-rw-r--r-- | auth/credentials/credentials_krb5.c | 11 | ||||
-rw-r--r-- | source4/auth/kerberos/kerberos.h | 1 | ||||
-rw-r--r-- | source4/auth/kerberos/kerberos_util.c | 1 |
3 files changed, 10 insertions, 3 deletions
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 2a23688ffd..459e9487f4 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -717,6 +717,11 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred, cred->keytab_obtained = (MAX(cred->principal_obtained, cred->username_obtained)); + /* We make this keytab up based on a password. Therefore + * match-by-key is acceptable, we can't match on the wrong + * principal */ + ktc->password_based = true; + talloc_steal(cred, ktc); cred->keytab = ktc; *_ktc = cred->keytab;
@@ -818,12 +823,12 @@ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred, return ENOMEM; } - if (obtained < CRED_SPECIFIED) { - /* This creates a GSSAPI cred_id_t with the principal and keytab set */ + if (ktc->password_based || obtained < CRED_SPECIFIED) { + /* This creates a GSSAPI cred_id_t for match-by-key with only the keytab set */ maj_stat = gss_krb5_import_cred(&min_stat, NULL, NULL, ktc->keytab, &gcc->creds); } else { - /* This creates a GSSAPI cred_id_t with the principal and keytab set */ + /* This creates a GSSAPI cred_id_t with the principal and keytab set, matching by name */ maj_stat = gss_krb5_import_cred(&min_stat, NULL, princ, ktc->keytab, &gcc->creds); }
diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h
index 51b80556bf..45975f16f3 100644
--- a/source4/auth/kerberos/kerberos.h
+++ b/source4/auth/kerberos/kerberos.h
@@ -40,6 +40,7 @@ struct ccache_container { struct keytab_container { struct smb_krb5_context *smb_krb5_context; krb5_keytab keytab; + bool password_based; }; /* not really ASN.1, but RFC 1964 */
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index 17ae99c6cd..b65a2adc5e 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
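Review bot: In the second hunk of credentials_krb5.c (cli_credentials_get_server_gss_creds), the condition `ktc->password_based || obtained < CRED_SPECIFIED` sends two different cases down the NULL-principal path, while the updated comment says only that the credential is "for match-by-key". With no principal passed to gss_krb5_import_cred the acceptor is not restricted by name, so which tickets are accepted depends entirely on which keys the keytab holds. The reason that is acceptable for a password-derived keytab is given only in cli_credentials_get_keytab, and it appears to rest on that keytab holding keys for this one account only. I would state it at the decision point, e.g. `/* No principal: accept any ticket that decrypts with a key in this keytab. Acceptable when password_based because the keytab was generated from this account's password. */`. The function starts and ends outside the hunk, so the handling of maj_stat could not be checked.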
@@ -378,6 +378,7 @@ krb5_error_code smb_krb5_get_keytab_container(TALLOC_CTX *mem_ctx, (*ktc)->smb_krb5_context = talloc_reference(*ktc, smb_krb5_context); (*ktc)->keytab = keytab; + (*ktc)->password_based = false; talloc_set_destructor(*ktc, free_keytab_container); return 0; |
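Review bot: `(*ktc)->password_based = false;` initialises the new field only for containers built by smb_krb5_get_keytab_container, and the explicit assignment suggests the container is not zero-allocated (the allocation is above the hunk and not visible). Any other site that allocates a struct keytab_container would leave the flag indeterminate, and `ktc->password_based || obtained < CRED_SPECIFIED` in cli_credentials_get_server_gss_creds would then choose between match-by-key and match-by-name unpredictably. It is worth checking for other allocation sites, or allocating the container with talloc_zero so that the safe default does not depend on each caller. The field added in kerberos.h also has no comment; something like `/* true if the keytab was generated from the account password, so match-by-key is acceptable */` would record what the flag controls.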