authorAndrew Bartlett <abartlet@samba.org>2011-07-20 12:06:30 +1000
committerAndrew Bartlett <abartlet@samba.org>2011-07-20 06:35:05 +0200
commit481f05ce02df4069ba8ecb5a6ad76cb35299b14c (patch)
tree22a687a9a9289492a4111d7a0b61d9a5a06adc36
parent8ee3ba791d38542e88995fa3beebdd183891ce60 (diff)
s3-gse Work around the MIT 1.9 gss_krb5_import_cred
We detect this function at configure time, but it currently fails to operate the way we need - that is, when the principal is not specified, it gives this error. When the principal is specified we get 'wrong principal in request' in the GSS acceptor, so for now the best option is to fall back to the alternate approach. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Wed Jul 20 06:35:05 CEST 2011 on sn-devel-104
-rw-r--r--source3/librpc/crypto/gse.c22
1 files changed, 16 insertions, 6 deletions
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index cfa6bf1e0d..a61288b254 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -374,16 +374,26 @@ NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
}
#ifdef HAVE_GSS_KRB5_IMPORT_CRED
- /* This creates a GSSAPI cred_id_t with the principal and keytab set */
+
+ /* This creates a GSSAPI cred_id_t with the keytab set */
gss_maj = gss_krb5_import_cred(&gss_min, NULL, NULL, gse_ctx->keytab,
- &gse_ctx->creds);
- if (gss_maj) {
+ &gse_ctx->creds);
+
+ if (gss_maj != 0
+ && gss_maj != (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) {
DEBUG(0, ("gss_krb5_import_cred failed with [%s]\n",
gse_errstr(gse_ctx, gss_maj, gss_min)));
status = NT_STATUS_INTERNAL_ERROR;
goto done;
- }
-#else
+
+ /* This is the error the MIT krb5 1.9 gives when it
+ * implements the function, but we do not specify the
+ * principal. However, when we specify the principal
+ * as host$@REALM the GSS acceptor fails with 'wrong
+ * principal in request'. Work around the issue by
+ * falling back to the alternate approach below. */
+ } else if (gss_maj == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME))
+#endif
/* FIXME!!!
* This call sets the default keytab for the whole server, not
* just for this context. Need to find a way that does not alter
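Review bot: The fall-back at `} else if (gss_maj == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME))` is taken silently, and its body sits after `#endif`, so it lands in the block that the FIXME describes as setting the default keytab for the whole server rather than for this context. A build that has gss_krb5_import_cred can therefore end up on the process-wide keytab path at run time with nothing logged, and the test matches the major status only, so any other failure that yields the same value is treated the same way. The explanatory comment is also placed after `goto done;` inside the error branch, where it reads as part of the wrong case. I would test the known status first, log the fall-back there, and select the shared block through a local flag (declared at the top of gse_init_server, outside this hunk) instead of an `else if` that dangles across the preprocessor boundary. The body of the fall-back block and the rest of gse_init_server lie outside the hunk.

```c
#ifdef HAVE_GSS_KRB5_IMPORT_CRED
	/* … unchanged: gss_krb5_import_cred() call with the keytab … */

	if (gss_maj == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) {
		/* MIT krb5 1.9 returns this when no principal is given;
		 * fall back to the default-keytab approach below. */
		DEBUG(3, ("gss_krb5_import_cred did not accept a NULL "
			  "principal, falling back to the default keytab\n"));
		use_default_keytab = true;
	} else if (gss_maj != 0) {
		/* … unchanged: DEBUG(0, ...), NT_STATUS_INTERNAL_ERROR, goto done … */
	}
#else
	use_default_keytab = true;
#endif
	if (use_default_keytab)
	/* … unchanged: FIXME comment and the default-keytab block … */
```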
@@ -423,7 +433,7 @@ NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
goto done;
}
}
-#endif
+
status = NT_STATUS_OK;
done: