From 5131359edae7a5c7092c0d41bb225941596ddcac Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 30 Aug 2012 07:49:21 +1000 Subject: auth/credentials: Support match-by-key in cli_credentials_get_server_gss_creds() This allows a password alone to be used to accept kerberos tickets. Of course, we need to have got the salt right, but we do not need also the correct kvno. This allows gensec_gssapi to accept tickets based on a secrets.tdb entry. Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Aug 30 01:26:12 CEST 2012 on sn-devel-104 --- auth/credentials/credentials_krb5.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'auth') diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c index 2a23688ffd..459e9487f4 100644 --- a/auth/credentials/credentials_krb5.c +++ b/auth/credentials/credentials_krb5.c @@ -717,6 +717,11 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred, cred->keytab_obtained = (MAX(cred->principal_obtained, cred->username_obtained)); + /* We make this keytab up based on a password. Therefore + * match-by-key is acceptable, we can't match on the wrong + * principal */ + ktc->password_based = true; + talloc_steal(cred, ktc); cred->keytab = ktc; *_ktc = cred->keytab; @@ -818,12 +823,12 @@ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred, return ENOMEM; } - if (obtained < CRED_SPECIFIED) { - /* This creates a GSSAPI cred_id_t with the principal and keytab set */ + if (ktc->password_based || obtained < CRED_SPECIFIED) { + /* This creates a GSSAPI cred_id_t for match-by-key with only the keytab set */ maj_stat = gss_krb5_import_cred(&min_stat, NULL, NULL, ktc->keytab, &gcc->creds); } else { - /* This creates a GSSAPI cred_id_t with the principal and keytab set */ + /* This creates a GSSAPI cred_id_t with the principal and keytab set, matching by name */ maj_stat = gss_krb5_import_cred(&min_stat, NULL, princ, ktc->keytab, &gcc->creds); } -- cgit