author | Andrew Bartlett <abartlet@samba.org> | 2010-10-11 16:53:08 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2010-10-11 13:02:16 +0000 |
commit | 42127cdbb040a260c2c745e9114b600f2186794a (patch) | |
tree | 348783a93d8fd3efe162470678ae1cc128edb6f6 /source4/auth/gensec | |
parent | 5cd9495fb3f74d8e896c81e5c060a1643722870e (diff) | |
download | samba-42127cdbb040a260c2c745e9114b600f2186794a.tar.gz samba-42127cdbb040a260c2c745e9114b600f2186794a.tar.bz2 samba-42127cdbb040a260c2c745e9114b600f2186794a.zip |
s4-credentials Add explicit event context handling to Kerberos calls (only)
By setting the event context to use for this operation (only) onto
the krb5_context just before we call that operation, we can try
to emulate the specification of an event context to the actual send_to_kdc()
This eliminates the specification of an event context to many other
cli_credentials calls, and the last use of event_context_find()
Special care is taken to restore the event context in the event of
nesting in the send_to_kdc function.
Andrew Bartlett
Diffstat (limited to 'source4/auth/gensec')
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 36 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_krb5.c | 12 |
2 files changed, 32 insertions, 16 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 51d59d9f21..4729ed6062 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -147,7 +147,6 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
 {
 struct gensec_gssapi_state *gensec_gssapi_state;
 krb5_error_code ret;
- struct gsskrb5_send_to_kdc send_to_kdc;
 const char *realm;
 gensec_gssapi_state = talloc(gensec_security, struct gensec_gssapi_state);
@@ -209,7 +208,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
 gensec_gssapi_state->pac = data_blob(NULL, 0);
 ret = smb_krb5_init_context(gensec_gssapi_state,
- gensec_security->event_ctx,
+ NULL,
 gensec_security->settings->lp_ctx,
 &gensec_gssapi_state->smb_krb5_context);
 if (ret) {
@@ -237,16 +236,6 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
 talloc_set_destructor(gensec_gssapi_state, gensec_gssapi_destructor);
- send_to_kdc.func = smb_krb5_send_and_recv_func;
- send_to_kdc.ptr = gensec_security->event_ctx;
-
- ret = gsskrb5_set_send_to_kdc(&send_to_kdc);
- if (ret) {
- DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n"));
- talloc_free(gensec_gssapi_state);
- return NT_STATUS_INTERNAL_ERROR;
- }
-
 realm = lpcfg_realm(gensec_security->settings->lp_ctx);
 if (realm != NULL) {
 ret = gsskrb5_set_default_realm(realm);
@@ -290,7 +279,6 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi
 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 } else {
 ret = cli_credentials_get_server_gss_creds(machine_account,
- gensec_security->event_ctx,
 gensec_security->settings->lp_ctx, &gcc);
 if (ret) {
 DEBUG(1, ("Aquiring acceptor credentials failed: %s\n",
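Review bot: After hunk -237 removes the gsskrb5_set_send_to_kdc() call from gensec_gssapi_start, nothing left in this file installs the send-to-KDC hook for the acceptor side, while hunk -290 still has gensec_gssapi_server_start acquire credentials through cli_credentials_get_server_gss_creds() with its event context argument dropped; if that acquisition ever contacts the KDC it now goes through whatever hook is installed process-wide at that moment, which may be none or one left over from another context. Since the hook is library-global rather than per-context, I would state the intended invariant at the removal site, e.g. `/* send_to_kdc hook is installed per call in gensec_gssapi_update(); this function must not contact the KDC */`. Both gensec_gssapi_start and gensec_gssapi_server_start begin and end outside these hunks.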
@@ -469,6 +457,17 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 switch (gensec_security->gensec_role) {
 case GENSEC_CLIENT:
 {
+ struct gsskrb5_send_to_kdc send_to_kdc;
+ krb5_error_code ret;
+ send_to_kdc.func = smb_krb5_send_and_recv_func;
+ send_to_kdc.ptr = gensec_security->event_ctx;
+
+ min_stat = gsskrb5_set_send_to_kdc(&send_to_kdc);
+ if (min_stat) {
+ DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n"));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
 maj_stat = gss_init_sec_context(&min_stat,
 gensec_gssapi_state->client_cred->creds,
 &gensec_gssapi_state->gssapi_context,
@@ -485,6 +484,16 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 if (gss_oid_p) {
 gensec_gssapi_state->gss_oid = gss_oid_p;
 }
+
+ send_to_kdc.func = smb_krb5_send_and_recv_func;
+ send_to_kdc.ptr = NULL;
+
+ ret = gsskrb5_set_send_to_kdc(&send_to_kdc);
+ if (ret) {
+ DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n"));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
 break;
 }
 case GENSEC_SERVER:
@@ -1369,7 +1378,6 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 cli_credentials_set_anonymous(session_info->credentials);
 ret = cli_credentials_set_client_gss_creds(session_info->credentials,
- gensec_security->event_ctx,
 gensec_security->settings->lp_ctx,
 gensec_gssapi_state->delegated_cred_handle,
 CRED_SPECIFIED, &error_string);
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index a0d880f5b2..345ef361ed 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
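Review bot: The second gsskrb5_set_send_to_kdc() call in hunk -485 resets the hook's ptr to NULL instead of restoring whatever was installed before hunk -469 overwrote it, so an outer caller that had installed its own event context (the nesting case the commit message describes for the krb5 path) silently loses it here; the hook is process-global and carries a raw pointer to gensec_security->event_ctx, so it must never outlive this call. If gss_init_sec_context() or any code between the two hunks can return early, that stale pointer survives until the next client update — the lines between the hunks are not shown, so I cannot confirm there is no such path. Two smaller points: the two calls store their result in different variables (`min_stat` in hunk -469, `ret` in hunk -485) and both DEBUG messages name `gensec_krb5_start` although this is gensec_gssapi_update; I would use `ret` for both and `DEBUG(1,("gensec_gssapi_update: gsskrb5_set_send_to_kdc failed\n"));`. gensec_gssapi_update continues outside both hunks.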
@@ -119,7 +119,6 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security, bool
 talloc_set_destructor(gensec_krb5_state, gensec_krb5_destroy);
 if (cli_credentials_get_krb5_context(creds,
- gensec_security->event_ctx,
 gensec_security->settings->lp_ctx, &gensec_krb5_state->smb_krb5_context)) {
 talloc_free(gensec_krb5_state);
 return NT_STATUS_INTERNAL_ERROR;
@@ -240,6 +239,7 @@ static NTSTATUS gensec_krb5_common_client_start(struct gensec_security *gensec_s
 const char *error_string;
 const char *principal;
 krb5_data in_data;
+ struct tevent_context *previous_ev;
 hostname = gensec_get_target_hostname(gensec_security);
 if (!hostname) {
@@ -299,6 +299,12 @@ static NTSTATUS gensec_krb5_common_client_start(struct gensec_security *gensec_s
 }
 in_data.length = 0;
+ /* Do this every time, in case we have weird recursive issues here */
+ ret = smb_krb5_context_set_event_ctx(gensec_krb5_state->smb_krb5_context, gensec_security->event_ctx, &previous_ev);
+ if (ret != 0) {
+ DEBUG(1, ("gensec_krb5_start: Setting event context failed\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
 if (principal) {
 krb5_principal target_principal;
 ret = krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal,
@@ -322,6 +328,9 @@ static NTSTATUS gensec_krb5_common_client_start(struct gensec_security *gensec_s
 &in_data, ccache_container->ccache,
 &gensec_krb5_state->enc_ticket);
 }
+
+ smb_krb5_context_remove_event_ctx(gensec_krb5_state->smb_krb5_context, previous_ev, gensec_security->event_ctx);
+
 switch (ret) {
 case 0:
 return NT_STATUS_OK;
@@ -488,7 +497,6 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
 /* Grab the keytab, however generated */
 ret = cli_credentials_get_keytab(gensec_get_credentials(gensec_security),
- gensec_security->event_ctx,
 gensec_security->settings->lp_ctx, &keytab);
 if (ret) {
 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
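Review bot: smb_krb5_context_set_event_ctx() in hunk -299 installs gensec_security->event_ctx on the shared smb_krb5_context, and the matching smb_krb5_context_remove_event_ctx() only appears after the krb5_mk_req call in hunk -322; every path between the two must reach the remove, otherwise the krb5_context is left holding a pointer to an event context this function does not own, which any later Kerberos call through that context would dereference. The lines between the hunks (the krb5_parse_name branch) are not shown, so I cannot confirm there is no early return there; a goto-style single exit that performs the remove would make the pairing robust against future edits. Also the DEBUG text says `gensec_krb5_start` while this is gensec_krb5_common_client_start, and mapping every non-zero ret from set_event_ctx to NT_STATUS_NO_MEMORY hides the actual cause; `DEBUG(1, ("gensec_krb5_common_client_start: Setting event context failed\n"));` would at least name the right function. gensec_krb5_common_client_start starts and ends outside these hunks.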