authorAndrew Bartlett <abartlet@samba.org>2005-09-05 10:53:14 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:36:31 -0500
commit6b14ffe2713efe2e16a988d920d2dbd7c088601d (patch)
treea5b65d3ac673fee94037f026769ffe781a29f301 /source4/auth/gensec
parenta5148773417adcc343b194693168fb4817bc3a65 (diff)
r10035: This patch removes the need for the special case hack
'MEMORY_WILDCARD' keytab type. (part of this checking is in effect a merge from lorikeet-heimdal, where I removed this) This is achieved by correctly using the GSSAPI gsskrb5_acquire_cred() function, as this allows us to specify the target principal, regardless of which alias the client may use. This patch also tries to simplify some principal handling and fixes some error cases. Posted to samba-technical, reviewed by metze, and looked over by lha on IRC. Andrew Bartlett (This used to be commit 506a7b67aee949b102d8bf0d6ee9cd12def10d00)
Diffstat (limited to 'source4/auth/gensec')
-rw-r--r--source4/auth/gensec/gensec_gssapi.c21
1 files changed, 19 insertions, 2 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 26494f0222..6316b52bad 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -154,6 +154,7 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi
{
NTSTATUS nt_status;
OM_uint32 maj_stat, min_stat;
+ gss_buffer_desc name_token;
struct gensec_gssapi_state *gensec_gssapi_state;
struct cli_credentials *machine_account;
@@ -177,7 +178,6 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi
machine_account,
gensec_gssapi_state->smb_krb5_context,
&gensec_gssapi_state->keytab);
- talloc_free(machine_account);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(3, ("Could not create memory keytab!\n"));
talloc_free(machine_account);
@@ -185,9 +185,26 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi
}
}
+ name_token.value = cli_credentials_get_principal(machine_account,
+ machine_account);
+ name_token.length = strlen(name_token.value);
+
+ maj_stat = gss_import_name (&min_stat,
+ &name_token,
+ GSS_C_NT_USER_NAME,
+ &gensec_gssapi_state->server_name);
+ talloc_free(machine_account);
+
+ if (maj_stat) {
+ DEBUG(2, ("GSS Import name of %s failed: %s\n",
+ (char *)name_token.value,
+ gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
maj_stat = gsskrb5_acquire_cred(&min_stat,
gensec_gssapi_state->keytab, NULL,
- NULL,
+ gensec_gssapi_state->server_name,
GSS_C_INDEFINITE,
GSS_C_NULL_OID_SET,
GSS_C_ACCEPT,
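Review bot: In the added block the result of `cli_credentials_get_principal()` goes straight into `strlen()`, so a NULL return (no principal could be built, or the allocation failed) would crash the server during GSSAPI acceptor setup; a check before the `name_token.length` line is missing. Separately, `talloc_free(machine_account)` now runs before the `if (maj_stat)` branch, and the principal string appears to be allocated on `machine_account` (it is passed as the second argument, presumably the talloc context), so the `DEBUG(2, ...)` message would read freed memory on the failure path. Freeing inside the error branch after the log line, and again after the branch on success, keeps the string alive for the message. gensec_gssapi_server_start begins and ends outside this hunk, so whether `server_name` is later released with `gss_release_name()` cannot be confirmed from here.

```c
name_token.value = cli_credentials_get_principal(machine_account,
						 machine_account);
if (name_token.value == NULL) {
	talloc_free(machine_account);
	return NT_STATUS_NO_MEMORY;
}
name_token.length = strlen(name_token.value);

/* … unchanged: gss_import_name() call … */

if (maj_stat) {
	/* … unchanged: DEBUG(2, ...) message … */
	talloc_free(machine_account);
	return NT_STATUS_UNSUCCESSFUL;
}
talloc_free(machine_account);
```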