authorStefan Metzmacher <metze@samba.org>2007-07-31 09:49:14 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:29:06 -0500
commit3edc6088aaff282530435ca19f70a96b22f045f4 (patch)
tree00f272bb1700257890daed3980b29d2c9b48b8ad /source3/libads/sasl.c
parentae5da66e2321052f23260f3ebbe4854df31a4d66 (diff)
r24098: - make use of the ads_service_principal abstraction
also for the "GSSAPI" sasl mech. - also use the ads_kinit_password() fallback logic from the "GSS-SPNEGO" sasl mech. metze (This used to be commit cbaf44de1e1f8007dc4ca249791ea30d2902c7c4)
Diffstat (limited to 'source3/libads/sasl.c')
-rw-r--r--source3/libads/sasl.c93
1 files changed, 32 insertions, 61 deletions
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 4436551d88..0bc741c02a 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -905,11 +905,9 @@ failed:
this routine is much less fragile
see RFC2078 and RFC2222 for details
*/
-static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)
+static ADS_STATUS ads_sasl_gssapi_do_bind(ADS_STRUCT *ads, const gss_name_t serv_name)
{
uint32 minor_status;
- gss_name_t serv_name;
- gss_buffer_desc input_name;
gss_ctx_id_t context_handle = GSS_C_NO_CONTEXT;
gss_OID mech_type = GSS_C_NULL_OID;
gss_buffer_desc output_token, input_token;
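Review bot: The renamed `ads_sasl_gssapi_do_bind` now receives a `serv_name` it does not own, but the header comment above it (the RFC2078/RFC2222 text) says nothing about who keeps the name alive or releases it, and the `const` on a by-value `gss_name_t` only qualifies the local pointer copy, so it documents nothing to callers. A one-line contract comment above the signature would close that gap, e.g. `/* serv_name is borrowed: the caller keeps it valid for the whole bind and releases it afterwards */`. The function body continues past the end of this hunk.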
@@ -921,62 +919,7 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)
int gss_rc, rc;
uint8 *p;
uint32 max_msg_size = 0;
- char *sname = NULL;
ADS_STATUS status;
- krb5_principal principal = NULL;
- krb5_context ctx = NULL;
- krb5_enctype enc_types[] = {
-#ifdef ENCTYPE_ARCFOUR_HMAC
- ENCTYPE_ARCFOUR_HMAC,
-#endif
- ENCTYPE_DES_CBC_MD5,
- ENCTYPE_NULL};
- gss_OID_desc nt_principal =
- {10, CONST_DISCARD(char *, "\052\206\110\206\367\022\001\002\002\002")};
-
- /* we need to fetch a service ticket as the ldap user in the
- servers realm, regardless of our realm */
- asprintf(&sname, "ldap/%s@%s", ads->config.ldap_server_name, ads->config.realm);
-
- initialize_krb5_error_table();
- status = ADS_ERROR_KRB5(krb5_init_context(&ctx));
- if (!ADS_ERR_OK(status)) {
- SAFE_FREE(sname);
- return status;
- }
- status = ADS_ERROR_KRB5(krb5_set_default_tgs_ktypes(ctx, enc_types));
- if (!ADS_ERR_OK(status)) {
- SAFE_FREE(sname);
- krb5_free_context(ctx);
- return status;
- }
- status = ADS_ERROR_KRB5(smb_krb5_parse_name(ctx, sname, &principal));
- if (!ADS_ERR_OK(status)) {
- SAFE_FREE(sname);
- krb5_free_context(ctx);
- return status;
- }
-
- input_name.value = &principal;
- input_name.length = sizeof(principal);
-
- gss_rc = gss_import_name(&minor_status, &input_name, &nt_principal, &serv_name);
-
- /*
- * The MIT libraries have a *HORRIBLE* bug - input_value.value needs
- * to point to the *address* of the krb5_principal, and the gss libraries
- * to a shallow copy of the krb5_principal pointer - so we need to keep
- * the krb5_principal around until we do the gss_release_name. MIT *SUCKS* !
- * Just one more way in which MIT engineers screwed me over.... JRA.
- */
-
- SAFE_FREE(sname);
-
- if (gss_rc) {
- krb5_free_principal(ctx, principal);
- krb5_free_context(ctx);
- return ADS_ERROR_GSS(gss_rc, minor_status);
- }
input_token.value = NULL;
input_token.length = 0;
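Review bot: Removing the `krb5_set_default_tgs_ktypes(ctx, enc_types)` call drops the explicit TGS enctype restriction (ARCFOUR-HMAC when available, DES-CBC-MD5) this function applied before fetching the ldap/ service ticket; whether `ads_generate_service_principal()` applies an equivalent policy is not visible in this diff, and if it does not, the enctypes negotiated for the GSSAPI bind silently change with this commit, which should be confirmed and noted in the commit message. The deleted comment was also the only place recording that the krb5_principal behind `serv_name` must outlive `gss_release_name()`; that constraint now rests on `ads_free_service_principal()` and is worth restating near the new parameter so it is not lost. `ads_sasl_gssapi_do_bind` starts before and ends after this hunk.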
@@ -1122,16 +1065,44 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)
}
failed:
- gss_release_name(&minor_status, &serv_name);
if (context_handle != GSS_C_NO_CONTEXT)
gss_delete_sec_context(&minor_status, &context_handle, GSS_C_NO_BUFFER);
- krb5_free_principal(ctx, principal);
- krb5_free_context(ctx);
if(scred)
ber_bvfree(scred);
return status;
}
+
+static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)
+{
+ ADS_STATUS status;
+ struct ads_service_principal p;
+
+ status = ads_generate_service_principal(ads, NULL, &p);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+
+ status = ads_sasl_gssapi_do_bind(ads, p.name);
+ if (ADS_ERR_OK(status)) {
+ ads_free_service_principal(&p);
+ return status;
+ }
+
+ DEBUG(10,("ads_sasl_gssapi_do_bind failed with: %s, "
+ "calling kinit\n", ads_errstr(status)));
+
+ status = ADS_ERROR_KRB5(ads_kinit_password(ads));
+
+ if (ADS_ERR_OK(status)) {
+ status = ads_sasl_gssapi_do_bind(ads, p.name);
+ }
+
+ ads_free_service_principal(&p);
+
+ return status;
+}
+
#endif /* HAVE_GGSAPI */
/* mapping between SASL mechanisms and functions */
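Review bot: In the new `ads_sasl_gssapi_bind`, any failure of the first `ads_sasl_gssapi_do_bind()` call, including failures unrelated to credentials, triggers `ads_kinit_password(ads)`, and when that kinit itself fails its status overwrites the original bind error, which then survives only in the DEBUG(10) message. Consider saving the first result, `ADS_STATUS bind_status = status;`, and returning it when the kinit fails so callers see the real bind problem rather than a password-fallback problem; if matching the GSS-SPNEGO path exactly is the priority, at least raising the level of the existing DEBUG message would make the fallback visible in normal logs. The `failed:` label in `ads_sasl_gssapi_do_bind` no longer releases `serv_name`, which is consistent with `ads_free_service_principal(&p)` being called only after each `do_bind` returns, as far as the visible lines show.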