static void
test_get_init_creds(krb5_context context,
krb5_principal client)
{
krb5_error_code ret;
krb5_get_init_creds_opt *opt;
krb5_creds cred;
ret = krb5_get_init_creds_opt_alloc(context, &opt);
if (ret)
krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc");
ret = krb5_get_init_creds_opt_set_process_last_req(context,
opt,
lr_proc,
NULL);
if (ret)
krb5_err(context, 1, ret,
"krb5_get_init_creds_opt_set_process_last_req");
ret = krb5_get_init_creds_password(context,
&cred,
client,
password_str,
krb5_prompter_posix,
NULL,
0,
NULL,
opt);
if (ret)
krb5_err(context, 1, ret, "krb5_get_init_creds_password");
krb5_get_init_creds_opt_free(context, opt);
}
/* Inspired by krb5_verify_user from Heimdal */
static krb5_error_code verify_krb5_user(krb5_context context, krb5_principal principal, const char *password, krb5_principal server)
{
krb5_creds creds;
krb5_get_init_creds_opt gic_options;
krb5_error_code ret;
char *name = NULL;
memset(&creds, 0, sizeof(creds));
ret = krb5_unparse_name(context, principal, &name);
if (ret == 0)
{
#ifdef PRINTFS
printf("Trying to get TGT for user %s\n", name);
#endif
free(name);
}
krb5_get_init_creds_opt_init(&gic_options);
ret = krb5_get_init_creds_password(context, &creds, principal, (char *)password, NULL, NULL, 0, NULL, &gic_options);
if (ret)
{
set_basicauth_error(context, ret);
goto end;
}
end:
krb5_free_cred_contents(context, &creds);
return ret;
}
static E2kKerberosResult
get_init_cred (krb5_context ctx, const char *usr_name, const char *passwd,
const char *in_tkt_service, krb5_creds *cred)
{
krb5_principal principal;
krb5_get_init_creds_opt opt;
krb5_error_code result;
result = krb5_parse_name (ctx, usr_name, &principal);
if (result)
return E2K_KERBEROS_USER_UNKNOWN;
krb5_get_init_creds_opt_init (&opt);
krb5_get_init_creds_opt_set_tkt_life (&opt, 5*60);
krb5_get_init_creds_opt_set_renew_life (&opt, 0);
krb5_get_init_creds_opt_set_forwardable (&opt, 0);
krb5_get_init_creds_opt_set_proxiable (&opt, 0);
result = krb5_get_init_creds_password (ctx, cred, principal,
(char *) passwd,
NULL, NULL, 0,
(char *) in_tkt_service, &opt);
krb5_free_principal (ctx, principal);
return krb5_result_to_e2k_kerberos_result (result);
}
static krb5_error_code
verify_user_opt_int(krb5_context context,
krb5_principal principal,
const char *password,
krb5_verify_opt *vopt)
{
krb5_error_code ret;
krb5_get_init_creds_opt *opt;
krb5_creds cred;
ret = krb5_get_init_creds_opt_alloc (context, &opt);
if (ret)
return ret;
krb5_get_init_creds_opt_set_default_flags(context, NULL,
krb5_principal_get_realm(context, principal),
opt);
ret = krb5_get_init_creds_password (context,
&cred,
principal,
password,
krb5_prompter_posix,
NULL,
0,
NULL,
opt);
krb5_get_init_creds_opt_free(context, opt);
if(ret)
return ret;
#define OPT(V, D) ((vopt && (vopt->V)) ? (vopt->V) : (D))
return verify_common (context, principal, OPT(ccache, NULL),
OPT(keytab, NULL), vopt ? vopt->secure : TRUE,
OPT(service, "host"), cred);
#undef OPT
}
int init_krb5_cc(){
krb5_ccache cc = NULL;
krb5_context ctx;
krb5_error_code err;
krb5_principal princ;
krb5_creds creds;
char name[64];
char *pass;
err = krb5_init_context(&ctx);
if (err) {
printf("krb5_init_context: %d: %s\n", err,
krb5_get_error_message(ctx, err));
return -1;
}
printf("Username: "******"%s", name);
err = krb5_parse_name(ctx, name, &princ);
if (err) {
printf("krb5_parse_name: %d: %s\n", err,
krb5_get_error_message(ctx, err));
return -1;
}
err = krb5_cc_default(ctx, &cc);
if (err) {
printf("krb5_cc_default: %d: %s\n", err,
krb5_get_error_message(ctx, err));
return -1;
}
err = krb5_cc_initialize(ctx, cc, princ);
if (err) {
printf("krb5_cc_initialize: %d: %s\n", err,
krb5_get_error_message(ctx, err));
return -1;
}
pass = getpass("Password: "******"krb5_get_init_creds_password: %d: %s\n", err,
krb5_get_error_message(ctx, err));
return -1;
}
err = krb5_cc_store_cred(ctx, cc, &creds);
if (err) {
printf("krb5_cc_store_cred: %d: %s\n", err,
krb5_get_error_message(ctx, err));
return -1;
}
return 0;
}
KRB5Creds::KRB5Creds(KRB5Principal &principal, const std::string &password, const char *tkt_service) : m_creds()
{
krb5_error_code ret =
krb5_get_init_creds_password(g_context.get(), &m_creds, principal.get(),
const_cast<char*>(password.c_str()), NULL, NULL,
0, const_cast<char*>(tkt_service), NULL);
if (ret) {
throw KRB5Exception("krb5_get_init_creds_keytab", ret);
}
}
/* simulate a kinit, putting the tgt in the default cache location [email protected] */ int kerberos_kinit_password(const char *principal, const char *password, int time_offset) { krb5_context ctx; krb5_error_code code = 0; krb5_ccache cc; krb5_principal me; krb5_creds my_creds; if ((code = krb5_init_context(&ctx))) return code; if (time_offset != 0) { krb5_set_real_time(ctx, time(NULL) + time_offset, 0); } if ((code = krb5_cc_default(ctx, &cc))) { krb5_free_context(ctx); return code; } if ((code = krb5_parse_name(ctx, principal, &me))) { krb5_free_context(ctx); return code; } if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, NULL, kerb_prompter, password, 0, NULL, NULL))) { krb5_free_principal(ctx, me); krb5_free_context(ctx); return code; } if ((code = krb5_cc_initialize(ctx, cc, me))) { krb5_free_cred_contents(ctx, &my_creds); krb5_free_principal(ctx, me); krb5_free_context(ctx); return code; } if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) { krb5_cc_close(ctx, cc); krb5_free_cred_contents(ctx, &my_creds); krb5_free_principal(ctx, me); krb5_free_context(ctx); return code; } krb5_cc_close(ctx, cc); krb5_free_cred_contents(ctx, &my_creds); krb5_free_principal(ctx, me); krb5_free_context(ctx); return 0; }
/* call-seq:
* krb5.change_password(old, new)
*
* Changes the password for the principal from +old+ to +new+. The principal
* is defined as whoever the last principal was authenticated via the
* Krb5#get_init_creds_password method.
*
* Attempting to change a password before a principal has been established
* will raise an error.
*
* Example:
*
* krb5.get_init_creds_password('foo', 'XXXXXX') # Authenticate 'foo' user
* krb5.change_password('XXXXXX', 'YYYYYY') # Change password for 'foo'
*/
static VALUE rkrb5_change_password(VALUE self, VALUE v_old, VALUE v_new){
RUBY_KRB5* ptr;
krb5_data result_string;
krb5_data pw_result_string;
krb5_error_code kerror;
char *old_passwd;
char *new_passwd;
int pw_result;
Check_Type(v_old, T_STRING);
Check_Type(v_new, T_STRING);
old_passwd = StringValueCStr(v_old);
new_passwd = StringValueCStr(v_new);
Data_Get_Struct(self, RUBY_KRB5, ptr);
if(!ptr->ctx)
rb_raise(cKrb5Exception, "no context has been established");
if(!ptr->princ)
rb_raise(cKrb5Exception, "no principal has been established");
kerror = krb5_get_init_creds_password(
ptr->ctx,
&ptr->creds,
ptr->princ,
old_passwd,
NULL,
NULL,
0,
"kadmin/changepw",
NULL
);
if(kerror)
rb_raise(cKrb5Exception, "krb5_get_init_creds_password: %s", error_message(kerror));
kerror = krb5_change_password(
ptr->ctx,
&ptr->creds,
new_passwd,
&pw_result,
&pw_result_string,
&result_string
);
if(kerror)
rb_raise(cKrb5Exception, "krb5_change_password: %s", error_message(kerror));
return Qtrue;
}
static PyObject *
k5_change_password(PyObject *self, PyObject *args)
{
int result_code;
char *name, *oldpass, *newpass;
krb5_context ctx;
krb5_error_code code;
krb5_principal principal;
krb5_get_init_creds_opt options;
krb5_creds creds;
krb5_data result_code_string, result_string;
if (!PyArg_ParseTuple(args, "sss", &name, &oldpass, &newpass))
return NULL;
/* Initialize parameters. */
code = krb5_init_context(&ctx);
RETURN_ON_ERROR("krb5_init_context()", code);
code = krb5_parse_name(ctx, name, &principal);
RETURN_ON_ERROR("krb5_parse_name()", code);
/* Get credentials using the password. */
krb5_get_init_creds_opt_init(&options);
krb5_get_init_creds_opt_set_tkt_life(&options, 5*60);
krb5_get_init_creds_opt_set_renew_life(&options, 0);
krb5_get_init_creds_opt_set_forwardable(&options, 0);
krb5_get_init_creds_opt_set_proxiable(&options, 0);
memset(&creds, 0, sizeof (creds));
code = krb5_get_init_creds_password(ctx, &creds, principal, oldpass,
NULL, NULL, 0, "kadmin/changepw",
&options);
RETURN_ON_ERROR("krb5_get_init_creds_password()", code);
code = krb5_change_password(ctx, &creds, newpass, &result_code,
&result_code_string, &result_string);
RETURN_ON_ERROR("krb5_change_password()", code);
/* Any other error? */
if (result_code != 0)
{
_k5_set_password_error(&result_code_string, &result_string);
return NULL;
}
/* Free up results. */
if (result_code_string.data != NULL)
free(result_code_string.data);
if (result_string.data != NULL)
free(result_string.data);
Py_INCREF(Py_None);
return Py_None;
}
/*
* call-seq:
* krb5.get_init_creds_password(user, password, service = nil)
*
* Authenticates the credentials of +user+ using +password+ against +service+,
* and has the effect of setting the principal and context internally. This method
* must typically be called before using other methods.
*/
static VALUE rkrb5_get_init_creds_passwd(int argc, VALUE* argv, VALUE self){
RUBY_KRB5* ptr;
VALUE v_user, v_pass, v_service;
char* user;
char* pass;
char* service;
krb5_error_code kerror;
Data_Get_Struct(self, RUBY_KRB5, ptr);
if(!ptr->ctx)
rb_raise(cKrb5Exception, "no context has been established");
rb_scan_args(argc, argv, "21", &v_user, &v_pass, &v_service);
Check_Type(v_user, T_STRING);
Check_Type(v_pass, T_STRING);
user = StringValueCStr(v_user);
pass = StringValueCStr(v_pass);
if(NIL_P(v_service)){
service = NULL;
}
else{
Check_Type(v_service, T_STRING);
service = StringValueCStr(v_service);
}
kerror = krb5_parse_name(ptr->ctx, user, &ptr->princ);
if(kerror)
rb_raise(cKrb5Exception, "krb5_parse_name: %s", error_message(kerror));
kerror = krb5_get_init_creds_password(
ptr->ctx,
&ptr->creds,
ptr->princ,
pass,
0,
NULL,
0,
service,
NULL
);
if(kerror)
rb_raise(cKrb5Exception, "krb5_get_init_creds_password: %s", error_message(kerror));
return Qtrue;
}
static int
k5ping(krb5_context ctx, const char *host, int socktype, krb5_principal princ,
int use_kt, const char *passwd, krb5_principal sprinc)
{
K5BAIL_DECLS;
krb5_error_code kerr;
krb5_ccache ccache = NULL;
krb5_keytab kt;
krb5_creds creds;
krb5_get_init_creds_opt *opt = NULL;
VERBOSE(1, (stderr, "initiating kerberos5/%s ping to %s\n",
socktype == SOCK_DGRAM ? "udp" : "tcp", host));
parse_kdc(host);
current_socktype = socktype;
K5BAIL(krb5_cc_resolve(ctx, "MEMORY:k5ping", &ccache));
K5BAIL(krb5_get_init_creds_opt_alloc(ctx, &opt));
krb5_get_init_creds_opt_set_tkt_life(opt, 15 * 60);
if (use_kt) {
K5BAIL(krb5_kt_default(ctx, &kt));
K5BAIL(krb5_get_init_creds_keytab(ctx, &creds, princ, kt, 0,
NULL, opt));
} else {
K5BAIL(krb5_get_init_creds_password(ctx, &creds, princ, passwd,
krb5_prompter_posix, NULL, 0, NULL, opt));
}
K5BAIL(krb5_cc_store_cred(ctx, ccache, &creds));
kret = kvno5(ctx, host, socktype, princ, sprinc, ccache);
done:
if (ccache)
krb5_cc_destroy(ctx, ccache);
/* XXXrcd: free a few more things here... */
/* opt. creds. */
if (croakstr[0])
fail_msg("kerberos5", socktype, host, croakstr);
return kret;
}
/*
* call-seq:
* get_init_creds_password(username, password)
*
* Call krb5_get_init_creds_password() to get credentials based on a username
* and password. Returns true on success, raises Krb5Auth::Krb5::Exception
* on failure.
*/
int Krb5_get_init_creds_password(char* user, char* pass)
{
struct krb5_object *kerb = Krb5_new();
krb5_error_code krbret;
krbret = krb5_parse_name(kerb->ctx, user, &kerb->princ);
if (krbret) {
//fail
}
krbret = krb5_get_init_creds_password(kerb->ctx, &kerb->creds, kerb->princ,
pass, 0, NULL, 0,NULL, NULL);
if (krbret)
return 0;
else
return 1;
}
/*
* Test whether anonymous authentication works. If this doesn't, we need to
* skip the tests of anonymous FAST.
*/
static bool
anon_fast_works(void)
{
krb5_context ctx;
krb5_error_code retval;
krb5_principal princ = NULL;
char *realm;
krb5_creds creds;
krb5_get_init_creds_opt *opts = NULL;
/* Construct the anonymous principal name. */
retval = krb5_init_context(&ctx);
if (retval != 0)
bail("cannot initialize Kerberos");
retval = krb5_get_default_realm(ctx, &realm);
if (retval != 0)
bail("cannot get default realm");
retval = krb5_build_principal_ext(ctx, &princ, strlen(realm), realm,
strlen(KRB5_WELLKNOWN_NAME), KRB5_WELLKNOWN_NAME,
strlen(KRB5_ANON_NAME), KRB5_ANON_NAME, NULL);
if (retval != 0)
bail("cannot construct anonymous principal");
krb5_free_default_realm(ctx, realm);
/* Obtain the credentials. */
memset(&creds, 0, sizeof(creds));
retval = krb5_get_init_creds_opt_alloc(ctx, &opts);
if (retval != 0)
bail("cannot create credential options");
krb5_get_init_creds_opt_set_anonymous(opts, 1);
krb5_get_init_creds_opt_set_tkt_life(opts, 60);
retval = krb5_get_init_creds_password(ctx, &creds, princ, NULL, NULL,
NULL, 0, NULL, opts);
/* Clean up. */
if (princ != NULL)
krb5_free_principal(ctx, princ);
if (opts != NULL)
krb5_get_init_creds_opt_free(ctx, opts);
krb5_free_cred_contents(ctx, &creds);
return (retval == 0);
}
int
v5::initCredential(krb5_context kcontext, krb5_principal kprincipal,
krb5_get_init_creds_opt *opts, const QString& password,
krb5_timestamp *tgtEndtime)
{
krb5_error_code retval;
krb5_creds my_creds;
krb5_ccache ccache;
qDebug("call initCredential");
retval = krb5_get_init_creds_password(kcontext, &my_creds, kprincipal,
password.toUtf8().data(), NULL, NULL,
0, NULL, opts);
if (retval)
{
return retval;
}
retval = krb5_cc_default(kcontext, &ccache);
if (retval)
{
goto out;
}
retval = krb5_cc_initialize(kcontext, ccache, kprincipal);
if (retval)
goto out;
retval = krb5_cc_store_cred(kcontext, ccache, &my_creds);
if (retval)
goto out;
*tgtEndtime = my_creds.times.endtime;
out:
krb5_free_cred_contents (kcontext, &my_creds);
krb5_cc_close (kcontext, ccache);
return retval;
}
/* simulate a kinit, putting the tgt in the given credentials cache. Orignally by [email protected] */ int kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc, krb5_principal principal, const char *password, time_t *expire_time, time_t *kdc_time) { krb5_error_code code = 0; krb5_creds my_creds; krb5_get_init_creds_opt options; krb5_get_init_creds_opt_init(&options); krb5_get_init_creds_opt_set_default_flags(ctx, NULL, NULL, &options); if ((code = krb5_get_init_creds_password(ctx, &my_creds, principal, password, NULL, NULL, 0, NULL, &options))) { return code; } if ((code = krb5_cc_initialize(ctx, cc, principal))) { krb5_free_cred_contents(ctx, &my_creds); return code; } if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) { krb5_free_cred_contents(ctx, &my_creds); return code; } if (expire_time) { *expire_time = (time_t) my_creds.times.endtime; } if (kdc_time) { *kdc_time = (time_t) my_creds.times.starttime; } krb5_free_cred_contents(ctx, &my_creds); return 0; }
static PyObject *
k5_get_init_creds_password(PyObject *self, PyObject *args)
{
char *name, *password;
krb5_context ctx;
krb5_error_code code;
krb5_ccache ccache;
krb5_principal principal;
krb5_get_init_creds_opt options;
krb5_creds creds;
if (!PyArg_ParseTuple(args, "ss", &name, &password))
return NULL;
/* Initialize parameters. */
code = krb5_init_context(&ctx);
RETURN_ON_ERROR("krb5_init_context()", code);
code = krb5_parse_name(ctx, name, &principal);
RETURN_ON_ERROR("krb5_parse_name()", code);
krb5_get_init_creds_opt_init(&options);
memset(&creds, 0, sizeof (creds));
/* Get the credentials. */
code = krb5_get_init_creds_password(ctx, &creds, principal, password,
NULL, NULL, 0, NULL, &options);
RETURN_ON_ERROR("krb5_get_init_creds_password()", code);
/* Store the credential in the credential cache. */
code = krb5_cc_default(ctx, &ccache);
RETURN_ON_ERROR("krb5_cc_default()", code);
code = krb5_cc_initialize(ctx, ccache, principal);
RETURN_ON_ERROR("krb5_cc_initialize()", code);
code = krb5_cc_store_cred(ctx, ccache, &creds);
RETURN_ON_ERROR("krb5_cc_store_creds()", code);
krb5_cc_close(ctx, ccache);
Py_INCREF(Py_None);
return Py_None;
}
krb5CredsObject *creds_new(PyObject *unused, PyObject *args)
{
krb5_error_code ret;
krb5ContextObject *context;
krb5PrincipalObject *principal;
char *password_string;
char *in_tkt_service;
krb5CredsObject *self = (krb5CredsObject *) PyObject_NEW(krb5CredsObject, &krb5CredsType);
int error = 0;
if (!PyArg_ParseTuple(args, "OOss", &context, &principal, &password_string,
&in_tkt_service))
return NULL;
/* FIXME */
if (in_tkt_service[0] == '\0')
in_tkt_service = NULL;
if (self == NULL)
return NULL;
self->context = context->context;
ret = krb5_get_init_creds_password(self->context, &self->creds,
principal->principal, NULL, kerb_prompter, password_string,
0, in_tkt_service, NULL);
if (ret) {
error = 1;
krb5_exception(NULL, ret);
goto out;
}
out:
if (error)
return NULL;
else
return self;
}
/*
* call-seq:
* get_init_creds_password(username, password)
*
* Call krb5_get_init_creds_password() to get credentials based on a username
* and password. Returns true on success, raises Krb5Auth::Krb5::Exception on
* failure.
*/
static VALUE Krb5_get_init_creds_password(VALUE self, VALUE _user, VALUE _pass)
{
Check_Type(_user,T_STRING);
Check_Type(_pass,T_STRING);
char *user = StringValueCStr(_user);
char *pass = StringValueCStr(_pass);
struct ruby_krb5 *kerb;
krb5_error_code krbret;
Data_Get_Struct(self, struct ruby_krb5, kerb);
if (!kerb) {
NOSTRUCT_EXCEPT();
return Qfalse;
}
krbret = krb5_parse_name(kerb->ctx, user, &kerb->princ);
if (krbret) {
goto failed_pass;
}
krbret = krb5_get_init_creds_password(kerb->ctx, &kerb->creds, kerb->princ,
pass, 0, NULL, 0,NULL, NULL);
if (krbret) {
goto failed_pass;
}
return Qtrue;
failed_pass:
Krb5_register_error(krbret);
// we will never reach here, since Krb5_register_error will rb_raise(). just
// leave it to shut the compiler up
return Qfalse;
}
int
main(int argc, char **argv)
{
krb5_context ctx;
krb5_get_init_creds_opt *opt;
char *user, *password, *service = NULL;
krb5_boolean use_cb;
krb5_principal client;
krb5_creds creds;
if (argc < 4) {
fprintf(stderr, "Usage: %s username password {1|0} [service]\n",
argv[0]);
return 1;
}
user = argv[1];
password = argv[2];
use_cb = atoi(argv[3]);
if (argc >= 5)
service = argv[4];
assert(krb5_init_context(&ctx) == 0);
assert(krb5_get_init_creds_opt_alloc(ctx, &opt) == 0);
if (use_cb) {
assert(krb5_get_init_creds_opt_set_expire_callback(ctx, opt, expire_cb,
&exp_dummy) == 0);
}
assert(krb5_parse_name(ctx, user, &client) == 0);
assert(krb5_get_init_creds_password(ctx, &creds, client, password,
prompter_cb, &prompt_dummy, 0, service,
opt) == 0);
krb5_get_init_creds_opt_free(ctx, opt);
krb5_free_principal(ctx, client);
krb5_free_cred_contents(ctx, &creds);
return 0;
}
static krb5_error_code
get_new_cache(krb5_context context,
krb5_principal client,
const char *password,
krb5_prompter_fct prompter,
const char *keytab,
const char *server_name,
krb5_ccache *ret_cache)
{
krb5_error_code ret;
krb5_creds cred;
krb5_get_init_creds_opt *opt;
krb5_ccache id;
ret = krb5_get_init_creds_opt_alloc (context, &opt);
if (ret)
return ret;
krb5_get_init_creds_opt_set_default_flags(context, "kadmin",
krb5_principal_get_realm(context,
client),
opt);
krb5_get_init_creds_opt_set_forwardable (opt, FALSE);
krb5_get_init_creds_opt_set_proxiable (opt, FALSE);
if(password == NULL && prompter == NULL) {
krb5_keytab kt;
if(keytab == NULL)
ret = krb5_kt_default(context, &kt);
else
ret = krb5_kt_resolve(context, keytab, &kt);
if(ret) {
krb5_get_init_creds_opt_free(context, opt);
return ret;
}
ret = krb5_get_init_creds_keytab (context,
&cred,
client,
kt,
0,
server_name,
opt);
krb5_kt_close(context, kt);
} else {
ret = krb5_get_init_creds_password (context,
&cred,
client,
password,
prompter,
NULL,
0,
server_name,
opt);
}
krb5_get_init_creds_opt_free(context, opt);
switch(ret){
case 0:
break;
case KRB5_LIBOS_PWDINTR: /* don't print anything if it was just C-c:ed */
case KRB5KRB_AP_ERR_BAD_INTEGRITY:
case KRB5KRB_AP_ERR_MODIFIED:
return KADM5_BAD_PASSWORD;
default:
return ret;
}
ret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, &id);
if(ret)
return ret;
ret = krb5_cc_initialize (context, id, cred.client);
if (ret)
return ret;
ret = krb5_cc_store_cred (context, id, &cred);
if (ret)
return ret;
krb5_free_cred_contents (context, &cred);
*ret_cache = id;
return 0;
}
krb5_error_code
kcm_ccache_acquire(krb5_context context,
kcm_ccache ccache,
time_t *expire)
{
krb5_error_code ret = 0;
krb5_creds cred;
krb5_const_realm realm;
krb5_get_init_creds_opt *opt = NULL;
krb5_ccache_data ccdata;
char *in_tkt_service = NULL;
*expire = 0;
memset(&cred, 0, sizeof(cred));
KCM_ASSERT_VALID(ccache);
/* We need a cached key or keytab to acquire credentials */
if (ccache->flags & KCM_FLAGS_USE_PASSWORD) {
if (ccache->password == NULL)
krb5_abortx(context,
"kcm_ccache_acquire: KCM_FLAGS_USE_PASSWORD without password");
} else if (ccache->flags & KCM_FLAGS_USE_KEYTAB) {
if (ccache->keytab == NULL)
krb5_abortx(context,
"kcm_ccache_acquire: KCM_FLAGS_USE_KEYTAB without keytab");
} else {
kcm_log(0, "Cannot acquire initial credentials for cache %s without key",
ccache->name);
return KRB5_FCC_INTERNAL;
}
/* Fake up an internal ccache */
kcm_internal_ccache(context, ccache, &ccdata);
/* Now, actually acquire the creds */
if (ccache->server != NULL) {
ret = krb5_unparse_name(context, ccache->server, &in_tkt_service);
if (ret) {
kcm_log(0, "Failed to unparse service name for cache %s",
ccache->name);
return ret;
}
}
realm = krb5_principal_get_realm(context, ccache->client);
ret = krb5_get_init_creds_opt_alloc(context, &opt);
if (ret)
goto out;
krb5_get_init_creds_opt_set_default_flags(context, "kcm", realm, opt);
if (ccache->tkt_life != 0)
krb5_get_init_creds_opt_set_tkt_life(opt, ccache->tkt_life);
if (ccache->renew_life != 0)
krb5_get_init_creds_opt_set_renew_life(opt, ccache->renew_life);
krb5_get_init_creds_opt_set_forwardable(opt, 1);
if (ccache->flags & KCM_FLAGS_USE_PASSWORD) {
ret = krb5_get_init_creds_password(context,
&cred,
ccache->client,
ccache->password,
NULL,
NULL,
0,
in_tkt_service,
opt);
} else {
ret = krb5_get_init_creds_keytab(context,
&cred,
ccache->client,
ccache->keytab,
0,
in_tkt_service,
opt);
}
if (ret) {
const char *msg = krb5_get_error_message(context, ret);
kcm_log(0, "Failed to acquire credentials for cache %s: %s",
ccache->name, msg);
krb5_free_error_message(context, msg);
if (in_tkt_service != NULL)
free(in_tkt_service);
goto out;
}
if (in_tkt_service != NULL)
free(in_tkt_service);
/* Swap them in */
kcm_ccache_remove_creds_internal(context, ccache);
ret = kcm_ccache_store_cred_internal(context, ccache, &cred, NULL, 0);
if (ret) {
const char *msg = krb5_get_error_message(context, ret);
kcm_log(0, "Failed to store credentials for cache %s: %s",
ccache->name, msg);
krb5_free_error_message(context, msg);
krb5_free_cred_contents(context, &cred);
goto out;
}
*expire = cred.times.endtime;
out:
if (opt)
krb5_get_init_creds_opt_free(context, opt);
return ret;
}
static void do_renew(GtkWidget *widget, GtkWidget *entry)
{
char *pass;
krb5_error_code code;
krb5_context kcontext;
krb5_principal me = NULL;
char *service_name = NULL;
krb5_ccache ccache = NULL;
krb5_creds my_creds;
char *msg = NULL;
krb5_deltat start_time = 0;
krb5_deltat lifetime = 10 * 60 * 60;
krb5_get_init_creds_opt opts;
int non_fatal = 0;
pass = g_strdup(gtk_entry_get_text(GTK_ENTRY(entry)));
gtk_entry_set_text(GTK_ENTRY(entry), "");
krb5_get_init_creds_opt_init(&opts);
if (!pass || !strlen(pass))
{
non_fatal = 1;
msg = g_strdup("Incorrect password: please try again.");
}
else if ((code = krb5_init_context(&kcontext)))
msg = g_strdup_printf("%s when initializing kerberos library",
error_message(code));
else if ((code = krb5_cc_default(kcontext, &ccache)))
msg = g_strdup_printf("%s while getting default cache.",
error_message(code));
else if ((code = krb5_parse_name(kcontext, name, &me)))
msg = g_strdup_printf("%s while parsing name %s.", error_message(code),
name);
else if ((code = krb5_get_init_creds_password(kcontext,
&my_creds, me, pass,
krb5_prompter_posix, NULL,
start_time, service_name,
&opts)))
{
if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
{
non_fatal = 1;
msg = g_strdup("Incorrect password: please try again.");
}
else
{
msg = g_strdup_printf("%s while getting initial"
" credentials", error_message(code));
}
}
else
{
if ((code = krb5_cc_initialize(kcontext, ccache, me)))
{
msg = g_strdup_printf("%s while initializing cache",
error_message(code));
}
else if ((code = krb5_cc_store_cred(kcontext, ccache,
&my_creds)))
{
msg = g_strdup_printf("%s while storing credentials",
error_message(code));
}
else
{
if (me)
krb5_free_principal(kcontext, me);
if (ccache)
krb5_cc_close(kcontext, ccache);
krb5_free_context(kcontext);
}
}
g_free(pass);
if (msg)
{
/* encountered an error. don't quit */
if (non_fatal)
do_error_dialog(msg);
else
do_fatal_dialog(msg);
g_free(msg);
}
else
/* no errors, we're done */
{
system("fsid -a > /dev/null");
system("zctl load /dev/null > /dev/null");
exit(0);
}
}
DWORD
VMCALoginUserPrivate(
PCSTR pszUserName,
const char* pszPassword
)
/*
VMCALoginUser Creates a TGT cache for the Process to
communicate with the VMCA
*/
{
DWORD dwError = 0;
krb5_context context = NULL;
krb5_get_init_creds_opt *opt = NULL;
krb5_principal principal = NULL;
krb5_ccache ccache = NULL;
krb5_creds creds = { 0 };
krb5_error_code err_code = 0;
#ifdef DEBUG_KRB
PSTR pszErrstr = NULL;
#endif
err_code = krb5_init_context(&context);
BAIL_ON_ERROR(err_code);
// it is assumed that pszUserName is in user@REALM format.
err_code = krb5_parse_name_flags(
context,
pszUserName,
KRB5_PRINCIPAL_PARSE_REQUIRE_REALM,
&principal);
BAIL_ON_ERROR(err_code);
// Find the default cred cache
err_code = krb5_cc_default(context, &ccache);
BAIL_ON_ERROR(err_code);
#ifdef DEBUG_KRB
printf("Default Cache Name is : %s\n", krb5_cc_default_name(context));
#endif
err_code = krb5_get_init_creds_opt_alloc(context, &opt);
BAIL_ON_ERROR(err_code);
krb5_get_init_creds_opt_set_tkt_life(opt, 2 * 60 * 60); //2 hours ticket
krb5_get_init_creds_opt_set_forwardable(opt, 1);
// Let us get the Creds from the Kerberos Server
err_code = krb5_get_init_creds_password(
context,
&creds,
principal,
(PSTR) pszPassword,
NULL,
NULL,
0,
NULL,
opt);
BAIL_ON_ERROR(err_code);
err_code = krb5_cc_store_cred(context, ccache, &creds);
if ( err_code == KRB5_FCC_NOFILE){
krb5_cc_initialize(context, ccache, principal);
err_code = krb5_cc_store_cred(context, ccache, &creds);
BAIL_ON_ERROR(err_code);
}
BAIL_ON_ERROR(err_code);
cleanup:
if(principal != NULL) {
krb5_free_principal(context, principal);
}
if(opt != NULL){
krb5_get_init_creds_opt_free(context,opt);
}
if ( ccache != NULL) {
krb5_cc_close(context, ccache);
}
krb5_free_cred_contents(context, &creds);
if(context != NULL){
krb5_free_context(context);
}
return dwError;
error :
#ifdef DEBUG_KRB
pszErrstr = (PSTR) krb5_get_error_message(context, err_code);
printf("Error code : %d\n", err_code);
printf("Error Message : %s\n", pszErrstr);
krb5_free_error_message(context, (const char *)pszErrstr);
#endif
dwError = err_code;
goto cleanup;
}
/*
* This function produces a cred with a MEMORY ccache containing a TGT
* acquired with a password.
*/
static OM_uint32
acquire_cred_with_password(OM_uint32 *minor_status,
krb5_context context,
const char *password,
OM_uint32 time_req,
gss_const_OID desired_mech,
gss_cred_usage_t cred_usage,
gsskrb5_cred handle)
{
OM_uint32 ret = GSS_S_FAILURE;
krb5_creds cred;
krb5_get_init_creds_opt *opt;
krb5_ccache ccache = NULL;
krb5_error_code kret;
time_t now;
OM_uint32 left;
if (cred_usage == GSS_C_ACCEPT) {
/*
* TODO: Here we should eventually support user2user (when we get
* support for that via an extension to the mechanism
* allowing for more than two security context tokens),
* and/or new unique MEMORY keytabs (we have MEMORY keytab
* support, but we don't have a keytab equivalent of
* krb5_cc_new_unique()). Either way, for now we can't
* support this.
*/
*minor_status = ENOTSUP; /* XXX Better error? */
return GSS_S_FAILURE;
}
memset(&cred, 0, sizeof(cred));
if (handle->principal == NULL) {
kret = krb5_get_default_principal(context, &handle->principal);
if (kret)
goto end;
}
kret = krb5_get_init_creds_opt_alloc(context, &opt);
if (kret)
goto end;
/*
* Get the current time before the AS exchange so we don't
* accidentally end up returning a value that puts advertised
* expiration past the real expiration.
*
* We need to do this because krb5_cc_get_lifetime() returns a
* relative time that we need to add to the current time. We ought
* to have a version of krb5_cc_get_lifetime() that returns absolute
* time...
*/
krb5_timeofday(context, &now);
kret = krb5_get_init_creds_password(context, &cred, handle->principal,
password, NULL, NULL, 0, NULL, opt);
krb5_get_init_creds_opt_free(context, opt);
if (kret)
goto end;
kret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, &ccache);
if (kret)
goto end;
kret = krb5_cc_initialize(context, ccache, cred.client);
if (kret)
goto end;
kret = krb5_cc_store_cred(context, ccache, &cred);
if (kret)
goto end;
handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE;
ret = __gsskrb5_ccache_lifetime(minor_status, context, ccache,
handle->principal, &left);
if (ret != GSS_S_COMPLETE)
goto end;
handle->endtime = now + left;
handle->ccache = ccache;
ccache = NULL;
ret = GSS_S_COMPLETE;
kret = 0;
end:
if (ccache != NULL)
krb5_cc_destroy(context, ccache);
if (cred.client != NULL)
krb5_free_cred_contents(context, &cred);
if (ret != GSS_S_COMPLETE && kret != 0)
*minor_status = kret;
return (ret);
}
int
main(int argc, char **argv)
{
krb5_context context;
krb5_error_code ret;
krb5_creds cred;
krb5_preauthtype pre_auth_types[] = {KRB5_PADATA_ENC_TIMESTAMP};
krb5_get_init_creds_opt *get_options;
krb5_verify_init_creds_opt verify_options;
krb5_principal principal = NULL;
int optidx = 0;
setprogname (argv[0]);
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
if (help_flag)
usage (0);
if(version_flag) {
print_version(NULL);
exit(0);
}
argc -= optidx;
argv += optidx;
ret = krb5_init_context(&context);
if (ret)
errx (1, "krb5_init_context failed: %d", ret);
ret = krb5_get_init_creds_opt_alloc (context, &get_options);
if (ret)
krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc");
krb5_get_init_creds_opt_set_preauth_list (get_options,
pre_auth_types,
1);
krb5_verify_init_creds_opt_init (&verify_options);
if (argc) {
ret = krb5_parse_name(context, argv[0], &principal);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name: %s", argv[0]);
} else {
ret = krb5_get_default_principal(context, &principal);
if (ret)
krb5_err(context, 1, ret, "krb5_get_default_principal");
}
ret = krb5_get_init_creds_password (context,
&cred,
principal,
NULL,
krb5_prompter_posix,
NULL,
0,
NULL,
get_options);
if (ret)
krb5_err(context, 1, ret, "krb5_get_init_creds");
ret = krb5_verify_init_creds (context,
&cred,
NULL,
NULL,
NULL,
&verify_options);
if (ret)
krb5_err(context, 1, ret, "krb5_verify_init_creds");
krb5_free_cred_contents (context, &cred);
krb5_free_context (context);
return 0;
}
/* Perform one iteration of attempting to get credentials. This includes
* searching existing ccache for requested service if INIT_CREDS. */
static kadm5_ret_t
gic_iter(kadm5_server_handle_t handle, enum init_type init_type,
krb5_ccache ccache, krb5_principal client, char *pass, char *svcname,
char *realm, krb5_principal *server_out)
{
kadm5_ret_t code;
krb5_context ctx;
krb5_keytab kt;
krb5_get_init_creds_opt *opt = NULL;
krb5_creds mcreds, outcreds;
*server_out = NULL;
ctx = handle->context;
kt = NULL;
memset(&opt, 0, sizeof(opt));
memset(&mcreds, 0, sizeof(mcreds));
memset(&outcreds, 0, sizeof(outcreds));
/* Credentials for kadmin don't need to be forwardable or proxiable. */
if (init_type != INIT_CREDS) {
code = krb5_get_init_creds_opt_alloc(ctx, &opt);
krb5_get_init_creds_opt_set_forwardable(opt, 0);
krb5_get_init_creds_opt_set_proxiable(opt, 0);
krb5_get_init_creds_opt_set_out_ccache(ctx, opt, ccache);
if (init_type == INIT_ANONYMOUS)
krb5_get_init_creds_opt_set_anonymous(opt, 1);
}
if (init_type == INIT_PASS || init_type == INIT_ANONYMOUS) {
code = krb5_get_init_creds_password(ctx, &outcreds, client, pass,
krb5_prompter_posix,
NULL, 0, svcname, opt);
if (code)
goto error;
} else if (init_type == INIT_SKEY) {
if (pass) {
code = krb5_kt_resolve(ctx, pass, &kt);
if (code)
goto error;
}
code = krb5_get_init_creds_keytab(ctx, &outcreds, client, kt,
0, svcname, opt);
if (pass)
krb5_kt_close(ctx, kt);
if (code)
goto error;
} else if (init_type == INIT_CREDS) {
mcreds.client = client;
code = krb5_parse_name_flags(ctx, svcname,
KRB5_PRINCIPAL_PARSE_IGNORE_REALM,
&mcreds.server);
if (code)
goto error;
code = krb5_set_principal_realm(ctx, mcreds.server, realm);
if (code)
goto error;
code = krb5_cc_retrieve_cred(ctx, ccache, 0,
&mcreds, &outcreds);
krb5_free_principal(ctx, mcreds.server);
if (code)
goto error;
} else {
code = EINVAL;
goto error;
}
/* Steal the server principal of the creds we acquired and return it to the
* caller, which needs to knows what service to authenticate to. */
*server_out = outcreds.server;
outcreds.server = NULL;
error:
krb5_free_cred_contents(ctx, &outcreds);
if (opt)
krb5_get_init_creds_opt_free(ctx, opt);
return code;
}
static void
generate_requests (const char *filename, unsigned nreq)
{
krb5_context context;
krb5_error_code ret;
int i;
char **words;
unsigned nwords;
ret = krb5_init_context (&context);
if (ret)
errx (1, "krb5_init_context failed: %d", ret);
nwords = read_words (filename, &words);
for (i = 0; i < nreq; ++i) {
char *name = words[rand() % nwords];
krb5_get_init_creds_opt *opt;
krb5_creds cred;
krb5_principal principal;
int result_code;
krb5_data result_code_string, result_string;
char *old_pwd, *new_pwd;
int aret;
krb5_get_init_creds_opt_alloc (context, &opt);
krb5_get_init_creds_opt_set_tkt_life (opt, 300);
krb5_get_init_creds_opt_set_forwardable (opt, FALSE);
krb5_get_init_creds_opt_set_proxiable (opt, FALSE);
ret = krb5_parse_name (context, name, &principal);
if (ret)
krb5_err (context, 1, ret, "krb5_parse_name %s", name);
aret = asprintf (&old_pwd, "%s", name);
if (aret == -1)
krb5_errx(context, 1, "out of memory");
aret = asprintf (&new_pwd, "%s2", name);
if (aret == -1)
krb5_errx(context, 1, "out of memory");
ret = krb5_get_init_creds_password (context,
&cred,
principal,
old_pwd,
nop_prompter,
NULL,
0,
"kadmin/changepw",
opt);
if( ret == KRB5KRB_AP_ERR_BAD_INTEGRITY
|| ret == KRB5KRB_AP_ERR_MODIFIED) {
char *tmp;
tmp = new_pwd;
new_pwd = old_pwd;
old_pwd = tmp;
ret = krb5_get_init_creds_password (context,
&cred,
principal,
old_pwd,
nop_prompter,
NULL,
0,
"kadmin/changepw",
opt);
}
if (ret)
krb5_err (context, 1, ret, "krb5_get_init_creds_password");
krb5_free_principal (context, principal);
ret = krb5_set_password (context,
&cred,
new_pwd,
NULL,
&result_code,
&result_code_string,
&result_string);
if (ret)
krb5_err (context, 1, ret, "krb5_change_password");
free (old_pwd);
free (new_pwd);
krb5_free_cred_contents (context, &cred);
krb5_get_init_creds_opt_free(context, opt);
}
}
/*
* call-seq:
* change_password(old_password, new_password)
*
* Allow user to change their Kerberos password, providing the +old_password+
* and the +new_password+.
*
* Returns true on success, raises a Krb5Auth::Krb5::Exception on failure.
*/
static VALUE Krb5_change_password(VALUE self, VALUE v_old, VALUE v_new)
{
char *oldpass;
char *newpass;
int pw_result;
struct ruby_krb5 *kerb;
krb5_error_code krbret;
krb5_data pw_res_string, res_string;
Check_Type(v_old, T_STRING);
Check_Type(v_new, T_STRING);
oldpass = StringValueCStr(v_old);
newpass = StringValueCStr(v_new);
Data_Get_Struct(self, struct ruby_krb5, kerb);
if(!kerb){
NOSTRUCT_EXCEPT();
return Qfalse;
}
krbret = krb5_get_init_creds_password(
kerb->ctx,
&kerb->creds,
kerb->princ,
oldpass,
NULL,
NULL,
0,
"kadmin/changepw",
NULL
);
if(krbret){
Krb5_register_error(krbret);
return Qfalse;
}
krbret = krb5_change_password(
kerb->ctx,
&kerb->creds,
newpass,
&pw_result,
&pw_res_string,
&res_string
);
// 0 is success. Anything else is failure.
if(krbret){
Krb5_register_error(krbret);
return Qfalse;
}
if(pw_result){
Krb5_register_error(pw_result);
return Qfalse;
}
return Qtrue;
}
static int32_t
acquire_cred(struct client *c,
krb5_principal principal,
krb5_get_init_creds_opt *opt,
int32_t *handle)
{
krb5_error_code ret;
krb5_creds cred;
krb5_ccache id;
gss_cred_id_t gcred;
OM_uint32 maj_stat, min_stat;
*handle = 0;
krb5_get_init_creds_opt_set_forwardable (opt, 1);
krb5_get_init_creds_opt_set_renew_life (opt, 3600 * 24 * 30);
memset(&cred, 0, sizeof(cred));
ret = krb5_get_init_creds_password (context,
&cred,
principal,
NULL,
NULL,
NULL,
0,
NULL,
opt);
if (ret) {
logmessage(c, __FILE__, __LINE__, 0,
"krb5_get_init_creds failed: %d", ret);
return convert_krb5_to_gsm(ret);
}
ret = krb5_cc_new_unique(context, "MEMORY", NULL, &id);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_initialize");
ret = krb5_cc_initialize (context, id, cred.client);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_initialize");
ret = krb5_cc_store_cred (context, id, &cred);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_store_cred");
krb5_free_cred_contents (context, &cred);
maj_stat = gss_krb5_import_cred(&min_stat,
id,
NULL,
NULL,
&gcred);
krb5_cc_close(context, id);
if (maj_stat) {
logmessage(c, __FILE__, __LINE__, 0,
"krb5 import creds failed with: %d", maj_stat);
return convert_gss_to_gsm(maj_stat);
}
*handle = add_handle(c, handle_cred, gcred);
return 0;
}
static OM_uint32 acquire_initiator_cred
(OM_uint32 * minor_status,
krb5_context context,
gss_const_OID credential_type,
const void *credential_data,
gss_const_name_t desired_name,
OM_uint32 time_req,
gss_const_OID desired_mech,
gss_cred_usage_t cred_usage,
gsskrb5_cred handle
)
{
OM_uint32 ret;
krb5_creds cred;
krb5_principal def_princ;
krb5_get_init_creds_opt *opt;
krb5_ccache ccache;
krb5_keytab keytab;
krb5_error_code kret;
keytab = NULL;
ccache = NULL;
def_princ = NULL;
ret = GSS_S_FAILURE;
memset(&cred, 0, sizeof(cred));
/*
* If we have a preferred principal, lets try to find it in all
* caches, otherwise, fall back to default cache, ignore all
* errors while searching.
*/
if (credential_type != GSS_C_NO_OID &&
!gss_oid_equal(credential_type, GSS_C_CRED_PASSWORD)) {
kret = KRB5_NOCREDS_SUPPLIED; /* XXX */
goto end;
}
if (handle->principal) {
kret = krb5_cc_cache_match (context,
handle->principal,
&ccache);
if (kret == 0) {
ret = GSS_S_COMPLETE;
goto found;
}
}
if (ccache == NULL) {
kret = krb5_cc_default(context, &ccache);
if (kret)
goto end;
}
kret = krb5_cc_get_principal(context, ccache, &def_princ);
if (kret != 0) {
/* we'll try to use a keytab below */
krb5_cc_close(context, ccache);
def_princ = NULL;
kret = 0;
} else if (handle->principal == NULL) {
kret = krb5_copy_principal(context, def_princ, &handle->principal);
if (kret)
goto end;
} else if (handle->principal != NULL &&
krb5_principal_compare(context, handle->principal,
def_princ) == FALSE) {
krb5_free_principal(context, def_princ);
def_princ = NULL;
krb5_cc_close(context, ccache);
ccache = NULL;
}
if (def_princ == NULL) {
/* We have no existing credentials cache,
* so attempt to get a TGT using a keytab.
*/
if (handle->principal == NULL) {
kret = krb5_get_default_principal(context, &handle->principal);
if (kret)
goto end;
}
kret = krb5_get_init_creds_opt_alloc(context, &opt);
if (kret)
goto end;
if (credential_type != GSS_C_NO_OID &&
gss_oid_equal(credential_type, GSS_C_CRED_PASSWORD)) {
gss_buffer_t password = (gss_buffer_t)credential_data;
/* XXX are we requiring password to be NUL terminated? */
kret = krb5_get_init_creds_password(context, &cred,
handle->principal,
password->value,
NULL, NULL, 0, NULL, opt);
} else {
kret = get_keytab(context, &keytab);
if (kret) {
krb5_get_init_creds_opt_free(context, opt);
goto end;
}
kret = krb5_get_init_creds_keytab(context, &cred,
handle->principal, keytab,
0, NULL, opt);
}
krb5_get_init_creds_opt_free(context, opt);
if (kret)
goto end;
kret = krb5_cc_new_unique(context, krb5_cc_type_memory,
NULL, &ccache);
if (kret)
goto end;
kret = krb5_cc_initialize(context, ccache, cred.client);
if (kret) {
krb5_cc_destroy(context, ccache);
goto end;
}
kret = krb5_cc_store_cred(context, ccache, &cred);
if (kret) {
krb5_cc_destroy(context, ccache);
goto end;
}
handle->lifetime = cred.times.endtime;
handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE;
} else {
ret = __gsskrb5_ccache_lifetime(minor_status,
context,
ccache,
handle->principal,
&handle->lifetime);
if (ret != GSS_S_COMPLETE) {
krb5_cc_close(context, ccache);
goto end;
}
kret = 0;
}
found:
handle->ccache = ccache;
ret = GSS_S_COMPLETE;
end:
if (cred.client != NULL)
krb5_free_cred_contents(context, &cred);
if (def_princ != NULL)
krb5_free_principal(context, def_princ);
if (keytab != NULL)
krb5_kt_close(context, keytab);
if (ret != GSS_S_COMPLETE && kret != 0)
*minor_status = kret;
return (ret);
}
