From fd1ec141224225d884d9904a669341a74e7d629d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Sun, 22 Apr 2007 10:42:26 +0000
Subject: [PATCH] Add --ntlm-domain that store the ntlm cred for this domain if the Kerberos password auth worked.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@20517 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kuser/kinit.c | 64 ++++++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 53 insertions(+), 11 deletions(-)
diff --git a/kuser/kinit.c b/kuser/kinit.c
index 391f797db..69bd73644 100644
--- a/kuser/kinit.c
+++ b/kuser/kinit.c
@@ -44,6 +44,7 @@ struct krb5_dh_moduli;
 struct krb5_plugin;
 enum plugin_type;
 #include "krb5-private.h"
+#include "heimntlm.h"
 int forwardable_flag = -1;
 int proxiable_flag = -1;
@@ -73,6 +74,7 @@ char *pk_user_id = NULL;
 char *pk_x509_anchors = NULL;
 int pk_use_enckey = 0;
 static int canonicalize_flag = 0;
+static char *ntlm_domain;
 static char *krb4_cc_name;
@@ -154,19 +156,19 @@ static struct getargs args[] = {
 { "canonicalize",0, arg_flag, &canonicalize_flag, "canonicalize client principal" }, - #ifdef PKINIT - { "pk-user", 'C', arg_string, &pk_user_id, - "principal's public/private/certificate identifier", - "id" }, + { "pk-user", 'C', arg_string, &pk_user_id, + "principal's public/private/certificate identifier", "id" }, - { "x509-anchors", 'D', arg_string, &pk_x509_anchors, - "directory with CA certificates", "directory" }, - - { "pk-use-enckey", 0, arg_flag, &pk_use_enckey, - "Use RSA encrypted reply (instead of DH)" }, + { "x509-anchors", 'D', arg_string, &pk_x509_anchors, + "directory with CA certificates", "directory" }, + { "pk-use-enckey", 0, arg_flag, &pk_use_enckey, + "Use RSA encrypted reply (instead of DH)" }, #endif + { "ntlm-domain", 0, arg_string, &ntlm_domain, + "NTLM domain", "domain" }, + { "version", 0, arg_flag, &version_flag }, { "help", 0, arg_flag, &help_flag } };
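Review bot: The help text for the new `ntlm-domain` entry, `"NTLM domain"`, does not tell the user what the option does: elsewhere in this patch, setting it makes kinit derive an NTLM key from the typed password and store that password-equivalent key in the credential cache. A help string such as `"store an NTLM key for this domain in the credential cache (derived from the Kerberos password)"` would make that side effect visible in `kinit --help`. The args[] initializer begins before this hunk.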
@@ -334,6 +336,39 @@ out:
 return ret;
 }
+static krb5_error_code
+store_ntlmkey(krb5_context context, krb5_ccache id,
+ const char *domain, krb5_const_principal client,
+ struct ntlm_buf *buf)
+{
+ krb5_error_code ret;
+ krb5_creds cred;
+
+ memset(&cred, 0, sizeof(cred));
+
+ ret = krb5_make_principal(context, &cred.server,
+ krb5_principal_get_realm(context, client),
+ "@ntlm-key", domain, NULL);
+ if (ret)
+ goto out;
+ ret = krb5_copy_principal(context, client, &cred.client);
+ if (ret)
+ goto out;
+
+ cred.times.authtime = time(NULL);
+ cred.times.endtime = time(NULL) + 3600 * 24 * 30; /* XXX */
+ cred.session.keytype = ENCTYPE_ARCFOUR_HMAC_MD5;
+ ret = krb5_data_copy(&cred.session.keyvalue, buf->data, buf->length);
+ if (ret)
+ goto out;
+
+ ret = krb5_cc_store_cred(context, id, &cred);
+
+out:
+ krb5_free_cred_contents (context, &cred);
+ return 0;
+}
+
 static krb5_error_code
 get_new_tickets(krb5_context context,
 krb5_principal principal,
@@ -349,7 +384,9 @@ get_new_tickets(krb5_context context,
 krb5_deltat renew = 0;
 char *renewstr = NULL;
 krb5_enctype *enctype = NULL;
+ struct ntlm_buf ntlmkey;
+ memset(&ntlmkey, 0, sizeof(ntlmkey));
 passwd[0] = '\0';
 if (password_file) {
@@ -378,8 +415,8 @@ get_new_tickets(krb5_context context,
 if (ret)
 krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc");
- krb5_get_init_creds_opt_set_default_flags(context, "kinit",
- /* XXX */principal->realm, opt);
+ krb5_get_init_creds_opt_set_default_flags(context, "kinit",
+ krb5_principal_get_realm(context, principal), opt);
 if(forwardable_flag != -1)
 krb5_get_init_creds_opt_set_forwardable (opt, forwardable_flag);
@@ -509,6 +546,8 @@ get_new_tickets(krb5_context context,
 opt);
 }
 krb5_get_init_creds_opt_free(context, opt);
+ if (ntlm_domain && passwd[0])
+ heim_ntlm_nt_key(passwd, &ntlmkey);
 memset(passwd, 0, sizeof(passwd));
 switch(ret){
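Review bot: `return 0;` after the `out:` label in store_ntlmkey discards `ret`, so a failure in krb5_make_principal, krb5_copy_principal, krb5_data_copy or krb5_cc_store_cred is reported to the caller as success; it should be `return ret;`. The `/* XXX */` on the endtime line also deserves a real comment, because what is stored here is the NTLM key derived from the user's password, which stays usable until the password changes regardless of the 30-day endtime — something like `/* endtime is bookkeeping only: the stored NT key remains valid until the password changes */`. A short header comment stating that the key is stored as an ARCFOUR-HMAC-MD5 session key under the `@ntlm-key/<domain>` pseudo-service principal in the client's realm would help the next reader.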
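Review bot: The result of `heim_ntlm_nt_key(passwd, &ntlmkey)` is dropped; if it fails, ntlmkey.data stays NULL from the earlier memset and the later store is skipped silently, although the user explicitly asked for --ntlm-domain. `ret` cannot be reused for this because `switch(ret)` right below dispatches on the get_init_creds result, so report it separately: `if (heim_ntlm_nt_key(passwd, &ntlmkey) != 0)` / `krb5_warnx(context, "failed to derive NTLM key for %s", ntlm_domain);`. get_new_tickets starts and ends outside this hunk.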
@@ -556,6 +595,9 @@ get_new_tickets(krb5_context context,
 krb5_free_cred_contents (context, &cred);
+ if (ntlm_domain && ntlmkey.data)
+ store_ntlmkey(context, ccache, ntlm_domain, principal, &ntlmkey);
+
 if (enctype)
 free(enctype);
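Review bot: After `store_ntlmkey(...)` the ntlmkey buffer is left as is: its data is the NT hash of the password, a password-equivalent secret, and nothing in this hunk zeroizes or frees it, nor is store_ntlmkey's return value looked at. Release it right after the store, e.g. `memset(ntlmkey.data, 0, ntlmkey.length);` followed by `heim_ntlm_free_buf(&ntlmkey);` (or a non-elidable zeroizing helper if the tree has one), and warn when the store fails once store_ntlmkey propagates its error. The rest of get_new_tickets lies outside this hunk, so this holds only if no later line already frees the buffer.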