summaryrefslogtreecommitdiff
path: root/source4/auth
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2009-07-14 10:19:16 +1000
committerAndrew Bartlett <abartlet@samba.org>2009-07-16 09:23:35 +1000
commitbc354fb1a6fd524629434c199e2ca260a8400bb4 (patch)
tree178a2133890a1ab68a9e4ae7dbc6864a1f1a0264 /source4/auth
parent271b5af92e9aada36adc648a6dd43a13c5aed340 (diff)
downloadsamba-bc354fb1a6fd524629434c199e2ca260a8400bb4.tar.gz
samba-bc354fb1a6fd524629434c199e2ca260a8400bb4.tar.bz2
samba-bc354fb1a6fd524629434c199e2ca260a8400bb4.zip
s4:gensec Allow mutual auth to be turned off in 'fake_gssapi_krb5'
This allows the older 'like Samba3' GENSEC krb5 implementation to work against Windows 2008. I'm using this to track down interop issues in this area. Andrew Bartlett
Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/gensec/gensec_krb5.c20
1 files changed, 15 insertions, 5 deletions
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 09bdec512d..aed6822b89 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -57,6 +57,7 @@ struct gensec_krb5_state {
krb5_keyblock *keyblock;
krb5_ticket *ticket;
bool gssapi;
+ krb5_flags ap_req_options;
};
static int gensec_krb5_destroy(struct gensec_krb5_state *gensec_krb5_state)
@@ -221,7 +222,6 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
NTSTATUS nt_status;
struct ccache_container *ccache_container;
const char *hostname;
- krb5_flags ap_req_options = AP_OPTS_USE_SUBKEY | AP_OPTS_MUTUAL_REQUIRED;
const char *principal;
krb5_data in_data;
@@ -247,6 +247,11 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
+ gensec_krb5_state->ap_req_options = AP_OPTS_USE_SUBKEY;
+
+ if (gensec_setting_bool(gensec_security->settings, "gensec_krb5", "mutual", true)) {
+ gensec_krb5_state->ap_req_options |= AP_OPTS_MUTUAL_REQUIRED;
+ }
principal = gensec_get_target_principal(gensec_security);
@@ -274,7 +279,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
if (ret == 0) {
ret = krb5_mk_req_exact(gensec_krb5_state->smb_krb5_context->krb5_context,
&gensec_krb5_state->auth_context,
- ap_req_options,
+ gensec_krb5_state->ap_req_options,
target_principal,
&in_data, ccache_container->ccache,
&gensec_krb5_state->enc_ticket);
@@ -284,7 +289,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
} else {
ret = krb5_mk_req(gensec_krb5_state->smb_krb5_context->krb5_context,
&gensec_krb5_state->auth_context,
- ap_req_options,
+ gensec_krb5_state->ap_req_options,
gensec_get_target_service(gensec_security),
hostname,
&in_data, ccache_container->ccache,
@@ -392,8 +397,13 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
} else {
*out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->enc_ticket.data, gensec_krb5_state->enc_ticket.length);
}
- gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_MUTUAL_AUTH;
- nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ if (gensec_krb5_state->ap_req_options & AP_OPTS_MUTUAL_REQUIRED) {
+ gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_MUTUAL_AUTH;
+ nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ } else {
+ gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
+ nt_status = NT_STATUS_OK;
+ }
return nt_status;
}