diff options
Diffstat (limited to 'source4')
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 46 | ||||
-rw-r--r-- | source4/auth/kerberos/kerberos_util.c | 2 | ||||
-rw-r--r-- | source4/lib/cmdline/popt_common.c | 11 | ||||
-rw-r--r-- | source4/lib/credentials.c | 10 |
4 files changed, 31 insertions, 38 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index c462cf0ecd..4e1d1e3015 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -250,6 +250,28 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi gensec_gssapi_state = gensec_security->private_data; + ret = cli_credentials_get_ccache(creds, + &ccache); + if (ret) { + DEBUG(1, ("Failed to get CCACHE for gensec_gssapi: %s\n", error_message(ret))); + return NT_STATUS_UNSUCCESSFUL; + } + + name_token.value = cli_credentials_get_principal(creds, + gensec_gssapi_state); + name_token.length = strlen(name_token.value); + + maj_stat = gss_import_name (&min_stat, + &name_token, + GSS_C_NT_USER_NAME, + &gensec_gssapi_state->client_name); + if (maj_stat) { + DEBUG(2, ("GSS Import name of %s failed: %s\n", + (char *)name_token.value, + gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat))); + return NT_STATUS_UNSUCCESSFUL; + } + principal = gensec_get_target_principal(gensec_security); if (principal && lp_client_use_spnego_principal()) { name_token.value = gensec_get_target_principal(gensec_security); @@ -274,28 +296,6 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi return NT_STATUS_INVALID_PARAMETER; } - ret = cli_credentials_get_ccache(creds, - &ccache); - if (ret) { - DEBUG(1, ("Failed to get CCACHE for gensec_gssapi: %s\n", error_message(ret))); - return NT_STATUS_UNSUCCESSFUL; - } - - name_token.value = cli_credentials_get_principal(creds, - gensec_gssapi_state); - name_token.length = strlen(name_token.value); - - maj_stat = gss_import_name (&min_stat, - &name_token, - GSS_C_NT_USER_NAME, - &gensec_gssapi_state->client_name); - if (maj_stat) { - DEBUG(2, ("GSS Import name of %s failed: %s\n", - (char *)name_token.value, - gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat))); - return NT_STATUS_UNSUCCESSFUL; - } - maj_stat = gsskrb5_acquire_cred(&min_stat, NULL, ccache->ccache, gensec_gssapi_state->client_name, @@ -964,7 +964,7 @@ static const struct gensec_security_ops gensec_gssapi_krb5_security_ops = { .wrap = gensec_gssapi_wrap, .unwrap = gensec_gssapi_unwrap, .have_feature = gensec_gssapi_have_feature, - .enabled = False + .enabled = True }; NTSTATUS gensec_gssapi_init(void) diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c index 922869af5c..d0bb2f4f52 100644 --- a/source4/auth/kerberos/kerberos_util.c +++ b/source4/auth/kerberos/kerberos_util.c @@ -111,7 +111,7 @@ krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx, if (!princ_string) { talloc_free(mem_ctx); - return ENOMEM; + return EINVAL; } ret = krb5_parse_name(smb_krb5_context->krb5_context, diff --git a/source4/lib/cmdline/popt_common.c b/source4/lib/cmdline/popt_common.c index fe76292acb..43ea203b78 100644 --- a/source4/lib/cmdline/popt_common.c +++ b/source4/lib/cmdline/popt_common.c @@ -241,17 +241,7 @@ static void popt_common_credentials_callback(poptContext con, cli_credentials_set_machine_account_pending(cmdline_credentials); /* machine accounts only work with kerberos (fall though)*/ - - case 'k': -#ifndef HAVE_KRB5 - d_printf("No kerberos support compiled in\n"); - exit(1); -#else - lp_set_cmdline("gensec:krb5", "True"); -#endif break; - - } } @@ -261,7 +251,6 @@ struct poptOption popt_common_credentials[] = { { NULL, 0, POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST, popt_common_credentials_callback }, { "user", 'U', POPT_ARG_STRING, NULL, 'U', "Set the network username", "[DOMAIN\\]USERNAME[%PASSWORD]" }, { "no-pass", 'N', POPT_ARG_NONE, &dont_ask, True, "Don't ask for a password" }, - { "kerberos", 'k', POPT_ARG_NONE, NULL, 'k', "Use kerberos (active directory) authentication" }, { "authentication-file", 'A', POPT_ARG_STRING, NULL, 'A', "Get the credentials from a file", "FILE" }, { "signing", 'S', POPT_ARG_STRING, NULL, 'S', "Set the client signing state", "on|off|required" }, { "machine-pass", 'P', POPT_ARG_NONE, NULL, 'P', "Use stored machine account password (implies -k)" }, diff --git a/source4/lib/credentials.c b/source4/lib/credentials.c index cdef9042b8..4650fee1af 100644 --- a/source4/lib/credentials.c +++ b/source4/lib/credentials.c @@ -121,9 +121,13 @@ const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_C } if (cred->principal_obtained < cred->username_obtained) { - return talloc_asprintf(mem_ctx, "%s@%s", - cli_credentials_get_username(cred, mem_ctx), - cli_credentials_get_realm(cred)); + if (cred->domain_obtained > cred->realm_obtained) { + return NULL; + } else { + return talloc_asprintf(mem_ctx, "%s@%s", + cli_credentials_get_username(cred, mem_ctx), + cli_credentials_get_realm(cred)); + } } return talloc_reference(mem_ctx, cred->principal); } |