diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2005-07-09 01:58:38 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:19:25 -0500 |
| commit | c0a78453a77fb0aa42d676635778a75204b6869c (patch) | |
| tree | b8e6aee36941ffafe9858dbfbcebd93ab33e0f56 /source4/auth/gensec/gensec_gssapi.c | |
| parent | 37cf22a39eec62a62d5ad30d9419ce4e159dff31 (diff) | |
| download | samba-c0a78453a77fb0aa42d676635778a75204b6869c.tar.gz samba-c0a78453a77fb0aa42d676635778a75204b6869c.tar.bz2 samba-c0a78453a77fb0aa42d676635778a75204b6869c.zip | |
r8250: More PAC work. We now sucessfully verify the KDC signature from my DC
(I have included the krbtgt key from my test network).
It turns out the krbtgt signature is over the 16 (or whatever,
enc-type dependent) bytes of the signature, not the entire structure.
Also do not even try to use Kerberos or GSSAPI on an IP address, it
will only fail.
Andrew Bartlett
(This used to be commit 3b9558e82fdebb58f240d43f6a594d676eb04daf)
Diffstat (limited to 'source4/auth/gensec/gensec_gssapi.c')
| -rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 2b7c4ca2cc..e6049edc58 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -228,6 +228,16 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi NTSTATUS nt_status; gss_buffer_desc name_token; OM_uint32 maj_stat, min_stat; + const char *hostname = gensec_get_target_hostname(gensec_security); + + if (!hostname) { + DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n")); + return NT_STATUS_INVALID_PARAMETER; + } + if (is_ipaddress(hostname)) { + DEBUG(2, ("Cannot do GSSAPI to a IP address")); + return NT_STATUS_INVALID_PARAMETER; + } nt_status = gensec_gssapi_start(gensec_security); if (!NT_STATUS_IS_OK(nt_status)) { @@ -238,7 +248,7 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi name_token.value = talloc_asprintf(gensec_gssapi_state, "%s@%s", gensec_get_target_service(gensec_security), - gensec_get_target_hostname(gensec_security)); + hostname); name_token.length = strlen(name_token.value); maj_stat = gss_import_name (&min_stat, @@ -786,7 +796,7 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi /* decode and verify the pac */ nt_status = kerberos_decode_pac(mem_ctx, &logon_info, pac_blob, gensec_gssapi_state->smb_krb5_context, - keyblock); + NULL, keyblock); if (NT_STATUS_IS_OK(nt_status)) { union netr_Validation validation; |