summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2005-11-02 03:48:49 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:45:40 -0500
commitcc0f3779b1de565ed33504d123e41656d6d2aab2 (patch)
tree12928a2becf2827256ef954b83c425daec2ec3ce
parent375922801fca7eab7eefe28594df70ce28100f19 (diff)
downloadsamba-cc0f3779b1de565ed33504d123e41656d6d2aab2.tar.gz
samba-cc0f3779b1de565ed33504d123e41656d6d2aab2.tar.bz2
samba-cc0f3779b1de565ed33504d123e41656d6d2aab2.zip
r11468: Merge a bit more of init_sec_context from Heimdal CVS into our
DCE_STYLE modified version, and add parametric options to control delegation. It turns out the only remaining issue is sending delegated credentials to a windows server, probably due to the bug lha mentions in his blog (using the wrong key). If I turn delgation on in smbclient, but off in smbd, I can proxy a cifs session. I can't wait till Heimdal 0.8, so I'll see if I can figure out the fix myself :-) Andrew Bartlett (This used to be commit fd5fd03570c13f5644e53ff89ac8eca7c0985740)
-rw-r--r--source4/auth/gensec/gensec_gssapi.c9
-rw-r--r--source4/heimdal/lib/gssapi/init_sec_context.c25
2 files changed, 29 insertions, 5 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 4608b62db5..a51a30900f 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -124,7 +124,14 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
/* TODO: Fill in channel bindings */
gensec_gssapi_state->input_chan_bindings = GSS_C_NO_CHANNEL_BINDINGS;
- gensec_gssapi_state->want_flags = GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG;
+ gensec_gssapi_state->want_flags = 0;
+ if (lp_parm_bool(-1, "gensec_gssapi", "mutual", True)) {
+ gensec_gssapi_state->want_flags |= GSS_C_MUTUAL_FLAG;
+ }
+ if (lp_parm_bool(-1, "gensec_gssapi", "delegation", False)) {
+ gensec_gssapi_state->want_flags |= GSS_C_DELEG_FLAG;
+ }
+
gensec_gssapi_state->got_flags = 0;
gensec_gssapi_state->session_key = data_blob(NULL, 0);
diff --git a/source4/heimdal/lib/gssapi/init_sec_context.c b/source4/heimdal/lib/gssapi/init_sec_context.c
index b8eb748bf5..06aba8f785 100644
--- a/source4/heimdal/lib/gssapi/init_sec_context.c
+++ b/source4/heimdal/lib/gssapi/init_sec_context.c
@@ -275,7 +275,7 @@ do_delegation (krb5_auth_context ac,
krb5_creds *cred,
const gss_name_t target_name,
krb5_data *fwd_data,
- int *flags)
+ u_int32_t *flags)
{
krb5_creds creds;
krb5_kdc_flags fwd_flags;
@@ -406,9 +406,26 @@ gsskrb5_initiator_start
flags = 0;
ap_options = 0;
+ /*
+ * If the realm policy approves a delegation, lets check local
+ * policy if the credentials should be delegated, defafult to
+ * false.
+ */
+ if (cred->flags.b.ok_as_delegate) {
+ krb5_boolean delegate = FALSE;
+
+ _gss_check_compat(NULL, target_name, "ok-as-delegate",
+ &delegate, TRUE);
+ krb5_appdefault_boolean(gssapi_krb5_context,
+ "gssapi", target_name->realm,
+ "ok-as-delegate", delegate, &delegate);
+ if (delegate)
+ req_flags |= GSS_C_DELEG_FLAG;
+ }
+
if (req_flags & GSS_C_DELEG_FLAG) {
do_delegation((*context_handle)->auth_context,
- ccache, cred, target_name, &fwd_data, &flags);
+ ccache, cred, target_name, &fwd_data, &flags);
}
if (req_flags & GSS_C_MUTUAL_FLAG) {
@@ -542,8 +559,8 @@ gsskrb5_initiator_wait_for_mutual(
krb5_error_code kret;
krb5_data inbuf;
u_int32_t flags = (*context_handle)->flags;
- OM_uint32 l_seq_number;
- OM_uint32 r_seq_number;
+ int32_t l_seq_number;
+ int32_t r_seq_number;
/* We need to decapsulate the AP_REP if GSS_C_DCE_STYLE isn't in use */
{