summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2009-07-14 10:19:16 +1000
committerAndrew Bartlett <abartlet@samba.org>2009-07-16 09:23:35 +1000
commitbc354fb1a6fd524629434c199e2ca260a8400bb4 (patch)
tree178a2133890a1ab68a9e4ae7dbc6864a1f1a0264
parent271b5af92e9aada36adc648a6dd43a13c5aed340 (diff)
downloadsamba-bc354fb1a6fd524629434c199e2ca260a8400bb4.tar.gz
samba-bc354fb1a6fd524629434c199e2ca260a8400bb4.tar.bz2
samba-bc354fb1a6fd524629434c199e2ca260a8400bb4.zip
s4:gensec Allow mutual auth to be turned off in 'fake_gssapi_krb5'
This allows the older 'like Samba3' GENSEC krb5 implementation to work against Windows 2008. I'm using this to track down interop issues in this area. Andrew Bartlett
-rw-r--r--source4/auth/gensec/gensec_krb5.c20
1 files changed, 15 insertions, 5 deletions
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 09bdec512d..aed6822b89 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -57,6 +57,7 @@ struct gensec_krb5_state {
krb5_keyblock *keyblock;
krb5_ticket *ticket;
bool gssapi;
+ krb5_flags ap_req_options;
};
static int gensec_krb5_destroy(struct gensec_krb5_state *gensec_krb5_state)
@@ -221,7 +222,6 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
NTSTATUS nt_status;
struct ccache_container *ccache_container;
const char *hostname;
- krb5_flags ap_req_options = AP_OPTS_USE_SUBKEY | AP_OPTS_MUTUAL_REQUIRED;
const char *principal;
krb5_data in_data;
@@ -247,6 +247,11 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
+ gensec_krb5_state->ap_req_options = AP_OPTS_USE_SUBKEY;
+
+ if (gensec_setting_bool(gensec_security->settings, "gensec_krb5", "mutual", true)) {
+ gensec_krb5_state->ap_req_options |= AP_OPTS_MUTUAL_REQUIRED;
+ }
principal = gensec_get_target_principal(gensec_security);
@@ -274,7 +279,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
if (ret == 0) {
ret = krb5_mk_req_exact(gensec_krb5_state->smb_krb5_context->krb5_context,
&gensec_krb5_state->auth_context,
- ap_req_options,
+ gensec_krb5_state->ap_req_options,
target_principal,
&in_data, ccache_container->ccache,
&gensec_krb5_state->enc_ticket);
@@ -284,7 +289,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
} else {
ret = krb5_mk_req(gensec_krb5_state->smb_krb5_context->krb5_context,
&gensec_krb5_state->auth_context,
- ap_req_options,
+ gensec_krb5_state->ap_req_options,
gensec_get_target_service(gensec_security),
hostname,
&in_data, ccache_container->ccache,
@@ -392,8 +397,13 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
} else {
*out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->enc_ticket.data, gensec_krb5_state->enc_ticket.length);
}
- gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_MUTUAL_AUTH;
- nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ if (gensec_krb5_state->ap_req_options & AP_OPTS_MUTUAL_REQUIRED) {
+ gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_MUTUAL_AUTH;
+ nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ } else {
+ gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
+ nt_status = NT_STATUS_OK;
+ }
return nt_status;
}