summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
Diffstat (limited to 'source4')
-rw-r--r--source4/auth/gensec/gensec_gssapi.c46
-rw-r--r--source4/auth/kerberos/kerberos_util.c2
-rw-r--r--source4/lib/cmdline/popt_common.c11
-rw-r--r--source4/lib/credentials.c10
4 files changed, 31 insertions, 38 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index c462cf0ecd..4e1d1e3015 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -250,6 +250,28 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
gensec_gssapi_state = gensec_security->private_data;
+ ret = cli_credentials_get_ccache(creds,
+ &ccache);
+ if (ret) {
+ DEBUG(1, ("Failed to get CCACHE for gensec_gssapi: %s\n", error_message(ret)));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ name_token.value = cli_credentials_get_principal(creds,
+ gensec_gssapi_state);
+ name_token.length = strlen(name_token.value);
+
+ maj_stat = gss_import_name (&min_stat,
+ &name_token,
+ GSS_C_NT_USER_NAME,
+ &gensec_gssapi_state->client_name);
+ if (maj_stat) {
+ DEBUG(2, ("GSS Import name of %s failed: %s\n",
+ (char *)name_token.value,
+ gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
principal = gensec_get_target_principal(gensec_security);
if (principal && lp_client_use_spnego_principal()) {
name_token.value = gensec_get_target_principal(gensec_security);
@@ -274,28 +296,6 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
return NT_STATUS_INVALID_PARAMETER;
}
- ret = cli_credentials_get_ccache(creds,
- &ccache);
- if (ret) {
- DEBUG(1, ("Failed to get CCACHE for gensec_gssapi: %s\n", error_message(ret)));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- name_token.value = cli_credentials_get_principal(creds,
- gensec_gssapi_state);
- name_token.length = strlen(name_token.value);
-
- maj_stat = gss_import_name (&min_stat,
- &name_token,
- GSS_C_NT_USER_NAME,
- &gensec_gssapi_state->client_name);
- if (maj_stat) {
- DEBUG(2, ("GSS Import name of %s failed: %s\n",
- (char *)name_token.value,
- gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
maj_stat = gsskrb5_acquire_cred(&min_stat,
NULL, ccache->ccache,
gensec_gssapi_state->client_name,
@@ -964,7 +964,7 @@ static const struct gensec_security_ops gensec_gssapi_krb5_security_ops = {
.wrap = gensec_gssapi_wrap,
.unwrap = gensec_gssapi_unwrap,
.have_feature = gensec_gssapi_have_feature,
- .enabled = False
+ .enabled = True
};
NTSTATUS gensec_gssapi_init(void)
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index 922869af5c..d0bb2f4f52 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -111,7 +111,7 @@ krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx,
if (!princ_string) {
talloc_free(mem_ctx);
- return ENOMEM;
+ return EINVAL;
}
ret = krb5_parse_name(smb_krb5_context->krb5_context,
diff --git a/source4/lib/cmdline/popt_common.c b/source4/lib/cmdline/popt_common.c
index fe76292acb..43ea203b78 100644
--- a/source4/lib/cmdline/popt_common.c
+++ b/source4/lib/cmdline/popt_common.c
@@ -241,17 +241,7 @@ static void popt_common_credentials_callback(poptContext con,
cli_credentials_set_machine_account_pending(cmdline_credentials);
/* machine accounts only work with kerberos (fall though)*/
-
- case 'k':
-#ifndef HAVE_KRB5
- d_printf("No kerberos support compiled in\n");
- exit(1);
-#else
- lp_set_cmdline("gensec:krb5", "True");
-#endif
break;
-
-
}
}
@@ -261,7 +251,6 @@ struct poptOption popt_common_credentials[] = {
{ NULL, 0, POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST, popt_common_credentials_callback },
{ "user", 'U', POPT_ARG_STRING, NULL, 'U', "Set the network username", "[DOMAIN\\]USERNAME[%PASSWORD]" },
{ "no-pass", 'N', POPT_ARG_NONE, &dont_ask, True, "Don't ask for a password" },
- { "kerberos", 'k', POPT_ARG_NONE, NULL, 'k', "Use kerberos (active directory) authentication" },
{ "authentication-file", 'A', POPT_ARG_STRING, NULL, 'A', "Get the credentials from a file", "FILE" },
{ "signing", 'S', POPT_ARG_STRING, NULL, 'S', "Set the client signing state", "on|off|required" },
{ "machine-pass", 'P', POPT_ARG_NONE, NULL, 'P', "Use stored machine account password (implies -k)" },
diff --git a/source4/lib/credentials.c b/source4/lib/credentials.c
index cdef9042b8..4650fee1af 100644
--- a/source4/lib/credentials.c
+++ b/source4/lib/credentials.c
@@ -121,9 +121,13 @@ const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_C
}
if (cred->principal_obtained < cred->username_obtained) {
- return talloc_asprintf(mem_ctx, "%s@%s",
- cli_credentials_get_username(cred, mem_ctx),
- cli_credentials_get_realm(cred));
+ if (cred->domain_obtained > cred->realm_obtained) {
+ return NULL;
+ } else {
+ return talloc_asprintf(mem_ctx, "%s@%s",
+ cli_credentials_get_username(cred, mem_ctx),
+ cli_credentials_get_realm(cred));
+ }
}
return talloc_reference(mem_ctx, cred->principal);
}