summaryrefslogtreecommitdiff
path: root/source4/auth/gensec
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2010-10-11 16:53:08 +1100
committerAndrew Bartlett <abartlet@samba.org>2010-10-11 13:02:16 +0000
commit42127cdbb040a260c2c745e9114b600f2186794a (patch)
tree348783a93d8fd3efe162470678ae1cc128edb6f6 /source4/auth/gensec
parent5cd9495fb3f74d8e896c81e5c060a1643722870e (diff)
downloadsamba-42127cdbb040a260c2c745e9114b600f2186794a.tar.gz
samba-42127cdbb040a260c2c745e9114b600f2186794a.tar.bz2
samba-42127cdbb040a260c2c745e9114b600f2186794a.zip
s4-credentials Add explicit event context handling to Kerberos calls (only)
By setting the event context to use for this operation (only) onto the krb5_context just before we call that operation, we can try and emulate the specification of an event context to the actual send_to_kdc() This eliminates the specification of an event context to many other cli_credentials calls, and the last use of event_context_find() Special care is taken to restore the event context in the event of nesting in the send_to_kdc function. Andrew Bartlett
Diffstat (limited to 'source4/auth/gensec')
-rw-r--r--source4/auth/gensec/gensec_gssapi.c36
-rw-r--r--source4/auth/gensec/gensec_krb5.c12
2 files changed, 32 insertions, 16 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 51d59d9f21..4729ed6062 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -147,7 +147,6 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
{
struct gensec_gssapi_state *gensec_gssapi_state;
krb5_error_code ret;
- struct gsskrb5_send_to_kdc send_to_kdc;
const char *realm;
gensec_gssapi_state = talloc(gensec_security, struct gensec_gssapi_state);
@@ -209,7 +208,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
gensec_gssapi_state->pac = data_blob(NULL, 0);
ret = smb_krb5_init_context(gensec_gssapi_state,
- gensec_security->event_ctx,
+ NULL,
gensec_security->settings->lp_ctx,
&gensec_gssapi_state->smb_krb5_context);
if (ret) {
@@ -237,16 +236,6 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
talloc_set_destructor(gensec_gssapi_state, gensec_gssapi_destructor);
- send_to_kdc.func = smb_krb5_send_and_recv_func;
- send_to_kdc.ptr = gensec_security->event_ctx;
-
- ret = gsskrb5_set_send_to_kdc(&send_to_kdc);
- if (ret) {
- DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n"));
- talloc_free(gensec_gssapi_state);
- return NT_STATUS_INTERNAL_ERROR;
- }
-
realm = lpcfg_realm(gensec_security->settings->lp_ctx);
if (realm != NULL) {
ret = gsskrb5_set_default_realm(realm);
@@ -290,7 +279,6 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
} else {
ret = cli_credentials_get_server_gss_creds(machine_account,
- gensec_security->event_ctx,
gensec_security->settings->lp_ctx, &gcc);
if (ret) {
DEBUG(1, ("Aquiring acceptor credentials failed: %s\n",
@@ -469,6 +457,17 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
switch (gensec_security->gensec_role) {
case GENSEC_CLIENT:
{
+ struct gsskrb5_send_to_kdc send_to_kdc;
+ krb5_error_code ret;
+ send_to_kdc.func = smb_krb5_send_and_recv_func;
+ send_to_kdc.ptr = gensec_security->event_ctx;
+
+ min_stat = gsskrb5_set_send_to_kdc(&send_to_kdc);
+ if (min_stat) {
+ DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n"));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
maj_stat = gss_init_sec_context(&min_stat,
gensec_gssapi_state->client_cred->creds,
&gensec_gssapi_state->gssapi_context,
@@ -485,6 +484,16 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
if (gss_oid_p) {
gensec_gssapi_state->gss_oid = gss_oid_p;
}
+
+ send_to_kdc.func = smb_krb5_send_and_recv_func;
+ send_to_kdc.ptr = NULL;
+
+ ret = gsskrb5_set_send_to_kdc(&send_to_kdc);
+ if (ret) {
+ DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n"));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
break;
}
case GENSEC_SERVER:
@@ -1369,7 +1378,6 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
cli_credentials_set_anonymous(session_info->credentials);
ret = cli_credentials_set_client_gss_creds(session_info->credentials,
- gensec_security->event_ctx,
gensec_security->settings->lp_ctx,
gensec_gssapi_state->delegated_cred_handle,
CRED_SPECIFIED, &error_string);
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index a0d880f5b2..345ef361ed 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -119,7 +119,6 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security, bool
talloc_set_destructor(gensec_krb5_state, gensec_krb5_destroy);
if (cli_credentials_get_krb5_context(creds,
- gensec_security->event_ctx,
gensec_security->settings->lp_ctx, &gensec_krb5_state->smb_krb5_context)) {
talloc_free(gensec_krb5_state);
return NT_STATUS_INTERNAL_ERROR;
@@ -240,6 +239,7 @@ static NTSTATUS gensec_krb5_common_client_start(struct gensec_security *gensec_s
const char *error_string;
const char *principal;
krb5_data in_data;
+ struct tevent_context *previous_ev;
hostname = gensec_get_target_hostname(gensec_security);
if (!hostname) {
@@ -299,6 +299,12 @@ static NTSTATUS gensec_krb5_common_client_start(struct gensec_security *gensec_s
}
in_data.length = 0;
+ /* Do this every time, in case we have weird recursive issues here */
+ ret = smb_krb5_context_set_event_ctx(gensec_krb5_state->smb_krb5_context, gensec_security->event_ctx, &previous_ev);
+ if (ret != 0) {
+ DEBUG(1, ("gensec_krb5_start: Setting event context failed\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
if (principal) {
krb5_principal target_principal;
ret = krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal,
@@ -322,6 +328,9 @@ static NTSTATUS gensec_krb5_common_client_start(struct gensec_security *gensec_s
&in_data, ccache_container->ccache,
&gensec_krb5_state->enc_ticket);
}
+
+ smb_krb5_context_remove_event_ctx(gensec_krb5_state->smb_krb5_context, previous_ev, gensec_security->event_ctx);
+
switch (ret) {
case 0:
return NT_STATUS_OK;
@@ -488,7 +497,6 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
/* Grab the keytab, however generated */
ret = cli_credentials_get_keytab(gensec_get_credentials(gensec_security),
- gensec_security->event_ctx,
gensec_security->settings->lp_ctx, &keytab);
if (ret) {
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;