diff options
author | Andrew Bartlett <abartlet@samba.org> | 2012-02-25 14:15:17 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2012-03-01 22:04:45 +1100 |
commit | 5b700cb0e3bab1f9b0452db108d9150d5067c55d (patch) | |
tree | 018cac6599c4f88be421ee31574690ad06eccadd /source3/utils | |
parent | 6090a155f0d11effad565ffa37af9a26fff5e715 (diff) | |
download | samba-5b700cb0e3bab1f9b0452db108d9150d5067c55d.tar.gz samba-5b700cb0e3bab1f9b0452db108d9150d5067c55d.tar.bz2 samba-5b700cb0e3bab1f9b0452db108d9150d5067c55d.zip |
s3-ntlm_auth: Add --target-service and --target-hostname options
This will allow the gss-spnego-client protocol to work with modern
SPNEGO servers that do not send the principal in the mechListMIC.
Andrew Bartlett
Diffstat (limited to 'source3/utils')
-rw-r--r-- | source3/utils/ntlm_auth.c | 49 |
1 files changed, 40 insertions, 9 deletions
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c index b38995712c..bbf32f963b 100644 --- a/source3/utils/ntlm_auth.c +++ b/source3/utils/ntlm_auth.c @@ -151,6 +151,9 @@ static const char *require_membership_of; static const char *require_membership_of_sid; static const char *opt_pam_winbind_conf; +const char *opt_target_service; +const char *opt_target_hostname; + /** * A limited set of features are defined with text strings as needed * by ntlm_auth @@ -1953,17 +1956,41 @@ static bool manage_client_krb5_init(struct spnego_data spnego) return False; } - principal = (char *)SMB_MALLOC( - spnego.negTokenInit.mechListMIC.length+1); + principal = talloc_strndup(ctx, (char *)spnego.negTokenInit.mechListMIC.data, + spnego.negTokenInit.mechListMIC.length); - if (principal == NULL) { - DEBUG(1, ("Could not malloc principal\n")); - return False; + if (!principal) { + return false; } - memcpy(principal, spnego.negTokenInit.mechListMIC.data, - spnego.negTokenInit.mechListMIC.length); - principal[spnego.negTokenInit.mechListMIC.length] = '\0'; + /* We may not be allowed to use the server-supplied SPNEGO principal, or it may not have been supplied to us + */ + if (!lp_client_use_spnego_principal() || strequal(principal, ADS_IGNORE_PRINCIPAL)) { + TALLOC_FREE(principal); + } + + if (principal == NULL && + !is_ipaddress(opt_target_hostname)) { + DEBUG(3,("manage_client_krb5_init: using target " + "hostname not SPNEGO principal\n")); + + principal = kerberos_get_principal_from_service_hostname(talloc_tos(), + opt_target_service, + opt_target_hostname); + + if (!principal) { + return false; + } + + DEBUG(3,("manage_client_krb5_init: guessed " + "server principal=%s\n", + principal ? principal : "<null>")); + } + + if (principal == NULL) { + DEBUG(3,("manage_client_krb5_init: could not guess server principal\n")); + return false; + } retval = cli_krb5_get_ticket(ctx, principal, 0, &tkt, &session_key_krb5, @@ -2766,7 +2793,9 @@ enum { OPT_DIAGNOSTICS, OPT_REQUIRE_MEMBERSHIP, OPT_USE_CACHED_CREDS, - OPT_PAM_WINBIND_CONF + OPT_PAM_WINBIND_CONF, + OPT_TARGET_SERVICE, + OPT_TARGET_HOSTNAME }; int main(int argc, const char **argv) @@ -2808,6 +2837,8 @@ enum { "Perform diagnostics on the authentication chain"}, { "require-membership-of", 0, POPT_ARG_STRING, &require_membership_of, OPT_REQUIRE_MEMBERSHIP, "Require that a user be a member of this group (either name or SID) for authentication to succeed" }, { "pam-winbind-conf", 0, POPT_ARG_STRING, &opt_pam_winbind_conf, OPT_PAM_WINBIND_CONF, "Require that request must set WBFLAG_PAM_CONTACT_TRUSTDOM when krb5 auth is required" }, + { "target-service", 0, POPT_ARG_STRING, &opt_target_service, OPT_TARGET_SERVICE, "Target service (eg http)" }, + { "target-hostname", 0, POPT_ARG_STRING, &opt_target_hostname, OPT_TARGET_HOSTNAME, "Target hostname" }, POPT_COMMON_CONFIGFILE POPT_COMMON_VERSION POPT_TABLEEND |