smbns_krb.c revision fc724630b14603e4c1147df68b7bf45f7de7431f
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/*
* Copyright 1990 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
*
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* notice appear in all copies and that both that copyright notice and
* this permission notice appear in supporting documentation, and that
* the name of M.I.T. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
* permission. Furthermore if you modify this software you must label
* your software as modified software and not distribute it in such a
* fashion that it might be confused with the original M.I.T. software.
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
*
*
* Initialize a credentials cache.
*/
#include <kerberosv5/krb5.h>
#include <kerberosv5/com_err.h>
#include <assert.h>
#include <string.h>
#include <stdio.h>
#include <time.h>
#include <netdb.h>
#include <syslog.h>
#include <locale.h>
#include <strings.h>
#include <errno.h>
#include <smbsrv/libsmbns.h>
#include <smbns_krb.h>
static int krb5_acquire_cred_kinit_main();
struct k_opts {
/* in seconds */
int forwardable;
int proxiable;
int addresses;
int not_forwardable;
int not_proxiable;
int no_addresses;
int verbose;
char *principal_name;
char *principal_passwd;
char *service_name;
char *keytab_name;
char *k5_cache_name;
char *k4_cache_name;
};
struct k5_data {
char *name;
};
static int
{
int code;
if (code) {
return (code);
}
return (code);
}
/* Use specified name */
return (code);
}
if (code) {
return (code);
}
return (0);
}
static void
{
}
static int
{
int notix = 1;
krb5_keytab keytab = 0;
krb5_error_code code = 0;
const char *errmsg;
/*
* From this point on, we can goto cleanup because my_creds is
* initialized.
*/
if (opts->forwardable)
if (opts->not_forwardable)
if (opts->not_proxiable)
if (code != 0) {
"(%s)", errmsg);
goto cleanup;
}
}
if (opts->no_addresses)
if (code != 0) {
goto cleanup;
}
}
case INIT_PW:
break;
case INIT_KT:
break;
case VALIDATE:
break;
case RENEW:
break;
}
if (code) {
char *doing = 0;
case INIT_PW:
case INIT_KT:
doing = "k5_kinit: getting initial credentials";
break;
case VALIDATE:
doing = "k5_kinit: validating credentials";
break;
case RENEW:
doing = "k5_kinit: renewing credentials";
break;
}
/*
* If got code == KRB5_AP_ERR_V4_REPLY && got_k4, we should
*/
if (code == KRB5KRB_AP_ERR_V4_REPLY) {
"The KDC doesn't support v5. "
"You may want the -4 option in the future", doing);
return (1);
} else if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
} else {
}
goto cleanup;
}
/* We need to figure out what lifetime to use for Kerberos 4. */
}
if (code) {
goto cleanup;
}
if (code) {
goto cleanup;
}
notix = 0;
}
if (keytab)
return (notix?0:1);
}
int
{
int authed_k5 = 0;
"k5_begin failed\n");
return (0);
}
if (authed_k5)
else
return (authed_k5);
}
/*
* krb5_display_stat
* Display error message for GSS-API routines.
* Parameters:
* maj : GSS major status
* min : GSS minor status
* caller_mod: module name that calls this routine so that the module name
* can be displayed with the error messages
* Returns:
* None
*/
static void
{
}
/*
* krb5_acquire_cred_kinit
*
* Wrapper for krb5_acquire_cred_kinit_main with mutex to protect credential
* cache file when calling krb5_acquire_cred or kinit.
*/
int
{
int ret;
return (ret);
}
/*
* krb5_acquire_cred_kinit_main
*
* This routine is called by ADS module to get a handle to administrative
* user's credential stored locally on the system. The credential is the TGT.
* If the attempt at getting handle fails then a second attempt will be made
* after getting a new TGT.
*
* If there's no username then we must be using host credentials and we don't
* bother trying to acquire a credential for GSS_C_NO_NAME (which should be
* equivalent to using GSS_C_NO_CREDENTIAL, but it isn't in a very subtle way
* because mech_krb5 isn't so smart). Specifically mech_krb5 will try hard
* to get a non-expired TGT using the keytab if we're running as root (or fake
* it, using the special app_krb5_user_uid() function), but only when we use
* the default credential, as opposed to a credential for the default principal.
*
* Paramters:
* user : username to retrieve a handle to its credential
* pwd : password of username in case obtaining a new TGT is needed
* kinit_retry: if 0 then a second attempt will be made to get handle to the
* credential if the first attempt fails
* caller_mod : name of module that call this routine so that the module name
* can be included with error messages
* Returns:
* cred_handle: handle to the administrative user's credential (TGT)
* oid : contains Kerberos 5 object identifier
* kinit_retry: A 1 indicates that a second attempt has been made to get
* handle to the credential and no further attempts can be made
* -1 : error
* 0 : success
*/
static int
{
*oid = GSS_C_NO_OID;
return (0);
/* Object Identifier for Kerberos 5 */
return (-1);
}
!= GSS_S_COMPLETE) {
return (-1);
}
!= GSS_S_COMPLETE) {
return (-1);
}
&desired_name)) != GSS_S_COMPLETE) {
return (-1);
}
*kinit_retry = 1;
goto acquire_cred;
} else {
/* See above */
return (0);
}
return (-1);
}
}
return (0);
}
/*
* krb5_establish_sec_ctx_kinit
*
* This routine is called by the ADS module to establish a security
* context before ADS updates are allowed. If establishing a security context
* fails for any reason, a second attempt will be made after a new TGT is
* obtained. This routine is called many time as needed until a security
* context is established.
*
* The resources use for the security context must be released if security
* context establishment process fails.
* Parameters:
* user : user used in establishing a security context for. Is used for
* obtaining a new TGT for a second attempt at establishing
* security context
* pwd : password of above user
* cred_handle: a handle to the user credential (TGT) stored locally
* gss_context: initially set to GSS_C_NO_CONTEXT but will contain a handle
* to a security context
* target_name: contains service name to establish a security context with,
* ie ldap or dns
* gss_flags : flags used in establishing security context
* inputptr : initially set to GSS_C_NO_BUFFER but will be token data
* received from service's server to be processed to generate
* further token to be sent back to service's server during
* security context establishment
* kinit_retry: if 0 then a second attempt will be made to get handle to the
* credential if the first attempt fails
* caller_mod : name of module that call this routine so that the module name
* can be included with error messages
* Returns:
* gss_context : a handle to a security context
* out_tok : token data to be sent to service's server to establish
* security context
* ret_flags : return flags
* time_rec : valid time for security context, not currently used
* kinit_retry : A 1 indicates that a second attempt has been made to get
* handle to the credential and no further attempts can be
* made
* do_acquire_cred: A 1 indicates that a new handle to the local credential
* is needed for second attempt at security context
* establishment
* maj : major status code used if determining is security context
* establishment is successful
*/
int
int *kinit_retry, int *do_acquire_cred,
{
if (*gss_context != NULL)
*kinit_retry = 1;
*do_acquire_cred = 1;
return (-1);
} else {
return (-1);
}
}
return (0);
}
/*
* smb_ccache_init
*
* Creates the directory where the Kerberos ccache file is located
* and set KRB5CCNAME in the environment.
*
* Returns 0 upon succcess. Otherwise, returns
* -1 if it fails to create the specified directory fails.
* -2 if it fails to set the KRB5CCNAME environment variable.
*/
int
{
static char buf[MAXPATHLEN];
return (-1);
return (-2);
return (0);
}
void
smb_ccache_remove(char *path)
{
}