author | Andrew Bartlett <abartlet@samba.org> | 2005-10-20 03:47:55 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:45:00 -0500 |
commit | 372ca26b2052e267711a45c8bf341f55505f3f8f (patch) | |
tree | 8c13e34fdac62ca762972d25cfe95b053bff93fa /source4/auth/gensec | |
parent | 9e25f33a1a06e1374bb643cb087af0e0bedb99c7 (diff) | |
r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5
authentication. This pulls the creation of the keytab back to the
credentials code, and removes the special case of 'use kerberos keytab
= yes' for now.
This allows (and requires) the callers to specify the server
credentials to GENSEC. This allows kpasswdd (soon to be
added) to use a different set of kerberos credentials.
The 'use kerberos keytab' code will be moved into the credentials
layer, as the layers below now expect a keytab.
We also now allow for the old secret to be stored into the
credentials, allowing service password changes.
Andrew Bartlett
(This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)
Diffstat (limited to 'source4/auth/gensec')
-rw-r--r-- | source4/auth/gensec/gensec.c | 18 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 55 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_krb5.c | 10 |
3 files changed, 51 insertions, 32 deletions
diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c
index 21e70e1c0e..375c55e3ba 100644
--- a/source4/auth/gensec/gensec.c
+++ b/source4/auth/gensec/gensec.c
@@ -439,7 +439,7 @@ const char *gensec_get_name_by_oid(const char *oid_string)
 if (ops) {
 return ops->name;
 }
- return NULL;
+ return oid_string;
 }
@@ -489,6 +489,22 @@ NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security,
 return gensec_start_mech(gensec_security);
 }
+/**
+ * Start a GENSEC sub-mechanism by an internal name
+ *
+ */
+
+NTSTATUS gensec_start_mech_by_name(struct gensec_security *gensec_security,
+ const char *name)
+{
+ gensec_security->ops = gensec_security_by_name(name);
+ if (!gensec_security->ops) {
+ DEBUG(3, ("Could not find GENSEC backend for name=%s\n", name));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ return gensec_start_mech(gensec_security);
+}
+
 /*
 wrappers for the gensec function pointers
 */
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 8eae8bda71..97543de445 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -43,7 +43,7 @@ struct gensec_gssapi_state {
 struct smb_krb5_context *smb_krb5_context;
 krb5_ccache ccache;
 const char *ccache_name;
- krb5_keytab keytab;
+ struct keytab_container *keytab;
 gss_cred_id_t cred;
 };
@@ -154,6 +154,7 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi
 {
 NTSTATUS nt_status;
 OM_uint32 maj_stat, min_stat;
+ int ret;
 gss_buffer_desc name_token;
 struct gensec_gssapi_state *gensec_gssapi_state;
 struct cli_credentials *machine_account;
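Review bot: `gensec_get_name_by_oid()` now hands back `oid_string` itself when no backend matches, so a caller that compared the result against NULL to detect an unsupported mechanism can no longer do so, and nothing in the hunk records that contract change. If the intent is only to guarantee something printable for log messages, say so at the return: `/* No backend for this OID: return the OID string itself so callers always have something to log; NULL no longer means 'unsupported'. */`. Whether any caller relied on the NULL is not visible from here; the function's signature and header comment lie outside the hunk and should carry the same note.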
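Review bot: The doxygen block above the new `gensec_start_mech_by_name()` has an empty continuation line and documents neither the parameter nor the result, which for a new public entry point is worth filling in. I would replace it with a comment stating that `name` is the backend's internal name as matched by `gensec_security_by_name()`, that the call returns `NT_STATUS_INVALID_PARAMETER` when no backend by that name is registered, and that otherwise it returns whatever `gensec_start_mech()` returns. `name` is passed straight to the lookup and then to a `%s` format in the `DEBUG()` line, so if a caller can pass NULL a guard such as `if (!name) return NT_STATUS_INVALID_PARAMETER;` at the top would keep both well-defined; I cannot see the callers from this hunk.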
@@ -165,45 +166,43 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi
 gensec_gssapi_state = gensec_security->private_data;
- machine_account = cli_credentials_init(gensec_gssapi_state);
- cli_credentials_set_conf(machine_account);
- nt_status = cli_credentials_set_machine_account(machine_account);
+ machine_account = gensec_get_credentials(gensec_security);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(3, ("Could not obtain machine account credentials from the local database\n"));
- talloc_free(machine_account);
- return nt_status;
+ if (!machine_account) {
+ DEBUG(3, ("No machine account credentials specified\n"));
+ return NT_STATUS_INVALID_PARAMETER;
 } else {
- nt_status = create_memory_keytab(gensec_gssapi_state,
- machine_account,
- gensec_gssapi_state->smb_krb5_context,
- &gensec_gssapi_state->keytab);
- if (!NT_STATUS_IS_OK(nt_status)) {
+ ret = cli_credentials_get_keytab(machine_account, &gensec_gssapi_state->keytab);
+ if (ret) {
 DEBUG(3, ("Could not create memory keytab!\n"));
- talloc_free(machine_account);
- return nt_status;
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 }
 }
 name_token.value = cli_credentials_get_principal(machine_account, machine_account);
- name_token.length = strlen(name_token.value);
-
- maj_stat = gss_import_name (&min_stat,
- &name_token,
- GSS_C_NT_USER_NAME,
- &gensec_gssapi_state->server_name);
- talloc_free(machine_account);
- if (maj_stat) {
- DEBUG(2, ("GSS Import name of %s failed: %s\n",
- (char *)name_token.value,
- gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
- return NT_STATUS_UNSUCCESSFUL;
+ /* This might have been explicity set to NULL, ie use what the client calls us */
+ if (name_token.value) {
+ name_token.length = strlen(name_token.value);
+
+ maj_stat = gss_import_name (&min_stat,
+ &name_token,
+ GSS_C_NT_USER_NAME,
+ &gensec_gssapi_state->server_name);
+
+ if (maj_stat) {
+ DEBUG(2, ("GSS Import name of %s failed: %s\n",
+ (char *)name_token.value,
+ gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ } else {
+ gensec_gssapi_state->server_name = GSS_C_NO_NAME;
 }
 maj_stat = gsskrb5_acquire_cred(&min_stat,
- gensec_gssapi_state->keytab, NULL,
+ gensec_gssapi_state->keytab->keytab, NULL,
 gensec_gssapi_state->server_name,
 GSS_C_INDEFINITE,
 GSS_C_NULL_OID_SET,
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 71974790b1..d999559a49 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -86,6 +86,10 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
 {
 struct gensec_krb5_state *gensec_krb5_state;
+ if (!gensec_get_credentials(gensec_security)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
 gensec_krb5_state = talloc(gensec_security, struct gensec_krb5_state);
 if (!gensec_krb5_state) {
 return NT_STATUS_NO_MEMORY;
@@ -185,7 +189,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
 gensec_krb5_state = gensec_security->private_data;
 gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
- ret = cli_credentials_get_ccache(gensec_security->credentials, &ccache_container);
+ ret = cli_credentials_get_ccache(gensec_get_credentials(gensec_security), &ccache_container);
 if (ret) {
 DEBUG(1,("gensec_krb5_start: cli_credentials_get_ccache failed: %s\n",
 error_message(ret)));
@@ -391,7 +395,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
 nt_status = ads_verify_ticket(out_mem_ctx,
 gensec_krb5_state->smb_krb5_context,
 &gensec_krb5_state->auth_context,
- lp_realm(),
+ gensec_get_credentials(gensec_security),
 gensec_get_target_service(gensec_security),
 &unwrapped_in, &gensec_krb5_state->ticket,
 &unwrapped_out, &gensec_krb5_state->keyblock);
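Review bot: The error code that `cli_credentials_get_keytab()` returns in `ret` is discarded, and the log line kept from the old path still reads 'Could not create memory keytab!' even though the credentials layer may now hand back a keytab obtained elsewhere, so a failure here is harder to diagnose than before; the krb5 backend in this same commit logs `error_message(ret)`, and I would do the same: `DEBUG(3, ("Could not obtain keytab from credentials: %s\n", error_message(ret)));`. The new `else` branch that sets `server_name = GSS_C_NO_NAME` changes which service principals this acceptor will answer for — with no name, `gsskrb5_acquire_cred()` is presumably free to use any key present in the keytab — so the comment (which also misspells 'explicitly') should state that consequence, not only 'use what the client calls us'. `gensec_gssapi_state->keytab->keytab` is then dereferenced unconditionally, which is only safe if a zero `ret` guarantees a non-NULL container; I cannot confirm that from here. The `else` following `return NT_STATUS_INVALID_PARAMETER` is now unnecessary nesting. `gensec_gssapi_server_start()` begins and ends outside this hunk.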
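Review bot: The new credentials check at the top of `gensec_krb5_start()` returns `NT_STATUS_INVALID_PARAMETER` without any log output, whereas the equivalent check this commit adds to the GSSAPI server start logs at level 3; a silent return here is hard to tell apart from the other `NT_STATUS_INVALID_PARAMETER` sources in GENSEC. I would add `DEBUG(3, ("gensec_krb5_start: no credentials specified\n"));` before the return, matching the `gensec_krb5_start:` prefix this file already uses in its other log lines. The rest of `gensec_krb5_start()` lies outside the hunk.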
@@ -400,7 +404,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
 nt_status = ads_verify_ticket(out_mem_ctx,
 gensec_krb5_state->smb_krb5_context,
 &gensec_krb5_state->auth_context,
- lp_realm(),
+ gensec_get_credentials(gensec_security),
 gensec_get_target_service(gensec_security),
 &in, &gensec_krb5_state->ticket,
 &unwrapped_out,