author | Andrew Bartlett <abartlet@samba.org> | 2009-02-13 14:02:49 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2009-02-13 14:02:49 +1100 |
commit | cd6026135d3dc7eaa773c60aa168bae8f3f15502 (patch) | |
tree | 9843b78f5fbb32605b6a6f7527783b13995187f8 /source4/auth/gensec | |
parent | 71632a16977a93968b0d520a491a52f635e611a1 (diff) | |
Push sam_get_server_info_principal into the auth subsystem
This means it must be accessed via the supplied auth_context in the
GENSEC server, and should remove the hard dependency of GENSEC on the
auth subsystem and ldb (allowing LDB not to rely on LDB is considered
a good thing, apparently)
Andrew Bartlett
Diffstat (limited to 'source4/auth/gensec')
-rw-r--r-- | source4/auth/gensec/config.mk | 2 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 10 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_krb5.c | 19 |
3 files changed, 24 insertions, 7 deletions
diff --git a/source4/auth/gensec/config.mk b/source4/auth/gensec/config.mk
index 3d13ce7f6d..27cf442b68 100644
--- a/source4/auth/gensec/config.mk
+++ b/source4/auth/gensec/config.mk
@@ -21,7 +21,7 @@ $(eval $(call proto_header_template,$(gensecsrcdir)/gensec_proto.h,$(gensec_OBJ_
 [MODULE::gensec_krb5]
 SUBSYSTEM = gensec
 INIT_FUNCTION = gensec_krb5_init
-PRIVATE_DEPENDENCIES = CREDENTIALS KERBEROS auth_session auth_sam
+PRIVATE_DEPENDENCIES = CREDENTIALS KERBEROS auth_session
 # End MODULE gensec_krb5
 ################################################
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index dcfffef3df..aae04dffe2 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -1290,12 +1290,14 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 return NT_STATUS_NO_MEMORY;
 }
- if (!gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
+ if (gensec_security->auth_context &&
+ !gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
 DEBUG(1, ("Unable to find PAC, resorting to local user lookup: %s\n", gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
- nt_status = sam_get_server_info_principal(mem_ctx, gensec_security->event_ctx,
- gensec_security->settings->lp_ctx, principal_string,
- &server_info);
+ nt_status = gensec_security->auth_context->get_server_info_principal(mem_ctx,
+ gensec_security->auth_context,
+ principal_string,
+ &server_info);
 if (!NT_STATUS_IS_OK(nt_status)) {
 talloc_free(mem_ctx);
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 6e715d0090..b04abfc16c 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
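Review bot: In gensec_gssapi_session_info (gensec_gssapi.c) the new call through `gensec_security->auth_context->get_server_info_principal` is guarded only by `auth_context` being non-NULL, so an auth context that leaves this hook unset would turn a PAC-less ticket into a NULL function-pointer call; whether such a context can exist is not visible here. Extending the condition to `if (gensec_security->auth_context && gensec_security->auth_context->get_server_info_principal &&` would make that case fall through to whatever the else path does. The same unguarded call is added in the gensec_krb5.c hunk. A short comment above the condition, such as `/* No auth_context: no local lookup is possible, so a ticket without a PAC is handled by the else path regardless of require_pac */`, would also record the changed behaviour; the else branch and the rest of the function lie outside the hunk.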
@@ -607,8 +607,23 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
 DEBUG(5, ("krb5_ticket_get_authorization_data_type failed to find PAC: %s\n", smb_get_krb5_error_message(context, ret, mem_ctx)));
- nt_status = sam_get_server_info_principal(mem_ctx, gensec_security->event_ctx, gensec_security->settings->lp_ctx, principal_string,
- &server_info);
+ if (gensec_security->auth_context &&
+ !gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
+ DEBUG(1, ("Unable to find PAC, resorting to local user lookup: %s"));
+ nt_status = gensec_security->auth_context->get_server_info_principal(mem_ctx,
+ gensec_security->auth_context,
+ principal_string,
+ &server_info);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ talloc_free(mem_ctx);
+ return nt_status;
+ }
+ } else {
+ DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
+ principal_string));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
 krb5_free_principal(context, client_principal);
 free(principal_string); |
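Review bot: In the fallback branch the added `DEBUG(1, ("Unable to find PAC, resorting to local user lookup: %s"));` has a `%s` conversion with no matching argument and no trailing newline, so at debug level 1 the formatter reads an argument that was never passed (undefined behaviour, and possibly unrelated memory written to the log). Both new early returns, the failed lookup and the `NT_STATUS_ACCESS_DENIED` path, also leave before the `krb5_free_principal(context, client_principal)` and `free(principal_string)` lines that follow the block, and the deny path skips the `talloc_free(mem_ctx)` that the lookup-failure path performs, so every rejected PAC-less ticket appears to leak these allocations. The fence below shows the log call with its argument and the cleanup added to both exits; it assumes `mem_ctx` is a temporary context owned by this function, which the existing `talloc_free(mem_ctx)` suggests but the hunk does not show. gensec_krb5_session_info starts and ends outside the hunk.

```c
	if (gensec_security->auth_context &&
	    !gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
		DEBUG(1, ("Unable to find PAC in ticket from %s, resorting to local user lookup\n",
			  principal_string));
		/* … unchanged: get_server_info_principal() call … */
		if (!NT_STATUS_IS_OK(nt_status)) {
			krb5_free_principal(context, client_principal);
			free(principal_string);
			talloc_free(mem_ctx);
			return nt_status;
		}
	} else {
		/* … unchanged: DEBUG "failing to allow access" … */
		krb5_free_principal(context, client_principal);
		free(principal_string);
		talloc_free(mem_ctx);
		return NT_STATUS_ACCESS_DENIED;
	}
```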