From 0299edbc02f4185020bae8e66c02d1081d07279f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 28 Jul 2008 09:29:42 +0200
Subject: auth/credentials: explain why we need to the enctypes for the gssapi layer metze (This used to be commit 88970c4d4192635544cf63e79e929e9bb05ecb5f)
---
 source4/auth/credentials/credentials_krb5.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'source4/auth')
diff --git a/source4/auth/credentials/credentials_krb5.c b/source4/auth/credentials/credentials_krb5.c
index c4c58398c3..1a2d5faddd 100644
--- a/source4/auth/credentials/credentials_krb5.c
+++ b/source4/auth/credentials/credentials_krb5.c
@@ -392,7 +392,17 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
 return ret;
 }
- /* transfer the enctypes from the smb_krb5_context to the gssapi layer */
+ /*
+ * transfer the enctypes from the smb_krb5_context to the gssapi layer
+ *
+ * We use 'our' smb_krb5_context to do the AS-REQ and it is possible
+ * to configure the enctypes via the krb5.conf.
+ *
+ * And the gss_init_sec_context() creates it's own krb5_context and
+ * the TGS-REQ had all enctypes in it and only the ones configured
+ * and used for the AS-REQ, so it wasn't possible to disable the usage
+ * of AES keys.
+ */
 min_stat = krb5_get_default_in_tkt_etypes(ccache->smb_krb5_context->krb5_context, &etypes);
 if (min_stat == 0) {
-- cgit
From c4c79aa1b61b48eca47dffecb4ad847fae3bffed Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 28 Jul 2008 16:11:30 +0200
Subject: gensec_gssapi: use gsskrb5_get_subkey() to make smb2 signing with aes keys work SMB signing with aes doesn't work, but still works with arcfour-hmac-md5, des-cbc-md5 and des-cbc-crc. metze (This used to be commit 73964f069056f46f2f27fc690e42e5c91ae1fe19)
---
 source4/auth/gensec/gensec_gssapi.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/auth')
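Review bot: In the comment added to cli_credentials_get_client_gss_creds (credentials_krb5.c, commit 0299edbc), the sentence "the TGS-REQ had all enctypes in it and only the ones configured and used for the AS-REQ" reads as the opposite of what the rest of the comment implies; it presumably means `and not only the ones configured`, and `it's own` should be `its own`. Since this comment is the only record of why an enctype restriction from krb5.conf has to be pushed into the GSSAPI layer, I would state it in the present tense, e.g. `* Without this the TGS-REQ offers every enctype, not only the ones configured for the AS-REQ.` The transfer itself runs only under `if (min_stat == 0)`, whose body and any failure branch lie outside the hunk, so it is worth confirming that a failing krb5_get_default_in_tkt_etypes() is at least logged rather than silently leaving the configured restriction unapplied.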
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 205d8a0f9b..c20cf4f5bd 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -1152,9 +1152,9 @@ static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_securit
 return NT_STATUS_OK;
 }
- maj_stat = gsskrb5_get_initiator_subkey(&min_stat,
- gensec_gssapi_state->gssapi_context,
- &subkey);
+ maj_stat = gsskrb5_get_subkey(&min_stat,
+ gensec_gssapi_state->gssapi_context,
+ &subkey);
 if (maj_stat != 0) {
 DEBUG(1, ("NO session key for this mech\n"));
 return NT_STATUS_NO_USER_SESSION_KEY;
-- cgit
From e45c3e127d389a2cb63879ca12bbbfed048f4eb1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 28 Jul 2008 17:59:17 +0200
Subject: Revert "gensec_gssapi: use gsskrb5_get_subkey() to make smb2 signing with aes keys work" This reverts commit 73964f069056f46f2f27fc690e42e5c91ae1fe19. This breaks more than it gains:-( It seems to break the ncacn_np session key metze (This used to be commit 9678085f75b6cb0ed068e22f3d9f94247b200ce2)
---
 source4/auth/gensec/gensec_gssapi.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source4/auth')
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index c20cf4f5bd..205d8a0f9b 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -1152,9 +1152,9 @@ static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_securit
 return NT_STATUS_OK;
 }
- maj_stat = gsskrb5_get_subkey(&min_stat,
- gensec_gssapi_state->gssapi_context,
- &subkey);
+ maj_stat = gsskrb5_get_initiator_subkey(&min_stat,
+ gensec_gssapi_state->gssapi_context,
+ &subkey);
 if (maj_stat != 0) {
 DEBUG(1, ("NO session key for this mech\n"));
 return NT_STATUS_NO_USER_SESSION_KEY;
-- cgit
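Review bot: In commit c4c79aa1 the call in gensec_gssapi_session_key is switched to `gsskrb5_get_subkey()` unconditionally, so every consumer of this session key gets whatever that call returns, not only SMB2 signing, and nothing in the hunk narrows the change to the AES case named in the subject. The function is presumably shared by several transports, and the revert later on this page reports that the change seems to break the ncacn_np session key, which fits that reading. If AES signing needs a different subkey, it would be safer to select it under an explicit condition or through a separate accessor and to leave the existing key untouched for the other users. The function begins and ends outside the hunk, so the early `return NT_STATUS_OK` path above the call was not reviewed.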
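Review bot: In the revert (commit e45c3e12) the restored `gsskrb5_get_initiator_subkey()` call in gensec_gssapi_session_key carries no comment saying why the initiator subkey must be kept, so the reason lives only in the commit message and the same change is likely to be tried again. I would add a comment above the call, e.g. `/* keep the initiator subkey here: gsskrb5_get_subkey() broke the ncacn_np session key */`. Going by the reverted commit's description, SMB2 signing with AES keys presumably remains unsolved after this revert, which is worth recording in the same comment or in a tracking item. The function begins and ends outside the hunk.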