author | Andrew Bartlett <abartlet@samba.org> | 2009-07-16 08:29:43 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2009-07-16 09:23:36 +1000 |
commit | e16a2a1fa941511a8eeefd05b397dd934a77c9f6 (patch) | |
tree | 524eab235477ccbac2f4ab432b978ba42bedb89c | |
parent | 84dca625cab96f72123308d80a5aeed5fc42f0c5 (diff) | |
download | samba-e16a2a1fa941511a8eeefd05b397dd934a77c9f6.tar.gz samba-e16a2a1fa941511a8eeefd05b397dd934a77c9f6.tar.bz2 samba-e16a2a1fa941511a8eeefd05b397dd934a77c9f6.zip |
s4:gensec Rework gensec_krb5 mutual authentication defaults
When emulating Samba3 (which we do to ensure we don't break
compatibility), don't do mutual authentication by default, as it
breaks the session key with AES and isn't what Samba3 does anyway.
Andrew Bartlett
-rw-r--r-- | source4/auth/gensec/gensec_krb5.c | 52 |
1 files changed, 28 insertions, 24 deletions
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index aed6822b89..f4ef36a24d 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -89,7 +89,7 @@ static int gensec_krb5_destroy(struct gensec_krb5_state *gensec_krb5_state)
 	return 0;
 }
-static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
+static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security, bool gssapi)
 {
 	krb5_error_code ret;
 	struct gensec_krb5_state *gensec_krb5_state;
@@ -115,7 +115,7 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
 	gensec_krb5_state->keyblock = NULL;
 	gensec_krb5_state->session_key = data_blob(NULL, 0);
 	gensec_krb5_state->pac = data_blob(NULL, 0);
-	gensec_krb5_state->gssapi = false;
+	gensec_krb5_state->gssapi = gssapi;
 	talloc_set_destructor(gensec_krb5_state, gensec_krb5_destroy);
@@ -187,12 +187,12 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
 	return NT_STATUS_OK;
 }
-static NTSTATUS gensec_krb5_server_start(struct gensec_security *gensec_security)
+static NTSTATUS gensec_krb5_common_server_start(struct gensec_security *gensec_security, bool gssapi)
 {
 	NTSTATUS nt_status;
 	struct gensec_krb5_state *gensec_krb5_state;
-	nt_status = gensec_krb5_start(gensec_security);
+	nt_status = gensec_krb5_start(gensec_security, gssapi);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		return nt_status;
 	}
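Review bot: The new `bool gssapi` parameter on gensec_krb5_start (hunk @@ -89) carries no documentation, yet the value it stores into `gensec_krb5_state->gssapi` (hunk @@ -115) is what later selects the mutual-authentication default on the client side, so a caller passing the wrong value silently changes a security property. A short comment above the definition would make that contract visible, e.g. `/* gssapi: true when started through the fake-GSSAPI wrappers (Samba3-compatible mode); stored in gensec_krb5_state->gssapi and consulted when choosing the mutual-auth default. */`. The bodies of gensec_krb5_start and gensec_krb5_common_server_start continue outside their hunks.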
@@ -203,19 +203,17 @@ static NTSTATUS gensec_krb5_server_start(struct gensec_security *gensec_security
 	return NT_STATUS_OK;
 }
-static NTSTATUS gensec_fake_gssapi_krb5_server_start(struct gensec_security *gensec_security)
+static NTSTATUS gensec_krb5_server_start(struct gensec_security *gensec_security)
 {
-	NTSTATUS nt_status = gensec_krb5_server_start(gensec_security);
+	return gensec_krb5_common_server_start(gensec_security, false);
+}
-	if (NT_STATUS_IS_OK(nt_status)) {
-		struct gensec_krb5_state *gensec_krb5_state;
-		gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
-		gensec_krb5_state->gssapi = true;
-	}
-	return nt_status;
+static NTSTATUS gensec_fake_gssapi_krb5_server_start(struct gensec_security *gensec_security)
+{
+	return gensec_krb5_common_server_start(gensec_security, true);
 }
-static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security)
+static NTSTATUS gensec_krb5_common_client_start(struct gensec_security *gensec_security, bool gssapi)
 {
 	struct gensec_krb5_state *gensec_krb5_state;
 	krb5_error_code ret;
@@ -240,7 +238,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
 		return NT_STATUS_INVALID_PARAMETER;
 	}
-	nt_status = gensec_krb5_start(gensec_security);
+	nt_status = gensec_krb5_start(gensec_security, gssapi);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		return nt_status;
 	}
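Review bot: The two new server wrappers in hunk @@ -203 (gensec_krb5_server_start and gensec_fake_gssapi_krb5_server_start) are bare one-liners whose only difference is an unexplained `false`/`true` literal; the same applies to the client wrappers in hunk @@ -333. A one-line comment on each would tell a reader which mechanism they are looking at and what the literal buys, e.g. `/* Raw KRB5 mechanism: mutual authentication required by default. */` for the plain variant and `/* Fake-GSSAPI mechanism: Samba3-compatible wrapping, mutual authentication off by default. */` for the fake-GSSAPI variant, both grounded in the defaults chosen later in gensec_krb5_common_client_start. The refactor is otherwise an improvement, since it drops the post-hoc write to `gensec_krb5_state->gssapi` through a cast of `private_data`.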
@@ -249,8 +247,16 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
 	gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
 	gensec_krb5_state->ap_req_options = AP_OPTS_USE_SUBKEY;
-	if (gensec_setting_bool(gensec_security->settings, "gensec_krb5", "mutual", true)) {
-		gensec_krb5_state->ap_req_options |= AP_OPTS_MUTUAL_REQUIRED;
+	if (gensec_krb5_state->gssapi) {
+		/* The Fake GSSAPI modal emulates Samba3, which does not do mutual authentication */
+		if (gensec_setting_bool(gensec_security->settings, "gensec_fake_gssapi_krb5", "mutual", false)) {
+			gensec_krb5_state->ap_req_options |= AP_OPTS_MUTUAL_REQUIRED;
+		}
+	} else {
+		/* The wrapping for KPASSWD (a user of the raw KRB5 API) should be mutually authenticated */
+		if (gensec_setting_bool(gensec_security->settings, "gensec_krb5", "mutual", true)) {
+			gensec_krb5_state->ap_req_options |= AP_OPTS_MUTUAL_REQUIRED;
+		}
 	}
 	principal = gensec_get_target_principal(gensec_security);
@@ -333,16 +339,14 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
 	}
 }
-static NTSTATUS gensec_fake_gssapi_krb5_client_start(struct gensec_security *gensec_security)
+static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security)
 {
-	NTSTATUS nt_status = gensec_krb5_client_start(gensec_security);
+	return gensec_krb5_common_client_start(gensec_security, false);
+}
-	if (NT_STATUS_IS_OK(nt_status)) {
-		struct gensec_krb5_state *gensec_krb5_state;
-		gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
-		gensec_krb5_state->gssapi = true;
-	}
-	return nt_status;
+static NTSTATUS gensec_fake_gssapi_krb5_client_start(struct gensec_security *gensec_security)
+{
+	return gensec_krb5_common_client_start(gensec_security, true);
 }
 /**
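Review bot: The new fake-GSSAPI branch in hunk @@ -249 changes a security default without saying what is given up: with `AP_OPTS_MUTUAL_REQUIRED` left out of `ap_req_options` the client does not ask for an AP-REP, so in that mode the server is no longer authenticated to the client, and the comment should state that rather than only citing Samba3 behaviour ("modal" there is also a typo for "mode"). It also quietly moves the knob from the `gensec_krb5` section to a new `gensec_fake_gssapi_krb5` section, so an existing `mutual` setting under `gensec_krb5` no longer affects the fake-GSSAPI path; neither the commit message nor the code notes this. A fuller comment would be `/* Fake-GSSAPI mode emulates Samba3, which does not do mutual authentication: without AP_OPTS_MUTUAL_REQUIRED no AP-REP is requested, so the server is not authenticated to the client. Opt back in via the "mutual" setting in the "gensec_fake_gssapi_krb5" section. */`. gensec_krb5_common_client_start begins and ends outside this hunk.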