authorSimo Sorce <idra@samba.org>2012-05-08 12:38:20 -0400
committerAlexander Bokovoy <ab@samba.org>2012-05-23 17:51:49 +0300
commitad945bc68f6b1e73a47bc0a33b35fcbf182f8137 (patch)
tree76f7be6394314cb68f210b0e3bda6fb4837a936b /source4
parent302abe61900af3bd9b4fffe1b9e9d7e39cac599a (diff)
gensec_gssapi: Make it possible to build with MIT krb5
We need to ifdef out some minor things here because there is no available API to set these options in MIT. The realm and canonicalize options should not be of interest in the client case. The same goes for the send_to_kdc hacks. Also, the OLD DES3 enctype is not at all interesting. I am not aware that Windows will ever use DES3, and no modern implementation relies on that enctype anymore as it was fully deprecated long ago, so we can simply ignore it.
Diffstat (limited to 'source4')
-rw-r--r--source4/auth/gensec/gensec_gssapi.c30
-rwxr-xr-xsource4/heimdal_build/wscript_configure2
2 files changed, 21 insertions, 11 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index dde481a41c..6d6ea3cf28 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -42,6 +42,12 @@
#include "lib/util/util_net.h"
#include "auth/kerberos/pac_utils.h"
+#ifndef gss_mech_spnego
+gss_OID_desc spnego_mech_oid_desc =
+ { 6, discard_const_p(void, "\x2b\x06\x01\x05\x05\x02") };
+#define gss_mech_spnego (&spnego_mech_oid_desc)
+#endif
+
_PUBLIC_ NTSTATUS gensec_gssapi_init(void);
static size_t gensec_gssapi_max_input_size(struct gensec_security *gensec_security);
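Review bot: The fallback `spnego_mech_oid_desc` added at the top of this hunk is defined with external linkage in a .c file, so it enters the global symbol namespace and can collide with any other translation unit that adds the same fallback. Declaring it `static gss_OID_desc spnego_mech_oid_desc = ...` keeps it private to this file. The `#ifndef gss_mech_spnego` guard only detects a preprocessor macro; if a GSSAPI header provides `gss_mech_spnego` as a variable instead, the `#define` would silently shadow it, so a configure-time check would be more robust than the macro test.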
@@ -166,7 +172,8 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
break;
case DCERPC_AUTH_TYPE_KRB5:
default:
- gensec_gssapi_state->gss_oid = gss_mech_krb5;
+ gensec_gssapi_state->gss_oid =
+ discard_const_p(void, gss_mech_krb5);
break;
}
@@ -199,6 +206,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
talloc_set_destructor(gensec_gssapi_state, gensec_gssapi_destructor);
+#ifdef SAMBA4_USES_HEIMDAL
realm = lpcfg_realm(gensec_security->settings->lp_ctx);
if (realm != NULL) {
ret = gsskrb5_set_default_realm(realm);
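Review bot: On a build without `SAMBA4_USES_HEIMDAL` the realm returned by `lpcfg_realm()` is no longer handed to the GSSAPI library, and nothing at this `#ifdef` says where that setting comes from instead. The guard opened here is closed by the `#endif` in the next hunk, and per the commit message the canonicalize option falls inside it too, so on such a build the Kerberos library's own defaults decide realm selection and hostname canonicalization, both of which influence which service principal a client ends up authenticating to. A comment at the `#ifdef` such as `/* No API for these outside Heimdal: default realm and canonicalization follow the Kerberos library's own configuration */` would make that visible to whoever deploys it. `realm` is declared outside the hunk and presumably becomes an unused variable when the block is compiled out.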
@@ -216,7 +224,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
talloc_free(gensec_gssapi_state);
return NT_STATUS_INTERNAL_ERROR;
}
-
+#endif
return NT_STATUS_OK;
}
@@ -433,7 +441,9 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
switch (gensec_security->gensec_role) {
case GENSEC_CLIENT:
{
+#ifdef SAMBA4_USES_HEIMDAL
struct gsskrb5_send_to_kdc send_to_kdc;
+#endif
krb5_error_code ret;
nt_status = gensec_gssapi_client_creds(gensec_security, ev);
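Review bot: `krb5_error_code ret;` stays outside the new `#ifdef` that wraps `send_to_kdc`, yet the only assignment to it visible in this patch (`ret = gsskrb5_set_send_to_kdc(&send_to_kdc);`, two hunks below) is now Heimdal-only. If nothing else in the `GENSEC_CLIENT` block uses it, a non-Heimdal build gets an unused-variable warning, and moving the declaration inside the same guard avoids that. The rest of the block lies outside the hunk, so this needs checking against the full function.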
@@ -444,14 +454,13 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
#ifdef SAMBA4_USES_HEIMDAL
send_to_kdc.func = smb_krb5_send_and_recv_func;
send_to_kdc.ptr = ev;
-#endif
min_stat = gsskrb5_set_send_to_kdc(&send_to_kdc);
if (min_stat) {
DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n"));
return NT_STATUS_INTERNAL_ERROR;
}
-
+#endif
maj_stat = gss_init_sec_context(&min_stat,
gensec_gssapi_state->client_cred->creds,
&gensec_gssapi_state->gssapi_context,
@@ -472,14 +481,13 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
#ifdef SAMBA4_USES_HEIMDAL
send_to_kdc.func = smb_krb5_send_and_recv_func;
send_to_kdc.ptr = NULL;
-#endif
ret = gsskrb5_set_send_to_kdc(&send_to_kdc);
if (ret) {
DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n"));
return NT_STATUS_INTERNAL_ERROR;
}
-
+#endif
break;
}
case GENSEC_SERVER:
@@ -1435,22 +1443,24 @@ static size_t gensec_gssapi_sig_size(struct gensec_security *gensec_security, si
}
} else if (gensec_gssapi_state->lucid->protocol == 0) {
switch (gensec_gssapi_state->lucid->rfc1964_kd.ctx_key.type) {
- case KEYTYPE_DES:
- case KEYTYPE_ARCFOUR:
- case KEYTYPE_ARCFOUR_56:
+ case ENCTYPE_DES_CBC_CRC:
+ case ENCTYPE_ARCFOUR_HMAC:
+ case ENCTYPE_ARCFOUR_HMAC_EXP:
if (gensec_gssapi_state->gss_got_flags & GSS_C_CONF_FLAG) {
gensec_gssapi_state->sig_size = 45;
} else {
gensec_gssapi_state->sig_size = 37;
}
break;
- case KEYTYPE_DES3:
+#ifdef SAMBA4_USES_HEIMDAL
+ case ENCTYPE_OLD_DES3_CBC_SHA1:
if (gensec_gssapi_state->gss_got_flags & GSS_C_CONF_FLAG) {
gensec_gssapi_state->sig_size = 57;
} else {
gensec_gssapi_state->sig_size = 49;
}
break;
+#endif
}
}
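Review bot: The `switch` on `rfc1964_kd.ctx_key.type` has no `default:`, and with the DES3 case compiled out on non-Heimdal builds an unhandled key type now appears to leave `gensec_gssapi_state->sig_size` at whatever value it held before. If callers size signature buffers from that field (they are outside the hunk, as is the start of `gensec_gssapi_sig_size`), a stale or zero value becomes a silent length mismatch rather than a visible failure. Adding `default: DEBUG(1, ("gensec_gssapi_sig_size: unhandled key type\n")); break;` would at least surface the case. Whether to also assign a defined fallback size there should be decided against the full function.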
diff --git a/source4/heimdal_build/wscript_configure b/source4/heimdal_build/wscript_configure
index 17b7361cad..0b6ae88a35 100755
--- a/source4/heimdal_build/wscript_configure
+++ b/source4/heimdal_build/wscript_configure
@@ -147,9 +147,9 @@ conf.define('HAVE_ETYPE_IN_ENCRYPTEDDATA', 1)
conf.define('KRB5_PRINC_REALM_RETURNS_REALM', 1)
conf.define('HAVE_KRB5_PRINCIPAL_GET_REALM', 1)
conf.define('HAVE_KRB5_H', 1)
-conf.define('HAVE_ENCTYPE_ARCFOUR_HMAC_MD5', 1)
conf.define('HAVE_AP_OPTS_USE_SUBKEY', 1)
conf.define('HAVE_ENCTYPE_ARCFOUR_HMAC_MD5', 1)
+conf.define('HAVE_ENCTYPE_ARCFOUR_HMAC_MD5_56', 1)
conf.define('HAVE_ENCTYPE_ARCFOUR_HMAC', 1)
conf.define('HAVE_KRB5_PDU_NONE_DECL', 1)
conf.define('HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96', 1)