summaryrefslogtreecommitdiff
path: root/source4/auth/gensec
diff options
context:
space:
mode:
Diffstat (limited to 'source4/auth/gensec')
-rw-r--r--source4/auth/gensec/gensec_gssapi.c6
-rw-r--r--source4/auth/gensec/gensec_krb5.c69
2 files changed, 44 insertions, 31 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 9f796dc9d1..7094692fb2 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -1123,9 +1123,9 @@ static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_securit
return NT_STATUS_OK;
}
- maj_stat = gsskrb5_get_initiator_subkey(&min_stat,
- gensec_gssapi_state->gssapi_context,
- &subkey);
+ maj_stat = gsskrb5_get_subkey(&min_stat,
+ gensec_gssapi_state->gssapi_context,
+ &subkey);
if (maj_stat != 0) {
DEBUG(1, ("NO session key for this mech\n"));
return NT_STATUS_NO_USER_SESSION_KEY;
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 66d2801520..044c7df1de 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -427,48 +427,61 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
{
DATA_BLOB unwrapped_in;
DATA_BLOB unwrapped_out = data_blob(NULL, 0);
+ krb5_data inbuf, outbuf;
uint8_t tok_id[2];
+ struct keytab_container *keytab;
+ krb5_principal server_in_keytab;
if (!in.data) {
return NT_STATUS_INVALID_PARAMETER;
}
+ /* Grab the keytab, however generated */
+ ret = cli_credentials_get_keytab(gensec_get_credentials(gensec_security), &keytab);
+ if (ret) {
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+ /* This ensures we lookup the correct entry in that keytab */
+ ret = principal_from_credentials(out_mem_ctx, gensec_get_credentials(gensec_security),
+ gensec_krb5_state->smb_krb5_context,
+ &server_in_keytab);
+
+ if (ret) {
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
/* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */
if (gensec_krb5_state->gssapi
&& gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
- nt_status = ads_verify_ticket(out_mem_ctx,
- gensec_krb5_state->smb_krb5_context,
- &gensec_krb5_state->auth_context,
- gensec_get_credentials(gensec_security),
- gensec_get_target_service(gensec_security), &unwrapped_in,
- &gensec_krb5_state->ticket, &unwrapped_out,
- &gensec_krb5_state->keyblock);
+ inbuf.data = unwrapped_in.data;
+ inbuf.length = unwrapped_in.length;
} else {
- /* TODO: check the tok_id */
- nt_status = ads_verify_ticket(out_mem_ctx,
- gensec_krb5_state->smb_krb5_context,
- &gensec_krb5_state->auth_context,
- gensec_get_credentials(gensec_security),
- gensec_get_target_service(gensec_security),
- &in,
- &gensec_krb5_state->ticket, &unwrapped_out,
- &gensec_krb5_state->keyblock);
+ inbuf.data = in.data;
+ inbuf.length = in.length;
}
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
+ ret = smb_rd_req_return_stuff(gensec_krb5_state->smb_krb5_context->krb5_context,
+ &gensec_krb5_state->auth_context,
+ &inbuf, keytab->keytab, server_in_keytab,
+ &outbuf,
+ &gensec_krb5_state->ticket,
+ &gensec_krb5_state->keyblock);
- if (NT_STATUS_IS_OK(nt_status)) {
- gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
- /* wrap that up in a nice GSS-API wrapping */
- if (gensec_krb5_state->gssapi) {
- *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REP);
- } else {
- *out = unwrapped_out;
- }
+ if (ret) {
+ return NT_STATUS_LOGON_FAILURE;
}
- return nt_status;
+ unwrapped_out.data = outbuf.data;
+ unwrapped_out.length = outbuf.length;
+ gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
+ /* wrap that up in a nice GSS-API wrapping */
+ if (gensec_krb5_state->gssapi) {
+ *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REP);
+ } else {
+ *out = data_blob_talloc(out_mem_ctx, outbuf.data, outbuf.length);
+ }
+ krb5_data_free(&outbuf);
+ return NT_STATUS_OK;
}
case GENSEC_KRB5_DONE: