From d96248a9b46559552f53b0ecd3861387ea7ff050 Mon Sep 17 00:00:00 2001 From: Dan Sledz Date: Thu, 15 Jan 2009 17:02:41 -0800 Subject: Add two new parameters to control how we verify kerberos tickets. Removes lp_use_kerberos_keytab parameter. The first is "kerberos method" and replaces the "use kerberos keytab" with an enum. Valid options are: secrets only - use only the secrets for ticket verification (default) system keytab - use only the system keytab for ticket verification dedicated keytab - use a dedicated keytab for ticket verification. secrets and keytab - use the secrets.tdb first, then the system keytab For existing installs: "use kerberos keytab = yes" corresponds to secrets and keytab "use kerberos keytab = no" corresponds to secrets only The major difference between "system keytab" and "dedicated keytab" is that the latter method relies on kerberos to find the correct keytab entry instead of filtering based on expected principals. The second parameter is "dedicated keytab file", which is the keytab to use when in "dedicated keytab" mode. This keytab is only used in ads_verify_ticket. --- source3/smbd/negprot.c | 2 +- source3/smbd/sesssetup.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/smbd') diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c index 729d144ea1..57608a9b40 100644 --- a/source3/smbd/negprot.c +++ b/source3/smbd/negprot.c @@ -212,7 +212,7 @@ static DATA_BLOB negprot_spnego(void) */ - if (lp_security() != SEC_ADS && !lp_use_kerberos_keytab()) { + if (lp_security() != SEC_ADS && !USE_KERBEROS_KEYTAB) { #if 0 /* Code for PocketPC client */ blob = data_blob(guid, 16); diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index a2ad56bea1..7a03ef7f3c 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -795,7 +795,7 @@ static void reply_spnego_negotiate(struct smb_request *req, #ifdef HAVE_KRB5 if (kerb_mech && ((lp_security()==SEC_ADS) || - lp_use_kerberos_keytab()) ) { + USE_KERBEROS_KEYTAB) ) { bool destroy_vuid = True; reply_spnego_kerberos(req, &secblob, kerb_mech, vuid, &destroy_vuid); @@ -887,7 +887,7 @@ static void reply_spnego_auth(struct smb_request *req, (unsigned long)secblob.length)); #ifdef HAVE_KRB5 if (kerb_mech && ((lp_security()==SEC_ADS) || - lp_use_kerberos_keytab()) ) { + USE_KERBEROS_KEYTAB)) { bool destroy_vuid = True; reply_spnego_kerberos(req, &secblob, kerb_mech, vuid, &destroy_vuid); -- cgit