From 351e749246a278b60a7e18c1eeafdc8ec70efea2 Mon Sep 17 00:00:00 2001
From: Günther Deschner <gd@samba.org>
Date: Tue, 25 Apr 2006 12:24:25 +0000
Subject: r15240: Correctly disallow unauthorized access when logging on with
 the kerberized pam_winbind and workstation restrictions are in effect.

The krb5 AS-REQ needs to add the host netbios-name in the address-list.

We don't get the clear NT_STATUS_INVALID_WORKSTATION code back yet from
the edata of the KRB_ERROR but the login at least fails when the local
machine is not in the workstation list on the DC.

Guenther
(This used to be commit 8b2ba11508e2730aba074d7c095291fac2a62176)
---
 source3/include/ads.h | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'source3/include/ads.h')

diff --git a/source3/include/ads.h b/source3/include/ads.h
index 2c7999e24f..711dd2aa70 100644
--- a/source3/include/ads.h
+++ b/source3/include/ads.h
@@ -266,3 +266,15 @@ typedef void **ADS_MODLIST;
 
 #define WELL_KNOWN_GUID_COMPUTERS	"AA312825768811D1ADED00C04FD8D5CD" 
 #define WELL_KNOWN_GUID_USERS		"A9D1CA15768811D1ADED00C04FD8D5CD"
+
+#ifndef KRB5_ADDR_NETBIOS
+#define KRB5_ADDR_NETBIOS 0x14
+#endif
+
+typedef struct {
+#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
+	krb5_address **addrs;
+#else /* Heimdal has the krb5_addresses type */
+	krb5_addresses *addrs;
+#endif
+} smb_krb5_addresses;
-- 
cgit