authorAndrew Bartlett <abartlet@samba.org>2005-09-20 21:29:29 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:38:31 -0500
commit65d4da0ff330740788c4386a71526b6ed3e10162 (patch)
treec9e4cdd692637af5128325b32ae9e57b7e839309
parent9a1ceab6d60549f3c983dd1cf1f9a9ea2ba5dc79 (diff)
r10364: Turn gensec:gssapi on by default, except for a login of the form
-Udomain\\user. This will probably break in a few configurations, so please let me know. I'll also work to have a way to inhibit kerberos/ntlmssp, as this removes -k. Andrew Bartlett (This used to be commit 3c0dc570b86e79aea5446d7c3bb9750a11bf8ca4)
-rw-r--r--source4/auth/gensec/gensec_gssapi.c46
-rw-r--r--source4/auth/kerberos/kerberos_util.c2
-rw-r--r--source4/lib/cmdline/popt_common.c11
-rw-r--r--source4/lib/credentials.c10
4 files changed, 31 insertions, 38 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index c462cf0ecd..4e1d1e3015 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -250,6 +250,28 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
gensec_gssapi_state = gensec_security->private_data;
+ ret = cli_credentials_get_ccache(creds,
+ &ccache);
+ if (ret) {
+ DEBUG(1, ("Failed to get CCACHE for gensec_gssapi: %s\n", error_message(ret)));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ name_token.value = cli_credentials_get_principal(creds,
+ gensec_gssapi_state);
+ name_token.length = strlen(name_token.value);
+
+ maj_stat = gss_import_name (&min_stat,
+ &name_token,
+ GSS_C_NT_USER_NAME,
+ &gensec_gssapi_state->client_name);
+ if (maj_stat) {
+ DEBUG(2, ("GSS Import name of %s failed: %s\n",
+ (char *)name_token.value,
+ gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
principal = gensec_get_target_principal(gensec_security);
if (principal && lp_client_use_spnego_principal()) {
name_token.value = gensec_get_target_principal(gensec_security);
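Review bot: In the moved block, `name_token.length = strlen(name_token.value);` dereferences the result of `cli_credentials_get_principal()` without a NULL check, yet this same commit makes that function return NULL for a domain-qualified username (see the credentials.c hunk), and `talloc_asprintf()` can return NULL on allocation failure as well; with gssapi now enabled by default this path is reached on every `-UDOMAIN\user` login rather than only on `-k`. Add a guard between the two assignments, e.g. `if (!name_token.value) { DEBUG(1, ("No principal available for gensec_gssapi\n")); return NT_STATUS_INVALID_PARAMETER; }`, choosing whichever status lets gensec move on to the next mechanism (I cannot tell from the hunk which one that is). The body of gensec_gssapi_client_start begins before this hunk and continues past it.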
@@ -274,28 +296,6 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
return NT_STATUS_INVALID_PARAMETER;
}
- ret = cli_credentials_get_ccache(creds,
- &ccache);
- if (ret) {
- DEBUG(1, ("Failed to get CCACHE for gensec_gssapi: %s\n", error_message(ret)));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- name_token.value = cli_credentials_get_principal(creds,
- gensec_gssapi_state);
- name_token.length = strlen(name_token.value);
-
- maj_stat = gss_import_name (&min_stat,
- &name_token,
- GSS_C_NT_USER_NAME,
- &gensec_gssapi_state->client_name);
- if (maj_stat) {
- DEBUG(2, ("GSS Import name of %s failed: %s\n",
- (char *)name_token.value,
- gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
maj_stat = gsskrb5_acquire_cred(&min_stat,
NULL, ccache->ccache,
gensec_gssapi_state->client_name,
@@ -964,7 +964,7 @@ static const struct gensec_security_ops gensec_gssapi_krb5_security_ops = {
.wrap = gensec_gssapi_wrap,
.unwrap = gensec_gssapi_unwrap,
.have_feature = gensec_gssapi_have_feature,
- .enabled = False
+ .enabled = True
};
NTSTATUS gensec_gssapi_init(void)
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index 922869af5c..d0bb2f4f52 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -111,7 +111,7 @@ krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx,
if (!princ_string) {
talloc_free(mem_ctx);
- return ENOMEM;
+ return EINVAL;
}
ret = krb5_parse_name(smb_krb5_context->krb5_context,
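Review bot: `return EINVAL;` now stands for two different conditions: `cli_credentials_get_principal()` deliberately returning NULL because no Kerberos principal can be derived (the credentials.c hunk) and `talloc_asprintf()` failing for lack of memory, so callers can no longer distinguish an out-of-memory from "no principal". If folding both into EINVAL is intended, say so at the return site, e.g. `/* NULL principal: normally means no Kerberos principal can be derived for these credentials, not OOM */`; otherwise the credentials code should signal the two cases differently. principal_from_credentials starts before this hunk.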
diff --git a/source4/lib/cmdline/popt_common.c b/source4/lib/cmdline/popt_common.c
index fe76292acb..43ea203b78 100644
--- a/source4/lib/cmdline/popt_common.c
+++ b/source4/lib/cmdline/popt_common.c
@@ -241,17 +241,7 @@ static void popt_common_credentials_callback(poptContext con,
cli_credentials_set_machine_account_pending(cmdline_credentials);
/* machine accounts only work with kerberos (fall though)*/
-
- case 'k':
-#ifndef HAVE_KRB5
- d_printf("No kerberos support compiled in\n");
- exit(1);
-#else
- lp_set_cmdline("gensec:krb5", "True");
-#endif
break;
-
-
}
}
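Review bot: The comment `/* machine accounts only work with kerberos (fall though)*/` above the surviving `break;` now describes a fall-through that no longer exists, since the `case 'k':` it fell into is removed by this hunk (it also misspells "through"). Reword it to `/* machine accounts only work with kerberos; gssapi is now enabled by default so nothing needs to be set here */`, or drop the parenthetical. The same stale reference survives in the next hunk of this file: the `--machine-pass` help string `"Use stored machine account password (implies -k)"` still advertises the `-k` option that is being removed and should lose the `(implies -k)` part. The enclosing switch in popt_common_credentials_callback begins before this hunk.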
@@ -261,7 +251,6 @@ struct poptOption popt_common_credentials[] = {
{ NULL, 0, POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST, popt_common_credentials_callback },
{ "user", 'U', POPT_ARG_STRING, NULL, 'U', "Set the network username", "[DOMAIN\\]USERNAME[%PASSWORD]" },
{ "no-pass", 'N', POPT_ARG_NONE, &dont_ask, True, "Don't ask for a password" },
- { "kerberos", 'k', POPT_ARG_NONE, NULL, 'k', "Use kerberos (active directory) authentication" },
{ "authentication-file", 'A', POPT_ARG_STRING, NULL, 'A', "Get the credentials from a file", "FILE" },
{ "signing", 'S', POPT_ARG_STRING, NULL, 'S', "Set the client signing state", "on|off|required" },
{ "machine-pass", 'P', POPT_ARG_NONE, NULL, 'P', "Use stored machine account password (implies -k)" },
diff --git a/source4/lib/credentials.c b/source4/lib/credentials.c
index cdef9042b8..4650fee1af 100644
--- a/source4/lib/credentials.c
+++ b/source4/lib/credentials.c
@@ -121,9 +121,13 @@ const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_C
}
if (cred->principal_obtained < cred->username_obtained) {
- return talloc_asprintf(mem_ctx, "%s@%s",
- cli_credentials_get_username(cred, mem_ctx),
- cli_credentials_get_realm(cred));
+ if (cred->domain_obtained > cred->realm_obtained) {
+ return NULL;
+ } else {
+ return talloc_asprintf(mem_ctx, "%s@%s",
+ cli_credentials_get_username(cred, mem_ctx),
+ cli_credentials_get_realm(cred));
+ }
}
return talloc_reference(mem_ctx, cred->principal);
}
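Review bot: The new `if (cred->domain_obtained > cred->realm_obtained) { return NULL; }` branch changes the function's contract — NULL now means "no Kerberos principal can be derived" as well as "talloc_asprintf failed" — but nothing documents this, and at least one caller in this commit (gensec_gssapi_client_start) still passes the result straight to `strlen()`. Add a comment on the branch such as `/* The domain was given more explicitly than the realm (e.g. -UDOMAIN\user): no Kerberos principal can be derived, so report none and let the caller fall back to another mechanism. */`, and state the NULL return in the function's header comment. The `else` after the `return NULL;` is redundant and could be flattened. cli_credentials_get_principal begins before this hunk.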