summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
authorJeff Layton <jlayton@redhat.com>2008-08-19 21:29:41 -0400
committerJeff Layton <jlayton@redhat.com>2008-08-21 19:38:41 -0400
commit6cbebac514a8661f577e11d05f3eae675b605d51 (patch)
tree09939459eccd61c5b9f238111fcc30fbd6a90e21 /source3
parent3be3dac17d7e333c3e3760ae9b0b2a5441206046 (diff)
downloadsamba-6cbebac514a8661f577e11d05f3eae675b605d51.tar.gz
samba-6cbebac514a8661f577e11d05f3eae675b605d51.tar.bz2
samba-6cbebac514a8661f577e11d05f3eae675b605d51.zip
cifs.upcall: handle MSKRB5 OID properly
When the kernel sends the upcall a sec=mskrb5 parameter, that means the the MSKRB5 OID is preferred by the server. This patch fixes the upcall to use that OID in place of the "normal" krb5 OID when it gets a sec=mskrb5 parameter. Signed-off-by: Jeff Layton <jlayton@redhat.com> Acked-by: Steve French <smfrench@gmail.com> (This used to be commit 6287e13b34efeaa8fd94c7c6d99468350ce6172e)
Diffstat (limited to 'source3')
-rw-r--r--source3/client/cifs.upcall.c18
1 files changed, 13 insertions, 5 deletions
diff --git a/source3/client/cifs.upcall.c b/source3/client/cifs.upcall.c
index aa5eb57310..fd3ed17d2d 100644
--- a/source3/client/cifs.upcall.c
+++ b/source3/client/cifs.upcall.c
@@ -29,7 +29,7 @@ create dns_resolver * * /usr/local/sbin/cifs.upcall %k
#include "cifs_spnego.h"
-const char *CIFSSPNEGO_VERSION = "1.1";
+const char *CIFSSPNEGO_VERSION = "1.2";
static const char *prog = "cifs.upcall";
typedef enum _secType {
KRB5,
@@ -73,7 +73,7 @@ int handle_krb5_mech(const char *oid, const char *principal,
tkt_wrapped = spnego_gen_krb5_wrap(tkt, TOK_ID_KRB_AP_REQ);
/* and wrap that in a shiny SPNEGO wrapper */
- *secblob = gen_negTokenInit(OID_KERBEROS5, tkt_wrapped);
+ *secblob = gen_negTokenInit(oid, tkt_wrapped);
data_blob_free(&tkt_wrapped);
data_blob_free(&tkt);
@@ -118,6 +118,9 @@ int decode_key_description(const char *desc, int *ver, secType_t * sec,
if (strncmp(tkn + 4, "krb5", 4) == 0) {
retval |= DKD_HAVE_SEC;
*sec = KRB5;
+ } else if (strncmp(tkn + 4, "mskrb5", 6) == 0) {
+ retval |= DKD_HAVE_SEC;
+ *sec = MS_KRB5;
}
} else if (strncmp(tkn, "uid=", 4) == 0) {
errno = 0;
@@ -219,7 +222,7 @@ int main(const int argc, char *const argv[])
uid_t uid;
int kernel_upcall_version;
int c, use_cifs_service_prefix = 0;
- char *buf, *hostname = NULL;
+ char *buf, *oid, *hostname = NULL;
openlog(prog, 0, LOG_DAEMON);
@@ -301,6 +304,7 @@ int main(const int argc, char *const argv[])
// do mech specific authorization
switch (sectype) {
+ case MS_KRB5:
case KRB5:{
char *princ;
size_t len;
@@ -319,8 +323,12 @@ int main(const int argc, char *const argv[])
}
strlcpy(princ + 5, hostname, len - 5);
- rc = handle_krb5_mech(OID_KERBEROS5, princ,
- &secblob, &sess_key);
+ if (sectype == MS_KRB5)
+ oid = OID_KERBEROS5_OLD;
+ else
+ oid = OID_KERBEROS5;
+
+ rc = handle_krb5_mech(oid, princ, &secblob, &sess_key);
SAFE_FREE(princ);
break;
}