r7843: Use the new Heimdal gsskrb_acquire_creds API. This has the right

lifetime constraints, and works with the in-memory keytab. Move initialize_krb5_error_table() into our kerberos startup code, rather than in the GSSAPI code explitly. (Hmm, we probably don't need this at all..) Andrew Bartlett (This used to be commit bedf92da5c81066405c87c9e588842d3ca5ba945)
author: Andrew Bartlett <abartlet@samba.org> 2005-06-23 01:50:04 +0000
committer: Gerald (Jerry) Carter <jerry@samba.org> 2007-10-10 13:18:42 -0500
commit: 4432cc73aee188b1aa50b6e1618acd59ebfebd9c (patch)
tree: a1047fc2471966fe7b9f81ecb80b45d28334f189 /source4/auth
parent: 3cb74e995ec69efe3d6d21394db9ccb9ae9acb40 (diff)
download: samba-4432cc73aee188b1aa50b6e1618acd59ebfebd9c.tar.gz
samba-4432cc73aee188b1aa50b6e1618acd59ebfebd9c.tar.bz2
samba-4432cc73aee188b1aa50b6e1618acd59ebfebd9c.zip
2 files changed, 27 insertions, 31 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 1542441e27..533448e06f 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -170,6 +170,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
 static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_security)
 {
 	NTSTATUS nt_status;
+	OM_uint32 maj_stat, min_stat;
 	struct gensec_gssapi_state *gensec_gssapi_state;
 	struct cli_credentials *machine_account;
 
@@ -201,7 +202,21 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi
 		}
 	}
 
-	gsskrb5_register_acceptor_keytab(gensec_gssapi_state->keytab);
+	maj_stat = gsskrb5_acquire_cred(&min_stat, 
+					gensec_gssapi_state->keytab, NULL,
+					NULL,
+					GSS_C_INDEFINITE,
+					GSS_C_NULL_OID_SET,
+					GSS_C_ACCEPT,
+					&gensec_gssapi_state->cred,
+					NULL, 
+					NULL);
+	if (maj_stat) {
+		DEBUG(1, ("Aquiring acceptor credentails failed: %s\n", 
+			  gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
+		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+	}
+
 	return NT_STATUS_OK;
 
 }
@@ -251,8 +266,6 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
 		return NT_STATUS_UNSUCCESSFUL;
 	}
 
-	initialize_krb5_error_table();
-	
 	nt_status = kinit_to_ccache(gensec_gssapi_state, 
 				    gensec_get_credentials(gensec_security),
 				    gensec_gssapi_state->smb_krb5_context, 
@@ -261,25 +274,16 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
 		return nt_status;
 	}
 
-	maj_stat = gss_krb5_ccache_name(&min_stat, 
-					gensec_gssapi_state->ccache_name, 
+	maj_stat = gsskrb5_acquire_cred(&min_stat, 
+					NULL, gensec_gssapi_state->ccache,
+					gensec_gssapi_state->client_name,
+					GSS_C_INDEFINITE,
+					GSS_C_NULL_OID_SET,
+					GSS_C_INITIATE,
+					&gensec_gssapi_state->cred,
+					NULL, 
 					NULL);
 	if (maj_stat) {
-		DEBUG(1, ("GSS krb5 ccache set %s failed: %s\n",
-			  gensec_gssapi_state->ccache_name, 
-			  gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
-		return NT_STATUS_UNSUCCESSFUL;
-	}
-
-	maj_stat = gss_acquire_cred(&min_stat, 
-				    gensec_gssapi_state->client_name,
-				    GSS_C_INDEFINITE,
-				    GSS_C_NULL_OID_SET,
-				    GSS_C_INITIATE,
-				    &gensec_gssapi_state->cred,
-				    NULL, 
-				    NULL);
-	if (maj_stat) {
 		DEBUG(1, ("Aquiring initiator credentails failed: %s\n", 
 			  gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
 		return NT_STATUS_UNSUCCESSFUL;
@@ -336,16 +340,6 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 	switch (gensec_security->gensec_role) {
 	case GENSEC_CLIENT:
 	{
-		maj_stat = gss_krb5_ccache_name(&min_stat, 
-						gensec_gssapi_state->ccache_name, 
-						NULL);
-		if (maj_stat) {
-			DEBUG(1, ("GSS krb5 ccache set %s failed: %s\n",
-				  gensec_gssapi_state->ccache_name, 
-				  gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
-			return NT_STATUS_UNSUCCESSFUL;
-		}
-
 		maj_stat = gss_init_sec_context(&min_stat, 
 						gensec_gssapi_state->cred,
 						&gensec_gssapi_state->gssapi_context, 
@@ -365,7 +359,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 	{
 		maj_stat = gss_accept_sec_context(&min_stat, 
 						  &gensec_gssapi_state->gssapi_context, 
-						  GSS_C_NO_CREDENTIAL, 
+						  gensec_gssapi_state->cred,
 						  &input_token, 
 						  gensec_gssapi_state->input_chan_bindings,
 						  &gensec_gssapi_state->client_name, 
diff --git a/source4/auth/kerberos/clikrb5.c b/source4/auth/kerberos/clikrb5.c
index 0fede8b2cd..95a45fc739 100644
--- a/source4/auth/kerberos/clikrb5.c
+++ b/source4/auth/kerberos/clikrb5.c
@@ -503,6 +503,8 @@ static void smb_krb5_debug_wrapper(const char *timestr, const char *msg, void *p
 	krb5_error_code ret;
 	TALLOC_CTX *tmp_ctx;
 	
+	initialize_krb5_error_table();
+	
 	*smb_krb5_context = talloc(parent_ctx, struct smb_krb5_context);
 	tmp_ctx = talloc_new(*smb_krb5_context);
author	Andrew Bartlett <abartlet@samba.org>	2005-06-23 01:50:04 +0000
committer	Gerald (Jerry) Carter <jerry@samba.org>	2007-10-10 13:18:42 -0500
commit	4432cc73aee188b1aa50b6e1618acd59ebfebd9c (patch)
tree	a1047fc2471966fe7b9f81ecb80b45d28334f189 /source4/auth
parent	3cb74e995ec69efe3d6d21394db9ccb9ae9acb40 (diff)
download	samba-4432cc73aee188b1aa50b6e1618acd59ebfebd9c.tar.gz samba-4432cc73aee188b1aa50b6e1618acd59ebfebd9c.tar.bz2 samba-4432cc73aee188b1aa50b6e1618acd59ebfebd9c.zip