diff options
Diffstat (limited to 'source3')
| -rw-r--r-- | source3/configure.in | 1 | ||||
| -rw-r--r-- | source3/librpc/crypto/gse.c | 50 | ||||
| -rw-r--r-- | source3/librpc/crypto/gse.h | 1 | ||||
| -rw-r--r-- | source3/rpc_server/dcesrv_gssapi.c | 2 | ||||
| -rw-r--r-- | source3/wscript | 2 |
5 files changed, 32 insertions, 24 deletions
diff --git a/source3/configure.in b/source3/configure.in index c9518280c7..b2c1856bec 100644 --- a/source3/configure.in +++ b/source3/configure.in @@ -3860,6 +3860,7 @@ if test x"$with_ads_support" != x"no"; then AC_CHECK_FUNC_EXT(krb5_get_credentials_for_user, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_get_host_realm, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_free_host_realm, $KRB5_LIBS) + AC_CHECK_FUNC_EXT(gss_krb5_import_cred, $KRB5_LIBS) # MIT krb5 1.8 does not expose this call (yet) AC_CHECK_DECLS(krb5_get_credentials_for_user, [], [], [#include <krb5.h>]) diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c index 6e3066a9d0..0d9eead082 100644 --- a/source3/librpc/crypto/gse.c +++ b/source3/librpc/crypto/gse.c @@ -342,15 +342,14 @@ done: NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx, bool do_sign, bool do_seal, uint32_t add_gss_c_flags, - const char *keytab_name, struct gse_context **_gse_ctx) { struct gse_context *gse_ctx; OM_uint32 gss_maj, gss_min; - gss_OID_set_desc mech_set; krb5_error_code ret; - const char *ktname; NTSTATUS status; + const char *ktname; + gss_OID_set_desc mech_set; status = gse_context_init(mem_ctx, do_sign, do_seal, NULL, add_gss_c_flags, &gse_ctx); @@ -358,27 +357,36 @@ NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - if (!keytab_name) { - ret = gse_krb5_get_server_keytab(gse_ctx->k5ctx, - &gse_ctx->keytab); - if (ret) { - status = NT_STATUS_INTERNAL_ERROR; - goto done; - } - ret = smb_krb5_keytab_name(gse_ctx, gse_ctx->k5ctx, - gse_ctx->keytab, &ktname); - if (ret) { - status = NT_STATUS_INTERNAL_ERROR; - goto done; - } - } else { - ktname = keytab_name; + ret = gse_krb5_get_server_keytab(gse_ctx->k5ctx, + &gse_ctx->keytab); + if (ret) { + status = NT_STATUS_INTERNAL_ERROR; + goto done; } +#ifdef HAVE_GSS_KRB5_IMPORT_CRED + /* This creates a GSSAPI cred_id_t with the principal and keytab set */ + gss_maj = gss_krb5_import_cred(&gss_min, NULL, NULL, gse_ctx->keytab, + &gse_ctx->creds); + if (gss_maj) { + DEBUG(0, ("gss_krb5_import_cred failed with [%s]\n", + gse_errstr(gse_ctx, gss_maj, gss_min))); + status = NT_STATUS_INTERNAL_ERROR; + goto done; + } +#else /* FIXME!!! * This call sets the default keytab for the whole server, not * just for this context. Need to find a way that does not alter * the state of the whole server ... */ + + ret = smb_krb5_keytab_name(gse_ctx, gse_ctx->k5ctx, + gse_ctx->keytab, &ktname); + if (ret) { + status = NT_STATUS_INTERNAL_ERROR; + goto done; + } + ret = gsskrb5_register_acceptor_identity(ktname); if (ret) { status = NT_STATUS_INTERNAL_ERROR; @@ -387,7 +395,7 @@ NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx, mech_set.count = 1; mech_set.elements = &gse_ctx->gss_mech; - + gss_maj = gss_acquire_cred(&gss_min, GSS_C_NO_NAME, GSS_C_INDEFINITE, @@ -395,13 +403,14 @@ NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx, GSS_C_ACCEPT, &gse_ctx->creds, NULL, NULL); + if (gss_maj) { DEBUG(0, ("gss_acquire_creds failed with [%s]\n", gse_errstr(gse_ctx, gss_maj, gss_min))); status = NT_STATUS_INTERNAL_ERROR; goto done; } - +#endif status = NT_STATUS_OK; done: @@ -932,7 +941,6 @@ NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx, NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx, bool do_sign, bool do_seal, uint32_t add_gss_c_flags, - const char *keytab, struct gse_context **_gse_ctx) { return NT_STATUS_NOT_IMPLEMENTED; diff --git a/source3/librpc/crypto/gse.h b/source3/librpc/crypto/gse.h index a6d9a35a7f..fbcf5b6e10 100644 --- a/source3/librpc/crypto/gse.h +++ b/source3/librpc/crypto/gse.h @@ -42,7 +42,6 @@ NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx, NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx, bool do_sign, bool do_seal, uint32_t add_gss_c_flags, - const char *keytab, struct gse_context **_gse_ctx); NTSTATUS gse_get_server_auth_token(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx, diff --git a/source3/rpc_server/dcesrv_gssapi.c b/source3/rpc_server/dcesrv_gssapi.c index c8a015e066..ec02459633 100644 --- a/source3/rpc_server/dcesrv_gssapi.c +++ b/source3/rpc_server/dcesrv_gssapi.c @@ -47,7 +47,7 @@ NTSTATUS gssapi_server_auth_start(TALLOC_CTX *mem_ctx, /* by passing NULL, the code will attempt to set a default * keytab based on configuration options */ status = gse_init_server(mem_ctx, do_sign, do_seal, - add_flags, NULL, &gse_ctx); + add_flags, &gse_ctx); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("Failed to init dcerpc gssapi server (%s)\n", nt_errstr(status))); diff --git a/source3/wscript b/source3/wscript index 2d454c57fa..673fdf30b9 100644 --- a/source3/wscript +++ b/source3/wscript @@ -630,7 +630,7 @@ msg.msg_acctrightslen = sizeof(fd); if conf.CHECK_FUNCS_IN('gss_display_status', 'gssapi') or \ conf.CHECK_FUNCS_IN('gss_display_status', 'gssapi_krb5'): have_gssapi=True - conf.CHECK_FUNCS_IN('gss_wrap_iov', 'gssapi gssapi_krb5 krb5') + conf.CHECK_FUNCS_IN('gss_wrap_iov gss_krb5_import_cred', 'gssapi gssapi_krb5 krb5') conf.CHECK_FUNCS_IN('krb5_mk_req_extended krb5_kt_compare', 'krb5') conf.CHECK_FUNCS(''' krb5_set_real_time krb5_set_default_in_tkt_etypes krb5_set_default_tgs_enctypes |