From 47e28702288f065d539baab70907d50b7d59d27e Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Wed, 27 Apr 2011 14:34:03 +1000
Subject: auth/kerberos Add check for gss_inquire_sec_context_by_oid

Not all kerberos distributions have this function.

Andrew Bartlett

Autobuild-User: Andrew Bartlett
Autobuild-Date: Wed Apr 27 07:39:08 CEST 2011 on sn-devel-104
---
 auth/kerberos/gssapi_pac.c              | 14 ++++++++++----
 source3/configure.in                    |  1 +
 source3/wscript                         |  2 +-
 source4/heimdal_build/wscript_configure |  1 +
 4 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/auth/kerberos/gssapi_pac.c b/auth/kerberos/gssapi_pac.c
index dd2fb7e0a7..d89a649ff2 100644
--- a/auth/kerberos/gssapi_pac.c
+++ b/auth/kerberos/gssapi_pac.c
@@ -38,20 +38,19 @@ NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
 				gss_name_t gss_client_name,
 				DATA_BLOB *pac_blob)
 {
+	NTSTATUS status;
 	OM_uint32 gss_maj, gss_min;
-	gss_buffer_set_t set = GSS_C_NO_BUFFER_SET;
+#ifdef HAVE_GSS_GET_NAME_ATTRIBUTE
 	gss_buffer_desc pac_buffer;
 	gss_buffer_desc pac_display_buffer;
 	gss_buffer_desc pac_name = {
 		.value = "urn:mspac:",
 		.length = sizeof("urn:mspac:")-1
 	};
-	NTSTATUS status;
 	int more = -1;
 	int authenticated = false;
 	int complete = false;
-#ifdef HAVE_GSS_GET_NAME_ATTRIBUTE
 	gss_maj = gss_get_name_attribute(
 		&gss_min, gss_client_name, &pac_name, &authenticated, &complete,
@@ -83,7 +82,10 @@ NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_ACCESS_DENIED;
 	}
-#endif
+#elif defined(HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID)
+
+	gss_buffer_set_t set = GSS_C_NO_BUFFER_SET;
+
 	/* If we didn't have the routine to get a verified, validated
 	 * PAC (supplied only by MIT at the time of writing), then try
 	 * with the Heimdal OID (fetches the PAC directly and always
@@ -118,6 +120,10 @@ NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
 	gss_maj = gss_release_buffer_set(&gss_min, &set);
 	return status;
 }
+#else
+	DEBUG(1, ("unable to obtain a PAC against this GSSAPI library. "
+		  "GSSAPI secured connections are available only with Heimdal or MIT Kerberos >= 1.8\n"));
+#endif
 	return NT_STATUS_ACCESS_DENIED;
 }
 #endif
diff --git a/source3/configure.in b/source3/configure.in
index a463aa910d..3624c25e62 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -3871,6 +3871,7 @@ if test x"$with_ads_support" != x"no"; then
 	AC_CHECK_FUNC_EXT(gss_krb5_import_cred, $KRB5_LIBS)
 	AC_CHECK_FUNC_EXT(gss_get_name_attribute, $KRB5_LIBS)
 	AC_CHECK_FUNC_EXT(gss_oid_equal, $KRB5_LIBS)
+	AC_CHECK_FUNC_EXT(gss_inquire_sec_context_by_oid, $KRB5_LIBS)
 	# MIT krb5 1.8 does not expose this call (yet)
 	AC_CHECK_DECLS(krb5_get_credentials_for_user, [], [], [#include ])
diff --git a/source3/wscript b/source3/wscript
index cdafc1683a..d9cc0c6124 100644
--- a/source3/wscript
+++ b/source3/wscript
@@ -632,7 +632,7 @@ msg.msg_acctrightslen = sizeof(fd);
     if conf.CHECK_FUNCS_IN('gss_display_status', 'gssapi') or \
         conf.CHECK_FUNCS_IN('gss_display_status', 'gssapi_krb5'):
         have_gssapi=True
-        conf.CHECK_FUNCS_IN('gss_wrap_iov gss_krb5_import_cred gss_get_name_attribute gss_oid_equal', 'gssapi gssapi_krb5 krb5')
+        conf.CHECK_FUNCS_IN('gss_wrap_iov gss_krb5_import_cred gss_get_name_attribute gss_oid_equal gss_inquire_sec_context_by_oid', 'gssapi gssapi_krb5 krb5')
         conf.CHECK_FUNCS_IN('krb5_mk_req_extended krb5_kt_compare', 'krb5')
         conf.CHECK_FUNCS('''
                krb5_set_real_time krb5_set_default_in_tkt_etypes krb5_set_default_tgs_enctypes
diff --git a/source4/heimdal_build/wscript_configure b/source4/heimdal_build/wscript_configure
index f96c683baf..cd2a70f320 100644
--- a/source4/heimdal_build/wscript_configure
+++ b/source4/heimdal_build/wscript_configure
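Review bot: The `#else` branch added at the end of gssapi_obtain_pac_blob leaves `status`, `gss_maj` and `gss_min` — which the first hunk of this file moves to the top of the function, outside both conditional arms — entirely unused on a build that has neither `gss_get_name_attribute` nor `gss_inquire_sec_context_by_oid`, so that configuration compiles with unused-variable warnings. Declaring `NTSTATUS status;` and `OM_uint32 gss_maj, gss_min;` inside the `#ifdef HAVE_GSS_GET_NAME_ATTRIBUTE` and `#elif` arms, or adding `(void)status; (void)gss_maj; (void)gss_min;` in the `#else` arm, keeps the fallback build clean. Returning `NT_STATUS_ACCESS_DENIED` on that path is the right fail-closed choice, but a `DEBUG(1, ...)` line emitted on every authentication attempt is the only signal that GSSAPI-authenticated sessions can never be accepted on such a build; a configure-time warning when neither function is found would surface that limitation before deployment rather than in production logs. The rest of the function body lies outside this hunk.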
@@ -83,6 +83,7 @@ conf.define('HAVE_GSS_DISPLAY_STATUS', 1)
 conf.define('HAVE_GSS_WRAP_IOV', 1)
 conf.define('HAVE_GSS_KRB5_IMPORT_CRED', 1)
 conf.define('HAVE_GSS_OID_EQUAL', 1)
+conf.define('HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID', 1)
 conf.define('HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT', 1)
 conf.define('HAVE_LIBGSSAPI', 1)
 conf.define('HAVE_ADDR_TYPE_IN_KRB5_ADDRESS', 1)
--
cgit