/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright 2014 Nexenta Systems, Inc. All rights reserved.
*/
/*
* Copyright 1990 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
*
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* notice appear in all copies and that both that copyright notice and
* this permission notice appear in supporting documentation, and that
* the name of M.I.T. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
* permission. Furthermore if you modify this software you must label
* your software as modified software and not distribute it in such a
* fashion that it might be confused with the original M.I.T. software.
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
*
*
* Initialize a credentials cache.
*/
#include <kerberosv5/krb5.h>
#include <kerberosv5/com_err.h>
#include <assert.h>
#include <stdio.h>
#include <syslog.h>
#include <errno.h>
#include <smbsrv/libsmbns.h>
#include <smbns_krb.h>
int
smb_kinit(char *domain_name, char *principal_name, char *principal_passwd)
{
char default_realm[MAXHOSTNAMELEN];
krb5_context ctx = NULL;
krb5_ccache cc = NULL;
krb5_principal me = NULL;
krb5_creds my_creds;
krb5_error_code code;
const char *errmsg = NULL;
const char *doing = NULL;
smb_ads_status_t err;
assert(principal_name != NULL);
assert(principal_passwd != NULL);
(void) memset(&my_creds, 0, sizeof (my_creds));
/*
* From this point on, we can goto cleanup because the key variables
* are initialized.
*/
code = krb5_init_context(&ctx);
if (code) {
err = SMB_ADS_KRB5_INIT_CTX;
doing = "smbns_krb: initializing context";
goto cleanup;
}
/*
* In case krb5.conf is not configured, set the default realm.
*/
(void) strlcpy(default_realm, domain_name, sizeof (default_realm));
(void) smb_strupr(default_realm);
(void) krb5_set_default_realm(ctx, default_realm);
code = krb5_cc_default(ctx, &cc);
if (code != 0) {
err = SMB_ADS_KRB5_CC_DEFAULT;
doing = "smbns_krb: resolve default credentials cache";
goto cleanup;
}
/* Use specified name */
code = krb5_parse_name(ctx, principal_name, &me);
if (code != 0) {
err = SMB_ADS_KRB5_PARSE_PRINCIPAL;
doing = "smbns_krb: parsing principal name";
goto cleanup;
}
code = krb5_get_init_creds_password(ctx, &my_creds, me,
principal_passwd, NULL, 0, (krb5_deltat)0,
NULL, NULL);
if (code != 0) {
err = SMB_ADS_KRB5_GET_INIT_CREDS_PW;
doing = "smbns_krb: getting initial credentials";
if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
errmsg = "smbns_krb: Password incorrect";
}
goto cleanup;
}
code = krb5_cc_initialize(ctx, cc, me);
if (code != 0) {
err = SMB_ADS_KRB5_CC_INITIALIZE;
doing = "smbns_krb: initializing cache";
goto cleanup;
}
code = krb5_cc_store_cred(ctx, cc, &my_creds);
if (code != 0) {
err = SMB_ADS_KRB5_CC_STORE_CRED;
doing = "smbns_krb: storing credentials";
goto cleanup;
}
/* SUCCESS! */
err = SMB_ADS_SUCCESS;
cleanup:
if (code != 0) {
if (errmsg == NULL)
smb_krb5_log_errmsg(ctx, doing, code);
else
syslog(LOG_ERR, "%s (%s)", doing, errmsg);
}
if (my_creds.client == me) {
my_creds.client = NULL;
}
krb5_free_cred_contents(ctx, &my_creds);
if (me)
krb5_free_principal(ctx, me);
if (cc)
(void) krb5_cc_close(ctx, cc);
if (ctx)
krb5_free_context(ctx);
return (err);
}
/*
* Invoke krb5_get_error_message() to generate a richer error message.
*/
void
smb_krb5_log_errmsg(krb5_context ctx, const char *prefix, krb5_error_code code)
{
const char *msg;
msg = krb5_get_error_message(ctx, code);
syslog(LOG_ERR, "%s (%s)", prefix, msg);
krb5_free_error_message(ctx, msg);
}
/*
* smb_ccache_init
*
* Creates the directory where the Kerberos ccache file is located
* and set KRB5CCNAME in the environment.
*
* Returns 0 upon succcess. Otherwise, returns
* -1 if it fails to create the specified directory fails.
* -2 if it fails to set the KRB5CCNAME environment variable.
*/
int
smb_ccache_init(char *dir, char *filename)
{
static char buf[MAXPATHLEN];
if ((mkdir(dir, 0700) < 0) && (errno != EEXIST))
return (-1);
(void) snprintf(buf, MAXPATHLEN, "KRB5CCNAME=%s/%s", dir, filename);
if (putenv(buf) != 0)
return (-2);
return (0);
}
void
smb_ccache_remove(char *path)
{
if ((remove(path) < 0) && (errno != ENOENT))
syslog(LOG_ERR, "smbns_krb: failed to remove ccache (%s)",
path);
}