ccache, &cur);
-
 err_ccstart:
 krb5_free_principal(context, principal);
 err_princ:
-- 
1.6.2.5
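Review bot: The new realm check jumps to `err_ccstart`, which sits after `krb5_cc_end_seq_get`, so if the `goto err_ccstart` visible just above the insertion is the `krb5_cc_start_seq_get` failure path (the label names suggest it is) this exit never ends the cursor; it should be `goto err_endseq;`, and the `goto err_endseq;` inside the loop should be preceded by `krb5_free_cred_contents(context, &creds);` because `krb5_cc_next_cred` has already filled `creds` at that point. The TGT match is also looser than the `k5_data_equal` comparisons it replaces: nothing checks that the character after `krbtgt` is `/` or that the realm component ends at `@`, so a server such as `krbtgt/REALM.EVIL@REALM` is accepted as a TGT, and if `strnequal` is Samba's case-insensitive helper the comparison also ignores case where Kerberos does not. Tighter lines: `strnequal(name, KRB5_TGS_NAME "/", KRB5_TGS_NAME_SIZE + 1) &&`, `strnequal(name+KRB5_TGS_NAME_SIZE+1, realm, strlen(realm)) &&`, `name[KRB5_TGS_NAME_SIZE+1+strlen(realm)] == '@' &&` (or `strncmp` for an exact match) — or build `krbtgt/realm@realm` with `krb5_build_principal` and use `krb5_principal_compare`, which avoids unparse escaping altogether and removes the `strlen(realm)` on a pointer that, on MIT, comes from a `krb5_data` with no NUL-termination guarantee. `get_tgt_time` starts before this hunk and its remaining cleanup labels continue after it.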