diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2005-11-02 03:48:49 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:45:40 -0500 |
| commit | cc0f3779b1de565ed33504d123e41656d6d2aab2 (patch) | |
| tree | 12928a2becf2827256ef954b83c425daec2ec3ce | |
| parent | 375922801fca7eab7eefe28594df70ce28100f19 (diff) | |
| download | samba-cc0f3779b1de565ed33504d123e41656d6d2aab2.tar.gz samba-cc0f3779b1de565ed33504d123e41656d6d2aab2.tar.bz2 samba-cc0f3779b1de565ed33504d123e41656d6d2aab2.zip | |
r11468: Merge a bit more of init_sec_context from Heimdal CVS into our
DCE_STYLE modified version, and add parametric options to control
delegation.
It turns out the only remaining issue is sending delegated credentials
to a windows server, probably due to the bug lha mentions in his blog
(using the wrong key).
If I turn delgation on in smbclient, but off in smbd, I can proxy a
cifs session.
I can't wait till Heimdal 0.8, so I'll see if I can figure out the fix
myself :-)
Andrew Bartlett
(This used to be commit fd5fd03570c13f5644e53ff89ac8eca7c0985740)
| -rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 9 | ||||
| -rw-r--r-- | source4/heimdal/lib/gssapi/init_sec_context.c | 25 |
2 files changed, 29 insertions, 5 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 4608b62db5..a51a30900f 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -124,7 +124,14 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) /* TODO: Fill in channel bindings */ gensec_gssapi_state->input_chan_bindings = GSS_C_NO_CHANNEL_BINDINGS; - gensec_gssapi_state->want_flags = GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG; + gensec_gssapi_state->want_flags = 0; + if (lp_parm_bool(-1, "gensec_gssapi", "mutual", True)) { + gensec_gssapi_state->want_flags |= GSS_C_MUTUAL_FLAG; + } + if (lp_parm_bool(-1, "gensec_gssapi", "delegation", False)) { + gensec_gssapi_state->want_flags |= GSS_C_DELEG_FLAG; + } + gensec_gssapi_state->got_flags = 0; gensec_gssapi_state->session_key = data_blob(NULL, 0); diff --git a/source4/heimdal/lib/gssapi/init_sec_context.c b/source4/heimdal/lib/gssapi/init_sec_context.c index b8eb748bf5..06aba8f785 100644 --- a/source4/heimdal/lib/gssapi/init_sec_context.c +++ b/source4/heimdal/lib/gssapi/init_sec_context.c @@ -275,7 +275,7 @@ do_delegation (krb5_auth_context ac, krb5_creds *cred, const gss_name_t target_name, krb5_data *fwd_data, - int *flags) + u_int32_t *flags) { krb5_creds creds; krb5_kdc_flags fwd_flags; @@ -406,9 +406,26 @@ gsskrb5_initiator_start flags = 0; ap_options = 0; + /* + * If the realm policy approves a delegation, lets check local + * policy if the credentials should be delegated, defafult to + * false. + */ + if (cred->flags.b.ok_as_delegate) { + krb5_boolean delegate = FALSE; + + _gss_check_compat(NULL, target_name, "ok-as-delegate", + &delegate, TRUE); + krb5_appdefault_boolean(gssapi_krb5_context, + "gssapi", target_name->realm, + "ok-as-delegate", delegate, &delegate); + if (delegate) + req_flags |= GSS_C_DELEG_FLAG; + } + if (req_flags & GSS_C_DELEG_FLAG) { do_delegation((*context_handle)->auth_context, - ccache, cred, target_name, &fwd_data, &flags); + ccache, cred, target_name, &fwd_data, &flags); } if (req_flags & GSS_C_MUTUAL_FLAG) { @@ -542,8 +559,8 @@ gsskrb5_initiator_wait_for_mutual( krb5_error_code kret; krb5_data inbuf; u_int32_t flags = (*context_handle)->flags; - OM_uint32 l_seq_number; - OM_uint32 r_seq_number; + int32_t l_seq_number; + int32_t r_seq_number; /* We need to decapsulate the AP_REP if GSS_C_DCE_STYLE isn't in use */ { |