authorAndrew Bartlett <abartlet@samba.org>2005-10-20 03:47:55 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:45:00 -0500
commit372ca26b2052e267711a45c8bf341f55505f3f8f (patch)
tree8c13e34fdac62ca762972d25cfe95b053bff93fa /source4/smb_server
parent9e25f33a1a06e1374bb643cb087af0e0bedb99c7 (diff)
r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5
authentication. This pulls the creation of the keytab back to the credentials code, and removes the special case of 'use kerberos keytab = yes' for now. This allows (and requires) the callers to specify the server credentials to GENSEC. This allows kpasswdd (soon to be added) to use a different set of kerberos credentials. The 'use kerberos keytab' code will be moved into the credentials layer, as the layers below now expect a keytab. We also now allow for the old secret to be stored into the credentials, allowing service password changes. Andrew Bartlett (This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)
Diffstat (limited to 'source4/smb_server')
-rw-r--r--source4/smb_server/negprot.c28
-rw-r--r--source4/smb_server/sesssetup.c2
-rw-r--r--source4/smb_server/smb_server.h4
3 files changed, 28 insertions, 6 deletions
diff --git a/source4/smb_server/negprot.c b/source4/smb_server/negprot.c
index 31f31272e0..a9cc05e251 100644
--- a/source4/smb_server/negprot.c
+++ b/source4/smb_server/negprot.c
@@ -326,6 +326,7 @@ static void reply_nt1(struct smbsrv_request *req, uint16_t choice)
req_push_str(req, NULL, lp_netbios_name(), -1, STR_UNICODE|STR_TERMINATE|STR_NOALIGN);
DEBUG(3,("not using SPNEGO\n"));
} else {
+ struct cli_credentials *server_credentials;
struct gensec_security *gensec_security;
DATA_BLOB null_data_blob = data_blob(NULL, 0);
DATA_BLOB blob;
@@ -333,19 +334,38 @@ static void reply_nt1(struct smbsrv_request *req, uint16_t choice)
&gensec_security,
req->smb_conn->connection->event.ctx);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(0, ("Failed to start GENSEC: %s\n", nt_errstr(nt_status)));
+ smbsrv_terminate_connection(req->smb_conn, "Failed to start GENSEC\n");
+ return;
+ }
+
if (req->smb_conn->negotiate.auth_context) {
smbsrv_terminate_connection(req->smb_conn, "reply_nt1: is this a secondary negprot? auth_context is non-NULL!\n");
return;
}
- req->smb_conn->negotiate.auth_context = NULL;
+ server_credentials
+ = cli_credentials_init(req);
+ if (!server_credentials) {
+ smbsrv_terminate_connection(req->smb_conn, "Failed to init server credentials\n");
+ return;
+ }
+ cli_credentials_set_conf(server_credentials);
+ nt_status = cli_credentials_set_machine_account(server_credentials);
if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(0, ("Failed to start GENSEC: %s\n", nt_errstr(nt_status)));
- smbsrv_terminate_connection(req->smb_conn, "Failed to start GENSEC\n");
- return;
+ DEBUG(10, ("Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(nt_status)));
+ talloc_free(server_credentials);
+ server_credentials = NULL;
}
+ req->smb_conn->negotiate.server_credentials = talloc_steal(req->smb_conn, server_credentials);
+
+ gensec_set_target_service(gensec_security, "cifs");
+
+ gensec_set_credentials(gensec_security, server_credentials);
+
nt_status = gensec_start_mech_by_oid(gensec_security, GENSEC_OID_SPNEGO);
if (!NT_STATUS_IS_OK(nt_status)) {
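Review bot: The NTSTATUS results of the new `gensec_set_target_service(gensec_security, "cifs")` and `gensec_set_credentials(gensec_security, server_credentials)` calls after the talloc_steal are discarded, while every other NTSTATUS in this block (gensec_server_start, cli_credentials_set_machine_account, gensec_start_mech_by_oid) is checked and terminates the connection on failure; as far as I can tell both return an NTSTATUS in this tree, so an allocation failure there would let the negprot continue with a half-configured GENSEC context. Checking them with the same terminate-on-failure pattern keeps the error handling uniform, as sketched below. Separately, the deliberate fallback to `server_credentials = NULL` when the machine account cannot be loaded is logged only at DEBUG level 10, so a domain member with a missing or stale machine secret will lose Kerberos/GSSAPI session setups with no hint in an ordinary log; a lower level (1 or 3) seems warranted, and a comment on the talloc_steal line that `negotiate.server_credentials` may legitimately be NULL would help, since sesssetup.c passes it on to gensec_set_credentials unconditionally. reply_nt1 starts and ends outside the hunk.
```c
	/* may be NULL on a standalone server: see the set_machine_account fallback above */
	req->smb_conn->negotiate.server_credentials = talloc_steal(req->smb_conn, server_credentials);

	nt_status = gensec_set_target_service(gensec_security, "cifs");
	if (!NT_STATUS_IS_OK(nt_status)) {
		DEBUG(0, ("Failed to set GENSEC target service: %s\n", nt_errstr(nt_status)));
		smbsrv_terminate_connection(req->smb_conn, "Failed to set GENSEC target service\n");
		return;
	}

	nt_status = gensec_set_credentials(gensec_security, server_credentials);
	if (!NT_STATUS_IS_OK(nt_status)) {
		DEBUG(0, ("Failed to set GENSEC credentials: %s\n", nt_errstr(nt_status)));
		smbsrv_terminate_connection(req->smb_conn, "Failed to set GENSEC credentials\n");
		return;
	}

	/* … unchanged: gensec_start_mech_by_oid(GENSEC_OID_SPNEGO) and its error handling … */
```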
diff --git a/source4/smb_server/sesssetup.c b/source4/smb_server/sesssetup.c
index 1fa04b99e5..bdd4a3fab2 100644
--- a/source4/smb_server/sesssetup.c
+++ b/source4/smb_server/sesssetup.c
@@ -293,6 +293,8 @@ static NTSTATUS sesssetup_spnego(struct smbsrv_request *req, union smb_sesssetup
return status;
}
+ gensec_set_credentials(gensec_ctx, req->smb_conn->negotiate.server_credentials);
+
gensec_set_target_service(gensec_ctx, "cifs");
gensec_want_feature(gensec_ctx, GENSEC_FEATURE_SESSION_KEY);
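Review bot: The added `gensec_set_credentials(gensec_ctx, req->smb_conn->negotiate.server_credentials)` hands over whatever negprot stored, which negprot.c in this same commit sets to NULL when cli_credentials_set_machine_account() fails (and which is also NULL if no SPNEGO negprot ran on this connection), and its NTSTATUS is dropped like the neighbouring gensec_set_target_service call. Unless gensec_set_credentials and the Kerberos/GSSAPI backends are known to tolerate a NULL credentials pointer, which I cannot confirm from this hunk, either guard the call with `if (req->smb_conn->negotiate.server_credentials)` or at least state the contract in a comment such as `/* may be NULL on a standalone server; presumably only non-Kerberos mechs can then succeed */` so the next reader does not have to rediscover it. sesssetup_spnego starts and ends outside the hunk.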
diff --git a/source4/smb_server/smb_server.h b/source4/smb_server/smb_server.h
index 01fb1e26a3..360ea7ddfb 100644
--- a/source4/smb_server/smb_server.h
+++ b/source4/smb_server/smb_server.h
@@ -194,8 +194,8 @@ struct smbsrv_connection {
/* authentication context for multi-part negprot */
struct auth_context *auth_context;
- /* state of NTLMSSP auth */
- struct auth_ntlmssp_state *ntlmssp_state;
+ /* reference to the kerberos keytab, or machine trust account */
+ struct cli_credentials *server_credentials;
/* did we tell the client we support encrypted passwords? */
BOOL encrypted_passwords;
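Review bot: The new comment on `server_credentials` says what the pointer refers to but not who owns it or that it can be NULL, and negprot.c in this commit does store NULL when the machine account cannot be loaded, so a field comment along the lines of `/* server credentials (keytab or machine trust account) handed to GENSEC for GSSAPI/Krb5; owned by this connection; NULL when no machine account is available, e.g. a standalone server */` would capture the contract where readers of sesssetup.c will look for it. struct smbsrv_connection starts and ends outside the hunk.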