/*
* @Description: send session setup kerberos.
* @input: user name, password, domain of user, server name.
* @return: 0 if success, -1 if error
* */
int cli_session_setup_spnego_send(
const char *user, const char *pass, const char *user_domain,
const char *dest_realm)
{
int status = -1;
char *principal = NULL;
/*parser spnego token init from SMB2 NEGOTIATE
*get list OID, got spnego_principal */
spnego_parse_negTokenInit();
/*check server support kerberos?*/
if(check_kerberos()){
/* send AS_REQ and get TGT ticket*/
kerberos_kinit_password();
/*got principal from and remote_name*/
principal = cli_session_setup_get_principal();
if(principal){
/*send session setup kerberos*/
cli_session_setup_kerberos_send();
/*prepare polling to get recive*/
/*paser recive*/
cli_session_setup_spnego_done_krb();
}
}
return status;
}
ADS_STATUS kerberos_set_password(const char *kpasswd_server,
const char *auth_principal, const char *auth_password,
const char *target_principal, const char *new_password,
int time_offset)
{
int ret;
if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset, NULL))) {
DEBUG(1,("Failed kinit for principal %s (%s)\n", auth_principal, error_message(ret)));
return ADS_ERROR_KRB5(ret);
}
if (!strcmp(auth_principal, target_principal))
return ads_krb5_chg_password(kpasswd_server, target_principal,
auth_password, new_password, time_offset);
else
return ads_krb5_set_password(kpasswd_server, target_principal,
new_password, time_offset);
}
/* run kinit to setup our ccache */
int ads_kinit_password(ADS_STRUCT *ads)
{
char *s;
int ret;
if (asprintf(&s, "%s@%s", ads->auth.user_name, ads->auth.realm) == -1) {
return KRB5_CC_NOMEM;
}
if (!ads->auth.password) {
return KRB5_LIBOS_CANTREADPWD;
}
ret = kerberos_kinit_password(s, ads->auth.password, ads->auth.time_offset);
if (ret) {
DEBUG(0,("kerberos_kinit_password %s failed: %s\n",
s, error_message(ret)));
}
free(s);
return ret;
}
static BOOL manage_client_krb5_init(SPNEGO_DATA spnego)
{
char *principal;
DATA_BLOB tkt, to_server;
DATA_BLOB session_key_krb5 = data_blob(NULL, 0);
SPNEGO_DATA reply;
char *reply_base64;
int retval;
const char *my_mechs[] = {OID_KERBEROS5_OLD, NULL};
ssize_t len;
if ( (spnego.negTokenInit.mechListMIC.data == NULL) ||
(spnego.negTokenInit.mechListMIC.length == 0) ) {
DEBUG(1, ("Did not get a principal for krb5\n"));
return False;
}
principal = SMB_MALLOC(spnego.negTokenInit.mechListMIC.length+1);
if (principal == NULL) {
DEBUG(1, ("Could not malloc principal\n"));
return False;
}
memcpy(principal, spnego.negTokenInit.mechListMIC.data,
spnego.negTokenInit.mechListMIC.length);
principal[spnego.negTokenInit.mechListMIC.length] = '\0';
retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0, NULL);
if (retval) {
pstring user;
/* Let's try to first get the TGT, for that we need a
password. */
if (opt_password == NULL) {
DEBUG(10, ("Requesting password\n"));
x_fprintf(x_stdout, "PW\n");
return True;
}
pstr_sprintf(user, "%s@%s", opt_username, opt_domain);
if ((retval = kerberos_kinit_password(user, opt_password, 0, NULL))) {
DEBUG(10, ("Requesting TGT failed: %s\n", error_message(retval)));
return False;
}
retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0, NULL);
if (retval) {
DEBUG(10, ("Kinit suceeded, but getting a ticket failed: %s\n", error_message(retval)));
return False;
}
}
data_blob_free(&session_key_krb5);
ZERO_STRUCT(reply);
reply.type = SPNEGO_NEG_TOKEN_INIT;
reply.negTokenInit.mechTypes = my_mechs;
reply.negTokenInit.reqFlags = 0;
reply.negTokenInit.mechToken = tkt;
reply.negTokenInit.mechListMIC = data_blob(NULL, 0);
len = write_spnego_data(&to_server, &reply);
data_blob_free(&tkt);
if (len == -1) {
DEBUG(1, ("Could not write SPNEGO data blob\n"));
return False;
}
reply_base64 = base64_encode_data_blob(to_server);
x_fprintf(x_stdout, "KK %s *\n", reply_base64);
SAFE_FREE(reply_base64);
data_blob_free(&to_server);
DEBUG(10, ("sent GSS-SPNEGO KERBEROS5 negTokenInit\n"));
return True;
}
