author | Andrew Bartlett <abartlet@samba.org> | 2011-12-06 14:18:41 +1100 |
---|---|---|
committer | Amitay Isaacs <amitay@samba.org> | 2011-12-07 02:20:10 +0100 |
commit | dbbb626dc0ad7b0100aec3ee3a787e1ac18f528a (patch) | |
tree | f4a58debf6b3a02633af0007549893070244f177 | |
parent | 0344e7278b5ddaba0efd7b31a894e901bd9ef6fb (diff) | |
s4-dns Use match-by-key in GSSAPI server if principal is not specified
This allows dlz_bind9 to match on exactly the same key as bind9 itself
Andrew Bartlett
Autobuild-User: Amitay Isaacs <amitay@samba.org>
Autobuild-Date: Wed Dec 7 02:20:10 CET 2011 on sn-devel-104
-rw-r--r-- | auth/credentials/credentials_krb5.c | 12 | ||||
-rw-r--r-- | source4/dns_server/dlz_bind9.c | 27 |
2 files changed, 14 insertions, 25 deletions
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 1b7be3f63c..1e5600c2b1 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -794,9 +794,15 @@ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
 return ENOMEM;
 }
- /* This creates a GSSAPI cred_id_t with the principal and keytab set */
- maj_stat = gss_krb5_import_cred(&min_stat, NULL, princ, ktc->keytab,
- &gcc->creds);
+ if (obtained < CRED_SPECIFIED) {
+ /* This creates a GSSAPI cred_id_t with the principal and keytab set */
+ maj_stat = gss_krb5_import_cred(&min_stat, NULL, NULL, ktc->keytab,
+ &gcc->creds);
+ } else {
+ /* This creates a GSSAPI cred_id_t with the principal and keytab set */
+ maj_stat = gss_krb5_import_cred(&min_stat, NULL, princ, ktc->keytab,
+ &gcc->creds);
+ }
 if (maj_stat) {
 if (min_stat) {
 ret = min_stat;
diff --git a/source4/dns_server/dlz_bind9.c b/source4/dns_server/dlz_bind9.c
index 1240ab7cc3..97eaac8564 100644
--- a/source4/dns_server/dlz_bind9.c
+++ b/source4/dns_server/dlz_bind9.c
@@ -1043,17 +1043,6 @@ _PUBLIC_ isc_result_t dlz_configure(dns_view_t *view, void *dbdata)
 return ISC_R_SUCCESS;
 }
-static char *strlower(char *str)
-{
- int i;
-
- for (i=0; i<strlen(str); i++) {
- str[i] = (char) tolower(str[i]);
- }
-
- return str;
-}
-
 /* authorize a zone update */
@@ -1065,8 +1054,8 @@ _PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const
 TALLOC_CTX *tmp_ctx;
 DATA_BLOB ap_req;
 struct cli_credentials *server_credentials;
- char *keytab_name, *username;
- bool ret;
+ char *keytab_name;
+ int ret;
 int ldb_ret;
 NTSTATUS nt_status;
 struct gensec_security *gensec_ctx;
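Review bot: The comment duplicated into both branches of the new `if (obtained < CRED_SPECIFIED)` still says the credential is imported "with the principal and keytab set", but the first branch deliberately passes NULL as the principal, so the comment is wrong for exactly the case this commit adds. Suggest `/* No principal was specified: import the whole keytab so the acceptor matches whichever key the client used */` on the NULL branch and the original text only on the else branch, or collapse the two calls into one `maj_stat = gss_krb5_import_cred(&min_stat, NULL, obtained < CRED_SPECIFIED ? NULL : princ, ktc->keytab, &gcc->creds);` so the comment cannot drift. Because a NULL principal makes every key in the keytab acceptable, that comment is also the right place to state that the keytab is trusted as a whole. `obtained` and `princ` are set before this hunk, and cli_credentials_get_server_gss_creds continues outside it.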
@@ -1104,22 +1093,17 @@ _PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const
 cli_credentials_set_krb5_context(server_credentials, state->smb_krb5_ctx);
 cli_credentials_set_conf(server_credentials, state->lp);
- username = talloc_asprintf(tmp_ctx, "dns-%s", lpcfg_netbios_name(state->lp));
- username = strlower(username);
- cli_credentials_set_username(server_credentials, username, CRED_SPECIFIED);
- talloc_free(username);
-
 keytab_name = talloc_asprintf(tmp_ctx, "file:%s/dns.keytab", lpcfg_private_dir(state->lp));
 ret = cli_credentials_set_keytab_name(server_credentials, state->lp, keytab_name, CRED_SPECIFIED);
- talloc_free(keytab_name);
 if (ret != 0) {
- state->log(ISC_LOG_ERROR, "samba_dlz: failed to obtain server credentials for %s",
- username);
+ state->log(ISC_LOG_ERROR, "samba_dlz: failed to obtain server credentials from %s",
+ keytab_name);
 talloc_free(tmp_ctx);
 return false;
 }
+ talloc_free(keytab_name);
 nt_status = gensec_server_start(tmp_ctx, lpcfg_gensec_settings(tmp_ctx, state->lp),
@@ -1131,7 +1115,6 @@ _PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const
 }
 gensec_set_credentials(gensec_ctx, server_credentials);
- gensec_set_target_service(gensec_ctx, "dns");
 nt_status = gensec_start_mech_by_name(gensec_ctx, "spnego");
 if (!NT_STATUS_IS_OK(nt_status)) { |
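Review bot: The error path at `if (ret != 0)` now names the keytab but still drops the code in `ret`, which is the one value an operator needs to tell a missing dns.keytab from an unreadable or malformed one; suggest `state->log(ISC_LOG_ERROR, "samba_dlz: failed to obtain server credentials from %s (error %d)", keytab_name, ret);`. Dropping the `dns-<netbios>` username here and `gensec_set_target_service(gensec_ctx, "dns")` in the next hunk means any key present in dns.keytab now authenticates a signer, which is the match-by-key behaviour the commit wants but is recorded nowhere in the code; a comment above the `keytab_name =` line such as `/* No principal is pinned: every key in dns.keytab is acceptable, so the file must hold only the DNS service's keys */` would preserve that assumption for the next reader. The added `talloc_free(keytab_name)` after the error block looks redundant, since keytab_name is allocated on tmp_ctx and the error path already frees tmp_ctx — presumably the success path does too, but that free is outside the hunk. dlz_ssumatch starts and ends outside this hunk.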