diff options
author | Andrew Bartlett <abartlet@samba.org> | 2005-06-23 01:50:04 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:18:42 -0500 |
commit | 4432cc73aee188b1aa50b6e1618acd59ebfebd9c (patch) | |
tree | a1047fc2471966fe7b9f81ecb80b45d28334f189 /source4/auth | |
parent | 3cb74e995ec69efe3d6d21394db9ccb9ae9acb40 (diff) | |
download | samba-4432cc73aee188b1aa50b6e1618acd59ebfebd9c.tar.gz samba-4432cc73aee188b1aa50b6e1618acd59ebfebd9c.tar.bz2 samba-4432cc73aee188b1aa50b6e1618acd59ebfebd9c.zip |
r7843: Use the new Heimdal gsskrb_acquire_creds API. This has the right
lifetime constraints, and works with the in-memory keytab.
Move initialize_krb5_error_table() into our kerberos startup code,
rather than in the GSSAPI code explitly. (Hmm, we probably don't need
this at all..)
Andrew Bartlett
(This used to be commit bedf92da5c81066405c87c9e588842d3ca5ba945)
Diffstat (limited to 'source4/auth')
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 56 | ||||
-rw-r--r-- | source4/auth/kerberos/clikrb5.c | 2 |
2 files changed, 27 insertions, 31 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 1542441e27..533448e06f 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -170,6 +170,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_security) { NTSTATUS nt_status; + OM_uint32 maj_stat, min_stat; struct gensec_gssapi_state *gensec_gssapi_state; struct cli_credentials *machine_account; @@ -201,7 +202,21 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi } } - gsskrb5_register_acceptor_keytab(gensec_gssapi_state->keytab); + maj_stat = gsskrb5_acquire_cred(&min_stat, + gensec_gssapi_state->keytab, NULL, + NULL, + GSS_C_INDEFINITE, + GSS_C_NULL_OID_SET, + GSS_C_ACCEPT, + &gensec_gssapi_state->cred, + NULL, + NULL); + if (maj_stat) { + DEBUG(1, ("Aquiring acceptor credentails failed: %s\n", + gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat))); + return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + } + return NT_STATUS_OK; } @@ -251,8 +266,6 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi return NT_STATUS_UNSUCCESSFUL; } - initialize_krb5_error_table(); - nt_status = kinit_to_ccache(gensec_gssapi_state, gensec_get_credentials(gensec_security), gensec_gssapi_state->smb_krb5_context, @@ -261,25 +274,16 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi return nt_status; } - maj_stat = gss_krb5_ccache_name(&min_stat, - gensec_gssapi_state->ccache_name, + maj_stat = gsskrb5_acquire_cred(&min_stat, + NULL, gensec_gssapi_state->ccache, + gensec_gssapi_state->client_name, + GSS_C_INDEFINITE, + GSS_C_NULL_OID_SET, + GSS_C_INITIATE, + &gensec_gssapi_state->cred, + NULL, NULL); if (maj_stat) { - DEBUG(1, ("GSS krb5 ccache set %s failed: %s\n", - gensec_gssapi_state->ccache_name, - gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat))); - return NT_STATUS_UNSUCCESSFUL; - } - - maj_stat = gss_acquire_cred(&min_stat, - gensec_gssapi_state->client_name, - GSS_C_INDEFINITE, - GSS_C_NULL_OID_SET, - GSS_C_INITIATE, - &gensec_gssapi_state->cred, - NULL, - NULL); - if (maj_stat) { DEBUG(1, ("Aquiring initiator credentails failed: %s\n", gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat))); return NT_STATUS_UNSUCCESSFUL; @@ -336,16 +340,6 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, switch (gensec_security->gensec_role) { case GENSEC_CLIENT: { - maj_stat = gss_krb5_ccache_name(&min_stat, - gensec_gssapi_state->ccache_name, - NULL); - if (maj_stat) { - DEBUG(1, ("GSS krb5 ccache set %s failed: %s\n", - gensec_gssapi_state->ccache_name, - gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat))); - return NT_STATUS_UNSUCCESSFUL; - } - maj_stat = gss_init_sec_context(&min_stat, gensec_gssapi_state->cred, &gensec_gssapi_state->gssapi_context, @@ -365,7 +359,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, { maj_stat = gss_accept_sec_context(&min_stat, &gensec_gssapi_state->gssapi_context, - GSS_C_NO_CREDENTIAL, + gensec_gssapi_state->cred, &input_token, gensec_gssapi_state->input_chan_bindings, &gensec_gssapi_state->client_name, diff --git a/source4/auth/kerberos/clikrb5.c b/source4/auth/kerberos/clikrb5.c index 0fede8b2cd..95a45fc739 100644 --- a/source4/auth/kerberos/clikrb5.c +++ b/source4/auth/kerberos/clikrb5.c @@ -503,6 +503,8 @@ static void smb_krb5_debug_wrapper(const char *timestr, const char *msg, void *p krb5_error_code ret; TALLOC_CTX *tmp_ctx; + initialize_krb5_error_table(); + *smb_krb5_context = talloc(parent_ctx, struct smb_krb5_context); tmp_ctx = talloc_new(*smb_krb5_context); |