summaryrefslogtreecommitdiff
path: root/source4/auth/gensec/gensec_krb5.c
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2005-07-09 01:58:38 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:19:25 -0500
commitc0a78453a77fb0aa42d676635778a75204b6869c (patch)
treeb8e6aee36941ffafe9858dbfbcebd93ab33e0f56 /source4/auth/gensec/gensec_krb5.c
parent37cf22a39eec62a62d5ad30d9419ce4e159dff31 (diff)
downloadsamba-c0a78453a77fb0aa42d676635778a75204b6869c.tar.gz
samba-c0a78453a77fb0aa42d676635778a75204b6869c.tar.bz2
samba-c0a78453a77fb0aa42d676635778a75204b6869c.zip
r8250: More PAC work. We now sucessfully verify the KDC signature from my DC
(I have included the krbtgt key from my test network). It turns out the krbtgt signature is over the 16 (or whatever, enc-type dependent) bytes of the signature, not the entire structure. Also do not even try to use Kerberos or GSSAPI on an IP address, it will only fail. Andrew Bartlett (This used to be commit 3b9558e82fdebb58f240d43f6a594d676eb04daf)
Diffstat (limited to 'source4/auth/gensec/gensec_krb5.c')
-rw-r--r--source4/auth/gensec/gensec_krb5.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 69dae1c8d9..168b6df364 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -138,8 +138,13 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
const char *hostname = gensec_get_target_hostname(gensec_security);
if (!hostname) {
DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n"));
- return NT_STATUS_ACCESS_DENIED;
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ if (is_ipaddress(hostname)) {
+ DEBUG(2, ("Cannot do GSSAPI to a IP address"));
+ return NT_STATUS_INVALID_PARAMETER;
}
+
nt_status = gensec_krb5_start(gensec_security);
if (!NT_STATUS_IS_OK(nt_status)) {
@@ -444,7 +449,8 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
/* decode and verify the pac */
nt_status = kerberos_decode_pac(gensec_krb5_state, &logon_info, gensec_krb5_state->pac,
- gensec_krb5_state->smb_krb5_context, (gensec_krb5_state->keyblock));
+ gensec_krb5_state->smb_krb5_context,
+ NULL, gensec_krb5_state->keyblock);
/* IF we have the PAC - otherwise we need to get this
* data from elsewere - local ldb, or (TODO) lookup of some