summaryrefslogtreecommitdiff
path: root/source4/auth/gensec
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2005-09-28 04:50:02 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:39:06 -0500
commit718dd6dda6331b27b8f4fc89b891c27124c7821e (patch)
tree1892903ad434a04959966987275c32bd84a7e4fb /source4/auth/gensec
parentf54b3650d6e561213abdeffb56ee45b84ef4d068 (diff)
downloadsamba-718dd6dda6331b27b8f4fc89b891c27124c7821e.tar.gz
samba-718dd6dda6331b27b8f4fc89b891c27124c7821e.tar.bz2
samba-718dd6dda6331b27b8f4fc89b891c27124c7821e.zip
r10565: Try to make Kerberos authentication a bit more friendly.
This disables it for 'localhost' as well as for any host our KDC does not recognise. Andrew Bartlett (This used to be commit 49c6c36763aae23880a20a8ee50c00e8935d8548)
Diffstat (limited to 'source4/auth/gensec')
-rw-r--r--source4/auth/gensec/gensec_gssapi.c38
-rw-r--r--source4/auth/gensec/gensec_krb5.c7
2 files changed, 35 insertions, 10 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 76458c5f9e..8eae8bda71 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -239,7 +239,11 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
return NT_STATUS_INVALID_PARAMETER;
}
if (is_ipaddress(hostname)) {
- DEBUG(2, ("Cannot do GSSAPI to an IP address"));
+ DEBUG(2, ("Cannot do GSSAPI to an IP address\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ if (strequal(hostname, "localhost")) {
+ DEBUG(2, ("GSSAPI to 'localhost' does not make sense\n"));
return NT_STATUS_INVALID_PARAMETER;
}
@@ -269,7 +273,7 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
DEBUG(2, ("GSS Import name of %s failed: %s\n",
(char *)name_token.value,
gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
- return NT_STATUS_UNSUCCESSFUL;
+ return NT_STATUS_INVALID_PARAMETER;
}
principal = gensec_get_target_principal(gensec_security);
@@ -306,9 +310,16 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
NULL,
NULL);
if (maj_stat) {
- DEBUG(1, ("Aquiring initiator credentails failed: %s\n",
- gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
- return NT_STATUS_UNSUCCESSFUL;
+ switch (min_stat) {
+ case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
+ DEBUG(3, ("Server [%s] is not registered with our KDC: %s\n",
+ hostname, gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
+ return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
+ default:
+ DEBUG(1, ("Aquiring initiator credentails failed: %s\n",
+ gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
}
return NT_STATUS_OK;
@@ -408,12 +419,23 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
gss_release_buffer(&min_stat2, &output_token);
return NT_STATUS_MORE_PROCESSING_REQUIRED;
- } else {
- if (maj_stat == GSS_S_FAILURE
- && (min_stat == KRB5KRB_AP_ERR_BADVERSION || min_stat == KRB5KRB_AP_ERR_MSG_TYPE)) {
+ } else if ((gensec_gssapi_state->gss_oid->length == gss_mech_krb5->length)
+ && (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements,
+ gensec_gssapi_state->gss_oid->length) == 0)) {
+ switch (min_stat) {
+ case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
+ DEBUG(3, ("Server is not registered with our KDC: %s\n",
+ gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
+ return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
+ case KRB5KRB_AP_ERR_MSG_TYPE:
/* garbage input, possibly from the auto-mech detection */
return NT_STATUS_INVALID_PARAMETER;
+ default:
+ DEBUG(1, ("GSS(krb5) Update failed: %s\n",
+ gssapi_error_string(out_mem_ctx, maj_stat, min_stat)));
+ return nt_status;
}
+ } else {
DEBUG(1, ("GSS Update failed: %s\n",
gssapi_error_string(out_mem_ctx, maj_stat, min_stat)));
return nt_status;
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 07e92f063f..71974790b1 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -172,7 +172,10 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
DEBUG(2, ("Cannot do krb5 to an IP address"));
return NT_STATUS_INVALID_PARAMETER;
}
-
+ if (strequal(hostname, "localhost")) {
+ DEBUG(2, ("krb5 to 'localhost' does not make sense"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
nt_status = gensec_krb5_start(gensec_security);
if (!NT_STATUS_IS_OK(nt_status)) {
@@ -235,7 +238,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
DEBUG(3, ("Server [%s] is not registered with our KDC: %s\n",
hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
- return NT_STATUS_ACCESS_DENIED;
+ return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
case KRB5KDC_ERR_PREAUTH_FAILED:
case KRB5KRB_AP_ERR_TKT_EXPIRED:
case KRB5_CC_END: