author | Andrew Bartlett <abartlet@samba.org> | 2005-09-05 10:53:14 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:36:31 -0500 |
commit | 6b14ffe2713efe2e16a988d920d2dbd7c088601d (patch) | |
tree | a5b65d3ac673fee94037f026769ffe781a29f301 /source4/auth/gensec | |
parent | a5148773417adcc343b194693168fb4817bc3a65 (diff) | |
r10035: This patch removes the need for the special case hack
'MEMORY_WILDCARD' keytab type. (part of this checking is in effect a
merge from lorikeet-heimdal, where I removed this)
This is achieved by correctly using the GSSAPI gsskrb5_acquire_cred()
function, as this allows us to specify the target principal, regardless
of which alias the client may use.
This patch also tries to simplify some principal handling and fixes some
error cases.
Posted to samba-technical, reviewed by metze, and looked over by lha on IRC.
Andrew Bartlett
(This used to be commit 506a7b67aee949b102d8bf0d6ee9cd12def10d00)
Diffstat (limited to 'source4/auth/gensec')
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 21 |
1 files changed, 19 insertions, 2 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 26494f0222..6316b52bad 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -154,6 +154,7 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi { NTSTATUS nt_status; OM_uint32 maj_stat, min_stat; + gss_buffer_desc name_token; struct gensec_gssapi_state *gensec_gssapi_state; struct cli_credentials *machine_account; @@ -177,7 +178,6 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi machine_account, gensec_gssapi_state->smb_krb5_context, &gensec_gssapi_state->keytab); - talloc_free(machine_account); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(3, ("Could not create memory keytab!\n")); talloc_free(machine_account); @@ -185,9 +185,26 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi } } + name_token.value = cli_credentials_get_principal(machine_account, + machine_account); + name_token.length = strlen(name_token.value); + + maj_stat = gss_import_name (&min_stat, + &name_token, + GSS_C_NT_USER_NAME, + &gensec_gssapi_state->server_name); + talloc_free(machine_account); + + if (maj_stat) { + DEBUG(2, ("GSS Import name of %s failed: %s\n", + (char *)name_token.value, + gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat))); + return NT_STATUS_UNSUCCESSFUL; + } + maj_stat = gsskrb5_acquire_cred(&min_stat, gensec_gssapi_state->keytab, NULL, - NULL, + gensec_gssapi_state->server_name, GSS_C_INDEFINITE, GSS_C_NULL_OID_SET, GSS_C_ACCEPT, |
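Review bot: In the third hunk, `talloc_free(machine_account)` runs before the `if (maj_stat)` branch, yet the `DEBUG(2, ...)` in that branch still prints `name_token.value`. That string appears to be allocated on `machine_account` (it is passed as the second argument to `cli_credentials_get_principal()`), so the failure path would read freed memory. The return value of `cli_credentials_get_principal()` is also passed to `strlen()` unchecked; if it can return NULL (allocation failure or no principal available, not visible here), server start dereferences a null pointer. Free `machine_account` only after the error branch has finished with the string, and check the principal before measuring it. The body of gensec_gssapi_server_start starts and ends outside the hunk, so the status code for the NULL case and the release of `server_name` on later failures should be confirmed against the full function.

```c
	name_token.value = cli_credentials_get_principal(machine_account,
							 machine_account);
	if (name_token.value == NULL) {
		talloc_free(machine_account);
		return NT_STATUS_NO_MEMORY;
	}
	/* … unchanged: name_token.length, gss_import_name() call … */

	if (maj_stat) {
		/* … unchanged: DEBUG(2, ...) printing name_token.value … */
		talloc_free(machine_account);
		return NT_STATUS_UNSUCCESSFUL;
	}
	talloc_free(machine_account);
```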