authorAndrew Bartlett <abartlet@samba.org>2005-06-23 01:50:04 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:18:42 -0500
commit4432cc73aee188b1aa50b6e1618acd59ebfebd9c (patch)
treea1047fc2471966fe7b9f81ecb80b45d28334f189
parent3cb74e995ec69efe3d6d21394db9ccb9ae9acb40 (diff)
r7843: Use the new Heimdal gsskrb_acquire_creds API. This has the right
lifetime constraints, and works with the in-memory keytab. Move initialize_krb5_error_table() into our kerberos startup code, rather than in the GSSAPI code explicitly. (Hmm, we probably don't need this at all..) Andrew Bartlett (This used to be commit bedf92da5c81066405c87c9e588842d3ca5ba945)
-rw-r--r--source4/auth/gensec/gensec_gssapi.c56
-rw-r--r--source4/auth/kerberos/clikrb5.c2
2 files changed, 27 insertions, 31 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 1542441e27..533448e06f 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -170,6 +170,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_security)
{
NTSTATUS nt_status;
+ OM_uint32 maj_stat, min_stat;
struct gensec_gssapi_state *gensec_gssapi_state;
struct cli_credentials *machine_account;
@@ -201,7 +202,21 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi
}
}
- gsskrb5_register_acceptor_keytab(gensec_gssapi_state->keytab);
+ maj_stat = gsskrb5_acquire_cred(&min_stat,
+ gensec_gssapi_state->keytab, NULL,
+ NULL,
+ GSS_C_INDEFINITE,
+ GSS_C_NULL_OID_SET,
+ GSS_C_ACCEPT,
+ &gensec_gssapi_state->cred,
+ NULL,
+ NULL);
+ if (maj_stat) {
+ DEBUG(1, ("Aquiring acceptor credentails failed: %s\n",
+ gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
return NT_STATUS_OK;
}
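Review bot: The acceptor credential is acquired with `NULL` in the desired-name position (`gensec_gssapi_state->keytab, NULL, NULL,`), so the set of service principals this server accepts tickets for is presumably decided entirely by what is in `gensec_gssapi_state->keytab`, and nothing at the call says so. A comment above the call would make that explicit, for example `/* No desired name: any key in our keytab is acceptable, so the keytab must hold only the machine account's keys */`. How the keytab is populated is above this hunk, so that assumption needs confirming against the code that builds it. The new DEBUG text also misspells two words; `"Acquiring acceptor credentials failed: %s\n"` would make the failure easier to find in logs, and the initiator message in gensec_gssapi_client_start has the same spelling.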
@@ -251,8 +266,6 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
return NT_STATUS_UNSUCCESSFUL;
}
- initialize_krb5_error_table();
-
nt_status = kinit_to_ccache(gensec_gssapi_state,
gensec_get_credentials(gensec_security),
gensec_gssapi_state->smb_krb5_context,
@@ -261,25 +274,16 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
return nt_status;
}
- maj_stat = gss_krb5_ccache_name(&min_stat,
- gensec_gssapi_state->ccache_name,
+ maj_stat = gsskrb5_acquire_cred(&min_stat,
+ NULL, gensec_gssapi_state->ccache,
+ gensec_gssapi_state->client_name,
+ GSS_C_INDEFINITE,
+ GSS_C_NULL_OID_SET,
+ GSS_C_INITIATE,
+ &gensec_gssapi_state->cred,
+ NULL,
NULL);
if (maj_stat) {
- DEBUG(1, ("GSS krb5 ccache set %s failed: %s\n",
- gensec_gssapi_state->ccache_name,
- gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- maj_stat = gss_acquire_cred(&min_stat,
- gensec_gssapi_state->client_name,
- GSS_C_INDEFINITE,
- GSS_C_NULL_OID_SET,
- GSS_C_INITIATE,
- &gensec_gssapi_state->cred,
- NULL,
- NULL);
- if (maj_stat) {
DEBUG(1, ("Aquiring initiator credentails failed: %s\n",
gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
return NT_STATUS_UNSUCCESSFUL;
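Review bot: `gensec_gssapi_state->cred` is now built directly on `gensec_gssapi_state->ccache`, and nothing at the call documents which of the two must outlive the other. If the credential handle refers to the ccache rather than copying from it, releasing the ccache first would leave `cred` pointing at freed state, so a comment such as `/* cred borrows ccache: release cred before the ccache is closed */` belongs here. The teardown path is outside this hunk and should be checked for that order. The failure branch also returns without touching the ccache obtained by `kinit_to_ccache` above, which is fine only if that ccache is cleaned up with `gensec_gssapi_state`.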
@@ -336,16 +340,6 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
switch (gensec_security->gensec_role) {
case GENSEC_CLIENT:
{
- maj_stat = gss_krb5_ccache_name(&min_stat,
- gensec_gssapi_state->ccache_name,
- NULL);
- if (maj_stat) {
- DEBUG(1, ("GSS krb5 ccache set %s failed: %s\n",
- gensec_gssapi_state->ccache_name,
- gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
maj_stat = gss_init_sec_context(&min_stat,
gensec_gssapi_state->cred,
&gensec_gssapi_state->gssapi_context,
@@ -365,7 +359,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
{
maj_stat = gss_accept_sec_context(&min_stat,
&gensec_gssapi_state->gssapi_context,
- GSS_C_NO_CREDENTIAL,
+ gensec_gssapi_state->cred,
&input_token,
gensec_gssapi_state->input_chan_bindings,
&gensec_gssapi_state->client_name,
diff --git a/source4/auth/kerberos/clikrb5.c b/source4/auth/kerberos/clikrb5.c
index 0fede8b2cd..95a45fc739 100644
--- a/source4/auth/kerberos/clikrb5.c
+++ b/source4/auth/kerberos/clikrb5.c
@@ -503,6 +503,8 @@ static void smb_krb5_debug_wrapper(const char *timestr, const char *msg, void *p
krb5_error_code ret;
TALLOC_CTX *tmp_ctx;
+ initialize_krb5_error_table();
+
*smb_krb5_context = talloc(parent_ctx, struct smb_krb5_context);
tmp_ctx = talloc_new(*smb_krb5_context);