author | Andrew Bartlett <abartlet@samba.org> | 2005-06-23 01:50:04 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:18:42 -0500 |
commit | 4432cc73aee188b1aa50b6e1618acd59ebfebd9c (patch) | |
tree | a1047fc2471966fe7b9f81ecb80b45d28334f189 | |
parent | 3cb74e995ec69efe3d6d21394db9ccb9ae9acb40 (diff) | |
r7843: Use the new Heimdal gsskrb_acquire_creds API. This has the right
lifetime constraints, and works with the in-memory keytab.
Move initialize_krb5_error_table() into our kerberos startup code,
rather than in the GSSAPI code explicitly. (Hmm, we probably don't need
this at all..)
Andrew Bartlett
(This used to be commit bedf92da5c81066405c87c9e588842d3ca5ba945)
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 56 | ||||
-rw-r--r-- | source4/auth/kerberos/clikrb5.c | 2 |
2 files changed, 27 insertions, 31 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 1542441e27..533448e06f 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -170,6 +170,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
 static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_security)
 {
 	NTSTATUS nt_status;
+	OM_uint32 maj_stat, min_stat;
 	struct gensec_gssapi_state *gensec_gssapi_state;
 	struct cli_credentials *machine_account;
 
@@ -201,7 +202,21 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi
 		}
 	}
 
-	gsskrb5_register_acceptor_keytab(gensec_gssapi_state->keytab);
+	maj_stat = gsskrb5_acquire_cred(&min_stat,
+					gensec_gssapi_state->keytab, NULL,
+					NULL,
+					GSS_C_INDEFINITE,
+					GSS_C_NULL_OID_SET,
+					GSS_C_ACCEPT,
+					&gensec_gssapi_state->cred,
+					NULL,
+					NULL);
+	if (maj_stat) {
+		DEBUG(1, ("Aquiring acceptor credentails failed: %s\n",
+			  gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
+		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+	}
+
 
 	return NT_STATUS_OK;
 }
@@ -251,8 +266,6 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
 		return NT_STATUS_UNSUCCESSFUL;
 	}
 
-	initialize_krb5_error_table();
-
 	nt_status = kinit_to_ccache(gensec_gssapi_state,
 				    gensec_get_credentials(gensec_security),
 				    gensec_gssapi_state->smb_krb5_context,
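Review bot: The log string added to gensec_gssapi_server_start is misspelled: `DEBUG(1, ("Aquiring acceptor credentails failed: %s\n",` should read `DEBUG(1, ("Acquiring acceptor credentials failed: %s\n",`, and the same wording is grepped for by operators, so it is worth getting right before it lands. The acceptor credential is now acquired with GSS_C_INDEFINITE lifetime into gensec_gssapi_state->cred, where the server side previously passed GSS_C_NO_CREDENTIAL and owned nothing; whether the state's destructor releases it with gss_release_cred is outside this hunk and should be confirmed. A one-line comment above the call, e.g. `/* bind the acceptor to our in-memory keytab instead of registering it process-wide */`, would record why gsskrb5_register_acceptor_keytab was replaced. gensec_gssapi_server_start begins outside this hunk.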
@@ -261,25 +274,16 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
 		return nt_status;
 	}
 
-	maj_stat = gss_krb5_ccache_name(&min_stat,
-					gensec_gssapi_state->ccache_name,
+	maj_stat = gsskrb5_acquire_cred(&min_stat,
+					NULL, gensec_gssapi_state->ccache,
+					gensec_gssapi_state->client_name,
+					GSS_C_INDEFINITE,
+					GSS_C_NULL_OID_SET,
+					GSS_C_INITIATE,
+					&gensec_gssapi_state->cred,
+					NULL, NULL);
 	if (maj_stat) {
-		DEBUG(1, ("GSS krb5 ccache set %s failed: %s\n",
-			  gensec_gssapi_state->ccache_name,
-			  gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
-		return NT_STATUS_UNSUCCESSFUL;
-	}
-
-	maj_stat = gss_acquire_cred(&min_stat,
-				    gensec_gssapi_state->client_name,
-				    GSS_C_INDEFINITE,
-				    GSS_C_NULL_OID_SET,
-				    GSS_C_INITIATE,
-				    &gensec_gssapi_state->cred,
-				    NULL,
-				    NULL);
-	if (maj_stat) {
 		DEBUG(1, ("Aquiring initiator credentails failed: %s\n",
 			  gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
 		return NT_STATUS_UNSUCCESSFUL;
@@ -336,16 +340,6 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 	switch (gensec_security->gensec_role) {
 	case GENSEC_CLIENT:
 	{
-		maj_stat = gss_krb5_ccache_name(&min_stat,
-						gensec_gssapi_state->ccache_name,
-						NULL);
-		if (maj_stat) {
-			DEBUG(1, ("GSS krb5 ccache set %s failed: %s\n",
-				  gensec_gssapi_state->ccache_name,
-				  gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
-			return NT_STATUS_UNSUCCESSFUL;
-		}
-
 		maj_stat = gss_init_sec_context(&min_stat,
 						gensec_gssapi_state->cred,
 						&gensec_gssapi_state->gssapi_context,
@@ -365,7 +359,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 	{
 		maj_stat = gss_accept_sec_context(&min_stat,
 						  &gensec_gssapi_state->gssapi_context,
-						  GSS_C_NO_CREDENTIAL,
+						  gensec_gssapi_state->cred,
 						  &input_token,
 						  gensec_gssapi_state->input_chan_bindings,
 						  &gensec_gssapi_state->client_name,
diff --git a/source4/auth/kerberos/clikrb5.c b/source4/auth/kerberos/clikrb5.c
index 0fede8b2cd..95a45fc739 100644
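Review bot: The argument layout of the new gsskrb5_acquire_cred call in gensec_gssapi_client_start differs from the otherwise parallel call in gensec_gssapi_server_start: here `NULL, gensec_gssapi_state->ccache,` and `NULL, NULL);` pack two arguments per line, while the server call puts every argument on its own line. The two calls are meant to be read side by side (keytab vs. ccache, GSS_C_ACCEPT vs. GSS_C_INITIATE), so one argument per line in both would make the only differences stand out. With gss_krb5_ccache_name removed from both this function and gensec_gssapi_update, no line in the visible hunks reads ccache_name any more; if nothing outside the diff still uses it, the field can be dropped from struct gensec_gssapi_state. gensec_gssapi_client_start begins outside this hunk.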
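Review bot: The gss_accept_sec_context call in gensec_gssapi_update now consumes `gensec_gssapi_state->cred` instead of GSS_C_NO_CREDENTIAL, so the acceptor no longer falls back to the library's default acceptor credential; that is the security-relevant effect of the change and deserves a comment at the call, e.g. `/* cred was bound to our keytab in gensec_gssapi_server_start; never use the default acceptor credential */`. The cred field is now populated by either gensec_gssapi_server_start or gensec_gssapi_client_start depending on gensec_role, and a note to that effect at its declaration in struct gensec_gssapi_state (outside this diff) would help later readers. gensec_gssapi_update begins and ends outside this hunk.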
--- a/source4/auth/kerberos/clikrb5.c
+++ b/source4/auth/kerberos/clikrb5.c
@@ -503,6 +503,8 @@ static void smb_krb5_debug_wrapper(const char *timestr, const char *msg, void *p
 	krb5_error_code ret;
 	TALLOC_CTX *tmp_ctx;
 
+	initialize_krb5_error_table();
+
 	*smb_krb5_context = talloc(parent_ctx, struct smb_krb5_context);
 	tmp_ctx = talloc_new(*smb_krb5_context);
 |
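Review bot: The added `initialize_krb5_error_table();` carries no explanation, and the commit message itself doubts it is needed; a comment such as `/* register the krb5 error table so krb5 error codes resolve to text; moved here from gensec_gssapi.c */` would tell the next reader why every context creation performs this. It now runs on each call of the enclosing function, which begins and ends outside the hunk (the hunk header names smb_krb5_debug_wrapper, the preceding function, not the one being edited). If the Heimdal build in use does not make repeated registration a no-op, a static once-guard around the call would avoid re-registering the table on every context.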