Diffstat (limited to 'source4/auth/gensec')
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 36 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_krb5.c | 12 |
2 files changed, 32 insertions, 16 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 51d59d9f21..4729ed6062 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -147,7 +147,6 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) { struct gensec_gssapi_state *gensec_gssapi_state; krb5_error_code ret; - struct gsskrb5_send_to_kdc send_to_kdc; const char *realm; gensec_gssapi_state = talloc(gensec_security, struct gensec_gssapi_state); @@ -209,7 +208,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) gensec_gssapi_state->pac = data_blob(NULL, 0); ret = smb_krb5_init_context(gensec_gssapi_state, - gensec_security->event_ctx, + NULL, gensec_security->settings->lp_ctx, &gensec_gssapi_state->smb_krb5_context); if (ret) { @@ -237,16 +236,6 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) talloc_set_destructor(gensec_gssapi_state, gensec_gssapi_destructor); - send_to_kdc.func = smb_krb5_send_and_recv_func; - send_to_kdc.ptr = gensec_security->event_ctx; - - ret = gsskrb5_set_send_to_kdc(&send_to_kdc); - if (ret) { - DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n")); - talloc_free(gensec_gssapi_state); - return NT_STATUS_INTERNAL_ERROR; - } - realm = lpcfg_realm(gensec_security->settings->lp_ctx); if (realm != NULL) { ret = gsskrb5_set_default_realm(realm); @@ -290,7 +279,6 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } else { ret = cli_credentials_get_server_gss_creds(machine_account, - gensec_security->event_ctx, gensec_security->settings->lp_ctx, &gcc); if (ret) { DEBUG(1, ("Aquiring acceptor credentials failed: %s\n", 
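Review bot: The literal `NULL` now passed as the event-context argument of `smb_krb5_init_context()` in gensec_gssapi_start has no explanation, so a reader cannot tell from the call that the context is deliberately created without one. A short comment above the call would cover it, for example `/* no event context at init; one is supplied only around gss_init_sec_context() in gensec_gssapi_update() */`. As far as this diff shows, the `gsskrb5_set_send_to_kdc()` call removed from start is re-added only in the GENSEC_CLIENT case, so the comment should also say whether the server role is meant to run without the hook. gensec_gssapi_start begins and ends outside the hunk.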
@@ -469,6 +457,17 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, switch (gensec_security->gensec_role) { case GENSEC_CLIENT: { + struct gsskrb5_send_to_kdc send_to_kdc; + krb5_error_code ret; + send_to_kdc.func = smb_krb5_send_and_recv_func; + send_to_kdc.ptr = gensec_security->event_ctx; + + min_stat = gsskrb5_set_send_to_kdc(&send_to_kdc); + if (min_stat) { + DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n")); + return NT_STATUS_INTERNAL_ERROR; + } + maj_stat = gss_init_sec_context(&min_stat, gensec_gssapi_state->client_cred->creds, &gensec_gssapi_state->gssapi_context, @@ -485,6 +484,16 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, if (gss_oid_p) { gensec_gssapi_state->gss_oid = gss_oid_p; } + + send_to_kdc.func = smb_krb5_send_and_recv_func; + send_to_kdc.ptr = NULL; + + ret = gsskrb5_set_send_to_kdc(&send_to_kdc); + if (ret) { + DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n")); + return NT_STATUS_INTERNAL_ERROR; + } + break; } case GENSEC_SERVER: @@ -1369,7 +1378,6 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi cli_credentials_set_anonymous(session_info->credentials); ret = cli_credentials_set_client_gss_creds(session_info->credentials, - gensec_security->event_ctx, gensec_security->settings->lp_ctx, gensec_gssapi_state->delegated_cred_handle, CRED_SPECIFIED, &error_string); diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c index a0d880f5b2..345ef361ed 100644 --- a/source4/auth/gensec/gensec_krb5.c +++ b/source4/auth/gensec/gensec_krb5.c 
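Review bot: In the GENSEC_CLIENT case of gensec_gssapi_update the result of the first `gsskrb5_set_send_to_kdc()` is stored in `min_stat`, although the same hunk declares `krb5_error_code ret` and the matching reset after `gss_init_sec_context()` uses `ret`. Writing `ret = gsskrb5_set_send_to_kdc(&send_to_kdc); if (ret) {` here as well keeps the two calls consistent and leaves `min_stat` to the GSS calls that take it as an out-parameter. Both new DEBUG lines also say `gensec_krb5_start:`, which sends whoever reads the log to the wrong file; `gensec_gssapi_update: gsskrb5_set_send_to_kdc failed` would match. The case body continues outside the hunk.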
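Review bot: When the reset call to `gsskrb5_set_send_to_kdc()` after `gss_init_sec_context()` fails, the new code returns `NT_STATUS_INTERNAL_ERROR` at once, which discards the `maj_stat` the GSS call just produced. Presumably it also leaves the hook still holding `gensec_security->event_ctx`. That retained pointer is what the reset appears to be there to prevent, so the intended lifetime should be written down next to `send_to_kdc.ptr = NULL;`, e.g. `/* the hook must not keep event_ctx once this call returns */` (wording to be confirmed against the real ownership rules). It would also help to say why `func` is set again rather than cleared. The surrounding switch continues outside the hunk.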
@@ -119,7 +119,6 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security, bool talloc_set_destructor(gensec_krb5_state, gensec_krb5_destroy); if (cli_credentials_get_krb5_context(creds, - gensec_security->event_ctx, gensec_security->settings->lp_ctx, &gensec_krb5_state->smb_krb5_context)) { talloc_free(gensec_krb5_state); return NT_STATUS_INTERNAL_ERROR; @@ -240,6 +239,7 @@ static NTSTATUS gensec_krb5_common_client_start(struct gensec_security *gensec_s const char *error_string; const char *principal; krb5_data in_data; + struct tevent_context *previous_ev; hostname = gensec_get_target_hostname(gensec_security); if (!hostname) { @@ -299,6 +299,12 @@ static NTSTATUS gensec_krb5_common_client_start(struct gensec_security *gensec_s } in_data.length = 0; + /* Do this every time, in case we have weird recursive issues here */ + ret = smb_krb5_context_set_event_ctx(gensec_krb5_state->smb_krb5_context, gensec_security->event_ctx, &previous_ev); + if (ret != 0) { + DEBUG(1, ("gensec_krb5_start: Setting event context failed\n")); + return NT_STATUS_NO_MEMORY; + } if (principal) { krb5_principal target_principal; ret = krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal, @@ -322,6 +328,9 @@ static NTSTATUS gensec_krb5_common_client_start(struct gensec_security *gensec_s &in_data, ccache_container->ccache, &gensec_krb5_state->enc_ticket); } + + smb_krb5_context_remove_event_ctx(gensec_krb5_state->smb_krb5_context, previous_ev, gensec_security->event_ctx); + switch (ret) { case 0: return NT_STATUS_OK; @@ -488,7 +497,6 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, /* Grab the keytab, however generated */ ret = cli_credentials_get_keytab(gensec_get_credentials(gensec_security), - gensec_security->event_ctx, gensec_security->settings->lp_ctx, &keytab); if (ret) { return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; |
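Review bot: A failure of `smb_krb5_context_set_event_ctx()` in gensec_krb5_common_client_start is always reported as `NT_STATUS_NO_MEMORY`, whatever `ret` was, and the DEBUG text names `gensec_krb5_start:` rather than the function it is in. Put the error in the message, e.g. `DEBUG(1, ("gensec_krb5_common_client_start: Setting event context failed (%d)\n", (int)ret));`, and keep the `NT_STATUS_NO_MEMORY` mapping only if allocation is the sole way the call can fail. The comment `Do this every time, in case we have weird recursive issues here` would be more useful if it said which recursion is meant. The function continues outside the hunk.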
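Review bot: The `smb_krb5_context_remove_event_ctx()` call added before the `switch (ret)` runs only on the fall-through path, and its result is not checked although the matching set call is. Any return between the two points (those lines are outside this diff) would leave `gensec_security->event_ctx` installed in the `smb_krb5_context` after the function exits, which is the stale-pointer situation the set/remove pairing is there to avoid. If the remove function reports failure, log it in a separate variable so that `ret`, which the following `switch` still needs, is not overwritten.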