summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2005-06-23 01:50:04 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:18:42 -0500
commit4432cc73aee188b1aa50b6e1618acd59ebfebd9c (patch)
treea1047fc2471966fe7b9f81ecb80b45d28334f189 /source4
parent3cb74e995ec69efe3d6d21394db9ccb9ae9acb40 (diff)
downloadsamba-4432cc73aee188b1aa50b6e1618acd59ebfebd9c.tar.gz
samba-4432cc73aee188b1aa50b6e1618acd59ebfebd9c.tar.bz2
samba-4432cc73aee188b1aa50b6e1618acd59ebfebd9c.zip
r7843: Use the new Heimdal gsskrb_acquire_creds API. This has the right
lifetime constraints, and works with the in-memory keytab. Move initialize_krb5_error_table() into our kerberos startup code, rather than in the GSSAPI code explitly. (Hmm, we probably don't need this at all..) Andrew Bartlett (This used to be commit bedf92da5c81066405c87c9e588842d3ca5ba945)
Diffstat (limited to 'source4')
-rw-r--r--source4/auth/gensec/gensec_gssapi.c56
-rw-r--r--source4/auth/kerberos/clikrb5.c2
2 files changed, 27 insertions, 31 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 1542441e27..533448e06f 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -170,6 +170,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_security)
{
NTSTATUS nt_status;
+ OM_uint32 maj_stat, min_stat;
struct gensec_gssapi_state *gensec_gssapi_state;
struct cli_credentials *machine_account;
@@ -201,7 +202,21 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi
}
}
- gsskrb5_register_acceptor_keytab(gensec_gssapi_state->keytab);
+ maj_stat = gsskrb5_acquire_cred(&min_stat,
+ gensec_gssapi_state->keytab, NULL,
+ NULL,
+ GSS_C_INDEFINITE,
+ GSS_C_NULL_OID_SET,
+ GSS_C_ACCEPT,
+ &gensec_gssapi_state->cred,
+ NULL,
+ NULL);
+ if (maj_stat) {
+ DEBUG(1, ("Aquiring acceptor credentails failed: %s\n",
+ gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
return NT_STATUS_OK;
}
@@ -251,8 +266,6 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
return NT_STATUS_UNSUCCESSFUL;
}
- initialize_krb5_error_table();
-
nt_status = kinit_to_ccache(gensec_gssapi_state,
gensec_get_credentials(gensec_security),
gensec_gssapi_state->smb_krb5_context,
@@ -261,25 +274,16 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
return nt_status;
}
- maj_stat = gss_krb5_ccache_name(&min_stat,
- gensec_gssapi_state->ccache_name,
+ maj_stat = gsskrb5_acquire_cred(&min_stat,
+ NULL, gensec_gssapi_state->ccache,
+ gensec_gssapi_state->client_name,
+ GSS_C_INDEFINITE,
+ GSS_C_NULL_OID_SET,
+ GSS_C_INITIATE,
+ &gensec_gssapi_state->cred,
+ NULL,
NULL);
if (maj_stat) {
- DEBUG(1, ("GSS krb5 ccache set %s failed: %s\n",
- gensec_gssapi_state->ccache_name,
- gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- maj_stat = gss_acquire_cred(&min_stat,
- gensec_gssapi_state->client_name,
- GSS_C_INDEFINITE,
- GSS_C_NULL_OID_SET,
- GSS_C_INITIATE,
- &gensec_gssapi_state->cred,
- NULL,
- NULL);
- if (maj_stat) {
DEBUG(1, ("Aquiring initiator credentails failed: %s\n",
gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
return NT_STATUS_UNSUCCESSFUL;
@@ -336,16 +340,6 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
switch (gensec_security->gensec_role) {
case GENSEC_CLIENT:
{
- maj_stat = gss_krb5_ccache_name(&min_stat,
- gensec_gssapi_state->ccache_name,
- NULL);
- if (maj_stat) {
- DEBUG(1, ("GSS krb5 ccache set %s failed: %s\n",
- gensec_gssapi_state->ccache_name,
- gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
maj_stat = gss_init_sec_context(&min_stat,
gensec_gssapi_state->cred,
&gensec_gssapi_state->gssapi_context,
@@ -365,7 +359,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
{
maj_stat = gss_accept_sec_context(&min_stat,
&gensec_gssapi_state->gssapi_context,
- GSS_C_NO_CREDENTIAL,
+ gensec_gssapi_state->cred,
&input_token,
gensec_gssapi_state->input_chan_bindings,
&gensec_gssapi_state->client_name,
diff --git a/source4/auth/kerberos/clikrb5.c b/source4/auth/kerberos/clikrb5.c
index 0fede8b2cd..95a45fc739 100644
--- a/source4/auth/kerberos/clikrb5.c
+++ b/source4/auth/kerberos/clikrb5.c
@@ -503,6 +503,8 @@ static void smb_krb5_debug_wrapper(const char *timestr, const char *msg, void *p
krb5_error_code ret;
TALLOC_CTX *tmp_ctx;
+ initialize_krb5_error_table();
+
*smb_krb5_context = talloc(parent_ctx, struct smb_krb5_context);
tmp_ctx = talloc_new(*smb_krb5_context);