authorAndrew Bartlett <abartlet@samba.org>2011-12-06 14:18:41 +1100
committerAmitay Isaacs <amitay@samba.org>2011-12-07 02:20:10 +0100
commitdbbb626dc0ad7b0100aec3ee3a787e1ac18f528a (patch)
treef4a58debf6b3a02633af0007549893070244f177
parent0344e7278b5ddaba0efd7b31a894e901bd9ef6fb (diff)
s4-dns Use match-by-key in GSSAPI server if principal is not specified
This allows dlz_bind9 to match on exactly the same key as bind9 itself Andrew Bartlett Autobuild-User: Amitay Isaacs <amitay@samba.org> Autobuild-Date: Wed Dec 7 02:20:10 CET 2011 on sn-devel-104
-rw-r--r--auth/credentials/credentials_krb5.c12
-rw-r--r--source4/dns_server/dlz_bind9.c27
2 files changed, 14 insertions, 25 deletions
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 1b7be3f63c..1e5600c2b1 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -794,9 +794,15 @@ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
return ENOMEM;
}
- /* This creates a GSSAPI cred_id_t with the principal and keytab set */
- maj_stat = gss_krb5_import_cred(&min_stat, NULL, princ, ktc->keytab,
- &gcc->creds);
+ if (obtained < CRED_SPECIFIED) {
+ /* This creates a GSSAPI cred_id_t with the principal and keytab set */
+ maj_stat = gss_krb5_import_cred(&min_stat, NULL, NULL, ktc->keytab,
+ &gcc->creds);
+ } else {
+ /* This creates a GSSAPI cred_id_t with the principal and keytab set */
+ maj_stat = gss_krb5_import_cred(&min_stat, NULL, princ, ktc->keytab,
+ &gcc->creds);
+ }
if (maj_stat) {
if (min_stat) {
ret = min_stat;
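Review bot: The comment above the new `if (obtained < CRED_SPECIFIED)` branch is a copy of the one in the else branch and no longer describes the call under it, which passes `NULL` instead of `princ` as the desired name. I would replace it with `/* No principal was specified: import the keytab without a name so GSSAPI accepts any principal whose key is present in it (match-by-key) */`. Since a NULL name lets the acceptor match on every key in ktc->keytab, it is worth stating in that comment that callers taking this path rely on the keytab holding only the keys meant for this service. Where `obtained` is assigned, and the rest of cli_credentials_get_server_gss_creds, lie outside the hunk.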
diff --git a/source4/dns_server/dlz_bind9.c b/source4/dns_server/dlz_bind9.c
index 1240ab7cc3..97eaac8564 100644
--- a/source4/dns_server/dlz_bind9.c
+++ b/source4/dns_server/dlz_bind9.c
@@ -1043,17 +1043,6 @@ _PUBLIC_ isc_result_t dlz_configure(dns_view_t *view, void *dbdata)
return ISC_R_SUCCESS;
}
-static char *strlower(char *str)
-{
- int i;
-
- for (i=0; i<strlen(str); i++) {
- str[i] = (char) tolower(str[i]);
- }
-
- return str;
-}
-
/*
authorize a zone update
*/
@@ -1065,8 +1054,8 @@ _PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const
TALLOC_CTX *tmp_ctx;
DATA_BLOB ap_req;
struct cli_credentials *server_credentials;
- char *keytab_name, *username;
- bool ret;
+ char *keytab_name;
+ int ret;
int ldb_ret;
NTSTATUS nt_status;
struct gensec_security *gensec_ctx;
@@ -1104,22 +1093,17 @@ _PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const
cli_credentials_set_krb5_context(server_credentials, state->smb_krb5_ctx);
cli_credentials_set_conf(server_credentials, state->lp);
- username = talloc_asprintf(tmp_ctx, "dns-%s", lpcfg_netbios_name(state->lp));
- username = strlower(username);
- cli_credentials_set_username(server_credentials, username, CRED_SPECIFIED);
- talloc_free(username);
-
keytab_name = talloc_asprintf(tmp_ctx, "file:%s/dns.keytab",
lpcfg_private_dir(state->lp));
ret = cli_credentials_set_keytab_name(server_credentials, state->lp, keytab_name,
CRED_SPECIFIED);
- talloc_free(keytab_name);
if (ret != 0) {
- state->log(ISC_LOG_ERROR, "samba_dlz: failed to obtain server credentials for %s",
- username);
+ state->log(ISC_LOG_ERROR, "samba_dlz: failed to obtain server credentials from %s",
+ keytab_name);
talloc_free(tmp_ctx);
return false;
}
+ talloc_free(keytab_name);
nt_status = gensec_server_start(tmp_ctx,
lpcfg_gensec_settings(tmp_ctx, state->lp),
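Review bot: The error branch now passes `keytab_name` to the log call with `%s`, but the `talloc_asprintf` result above is never checked, so an allocation failure would hand a NULL pointer to both cli_credentials_set_keytab_name and the log formatter; the failure path was already present before this change, but the new log use widens it. I would add, directly after the `talloc_asprintf` call, `if (keytab_name == NULL) { talloc_free(tmp_ctx); return false; }`. The moved `talloc_free(keytab_name)` is fine on the success path, and on the error path the string is released with `tmp_ctx`, so nothing leaks there. dlz_ssumatch begins and ends outside this hunk.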
@@ -1131,7 +1115,6 @@ _PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const
}
gensec_set_credentials(gensec_ctx, server_credentials);
- gensec_set_target_service(gensec_ctx, "dns");
nt_status = gensec_start_mech_by_name(gensec_ctx, "spnego");
if (!NT_STATUS_IS_OK(nt_status)) {
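Review bot: Dropping `gensec_set_target_service(gensec_ctx, "dns")` leaves no explanation in the code of why the acceptor no longer names its service, and a reader of dlz_ssumatch cannot see that this pairs with the match-by-key change in credentials_krb5.c. I would add, in place of the removed line, `/* No target service: the server credentials carry no principal, so the acceptor matches on any key in dns.keytab, as bind9 itself does */`. Presumably this means the keytab contents alone now decide which tickets are accepted, so that expectation is worth recording next to the keytab path built earlier in the function. The function continues past the end of this hunk.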