authorAndrew Bartlett <abartlet@samba.org>2005-01-02 23:53:14 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:08:12 -0500
commit0dcd4645961c5d672b9526538eaddf0503db793a (patch)
treed6723b21fc30ff1a1e6b73aa851e1bedfc446c77
parent022bc635ef40827e778e08ee27cb8f16bf28c90b (diff)
r4494: Allow gensec_gssapi to use the SPNEGO mech provided by Heimdal (off by
default at this point), and include the GSSAPI OIDs in our source, per advice by lha that this is easier than getting the includes right. Andrew Bartlett (This used to be commit 9ff8b2b4d12d364084df5c95a752ce2a0546053d)
-rw-r--r--source4/libcli/auth/gensec_gssapi.c51
-rw-r--r--source4/param/loadparm.c3
2 files changed, 46 insertions, 8 deletions
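--- a/source4/libcli/auth/gensec_gssapi.c
+++ b/source4/libcli/auth/gensec_gssapi.c
@@ -36,6 +36,7 @@ struct gensec_gssapi_state {
 gss_name_t server_name;
 gss_name_t client_name;
 int want_flags, got_flags;
+ const gss_OID_desc *gss_oid;
 };
 static int gensec_gssapi_destory(void *ptr)
 {
@@ -91,6 +92,19 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
 gensec_gssapi_state->want_flags |= GSS_C_CONF_FLAG;
 }
+ if (strcmp(gensec_security->ops->oid, GENSEC_OID_KERBEROS5) == 0) {
+ static const gss_OID_desc gensec_gss_krb5_mechanism_oid_desc =
+ {9, (void *)discard_const_p(char, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02")};
+
+ gensec_gssapi_state->gss_oid = &gensec_gss_krb5_mechanism_oid_desc;
+ } else if (strcmp(gensec_security->ops->oid, GENSEC_OID_SPNEGO) == 0) {
+ static const gss_OID_desc gensec_gss_spnego_mechanism_oid_desc =
+ {6, (void *)discard_const_p(char, "\x2b\x06\x01\x05\x05\x02")};
+ gensec_gssapi_state->gss_oid = &gensec_gss_spnego_mechanism_oid_desc;
+ } else {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
 return NT_STATUS_OK;
 }
@@ -162,7 +176,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 OM_uint32 maj_stat, min_stat;
 OM_uint32 min_stat2;
 gss_buffer_desc input_token, output_token;
-
+ gss_OID gss_oid_p;
 input_token.length = in.length;
 input_token.value = in.data;
@@ -173,7 +187,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 GSS_C_NO_CREDENTIAL,
 &gensec_gssapi_state->gssapi_context,
 gensec_gssapi_state->server_name,
- GSS_C_NO_OID,
+ discard_const_p(gss_OID_desc, gensec_gssapi_state->gss_oid),
 gensec_gssapi_state->want_flags,
 0,
 gensec_gssapi_state->input_chan_bindings,
@@ -192,11 +206,12 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 &input_token,
 gensec_gssapi_state->input_chan_bindings,
 &gensec_gssapi_state->client_name,
- NULL /* mech oid */,
+ &gss_oid_p,
 &output_token,
 &gensec_gssapi_state->got_flags,
 NULL,
 NULL);
+ gensec_gssapi_state->gss_oid = gss_oid_p;
 break;
 }
 default:
@@ -309,8 +324,10 @@ static BOOL gensec_gssapi_have_feature(struct gensec_security *gensec_security,
 return False;
 }
-static const struct gensec_security_ops gensec_gssapi_security_ops = {
- .name = "gssapi",
+/* As a server, this could in theory accept any GSSAPI mech */
+static const struct gensec_security_ops gensec_gssapi_krb5_security_ops = {
+ .name = "gssapi_krb5",
+ .sasl_name = "GSSAPI",
 .oid = GENSEC_OID_KERBEROS5,
 .client_start = gensec_gssapi_client_start,
 .server_start = gensec_gssapi_server_start,
@@ -321,14 +338,34 @@ static const struct gensec_security_ops gensec_gssapi_security_ops = {
 };
+static const struct gensec_security_ops gensec_gssapi_spnego_security_ops = {
+ .name = "gssapi_spnego",
+ .sasl_name = "GSS-SPNEGO",
+ .oid = GENSEC_OID_SPNEGO,
+ .client_start = gensec_gssapi_client_start,
+ .server_start = gensec_gssapi_server_start,
+ .update = gensec_gssapi_update,
+ .wrap = gensec_gssapi_wrap,
+ .unwrap = gensec_gssapi_unwrap,
+ .have_feature = gensec_gssapi_have_feature
+
+};
+
 NTSTATUS gensec_gssapi_init(void)
 {
 NTSTATUS ret;
- ret = gensec_register(&gensec_gssapi_security_ops);
+ ret = gensec_register(&gensec_gssapi_krb5_security_ops);
+ if (!NT_STATUS_IS_OK(ret)) {
+ DEBUG(0,("Failed to register '%s' gensec backend!\n",
+ gensec_gssapi_krb5_security_ops.name));
+ return ret;
+ }
+
+ ret = gensec_register(&gensec_gssapi_spnego_security_ops);
 if (!NT_STATUS_IS_OK(ret)) {
 DEBUG(0,("Failed to register '%s' gensec backend!\n",
- gensec_gssapi_security_ops.name));
+ gensec_gssapi_spnego_security_ops.name));
 return ret;
 }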
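Review bot: In the gss_accept_sec_context hunk, `gss_oid_p` is declared without an initializer and `gensec_gssapi_state->gss_oid = gss_oid_p;` runs unconditionally after the call, so if a failing accept leaves its mech_type output untouched (the GSSAPI contract only guarantees it on success) an indeterminate pointer is stored in the state and may be read on a later update round; declare it as `gss_OID gss_oid_p = GSS_C_NO_OID;` and move the assignment under the `maj_stat` check, which lies outside the hunk. The mechanism the library actually negotiated is also never compared with the OID selected in gensec_gssapi_start, so, as the comment above gensec_gssapi_krb5_security_ops concedes, a backend registered as gssapi_krb5 accepts whatever mech the peer chose; comparing `gss_oid_p` against `gensec_gssapi_state->gss_oid` before overwriting it (or at least logging the negotiated OID at DEBUG level) would make that visible to the server side. gensec_gssapi_update begins and ends outside the hunks shown.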
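--- a/source4/param/loadparm.c
+++ b/source4/param/loadparm.c
@@ -3078,7 +3078,8 @@ BOOL lp_load(const char *pszFname, BOOL global_only, BOOL save_defaults,
 lp_do_parameter(-1, "wins server", "127.0.0.1");
 }
- lp_do_parameter(-1, "gensec:gssapi", "False");
+ lp_do_parameter(-1, "gensec:gssapi_krb5", "False");
+ lp_do_parameter(-1, "gensec:gssapi_spnego", "False");
 lp_do_parameter(-1, "gensec:krb5", "False");
 lp_do_parameter(-1, "gensec:ms_krb5", "False");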
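Review bot: The `gensec:gssapi` default is dropped rather than kept next to the two new keys, so an existing smb.conf that sets `gensec:gssapi = True` presumably now enables nothing and gets no diagnostic, since no code path shown here maps the old key onto the new names. If the old key is meant to be retired, a one-line comment beside the new defaults, `/* "gensec:gssapi" was split into gssapi_krb5 and gssapi_spnego */`, would record that for anyone upgrading a configuration. lp_load continues outside the hunk.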