diff options
| -rw-r--r-- | source4/auth/auth_util.c | 34 | ||||
| -rw-r--r-- | source4/auth/credentials/credentials_krb5.c | 61 |
2 files changed, 64 insertions, 31 deletions
diff --git a/source4/auth/auth_util.c b/source4/auth/auth_util.c index d4a2fa93e8..649928ac9b 100644 --- a/source4/auth/auth_util.c +++ b/source4/auth/auth_util.c @@ -581,8 +581,9 @@ struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx) return session_info; } -NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx, - struct auth_session_info **_session_info) +static NTSTATUS _auth_system_session_info(TALLOC_CTX *parent_ctx, + BOOL anonymous_credentials, + struct auth_session_info **_session_info) { NTSTATUS nt_status; struct auth_serversupplied_info *server_info = NULL; @@ -609,7 +610,7 @@ NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx, cli_credentials_set_conf(session_info->credentials); - if (lp_parm_bool(-1,"system","anonymous", False)) { + if (anonymous_credentials) { cli_credentials_set_anonymous(session_info->credentials); } else { cli_credentials_set_machine_account_pending(session_info->credentials); @@ -619,11 +620,36 @@ NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx, return NT_STATUS_OK; } +_PUBLIC_ NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx, + struct auth_session_info **_session_info) +{ + return _auth_system_session_info(parent_ctx, lp_parm_bool(-1,"system","anonymous", False), + _session_info); +} + +/* + Create a system session, with machine account credentials +*/ _PUBLIC_ struct auth_session_info *system_session(TALLOC_CTX *mem_ctx) { NTSTATUS nt_status; struct auth_session_info *session_info = NULL; - nt_status = auth_system_session_info(mem_ctx, &session_info); + nt_status = auth_system_session_info(mem_ctx, + &session_info); + if (!NT_STATUS_IS_OK(nt_status)) { + return NULL; + } + return session_info; +} + +/* + Create a system session, but with anonymous credentials (so we do not need to open secrets.ldb) +*/ +_PUBLIC_ struct auth_session_info *system_session_anon(TALLOC_CTX *mem_ctx) +{ + NTSTATUS nt_status; + struct auth_session_info *session_info = NULL; + nt_status = _auth_system_session_info(mem_ctx, False, &session_info); if (!NT_STATUS_IS_OK(nt_status)) { return NULL; } diff --git a/source4/auth/credentials/credentials_krb5.c b/source4/auth/credentials/credentials_krb5.c index 2f0ca35d76..06308a09ff 100644 --- a/source4/auth/credentials/credentials_krb5.c +++ b/source4/auth/credentials/credentials_krb5.c @@ -60,7 +60,8 @@ NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred, return NT_STATUS_OK; } -int cli_credentials_set_from_ccache(struct cli_credentials *cred, +static int cli_credentials_set_from_ccache(struct cli_credentials *cred, + struct ccache_container *ccache, enum credentials_obtained obtained) { @@ -73,37 +74,37 @@ int cli_credentials_set_from_ccache(struct cli_credentials *cred, return 0; } - ret = krb5_cc_get_principal(cred->ccache->smb_krb5_context->krb5_context, - cred->ccache->ccache, &princ); + ret = krb5_cc_get_principal(ccache->smb_krb5_context->krb5_context, + ccache->ccache, &princ); if (ret) { - char *err_mess = smb_get_krb5_error_message(cred->ccache->smb_krb5_context->krb5_context, ret, cred); + char *err_mess = smb_get_krb5_error_message(ccache->smb_krb5_context->krb5_context, + ret, cred); DEBUG(1,("failed to get principal from ccache: %s\n", err_mess)); talloc_free(err_mess); return ret; } - ret = krb5_unparse_name(cred->ccache->smb_krb5_context->krb5_context, princ, &name); + ret = krb5_unparse_name(ccache->smb_krb5_context->krb5_context, princ, &name); if (ret) { - char *err_mess = smb_get_krb5_error_message(cred->ccache->smb_krb5_context->krb5_context, ret, cred); + char *err_mess = smb_get_krb5_error_message(ccache->smb_krb5_context->krb5_context, ret, cred); DEBUG(1,("failed to unparse principal from ccache: %s\n", err_mess)); talloc_free(err_mess); return ret; } - realm = krb5_princ_realm(cred->ccache->smb_krb5_context->krb5_context, princ); + realm = krb5_princ_realm(ccache->smb_krb5_context->krb5_context, princ); cli_credentials_set_principal(cred, name, obtained); free(name); - krb5_free_principal(cred->ccache->smb_krb5_context->krb5_context, princ); + krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ); /* set the ccache_obtained here, as it just got set to UNINITIALISED by the calls above */ cred->ccache_obtained = obtained; - cli_credentials_invalidate_client_gss_creds(cred, cred->ccache_obtained); return 0; } @@ -181,20 +182,22 @@ int cli_credentials_set_ccache(struct cli_credentials *cred, krb5_free_principal(ccc->smb_krb5_context->krb5_context, princ); - cred->ccache = ccc; - talloc_steal(cred, ccc); - - ret = cli_credentials_set_from_ccache(cred, obtained); + ret = cli_credentials_set_from_ccache(cred, ccc, obtained); if (ret) { return ret; } + cred->ccache = ccc; + cred->ccache_obtained = obtained; + talloc_steal(cred, ccc); + + cli_credentials_invalidate_client_gss_creds(cred, cred->ccache_obtained); return 0; } -int cli_credentials_new_ccache(struct cli_credentials *cred, struct ccache_container **_ccc) +static int cli_credentials_new_ccache(struct cli_credentials *cred, struct ccache_container **_ccc) { krb5_error_code ret; char *rand_string; @@ -241,17 +244,10 @@ int cli_credentials_new_ccache(struct cli_credentials *cred, struct ccache_conta talloc_set_destructor(ccc, free_mccache); - cred->ccache = ccc; - talloc_steal(cred, ccc); talloc_free(ccache_name); - if (_ccc) { - *_ccc = ccc; - } + *_ccc = ccc; - cred->ccache_obtained = (MAX(MAX(cred->principal_obtained, - cred->username_obtained), - cred->password_obtained)); return ret; } @@ -272,20 +268,27 @@ int cli_credentials_get_ccache(struct cli_credentials *cred, return EINVAL; } - ret = cli_credentials_new_ccache(cred, NULL); + ret = cli_credentials_new_ccache(cred, ccc); if (ret) { return ret; } - ret = kinit_to_ccache(cred, cred, cred->ccache->smb_krb5_context, cred->ccache->ccache); + + ret = kinit_to_ccache(cred, cred, (*ccc)->smb_krb5_context, (*ccc)->ccache); if (ret) { return ret; } - ret = cli_credentials_set_from_ccache(cred, cred->principal_obtained); + ret = cli_credentials_set_from_ccache(cred, *ccc, + (MAX(MAX(cred->principal_obtained, + cred->username_obtained), + cred->password_obtained))); + + cred->ccache = *ccc; + cred->ccache_obtained = cred->principal_obtained; if (ret) { return ret; } - *ccc = cred->ccache; + cli_credentials_invalidate_client_gss_creds(cred, cred->ccache_obtained); return ret; } @@ -297,6 +300,7 @@ void cli_credentials_invalidate_client_gss_creds(struct cli_credentials *cred, if (obtained >= cred->client_gss_creds_obtained) { if (cred->client_gss_creds_obtained > CRED_UNINITIALISED) { talloc_free(cred->client_gss_creds); + cred->client_gss_creds = NULL; } cred->client_gss_creds_obtained = CRED_UNINITIALISED; } @@ -317,6 +321,7 @@ void cli_credentials_invalidate_ccache(struct cli_credentials *cred, if (obtained >= cred->ccache_obtained) { if (cred->ccache_obtained > CRED_UNINITIALISED) { talloc_free(cred->ccache); + cred->ccache = NULL; } cred->ccache_obtained = CRED_UNINITIALISED; } @@ -424,8 +429,10 @@ int cli_credentials_set_client_gss_creds(struct cli_credentials *cred, } if (ret == 0) { - ret = cli_credentials_set_from_ccache(cred, obtained); + ret = cli_credentials_set_from_ccache(cred, ccc, obtained); } + cred->ccache = ccc; + cred->ccache_obtained = obtained; if (ret == 0) { gcc->creds = gssapi_cred; talloc_set_destructor(gcc, free_gssapi_creds); |