diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2011-12-06 15:56:44 +1100 |
|---|---|---|
| committer | Amitay Isaacs <amitay@gmail.com> | 2011-12-07 10:43:52 +1100 |
| commit | 0344e7278b5ddaba0efd7b31a894e901bd9ef6fb (patch) | |
| tree | 5d4ca2d4e909d4c976d3c64bca3a9e9014f474e5 /source4/auth | |
| parent | b9f4febd405c9ed8c5386cedeb3190aa395b41c4 (diff) | |
| download | samba-0344e7278b5ddaba0efd7b31a894e901bd9ef6fb.tar.gz samba-0344e7278b5ddaba0efd7b31a894e901bd9ef6fb.tar.bz2 samba-0344e7278b5ddaba0efd7b31a894e901bd9ef6fb.zip | |
auth: Allow a NULL principal to be obtained from the credentials
This is important when trying to let GSSAPI search the keytab.
Andrew Bartlett
Diffstat (limited to 'source4/auth')
| -rw-r--r-- | source4/auth/gensec/gensec_krb5.c | 5 | ||||
| -rw-r--r-- | source4/auth/kerberos/kerberos_util.c | 12 |
2 files changed, 14 insertions, 3 deletions
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c index 2a3bd22d32..0c86177960 100644 --- a/source4/auth/gensec/gensec_krb5.c +++ b/source4/auth/gensec/gensec_krb5.c @@ -521,7 +521,10 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } - /* This ensures we lookup the correct entry in that keytab */ + /* This ensures we lookup the correct entry in that + * keytab. A NULL principal is acceptable, and means + * that the krb5 libs should search the keytab at + * accept time for any matching key */ ret = principal_from_credentials(out_mem_ctx, gensec_get_credentials(gensec_security), gensec_krb5_state->smb_krb5_context, &server_in_keytab, &obtained, &error_string); diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c index c255e6605a..0a42c3078d 100644 --- a/source4/auth/kerberos/kerberos_util.c +++ b/source4/auth/kerberos/kerberos_util.c @@ -293,14 +293,16 @@ krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx, krb5_error_code ret; const char *princ_string; TALLOC_CTX *mem_ctx = talloc_new(parent_ctx); + *obtained = CRED_UNINITIALISED; + if (!mem_ctx) { (*error_string) = error_message(ENOMEM); return ENOMEM; } princ_string = cli_credentials_get_principal_and_obtained(credentials, mem_ctx, obtained); if (!princ_string) { - (*error_string) = error_message(ENOMEM); - return ENOMEM; + *princ = NULL; + return 0; } ret = parse_principal(parent_ctx, princ_string, @@ -359,6 +361,12 @@ krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx, return ret; } + if (princ == NULL) { + (*error_string) = talloc_asprintf(credentials, "principal, username or realm was not specified in the credentials"); + talloc_free(mem_ctx); + return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; + } + ret = impersonate_principal_from_credentials(mem_ctx, credentials, smb_krb5_context, &impersonate_principal, error_string); if (ret) { talloc_free(mem_ctx); |