authorAndrew Bartlett <abartlet@samba.org>2005-05-15 23:42:11 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:16:45 -0500
commit5c6dd5e800b879efdce3bbc3a16f32c5e78b4917 (patch)
tree13a8286bebac583bd979d278b7f12fac25c8513b /source4/auth/kerberos/kerberos_verify.c
parent8f96c42027d282eec047d1b25951a33bc2fce71f (diff)
r6800: A big GENSEC update:
Finally remove the distinction between 'krb5' and 'ms_krb5'. We now don't do kerberos stuff twice on failure. The solution to this is slightly more general than perhaps was really required (as this is a special case), but it works, and I'm happy with the cleanup I achieved in the process. All modules have been updated to supply a NULL-terminated list of OIDs. In that process, SPNEGO code has been generalised, as I realised that two of the functions should have been identical in behaviour. Over in the actual modules, I have worked to remove the 'kinit' code from gensec_krb5, and placed it in kerberos/kerberos_util.c. The GSSAPI module has been extended to use this, so no longer requires a manual kinit at the command line. It will soon lose the requirement for an on-disk keytab too. The general kerberos code has also been updated to move from error_message() to our routine which gets the Heimdal error string (which may be much more useful) when available. Andrew Bartlett (This used to be commit 0101728d8e2ed9419eb31fe95047944a718ba135)
Diffstat (limited to 'source4/auth/kerberos/kerberos_verify.c')
-rw-r--r--source4/auth/kerberos/kerberos_verify.c9
1 files changed, 5 insertions, 4 deletions
diff --git a/source4/auth/kerberos/kerberos_verify.c b/source4/auth/kerberos/kerberos_verify.c
index 927b12d454..0497e3effa 100644
--- a/source4/auth/kerberos/kerberos_verify.c
+++ b/source4/auth/kerberos/kerberos_verify.c
@@ -93,7 +93,8 @@ static krb5_error_code ads_keytab_verify_ticket(TALLOC_CTX *mem_ctx, krb5_contex
/* Generate the list of principal names which we expect
* clients might want to use for authenticating to the file
- * service. We allow name$,{host,cifs}/{name,fqdn,name.REALM}. */
+ * service. We allow name$,{host,service}/{name,fqdn,name.REALM}.
+ * (where service is specified by the caller) */
my_name = lp_netbios_name();
@@ -103,9 +104,9 @@ static krb5_error_code ads_keytab_verify_ticket(TALLOC_CTX *mem_ctx, krb5_contex
asprintf(&valid_princ_formats[1], "host/%s@%s", my_name, lp_realm());
asprintf(&valid_princ_formats[2], "host/%s@%s", my_fqdn, lp_realm());
asprintf(&valid_princ_formats[3], "host/%s.%s@%s", my_name, lp_realm(), lp_realm());
- asprintf(&valid_princ_formats[4], "cifs/%s@%s", my_name, lp_realm());
- asprintf(&valid_princ_formats[5], "cifs/%s@%s", my_fqdn, lp_realm());
- asprintf(&valid_princ_formats[6], "cifs/%s.%s@%s", my_name, lp_realm(), lp_realm());
+ asprintf(&valid_princ_formats[4], "%s/%s@%s", service, my_name, lp_realm());
+ asprintf(&valid_princ_formats[5], "%s/%s@%s", service, my_fqdn, lp_realm());
+ asprintf(&valid_princ_formats[6], "%s/%s.%s@%s", service, my_name, lp_realm(), lp_realm());
ZERO_STRUCT(kt_entry);
ZERO_STRUCT(kt_cursor);
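Review bot: The three new `asprintf` calls for `valid_princ_formats[4]` to `[6]` pass the caller-supplied `service` to `%s` without checking that it is non-NULL, and like the `host/` lines above them they ignore the return value. A NULL argument to `%s` is undefined behaviour (glibc would format it as `(null)/name@REALM`), and per the asprintf contract a failed call leaves the slot's pointer undefined. Since this list appears to determine which principal names a ticket is accepted for, I would fail closed before building it, e.g. `if (service == NULL) return EINVAL;` (or whichever `krb5_error_code` the function uses for bad arguments), and treat `asprintf(...) < 0` as an error rather than continuing. The function's signature and the later use of the list are outside this hunk, so the caller contract for `service` should be confirmed and documented there.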