summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2007-04-17 03:49:46 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 14:50:58 -0500
commitd7fe1f182b042696c39df6a36d5e0af72be4e48f (patch)
tree83f8e57fd7577dbba6d97cda88aeb16a91f0ae1e
parentc2688ec22872006c1cdae3c4899153448a0f05ea (diff)
downloadsamba-d7fe1f182b042696c39df6a36d5e0af72be4e48f.tar.gz
samba-d7fe1f182b042696c39df6a36d5e0af72be4e48f.tar.bz2
samba-d7fe1f182b042696c39df6a36d5e0af72be4e48f.zip
r22294: Lock the delegated credentials to being kerberos only, we just don't
have the data for anything else. Andrew Bartlett (This used to be commit 9e0c0cd0ff678388436430bb1ba4eb7595cbefbd)
-rw-r--r--source4/auth/gensec/gensec_gssapi.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 11f94b7708..82a79e1945 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -1339,6 +1339,8 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
}
cli_credentials_set_conf(session_info->credentials);
+ /* Just so we don't segfault trying to get at a username */
+ cli_credentials_set_anonymous(session_info->credentials);
ret = cli_credentials_set_client_gss_creds(session_info->credentials,
gensec_gssapi_state->delegated_cred_handle,
@@ -1347,6 +1349,10 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
talloc_free(mem_ctx);
return NT_STATUS_NO_MEMORY;
}
+
+ /* This credential handle isn't useful for password authentication, so ensure nobody tries to do that */
+ cli_credentials_set_kerberos_state(session_info->credentials, CRED_MUST_USE_KERBEROS);
+
/* It has been taken from this place... */
gensec_gssapi_state->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
}