_PUBLIC_ int cli_credentials_set_keytab_name(struct cli_credentials *cred, struct loadparm_context *lp_ctx, const char *keytab_name, enum credentials_obtained obtained) { krb5_error_code ret; struct keytab_container *ktc; struct smb_krb5_context *smb_krb5_context; TALLOC_CTX *mem_ctx; if (cred->keytab_obtained >= obtained) { return 0; } ret = cli_credentials_get_krb5_context(cred, lp_ctx, &smb_krb5_context); if (ret) { return ret; } mem_ctx = talloc_new(cred); if (!mem_ctx) { return ENOMEM; } ret = smb_krb5_get_keytab_container(mem_ctx, smb_krb5_context, NULL, keytab_name, &ktc); if (ret) { return ret; } cred->keytab_obtained = obtained; talloc_steal(cred, ktc); cred->keytab = ktc; talloc_free(mem_ctx); return ret; }
/* Get the keytab (actually, a container containing the krb5_keytab) * attached to this context. If this hasn't been done or set before, * it will be generated from the password. */ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred, struct loadparm_context *lp_ctx, struct keytab_container **_ktc) { krb5_error_code ret; struct keytab_container *ktc; struct smb_krb5_context *smb_krb5_context; const char *keytab_name; krb5_keytab keytab; TALLOC_CTX *mem_ctx; if (cred->keytab_obtained >= (MAX(cred->principal_obtained, cred->username_obtained))) { *_ktc = cred->keytab; return 0; } if (cli_credentials_is_anonymous(cred)) { return EINVAL; } ret = cli_credentials_get_krb5_context(cred, lp_ctx, &smb_krb5_context); if (ret) { return ret; } mem_ctx = talloc_new(cred); if (!mem_ctx) { return ENOMEM; } ret = smb_krb5_create_memory_keytab(mem_ctx, smb_krb5_context->krb5_context, cli_credentials_get_password(cred), cli_credentials_get_username(cred), cli_credentials_get_realm(cred), cli_credentials_get_kvno(cred), &keytab, &keytab_name); if (ret) { talloc_free(mem_ctx); return ret; } ret = smb_krb5_get_keytab_container(mem_ctx, smb_krb5_context, keytab, keytab_name, &ktc); if (ret) { talloc_free(mem_ctx); return ret; } cred->keytab_obtained = (MAX(cred->principal_obtained, cred->username_obtained)); /* We make this keytab up based on a password. Therefore * match-by-key is acceptable, we can't match on the wrong * principal */ ktc->password_based = true; talloc_steal(cred, ktc); cred->keytab = ktc; *_ktc = cred->keytab; talloc_free(mem_ctx); return ret; }
/* Get the keytab (actually, a container containing the krb5_keytab) * attached to this context. If this hasn't been done or set before, * it will be generated from the password. */ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred, struct loadparm_context *lp_ctx, struct keytab_container **_ktc) { krb5_error_code ret; struct keytab_container *ktc; struct smb_krb5_context *smb_krb5_context; const char *keytab_name; krb5_keytab keytab; TALLOC_CTX *mem_ctx; const char *username = cli_credentials_get_username(cred); const char *realm = cli_credentials_get_realm(cred); const char *error_string; const char *salt_principal; if (cred->keytab_obtained >= (MAX(cred->principal_obtained, cred->username_obtained))) { *_ktc = cred->keytab; return 0; } if (cli_credentials_is_anonymous(cred)) { return EINVAL; } ret = cli_credentials_get_krb5_context(cred, lp_ctx, &smb_krb5_context); if (ret) { return ret; } mem_ctx = talloc_new(cred); if (!mem_ctx) { return ENOMEM; } /* * FIXME: Currently there is no better way than to create the correct * salt principal by checking if the username ends with a '$'. It would * be better if it is part of the credentials. */ ret = smb_krb5_create_salt_principal(mem_ctx, username, realm, &salt_principal, &error_string); if (ret) { talloc_free(mem_ctx); return ret; } ret = smb_krb5_create_memory_keytab(mem_ctx, smb_krb5_context->krb5_context, cli_credentials_get_password(cred), username, realm, salt_principal, cli_credentials_get_kvno(cred), &keytab, &keytab_name); if (ret) { talloc_free(mem_ctx); return ret; } ret = smb_krb5_get_keytab_container(mem_ctx, smb_krb5_context, keytab, keytab_name, &ktc); if (ret) { talloc_free(mem_ctx); return ret; } cred->keytab_obtained = (MAX(cred->principal_obtained, cred->username_obtained)); /* We make this keytab up based on a password. Therefore * match-by-key is acceptable, we can't match on the wrong * principal */ ktc->password_based = true; talloc_steal(cred, ktc); cred->keytab = ktc; *_ktc = cred->keytab; talloc_free(mem_ctx); return ret; }