authorStefan Metzmacher <metze@samba.org>2004-12-02 18:27:08 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:06:17 -0500
commit64b516b10546619d3b1adef7fcc4cfef3ad610f9 (patch)
treeed55e190612e6c1f2fadf0c16e24b39917197cb2
parent00948a80724ccfe1454bc40fcfcdc2287b4e3f31 (diff)
r4045: readd krb5 support defaulted to disable
use: gensec:krb5=yes gensec:ms_krb5=yes to enable it, or -k on the command line of the client tools. metze (This used to be commit 0ae5794cf44933d2554e0356baaca24c7a784f71)
-rw-r--r--source4/lib/cmdline/popt_common.c2
-rw-r--r--source4/libcli/auth/clikrb5.c1
-rw-r--r--source4/libcli/auth/gensec.m42
-rw-r--r--source4/libcli/auth/gensec.mk2
-rw-r--r--source4/libcli/auth/gensec_krb5.c12
-rw-r--r--source4/libcli/auth/kerberos.c1
-rw-r--r--source4/libcli/auth/kerberos_verify.c4
-rw-r--r--source4/param/loadparm.c3
8 files changed, 22 insertions, 5 deletions
diff --git a/source4/lib/cmdline/popt_common.c b/source4/lib/cmdline/popt_common.c
index 6422b84b44..c7bd35cbab 100644
--- a/source4/lib/cmdline/popt_common.c
+++ b/source4/lib/cmdline/popt_common.c
@@ -373,6 +373,8 @@ static void popt_common_credentials_callback(poptContext con,
#else
cmdline_auth_info.use_kerberos = True;
cmdline_auth_info.got_pass = True;
+ lp_set_cmdline("gensec:krb5", "True");
+ lp_set_cmdline("gensec:ms_krb5", "True");
#endif
break;
diff --git a/source4/libcli/auth/clikrb5.c b/source4/libcli/auth/clikrb5.c
index b5158a038a..48e1f88503 100644
--- a/source4/libcli/auth/clikrb5.c
+++ b/source4/libcli/auth/clikrb5.c
@@ -22,6 +22,7 @@
#include "includes.h"
#include "system/network.h"
#include "system/kerberos.h"
+#include "libcli/auth/kerberos.h"
#include "system/time.h"
#ifdef HAVE_KRB5
diff --git a/source4/libcli/auth/gensec.m4 b/source4/libcli/auth/gensec.m4
index dd72d967dd..9b814014ca 100644
--- a/source4/libcli/auth/gensec.m4
+++ b/source4/libcli/auth/gensec.m4
@@ -2,5 +2,5 @@ SMB_MODULE_DEFAULT(gensec_krb5, NOT)
if test x"$SMB_EXT_LIB_ENABLE_KRB5" = x"YES"; then
/* enable this when krb5 is fully working */
- SMB_MODULE_DEFAULT(gensec_krb5, NOT)
+ SMB_MODULE_DEFAULT(gensec_krb5, STATIC)
fi
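Review bot: The comment `/* enable this when krb5 is fully working */` kept above the changed line now contradicts it, because the module default becomes STATIC whenever SMB_EXT_LIB_ENABLE_KRB5 is YES. It should describe the current policy instead, for example `dnl built whenever krb5 is available; off at runtime unless gensec:krb5 or gensec:ms_krb5 is set`, so that nobody reads the build as still excluding the mechanism.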
diff --git a/source4/libcli/auth/gensec.mk b/source4/libcli/auth/gensec.mk
index 30da8aaa0e..66abfd10b7 100644
--- a/source4/libcli/auth/gensec.mk
+++ b/source4/libcli/auth/gensec.mk
@@ -19,7 +19,7 @@ ADD_OBJ_FILES = \
libcli/auth/kerberos.o \
libcli/auth/kerberos_verify.o \
libcli/auth/gssapi_parse.o
-REQUIRED_SUBSYSTEMS = EXT_LIB_KRB5
+REQUIRED_SUBSYSTEMS = NDR_KRB5PAC EXT_LIB_KRB5
# End MODULE gensec_krb5
################################################
diff --git a/source4/libcli/auth/gensec_krb5.c b/source4/libcli/auth/gensec_krb5.c
index 97025fa6c4..0f1bf8e700 100644
--- a/source4/libcli/auth/gensec_krb5.c
+++ b/source4/libcli/auth/gensec_krb5.c
@@ -512,9 +512,14 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL
{
char *principal;
DATA_BLOB unwrapped_in;
- DATA_BLOB unwrapped_out;
+ DATA_BLOB unwrapped_out = data_blob(NULL, 0);
uint8 tok_id[2];
+ if (!in.data) {
+ *out = unwrapped_out;
+ return NT_STATUS_MORE_PROCESSING_REQUIRED;
+ }
+
/* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */
if (!gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
nt_status = ads_verify_ticket(out_mem_ctx,
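Review bot: The new early return tests only `in.data`, so a blob with a non-NULL pointer and zero length would still fall through to gensec_gssapi_parse_krb5_wrap() and ads_verify_ticket(); testing the length, `if (in.length == 0) {`, covers both forms. The branch also returns NT_STATUS_MORE_PROCESSING_REQUIRED without touching state_position, so a peer that keeps sending empty tokens is asked to continue each time. That is presumably bounded by the caller, and a comment saying so would help. The enclosing case and the function start and end outside the hunk.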
@@ -544,8 +549,11 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL
if (NT_STATUS_IS_OK(nt_status)) {
gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
/* wrap that up in a nice GSS-API wrapping */
+#ifndef GENSEC_SEND_UNWRAPPED_KRB5
*out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REP);
-
+#else
+ *out = unwrapped_out;
+#endif
gensec_krb5_state->peer_principal = talloc_steal(gensec_krb5_state, principal);
}
return nt_status;
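Review bot: GENSEC_SEND_UNWRAPPED_KRB5 is introduced without a definition or explanation in the visible hunks, so it is unclear when a build should set it. A comment above the `#ifndef` would help, e.g. `/* define GENSEC_SEND_UNWRAPPED_KRB5 to reply with a bare AP-REP instead of a GSS-API wrapped one */`. The accepting side already decides at runtime whether the request was wrapped (the gensec_gssapi_parse_krb5_wrap() test earlier in the function), so choosing the reply format from that result may be more consistent than a compile-time switch. The function continues outside the hunk.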
diff --git a/source4/libcli/auth/kerberos.c b/source4/libcli/auth/kerberos.c
index 50f2e0f24e..9510aaa7fb 100644
--- a/source4/libcli/auth/kerberos.c
+++ b/source4/libcli/auth/kerberos.c
@@ -22,6 +22,7 @@
#include "includes.h"
#include "system/kerberos.h"
+#include "libcli/auth/kerberos.h"
#include "system/time.h"
#ifdef HAVE_KRB5
diff --git a/source4/libcli/auth/kerberos_verify.c b/source4/libcli/auth/kerberos_verify.c
index 6d87cf8d8b..d00394fd79 100644
--- a/source4/libcli/auth/kerberos_verify.c
+++ b/source4/libcli/auth/kerberos_verify.c
@@ -101,7 +101,9 @@ static krb5_error_code ads_keytab_verify_ticket(krb5_context context, krb5_auth_
}
DEBUG(10, ("Checking principal: %s\n", princ_name));
/* Look for a CIFS ticket */
- if (!strncasecmp(princ_name, "cifs/", 5) || (!strncasecmp(princ_name, "host/", 5))) {
+ if (!strncasecmp(princ_name, "cifs/", 5) ||
+ !strncasecmp(princ_name, "host/", 5) ||
+ !strncasecmp(princ_name, "ldap/", 5)) {
#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK
krb5_auth_con_setuseruserkey(context, auth_context, &kt_entry.keyblock);
#else
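Review bot: The prefix test now lets a keytab entry for any of cifs/, host/ or ldap/ be used for the ticket, and nothing in the visible lines ties the choice to the service the caller is actually providing. If that holds for the rest of ads_keytab_verify_ticket(), a ticket issued for one of these services would be accepted by the others, and each added prefix widens what a ticket is good for. Consider having the caller pass the expected service name and comparing against it, or at least record the intent with a comment such as `/* accept any of our service principals; tickets are not bound to the requesting service here */`. The function body starts and ends outside the hunk.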
diff --git a/source4/param/loadparm.c b/source4/param/loadparm.c
index 978d86a9a3..1d9553de3e 100644
--- a/source4/param/loadparm.c
+++ b/source4/param/loadparm.c
@@ -3071,6 +3071,9 @@ BOOL lp_load(const char *pszFname, BOOL global_only, BOOL save_defaults,
lp_do_parameter(-1, "wins server", "127.0.0.1");
}
+ lp_do_parameter(-1, "gensec:krb5", "False");
+ lp_do_parameter(-1, "gensec:ms_krb5", "False");
+
init_iconv();
return (bRetval);
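Review bot: The two `lp_do_parameter(-1, ..., "False")` calls sit next to the post-load `wins server` fix-up, which suggests they run after the configuration file has been parsed. If so, they would overwrite `gensec:krb5 = yes` from smb.conf, contradicting the commit message and silently leaving Kerberos disabled. Whether the values set by `lp_set_cmdline()` in the popt_common.c hunk survive depends on lp_do_parameter() honouring command-line overrides, which is not visible here. Setting these defaults before the file is parsed, where the other global defaults are initialised, would avoid both questions. The rest of lp_load() is outside the hunk.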