summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/configure.in1
-rw-r--r--source3/librpc/crypto/gse.c50
-rw-r--r--source3/librpc/crypto/gse.h1
-rw-r--r--source3/rpc_server/dcesrv_gssapi.c2
-rw-r--r--source3/wscript2
5 files changed, 32 insertions, 24 deletions
diff --git a/source3/configure.in b/source3/configure.in
index c9518280c7..b2c1856bec 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -3860,6 +3860,7 @@ if test x"$with_ads_support" != x"no"; then
AC_CHECK_FUNC_EXT(krb5_get_credentials_for_user, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_get_host_realm, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_free_host_realm, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(gss_krb5_import_cred, $KRB5_LIBS)
# MIT krb5 1.8 does not expose this call (yet)
AC_CHECK_DECLS(krb5_get_credentials_for_user, [], [], [#include <krb5.h>])
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 6e3066a9d0..0d9eead082 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -342,15 +342,14 @@ done:
NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
bool do_sign, bool do_seal,
uint32_t add_gss_c_flags,
- const char *keytab_name,
struct gse_context **_gse_ctx)
{
struct gse_context *gse_ctx;
OM_uint32 gss_maj, gss_min;
- gss_OID_set_desc mech_set;
krb5_error_code ret;
- const char *ktname;
NTSTATUS status;
+ const char *ktname;
+ gss_OID_set_desc mech_set;
status = gse_context_init(mem_ctx, do_sign, do_seal,
NULL, add_gss_c_flags, &gse_ctx);
@@ -358,27 +357,36 @@ NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
- if (!keytab_name) {
- ret = gse_krb5_get_server_keytab(gse_ctx->k5ctx,
- &gse_ctx->keytab);
- if (ret) {
- status = NT_STATUS_INTERNAL_ERROR;
- goto done;
- }
- ret = smb_krb5_keytab_name(gse_ctx, gse_ctx->k5ctx,
- gse_ctx->keytab, &ktname);
- if (ret) {
- status = NT_STATUS_INTERNAL_ERROR;
- goto done;
- }
- } else {
- ktname = keytab_name;
+ ret = gse_krb5_get_server_keytab(gse_ctx->k5ctx,
+ &gse_ctx->keytab);
+ if (ret) {
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto done;
}
+#ifdef HAVE_GSS_KRB5_IMPORT_CRED
+ /* This creates a GSSAPI cred_id_t with the principal and keytab set */
+ gss_maj = gss_krb5_import_cred(&gss_min, NULL, NULL, gse_ctx->keytab,
+ &gse_ctx->creds);
+ if (gss_maj) {
+ DEBUG(0, ("gss_krb5_import_cred failed with [%s]\n",
+ gse_errstr(gse_ctx, gss_maj, gss_min)));
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto done;
+ }
+#else
/* FIXME!!!
* This call sets the default keytab for the whole server, not
* just for this context. Need to find a way that does not alter
* the state of the whole server ... */
+
+ ret = smb_krb5_keytab_name(gse_ctx, gse_ctx->k5ctx,
+ gse_ctx->keytab, &ktname);
+ if (ret) {
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto done;
+ }
+
ret = gsskrb5_register_acceptor_identity(ktname);
if (ret) {
status = NT_STATUS_INTERNAL_ERROR;
@@ -387,7 +395,7 @@ NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
mech_set.count = 1;
mech_set.elements = &gse_ctx->gss_mech;
-
+
gss_maj = gss_acquire_cred(&gss_min,
GSS_C_NO_NAME,
GSS_C_INDEFINITE,
@@ -395,13 +403,14 @@ NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
GSS_C_ACCEPT,
&gse_ctx->creds,
NULL, NULL);
+
if (gss_maj) {
DEBUG(0, ("gss_acquire_creds failed with [%s]\n",
gse_errstr(gse_ctx, gss_maj, gss_min)));
status = NT_STATUS_INTERNAL_ERROR;
goto done;
}
-
+#endif
status = NT_STATUS_OK;
done:
@@ -932,7 +941,6 @@ NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
bool do_sign, bool do_seal,
uint32_t add_gss_c_flags,
- const char *keytab,
struct gse_context **_gse_ctx)
{
return NT_STATUS_NOT_IMPLEMENTED;
diff --git a/source3/librpc/crypto/gse.h b/source3/librpc/crypto/gse.h
index a6d9a35a7f..fbcf5b6e10 100644
--- a/source3/librpc/crypto/gse.h
+++ b/source3/librpc/crypto/gse.h
@@ -42,7 +42,6 @@ NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
bool do_sign, bool do_seal,
uint32_t add_gss_c_flags,
- const char *keytab,
struct gse_context **_gse_ctx);
NTSTATUS gse_get_server_auth_token(TALLOC_CTX *mem_ctx,
struct gse_context *gse_ctx,
diff --git a/source3/rpc_server/dcesrv_gssapi.c b/source3/rpc_server/dcesrv_gssapi.c
index c8a015e066..ec02459633 100644
--- a/source3/rpc_server/dcesrv_gssapi.c
+++ b/source3/rpc_server/dcesrv_gssapi.c
@@ -47,7 +47,7 @@ NTSTATUS gssapi_server_auth_start(TALLOC_CTX *mem_ctx,
/* by passing NULL, the code will attempt to set a default
* keytab based on configuration options */
status = gse_init_server(mem_ctx, do_sign, do_seal,
- add_flags, NULL, &gse_ctx);
+ add_flags, &gse_ctx);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to init dcerpc gssapi server (%s)\n",
nt_errstr(status)));
diff --git a/source3/wscript b/source3/wscript
index 2d454c57fa..673fdf30b9 100644
--- a/source3/wscript
+++ b/source3/wscript
@@ -630,7 +630,7 @@ msg.msg_acctrightslen = sizeof(fd);
if conf.CHECK_FUNCS_IN('gss_display_status', 'gssapi') or \
conf.CHECK_FUNCS_IN('gss_display_status', 'gssapi_krb5'):
have_gssapi=True
- conf.CHECK_FUNCS_IN('gss_wrap_iov', 'gssapi gssapi_krb5 krb5')
+ conf.CHECK_FUNCS_IN('gss_wrap_iov gss_krb5_import_cred', 'gssapi gssapi_krb5 krb5')
conf.CHECK_FUNCS_IN('krb5_mk_req_extended krb5_kt_compare', 'krb5')
conf.CHECK_FUNCS('''
krb5_set_real_time krb5_set_default_in_tkt_etypes krb5_set_default_tgs_enctypes