From 351e749246a278b60a7e18c1eeafdc8ec70efea2 Mon Sep 17 00:00:00 2001
From: Günther Deschner
Date: Tue, 25 Apr 2006 12:24:25 +0000
Subject: r15240: Correctly disallow unauthorized access when logging on with the kerberized pam_winbind and workstation restrictions are in effect. The krb5 AS-REQ needs to add the host netbios-name in the address-list. We don't get the clear NT_STATUS_INVALID_WORKSTATION code back yet from the edata of the KRB_ERROR but the login at least fails when the local machine is not in the workstation list on the DC. Guenther (This used to be commit 8b2ba11508e2730aba074d7c095291fac2a62176)
---
 source3/configure.in | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
(limited to 'source3/configure.in')
diff --git a/source3/configure.in b/source3/configure.in
index c479d2d290..d700740c0d 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -3655,6 +3655,18 @@ if test x"$with_ads_support" != x"no"; then
 [Whether krb5_keytab_entry has keyblock member])
 fi
+ AC_CACHE_CHECK([for magic in krb5_address],
+ samba_cv_HAVE_MAGIC_IN_KRB5_ADDRESS,[
+ AC_TRY_COMPILE([#include ],
+ [krb5_address addr; addr.magic = 0;],
+ samba_cv_HAVE_MAGIC_IN_KRB5_ADDRESS=yes,
+ samba_cv_HAVE_MAGIC_IN_KRB5_ADDRESS=no)])
+
+ if test x"$samba_cv_HAVE_MAGIC_IN_KRB5_ADDRESS" = x"yes"; then
+ AC_DEFINE(HAVE_MAGIC_IN_KRB5_ADDRESS,1,
+ [Whether the krb5_address struct has a magic property])
+ fi
+
 if test x"$ac_cv_lib_ext_krb5_krb5_mk_req_extended" = x"yes"; then
 AC_DEFINE(HAVE_KRB5,1,[Whether to have KRB5 support])
 AC_DEFINE(WITH_ADS,1,[Whether to include Active Directory support])
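Review bot: The new `krb5_address.magic` probe carries no comment saying why it is needed, and its AC_DEFINE description calls a struct member a "property". The commit message ties these checks to putting the host NetBIOS name into the AS-REQ address list, so I would add `# krb5_address has a magic member only in some krb5 implementations; the code that builds the NetBIOS address for the AS-REQ needs to know` above the AC_CACHE_CHECK and reword the description to `[Whether the krb5_address struct has a magic member]`. The `#include` argument of AC_TRY_COMPILE shows no header name on this page, probably lost in rendering; if the file really has it empty, the probe cannot compile and the result is always `no`. The enclosing `if test x"$with_ads_support" != x"no"` block starts and ends outside the hunk.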
@@ -3705,6 +3717,18 @@ if test x"$with_ads_support" != x"no"; then
 [Whether krb5_princ_realm returns krb5_realm or krb5_data])
 fi
+ AC_CACHE_CHECK([for krb5_addresses type],
+ samba_cv_HAVE_KRB5_ADDRESSES,[
+ AC_TRY_COMPILE([#include ],
+ [krb5_addresses addr;],
+ samba_cv_HAVE_KRB5_ADDRESSES=yes,
+ samba_cv_HAVE_KRB5_ADDRESSES=no)])
+
+ if test x"$samba_cv_HAVE_KRB5_ADDRESSES" = x"yes"; then
+ AC_DEFINE(HAVE_KRB5_ADDRESSES,1,
+ [Whether the type krb5_addresses type exists])
+ fi
+
 LIBS="$ac_save_LIBS"
 fi
-- cgit
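Review bot: Nothing after this check reports the case where neither `krb5_addresses` nor the `krb5_address.magic` layout probed in the first hunk is found, so a build can silently end up without the address-list support that the commit message says the workstation restriction depends on. The C code that consumes `HAVE_KRB5_ADDRESSES` and `HAVE_MAGIC_IN_KRB5_ADDRESS` is not part of this diff, so whether it then omits the NetBIOS address is an inference. If it does, the logon would presumably behave as it did before this fix, with nothing at configure time to show it. I would emit `AC_MSG_WARN([no usable krb5 address type found; kerberized logons cannot send the NetBIOS address for workstation restrictions])` when both cache variables are `no`. The description string also repeats a word; `[Whether the krb5_addresses type exists]` reads correctly.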