-rw-r--r--auth/kerberos/gssapi_pac.c14
-rw-r--r--source3/configure.in1
-rw-r--r--source3/wscript2
-rw-r--r--source4/heimdal_build/wscript_configure1
4 files changed, 13 insertions, 5 deletions
diff --git a/auth/kerberos/gssapi_pac.c b/auth/kerberos/gssapi_pac.c
index dd2fb7e0a7..d89a649ff2 100644
--- a/auth/kerberos/gssapi_pac.c
+++ b/auth/kerberos/gssapi_pac.c
@@ -38,20 +38,19 @@ NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
gss_name_t gss_client_name,
DATA_BLOB *pac_blob)
{
+ NTSTATUS status;
OM_uint32 gss_maj, gss_min;
- gss_buffer_set_t set = GSS_C_NO_BUFFER_SET;
+#ifdef HAVE_GSS_GET_NAME_ATTRIBUTE
gss_buffer_desc pac_buffer;
gss_buffer_desc pac_display_buffer;
gss_buffer_desc pac_name = {
.value = "urn:mspac:",
.length = sizeof("urn:mspac:")-1
};
- NTSTATUS status;
int more = -1;
int authenticated = false;
int complete = false;
-#ifdef HAVE_GSS_GET_NAME_ATTRIBUTE
gss_maj = gss_get_name_attribute(
&gss_min, gss_client_name, &pac_name,
&authenticated, &complete,
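Review bot: `status`, `gss_maj` and `gss_min` are now declared ahead of the `#ifdef`, so a build that takes the new `#else` branch (neither feature macro defined) compiles them as unused locals. That would fail any build that treats warnings as errors. Declaring them inside the branches that use them, next to `pac_buffer` and `set`, would keep the fallback build clean. Whether `status` is used in the `gss_get_name_attribute` branch cannot be seen here, because the function body continues outside this hunk.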
@@ -83,7 +82,10 @@ NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
return NT_STATUS_ACCESS_DENIED;
}
-#endif
+#elif defined(HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID)
+
+ gss_buffer_set_t set = GSS_C_NO_BUFFER_SET;
+
/* If we didn't have the routine to get a verified, validated
* PAC (supplied only by MIT at the time of writing), then try
* with the Heimdal OID (fetches the PAC directly and always
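Review bot: The `#elif` makes the two PAC sources mutually exclusive at compile time, and the code should say so, because the branches are selected on different grounds. The first branch receives `authenticated` and `complete` from `gss_get_name_attribute` (presumably checked further down), while this one is chosen only because the symbol `gss_inquire_sec_context_by_oid` exists. Symbol presence does not show that the linked library honours the OID queried below, outside this hunk. The existing comment could gain a line such as `/* Selected on symbol presence only; if the library rejects the OID we must return ACCESS_DENIED. */`. It is also worth confirming that every failure exit in this branch returns an error status and never leaves `pac_blob` empty on success.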
@@ -118,6 +120,10 @@ NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
gss_maj = gss_release_buffer_set(&gss_min, &set);
return status;
}
+#else
+ DEBUG(1, ("unable to obtain a PAC against this GSSAPI library. "
+ "GSSAPI secured connections are available only with Heimdal or MIT Kerberos >= 1.8\n"));
+#endif
return NT_STATUS_ACCESS_DENIED;
}
#endif
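Review bot: The new `#else` branch fails closed by falling through to `return NT_STATUS_ACCESS_DENIED;`, which is the right default, but nothing in the code states that intent. A comment above the `DEBUG` such as `/* No PAC source compiled in: deny rather than proceed without a PAC. */` would stop a later edit from turning this into a soft failure. The only operator-visible signal is a level-1 message repeated on every call, so a build with neither function is discovered at runtime. A warning from the configure checks when both functions are missing would surface it earlier. The final `#endif` closes a conditional opened outside this hunk.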
diff --git a/source3/configure.in b/source3/configure.in
index a463aa910d..3624c25e62 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -3871,6 +3871,7 @@ if test x"$with_ads_support" != x"no"; then
AC_CHECK_FUNC_EXT(gss_krb5_import_cred, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(gss_get_name_attribute, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(gss_oid_equal, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(gss_inquire_sec_context_by_oid, $KRB5_LIBS)
# MIT krb5 1.8 does not expose this call (yet)
AC_CHECK_DECLS(krb5_get_credentials_for_user, [], [], [#include <krb5.h>])
diff --git a/source3/wscript b/source3/wscript
index cdafc1683a..d9cc0c6124 100644
--- a/source3/wscript
+++ b/source3/wscript
@@ -632,7 +632,7 @@ msg.msg_acctrightslen = sizeof(fd);
if conf.CHECK_FUNCS_IN('gss_display_status', 'gssapi') or \
conf.CHECK_FUNCS_IN('gss_display_status', 'gssapi_krb5'):
have_gssapi=True
- conf.CHECK_FUNCS_IN('gss_wrap_iov gss_krb5_import_cred gss_get_name_attribute gss_oid_equal', 'gssapi gssapi_krb5 krb5')
+ conf.CHECK_FUNCS_IN('gss_wrap_iov gss_krb5_import_cred gss_get_name_attribute gss_oid_equal gss_inquire_sec_context_by_oid', 'gssapi gssapi_krb5 krb5')
conf.CHECK_FUNCS_IN('krb5_mk_req_extended krb5_kt_compare', 'krb5')
conf.CHECK_FUNCS('''
krb5_set_real_time krb5_set_default_in_tkt_etypes krb5_set_default_tgs_enctypes
diff --git a/source4/heimdal_build/wscript_configure b/source4/heimdal_build/wscript_configure
index f96c683baf..cd2a70f320 100644
--- a/source4/heimdal_build/wscript_configure
+++ b/source4/heimdal_build/wscript_configure
@@ -83,6 +83,7 @@ conf.define('HAVE_GSS_DISPLAY_STATUS', 1)
conf.define('HAVE_GSS_WRAP_IOV', 1)
conf.define('HAVE_GSS_KRB5_IMPORT_CRED', 1)
conf.define('HAVE_GSS_OID_EQUAL', 1)
+conf.define('HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID', 1)
conf.define('HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT', 1)
conf.define('HAVE_LIBGSSAPI', 1)
conf.define('HAVE_ADDR_TYPE_IN_KRB5_ADDRESS', 1)