authorAndrew Bartlett <abartlet@samba.org>2011-04-16 08:50:53 +1000
committerAndrew Bartlett <abartlet@samba.org>2011-04-20 04:31:07 +0200
commit3a2afe4285fca8ab9e3e323ef7f5388f4090d669 (patch)
treed8501df4f75eff16ab8b74a98f790373aec94465 /source3/librpc/crypto
parent1804d9a64662d37f6c7c50bdd7b8edd80f42192b (diff)
s3-gse: Allow the GSSAPI wrapper to load a keytab using gss_krb5_import_cred()
This Heimdal function does not set the global state, and allows the GSSAPI server to progress further when compiled against Heimdal (such as in the top level build). The ability to specify a keytab has been removed from the API as it is unused, and the Heimdal function (avoiding setting global variables) works with an open keytab. Andrew Bartlett
Diffstat (limited to 'source3/librpc/crypto')
-rw-r--r--source3/librpc/crypto/gse.c50
-rw-r--r--source3/librpc/crypto/gse.h1
2 files changed, 29 insertions, 22 deletions
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 6e3066a9d0..0d9eead082 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -342,15 +342,14 @@ done:
NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
bool do_sign, bool do_seal,
uint32_t add_gss_c_flags,
- const char *keytab_name,
struct gse_context **_gse_ctx)
{
struct gse_context *gse_ctx;
OM_uint32 gss_maj, gss_min;
- gss_OID_set_desc mech_set;
krb5_error_code ret;
- const char *ktname;
NTSTATUS status;
+ const char *ktname;
+ gss_OID_set_desc mech_set;
status = gse_context_init(mem_ctx, do_sign, do_seal,
NULL, add_gss_c_flags, &gse_ctx);
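Review bot: The re-added declarations of `ktname` and `mech_set` become unused when HAVE_GSS_KRB5_IMPORT_CRED is defined, because, as far as the later hunks of this function show, their only uses sit inside the `#else` branch (smb_krb5_keytab_name / gsskrb5_register_acceptor_identity and the gss_acquire_cred mech set), so a `-Wunused-variable` build will warn on the Heimdal path. Wrapping the two lines in `#ifndef HAVE_GSS_KRB5_IMPORT_CRED` / `#endif` keeps each declaration next to the branch that needs it and documents why they exist at all. The body of gse_init_server continues past this hunk.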
@@ -358,27 +357,36 @@ NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
- if (!keytab_name) {
- ret = gse_krb5_get_server_keytab(gse_ctx->k5ctx,
- &gse_ctx->keytab);
- if (ret) {
- status = NT_STATUS_INTERNAL_ERROR;
- goto done;
- }
- ret = smb_krb5_keytab_name(gse_ctx, gse_ctx->k5ctx,
- gse_ctx->keytab, &ktname);
- if (ret) {
- status = NT_STATUS_INTERNAL_ERROR;
- goto done;
- }
- } else {
- ktname = keytab_name;
+ ret = gse_krb5_get_server_keytab(gse_ctx->k5ctx,
+ &gse_ctx->keytab);
+ if (ret) {
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto done;
}
+#ifdef HAVE_GSS_KRB5_IMPORT_CRED
+ /* This creates a GSSAPI cred_id_t with the principal and keytab set */
+ gss_maj = gss_krb5_import_cred(&gss_min, NULL, NULL, gse_ctx->keytab,
+ &gse_ctx->creds);
+ if (gss_maj) {
+ DEBUG(0, ("gss_krb5_import_cred failed with [%s]\n",
+ gse_errstr(gse_ctx, gss_maj, gss_min)));
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto done;
+ }
+#else
/* FIXME!!!
* This call sets the default keytab for the whole server, not
* just for this context. Need to find a way that does not alter
* the state of the whole server ... */
+
+ ret = smb_krb5_keytab_name(gse_ctx, gse_ctx->k5ctx,
+ gse_ctx->keytab, &ktname);
+ if (ret) {
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto done;
+ }
+
ret = gsskrb5_register_acceptor_identity(ktname);
if (ret) {
status = NT_STATUS_INTERNAL_ERROR;
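Review bot: The new gse_krb5_get_server_keytab failure path maps `ret` to NT_STATUS_INTERNAL_ERROR without logging, whereas the gss_krb5_import_cred failure immediately below reports the GSS error at DEBUG level 0; an operator whose keytab is missing or unreadable will only see a generic internal error. A line such as `DEBUG(1, ("gse_krb5_get_server_keytab failed with [%d]\n", (int)ret));` before the `goto done` (and likewise on the smb_krb5_keytab_name failure in the `#else` branch) makes keytab problems diagnosable from the logs. Separately, the comment above gss_krb5_import_cred could record the ownership relation between `gse_ctx->keytab` and the returned `gse_ctx->creds` — whether the cred keeps a reference to the open keytab or re-resolves it — since that decides the order in which the two must be released in the destructor; I cannot confirm Heimdal's behaviour from this hunk. The body of gse_init_server continues past this hunk.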
@@ -387,7 +395,7 @@ NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
mech_set.count = 1;
mech_set.elements = &gse_ctx->gss_mech;
-
+
gss_maj = gss_acquire_cred(&gss_min,
GSS_C_NO_NAME,
GSS_C_INDEFINITE,
@@ -395,13 +403,14 @@ NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
GSS_C_ACCEPT,
&gse_ctx->creds,
NULL, NULL);
+
if (gss_maj) {
DEBUG(0, ("gss_acquire_creds failed with [%s]\n",
gse_errstr(gse_ctx, gss_maj, gss_min)));
status = NT_STATUS_INTERNAL_ERROR;
goto done;
}
-
+#endif
status = NT_STATUS_OK;
done:
@@ -932,7 +941,6 @@ NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
bool do_sign, bool do_seal,
uint32_t add_gss_c_flags,
- const char *keytab,
struct gse_context **_gse_ctx)
{
return NT_STATUS_NOT_IMPLEMENTED;
diff --git a/source3/librpc/crypto/gse.h b/source3/librpc/crypto/gse.h
index a6d9a35a7f..fbcf5b6e10 100644
--- a/source3/librpc/crypto/gse.h
+++ b/source3/librpc/crypto/gse.h
@@ -42,7 +42,6 @@ NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
bool do_sign, bool do_seal,
uint32_t add_gss_c_flags,
- const char *keytab,
struct gse_context **_gse_ctx);
NTSTATUS gse_get_server_auth_token(TALLOC_CTX *mem_ctx,
struct gse_context *gse_ctx,