diff options
author | Andrew Bartlett <abartlet@samba.org> | 2005-09-28 04:50:02 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:39:06 -0500 |
commit | 718dd6dda6331b27b8f4fc89b891c27124c7821e (patch) | |
tree | 1892903ad434a04959966987275c32bd84a7e4fb /source4/auth | |
parent | f54b3650d6e561213abdeffb56ee45b84ef4d068 (diff) | |
download | samba-718dd6dda6331b27b8f4fc89b891c27124c7821e.tar.gz samba-718dd6dda6331b27b8f4fc89b891c27124c7821e.tar.bz2 samba-718dd6dda6331b27b8f4fc89b891c27124c7821e.zip |
r10565: Try to make Kerberos authentication a bit more friendly.
This disables it for 'localhost' as well as for any host our KDC does
not recognise.
Andrew Bartlett
(This used to be commit 49c6c36763aae23880a20a8ee50c00e8935d8548)
Diffstat (limited to 'source4/auth')
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 38 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_krb5.c | 7 |
2 files changed, 35 insertions, 10 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 76458c5f9e..8eae8bda71 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -239,7 +239,11 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi return NT_STATUS_INVALID_PARAMETER; } if (is_ipaddress(hostname)) { - DEBUG(2, ("Cannot do GSSAPI to an IP address")); + DEBUG(2, ("Cannot do GSSAPI to an IP address\n")); + return NT_STATUS_INVALID_PARAMETER; + } + if (strequal(hostname, "localhost")) { + DEBUG(2, ("GSSAPI to 'localhost' does not make sense\n")); return NT_STATUS_INVALID_PARAMETER; } @@ -269,7 +273,7 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi DEBUG(2, ("GSS Import name of %s failed: %s\n", (char *)name_token.value, gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat))); - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_INVALID_PARAMETER; } principal = gensec_get_target_principal(gensec_security); @@ -306,9 +310,16 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi NULL, NULL); if (maj_stat) { - DEBUG(1, ("Aquiring initiator credentails failed: %s\n", - gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat))); - return NT_STATUS_UNSUCCESSFUL; + switch (min_stat) { + case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: + DEBUG(3, ("Server [%s] is not registered with our KDC: %s\n", + hostname, gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat))); + return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */ + default: + DEBUG(1, ("Aquiring initiator credentails failed: %s\n", + gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat))); + return NT_STATUS_UNSUCCESSFUL; + } } return NT_STATUS_OK; @@ -408,12 +419,23 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, gss_release_buffer(&min_stat2, &output_token); return NT_STATUS_MORE_PROCESSING_REQUIRED; - } else { - if (maj_stat == GSS_S_FAILURE - && (min_stat == KRB5KRB_AP_ERR_BADVERSION || min_stat == KRB5KRB_AP_ERR_MSG_TYPE)) { + } else if ((gensec_gssapi_state->gss_oid->length == gss_mech_krb5->length) + && (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements, + gensec_gssapi_state->gss_oid->length) == 0)) { + switch (min_stat) { + case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: + DEBUG(3, ("Server is not registered with our KDC: %s\n", + gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat))); + return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */ + case KRB5KRB_AP_ERR_MSG_TYPE: /* garbage input, possibly from the auto-mech detection */ return NT_STATUS_INVALID_PARAMETER; + default: + DEBUG(1, ("GSS(krb5) Update failed: %s\n", + gssapi_error_string(out_mem_ctx, maj_stat, min_stat))); + return nt_status; } + } else { DEBUG(1, ("GSS Update failed: %s\n", gssapi_error_string(out_mem_ctx, maj_stat, min_stat))); return nt_status; diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c index 07e92f063f..71974790b1 100644 --- a/source4/auth/gensec/gensec_krb5.c +++ b/source4/auth/gensec/gensec_krb5.c @@ -172,7 +172,10 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security DEBUG(2, ("Cannot do krb5 to an IP address")); return NT_STATUS_INVALID_PARAMETER; } - + if (strequal(hostname, "localhost")) { + DEBUG(2, ("krb5 to 'localhost' does not make sense")); + return NT_STATUS_INVALID_PARAMETER; + } nt_status = gensec_krb5_start(gensec_security); if (!NT_STATUS_IS_OK(nt_status)) { @@ -235,7 +238,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: DEBUG(3, ("Server [%s] is not registered with our KDC: %s\n", hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state))); - return NT_STATUS_ACCESS_DENIED; + return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */ case KRB5KDC_ERR_PREAUTH_FAILED: case KRB5KRB_AP_ERR_TKT_EXPIRED: case KRB5_CC_END: |