-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 21 | ||||
-rw-r--r-- | source4/auth/kerberos/kerberos.c | 32 | ||||
-rw-r--r-- | source4/auth/kerberos/kerberos.h | 4 | ||||
-rw-r--r-- | source4/auth/kerberos/kerberos_util.c | 63 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/context.c | 1 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/keytab_memory.c | 53 | ||||
-rw-r--r-- | source4/heimdal/lib/krb5/krb5.h | 1 |
7 files changed, 84 insertions, 91 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 26494f0222..6316b52bad 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -154,6 +154,7 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi { NTSTATUS nt_status; OM_uint32 maj_stat, min_stat; + gss_buffer_desc name_token; struct gensec_gssapi_state *gensec_gssapi_state; struct cli_credentials *machine_account;
@@ -177,7 +178,6 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi machine_account, gensec_gssapi_state->smb_krb5_context, &gensec_gssapi_state->keytab); - talloc_free(machine_account); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(3, ("Could not create memory keytab!\n")); talloc_free(machine_account);
@@ -185,9 +185,26 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi } } + name_token.value = cli_credentials_get_principal(machine_account, + machine_account); + name_token.length = strlen(name_token.value); + + maj_stat = gss_import_name (&min_stat, + &name_token, + GSS_C_NT_USER_NAME, + &gensec_gssapi_state->server_name); + talloc_free(machine_account); + + if (maj_stat) { + DEBUG(2, ("GSS Import name of %s failed: %s\n", + (char *)name_token.value, + gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat))); + return NT_STATUS_UNSUCCESSFUL; + } + maj_stat = gsskrb5_acquire_cred(&min_stat, gensec_gssapi_state->keytab, NULL, - NULL, + gensec_gssapi_state->server_name, GSS_C_INDEFINITE, GSS_C_NULL_OID_SET, GSS_C_ACCEPT,
diff --git a/source4/auth/kerberos/kerberos.c b/source4/auth/kerberos/kerberos.c
index 31e0c71c55..3935bfaf92 100644
--- a/source4/auth/kerberos/kerberos.c
+++ b/source4/auth/kerberos/kerberos.c
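Review bot: In the third gensec_gssapi.c hunk, `talloc_free(machine_account)` runs before the `if (maj_stat)` branch, yet that branch's DEBUG prints `(char *)name_token.value`, which `cli_credentials_get_principal(machine_account, machine_account)` allocated as a child of `machine_account`, so the failure path logs freed memory. `strlen(name_token.value)` is also reached without a NULL check, although the new `principal_from_credentials` in kerberos_util.c treats a NULL return from `cli_credentials_get_principal` as an error. Moving the free after the error check and failing early on a NULL principal addresses both; gensec_gssapi_server_start continues outside the hunk.
```c
	name_token.value = cli_credentials_get_principal(machine_account,
							 machine_account);
	if (name_token.value == NULL) {
		DEBUG(2, ("Could not determine the machine account principal\n"));
		talloc_free(machine_account);
		return NT_STATUS_UNSUCCESSFUL;
	}
	name_token.length = strlen(name_token.value);

	maj_stat = gss_import_name (&min_stat,
				    &name_token,
				    GSS_C_NT_USER_NAME,
				    &gensec_gssapi_state->server_name);
	if (maj_stat) {
		DEBUG(2, ("GSS Import name of %s failed: %s\n",
			  (char *)name_token.value,
			  gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
		talloc_free(machine_account);
		return NT_STATUS_UNSUCCESSFUL;
	}
	/* name_token.value lives on machine_account; release it only now */
	talloc_free(machine_account);

	/* … unchanged: gsskrb5_acquire_cred call … */
```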
@@ -69,35 +69,27 @@ kerb_prompter(krb5_context ctx, void *data, original password. */ int kerberos_kinit_keyblock_cc(krb5_context ctx, krb5_ccache cc, - const char *principal, krb5_keyblock *keyblock, + krb5_principal principal, krb5_keyblock *keyblock, time_t *expire_time, time_t *kdc_time) { krb5_error_code code = 0; - krb5_principal me; krb5_creds my_creds; krb5_get_init_creds_opt options; - if ((code = krb5_parse_name(ctx, principal, &me))) { - return code; - } - krb5_get_init_creds_opt_init(&options); - if ((code = krb5_get_init_creds_keyblock(ctx, &my_creds, me, keyblock, + if ((code = krb5_get_init_creds_keyblock(ctx, &my_creds, principal, keyblock, 0, NULL, &options))) { - krb5_free_principal(ctx, me); return code; } - if ((code = krb5_cc_initialize(ctx, cc, me))) { + if ((code = krb5_cc_initialize(ctx, cc, principal))) { krb5_free_cred_contents(ctx, &my_creds); - krb5_free_principal(ctx, me); return code; } if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) { krb5_free_cred_contents(ctx, &my_creds); - krb5_free_principal(ctx, me); return code; }
@@ -110,7 +102,6 @@ kerb_prompter(krb5_context ctx, void *data, } krb5_free_cred_contents(ctx, &my_creds); - krb5_free_principal(ctx, me); return 0; }
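Review bot: kerberos_kinit_keyblock_cc now takes a caller-supplied `krb5_principal` and, with every `krb5_free_principal(ctx, me)` removed, no longer owns it, but neither this hunk, the matching kerberos_kinit_password_cc hunk, nor the kerberos.h declarations state that lifetime contract. A comment above each prototype in kerberos.h such as `/* principal is borrowed: the caller keeps ownership and must keep it alive for the call; it is also used to initialise cc */` would make it explicit. The body of each function between its two hunks is outside the diff. Since a caller still passing a `const char *` would only draw an incompatible-pointer-type diagnostic rather than a hard error in C, it is worth confirming that no callers remain beyond the kerberos_util.c ones updated in this commit.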
@@ -120,36 +111,28 @@ kerb_prompter(krb5_context ctx, void *data, Orignally by remus@snapserver.com */ int kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc, - const char *principal, const char *password, - time_t *expire_time, time_t *kdc_time) + krb5_principal principal, const char *password, + time_t *expire_time, time_t *kdc_time) { krb5_error_code code = 0; - krb5_principal me; krb5_creds my_creds; krb5_get_init_creds_opt options; - if ((code = krb5_parse_name(ctx, principal, &me))) { - return code; - } - krb5_get_init_creds_opt_init(&options); - if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, password, + if ((code = krb5_get_init_creds_password(ctx, &my_creds, principal, password, kerb_prompter, NULL, 0, NULL, &options))) { - krb5_free_principal(ctx, me); return code; } - if ((code = krb5_cc_initialize(ctx, cc, me))) { + if ((code = krb5_cc_initialize(ctx, cc, principal))) { krb5_free_cred_contents(ctx, &my_creds); - krb5_free_principal(ctx, me); return code; } if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) { krb5_free_cred_contents(ctx, &my_creds); - krb5_free_principal(ctx, me); return code; }
@@ -162,7 +145,6 @@ kerb_prompter(krb5_context ctx, void *data, } krb5_free_cred_contents(ctx, &my_creds); - krb5_free_principal(ctx, me); return 0; }
diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h
index 8cc8e561ac..39bba5f46f 100644
--- a/source4/auth/kerberos/kerberos.h
+++ b/source4/auth/kerberos/kerberos.h
@@ -102,10 +102,10 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx, DATA_BLOB *ap_rep, krb5_keyblock **keyblock); int kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc, - const char *principal, const char *password, + krb5_principal principal, const char *password, time_t *expire_time, time_t *kdc_time); int kerberos_kinit_keyblock_cc(krb5_context ctx, krb5_ccache cc, - const char *principal, krb5_keyblock *keyblock, + krb5_principal principal, krb5_keyblock *keyblock, time_t *expire_time, time_t *kdc_time); krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context, krb5_principal host_princ,
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index 9dc8621b0e..922869af5c 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -87,7 +87,7 @@ krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx, cli_credentials_get_realm(machine_account), "host", salt_body, NULL); - if (ret != 0) { + if (ret == 0) { mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context); mem_ctx->principal = *salt_princ; talloc_set_destructor(mem_ctx, free_principal);
@@ -95,6 +95,36 @@ krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx, return ret; } +krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx, + struct cli_credentials *credentials, + struct smb_krb5_context *smb_krb5_context, + krb5_principal *princ) +{ + krb5_error_code ret; + const char *princ_string; + struct principal_container *mem_ctx = talloc(parent_ctx, struct principal_container); + if (!mem_ctx) { + return ENOMEM; + } + + princ_string = cli_credentials_get_principal(credentials, mem_ctx); + + if (!princ_string) { + talloc_free(mem_ctx); + return ENOMEM; + } + + ret = krb5_parse_name(smb_krb5_context->krb5_context, + princ_string, princ); + + if (ret == 0) { + mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context); + mem_ctx->principal = *princ; + talloc_set_destructor(mem_ctx, free_principal); + } + return ret; +} + /** * Return a freshly allocated ccache (destroyed by destructor on child * of parent_ctx), for a given set of client credentials
@@ -108,6 +138,7 @@ krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx, krb5_error_code ret; const char *password; time_t kdc_time = 0; + krb5_principal princ; TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
@@ -115,11 +146,17 @@ krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx, return ENOMEM; } + ret = principal_from_credentials(mem_ctx, credentials, smb_krb5_context, &princ); + if (ret) { + talloc_free(mem_ctx); + return ret; + } + password = cli_credentials_get_password(credentials); if (password) { ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, ccache, - cli_credentials_get_principal(credentials, mem_ctx), + princ, password, NULL, &kdc_time); } else { /* No password available, try to use a keyblock instead */
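Review bot: In the new principal_from_credentials, the `krb5_parse_name` failure path returns `ret` while `mem_ctx` stays allocated under `parent_ctx`, whereas the NULL-principal branch a few lines earlier frees it; the container is only useful once the destructor is registered, so the failure case should release it, e.g. `} else { talloc_free(mem_ctx); }` after the `if (ret == 0)` block (salt_principal_from_credentials, whose condition the previous hunk flips, has the same shape). Returning `ENOMEM` when `cli_credentials_get_principal` yields NULL also reports a missing principal as an allocation failure; whether a more specific code is available depends on what that API can return, which is not visible here. The ownership rule is worth stating above the function: `/* *princ is owned by a container allocated under parent_ctx and freed with it; callers must not krb5_free_principal it. */`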
@@ -139,7 +176,7 @@ krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx, if (ret == 0) { ret = kerberos_kinit_keyblock_cc(smb_krb5_context->krb5_context, ccache, - cli_credentials_get_principal(credentials, mem_ctx), + princ, &keyblock, NULL, &kdc_time); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &keyblock); }
@@ -191,12 +228,13 @@ static int free_keytab(void *ptr) { struct keytab_container *mem_ctx = talloc(parent_ctx, struct keytab_container); krb5_enctype *enctypes; krb5_principal salt_princ; + krb5_principal princ; if (!mem_ctx) { return NT_STATUS_NO_MEMORY; } - ret = krb5_kt_resolve(smb_krb5_context->krb5_context, "MEMORY_WILDCARD:", keytab); + ret = krb5_kt_resolve(smb_krb5_context->krb5_context, "MEMORY:", keytab); if (ret) { DEBUG(1,("failed to generate a new krb5 keytab: %s\n", error_message(ret)));
@@ -214,7 +252,18 @@ static int free_keytab(void *ptr) { &salt_princ); if (ret) { DEBUG(1,("create_memory_keytab: maksing salt principal failed (%s)\n", - error_message(ret))); + smb_get_krb5_error_message(smb_krb5_context->krb5_context, + ret, mem_ctx))); + talloc_free(mem_ctx); + return NT_STATUS_INTERNAL_ERROR; + } + + ret = principal_from_credentials(mem_ctx, machine_account, smb_krb5_context, &princ); + if (ret) { + DEBUG(1,("create_memory_keytab: maksing krb5 principal failed (%s)\n", + smb_get_krb5_error_message(smb_krb5_context->krb5_context, + ret, mem_ctx))); + talloc_free(mem_ctx); return NT_STATUS_INTERNAL_ERROR; }
@@ -243,7 +292,7 @@ static int free_keytab(void *ptr) { return NT_STATUS_INTERNAL_ERROR; } - entry.principal = salt_princ; + entry.principal = princ; entry.vno = cli_credentials_get_kvno(machine_account); ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, *keytab, &entry); if (ret) {
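Review bot: The newly added DEBUG string in the principal_from_credentials error branch of the `@@ -214,7 +252,18 @@` hunk copies the `maksing` typo from the salt-principal message above it; as the line is new, `"create_memory_keytab: making krb5 principal failed (%s)\n"` is the better spelling, and the older line could be corrected in the same touch. Switching `"MEMORY_WILDCARD:"` to `"MEMORY:"` in the `@@ -191,12 +228,13 @@` hunk presumably makes keytab lookups match on the stored principal (the removed `mktw_get_entry` passed NULL for it), which is why the later `entry.principal = princ` hunks matter; a comment at the resolve call, `/* MEMORY: matches entries by principal, so entries are added under princ rather than salt_princ */`, would keep that dependency visible. create_memory_keytab starts and ends outside these hunks.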
@@ -283,7 +332,7 @@ static int free_keytab(void *ptr) { return NT_STATUS_INTERNAL_ERROR; } - entry.principal = salt_princ; + entry.principal = princ; entry.vno = cli_credentials_get_kvno(machine_account); ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, *keytab, &entry); if (ret) {
diff --git a/source4/heimdal/lib/krb5/context.c b/source4/heimdal/lib/krb5/context.c
index 62fb92d666..4d6eae2b24 100644
--- a/source4/heimdal/lib/krb5/context.c
+++ b/source4/heimdal/lib/krb5/context.c
@@ -231,7 +231,6 @@ krb5_init_context(krb5_context *context) krb5_kt_register (p, &krb5_wrfkt_ops); krb5_kt_register (p, &krb5_javakt_ops); krb5_kt_register (p, &krb5_mkt_ops); - krb5_kt_register (p, &krb5_mktw_ops); krb5_kt_register (p, &krb5_akf_ops); krb5_kt_register (p, &krb4_fkt_ops); krb5_kt_register (p, &krb5_srvtab_fkt_ops);
diff --git a/source4/heimdal/lib/krb5/keytab_memory.c b/source4/heimdal/lib/krb5/keytab_memory.c
index 3dca5154e3..1d866fa11e 100644
--- a/source4/heimdal/lib/krb5/keytab_memory.c
+++ b/source4/heimdal/lib/krb5/keytab_memory.c
@@ -174,56 +174,3 @@ const krb5_kt_ops krb5_mkt_ops = { mkt_add_entry, mkt_remove_entry }; - -static krb5_error_code -mktw_get_entry(krb5_context context, - krb5_keytab id, - krb5_const_principal principal, - krb5_kvno kvno, - krb5_enctype enctype, - krb5_keytab_entry *entry) -{ - krb5_keytab_entry tmp; - krb5_error_code ret; - krb5_kt_cursor cursor; - - ret = krb5_kt_start_seq_get (context, id, &cursor); - if (ret) - return KRB5_KT_NOTFOUND; /* XXX i.e. file not found */ - - entry->vno = 0; - while (krb5_kt_next_entry(context, id, &tmp, &cursor) == 0) { - if (krb5_kt_compare(context, &tmp, NULL, 0, enctype)) { - if (kvno == tmp.vno) { - krb5_kt_copy_entry_contents (context, &tmp, entry); - krb5_kt_free_entry (context, &tmp); - krb5_kt_end_seq_get(context, id, &cursor); - return 0; - } else if (kvno == 0 && tmp.vno > entry->vno) { - if (entry->vno) - krb5_kt_free_entry (context, entry); - krb5_kt_copy_entry_contents (context, &tmp, entry); - } - } - krb5_kt_free_entry(context, &tmp); - } - krb5_kt_end_seq_get (context, id, &cursor); - if (entry->vno) { - return 0; - } else { - return KRB5_KT_NOTFOUND; - } -}; - -const krb5_kt_ops krb5_mktw_ops = { - "MEMORY_WILDCARD", - mkt_resolve, - mkt_get_name, - mkt_close, - mktw_get_entry, /* get */ - mkt_start_seq_get, - mkt_next_entry, - mkt_end_seq_get, - mkt_add_entry, - mkt_remove_entry -};
diff --git a/source4/heimdal/lib/krb5/krb5.h b/source4/heimdal/lib/krb5/krb5.h
index 5789bff205..c47c4450f1 100644
--- a/source4/heimdal/lib/krb5/krb5.h
+++ b/source4/heimdal/lib/krb5/krb5.h
@@ -698,7 +698,6 @@ extern const krb5_kt_ops krb5_fkt_ops; extern const krb5_kt_ops krb5_wrfkt_ops; extern const krb5_kt_ops krb5_javakt_ops; extern const krb5_kt_ops krb5_mkt_ops; -extern const krb5_kt_ops krb5_mktw_ops; extern const krb5_kt_ops krb5_akf_ops; extern const krb5_kt_ops krb4_fkt_ops; extern const krb5_kt_ops krb5_srvtab_fkt_ops; |