Diffstat (limited to 'source4/auth')
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 18 | ||||
-rw-r--r-- | source4/auth/gensec/schannel_state.c | 23 | ||||
-rw-r--r-- | source4/auth/kerberos/kerberos.m4 | 2 |
3 files changed, 11 insertions, 32 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index e57739c85c..d186e3ed1f 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -32,9 +32,6 @@
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_AUTH
 
-static const gss_OID_desc gensec_gss_krb5_mechanism_oid_desc =
- {9, (void *)discard_const_p(char, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02")};
-
 struct gensec_gssapi_state {
 gss_ctx_id_t gssapi_context;
 struct gss_channel_bindings_struct *input_chan_bindings;
@@ -162,7 +159,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
 #endif
 }
 
- gensec_gssapi_state->gss_oid = &gensec_gss_krb5_mechanism_oid_desc;
+ gensec_gssapi_state->gss_oid = gss_mech_krb5;
 
 ret = krb5_init_context(&gensec_gssapi_state->krb5_context);
 if (ret) {
@@ -359,6 +356,11 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 } else if (maj_stat == GSS_S_CONTINUE_NEEDED) {
 return NT_STATUS_MORE_PROCESSING_REQUIRED;
 } else {
+ if (maj_stat == GSS_S_FAILURE
+ && (min_stat == KRB5KRB_AP_ERR_BADVERSION || min_stat == KRB5KRB_AP_ERR_MSG_TYPE)) {
+ /* garbage input, possibly from the auto-mech detection */
+ return NT_STATUS_INVALID_PARAMETER;
+ }
 DEBUG(1, ("GSS Update failed: %s\n",
 gssapi_error_string(out_mem_ctx, maj_stat, min_stat)));
 return nt_status;
@@ -641,8 +643,8 @@ static BOOL gensec_gssapi_have_feature(struct gensec_security *gensec_security,
 }
 if (feature & GENSEC_FEATURE_SESSION_KEY) {
 #ifdef HAVE_GSSKRB5_GET_INITIATOR_SUBKEY
- if ((gensec_gssapi_state->gss_oid->length == gensec_gss_krb5_mechanism_oid_desc.length)
- && (memcmp(gensec_gssapi_state->gss_oid->elements, gensec_gss_krb5_mechanism_oid_desc.elements, gensec_gssapi_state->gss_oid->length) == 0)) {
+ if ((gensec_gssapi_state->gss_oid->length == gss_mech_krb5->length)
+ && (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements, gensec_gssapi_state->gss_oid->length) == 0)) {
 return True;
 }
 #endif
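Review bot: The new early return in gensec_gssapi_update for GSS_S_FAILURE with KRB5KRB_AP_ERR_BADVERSION or KRB5KRB_AP_ERR_MSG_TYPE skips the only log statement on this path, so a peer that keeps sending malformed tokens no longer shows up in the debug output while every other GSS failure is still logged at level 1. A lower-level trace before the return keeps that signal without the noise the comment is trying to avoid, e.g. `DEBUG(5, ("GSS Update: rejecting malformed token: %s\n", gssapi_error_string(out_mem_ctx, maj_stat, min_stat)));`. Comparing min_stat against krb5 error codes is only meaningful for the krb5 mechanism; it appears to rely on gensec_gssapi_start pinning gss_oid to gss_mech_krb5 in the previous hunk, which the comment should state: `/* min_stat is mechanism-specific; this test is valid only because gss_oid is gss_mech_krb5 */`. gensec_gssapi_update starts and ends outside the hunk.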
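Review bot: The mechanism test `gss_oid->length == gss_mech_krb5->length && memcmp(gss_oid->elements, gss_mech_krb5->elements, gss_oid->length) == 0` in gensec_gssapi_have_feature is repeated verbatim in gensec_gssapi_session_key in the next hunk, and the rename touched both copies separately. A single static helper such as `static BOOL gensec_gssapi_is_krb5(const struct gensec_gssapi_state *state)` would keep the two callers in step and give the comparison a name that says what it guards. Both functions start and end outside their hunks.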
@@ -662,8 +664,8 @@ static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_securit
 
 #ifdef HAVE_GSSKRB5_GET_INITIATOR_SUBKEY
 /* Ensure we only call this for GSSAPI/krb5, otherwise things could get very ugly */
- if ((gensec_gssapi_state->gss_oid->length == gensec_gss_krb5_mechanism_oid_desc.length)
- && (memcmp(gensec_gssapi_state->gss_oid->elements, gensec_gss_krb5_mechanism_oid_desc.elements,
+ if ((gensec_gssapi_state->gss_oid->length == gss_mech_krb5->length)
+ && (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements,
 gensec_gssapi_state->gss_oid->length) == 0)) {
 OM_uint32 maj_stat, min_stat;
 gss_buffer_desc skey;
diff --git a/source4/auth/gensec/schannel_state.c b/source4/auth/gensec/schannel_state.c
index 99d5fdef53..0c5ce09637 100644
--- a/source4/auth/gensec/schannel_state.c
+++ b/source4/auth/gensec/schannel_state.c
@@ -26,9 +26,6 @@
 #include "lib/ldb/include/ldb.h"
 #include "db_wrap.h"
 
-/* a reasonable amount of time to keep credentials live */
-#define SCHANNEL_CREDENTIALS_EXPIRY 600
-
 /*
 connect to the schannel ldb
 */
@@ -72,11 +69,9 @@ NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx,
 struct ldb_context *ldb;
 struct ldb_message *msg;
 struct ldb_val val, seed;
- char *s;
 char *f;
 char *sct;
 char *rid;
- time_t expiry = time(NULL) + SCHANNEL_CREDENTIALS_EXPIRY;
 int ret;
 
 ldb = schannel_db_connect(mem_ctx);
@@ -84,13 +79,6 @@ NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx,
 return NT_STATUS_NO_MEMORY;
 }
 
- s = talloc_asprintf(mem_ctx, "%u", (unsigned int)expiry);
-
- if (s == NULL) {
- talloc_free(ldb);
- return NT_STATUS_NO_MEMORY;
- }
-
 f = talloc_asprintf(mem_ctx, "%u", (unsigned int)creds->negotiate_flags);
 
 if (f == NULL) {
@@ -133,7 +121,6 @@ NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx,
 
 ldb_msg_add_value(ldb, msg, "sessionKey", &val);
 ldb_msg_add_value(ldb, msg, "seed", &seed);
- ldb_msg_add_string(ldb, msg, "expiry", s);
 ldb_msg_add_string(ldb, msg, "negotiateFlags", f);
 ldb_msg_add_string(ldb, msg, "secureChannelType", sct);
 ldb_msg_add_string(ldb, msg, "accountName", creds->account_name);
@@ -145,8 +132,6 @@ NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx,
 
 ret = ldb_add(ldb, msg);
 
- talloc_free(s);
-
 if (ret != 0) {
 DEBUG(0,("Unable to add %s to session key db - %s\n",
 msg->dn, ldb_errstring(ldb)));
@@ -171,7 +156,6 @@ NTSTATUS schannel_fetch_session_key(TALLOC_CTX *mem_ctx,
 struct creds_CredentialState **creds)
 {
 struct ldb_context *ldb;
- time_t expiry;
 struct ldb_message **res;
 int ret;
 const struct ldb_val *val;
@@ -199,13 +183,6 @@ NTSTATUS schannel_fetch_session_key(TALLOC_CTX *mem_ctx,
 return NT_STATUS_INVALID_HANDLE;
 }
 
- expiry = ldb_msg_find_uint(res[0], "expiry", 0);
- if (expiry < time(NULL)) {
- DEBUG(1,("schannel: attempt to use expired session key for %s\n", computer_name));
- talloc_free(ldb);
- return NT_STATUS_INVALID_HANDLE;
- }
-
 val = ldb_msg_find_ldb_val(res[0], "sessionKey");
 if (val == NULL || val->length != 16) {
 DEBUG(1,("schannel: record in schannel DB must contain a sessionKey of length 16, when searching for client: %s\n", computer_name));
diff --git a/source4/auth/kerberos/kerberos.m4 b/source4/auth/kerberos/kerberos.m4
index f9a2d66c0a..b78f96a877 100644
--- a/source4/auth/kerberos/kerberos.m4
+++ b/source4/auth/kerberos/kerberos.m4
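Review bot: After the last hunk of schannel_state.c, schannel_fetch_session_key hands back a stored sessionKey no matter how long ago it was written, so the only thing bounding a key's lifetime is now whatever overwrites or deletes the record, and neither the new code nor the store path (which no longer writes an expiry attribute) says where that happens. If that is the intended policy, a comment above the sessionKey lookup should record it, e.g. `/* No expiry is enforced on stored keys; presumably a record lives until the client re-authenticates and it is replaced -- confirm */`. If it is not, a maximum-age check on the record is the natural place to reinstate a bound. Records written by older builds still carry an expiry attribute that is now ignored, which is harmless but worth a line in the same comment. schannel_fetch_session_key starts and ends outside the hunk.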
@@ -195,7 +195,7 @@ if test x"$with_krb5_support" != x"no"; then
 
 # now check for gssapi headers. This is also done here to allow for
 # different kerberos include paths
- AC_CHECK_HEADERS(gssapi.h gssapi/gssapi_generic.h gssapi/gssapi.h com_err.h)
+ AC_CHECK_HEADERS(gssapi.h gssapi_krb5.h gssapi/gssapi.h gssapi/gssapi_generic.h gssapi/gssapi_krb5.h com_err.h)
 
 ##################################################################
 # we might need the k5crypto and com_err libraries on some systems |
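Review bot: Adding gssapi_krb5.h and gssapi/gssapi_krb5.h to AC_CHECK_HEADERS only records whether the headers exist; gensec_gssapi.c now references `gss_mech_krb5` (its first two hunks), and nothing here confirms that symbol is declared by whichever header was found, so a GSSAPI installation that has the headers but not that name fails at compile or link time instead of at configure time. A declaration check next to the header test surfaces this early, e.g. `AC_CHECK_DECLS([gss_mech_krb5], [], [], [[#include <gssapi/gssapi_krb5.h>]])`, with the include adjusted to the header that was actually detected. The enclosing `if test` block starts and ends outside the hunk.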