diff options
| author | Dan Sledz <dsledz@isilon.com> | 2009-01-15 17:02:41 -0800 |
|---|---|---|
| committer | Steven Danneman <steven.danneman@isilon.com> | 2009-02-01 20:23:31 -0800 |
| commit | d96248a9b46559552f53b0ecd3861387ea7ff050 (patch) | |
| tree | e7d5f3d00f0831d1cb2c4315cd2fa7e1de6abaf6 /source3/include/includes.h | |
| parent | d75b3913c9e03ff97336aa7a6e1cbac2eb03f230 (diff) | |
| download | samba-d96248a9b46559552f53b0ecd3861387ea7ff050.tar.gz samba-d96248a9b46559552f53b0ecd3861387ea7ff050.tar.bz2 samba-d96248a9b46559552f53b0ecd3861387ea7ff050.zip | |
Add two new parameters to control how we verify kerberos tickets. Removes lp_use_kerberos_keytab parameter.
The first is "kerberos method" and replaces the "use kerberos keytab"
with an enum. Valid options are:
secrets only - use only the secrets for ticket verification (default)
system keytab - use only the system keytab for ticket verification
dedicated keytab - use a dedicated keytab for ticket verification.
secrets and keytab - use the secrets.tdb first, then the system keytab
For existing installs:
"use kerberos keytab = yes" corresponds to secrets and keytab
"use kerberos keytab = no" corresponds to secrets only
The major difference between "system keytab" and "dedicated keytab" is
that the latter method relies on kerberos to find the correct keytab
entry instead of filtering based on expected principals.
The second parameter is "dedicated keytab file", which is the keytab
to use when in "dedicated keytab" mode. This keytab is only used in
ads_verify_ticket.
Diffstat (limited to 'source3/include/includes.h')
| -rw-r--r-- | source3/include/includes.h | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/source3/include/includes.h b/source3/include/includes.h index c58ebcdbfe..ebd8923769 100644 --- a/source3/include/includes.h +++ b/source3/include/includes.h @@ -879,8 +879,25 @@ char *talloc_asprintf_strupper_m(TALLOC_CTX *t, const char *fmt, ...) PRINTF_ATT #define XATTR_REPLACE 0x2 /* set value, fail if attr does not exist */ #endif -#if defined(HAVE_KRB5) +/* + * This should be under the HAVE_KRB5 flag but since they're used + * in lp_kerberos_method(), they ned to be always available + */ +#define KERBEROS_VERIFY_SECRETS 0 +#define KERBEROS_VERIFY_SYSTEM_KEYTAB 1 +#define KERBEROS_VERIFY_DEDICATED_KEYTAB 2 +#define KERBEROS_VERIFY_SECRETS_AND_KEYTAB 3 +/* + * If you add any entries to the above, please modify the below expressions + * so they remain accurate. + */ +#define USE_KERBEROS_KEYTAB (KERBEROS_VERIFY_SECRETS != lp_kerberos_method()) +#define USE_SYSTEM_KEYTAB \ + ((KERBEROS_VERIFY_SECRETS_AND_KEYTAB == lp_kerberos_method()) || \ + (KERBEROS_VERIFY_SYSTEM_KEYTAB == lp_kerberos_method())) + +#if defined(HAVE_KRB5) krb5_error_code smb_krb5_parse_name(krb5_context context, const char *name, /* in unix charset */ krb5_principal *principal); |