From 6ec4306f8c3fed7ec5b5bd164c5829b2661589b7 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Sat, 16 Apr 2011 15:41:50 +1000
Subject: auth/kerberos: Create common helper to get the verified PAC from
 GSSAPI

This only works for Heimdal and MIT Krb5 1.8, other versions will get
an ACCESS_DEINED error.

We no longer manually verify any details of the PAC in Samba for
GSSAPI logins, as we never had the information to do it properly, and
it is better to have the GSSAPI library handle it.

Andrew Bartlett
---
 libcli/auth/krb5_wrap.h   | 5 +++++
 libcli/auth/wscript_build | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

(limited to 'libcli')

diff --git a/libcli/auth/krb5_wrap.h b/libcli/auth/krb5_wrap.h
index 31bee352ab..82769aede9 100644
--- a/libcli/auth/krb5_wrap.h
+++ b/libcli/auth/krb5_wrap.h
@@ -72,3 +72,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
 			     krb5_const_principal client_principal,
 			     time_t tgs_authtime,
 			     struct PAC_DATA **pac_data_out);
+
+NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
+				gss_ctx_id_t gssapi_context,
+				gss_name_t gss_client_name,
+				DATA_BLOB *pac_data);
diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
index 541eaf0434..262d483e06 100644
--- a/libcli/auth/wscript_build
+++ b/libcli/auth/wscript_build
@@ -41,4 +41,4 @@ bld.SAMBA_SUBSYSTEM('SPNEGO_PARSE',
 
 bld.SAMBA_SUBSYSTEM('KRB5_WRAP',
                     source='krb5_wrap.c kerberos_pac.c',
-                    deps='gssapi krb5 ndr-krb5pac com_err')
+                    deps='gssapi_krb5 krb5 ndr-krb5pac com_err KRB5_PAC')
-- 
cgit