r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5

authentication. This pulls the creating of the keytab back to the credentials code, and removes the special case of 'use keberos keytab = yes' for now. This allows (and requires) the callers to specify the credentials for the server credentails to GENSEC. This allows kpasswdd (soon to be added) to use a different set of kerberos credentials. The 'use kerberos keytab' code will be moved into the credentials layer, as the layers below now expect a keytab. We also now allow for the old secret to be stored into the credentials, allowing service password changes. Andrew Bartlett (This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)
author: Andrew Bartlett <abartlet@samba.org> 2005-10-20 03:47:55 +0000
committer: Gerald (Jerry) Carter <jerry@samba.org> 2007-10-10 13:45:00 -0500
commit: 372ca26b2052e267711a45c8bf341f55505f3f8f (patch)
tree: 8c13e34fdac62ca762972d25cfe95b053bff93fa /source4/auth/gensec
parent: 9e25f33a1a06e1374bb643cb087af0e0bedb99c7 (diff)
download: samba-372ca26b2052e267711a45c8bf341f55505f3f8f.tar.gz
samba-372ca26b2052e267711a45c8bf341f55505f3f8f.tar.bz2
samba-372ca26b2052e267711a45c8bf341f55505f3f8f.zip
3 files changed, 51 insertions, 32 deletions
diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c
index 21e70e1c0e..375c55e3ba 100644
--- a/source4/auth/gensec/gensec.c
+++ b/source4/auth/gensec/gensec.c
@@ -439,7 +439,7 @@ const char *gensec_get_name_by_oid(const char *oid_string)
 	if (ops) {
 		return ops->name;
 	}
-	return NULL;
+	return oid_string;
 }
 	
 
@@ -489,6 +489,22 @@ NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security,
 	return gensec_start_mech(gensec_security);
 }
 
+/** 
+ * Start a GENSEC sub-mechanism by an internal name
+ *
+ */
+
+NTSTATUS gensec_start_mech_by_name(struct gensec_security *gensec_security, 
+					const char *name) 
+{
+	gensec_security->ops = gensec_security_by_name(name);
+	if (!gensec_security->ops) {
+		DEBUG(3, ("Could not find GENSEC backend for name=%s\n", name));
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+	return gensec_start_mech(gensec_security);
+}
+
 /*
   wrappers for the gensec function pointers
 */
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 8eae8bda71..97543de445 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -43,7 +43,7 @@ struct gensec_gssapi_state {
 	struct smb_krb5_context *smb_krb5_context;
 	krb5_ccache ccache;
 	const char *ccache_name;
-	krb5_keytab keytab;
+	struct keytab_container *keytab;
 
 	gss_cred_id_t cred;
 };
@@ -154,6 +154,7 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi
 {
 	NTSTATUS nt_status;
 	OM_uint32 maj_stat, min_stat;
+	int ret;
 	gss_buffer_desc name_token;
 	struct gensec_gssapi_state *gensec_gssapi_state;
 	struct cli_credentials *machine_account;
@@ -165,45 +166,43 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi
 
 	gensec_gssapi_state = gensec_security->private_data;
 
-	machine_account = cli_credentials_init(gensec_gssapi_state);
-	cli_credentials_set_conf(machine_account);
-	nt_status = cli_credentials_set_machine_account(machine_account);
+	machine_account = gensec_get_credentials(gensec_security);
 	
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		DEBUG(3, ("Could not obtain machine account credentials from the local database\n"));
-		talloc_free(machine_account);
-		return nt_status;
+	if (!machine_account) {
+		DEBUG(3, ("No machine account credentials specified\n"));
+		return NT_STATUS_INVALID_PARAMETER;
 	} else {
-		nt_status = create_memory_keytab(gensec_gssapi_state,
-						 machine_account, 
-						 gensec_gssapi_state->smb_krb5_context,
-						 &gensec_gssapi_state->keytab);
-		if (!NT_STATUS_IS_OK(nt_status)) {
+		ret = cli_credentials_get_keytab(machine_account, &gensec_gssapi_state->keytab);
+		if (ret) {
 			DEBUG(3, ("Could not create memory keytab!\n"));
-			talloc_free(machine_account);
-			return nt_status;
+			return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 		}
 	}
 
 	name_token.value = cli_credentials_get_principal(machine_account, 
 							 machine_account);
-	name_token.length = strlen(name_token.value);
-
-	maj_stat = gss_import_name (&min_stat,
-				    &name_token,
-				    GSS_C_NT_USER_NAME,
-				    &gensec_gssapi_state->server_name);
-	talloc_free(machine_account);
 
-	if (maj_stat) {
-		DEBUG(2, ("GSS Import name of %s failed: %s\n",
-			  (char *)name_token.value,
-			  gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
-		return NT_STATUS_UNSUCCESSFUL;
+	/* This might have been explicity set to NULL, ie use what the client calls us */
+	if (name_token.value) {
+		name_token.length = strlen(name_token.value);
+		
+		maj_stat = gss_import_name (&min_stat,
+					    &name_token,
+					    GSS_C_NT_USER_NAME,
+					    &gensec_gssapi_state->server_name);
+
+		if (maj_stat) {
+			DEBUG(2, ("GSS Import name of %s failed: %s\n",
+				  (char *)name_token.value,
+				  gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
+			return NT_STATUS_UNSUCCESSFUL;
+		}
+	} else {
+		gensec_gssapi_state->server_name = GSS_C_NO_NAME;
 	}
 
 	maj_stat = gsskrb5_acquire_cred(&min_stat, 
-					gensec_gssapi_state->keytab, NULL,
+					gensec_gssapi_state->keytab->keytab, NULL,
 					gensec_gssapi_state->server_name,
 					GSS_C_INDEFINITE,
 					GSS_C_NULL_OID_SET,
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 71974790b1..d999559a49 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -86,6 +86,10 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
 {
 	struct gensec_krb5_state *gensec_krb5_state;
 
+	if (!gensec_get_credentials(gensec_security)) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 	gensec_krb5_state = talloc(gensec_security, struct gensec_krb5_state);
 	if (!gensec_krb5_state) {
 		return NT_STATUS_NO_MEMORY;
@@ -185,7 +189,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
 	gensec_krb5_state = gensec_security->private_data;
 	gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
 
-	ret = cli_credentials_get_ccache(gensec_security->credentials, &ccache_container);
+	ret = cli_credentials_get_ccache(gensec_get_credentials(gensec_security), &ccache_container);
 	if (ret) {
 		DEBUG(1,("gensec_krb5_start: cli_credentials_get_ccache failed: %s\n", 
 			 error_message(ret)));
@@ -391,7 +395,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
 			nt_status = ads_verify_ticket(out_mem_ctx, 
 						      gensec_krb5_state->smb_krb5_context,
 						      &gensec_krb5_state->auth_context, 
-						      lp_realm(), 
+						      gensec_get_credentials(gensec_security),
 						      gensec_get_target_service(gensec_security), &unwrapped_in, 
 						      &gensec_krb5_state->ticket, &unwrapped_out,
 						      &gensec_krb5_state->keyblock);
@@ -400,7 +404,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
 			nt_status = ads_verify_ticket(out_mem_ctx, 
 						      gensec_krb5_state->smb_krb5_context,
 						      &gensec_krb5_state->auth_context, 
-						      lp_realm(), 
+						      gensec_get_credentials(gensec_security),
 						      gensec_get_target_service(gensec_security), 
 						      &in, 
 						      &gensec_krb5_state->ticket, &unwrapped_out,
author	Andrew Bartlett <abartlet@samba.org>	2005-10-20 03:47:55 +0000
committer	Gerald (Jerry) Carter <jerry@samba.org>	2007-10-10 13:45:00 -0500
commit	372ca26b2052e267711a45c8bf341f55505f3f8f (patch)
tree	8c13e34fdac62ca762972d25cfe95b053bff93fa /source4/auth/gensec
parent	9e25f33a1a06e1374bb643cb087af0e0bedb99c7 (diff)
download	samba-372ca26b2052e267711a45c8bf341f55505f3f8f.tar.gz samba-372ca26b2052e267711a45c8bf341f55505f3f8f.tar.bz2 samba-372ca26b2052e267711a45c8bf341f55505f3f8f.zip