author | Andrew Bartlett <abartlet@samba.org> | 2006-11-07 06:59:56 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 14:25:03 -0500 |
commit | 3c1e780ec7e16dc6667402bbc65708bf9a5c062f (patch) | |
tree | 2102bb577ea9f00751b8c869b0a5c756fc2ae8e5 /source4/auth/kerberos | |
parent | 8b91594e0936bbaedf5430406fcf8df3ea406c10 (diff) | |
r19604: This is a massive commit, and I apologise in advance for its size.
This merges Samba4 with lorikeet-heimdal, which itself has been
tracking Heimdal CVS for the past couple of weeks.
This is such a big change because Heimdal reorganised its internal
structures, with the mechglue merge, and because many of our 'wishes' have been granted: we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code. We have adapted to upstream's choice of API in these cases.
In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO
PAC. This matches Windows behaviour. We also have an option to
require the PAC to be present (which allows us to automate the testing
of this code).
This also includes a restructure of how the kerberos dependencies are
handled, due to the fallout of the merge.
Andrew Bartlett
(This used to be commit 4826f1735197c2a471d771495e6d4c1051b4c471)
Diffstat (limited to 'source4/auth/kerberos')
-rw-r--r-- | source4/auth/kerberos/kerberos.c | 4 | ||||
-rw-r--r-- | source4/auth/kerberos/kerberos_pac.c | 6 | ||||
-rw-r--r-- | source4/auth/kerberos/krb5_init_context.c | 32 | ||||
-rw-r--r-- | source4/auth/kerberos/krb5_init_context.h | 5 |
4 files changed, 24 insertions, 23 deletions
diff --git a/source4/auth/kerberos/kerberos.c b/source4/auth/kerberos/kerberos.c
index 06f0c186a3..2b4c5d4cb0 100644
--- a/source4/auth/kerberos/kerberos.c
+++ b/source4/auth/kerberos/kerberos.c
@@ -45,6 +45,8 @@
 krb5_get_init_creds_opt_init(&options);
+ krb5_get_init_creds_opt_set_default_flags(ctx, NULL, NULL, &options);
+
 if ((code = krb5_get_init_creds_keyblock(ctx, &my_creds, principal, keyblock, 0, NULL, &options))) {
 return code;
@@ -87,6 +89,8 @@
 krb5_get_init_creds_opt_init(&options);
+ krb5_get_init_creds_opt_set_default_flags(ctx, NULL, NULL, &options);
+
 if ((code = krb5_get_init_creds_password(ctx, &my_creds, principal, password, NULL, NULL, 0, NULL, &options))) {
diff --git a/source4/auth/kerberos/kerberos_pac.c b/source4/auth/kerberos/kerberos_pac.c
index dcfe16c896..8e1801f745 100644
--- a/source4/auth/kerberos/kerberos_pac.c
+++ b/source4/auth/kerberos/kerberos_pac.c
@@ -280,7 +280,8 @@ static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx,
 return NT_STATUS_ACCESS_DENIED;
 }
- ret = krb5_parse_name_norealm(context, logon_name->account_name, &client_principal_pac);
+ ret = krb5_parse_name_flags(context, logon_name->account_name, KRB5_PRINCIPAL_PARSE_NO_REALM,
+ &client_principal_pac);
 if (ret) {
 DEBUG(2, ("Could not parse name from incoming PAC: [%s]: %s\n", logon_name->account_name,
@@ -591,7 +592,8 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
 u_LOGON_INFO->logon_info.info = LOGON_INFO;
 LOGON_INFO->info3 = *sam3;
- ret = krb5_unparse_name_norealm(context, client_principal, &name);
+ ret = krb5_unparse_name_flags(context, client_principal,
+ KRB5_PRINCIPAL_UNPARSE_NO_REALM, &name);
 if (ret) {
 return ret;
 }
diff --git a/source4/auth/kerberos/krb5_init_context.c b/source4/auth/kerberos/krb5_init_context.c
index d895d7a336..a3ef895b16 100644
--- a/source4/auth/kerberos/krb5_init_context.c
+++ b/source4/auth/kerberos/krb5_init_context.c
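Review bot: The added `krb5_get_init_creds_opt_set_default_flags(ctx, NULL, NULL, &options);` in the kerberos.c hunk at -45 (and the identical line at -87) has no comment saying which defaults it loads, and it passes NULL for the realm although `principal` is in scope. As far as I know Heimdal fills the request options (forwardable, proxiable, lifetimes, address handling) from krb5.conf in this call, so the ticket flags requested by both kinit paths now depend on local configuration. I would add a comment such as `/* take ticket flags and lifetimes from krb5.conf; no appname or realm-specific section is consulted */` and decide explicitly whether the principal's realm should be passed. Both enclosing functions start and end outside their hunks.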
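Review bot: In the kerberos_pac.c hunk at -280, `logon_name->account_name` comes from the incoming PAC and is now parsed with `KRB5_PRINCIPAL_PARSE_NO_REALM`, so `client_principal_pac` carries no realm and whatever later matches it against the ticket's client principal has to ignore the realm deliberately. That comparison is outside the hunk and should be checked against the new flag semantics, because it is the step that binds the PAC to the authenticated client. A comment above the call would record the intent, e.g. `/* PAC logon name has no realm: compare with the ticket client ignoring realm */`. The hunk header names check_pac_checksum, but the `NT_STATUS_ACCESS_DENIED` return suggests the code sits in a later function that starts and ends outside the hunk.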
@@ -23,6 +23,7 @@
 #include "includes.h"
 #include "system/kerberos.h"
+#include "heimdal/lib/krb5/krb5_locl.h"
 #include "auth/kerberos/kerberos.h"
 #include "lib/socket/socket.h"
 #include "system/network.h"
@@ -69,7 +70,7 @@ static void smb_krb5_debug_close(void *private) {
 static void smb_krb5_debug_wrapper(const char *timestr, const char *msg, void *private)
 {
- DEBUG(3, ("Kerberos: %s\n", msg));
+ DEBUG(2, ("Kerberos: %s\n", msg));
 }
 /*
@@ -224,11 +225,11 @@ static void smb_krb5_socket_handler(struct event_context *ev, struct fd_event *f
 }
-static krb5_error_code smb_krb5_send_and_recv_func(krb5_context context,
- void *data,
- krb5_krbhst_info *hi,
- const krb5_data *send_buf,
- krb5_data *recv_buf)
+krb5_error_code smb_krb5_send_and_recv_func(krb5_context context,
+ void *data,
+ krb5_krbhst_info *hi,
+ const krb5_data *send_buf,
+ krb5_data *recv_buf)
 {
 krb5_error_code ret;
 NTSTATUS status;
@@ -363,13 +364,6 @@ static krb5_error_code smb_krb5_send_and_recv_func(krb5_context context,
 return KRB5_KDC_UNREACH;
 }
-/* NO internal data, so nothing to free */
-static void smb_krb5_send_and_recv_close_func(krb5_context context, void *data)
-{
- return;
-}
-
-
 krb5_error_code smb_krb5_init_context(void *parent_ctx,
 struct smb_krb5_context **smb_krb5_context)
 {
@@ -437,9 +431,9 @@ krb5_error_code smb_krb5_init_context(void *parent_ctx,
 ev = event_context_find(*smb_krb5_context);
 /* Set use of our socket lib */
- ret = krb5_set_send_recv_func((*smb_krb5_context)->krb5_context,
- smb_krb5_send_and_recv_func,
- smb_krb5_send_and_recv_close_func, ev);
+ ret = krb5_set_send_to_kdc_func((*smb_krb5_context)->krb5_context,
+ smb_krb5_send_and_recv_func,
+ ev);
 if (ret) {
 DEBUG(1,("krb5_set_send_recv_func failed (%s)\n", smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx)));
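Review bot: `#include "heimdal/lib/krb5/krb5_locl.h"` in the hunk at -23 pulls Heimdal's library-private header into Samba code, which ties this file to internal structure layouts that upstream can change without notice. The last hunk of this file replaces the direct `krb5_context->fdns` write with `krb5_set_dns_canonicalize_hostname()`, so the diff does not show what still needs private declarations. If something does, name it next to the include, e.g. `/* private header: needed for <symbol> until upstream exports it */`; otherwise the include should go.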
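Review bot: The failure branch in the hunk at -437 still logs `krb5_set_send_recv_func failed (%s)` although the call is now `krb5_set_send_to_kdc_func`, so a log search for the failing API finds the wrong name. The message should follow the call: `DEBUG(1,("krb5_set_send_to_kdc_func failed (%s)\n",`. The comment `/* Set use of our socket lib */` could also say that `ev` is passed to the hook as its `data` argument, since the separate close callback is gone. smb_krb5_init_context starts and ends outside the hunk.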
@@ -454,12 +448,8 @@ krb5_error_code smb_krb5_init_context(void *parent_ctx,
 /* Set options in kerberos */
- (*smb_krb5_context)->krb5_context->fdns = FALSE;
+ krb5_set_dns_canonicalize_hostname((*smb_krb5_context)->krb5_context, FALSE);
 return 0;
 }
- void smb_krb5_free_context(struct smb_krb5_context *smb_krb5_context)
-{
- talloc_free(smb_krb5_context);
-}
diff --git a/source4/auth/kerberos/krb5_init_context.h b/source4/auth/kerberos/krb5_init_context.h
index f3ffc067fa..7aad97e2ca 100644
--- a/source4/auth/kerberos/krb5_init_context.h
+++ b/source4/auth/kerberos/krb5_init_context.h
@@ -27,3 +27,8 @@ krb5_error_code smb_krb5_init_context(void *parent_ctx, struct smb_krb5_context **smb_krb5_context);
 void smb_krb5_free_context(struct smb_krb5_context *smb_krb5_context);
+krb5_error_code smb_krb5_send_and_recv_func(krb5_context context,
+ void *data,
+ krb5_krbhst_info *hi,
+ const krb5_data *send_buf,
+ krb5_data *recv_buf); |
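Review bot: The hunk at -454 removes the body of `smb_krb5_free_context()` (`talloc_free(smb_krb5_context);`), yet the krb5_init_context.h hunk keeps `void smb_krb5_free_context(struct smb_krb5_context *smb_krb5_context);` as an unchanged line, so in this directory the prototype is left without a definition. The diffstat is limited to source4/auth/kerberos, so the definition may live elsewhere now; if it does not, remaining callers fail at link time, and if callers were switched to `talloc_free()` the declaration should be deleted as well. Separately, `/* Set options in kerberos */` does not say why canonicalisation is disabled; if the intent is to keep DNS answers from altering service hostnames, a comment like `/* do not let DNS lookups rewrite the hostname used in service principals */` would record it.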
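Review bot: The new public prototype `smb_krb5_send_and_recv_func` takes an untyped `void *data`, and the header does not say what callers must pass. In krb5_init_context.c the value registered with `krb5_set_send_to_kdc_func` is `ev`, the result of `event_context_find()`, so the function presumably treats `data` as a `struct event_context *`, and any other pointer would be misinterpreted. A doc comment above the prototype should state that `data` must be the event context, who owns `recv_buf` after a successful return, and that `KRB5_KDC_UNREACH` (visible in the .c hunk at -363) is returned when no KDC answers.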