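/*
 * @Description: send session setup kerberos.
 * Walks the SPNEGO/Kerberos session-setup sequence: parse the server's
 * negTokenInit, confirm Kerberos is offered, obtain a TGT (AS-REQ), derive
 * the target principal and send the Kerberos session setup, then collect
 * the reply.
 * @input: user name, password, domain of user, server name.
 * @return: 0 if success, -1 if error
 *
 * NOTE(review): the helpers below are called without arguments and their
 * results are not inspected, so this reads as an outline of the sequence
 * rather than the finished implementation; user/pass/user_domain/dest_realm
 * are not yet passed through to them.
 */
int cli_session_setup_spnego_send(const char *user,
                                  const char *pass,
                                  const char *user_domain,
                                  const char *dest_realm)
{
    int status = -1;
    char *principal = NULL;

    /* Parse the SPNEGO negTokenInit received with SMB2 NEGOTIATE: this
     * yields the list of offered mech OIDs and the spnego_principal hint. */
    spnego_parse_negTokenInit();

    /* Only continue if the server advertised Kerberos; otherwise status
     * stays -1 and the caller must fall back. */
    if (check_kerberos()) {
        /* AS-REQ: obtain a TGT for the user. Elsewhere on this page
         * kerberos_kinit_password() reports failure with a non-zero krb5
         * error code; that result is not checked here yet. */
        kerberos_kinit_password();

        /* Build the target service principal from the remote name. */
        principal = cli_session_setup_get_principal();
        if (principal) {
            /* Send the Kerberos session setup ... */
            cli_session_setup_kerberos_send();
            /* ... then poll for the reply and parse it. */
            cli_session_setup_spnego_done_krb();

            /* Fix: the documented contract is 0 on success, but status was
             * never updated, so every caller saw -1 even after the full
             * sequence ran. */
            status = 0;
        }
    }

    /* NOTE(review): `principal` is not released here and the ownership
     * contract of cli_session_setup_get_principal() is not visible on this
     * page; confirm whether it allocates and free it accordingly. */
    return status;
}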
/*
 * Change or set a principal's Kerberos password through kpasswd.
 *
 * Step 1: kinit as auth_principal with auth_password so the ccache holds a
 *         TGT; a krb5 failure is logged (principal only, never the password)
 *         and returned wrapped as ADS_STATUS.
 * Step 2: pick the kpasswd operation by comparing the two principal names:
 *         - identical names -> "change password" for target_principal, which
 *           also needs the current password (auth_password);
 *         - different names  -> "set password" for target_principal, which
 *           sends only the new password.
 * time_offset is forwarded to every krb5 call to compensate for clock skew
 * against the KDC.
 */
ADS_STATUS kerberos_set_password(const char *kpasswd_server,
                                 const char *auth_principal,
                                 const char *auth_password,
                                 const char *target_principal,
                                 const char *new_password,
                                 int time_offset)
{
    int krb_err = kerberos_kinit_password(auth_principal, auth_password,
                                          time_offset, NULL);
    if (krb_err != 0) {
        DEBUG(1, ("Failed kinit for principal %s (%s)\n",
                  auth_principal, error_message(krb_err)));
        return ADS_ERROR_KRB5(krb_err);
    }

    /* Same principal on both sides means a self-service change. */
    int same_principal = (strcmp(auth_principal, target_principal) == 0);
    if (same_principal) {
        return ads_krb5_chg_password(kpasswd_server, target_principal,
                                     auth_password, new_password,
                                     time_offset);
    }

    return ads_krb5_set_password(kpasswd_server, target_principal,
                                 new_password, time_offset);
}
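/*
 * Run kinit to set up our ccache: obtain a TGT for
 * ads->auth.user_name@ads->auth.realm using ads->auth.password.
 *
 * @return 0 on success, otherwise a krb5 error code:
 *   KRB5_LIBOS_CANTREADPWD when no password is available,
 *   KRB5_CC_NOMEM when the principal string cannot be allocated,
 *   or whatever kerberos_kinit_password() reported.
 */
int ads_kinit_password(ADS_STRUCT *ads)
{
    /* Check for a password before allocating anything: the original built
     * the principal string first and leaked it when returning on this path. */
    if (!ads->auth.password) {
        return KRB5_LIBOS_CANTREADPWD;
    }

    char *principal = NULL;
    if (asprintf(&principal, "%s@%s",
                 ads->auth.user_name, ads->auth.realm) == -1) {
        return KRB5_CC_NOMEM;
    }

    int ret = kerberos_kinit_password(principal, ads->auth.password,
                                      ads->auth.time_offset);
    if (ret) {
        /* Log the principal and krb5 error only; the password must never
         * appear in the log. */
        DEBUG(0, ("kerberos_kinit_password %s failed: %s\n",
                  principal, error_message(ret)));
    }

    free(principal);
    return ret;
}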
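/*
 * Client side of GSS-SPNEGO/KRB5: given the server's negTokenInit, obtain a
 * Kerberos ticket and emit our own negTokenInit carrying it.
 *
 * The server's mechListMIC blob is used verbatim as the name of the service
 * principal to request a ticket for. If the ccache yields no ticket, a TGT
 * is requested with opt_username@opt_domain and opt_password; when no
 * password is known yet, "PW" is written to the caller to ask for one.
 *
 * Output on x_stdout: "PW" (password needed) or
 * "KK <base64 negTokenInit> *" (token ready).
 * Returns True when something was written to the caller (including the "PW"
 * request), False on any error.
 *
 * Security note: the principal name comes from the peer's token and is not
 * checked against the server we intend to talk to, so the ticket obtained
 * here is for whatever name the peer supplied. The session key returned
 * with the ticket is released unused in this function.
 */
static BOOL manage_client_krb5_init(SPNEGO_DATA spnego)
{
    char *principal;
    DATA_BLOB tkt, to_server;
    DATA_BLOB session_key_krb5 = data_blob(NULL, 0);
    SPNEGO_DATA reply;
    char *reply_base64;
    int retval;
    const char *my_mechs[] = {OID_KERBEROS5_OLD, NULL};
    ssize_t len;
    const DATA_BLOB *hint = &spnego.negTokenInit.mechListMIC;

    if (hint->data == NULL || hint->length == 0) {
        DEBUG(1, ("Did not get a principal for krb5\n"));
        return False;
    }

    /* Copy the untrusted principal hint into a NUL-terminated string; the
     * blob carries no terminator, so the copy is bounded by its length and
     * terminated explicitly. */
    principal = SMB_MALLOC(hint->length + 1);
    if (principal == NULL) {
        DEBUG(1, ("Could not malloc principal\n"));
        return False;
    }
    memcpy(principal, hint->data, hint->length);
    principal[hint->length] = '\0';

    retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0, NULL);
    if (retval) {
        pstring user;

        /* No usable ticket in the ccache: a TGT is needed first, and that
         * requires a password. */
        if (opt_password == NULL) {
            DEBUG(10, ("Requesting password\n"));
            x_fprintf(x_stdout, "PW\n");
            /* Fix: principal was leaked on this and the two error paths
             * below. */
            SAFE_FREE(principal);
            return True;
        }

        pstr_sprintf(user, "%s@%s", opt_username, opt_domain);
        if ((retval = kerberos_kinit_password(user, opt_password, 0, NULL))) {
            DEBUG(10, ("Requesting TGT failed: %s\n", error_message(retval)));
            SAFE_FREE(principal);
            return False;
        }

        retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0, NULL);
        if (retval) {
            DEBUG(10, ("Kinit suceeded, but getting a ticket failed: %s\n",
                       error_message(retval)));
            SAFE_FREE(principal);
            return False;
        }
    }

    /* The principal string has served its purpose once we hold a ticket. */
    SAFE_FREE(principal);

    /* The session key is not consumed here; release it. */
    data_blob_free(&session_key_krb5);

    /* Wrap the ticket in a negTokenInit offering only the (old) KRB5 OID. */
    ZERO_STRUCT(reply);
    reply.type = SPNEGO_NEG_TOKEN_INIT;
    reply.negTokenInit.mechTypes = my_mechs;
    reply.negTokenInit.reqFlags = 0;
    reply.negTokenInit.mechToken = tkt;
    reply.negTokenInit.mechListMIC = data_blob(NULL, 0);

    len = write_spnego_data(&to_server, &reply);
    data_blob_free(&tkt);
    if (len == -1) {
        DEBUG(1, ("Could not write SPNEGO data blob\n"));
        return False;
    }

    reply_base64 = base64_encode_data_blob(to_server);
    x_fprintf(x_stdout, "KK %s *\n", reply_base64);
    SAFE_FREE(reply_base64);
    data_blob_free(&to_server);

    DEBUG(10, ("sent GSS-SPNEGO KERBEROS5 negTokenInit\n"));
    return True;
}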