static E2kKerberosResult get_init_cred (krb5_context ctx, const char *usr_name, const char *passwd, const char *in_tkt_service, krb5_creds *cred) { krb5_principal principal; krb5_get_init_creds_opt opt; krb5_error_code result; result = krb5_parse_name (ctx, usr_name, &principal); if (result) return E2K_KERBEROS_USER_UNKNOWN; krb5_get_init_creds_opt_init (&opt); krb5_get_init_creds_opt_set_tkt_life (&opt, 5*60); krb5_get_init_creds_opt_set_renew_life (&opt, 0); krb5_get_init_creds_opt_set_forwardable (&opt, 0); krb5_get_init_creds_opt_set_proxiable (&opt, 0); result = krb5_get_init_creds_password (ctx, cred, principal, (char *) passwd, NULL, NULL, 0, (char *) in_tkt_service, &opt); krb5_free_principal (ctx, principal); return krb5_result_to_e2k_kerberos_result (result); }
void ceo_krb5_auth(char *principal) { krb5_error_code retval; krb5_creds creds; krb5_principal princ; krb5_ccache cache; krb5_get_init_creds_opt options; krb5_get_init_creds_opt_init(&options); memset(&creds, 0, sizeof(creds)); debug("krb5: getting TGT using keytab for %s", principal); if ((retval = krb5_parse_name(context, principal, &princ))) com_err(prog, retval, "while resolving user %s", principal); if ((retval = krb5_cc_default(context, &cache))) com_err(prog, retval, "while resolving credentials cache"); if ((retval = krb5_get_init_creds_keytab(context, &creds, princ, NULL, 0, NULL, &options))) com_err(prog, retval, "while getting initial credentials"); if ((retval = krb5_cc_initialize(context, cache, princ))) com_err(prog, retval, "while initializing credentials cache"); if ((retval = krb5_cc_store_cred(context, cache, &creds))) com_err(prog, retval, "while storing credentials"); krb5_free_cred_contents(context, &creds); krb5_free_principal(context, princ); krb5_cc_close(context, cache); }
/* Inspired by krb5_verify_user from Heimdal */ static krb5_error_code verify_krb5_user(krb5_context context, krb5_principal principal, const char *password, krb5_principal server) { krb5_creds creds; krb5_get_init_creds_opt gic_options; krb5_error_code ret; char *name = NULL; memset(&creds, 0, sizeof(creds)); ret = krb5_unparse_name(context, principal, &name); if (ret == 0) { #ifdef PRINTFS printf("Trying to get TGT for user %s\n", name); #endif free(name); } krb5_get_init_creds_opt_init(&gic_options); ret = krb5_get_init_creds_password(context, &creds, principal, (char *)password, NULL, NULL, 0, NULL, &gic_options); if (ret) { set_basicauth_error(context, ret); goto end; } end: krb5_free_cred_contents(context, &creds); return ret; }
int v5::renewCredential(krb5_context kcontext, krb5_principal kprincipal, krb5_timestamp *tgtEndtime) { krb5_error_code retval; krb5_creds my_creds; krb5_ccache ccache; krb5_get_init_creds_opt opts; qDebug("renew called"); if (kprincipal == NULL) { qDebug("No principal name"); return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; } krb5_get_init_creds_opt_init(&opts); if (getTgtFromCcache (kcontext, &my_creds)) { qDebug("got tgt from ccache"); //setOptionsUsingCreds(kcontext, &my_creds, &opts); *tgtEndtime = my_creds.times.endtime; krb5_free_cred_contents(kcontext, &my_creds); } else { qDebug("TGT expired"); *tgtEndtime = 0; } retval = krb5_cc_default(kcontext, &ccache); if (retval) return retval; retval = krb5_get_renewed_creds(kcontext, &my_creds, kprincipal, ccache, NULL); qDebug("krb5_get_renewed_creds returned: %d", retval); if (retval) goto out; retval = krb5_cc_initialize(kcontext, ccache, kprincipal); if (retval) goto out; retval = krb5_cc_store_cred(kcontext, ccache, &my_creds); if (retval) goto out; *tgtEndtime = my_creds.times.endtime; out: krb5_free_cred_contents(kcontext, &my_creds); krb5_cc_close (kcontext, ccache); return retval; }
/* * Allocate and initialize a krb5_get_init_creds_opt struct. This code * assumes that an all-zero bit pattern will create a NULL pointer. */ krb5_error_code krb5_get_init_creds_opt_alloc(krb5_context ctx UNUSED, krb5_get_init_creds_opt **opts) { *opts = calloc(1, sizeof(krb5_get_init_creds_opt)); if (*opts == NULL) return errno; krb5_get_init_creds_opt_init(*opts); return 0; }
static PyObject * k5_change_password(PyObject *self, PyObject *args) { int result_code; char *name, *oldpass, *newpass; krb5_context ctx; krb5_error_code code; krb5_principal principal; krb5_get_init_creds_opt options; krb5_creds creds; krb5_data result_code_string, result_string; if (!PyArg_ParseTuple(args, "sss", &name, &oldpass, &newpass)) return NULL; /* Initialize parameters. */ code = krb5_init_context(&ctx); RETURN_ON_ERROR("krb5_init_context()", code); code = krb5_parse_name(ctx, name, &principal); RETURN_ON_ERROR("krb5_parse_name()", code); /* Get credentials using the password. */ krb5_get_init_creds_opt_init(&options); krb5_get_init_creds_opt_set_tkt_life(&options, 5*60); krb5_get_init_creds_opt_set_renew_life(&options, 0); krb5_get_init_creds_opt_set_forwardable(&options, 0); krb5_get_init_creds_opt_set_proxiable(&options, 0); memset(&creds, 0, sizeof (creds)); code = krb5_get_init_creds_password(ctx, &creds, principal, oldpass, NULL, NULL, 0, "kadmin/changepw", &options); RETURN_ON_ERROR("krb5_get_init_creds_password()", code); code = krb5_change_password(ctx, &creds, newpass, &result_code, &result_code_string, &result_string); RETURN_ON_ERROR("krb5_change_password()", code); /* Any other error? */ if (result_code != 0) { _k5_set_password_error(&result_code_string, &result_string); return NULL; } /* Free up results. */ if (result_code_string.data != NULL) free(result_code_string.data); if (result_string.data != NULL) free(result_string.data); Py_INCREF(Py_None); return Py_None; }
static PyObject * k5_get_init_creds_keytab(PyObject *self, PyObject *args) { char *name, *ktname; krb5_context ctx; krb5_error_code code; krb5_keytab keytab; krb5_ccache ccache; krb5_principal principal; krb5_get_init_creds_opt options; krb5_creds creds; if (!PyArg_ParseTuple(args, "sz", &name, &ktname)) return NULL; /* Initialize parameters. */ code = krb5_init_context(&ctx); RETURN_ON_ERROR("krb5_init_context()", code); code = krb5_parse_name(ctx, name, &principal); RETURN_ON_ERROR("krb5_parse_name()", code); krb5_get_init_creds_opt_init(&options); memset(&creds, 0, sizeof (creds)); /* Resolve keytab */ if (ktname) { code = krb5_kt_resolve(ctx, ktname, &keytab); RETURN_ON_ERROR("krb5_kt_resolve()", code); } else { code = krb5_kt_default(ctx, &keytab); RETURN_ON_ERROR("krb5_kt_resolve()", code); } /* Get the credentials. */ code = krb5_get_init_creds_keytab(ctx, &creds, principal, keytab, 0, NULL, &options); RETURN_ON_ERROR("krb5_get_init_creds_keytab()", code); /* Store the credential in the credential cache. */ code = krb5_cc_default(ctx, &ccache); RETURN_ON_ERROR("krb5_cc_default()", code); code = krb5_cc_initialize(ctx, ccache, principal); RETURN_ON_ERROR("krb5_cc_initialize()", code); code = krb5_cc_store_cred(ctx, ccache, &creds); RETURN_ON_ERROR("krb5_cc_store_creds()", code); krb5_cc_close(ctx, ccache); Py_INCREF(Py_None); return Py_None; }
krb5_error_code KRB5_CALLCONV sss_krb5_get_init_creds_opt_alloc( krb5_context context, krb5_get_init_creds_opt **opt) { #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC return krb5_get_init_creds_opt_alloc(context, opt); #else *opt = calloc(1, sizeof(krb5_get_init_creds_opt)); if (*opt == NULL) { return ENOMEM; } krb5_get_init_creds_opt_init(*opt); return 0; #endif }
/* simulate a kinit, putting the tgt in the given credentials cache. Orignally by [email protected] */ int kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc, krb5_principal principal, const char *password, time_t *expire_time, time_t *kdc_time) { krb5_error_code code = 0; krb5_creds my_creds; krb5_get_init_creds_opt options; krb5_get_init_creds_opt_init(&options); krb5_get_init_creds_opt_set_default_flags(ctx, NULL, NULL, &options); if ((code = krb5_get_init_creds_password(ctx, &my_creds, principal, password, NULL, NULL, 0, NULL, &options))) { return code; } if ((code = krb5_cc_initialize(ctx, cc, principal))) { krb5_free_cred_contents(ctx, &my_creds); return code; } if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) { krb5_free_cred_contents(ctx, &my_creds); return code; } if (expire_time) { *expire_time = (time_t) my_creds.times.endtime; } if (kdc_time) { *kdc_time = (time_t) my_creds.times.starttime; } krb5_free_cred_contents(ctx, &my_creds); return 0; }
static PyObject * k5_get_init_creds_password(PyObject *self, PyObject *args) { char *name, *password; krb5_context ctx; krb5_error_code code; krb5_ccache ccache; krb5_principal principal; krb5_get_init_creds_opt options; krb5_creds creds; if (!PyArg_ParseTuple(args, "ss", &name, &password)) return NULL; /* Initialize parameters. */ code = krb5_init_context(&ctx); RETURN_ON_ERROR("krb5_init_context()", code); code = krb5_parse_name(ctx, name, &principal); RETURN_ON_ERROR("krb5_parse_name()", code); krb5_get_init_creds_opt_init(&options); memset(&creds, 0, sizeof (creds)); /* Get the credentials. */ code = krb5_get_init_creds_password(ctx, &creds, principal, password, NULL, NULL, 0, NULL, &options); RETURN_ON_ERROR("krb5_get_init_creds_password()", code); /* Store the credential in the credential cache. */ code = krb5_cc_default(ctx, &ccache); RETURN_ON_ERROR("krb5_cc_default()", code); code = krb5_cc_initialize(ctx, ccache, principal); RETURN_ON_ERROR("krb5_cc_initialize()", code); code = krb5_cc_store_cred(ctx, ccache, &creds); RETURN_ON_ERROR("krb5_cc_store_creds()", code); krb5_cc_close(ctx, ccache); Py_INCREF(Py_None); return Py_None; }
krb5_error_code smb_krb5_get_init_creds_opt_alloc(krb5_context context, krb5_get_init_creds_opt **opt) { #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC /* Heimdal or modern MIT version */ return krb5_get_init_creds_opt_alloc(context, opt); #else /* Historical MIT version */ krb5_get_init_creds_opt *my_opt; *opt = NULL; if ((my_opt = SMB_MALLOC(sizeof(krb5_get_init_creds_opt))) == NULL) { return ENOMEM; } krb5_get_init_creds_opt_init(my_opt); *opt = my_opt; return 0; #endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC */ }
krb5_error_code KRB5_LIB_FUNCTION krb5_get_init_creds_opt_alloc(krb5_context context, krb5_get_init_creds_opt **opt) { krb5_get_init_creds_opt *o; *opt = NULL; o = calloc(1, sizeof(*o)); if (o == NULL) { krb5_set_error_string(context, "out of memory"); return ENOMEM; } krb5_get_init_creds_opt_init(o); o->opt_private = calloc(1, sizeof(*o->opt_private)); if (o->opt_private == NULL) { krb5_set_error_string(context, "out of memory"); free(o); return ENOMEM; } o->opt_private->refcount = 1; *opt = o; return 0; }
static int CommandProc(struct cmd_syndesc *as, void *arock) { krb5_principal princ = 0; char *cell, *pname, **hrealms, *service; char service_temp[MAXKTCREALMLEN + 20]; krb5_creds incred[1], mcred[1], *outcred = 0, *afscred; krb5_ccache cc = 0; #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC krb5_get_init_creds_opt *gic_opts; #else krb5_get_init_creds_opt gic_opts[1]; #endif char *tofree = NULL, *outname; int code; char *what; int i, dosetpag, evil, noprdb, id; #ifdef AFS_RXK5 int authtype; #endif krb5_data enc_part[1]; krb5_prompter_fct pf = NULL; char *pass = 0; void *pa = 0; struct kp_arg klog_arg[1]; char passwd[BUFSIZ]; struct afsconf_cell cellconfig[1]; static char rn[] = "klog"; /*Routine name */ static int Pipe = 0; /* reading from a pipe */ static int Silent = 0; /* Don't want error messages */ int writeTicketFile = 0; /* write ticket file to /tmp */ service = 0; memset(incred, 0, sizeof *incred); /* blow away command line arguments */ for (i = 1; i < zero_argc; i++) memset(zero_argv[i], 0, strlen(zero_argv[i])); zero_argc = 0; memset(klog_arg, 0, sizeof *klog_arg); /* first determine quiet flag based on -silent switch */ Silent = (as->parms[aSILENT].items ? 1 : 0); if (Silent) { afs_set_com_err_hook(silent_errors); } if ((code = krb5_init_context(&k5context))) { afs_com_err(rn, code, "while initializing Kerberos 5 library"); KLOGEXIT(code); } if ((code = rx_Init(0))) { afs_com_err(rn, code, "while initializing rx"); KLOGEXIT(code); } initialize_U_error_table(); /*initialize_krb5_error_table();*/ initialize_RXK_error_table(); initialize_KTC_error_table(); initialize_ACFG_error_table(); /* initialize_rx_error_table(); */ if (!(tdir = afsconf_Open(AFSDIR_CLIENT_ETC_DIRPATH))) { afs_com_err(rn, 0, "can't get afs configuration (afsconf_Open(%s))", AFSDIR_CLIENT_ETC_DIRPATH); KLOGEXIT(1); } /* * Enable DES enctypes, which are currently still required for AFS. * krb5_allow_weak_crypto is MIT Kerberos 1.8. krb5_enctype_enable is * Heimdal. */ #if defined(HAVE_KRB5_ENCTYPE_ENABLE) i = krb5_enctype_valid(k5context, ETYPE_DES_CBC_CRC); if (i) krb5_enctype_enable(k5context, ETYPE_DES_CBC_CRC); #elif defined(HAVE_KRB5_ALLOW_WEAK_CRYPTO) krb5_allow_weak_crypto(k5context, 1); #endif /* Parse remaining arguments. */ dosetpag = !! as->parms[aSETPAG].items; Pipe = !! as->parms[aPIPE].items; writeTicketFile = !! as->parms[aTMP].items; noprdb = !! as->parms[aNOPRDB].items; evil = (always_evil&1) || !! as->parms[aUNWRAP].items; #ifdef AFS_RXK5 authtype = 0; if (as->parms[aK5].items) authtype |= FORCE_RXK5; if (as->parms[aK4].items) authtype |= FORCE_RXKAD; if (!authtype) authtype |= env_afs_rxk5_default(); #endif cell = as->parms[aCELL].items ? as->parms[aCELL].items->data : 0; if ((code = afsconf_GetCellInfo(tdir, cell, "afsprot", cellconfig))) { if (cell) afs_com_err(rn, code, "Can't get cell information for '%s'", cell); else afs_com_err(rn, code, "Can't get determine local cell!"); KLOGEXIT(code); } if (as->parms[aKRBREALM].items) { code = krb5_set_default_realm(k5context, as->parms[aKRBREALM].items->data); if (code) { afs_com_err(rn, code, "Can't make <%s> the default realm", as->parms[aKRBREALM].items->data); KLOGEXIT(code); } } else if ((code = krb5_get_host_realm(k5context, cellconfig->hostName[0], &hrealms))) { afs_com_err(rn, code, "Can't get realm for host <%s> in cell <%s>\n", cellconfig->hostName[0], cellconfig->name); KLOGEXIT(code); } else { if (hrealms && *hrealms) { code = krb5_set_default_realm(k5context, *hrealms); if (code) { afs_com_err(rn, code, "Can't make <%s> the default realm", *hrealms); KLOGEXIT(code); } } if (hrealms) krb5_free_host_realm(k5context, hrealms); } id = getuid(); if (as->parms[aPRINCIPAL].items) { pname = as->parms[aPRINCIPAL].items->data; } else { /* No explicit name provided: use Unix uid. */ struct passwd *pw; pw = getpwuid(id); if (pw == 0) { afs_com_err(rn, 0, "Can't figure out your name from your user id (%d).", id); if (!Silent) fprintf(stderr, "%s: Try providing the user name.\n", rn); KLOGEXIT(1); } pname = pw->pw_name; } code = krb5_parse_name(k5context, pname, &princ); if (code) { afs_com_err(rn, code, "Can't parse principal <%s>", pname); KLOGEXIT(code); } if (as->parms[aPASSWORD].items) { /* * Current argument is the desired password string. Remember it in * our local buffer, and zero out the argument string - anyone can * see it there with ps! */ strncpy(passwd, as->parms[aPASSWORD].items->data, sizeof(passwd)); memset(as->parms[aPASSWORD].items->data, 0, strlen(as->parms[aPASSWORD].items->data)); pass = passwd; } /* Get the password if it wasn't provided. */ if (!pass) { if (Pipe) { strncpy(passwd, getpipepass(), sizeof(passwd)); pass = passwd; } else { pf = klog_prompter; pa = klog_arg; } } service = 0; #ifdef AFS_RXK5 if (authtype & FORCE_RXK5) { tofree = get_afs_krb5_svc_princ(cellconfig); snprintf(service_temp, sizeof service_temp, "%s", tofree); } else #endif snprintf (service_temp, sizeof service_temp, "afs/%s", cellconfig->name); klog_arg->pp = &pass; klog_arg->pstore = passwd; klog_arg->allocated = sizeof(passwd); /* XXX should allow k5 to prompt in most cases -- what about expired pw?*/ #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC code = krb5_get_init_creds_opt_alloc(k5context, &gic_opts); if (code) { afs_com_err(rn, code, "Can't allocate get_init_creds options"); KLOGEXIT(code); } #else krb5_get_init_creds_opt_init(gic_opts); #endif for (;;) { code = krb5_get_init_creds_password(k5context, incred, princ, pass, pf, /* prompter */ pa, /* data */ 0, /* start_time */ 0, /* in_tkt_service */ gic_opts); if (code != KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) break; } memset(passwd, 0, sizeof(passwd)); if (code) { char *r = 0; if (krb5_get_default_realm(k5context, &r)) r = 0; if (r) afs_com_err(rn, code, "Unable to authenticate in realm %s", r); else afs_com_err(rn, code, "Unable to authenticate to use cell %s", cellconfig->name); if (r) free(r); KLOGEXIT(code); } for (;;writeTicketFile = 0) { if (writeTicketFile) { what = "getting default ccache"; code = krb5_cc_default(k5context, &cc); } else { what = "krb5_cc_resolve"; code = krb5_cc_resolve(k5context, "MEMORY:core", &cc); if (code) goto Failed; } what = "initializing ccache"; code = krb5_cc_initialize(k5context, cc, princ); if (code) goto Failed; what = "writing Kerberos ticket file"; code = krb5_cc_store_cred(k5context, cc, incred); if (code) goto Failed; if (writeTicketFile) fprintf(stderr, "Wrote ticket file to %s\n", krb5_cc_get_name(k5context, cc)); break; Failed: if (code) afs_com_err(rn, code, "%s", what); if (writeTicketFile) { if (cc) { krb5_cc_close(k5context, cc); cc = 0; } continue; } KLOGEXIT(code); } for (service = service_temp;;service = "afs") { memset(mcred, 0, sizeof *mcred); mcred->client = princ; code = krb5_parse_name(k5context, service, &mcred->server); if (code) { afs_com_err(rn, code, "Unable to parse service <%s>\n", service); KLOGEXIT(code); } if (tofree) { free(tofree); tofree = 0; } if (!(code = krb5_unparse_name(k5context, mcred->server, &outname))) tofree = outname; else outname = service; code = krb5_get_credentials(k5context, 0, cc, mcred, &outcred); krb5_free_principal(k5context, mcred->server); if (code != KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN || service != service_temp) break; #ifdef AFS_RXK5 if (authtype & FORCE_RXK5) break; #endif } afscred = outcred; if (code) { afs_com_err(rn, code, "Unable to get credentials to use %s", outname); KLOGEXIT(code); } #ifdef AFS_RXK5 if (authtype & FORCE_RXK5) { struct ktc_principal aserver[1]; int viceid = 555; memset(aserver, 0, sizeof *aserver); strncpy(aserver->cell, cellconfig->name, MAXKTCREALMLEN-1); code = ktc_SetK5Token(k5context, aserver, afscred, viceid, dosetpag); if (code) { afs_com_err(rn, code, "Unable to store tokens for cell %s\n", cellconfig->name); KLOGEXIT(1); } } else #endif { struct ktc_principal aserver[1], aclient[1]; struct ktc_token atoken[1]; memset(atoken, 0, sizeof *atoken); if (evil) { size_t elen = enc_part->length; atoken->kvno = RXKAD_TKT_TYPE_KERBEROS_V5_ENCPART_ONLY; if (afs_krb5_skip_ticket_wrapper(afscred->ticket.data, afscred->ticket.length, (char **) &enc_part->data, &elen)) { afs_com_err(rn, 0, "Can't unwrap %s AFS credential", cellconfig->name); KLOGEXIT(1); } } else { atoken->kvno = RXKAD_TKT_TYPE_KERBEROS_V5; *enc_part = afscred->ticket; } atoken->startTime = afscred->times.starttime; atoken->endTime = afscred->times.endtime; if (tkt_DeriveDesKey(get_creds_enctype(afscred), get_cred_keydata(afscred), get_cred_keylen(afscred), &atoken->sessionKey)) { afs_com_err(rn, 0, "Cannot derive DES key from enctype %i of length %u", get_creds_enctype(afscred), (unsigned)get_cred_keylen(afscred)); KLOGEXIT(1); } memcpy(atoken->ticket, enc_part->data, atoken->ticketLen = enc_part->length); memset(aserver, 0, sizeof *aserver); strncpy(aserver->name, "afs", 4); strncpy(aserver->cell, cellconfig->name, MAXKTCREALMLEN-1); memset(aclient, 0, sizeof *aclient); i = realm_len(k5context, afscred->client); if (i > MAXKTCREALMLEN-1) i = MAXKTCREALMLEN-1; memcpy(aclient->cell, realm_data(k5context, afscred->client), i); if (!noprdb) { int viceid = 0; k5_to_k4_name(k5context, afscred->client, aclient); code = whoami(atoken, cellconfig, aclient, &viceid); if (code) { afs_com_err(rn, code, "Can't get your viceid for cell %s", cellconfig->name); *aclient->name = 0; } else snprintf(aclient->name, MAXKTCNAMELEN-1, "AFS ID %d", viceid); } if (!*aclient->name) k5_to_k4_name(k5context, afscred->client, aclient); code = ktc_SetToken(aserver, atoken, aclient, dosetpag); if (code) { afs_com_err(rn, code, "Unable to store tokens for cell %s\n", cellconfig->name); KLOGEXIT(1); } } krb5_free_principal(k5context, princ); krb5_free_cred_contents(k5context, incred); if (outcred) krb5_free_creds(k5context, outcred); if (cc) krb5_cc_close(k5context, cc); if (tofree) free(tofree); return 0; }
int cosign_login_krb5( struct connlist *head, char *cosignname, char *id, char *realm, char *passwd, char *ip_addr, char *cookie, struct subparams *sp, char **msg ) { krb5_error_code kerror = 0; krb5_context kcontext; krb5_principal kprinc; krb5_principal sprinc; krb5_get_init_creds_opt kopts; krb5_verify_init_creds_opt kvic_opts[ 1 ]; krb5_creds kcreds; krb5_ccache kccache; krb5_keytab keytab = 0; char *tmpl = ERROR_HTML; char *sprinc_name = NULL; char ktbuf[ MAX_KEYTAB_NAME_LEN + 1 ]; char tmpkrb[ 16 ], krbpath [ MAXPATHLEN ]; int i; lcgi_configure(); if (( kerror = krb5_init_context( &kcontext ))) { sl[ SL_ERROR ].sl_data = (char *)error_message( kerror ); sl[ SL_TITLE ].sl_data = "Authentication Required ( kerberos error )"; subfile( tmpl, sl, 0 ); exit( 0 ); } if (( kerror = krb5_parse_name( kcontext, id, &kprinc ))) { sl[ SL_ERROR ].sl_data = (char *)error_message( kerror ); sl[ SL_TITLE ].sl_data = "Authentication Required ( kerberos error )"; subfile( tmpl, sl, 0 ); exit( 0 ); } /* need to get realm out */ if ( realm == NULL || *realm == '\0' ) { if (( kerror = krb5_get_default_realm( kcontext, &realm )) != 0 ) { sl[ SL_ERROR ].sl_data = (char *)error_message( kerror ); sl[ SL_TITLE ].sl_data = "Authentication Required " "( krb realm error )"; subfile( tmpl, sl, 0 ); exit( 0 ); } } if ( store_tickets ) { if ( mkcookie( sizeof( tmpkrb ), tmpkrb ) != 0 ) { sl[ SL_ERROR ].sl_data = "An unknown error occurred."; sl[ SL_TITLE ].sl_data = "Authentication Required (kerberos error)"; subfile( tmpl, sl, 0 ); exit( 0 ); } if ( snprintf( krbpath, sizeof( krbpath ), "%s/%s", ticket_path, tmpkrb ) >= sizeof( krbpath )) { sl[ SL_ERROR ].sl_data = "An unknown error occurred."; sl[ SL_TITLE ].sl_data = "Authentication Required (krbpath error)"; subfile( tmpl, sl, 0 ); exit( 0 ); } if (( kerror = krb5_cc_resolve( kcontext, krbpath, &kccache )) != 0 ) { sl[ SL_ERROR ].sl_data = (char *)error_message( kerror ); sl[ SL_TITLE ].sl_data = "Authentication Required (kerberos error)"; subfile( tmpl, sl, 0 ); exit( 0 ); } } krb5_get_init_creds_opt_init( &kopts ); krb5_get_init_creds_opt_set_tkt_life( &kopts, tkt_life ); krb5_get_init_creds_opt_set_renew_life( &kopts, 0 ); krb5_get_init_creds_opt_set_forwardable( &kopts, 1 ); krb5_get_init_creds_opt_set_proxiable( &kopts, 0 ); if (( kerror = krb5_get_init_creds_password( kcontext, &kcreds, kprinc, passwd, NULL, NULL, 0, NULL /*keytab */, &kopts ))) { if (( kerror == KRB5KRB_AP_ERR_BAD_INTEGRITY ) || ( kerror == KRB5KDC_ERR_PREAUTH_FAILED ) || ( kerror == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN )) { return( COSIGN_CGI_ERROR ); /* draw login or reauth page */ } else if ( kerror == KRB5KDC_ERR_KEY_EXP ) { *msg = (char *)error_message( kerror ); return( COSIGN_CGI_PASSWORD_EXPIRED ); } else { sl[ SL_ERROR ].sl_data = (char *)error_message( kerror ); sl[ SL_TITLE ].sl_data = "Error"; subfile( tmpl, sl, 0 ); exit( 0 ); } } /* verify no KDC spoofing */ if ( *keytab_path != '\0' ) { if ( strlen( keytab_path ) > MAX_KEYTAB_NAME_LEN ) { sl[ SL_ERROR ].sl_data = "server configuration error"; sl[ SL_TITLE ].sl_data = "Ticket Verification Error"; subfile( tmpl, sl, 0 ); exit( 0 ); } strcpy( ktbuf, keytab_path ); /* from mdw */ krb5_verify_init_creds_opt_init( kvic_opts ); krb5_verify_init_creds_opt_set_ap_req_nofail( kvic_opts, 1 ); if (( kerror = krb5_kt_resolve( kcontext, ktbuf, &keytab )) != 0 ) { sl[ SL_ERROR ].sl_data = (char *)error_message( kerror ); sl[ SL_TITLE ].sl_data = "KT Resolve Error"; subfile( tmpl, sl, 0 ); exit( 0 ); } if ( cosign_princ ) { kerror = krb5_parse_name( kcontext, cosign_princ, &sprinc ); } else { kerror = krb5_sname_to_principal( kcontext, NULL, "cosign", KRB5_NT_SRV_HST, &sprinc ); } if ( kerror != 0 ) { sl[ SL_ERROR ].sl_data = (char *)error_message( kerror ); sl[ SL_TITLE ].sl_data = "Server Principal Error"; subfile( tmpl, sl, 0 ); exit( 0 ); } if (( kerror = krb5_verify_init_creds( kcontext, &kcreds, sprinc, keytab, NULL, kvic_opts )) != 0 ) { if ( krb5_unparse_name( kcontext, sprinc, &sprinc_name ) == 0 ) { fprintf( stderr, "ticket verify error for " "user %s, keytab principal %s", id, sprinc_name ); free( sprinc_name ); } else { fprintf( stderr, "ticket verify error for user %s", id ); } sl[ SL_ERROR ].sl_data = (char *)error_message( kerror ); sl[ SL_TITLE ].sl_data = "Ticket Verify Error"; subfile( tmpl, sl, 0 ); krb5_free_principal( kcontext, sprinc ); exit( 0 ); } (void)krb5_kt_close( kcontext, keytab ); krb5_free_principal( kcontext, sprinc ); } for ( i = 0; i < COSIGN_MAXFACTORS - 1; i++ ) { if ( new_factors[ i ] == NULL ) { new_factors[ i ] = strdup( realm ); new_factors[ i + 1 ] = NULL; break; } if ( strcmp( new_factors[ i ], realm ) == 0 ) { break; } } if ( sp->sp_reauth && sp->sp_ipchanged == 0 ) { return( COSIGN_CGI_OK ); } if ( store_tickets ) { if (( kerror = krb5_cc_initialize( kcontext, kccache, kprinc )) != 0 ) { sl[ SL_ERROR ].sl_data = (char *)error_message( kerror ); sl[ SL_TITLE ].sl_data = "CC Initialize Error"; subfile( tmpl, sl, 0 ); exit( 0 ); } if (( kerror = krb5_cc_store_cred( kcontext, kccache, &kcreds )) != 0 ) { sl[ SL_ERROR ].sl_data = (char *)error_message( kerror ); sl[ SL_TITLE ].sl_data = "CC Storing Error"; subfile( tmpl, sl, 0 ); exit( 0 ); } krb5_cc_close( kcontext, kccache ); } krb5_free_cred_contents( kcontext, &kcreds ); krb5_free_principal( kcontext, kprinc ); krb5_free_context( kcontext ); /* password has been accepted, tell cosignd */ if ( cosign_login( head, cookie, ip_addr, cosignname, realm, ( store_tickets ? krbpath : NULL )) < 0 ) { fprintf( stderr, "cosign_login_krb5: login failed\n") ; sl[ SL_ERROR ].sl_data = "We were unable to contact the " "authentication server. Please try again later."; sl[ SL_TITLE ].sl_data = "Error: Please try later"; subfile( tmpl, sl, 0 ); exit( 0 ); } return( COSIGN_CGI_OK ); }
static ADS_STATUS ads_krb5_chg_password(const char *kdc_host, const char *principal, const char *oldpw, const char *newpw, int time_offset) { ADS_STATUS aret; krb5_error_code ret; krb5_context context = NULL; krb5_principal princ; krb5_get_init_creds_opt opts; krb5_creds creds; char *chpw_princ = NULL, *password; char *realm = NULL; int result_code; krb5_data result_code_string = { 0 }; krb5_data result_string = { 0 }; smb_krb5_addresses *addr = NULL; initialize_krb5_error_table(); ret = krb5_init_context(&context); if (ret) { DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret))); return ADS_ERROR_KRB5(ret); } if ((ret = smb_krb5_parse_name(context, principal, &princ))) { krb5_free_context(context); DEBUG(1,("Failed to parse %s (%s)\n", principal, error_message(ret))); return ADS_ERROR_KRB5(ret); } krb5_get_init_creds_opt_init(&opts); krb5_get_init_creds_opt_set_tkt_life(&opts, 5*60); krb5_get_init_creds_opt_set_renew_life(&opts, 0); krb5_get_init_creds_opt_set_forwardable(&opts, 0); krb5_get_init_creds_opt_set_proxiable(&opts, 0); /* note that heimdal will fill in the local addresses if the addresses * in the creds_init_opt are all empty and then later fail with invalid * address, sending our local netbios krb5 address - just like windows * - avoids this - gd */ ret = smb_krb5_gen_netbios_krb5_address(&addr, lp_netbios_name()); if (ret) { krb5_free_principal(context, princ); krb5_free_context(context); return ADS_ERROR_KRB5(ret); } krb5_get_init_creds_opt_set_address_list(&opts, addr->addrs); realm = smb_krb5_principal_get_realm(context, princ); /* We have to obtain an INITIAL changepw ticket for changing password */ if (asprintf(&chpw_princ, "kadmin/changepw@%s", realm) == -1) { krb5_free_context(context); free(realm); DEBUG(1,("ads_krb5_chg_password: asprintf fail\n")); return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); } free(realm); password = SMB_STRDUP(oldpw); ret = krb5_get_init_creds_password(context, &creds, princ, password, kerb_prompter, NULL, 0, chpw_princ, &opts); SAFE_FREE(chpw_princ); SAFE_FREE(password); if (ret) { if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) DEBUG(1,("Password incorrect while getting initial ticket")); else DEBUG(1,("krb5_get_init_creds_password failed (%s)\n", error_message(ret))); krb5_free_principal(context, princ); krb5_free_context(context); return ADS_ERROR_KRB5(ret); } ret = krb5_change_password(context, &creds, discard_const_p(char, newpw), &result_code, &result_code_string, &result_string); if (ret) { DEBUG(1, ("krb5_change_password failed (%s)\n", error_message(ret))); aret = ADS_ERROR_KRB5(ret); goto done; } if (result_code != KRB5_KPASSWD_SUCCESS) { ret = kpasswd_err_to_krb5_err(result_code); DEBUG(1, ("krb5_change_password failed (%s)\n", error_message(ret))); aret = ADS_ERROR_KRB5(ret); goto done; } aret = ADS_SUCCESS; done: kerberos_free_data_contents(context, &result_code_string); kerberos_free_data_contents(context, &result_string); krb5_free_principal(context, princ); krb5_free_context(context); return aret; }
static int chk_kerberos( const struct berval *sc, const struct berval * passwd, const struct berval * cred, const char **text ) { unsigned int i; int rtn; for( i=0; i<cred->bv_len; i++) { if(cred->bv_val[i] == '\0') { return LUTIL_PASSWD_ERR; /* NUL character in password */ } } if( cred->bv_val[i] != '\0' ) { return LUTIL_PASSWD_ERR; /* cred must behave like a string */ } for( i=0; i<passwd->bv_len; i++) { if(passwd->bv_val[i] == '\0') { return LUTIL_PASSWD_ERR; /* NUL character in password */ } } if( passwd->bv_val[i] != '\0' ) { return LUTIL_PASSWD_ERR; /* passwd must behave like a string */ } rtn = LUTIL_PASSWD_ERR; #ifdef HAVE_KRB5 /* HAVE_HEIMDAL_KRB5 */ { /* Portions: * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska H\xf6gskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ krb5_context context; krb5_error_code ret; krb5_creds creds; krb5_get_init_creds_opt get_options; krb5_verify_init_creds_opt verify_options; krb5_principal client, server; #ifdef notdef krb5_preauthtype pre_auth_types[] = {KRB5_PADATA_ENC_TIMESTAMP}; #endif ret = krb5_init_context( &context ); if (ret) { return LUTIL_PASSWD_ERR; } #ifdef notdef krb5_get_init_creds_opt_set_preauth_list(&get_options, pre_auth_types, 1); #endif krb5_get_init_creds_opt_init( &get_options ); krb5_verify_init_creds_opt_init( &verify_options ); ret = krb5_parse_name( context, passwd->bv_val, &client ); if (ret) { krb5_free_context( context ); return LUTIL_PASSWD_ERR; } ret = krb5_get_init_creds_password( context, &creds, client, cred->bv_val, NULL, NULL, 0, NULL, &get_options ); if (ret) { krb5_free_principal( context, client ); krb5_free_context( context ); return LUTIL_PASSWD_ERR; } { char *host = ldap_pvt_get_fqdn( NULL ); if( host == NULL ) { krb5_free_principal( context, client ); krb5_free_context( context ); return LUTIL_PASSWD_ERR; } ret = krb5_sname_to_principal( context, host, "ldap", KRB5_NT_SRV_HST, &server ); ber_memfree( host ); } if (ret) { krb5_free_principal( context, client ); krb5_free_context( context ); return LUTIL_PASSWD_ERR; } ret = krb5_verify_init_creds( context, &creds, server, NULL, NULL, &verify_options ); krb5_free_principal( context, client ); krb5_free_principal( context, server ); krb5_free_cred_contents( context, &creds ); krb5_free_context( context ); rtn = ret ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK; } #elif defined(HAVE_KRB4) { /* Borrowed from Heimdal kpopper */ /* Portions: * Copyright (c) 1989 Regents of the University of California. * All rights reserved. The Berkeley software License Agreement * specifies the terms and conditions for redistribution. */ int status; char lrealm[REALM_SZ]; char tkt[MAXHOSTNAMELEN]; status = krb_get_lrealm(lrealm,1); if (status == KFAILURE) { return LUTIL_PASSWD_ERR; } snprintf(tkt, sizeof(tkt), "%s_slapd.%u", TKT_ROOT, (unsigned)getpid()); krb_set_tkt_string (tkt); status = krb_verify_user( passwd->bv_val, "", lrealm, cred->bv_val, 1, "ldap"); dest_tkt(); /* no point in keeping the tickets */ return status == KFAILURE ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK; } #endif return rtn; }
krb5_error_code kcm_ccache_acquire(krb5_context context, kcm_ccache ccache, krb5_creds **credp) { krb5_error_code ret = 0; krb5_creds cred; krb5_const_realm realm; krb5_get_init_creds_opt opt; krb5_ccache_data ccdata; char *in_tkt_service = NULL; int done = 0; memset(&cred, 0, sizeof(cred)); KCM_ASSERT_VALID(ccache); /* We need a cached key or keytab to acquire credentials */ if (ccache->flags & KCM_FLAGS_USE_CACHED_KEY) { if (ccache->key.keyblock.keyvalue.length == 0) krb5_abortx(context, "kcm_ccache_acquire: KCM_FLAGS_USE_CACHED_KEY without key"); } else if (ccache->flags & KCM_FLAGS_USE_KEYTAB) { if (ccache->key.keytab == NULL) krb5_abortx(context, "kcm_ccache_acquire: KCM_FLAGS_USE_KEYTAB without keytab"); } else { kcm_log(0, "Cannot acquire initial credentials for cache %s without key", ccache->name); return KRB5_FCC_INTERNAL; } HEIMDAL_MUTEX_lock(&ccache->mutex); /* Fake up an internal ccache */ kcm_internal_ccache(context, ccache, &ccdata); /* Now, actually acquire the creds */ if (ccache->server != NULL) { ret = krb5_unparse_name(context, ccache->server, &in_tkt_service); if (ret) { kcm_log(0, "Failed to unparse service principal name for cache %s: %s", ccache->name, krb5_get_err_text(context, ret)); return ret; } } realm = krb5_principal_get_realm(context, ccache->client); krb5_get_init_creds_opt_init(&opt); krb5_get_init_creds_opt_set_default_flags(context, "kcm", realm, &opt); if (ccache->tkt_life != 0) krb5_get_init_creds_opt_set_tkt_life(&opt, ccache->tkt_life); if (ccache->renew_life != 0) krb5_get_init_creds_opt_set_renew_life(&opt, ccache->renew_life); if (ccache->flags & KCM_FLAGS_USE_CACHED_KEY) { ret = krb5_get_init_creds_keyblock(context, &cred, ccache->client, &ccache->key.keyblock, 0, in_tkt_service, &opt); } else { /* loosely based on lib/krb5/init_creds_pw.c */ while (!done) { ret = krb5_get_init_creds_keytab(context, &cred, ccache->client, ccache->key.keytab, 0, in_tkt_service, &opt); switch (ret) { case KRB5KDC_ERR_KEY_EXPIRED: if (in_tkt_service != NULL && strcmp(in_tkt_service, "kadmin/changepw") == 0) { goto out; } ret = change_pw_and_update_keytab(context, ccache); if (ret) goto out; break; case 0: default: done = 1; break; } } } if (ret) { kcm_log(0, "Failed to acquire credentials for cache %s: %s", ccache->name, krb5_get_err_text(context, ret)); if (in_tkt_service != NULL) free(in_tkt_service); goto out; } if (in_tkt_service != NULL) free(in_tkt_service); /* Swap them in */ kcm_ccache_remove_creds_internal(context, ccache); ret = kcm_ccache_store_cred_internal(context, ccache, &cred, 0, credp); if (ret) { kcm_log(0, "Failed to store credentials for cache %s: %s", ccache->name, krb5_get_err_text(context, ret)); krb5_free_cred_contents(context, &cred); goto out; } out: HEIMDAL_MUTEX_unlock(&ccache->mutex); return ret; }
static void do_renew(GtkWidget *widget, GtkWidget *entry) { char *pass; krb5_error_code code; krb5_context kcontext; krb5_principal me = NULL; char *service_name = NULL; krb5_ccache ccache = NULL; krb5_creds my_creds; char *msg = NULL; krb5_deltat start_time = 0; krb5_deltat lifetime = 10 * 60 * 60; krb5_get_init_creds_opt opts; int non_fatal = 0; pass = g_strdup(gtk_entry_get_text(GTK_ENTRY(entry))); gtk_entry_set_text(GTK_ENTRY(entry), ""); krb5_get_init_creds_opt_init(&opts); if (!pass || !strlen(pass)) { non_fatal = 1; msg = g_strdup("Incorrect password: please try again."); } else if ((code = krb5_init_context(&kcontext))) msg = g_strdup_printf("%s when initializing kerberos library", error_message(code)); else if ((code = krb5_cc_default(kcontext, &ccache))) msg = g_strdup_printf("%s while getting default cache.", error_message(code)); else if ((code = krb5_parse_name(kcontext, name, &me))) msg = g_strdup_printf("%s while parsing name %s.", error_message(code), name); else if ((code = krb5_get_init_creds_password(kcontext, &my_creds, me, pass, krb5_prompter_posix, NULL, start_time, service_name, &opts))) { if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) { non_fatal = 1; msg = g_strdup("Incorrect password: please try again."); } else { msg = g_strdup_printf("%s while getting initial" " credentials", error_message(code)); } } else { if ((code = krb5_cc_initialize(kcontext, ccache, me))) { msg = g_strdup_printf("%s while initializing cache", error_message(code)); } else if ((code = krb5_cc_store_cred(kcontext, ccache, &my_creds))) { msg = g_strdup_printf("%s while storing credentials", error_message(code)); } else { if (me) krb5_free_principal(kcontext, me); if (ccache) krb5_cc_close(kcontext, ccache); krb5_free_context(kcontext); } } g_free(pass); if (msg) { /* encountered an error. don't quit */ if (non_fatal) do_error_dialog(msg); else do_fatal_dialog(msg); g_free(msg); } else /* no errors, we're done */ { system("fsid -a > /dev/null"); system("zctl load /dev/null > /dev/null"); exit(0); } }
int do_command(krb5_context context, krb5_keytab keytab, krb5_principal me, char *princ, char *cmd, char *cmddir) { char *p; char *answer; static char answer_exec[] = "Cannot execute command."; static char answer_priv[] = "You are not privileged to execute this command."; static char answer_regexp[] = "Command doesn't match any allowed regexp."; int result; if (debug) syslog(LOG_DEBUG, "Principal %s is trying to execute command %s", princ, cmd); /* Replace \n with \0 */ p = cmd; while (*p != '\0' && *p != '\n') p++; *p = '\0'; if (gethelp(cmd) == 0) return 0; if ((result = chk_user_cmd(princ, cmd)) != 0) { switch(result) { case CHK_GRP: answer = answer_priv; break; case CHK_REGEXP: answer = answer_regexp; break; default: answer = answer_exec; } if (debug) syslog(LOG_DEBUG, "%s", answer); if (write(1, answer, strlen(answer)) == -1) printf("Failed write to stdout.\n"); return 0; } else { char *localcmd, *pathenv; char ccname[255]; krb5_ccache ccache; krb5_creds creds; krb5_principal tgtserver; krb5_error_code retval; krb5_get_init_creds_opt opts; pathenv = malloc((strlen(cmddir) + 6) * sizeof(char)); if (pathenv == NULL) { syslog(LOG_ERR, "Not enough memory (env)"); exit(1); } sprintf(pathenv, "PATH=%s", cmddir); preauth = preauth_list; #ifdef __osf__ sprintf(ccname, "FILE:/tmp/afsadm_%d", getpid()); #else snprintf(ccname, 255, "FILE:/tmp/afsadm_%d", getpid()); #endif if (retval = krb5_cc_resolve(context, ccname, &ccache)) { syslog(LOG_ERR, "%s while resolving ccache", error_message(retval)); exit(1); } #ifdef __osf__ sprintf(ccname, "KRB5CCNAME=FILE:/tmp/afsadm_%d", getpid()); #else snprintf(ccname, 255, "KRB5CCNAME=FILE:/tmp/afsadm_%d", getpid()); #endif putenv(ccname); if (retval = krb5_cc_initialize(context, ccache, me)) { syslog(LOG_ERR, "%s while initialize ccache", error_message(retval)); exit(1); } memset((char *)&creds, 0, sizeof(creds)); creds.client = me; krb5_data *realm = krb5_princ_realm(context, me); if ((retval = krb5_build_principal_ext(context, &tgtserver, realm->length, realm->data, tgtname.length, tgtname.data, realm->length, realm->data, 0))) { syslog(LOG_ERR, "%s while building server name", error_message(retval)); krb5_cc_destroy(context, ccache); exit(1); } creds.server = tgtserver; krb5_get_init_creds_opt_init(&opts); opts.preauth_list = preauth; if (retval = krb5_get_init_creds_keytab(context, &creds, me, keytab, 0, NULL, &opts)) { syslog(LOG_ERR, "%s while getting tgt", error_message(retval)); krb5_cc_destroy(context, ccache); exit(1); } if (retval = krb5_cc_store_cred(context, ccache, &creds)) { syslog(LOG_ERR, "%s while saving credentials to ccache", error_message(retval)); krb5_cc_destroy(context, ccache); exit(1); } if (k_hasafs()) k_setpag(); localcmd = malloc(sizeof(char) * (strlen(cmd) + strlen(cmddir) + 2)); if (localcmd == NULL) { syslog(LOG_ERR, "Not enough memory (cmdpath malloc)"); exit(1); } sprintf(localcmd, "%s/%s", cmddir, cmd); syslog(LOG_INFO, "Principal %s : system(%s)", princ, localcmd); /* Set PATH to dircmd !!!! */ putenv(pathenv); //system("/usr/bin/id -a; aklog"); if (system("aklog") == -1) printf("Cannot execute aklog.\n"); result = system(localcmd); syslog(LOG_INFO, "Principal %s : system(%s) returns with %d", princ, localcmd, result); free(pathenv); free(localcmd); if (k_hasafs()) k_unlog(); krb5_cc_destroy(context, ccache); return 0; } }
/* * Function: Process WM_COMMAND messages */ static void kwin_command(HWND hwnd, int cid, HWND hwndCtl, UINT codeNotify) { char name[ANAME_SZ]; char realm[REALM_SZ]; char password[MAX_KPW_LEN]; HCURSOR hcursor; BOOL blogin; HMENU hmenu; char menuitem[MAX_K_NAME_SZ + 3]; char copyright[128]; int id; #ifdef KRB4 char instance[INST_SZ]; int lifetime; int krc; #endif #ifdef KRB5 long lifetime; krb5_error_code code; krb5_principal principal; krb5_creds creds; krb5_get_init_creds_opt opts; gic_data gd; #endif #ifdef KRB4 EnableWindow(GetDlgItem(hwnd, IDD_TICKET_DELETE), krb_get_num_cred() > 0); #endif #ifdef KRB5 EnableWindow(GetDlgItem(hwnd, IDD_TICKET_DELETE), k5_get_num_cred(1) > 0); #endif GetDlgItemText(hwnd, IDD_LOGIN_NAME, name, sizeof(name)); trim(name); blogin = strlen(name) > 0; if (blogin) { GetDlgItemText(hwnd, IDD_LOGIN_REALM, realm, sizeof(realm)); trim(realm); blogin = strlen(realm) > 0; } if (blogin) { GetDlgItemText(hwnd, IDD_LOGIN_PASSWORD, password, sizeof(password)); blogin = strlen(password) > 0; } EnableWindow(GetDlgItem(hwnd, IDD_LOGIN), blogin); id = (blogin) ? IDD_LOGIN : IDD_PASSWORD_CR2; SendMessage(hwnd, DM_SETDEFID, id, 0); if (codeNotify != BN_CLICKED && codeNotify != 0 && codeNotify != 1) return; /* FALSE */ /* * Check to see if this item is in a list of the ``recent hosts'' sort * of list, under the FILE menu. */ if (cid >= IDM_FIRST_LOGIN && cid < IDM_FIRST_LOGIN + FILE_MENU_MAX_LOGINS) { hmenu = GetMenu(hwnd); assert(hmenu != NULL); hmenu = GetSubMenu(hmenu, 0); assert(hmenu != NULL); if (!GetMenuString(hmenu, cid, menuitem, sizeof(menuitem), MF_BYCOMMAND)) return; /* TRUE */ if (menuitem[0]) kwin_init_name(hwnd, &menuitem[3]); return; /* TRUE */ } switch (cid) { case IDM_EXIT: if (isblocking) WSACancelBlockingCall(); WinHelp(hwnd, KERBEROS_HLP, HELP_QUIT, 0); PostQuitMessage(0); return; /* TRUE */ case IDD_PASSWORD_CR2: /* Make CR == TAB */ id = GetDlgCtrlID(GetFocus()); assert(id != 0); if (id == IDD_MAX_EDIT) PostMessage(hwnd, WM_NEXTDLGCTL, (WPARAM)GetDlgItem(hwnd, IDD_MIN_EDIT), MAKELONG(1, 0)); else PostMessage(hwnd, WM_NEXTDLGCTL, 0, 0); return; /* TRUE */ case IDD_LOGIN: if (isblocking) return; /* TRUE */ GetDlgItemText(hwnd, IDD_LOGIN_NAME, name, sizeof(name)); trim(name); GetDlgItemText(hwnd, IDD_LOGIN_REALM, realm, sizeof(realm)); trim(realm); GetDlgItemText(hwnd, IDD_LOGIN_PASSWORD, password, sizeof(password)); SetDlgItemText(hwnd, IDD_LOGIN_PASSWORD, ""); /* nuke the password */ trim(password); #ifdef KRB4 GetDlgItemText(hwnd, IDD_LOGIN_INSTANCE, instance, sizeof(instance)); trim(instance); #endif hcursor = SetCursor(LoadCursor(NULL, IDC_WAIT)); lifetime = cns_res.lifetime; start_blocking_hook(BLOCK_MAX_SEC); #ifdef KRB4 lifetime = (lifetime + 4) / 5; krc = krb_get_pw_in_tkt(name, instance, realm, "krbtgt", realm, lifetime, password); #endif #ifdef KRB5 principal = NULL; /* * convert the name + realm into a krb5 principal string and parse it into a principal */ sprintf(menuitem, "%s@%s", name, realm); code = krb5_parse_name(k5_context, menuitem, &principal); if (code) goto errorpoint; /* * set the various ticket options. First, initialize the structure, then set the ticket * to be forwardable if desired, and set the lifetime. */ krb5_get_init_creds_opt_init(&opts); krb5_get_init_creds_opt_set_forwardable(&opts, forwardable); krb5_get_init_creds_opt_set_tkt_life(&opts, lifetime * 60); if (noaddresses) { krb5_get_init_creds_opt_set_address_list(&opts, NULL); } /* * get the initial creds using the password and the options we set above */ gd.hinstance = hinstance; gd.hwnd = hwnd; gd.id = ID_VARDLG; code = krb5_get_init_creds_password(k5_context, &creds, principal, password, gic_prompter, &gd, 0, NULL, &opts); if (code) goto errorpoint; /* * initialize the credential cache */ code = krb5_cc_initialize(k5_context, k5_ccache, principal); if (code) goto errorpoint; /* * insert the principal into the cache */ code = krb5_cc_store_cred(k5_context, k5_ccache, &creds); errorpoint: if (principal) krb5_free_principal(k5_context, principal); end_blocking_hook(); SetCursor(hcursor); kwin_set_default_focus(hwnd); if (code) { if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) MessageBox(hwnd, "Password incorrect", NULL, MB_OK | MB_ICONEXCLAMATION); else com_err(NULL, code, "while logging in"); } #endif /* KRB5 */ #ifdef KRB4 if (krc != KSUCCESS) { MessageBox(hwnd, krb_get_err_text(krc), "", MB_OK | MB_ICONEXCLAMATION); return; /* TRUE */ } #endif kwin_save_name(hwnd); alerted = FALSE; switch (action) { case LOGIN_AND_EXIT: SendMessage(hwnd, WM_COMMAND, GET_WM_COMMAND_MPS(IDM_EXIT, 0, 0)); break; case LOGIN_AND_MINIMIZE: ShowWindow(hwnd, SW_MINIMIZE); break; } return; /* TRUE */ case IDD_TICKET_DELETE: if (isblocking) return; /* TRUE */ #ifdef KRB4 krc = dest_tkt(); if (krc != KSUCCESS) MessageBox(hwnd, krb_get_err_text(krc), "", MB_OK | MB_ICONEXCLAMATION); #endif #ifdef KRB5 code = k5_dest_tkt(); #endif kwin_set_default_focus(hwnd); alerted = FALSE; return; /* TRUE */ case IDD_CHANGE_PASSWORD: if (isblocking) return; /* TRUE */ password_dialog(hwnd); kwin_set_default_focus(hwnd); return; /* TRUE */ case IDM_OPTIONS: if (isblocking) return; /* TRUE */ opts_dialog(hwnd); return; /* TRUE */ case IDM_HELP_INDEX: WinHelp(hwnd, KERBEROS_HLP, HELP_INDEX, 0); return; /* TRUE */ case IDM_ABOUT: ticket_init_list(GetDlgItem(hwnd, IDD_TICKET_LIST)); if (isblocking) return; /* TRUE */ #ifdef KRB4 strcpy(copyright, " Kerberos 4 for Windows "); #endif #ifdef KRB5 strcpy(copyright, " Kerberos V5 for Windows "); #endif #ifdef _WIN32 strncat(copyright, "32-bit\n", sizeof(copyright) - 1 - strlen(copyright)); #else strncat(copyright, "16-bit\n", sizeof(copyright) - 1 - strlen(copyright)); #endif strncat(copyright, "\n Version 1.12\n\n", sizeof(copyright) - 1 - strlen(copyright)); #ifdef ORGANIZATION strncat(copyright, " For information, contact:\n", sizeof(copyright) - 1 - strlen(copyright)); strncat(copyright, ORGANIZATION, sizeof(copyright) - 1 - strlen(copyright)); #endif MessageBox(hwnd, copyright, KWIN_DIALOG_NAME, MB_OK); return; /* TRUE */ } return; /* FALSE */ }
static ADS_STATUS ads_krb5_chg_password(const char *kdc_host, const char *principal, const char *oldpw, const char *newpw, int time_offset) { ADS_STATUS aret; krb5_error_code ret; krb5_context context = NULL; krb5_principal princ; krb5_get_init_creds_opt opts; krb5_creds creds; char *chpw_princ = NULL, *password; const char *realm = NULL; initialize_krb5_error_table(); ret = krb5_init_context(&context); if (ret) { DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret))); return ADS_ERROR_KRB5(ret); } if ((ret = smb_krb5_parse_name(context, principal, &princ))) { krb5_free_context(context); DEBUG(1,("Failed to parse %s (%s)\n", principal, error_message(ret))); return ADS_ERROR_KRB5(ret); } krb5_get_init_creds_opt_init(&opts); krb5_get_init_creds_opt_set_tkt_life(&opts, 5*60); krb5_get_init_creds_opt_set_renew_life(&opts, 0); krb5_get_init_creds_opt_set_forwardable(&opts, 0); krb5_get_init_creds_opt_set_proxiable(&opts, 0); realm = smb_krb5_principal_get_realm(context, princ); /* We have to obtain an INITIAL changepw ticket for changing password */ if (asprintf(&chpw_princ, "kadmin/changepw@%s", realm) == -1) { krb5_free_context(context); DEBUG(1,("ads_krb5_chg_password: asprintf fail\n")); return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); } password = SMB_STRDUP(oldpw); ret = krb5_get_init_creds_password(context, &creds, princ, password, kerb_prompter, NULL, 0, chpw_princ, &opts); SAFE_FREE(chpw_princ); SAFE_FREE(password); if (ret) { if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) DEBUG(1,("Password incorrect while getting initial ticket")); else DEBUG(1,("krb5_get_init_creds_password failed (%s)\n", error_message(ret))); krb5_free_principal(context, princ); krb5_free_context(context); return ADS_ERROR_KRB5(ret); } aret = do_krb5_kpasswd_request(context, kdc_host, KRB5_KPASSWD_VERS_CHANGEPW, &creds, principal, newpw); krb5_free_principal(context, princ); krb5_free_context(context); return aret; }
/* returns boolean */ static int k5_kinit(struct k_opts *opts, struct k5_data *k5, struct user_info *u_info) { char *doing; int notix = 1; krb5_keytab keytab = 0; krb5_creds my_creds; krb5_error_code code = 0; krb5_get_init_creds_opt options; krb5_address **addresses; krb5_get_init_creds_opt_init(&options); g_memset(&my_creds, 0, sizeof(my_creds)); /* From this point on, we can goto cleanup because my_creds is initialized. */ if (opts->lifetime) { krb5_get_init_creds_opt_set_tkt_life(&options, opts->lifetime); } if (opts->rlife) { krb5_get_init_creds_opt_set_renew_life(&options, opts->rlife); } if (opts->forwardable) { krb5_get_init_creds_opt_set_forwardable(&options, 1); } if (opts->not_forwardable) { krb5_get_init_creds_opt_set_forwardable(&options, 0); } if (opts->proxiable) { krb5_get_init_creds_opt_set_proxiable(&options, 1); } if (opts->not_proxiable) { krb5_get_init_creds_opt_set_proxiable(&options, 0); } if (opts->addresses) { addresses = NULL; code = krb5_os_localaddr(k5->ctx, &addresses); if (code != 0) { g_printf("krb5_os_localaddr failed in k5_kinit\n"); goto cleanup; } krb5_get_init_creds_opt_set_address_list(&options, addresses); } if (opts->no_addresses) { krb5_get_init_creds_opt_set_address_list(&options, NULL); } if ((opts->action == INIT_KT) && opts->keytab_name) { code = krb5_kt_resolve(k5->ctx, opts->keytab_name, &keytab); if (code != 0) { g_printf("krb5_kt_resolve failed in k5_kinit\n"); goto cleanup; } } switch (opts->action) { case INIT_PW: code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me, 0, kinit_prompter, u_info, opts->starttime, opts->service_name, &options); break; case INIT_KT: code = krb5_get_init_creds_keytab(k5->ctx, &my_creds, k5->me, keytab, opts->starttime, opts->service_name, &options); break; case VALIDATE: code = krb5_get_validated_creds(k5->ctx, &my_creds, k5->me, k5->cc, opts->service_name); break; case RENEW: code = krb5_get_renewed_creds(k5->ctx, &my_creds, k5->me, k5->cc, opts->service_name); break; } if (code != 0) { doing = 0; switch (opts->action) { case INIT_PW: case INIT_KT: doing = "getting initial credentials"; break; case VALIDATE: doing = "validating credentials"; break; case RENEW: doing = "renewing credentials"; break; } if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) { g_printf("sesman: Password incorrect while %s in k5_kinit\n", doing); } else { g_printf("sesman: error while %s in k5_kinit\n", doing); } goto cleanup; } if (!opts->lifetime) { /* We need to figure out what lifetime to use for Kerberos 4. */ opts->lifetime = my_creds.times.endtime - my_creds.times.authtime; } code = krb5_cc_initialize(k5->ctx, k5->cc, k5->me); if (code != 0) { g_printf("krb5_cc_initialize failed in k5_kinit\n"); goto cleanup; } code = krb5_cc_store_cred(k5->ctx, k5->cc, &my_creds); if (code != 0) { g_printf("krb5_cc_store_cred failed in k5_kinit\n"); goto cleanup; } notix = 0; cleanup: if (my_creds.client == k5->me) { my_creds.client = 0; } krb5_free_cred_contents(k5->ctx, &my_creds); if (keytab) { krb5_kt_close(k5->ctx, keytab); } return notix ? 0 : 1; }
static DWORD IDMKrbRenewCredentials( PIDM_KRB_CONTEXT pKrbContext ) { DWORD dwError = 0; DWORD dwCleanupError = 0; BOOLEAN bLocked = FALSE; BOOLEAN bRefreshCreds = FALSE; krb5_context pCtx = NULL; PSTR pszPrincipal = NULL; krb5_principal pPrincipal = NULL; krb5_keytab ktid = 0; krb5_ccache pCache = NULL; krb5_creds creds = {0}; IDM_RWMUTEX_LOCK_SHARED(&pKrbContext->mutex_rw, bLocked, dwError); BAIL_ON_ERROR(dwError); if (!pKrbContext->expiryTime) { bRefreshCreds = TRUE; } else { krb5_timestamp now = time(NULL); if (now >= pKrbContext->expiryTime) { bRefreshCreds = TRUE; } else { double threshold = (30 * 60); // 30 minutes double interval = difftime(pKrbContext->expiryTime, now); if (interval <= threshold) { bRefreshCreds = TRUE; } } } if (bRefreshCreds) { krb5_error_code errKrb = 0; krb5_deltat startTime = 0; PSTR pszServiceName = NULL; krb5_get_init_creds_opt options = {0}; krb5_timestamp origExpiryTime = pKrbContext->expiryTime; IDM_RWMUTEX_UNLOCK(&pKrbContext->mutex_rw, bLocked, dwError); BAIL_ON_ERROR(dwError); dwError = IDMKrbGetPrincipal( pKrbContext->pszAccount, pKrbContext->pszDomain, &pszPrincipal); BAIL_ON_ERROR(dwError); errKrb = krb5_init_context(&pCtx); BAIL_ON_KERBEROS_ERROR(NULL, errKrb, dwError); errKrb = krb5_parse_name(pCtx, pszPrincipal, &pPrincipal); BAIL_ON_KERBEROS_ERROR(NULL, errKrb, dwError); errKrb = krb5_kt_default(pCtx, &ktid); BAIL_ON_KERBEROS_ERROR(NULL, errKrb, dwError); krb5_get_init_creds_opt_init(&options); krb5_get_init_creds_opt_set_forwardable(&options, TRUE); errKrb = krb5_get_init_creds_keytab( pCtx, &creds, pPrincipal, ktid, startTime, pszServiceName, &options); BAIL_ON_KERBEROS_ERROR(NULL, errKrb, dwError); IDM_RWMUTEX_LOCK_EXCLUSIVE(&pKrbContext->mutex_rw, bLocked, dwError); BAIL_ON_ERROR(dwError); if (pKrbContext->expiryTime <= origExpiryTime) { errKrb = krb5_cc_resolve(pCtx, pKrbContext->pszCachePath, &pCache); BAIL_ON_KERBEROS_ERROR(NULL, errKrb, dwError); errKrb = krb5_cc_initialize(pCtx, pCache, pPrincipal); BAIL_ON_KERBEROS_ERROR(NULL, errKrb, dwError); errKrb = krb5_cc_store_cred(pCtx, pCache, &creds); BAIL_ON_KERBEROS_ERROR(NULL, errKrb, dwError); pKrbContext->expiryTime = creds.times.endtime; } } cleanup: IDM_RWMUTEX_UNLOCK(&pKrbContext->mutex_rw, bLocked, dwCleanupError); if (pCtx) { if (ktid) { krb5_kt_close(pCtx, ktid); ktid = 0; } if (pPrincipal) { if (creds.client == pPrincipal) { creds.client = NULL; } krb5_free_principal(pCtx, pPrincipal); } krb5_free_cred_contents(pCtx, &creds); if (pCache) { krb5_cc_close(pCtx, pCache); } krb5_free_context(pCtx); } IDM_SAFE_FREE_MEMORY(pszPrincipal); if(!dwError) { dwError = dwCleanupError; } return dwError; error: goto cleanup; }
static krb5_error_code change_pw(krb5_context context, kcm_ccache ccache, char *cpn, char *newpw) { krb5_error_code ret; krb5_creds cpw_cred; int result_code; krb5_data result_code_string; krb5_data result_string; krb5_get_init_creds_opt options; memset(&cpw_cred, 0, sizeof(cpw_cred)); krb5_get_init_creds_opt_init(&options); krb5_get_init_creds_opt_set_tkt_life(&options, 60); krb5_get_init_creds_opt_set_forwardable(&options, FALSE); krb5_get_init_creds_opt_set_proxiable(&options, FALSE); krb5_data_zero(&result_code_string); krb5_data_zero(&result_string); ret = krb5_get_init_creds_keytab(context, &cpw_cred, ccache->client, ccache->key.keytab, 0, "kadmin/changepw", &options); if (ret) { kcm_log(0, "Failed to acquire password change credentials " "for principal %s: %s", cpn, krb5_get_err_text(context, ret)); goto out; } ret = krb5_set_password(context, &cpw_cred, newpw, ccache->client, &result_code, &result_code_string, &result_string); if (ret) { kcm_log(0, "Failed to change password for principal %s: %s", cpn, krb5_get_err_text(context, ret)); goto out; } if (result_code) { kcm_log(0, "Failed to change password for principal %s: %.*s", cpn, (int)result_string.length, result_string.length > 0 ? (char *)result_string.data : ""); goto out; } out: krb5_data_free(&result_string); krb5_data_free(&result_code_string); krb5_free_cred_contents(context, &cpw_cred); return ret; }
char * /* R: allocated response string */ auth_krb5 ( /* PARAMETERS */ const char *user, /* I: plaintext authenticator */ const char *password, /* I: plaintext password */ const char *service, /* I: service authenticating to */ const char *realm /* I: user's realm */ /* END PARAMETERS */ ) { /* VARIABLES */ krb5_context context; krb5_ccache ccache = NULL; krb5_principal auth_user; krb5_creds creds; krb5_get_init_creds_opt opts; char * result; char tfname[2048]; char principalbuf[2048]; krb5_error_code code; /* END VARIABLES */ if (!user|| !password) { syslog(LOG_ERR, "auth_krb5: NULL password or username?"); return strdup("NO saslauthd internal error"); } if (krb5_init_context(&context)) { syslog(LOG_ERR, "auth_krb5: krb5_init_context"); return strdup("NO saslauthd internal error"); } if (form_principal_name(user, service, realm, principalbuf, sizeof (principalbuf))) { syslog(LOG_ERR, "auth_krb5: form_principal_name"); return strdup("NO saslauthd principal name error"); } if (krb5_parse_name (context, principalbuf, &auth_user)) { krb5_free_context(context); syslog(LOG_ERR, "auth_krb5: krb5_parse_name"); return strdup("NO saslauthd internal error"); } if (krbtf_name(tfname, sizeof (tfname)) != 0) { syslog(LOG_ERR, "auth_krb5: could not generate ticket file name"); return strdup("NO saslauthd internal error"); } if (krb5_cc_resolve(context, tfname, &ccache)) { krb5_free_principal(context, auth_user); krb5_free_context(context); syslog(LOG_ERR, "auth_krb5: krb5_cc_resolve"); return strdup("NO saslauthd internal error"); } if (krb5_cc_initialize (context, ccache, auth_user)) { krb5_free_principal(context, auth_user); krb5_free_context(context); syslog(LOG_ERR, "auth_krb5: krb5_cc_initialize"); return strdup("NO saslauthd internal error"); } krb5_get_init_creds_opt_init(&opts); /* 15 min should be more than enough */ krb5_get_init_creds_opt_set_tkt_life(&opts, 900); if ((code = krb5_get_init_creds_password(context, &creds, auth_user, password, NULL, NULL, 0, NULL, &opts))) { krb5_cc_destroy(context, ccache); krb5_free_principal(context, auth_user); krb5_free_context(context); syslog(LOG_ERR, "auth_krb5: krb5_get_init_creds_password: %d", code); return strdup("NO saslauthd internal error"); } /* at this point we should have a TGT. Let's make sure it is valid */ if (krb5_cc_store_cred(context, ccache, &creds)) { krb5_free_principal(context, auth_user); krb5_cc_destroy(context, ccache); krb5_free_context(context); syslog(LOG_ERR, "auth_krb5: krb5_cc_store_cred"); return strdup("NO saslauthd internal error"); } if (!k5support_verify_tgt(context, ccache)) { syslog(LOG_ERR, "auth_krb5: k5support_verify_tgt"); result = strdup("NO saslauthd internal error"); goto fini; } /* * fall through -- user is valid beyond this point */ result = strdup("OK"); fini: /* destroy any tickets we had */ krb5_free_cred_contents(context, &creds); krb5_free_principal(context, auth_user); krb5_cc_destroy(context, ccache); krb5_free_context(context); return result; }
/* * Obtain credentials via a key in the keytab given * a keytab handle and a gssd_k5_kt_princ structure. * Checks to see if current credentials are expired, * if not, uses the keytab to obtain new credentials. * * Returns: * 0 => success (or credentials have not expired) * nonzero => error */ static int gssd_get_single_krb5_cred(krb5_context context, krb5_keytab kt, struct gssd_k5_kt_princ *ple, int nocache) { #if HAVE_KRB5_GET_INIT_CREDS_OPT_SET_ADDRESSLESS krb5_get_init_creds_opt *init_opts = NULL; #else krb5_get_init_creds_opt options; #endif krb5_get_init_creds_opt *opts; krb5_creds my_creds; krb5_ccache ccache = NULL; char kt_name[BUFSIZ]; char cc_name[BUFSIZ]; int code; time_t now = time(0); char *cache_type; char *pname = NULL; char *k5err = NULL; memset(&my_creds, 0, sizeof(my_creds)); if (ple->ccname && ple->endtime > now && !nocache) { printerr(2, "INFO: Credentials in CC '%s' are good until %d\n", ple->ccname, ple->endtime); code = 0; goto out; } code = krb5_kt_get_name(context, kt, kt_name, BUFSIZ); if (code != 0) { printerr(0, "ERROR: Unable to get keytab name in " "gssd_get_single_krb5_cred\n"); goto out; } if ((krb5_unparse_name(context, ple->princ, &pname))) pname = NULL; #if HAVE_KRB5_GET_INIT_CREDS_OPT_SET_ADDRESSLESS code = krb5_get_init_creds_opt_alloc(context, &init_opts); if (code) { k5err = gssd_k5_err_msg(context, code); printerr(0, "ERROR: %s allocating gic options\n", k5err); goto out; } if (krb5_get_init_creds_opt_set_addressless(context, init_opts, 1)) printerr(1, "WARNING: Unable to set option for addressless " "tickets. May have problems behind a NAT.\n"); #ifdef TEST_SHORT_LIFETIME /* set a short lifetime (for debugging only!) */ printerr(0, "WARNING: Using (debug) short machine cred lifetime!\n"); krb5_get_init_creds_opt_set_tkt_life(init_opts, 5 * 60); #endif opts = init_opts; #else /* HAVE_KRB5_GET_INIT_CREDS_OPT_SET_ADDRESSLESS */ krb5_get_init_creds_opt_init(&options); krb5_get_init_creds_opt_set_address_list(&options, NULL); #ifdef TEST_SHORT_LIFETIME /* set a short lifetime (for debugging only!) */ printerr(0, "WARNING: Using (debug) short machine cred lifetime!\n"); krb5_get_init_creds_opt_set_tkt_life(&options, 5 * 60); #endif opts = &options; #endif code = krb5_get_init_creds_keytab(context, &my_creds, ple->princ, kt, 0, NULL, opts); if (code != 0) { k5err = gssd_k5_err_msg(context, code); printerr(1, "WARNING: %s while getting initial ticket for " "principal '%s' using keytab '%s'\n", k5err, pname ? pname : "<unparsable>", kt_name); goto out; } /* * Initialize cache file which we're going to be using */ if (use_memcache) cache_type = "MEMORY"; else cache_type = "FILE"; snprintf(cc_name, sizeof(cc_name), "%s:%s/%s%s_%s", cache_type, ccachesearch[0], GSSD_DEFAULT_CRED_PREFIX, GSSD_DEFAULT_MACHINE_CRED_SUFFIX, ple->realm); ple->endtime = my_creds.times.endtime; if (ple->ccname != NULL) gsh_free(ple->ccname); ple->ccname = gsh_strdup(cc_name); if (ple->ccname == NULL) { printerr(0, "ERROR: no storage to duplicate credentials " "cache name '%s'\n", cc_name); code = ENOMEM; goto out; } code = krb5_cc_resolve(context, cc_name, &ccache); if (code != 0) { k5err = gssd_k5_err_msg(context, code); printerr(0, "ERROR: %s while opening credential cache '%s'\n", k5err, cc_name); goto out; } code = krb5_cc_initialize(context, ccache, ple->princ); if (code != 0) { k5err = gssd_k5_err_msg(context, code); printerr(0, "ERROR: %s while initializing credential " "cache '%s'\n", k5err, cc_name); } code = krb5_cc_store_cred(context, ccache, &my_creds); if (code != 0) { k5err = gssd_k5_err_msg(context, code); printerr(0, "ERROR: %s while storing credentials in '%s'\n", k5err, cc_name); goto out; } /* if we get this far, let gss mech know */ gssd_set_krb5_ccache_name(cc_name); code = 0; printerr(2, "Successfully obtained machine credentials for " "principal '%s' stored in ccache '%s'\n", pname, cc_name); out: #if HAVE_KRB5_GET_INIT_CREDS_OPT_SET_ADDRESSLESS if (init_opts) krb5_get_init_creds_opt_free(context, init_opts); #endif if (pname) k5_free_unparsed_name(context, pname); if (ccache) krb5_cc_close(context, ccache); krb5_free_cred_contents(context, &my_creds); gsh_free(k5err); return code; }
static int unenroll_host(const char *server, const char *hostname, const char *ktname, int quiet) { int rval = 0; int ret; char *ipaserver = NULL; char *host = NULL; struct utsname uinfo; char *principal = NULL; char *realm = NULL; krb5_context krbctx = NULL; krb5_keytab keytab = NULL; krb5_ccache ccache = NULL; krb5_principal princ = NULL; krb5_error_code krberr; krb5_creds creds; krb5_get_init_creds_opt gicopts; char tgs[LINE_MAX]; xmlrpc_env env; xmlrpc_value * argArrayP = NULL; xmlrpc_value * paramArrayP = NULL; xmlrpc_value * paramP = NULL; xmlrpc_value * resultP = NULL; xmlrpc_server_info * serverInfoP = NULL; xmlrpc_value *princP = NULL; char * url = NULL; char * user_agent = NULL; if (server) { ipaserver = strdup(server); } else { char * conf_data = read_config_file(IPA_CONFIG); if ((ipaserver = getIPAserver(conf_data)) == NULL) { if (!quiet) fprintf(stderr, _("Unable to determine IPA server from %s\n"), IPA_CONFIG); exit(1); } free(conf_data); } if (NULL == hostname) { uname(&uinfo); host = strdup(uinfo.nodename); } else { host = strdup(hostname); } if (NULL == strstr(host, ".")) { if (!quiet) fprintf(stderr, _("The hostname must be fully-qualified: %s\n"), host); rval = 16; goto cleanup; } krberr = krb5_init_context(&krbctx); if (krberr) { if (!quiet) fprintf(stderr, _("Unable to join host: " "Kerberos context initialization failed\n")); rval = 1; goto cleanup; } krberr = krb5_kt_resolve(krbctx, ktname, &keytab); if (krberr != 0) { if (!quiet) fprintf(stderr, _("Error resolving keytab: %s.\n"), error_message(krberr)); rval = 7; goto cleanup; } krberr = krb5_get_default_realm(krbctx, &realm); if (krberr != 0) { if (!quiet) fprintf(stderr, _("Error getting default Kerberos realm: %s.\n"), error_message(krberr)); rval = 21; goto cleanup; } ret = asprintf(&principal, "host/%s@%s", host, realm); if (ret == -1) { if (!quiet) fprintf(stderr, _("Out of memory!\n")); rval = 3; goto cleanup; } krberr = krb5_parse_name(krbctx, principal, &princ); if (krberr != 0) { if (!quiet) fprintf(stderr, _("Error parsing \"%1$s\": %2$s.\n"), principal, error_message(krberr)); return krberr; } strcpy(tgs, KRB5_TGS_NAME); snprintf(tgs + strlen(tgs), sizeof(tgs) - strlen(tgs), "/%.*s", (krb5_princ_realm(krbctx, princ))->length, (krb5_princ_realm(krbctx, princ))->data); snprintf(tgs + strlen(tgs), sizeof(tgs) - strlen(tgs), "@%.*s", (krb5_princ_realm(krbctx, princ))->length, (krb5_princ_realm(krbctx, princ))->data); memset(&creds, 0, sizeof(creds)); krb5_get_init_creds_opt_init(&gicopts); krb5_get_init_creds_opt_set_forwardable(&gicopts, 1); krberr = krb5_get_init_creds_keytab(krbctx, &creds, princ, keytab, 0, tgs, &gicopts); if (krberr != 0) { if (!quiet) fprintf(stderr, _("Error obtaining initial credentials: %s.\n"), error_message(krberr)); return krberr; } krberr = krb5_cc_resolve(krbctx, "MEMORY:ipa-join", &ccache); if (krberr == 0) { krberr = krb5_cc_initialize(krbctx, ccache, creds.client); } else { if (!quiet) fprintf(stderr, _("Unable to generate Kerberos Credential Cache\n")); rval = 19; goto cleanup; } krberr = krb5_cc_store_cred(krbctx, ccache, &creds); if (krberr != 0) { if (!quiet) fprintf(stderr, _("Error storing creds in credential cache: %s.\n"), error_message(krberr)); return krberr; } krb5_cc_close(krbctx, ccache); ccache = NULL; putenv("KRB5CCNAME=MEMORY:ipa-join"); /* Start up our XML-RPC client library. */ xmlrpc_client_init(XMLRPC_CLIENT_NO_FLAGS, NAME, VERSION); xmlrpc_env_init(&env); xmlrpc_client_setup_global_const(&env); #if 1 ret = asprintf(&url, "https://%s:443/ipa/xml", ipaserver); #else ret = asprintf(&url, "http://%s:8888/", ipaserver); #endif if (ret == -1) { if (!quiet) fprintf(stderr, _("Out of memory!\n")); rval = 3; goto cleanup; } serverInfoP = xmlrpc_server_info_new(&env, url); argArrayP = xmlrpc_array_new(&env); paramArrayP = xmlrpc_array_new(&env); paramP = xmlrpc_string_new(&env, host); xmlrpc_array_append_item(&env, argArrayP, paramP); xmlrpc_array_append_item(&env, paramArrayP, argArrayP); xmlrpc_DECREF(paramP); if ((user_agent = set_user_agent(ipaserver)) == NULL) { rval = 3; goto cleanup; } callRPC(user_agent, &env, serverInfoP, "host_disable", paramArrayP, &resultP); if (handle_fault(&env)) { rval = 17; goto cleanup; } xmlrpc_struct_find_value(&env, resultP, "result", &princP); if (princP) { xmlrpc_bool result; xmlrpc_read_bool(&env, princP, &result); if (result == 1) { if (!quiet) fprintf(stderr, _("Unenrollment successful.\n")); } else { if (!quiet) fprintf(stderr, _("Unenrollment failed.\n")); } xmlrpc_DECREF(princP); } else { fprintf(stderr, _("result not found in XML-RPC response\n")); rval = 20; goto cleanup; } cleanup: free(user_agent); if (keytab) krb5_kt_close(krbctx, keytab); free((char *)principal); free((char *)ipaserver); if (princ) krb5_free_principal(krbctx, princ); if (ccache) krb5_cc_close(krbctx, ccache); if (krbctx) krb5_free_context(krbctx); free(url); xmlrpc_env_clean(&env); xmlrpc_client_cleanup(); return rval; }