author | Andrew Bartlett <abartlet@samba.org> | 2011-04-16 08:50:53 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2011-04-20 04:31:07 +0200 |
commit | 3a2afe4285fca8ab9e3e323ef7f5388f4090d669 (patch) | |
tree | d8501df4f75eff16ab8b74a98f790373aec94465 /source3/librpc | |
parent | 1804d9a64662d37f6c7c50bdd7b8edd80f42192b (diff) | |
s3-gse: Allow the GSSAPI wrapper to load a keytab using gss_krb5_import_cred()
This Heimdal function does not set the global state, and allows the
GSSAPI server to progress further when compiled against Heimdal (such
as in the top level build).
The ability to specify a keytab has been removed from the API as it is
unused, and the Heimdal function (avoiding setting global
variables) works with an open keytab.
Andrew Bartlett
Diffstat (limited to 'source3/librpc')
-rw-r--r-- | source3/librpc/crypto/gse.c | 50 | ||||
-rw-r--r-- | source3/librpc/crypto/gse.h | 1 |
2 files changed, 29 insertions, 22 deletions
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 6e3066a9d0..0d9eead082 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -342,15 +342,14 @@ done:
 NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
 			 bool do_sign, bool do_seal,
 			 uint32_t add_gss_c_flags,
-			 const char *keytab_name,
 			 struct gse_context **_gse_ctx)
 {
 	struct gse_context *gse_ctx;
 	OM_uint32 gss_maj, gss_min;
-	gss_OID_set_desc mech_set;
 	krb5_error_code ret;
-	const char *ktname;
 	NTSTATUS status;
+	const char *ktname;
+	gss_OID_set_desc mech_set;
 
 	status = gse_context_init(mem_ctx, do_sign, do_seal, NULL,
 				  add_gss_c_flags, &gse_ctx);
@@ -358,27 +357,36 @@ NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	if (!keytab_name) {
-		ret = gse_krb5_get_server_keytab(gse_ctx->k5ctx,
-						 &gse_ctx->keytab);
-		if (ret) {
-			status = NT_STATUS_INTERNAL_ERROR;
-			goto done;
-		}
-		ret = smb_krb5_keytab_name(gse_ctx, gse_ctx->k5ctx,
-					   gse_ctx->keytab, &ktname);
-		if (ret) {
-			status = NT_STATUS_INTERNAL_ERROR;
-			goto done;
-		}
-	} else {
-		ktname = keytab_name;
+	ret = gse_krb5_get_server_keytab(gse_ctx->k5ctx,
+					 &gse_ctx->keytab);
+	if (ret) {
+		status = NT_STATUS_INTERNAL_ERROR;
+		goto done;
 	}
+#ifdef HAVE_GSS_KRB5_IMPORT_CRED
+	/* This creates a GSSAPI cred_id_t with the principal and keytab set */
+	gss_maj = gss_krb5_import_cred(&gss_min, NULL, NULL, gse_ctx->keytab,
+				       &gse_ctx->creds);
+	if (gss_maj) {
+		DEBUG(0, ("gss_krb5_import_cred failed with [%s]\n",
+			  gse_errstr(gse_ctx, gss_maj, gss_min)));
+		status = NT_STATUS_INTERNAL_ERROR;
+		goto done;
+	}
+#else
 	/* FIXME!!!
 	 * This call sets the default keytab for the whole server, not
 	 * just for this context. Need to find a way that does not alter
 	 * the state of the whole server ...
 	 */
+
+	ret = smb_krb5_keytab_name(gse_ctx, gse_ctx->k5ctx,
+				   gse_ctx->keytab, &ktname);
+	if (ret) {
+		status = NT_STATUS_INTERNAL_ERROR;
+		goto done;
+	}
+
 	ret = gsskrb5_register_acceptor_identity(ktname);
 	if (ret) {
 		status = NT_STATUS_INTERNAL_ERROR;
@@ -387,7 +395,7 @@ NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
 
 	mech_set.count = 1;
 	mech_set.elements = &gse_ctx->gss_mech;
-	
+
 	gss_maj = gss_acquire_cred(&gss_min,
 				   GSS_C_NO_NAME,
 				   GSS_C_INDEFINITE,
@@ -395,13 +403,14 @@ NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
 				   GSS_C_ACCEPT,
 				   &gse_ctx->creds,
 				   NULL, NULL);
+
 	if (gss_maj) {
 		DEBUG(0, ("gss_acquire_creds failed with [%s]\n",
 			  gse_errstr(gse_ctx, gss_maj, gss_min)));
 		status = NT_STATUS_INTERNAL_ERROR;
 		goto done;
 	}
-
+#endif
 
 	status = NT_STATUS_OK;
 done:
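Review bot: The comment above the new gss_krb5_import_cred() call says the credential has "the principal and keytab set", but the second and third arguments (ccache and keytab principal) are both NULL, so the acceptor credential is not pinned to any service principal and any key present in the keytab can be used to accept a context — the same permissive behaviour as GSS_C_NO_NAME in the gss_acquire_cred() fallback, and the comment should say so: `/* Acceptor cred from the already-open keytab; NULL principal means any key in the keytab may be used (matches GSS_C_NO_NAME in the fallback below) */`. Whether the GSSAPI implementation copies or re-resolves the keytab handle, so that gse_ctx->keytab can be closed independently of gse_ctx->creds, is not visible here and is worth confirming against the cleanup in the done: path, which lies outside this hunk. With HAVE_GSS_KRB5_IMPORT_CRED defined, ktname and mech_set are only referenced inside the #else branch, so their declarations in the first hunk will produce unused-variable warnings (fatal under -Werror); declaring them inside the #else block, or guarding the declarations with `#ifndef HAVE_GSS_KRB5_IMPORT_CRED`, avoids that. gse_init_server() continues beyond the end of this hunk.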
@@ -932,7 +941,6 @@ NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
 NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
 			 bool do_sign, bool do_seal,
 			 uint32_t add_gss_c_flags,
-			 const char *keytab,
 			 struct gse_context **_gse_ctx)
 {
 	return NT_STATUS_NOT_IMPLEMENTED;
diff --git a/source3/librpc/crypto/gse.h b/source3/librpc/crypto/gse.h
index a6d9a35a7f..fbcf5b6e10 100644
--- a/source3/librpc/crypto/gse.h
+++ b/source3/librpc/crypto/gse.h
@@ -42,7 +42,6 @@ NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
 NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
 			 bool do_sign, bool do_seal,
 			 uint32_t add_gss_c_flags,
-			 const char *keytab,
 			 struct gse_context **_gse_ctx);
 NTSTATUS gse_get_server_auth_token(TALLOC_CTX *mem_ctx,
 				   struct gse_context *gse_ctx, |