diff options
Diffstat (limited to 'source4/auth/gensec/gensec_krb5.c')
-rw-r--r-- | source4/auth/gensec/gensec_krb5.c | 68 |
1 files changed, 41 insertions, 27 deletions
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c index 09bdec512d..f4ef36a24d 100644 --- a/source4/auth/gensec/gensec_krb5.c +++ b/source4/auth/gensec/gensec_krb5.c @@ -57,6 +57,7 @@ struct gensec_krb5_state { krb5_keyblock *keyblock; krb5_ticket *ticket; bool gssapi; + krb5_flags ap_req_options; }; static int gensec_krb5_destroy(struct gensec_krb5_state *gensec_krb5_state) @@ -88,7 +89,7 @@ static int gensec_krb5_destroy(struct gensec_krb5_state *gensec_krb5_state) return 0; } -static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security) +static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security, bool gssapi) { krb5_error_code ret; struct gensec_krb5_state *gensec_krb5_state; @@ -114,7 +115,7 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security) gensec_krb5_state->keyblock = NULL; gensec_krb5_state->session_key = data_blob(NULL, 0); gensec_krb5_state->pac = data_blob(NULL, 0); - gensec_krb5_state->gssapi = false; + gensec_krb5_state->gssapi = gssapi; talloc_set_destructor(gensec_krb5_state, gensec_krb5_destroy); @@ -186,12 +187,12 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security) return NT_STATUS_OK; } -static NTSTATUS gensec_krb5_server_start(struct gensec_security *gensec_security) +static NTSTATUS gensec_krb5_common_server_start(struct gensec_security *gensec_security, bool gssapi) { NTSTATUS nt_status; struct gensec_krb5_state *gensec_krb5_state; - nt_status = gensec_krb5_start(gensec_security); + nt_status = gensec_krb5_start(gensec_security, gssapi); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } @@ -202,26 +203,23 @@ static NTSTATUS gensec_krb5_server_start(struct gensec_security *gensec_security return NT_STATUS_OK; } -static NTSTATUS gensec_fake_gssapi_krb5_server_start(struct gensec_security *gensec_security) +static NTSTATUS gensec_krb5_server_start(struct gensec_security *gensec_security) { - NTSTATUS nt_status = gensec_krb5_server_start(gensec_security); + return gensec_krb5_common_server_start(gensec_security, false); +} - if (NT_STATUS_IS_OK(nt_status)) { - struct gensec_krb5_state *gensec_krb5_state; - gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data; - gensec_krb5_state->gssapi = true; - } - return nt_status; +static NTSTATUS gensec_fake_gssapi_krb5_server_start(struct gensec_security *gensec_security) +{ + return gensec_krb5_common_server_start(gensec_security, true); } -static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security) +static NTSTATUS gensec_krb5_common_client_start(struct gensec_security *gensec_security, bool gssapi) { struct gensec_krb5_state *gensec_krb5_state; krb5_error_code ret; NTSTATUS nt_status; struct ccache_container *ccache_container; const char *hostname; - krb5_flags ap_req_options = AP_OPTS_USE_SUBKEY | AP_OPTS_MUTUAL_REQUIRED; const char *principal; krb5_data in_data; @@ -240,13 +238,26 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security return NT_STATUS_INVALID_PARAMETER; } - nt_status = gensec_krb5_start(gensec_security); + nt_status = gensec_krb5_start(gensec_security, gssapi); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data; gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START; + gensec_krb5_state->ap_req_options = AP_OPTS_USE_SUBKEY; + + if (gensec_krb5_state->gssapi) { + /* The Fake GSSAPI modal emulates Samba3, which does not do mutual authentication */ + if (gensec_setting_bool(gensec_security->settings, "gensec_fake_gssapi_krb5", "mutual", false)) { + gensec_krb5_state->ap_req_options |= AP_OPTS_MUTUAL_REQUIRED; + } + } else { + /* The wrapping for KPASSWD (a user of the raw KRB5 API) should be mutually authenticated */ + if (gensec_setting_bool(gensec_security->settings, "gensec_krb5", "mutual", true)) { + gensec_krb5_state->ap_req_options |= AP_OPTS_MUTUAL_REQUIRED; + } + } principal = gensec_get_target_principal(gensec_security); @@ -274,7 +285,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security if (ret == 0) { ret = krb5_mk_req_exact(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->auth_context, - ap_req_options, + gensec_krb5_state->ap_req_options, target_principal, &in_data, ccache_container->ccache, &gensec_krb5_state->enc_ticket); @@ -284,7 +295,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security } else { ret = krb5_mk_req(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->auth_context, - ap_req_options, + gensec_krb5_state->ap_req_options, gensec_get_target_service(gensec_security), hostname, &in_data, ccache_container->ccache, @@ -328,16 +339,14 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security } } -static NTSTATUS gensec_fake_gssapi_krb5_client_start(struct gensec_security *gensec_security) +static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security) { - NTSTATUS nt_status = gensec_krb5_client_start(gensec_security); + return gensec_krb5_common_client_start(gensec_security, false); +} - if (NT_STATUS_IS_OK(nt_status)) { - struct gensec_krb5_state *gensec_krb5_state; - gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data; - gensec_krb5_state->gssapi = true; - } - return nt_status; +static NTSTATUS gensec_fake_gssapi_krb5_client_start(struct gensec_security *gensec_security) +{ + return gensec_krb5_common_client_start(gensec_security, true); } /** @@ -392,8 +401,13 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, } else { *out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->enc_ticket.data, gensec_krb5_state->enc_ticket.length); } - gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_MUTUAL_AUTH; - nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED; + if (gensec_krb5_state->ap_req_options & AP_OPTS_MUTUAL_REQUIRED) { + gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_MUTUAL_AUTH; + nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED; + } else { + gensec_krb5_state->state_position = GENSEC_KRB5_DONE; + nt_status = NT_STATUS_OK; + } return nt_status; } |