summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2012-02-25 14:15:17 +1100
committerAndrew Bartlett <abartlet@samba.org>2012-03-01 22:04:45 +1100
commit5b700cb0e3bab1f9b0452db108d9150d5067c55d (patch)
tree018cac6599c4f88be421ee31574690ad06eccadd
parent6090a155f0d11effad565ffa37af9a26fff5e715 (diff)
downloadsamba-5b700cb0e3bab1f9b0452db108d9150d5067c55d.tar.gz
samba-5b700cb0e3bab1f9b0452db108d9150d5067c55d.tar.bz2
samba-5b700cb0e3bab1f9b0452db108d9150d5067c55d.zip
s3-ntlm_auth: Add --target-service and --target-hostname options
This will allow the gss-spnego-client protocol to work with modern SPNEGO servers that do not send the principal in the mechListMIC. Andrew Bartlett
-rw-r--r--source3/utils/ntlm_auth.c49
1 files changed, 40 insertions, 9 deletions
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index b38995712c..bbf32f963b 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -151,6 +151,9 @@ static const char *require_membership_of;
static const char *require_membership_of_sid;
static const char *opt_pam_winbind_conf;
+const char *opt_target_service;
+const char *opt_target_hostname;
+
/**
* A limited set of features are defined with text strings as needed
* by ntlm_auth
@@ -1953,17 +1956,41 @@ static bool manage_client_krb5_init(struct spnego_data spnego)
return False;
}
- principal = (char *)SMB_MALLOC(
- spnego.negTokenInit.mechListMIC.length+1);
+ principal = talloc_strndup(ctx, (char *)spnego.negTokenInit.mechListMIC.data,
+ spnego.negTokenInit.mechListMIC.length);
- if (principal == NULL) {
- DEBUG(1, ("Could not malloc principal\n"));
- return False;
+ if (!principal) {
+ return false;
}
- memcpy(principal, spnego.negTokenInit.mechListMIC.data,
- spnego.negTokenInit.mechListMIC.length);
- principal[spnego.negTokenInit.mechListMIC.length] = '\0';
+ /* We may not be allowed to use the server-supplied SPNEGO principal, or it may not have been supplied to us
+ */
+ if (!lp_client_use_spnego_principal() || strequal(principal, ADS_IGNORE_PRINCIPAL)) {
+ TALLOC_FREE(principal);
+ }
+
+ if (principal == NULL &&
+ !is_ipaddress(opt_target_hostname)) {
+ DEBUG(3,("manage_client_krb5_init: using target "
+ "hostname not SPNEGO principal\n"));
+
+ principal = kerberos_get_principal_from_service_hostname(talloc_tos(),
+ opt_target_service,
+ opt_target_hostname);
+
+ if (!principal) {
+ return false;
+ }
+
+ DEBUG(3,("manage_client_krb5_init: guessed "
+ "server principal=%s\n",
+ principal ? principal : "<null>"));
+ }
+
+ if (principal == NULL) {
+ DEBUG(3,("manage_client_krb5_init: could not guess server principal\n"));
+ return false;
+ }
retval = cli_krb5_get_ticket(ctx, principal, 0,
&tkt, &session_key_krb5,
@@ -2766,7 +2793,9 @@ enum {
OPT_DIAGNOSTICS,
OPT_REQUIRE_MEMBERSHIP,
OPT_USE_CACHED_CREDS,
- OPT_PAM_WINBIND_CONF
+ OPT_PAM_WINBIND_CONF,
+ OPT_TARGET_SERVICE,
+ OPT_TARGET_HOSTNAME
};
int main(int argc, const char **argv)
@@ -2808,6 +2837,8 @@ enum {
"Perform diagnostics on the authentication chain"},
{ "require-membership-of", 0, POPT_ARG_STRING, &require_membership_of, OPT_REQUIRE_MEMBERSHIP, "Require that a user be a member of this group (either name or SID) for authentication to succeed" },
{ "pam-winbind-conf", 0, POPT_ARG_STRING, &opt_pam_winbind_conf, OPT_PAM_WINBIND_CONF, "Require that request must set WBFLAG_PAM_CONTACT_TRUSTDOM when krb5 auth is required" },
+ { "target-service", 0, POPT_ARG_STRING, &opt_target_service, OPT_TARGET_SERVICE, "Target service (eg http)" },
+ { "target-hostname", 0, POPT_ARG_STRING, &opt_target_hostname, OPT_TARGET_HOSTNAME, "Target hostname" },
POPT_COMMON_CONFIGFILE
POPT_COMMON_VERSION
POPT_TABLEEND