authorAndrew Bartlett <abartlet@samba.org>2012-02-25 14:17:23 +1100
committerAndrew Bartlett <abartlet@samba.org>2012-03-01 22:04:45 +1100
commit4dae0e7ec5add0c2000484a7dc6ca6f147e6ecb9 (patch)
treed2327eaee942a7cf8e907b9aa976c7d31ebc62c4
parent5b700cb0e3bab1f9b0452db108d9150d5067c55d (diff)
s3-ntlm_auth: Wrap kerberos token in GSSAPI
While Windows will accept this ticket without the wrapping, it is nicer to follow the standard and wrap it up in GSSAPI. This should allow the ntlm_auth gss-spnego-client to talk to the ntlm_auth gss-spnego server. Reported by Christof Schmitt <christof.schmitt@us.ibm.com> Andrew Bartlett
-rw-r--r--source3/utils/ntlm_auth.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index bbf32f963b..fb38c8e09e 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -1940,7 +1940,7 @@ static void manage_client_ntlmssp_targ(struct spnego_data spnego)
static bool manage_client_krb5_init(struct spnego_data spnego)
{
char *principal;
- DATA_BLOB tkt, to_server;
+ DATA_BLOB tkt, tkt_wrapped, to_server;
DATA_BLOB session_key_krb5 = data_blob_null;
struct spnego_data reply;
char *reply_base64;
@@ -2024,8 +2024,12 @@ static bool manage_client_krb5_init(struct spnego_data spnego)
DEBUG(10, ("Kinit suceeded, but getting a ticket failed: %s\n", error_message(retval)));
return False;
}
+
}
+ /* wrap that up in a nice GSS-API wrapping */
+ tkt_wrapped = spnego_gen_krb5_wrap(ctx, tkt, TOK_ID_KRB_AP_REQ);
+
data_blob_free(&session_key_krb5);
ZERO_STRUCT(reply);
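Review bot: The result of `spnego_gen_krb5_wrap()` is used unchecked, and the last hunk assigns `tkt_wrapped` straight into `reply.negTokenInit.mechToken`. If the wrap fails (presumably signalled by an empty blob; confirm against its definition), the client would send a negTokenInit with an empty mechToken instead of aborting the exchange. A guard placed after `data_blob_free(&session_key_krb5);`, so the session key is still released on the failure path, would keep this local: `if (tkt_wrapped.data == NULL) { DEBUG(1, ("Failed to wrap krb5 ticket\n")); return False; }`. The wrapped blob appears to be allocated against `ctx`, judging by the first argument. manage_client_krb5_init starts and ends outside this hunk, so how `tkt` and `ctx` are released on an early return cannot be seen here.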
@@ -2034,7 +2038,7 @@ static bool manage_client_krb5_init(struct spnego_data spnego)
reply.negTokenInit.mechTypes = my_mechs;
reply.negTokenInit.reqFlags = data_blob_null;
reply.negTokenInit.reqFlagsPadding = 0;
- reply.negTokenInit.mechToken = tkt;
+ reply.negTokenInit.mechToken = tkt_wrapped;
reply.negTokenInit.mechListMIC = data_blob_null;
len = spnego_write_data(ctx, &to_server, &reply);