
📄 krb5_setpw.c

📁 samba-3.0.22.tar.gz 编译smb服务器的源码
		int rc = errno;	        free(ap_req.data);		krb5_auth_con_free(context, auth_context);		DEBUG(1,("failed to open kpasswd socket to %s (%s)\n", 			 kdc_host, strerror(errno)));		return ADS_ERROR_SYSTEM(rc);	}		addr_len = sizeof(remote_addr);	getpeername(sock, &remote_addr, &addr_len);	addr_len = sizeof(local_addr);	getsockname(sock, &local_addr, &addr_len);		setup_kaddr(&remote_kaddr, &remote_addr);	setup_kaddr(&local_kaddr, &local_addr);	ret = krb5_auth_con_setaddrs(context, auth_context, &local_kaddr, NULL);	if (ret) {	        close(sock);	        free(ap_req.data);		krb5_auth_con_free(context, auth_context);		DEBUG(1,("krb5_auth_con_setaddrs failed (%s)\n", error_message(ret)));		return ADS_ERROR_KRB5(ret);	}	ret = build_kpasswd_request(pversion, context, auth_context, &ap_req,				  princ, newpw, &chpw_req);	if (ret) {	        close(sock);	        free(ap_req.data);		krb5_auth_con_free(context, auth_context);		DEBUG(1,("build_setpw_request failed (%s)\n", error_message(ret)));		return ADS_ERROR_KRB5(ret);	}	if (write(sock, chpw_req.data, chpw_req.length) != chpw_req.length) {	        close(sock);		free(chpw_req.data);	        free(ap_req.data);		krb5_auth_con_free(context, auth_context);		DEBUG(1,("send of chpw failed (%s)\n", strerror(errno)));		return ADS_ERROR_SYSTEM(errno);	}	free(chpw_req.data);	chpw_rep.length = 1500;	chpw_rep.data = (char *) SMB_MALLOC(chpw_rep.length);	if (!chpw_rep.data) {	        close(sock);	        free(ap_req.data);		krb5_auth_con_free(context, auth_context);		DEBUG(1,("send of chpw failed (%s)\n", strerror(errno)));		errno = ENOMEM;		return ADS_ERROR_SYSTEM(errno);	}	ret = read(sock, chpw_rep.data, chpw_rep.length);	if (ret < 0) {	        close(sock);		free(chpw_rep.data);		free(ap_req.data);		krb5_auth_con_free(context, auth_context);		DEBUG(1,("recv of chpw reply failed (%s)\n", strerror(errno)));		return ADS_ERROR_SYSTEM(errno);	}	close(sock);	chpw_rep.length = ret;	ret = krb5_auth_con_setaddrs(context, auth_context, 
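NULL,&remote_kaddr);
	if (ret) {
		free(chpw_rep.data);
		free(ap_req.data);
		krb5_auth_con_free(context, auth_context);
		DEBUG(1,("krb5_auth_con_setaddrs on reply failed (%s)\n", 
			 error_message(ret)));
		return ADS_ERROR_KRB5(ret);
	}

	ret = parse_setpw_reply(context, auth_context, &chpw_rep);
	free(chpw_rep.data);

	if (ret) {
		free(ap_req.data);
		krb5_auth_con_free(context, auth_context);
		DEBUG(1,("parse_setpw_reply failed (%s)\n", 
			 error_message(ret)));
		return ADS_ERROR_KRB5(ret);
	}

	free(ap_req.data);
	krb5_auth_con_free(context, auth_context);

	return ADS_SUCCESS;
}

/**
 * Set the password of a principal with a kpasswd "set password" request,
 * authenticating with the ticket found in the default credential cache.
 *
 * @param kdc_host    server the kpasswd request is sent to
 * @param princ       principal whose password is set; must contain '@realm'
 * @param newpw       new password
 * @param time_offset seconds added to the local clock for this krb5 context
 *                    (0 leaves the clock untouched)
 * @return status of the request, or the error of the first failing step
 **/
ADS_STATUS ads_krb5_set_password(const char *kdc_host, const char *princ, 
				 const char *newpw, int time_offset)
{
	ADS_STATUS aret;
	krb5_error_code ret = 0;
	krb5_context context = NULL;
	krb5_principal principal = NULL;
	char *princ_name = NULL;
	char *realm = NULL;
	krb5_creds creds, *credsp = NULL;
#if KRB5_PRINC_REALM_RETURNS_REALM
	krb5_realm orig_realm;
#else
	krb5_data orig_realm;
#endif
	krb5_ccache ccache = NULL;

	ZERO_STRUCT(creds);

	initialize_krb5_error_table();
	ret = krb5_init_context(&context);
	if (ret) {
		DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret)));
		return ADS_ERROR_KRB5(ret);
	}

	if (time_offset != 0) {
		krb5_set_real_time(context, time(NULL) + time_offset, 0);
	}

	ret = krb5_cc_default(context, &ccache);
	if (ret) {
		krb5_free_context(context);
		DEBUG(1,("Failed to get default creds (%s)\n", error_message(ret)));
		return ADS_ERROR_KRB5(ret);
	}

	realm = strchr_m(princ, '@');
	if (!realm) {
		krb5_cc_close(context, ccache);
		krb5_free_context(context);
		DEBUG(1,("Failed to get realm\n"));
		return ADS_ERROR_KRB5(-1);
	}
	realm++;

	/* asprintf() leaves princ_name undefined on failure, so it must be
	   checked before the pointer is handed to krb5_parse_name() */
	if (asprintf(&princ_name, "kadmin/changepw@%s", realm) < 0) {
		krb5_cc_close(context, ccache);
		krb5_free_context(context);
		DEBUG(1,("Failed to allocate kadmin/changepw principal name\n"));
		return ADS_ERROR_SYSTEM(ENOMEM);
	}

	ret = krb5_parse_name(context, princ_name, &creds.server);
	/* released on both the success and the failure path (the failure path
	   used to leak it) and cleared so it cannot be reused below */
	free(princ_name);
	princ_name = NULL;
	if (ret) {
		krb5_cc_close(context, ccache);
		krb5_free_context(context);
		DEBUG(1,("Failed to parse kadmin/changepw (%s)\n", error_message(ret)));
		return ADS_ERROR_KRB5(ret);
	}

	/* parse the principal we got as a function argument */
	ret = krb5_parse_name(context, princ, &principal);
	if (ret) {
		krb5_cc_close(context, ccache);
		krb5_free_principal(context, creds.server);
		krb5_free_context(context);
		/* log the caller's string: princ_name has already been freed,
		   so printing it here was a use-after-free */
		DEBUG(1,("Failed to parse %s (%s)\n", princ, error_message(ret)));
		return ADS_ERROR_KRB5(ret);
	}

	/* The creds.server principal takes ownership of this memory.
		Remember to set back to original value before freeing. */
	orig_realm = *krb5_princ_realm(context, creds.server);
	krb5_princ_set_realm(context, creds.server, krb5_princ_realm(context, principal));

	ret = krb5_cc_get_principal(context, ccache, &creds.client);
	if (ret) {
		krb5_cc_close(context, ccache);
		krb5_princ_set_realm(context, creds.server, &orig_realm);
		krb5_free_principal(context, creds.server);
		krb5_free_principal(context, principal);
		krb5_free_context(context);
		DEBUG(1,("Failed to get principal from ccache (%s)\n", 
			 error_message(ret)));
		return ADS_ERROR_KRB5(ret);
	}

	ret = krb5_get_credentials(context, 0, ccache, &creds, &credsp); 
	if (ret) {
		krb5_cc_close(context, ccache);
		krb5_free_principal(context, creds.client);
		krb5_princ_set_realm(context, creds.server, &orig_realm);
		krb5_free_principal(context, creds.server);
		krb5_free_principal(context, principal);
		krb5_free_context(context);
		DEBUG(1,("krb5_get_credentials failed (%s)\n", error_message(ret)));
		return ADS_ERROR_KRB5(ret);
	}

	/* we might have to call krb5_free_creds(...) from now on ... */

	aret = do_krb5_kpasswd_request(context, kdc_host,
				       KRB5_KPASSWD_VERS_SETPW,
				       credsp, princ, newpw);

	krb5_free_creds(context, credsp);
	krb5_free_principal(context, creds.client);
	/* restore the borrowed realm before creds.server is freed */
	krb5_princ_set_realm(context, creds.server, &orig_realm);
	krb5_free_principal(context, creds.server);
	krb5_free_principal(context, principal);
	krb5_cc_close(context, ccache);
	krb5_free_context(context);

	return aret;
}

/*
  we use a prompter to avoid a crash bug in the kerberos libs when 
  dealing with empty passwords
  this prompter is just a string copy ...

  Only prompts[0] is answered. Its reply buffer is zeroed first and at most
  length-1 bytes of 'data' are copied in, so the reply is always
  NUL-terminated. A NULL 'data' produces an empty reply.
*/
static krb5_error_code 
kerb_prompter(krb5_context ctx, void *data,
	       const char *name,
	       const char *banner,
	       int num_prompts,
	       krb5_prompt prompts[])
{
	if (num_prompts == 0) return 0;

	memset(prompts[0].reply->data, 0, prompts[0].reply->length);
	if (prompts[0].reply->length > 0) {
		if (data) {
			strncpy(prompts[0].reply->data, data, prompts[0].reply->length-1);
			prompts[0].reply->length = strlen(prompts[0].reply->data);
		} else {
			prompts[0].reply->length = 0;
		}
	}
	return 0;
}

/**
 * Change a principal's own password: obtain an initial kadmin/changepw
 * ticket with the old password, then send a kpasswd "change password"
 * request carrying the new one.
 *
 * @param kdc_host    server the kpasswd request is sent to
 * @param principal   principal whose password is changed
 * @param oldpw       current password, used to get the initial ticket
 * @param newpw       new password
 * @param time_offset not used by this function
 *                    NOTE(review): ads_krb5_set_password applies it with
 *                    krb5_set_real_time() - confirm the omission is intended
 * @return status of the request, or the error of the first failing step
 **/
static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
					const char *principal,
					const char *oldpw, 
					const char *newpw, 
					int time_offset)
{
	ADS_STATUS aret;
	krb5_error_code ret;
	krb5_context context = NULL;
	krb5_principal princ;
	krb5_get_init_creds_opt opts;
	krb5_creds creds;
	char *chpw_princ = NULL, *password;

	initialize_krb5_error_table();
	ret = krb5_init_context(&context);
	if (ret) {
		DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret)));
		return ADS_ERROR_KRB5(ret);
	}

	if ((ret = krb5_parse_name(context, principal,
				    &princ))) {
		krb5_free_context(context);
		DEBUG(1,("Failed to parse %s (%s)\n", principal, error_message(ret)));
		return ADS_ERROR_KRB5(ret);
	}

	/* short-lived, non-renewable, non-forwardable, non-proxiable ticket:
	   it is only needed for the password change itself */
	krb5_get_init_creds_opt_init(&opts);
	krb5_get_init_creds_opt_set_tkt_life(&opts, 5*60);
	krb5_get_init_creds_opt_set_renew_life(&opts, 0);
	krb5_get_init_creds_opt_set_forwardable(&opts, 0);
	krb5_get_init_creds_opt_set_proxiable(&opts, 0);

	/* We have to obtain an INITIAL changepw ticket for changing password */
	/* NOTE(review): ads_krb5_set_password dereferences the result of
	   krb5_princ_realm() as a krb5_realm/krb5_data, so casting it straight
	   to char * looks wrong - confirm which realm string ends up in
	   chpw_princ. */
	if (asprintf(&chpw_princ, "kadmin/changepw@%s",
		     (char *) krb5_princ_realm(context, princ)) < 0) {
		/* chpw_princ is undefined after a failed asprintf() */
		krb5_free_principal(context, princ);
		krb5_free_context(context);
		return ADS_ERROR_SYSTEM(ENOMEM);
	}

	password = SMB_STRDUP(oldpw);
	if (!password) {
		/* do not fall through to the prompter, which would answer
		   with an empty password */
		SAFE_FREE(chpw_princ);
		krb5_free_principal(context, princ);
		krb5_free_context(context);
		return ADS_ERROR_SYSTEM(ENOMEM);
	}

	ret = krb5_get_init_creds_password(context, &creds, princ, password,
					   kerb_prompter, NULL, 
					   0, chpw_princ, &opts);
	SAFE_FREE(chpw_princ);
	{
		/* wipe the cleartext copy before releasing it; the volatile
		   pointer keeps the stores from being dropped ahead of free() */
		volatile char *wipe = password;
		while (*wipe) {
			*wipe++ = 0;
		}
	}
	SAFE_FREE(password);

	if (ret) {
		if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
			DEBUG(1,("Password incorrect while getting initial ticket"));
		} else {
			DEBUG(1,("krb5_get_init_creds_password failed (%s)\n", error_message(ret)));
		}

		krb5_free_principal(context, princ);
		krb5_free_context(context);
		return ADS_ERROR_KRB5(ret);
	}

	aret = do_krb5_kpasswd_request(context, kdc_host,
				       KRB5_KPASSWD_VERS_CHANGEPW,
				       &creds, principal, newpw);

	/* NOTE(review): the contents of 'creds' filled in by
	   krb5_get_init_creds_password() are not released on this path -
	   confirm and free them with the credential-contents call the
	   linked krb5 library provides. */
	krb5_free_principal(context, princ);
	krb5_free_context(context);

	return aret;
}

/**
 * Set or change a Kerberos password.
 *
 * Authenticates as auth_principal first. When auth_principal and
 * target_principal are the same string the change-password path is used
 * (which needs the old password); otherwise the set-password path is used.
 *
 * @param kpasswd_server   server the kpasswd request is sent to
 * @param auth_principal   principal used to authenticate
 * @param auth_password    password of auth_principal
 * @param target_principal principal whose password is being set
 * @param new_password     new password for target_principal
 * @param time_offset      clock offset passed on to the kinit and
 *                         password helpers
 * @return status of the password operation, or the kinit error
 **/
ADS_STATUS kerberos_set_password(const char *kpasswd_server, 
				 const char *auth_principal, const char *auth_password,
				 const char *target_principal, const char *new_password,
				 int time_offset)
{
	int ret;

	if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset, NULL, NULL))) {
		DEBUG(1,("Failed kinit for principal %s (%s)\n", auth_principal, error_message(ret)));
		return ADS_ERROR_KRB5(ret);
	}

	if (!strcmp(auth_principal, target_principal)) {
		return ads_krb5_chg_password(kpasswd_server, target_principal,
					     auth_password, new_password, time_offset);
	} else {
		return ads_krb5_set_password(kpasswd_server, target_principal,
					     new_password, time_offset);
	}
}

/**
 * Set the machine account password
 * @param ads connection to ads server
 * @param machine_account machine account whose password is being set
 * @param password new password
 * @return status of password change
 **/
ADS_STATUS ads_set_machine_password(ADS_STRUCT *ads,
				    const char *machine_account,
				    const char *password)
{
	ADS_STATUS status;
	char *principal = NULL;

	/*
	  we need to use the '$' form of the name here (the machine account name), 
	  as otherwise the server might end up setting the password for a user
	  instead
	 */
	if (asprintf(&principal, "%s@%s", machine_account, ads->config.realm) < 0) {
		/* principal is undefined after a failed asprintf(); do not
		   pass it on or free it */
		return ADS_ERROR_SYSTEM(ENOMEM);
	}

	status = ads_krb5_set_password(ads->auth.kdc_server, principal, 
				       password, ads->auth.time_offset);

	free(principal);

	return status;
}
#endif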
