auth/kerberos Add check for gss_inquire_sec_context_by_oid

Not all kerberos distributions have this function.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Apr 27 07:39:08 CEST 2011 on sn-devel-104

4 files changed, 13 insertions, 5 deletions

diff --git a/auth/kerberos/gssapi_pac.c b/auth/kerberos/gssapi_pac.c
index dd2fb7e0a7..d89a649ff2 100644
--- a/auth/kerberos/gssapi_pac.c
+++ b/auth/kerberos/gssapi_pac.c
@@ -38,20 +38,19 @@ NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
 				gss_name_t gss_client_name,
 				DATA_BLOB *pac_blob)
 {
+	NTSTATUS status;
 	OM_uint32 gss_maj, gss_min;
-	gss_buffer_set_t set = GSS_C_NO_BUFFER_SET;
+#ifdef HAVE_GSS_GET_NAME_ATTRIBUTE
 	gss_buffer_desc pac_buffer;
 	gss_buffer_desc pac_display_buffer;
 	gss_buffer_desc pac_name = {
 		.value = "urn:mspac:",
 		.length = sizeof("urn:mspac:")-1
 	};
-	NTSTATUS status;
 	int more = -1;
 	int authenticated = false;
 	int complete = false;
 
-#ifdef HAVE_GSS_GET_NAME_ATTRIBUTE
 	gss_maj = gss_get_name_attribute(
 		&gss_min, gss_client_name, &pac_name,
 		&authenticated, &complete,
@@ -83,7 +82,10 @@ NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-#endif
+#elif defined(HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID)
+
+	gss_buffer_set_t set = GSS_C_NO_BUFFER_SET;
+
 	/* If we didn't have the routine to get a verified, validated
 	 * PAC (supplied only by MIT at the time of writing), then try
 	 * with the Heimdal OID (fetches the PAC directly and always
@@ -118,6 +120,10 @@ NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
 		gss_maj = gss_release_buffer_set(&gss_min, &set);
 		return status;
 	}
+#else
+	DEBUG(1, ("unable to obtain a PAC against this GSSAPI library.  "
+		  "GSSAPI secured connections are available only with Heimdal or MIT Kerberos >= 1.8\n"));
+#endif
 	return NT_STATUS_ACCESS_DENIED;
 }
 #endif
diff --git a/source3/configure.in b/source3/configure.in
index a463aa910d..3624c25e62 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -3871,6 +3871,7 @@ if test x"$with_ads_support" != x"no"; then
   AC_CHECK_FUNC_EXT(gss_krb5_import_cred, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(gss_get_name_attribute, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(gss_oid_equal, $KRB5_LIBS)
+  AC_CHECK_FUNC_EXT(gss_inquire_sec_context_by_oid, $KRB5_LIBS)
 
   # MIT krb5 1.8 does not expose this call (yet)
   AC_CHECK_DECLS(krb5_get_credentials_for_user, [], [], [#include <krb5.h>])
diff --git a/source3/wscript b/source3/wscript
index cdafc1683a..d9cc0c6124 100644
--- a/source3/wscript
+++ b/source3/wscript
@@ -632,7 +632,7 @@ msg.msg_acctrightslen = sizeof(fd);
         if conf.CHECK_FUNCS_IN('gss_display_status', 'gssapi') or \
            conf.CHECK_FUNCS_IN('gss_display_status', 'gssapi_krb5'):
             have_gssapi=True
-        conf.CHECK_FUNCS_IN('gss_wrap_iov gss_krb5_import_cred gss_get_name_attribute gss_oid_equal', 'gssapi gssapi_krb5 krb5')
+        conf.CHECK_FUNCS_IN('gss_wrap_iov gss_krb5_import_cred gss_get_name_attribute gss_oid_equal gss_inquire_sec_context_by_oid', 'gssapi gssapi_krb5 krb5')
         conf.CHECK_FUNCS_IN('krb5_mk_req_extended krb5_kt_compare', 'krb5')
         conf.CHECK_FUNCS('''
 krb5_set_real_time krb5_set_default_in_tkt_etypes krb5_set_default_tgs_enctypes
diff --git a/source4/heimdal_build/wscript_configure b/source4/heimdal_build/wscript_configure
index f96c683baf..cd2a70f320 100644
--- a/source4/heimdal_build/wscript_configure
+++ b/source4/heimdal_build/wscript_configure
@@ -83,6 +83,7 @@ conf.define('HAVE_GSS_DISPLAY_STATUS', 1)
 conf.define('HAVE_GSS_WRAP_IOV', 1)
 conf.define('HAVE_GSS_KRB5_IMPORT_CRED', 1)
 conf.define('HAVE_GSS_OID_EQUAL', 1)
+conf.define('HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID', 1)
 conf.define('HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT', 1)
 conf.define('HAVE_LIBGSSAPI', 1)
 conf.define('HAVE_ADDR_TYPE_IN_KRB5_ADDRESS', 1)