From 64b516b10546619d3b1adef7fcc4cfef3ad610f9 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 2 Dec 2004 18:27:08 +0000 Subject: r4045: readd krb5 support defaulted to disable use: gensec:krb5=yes gensec:ms_krb5=yes to enable it or -k on the client tools on the command line metze (This used to be commit 0ae5794cf44933d2554e0356baaca24c7a784f71) --- source4/libcli/auth/clikrb5.c | 1 + source4/libcli/auth/gensec.m4 | 2 +- source4/libcli/auth/gensec.mk | 2 +- source4/libcli/auth/gensec_krb5.c | 12 ++++++++++-- source4/libcli/auth/kerberos.c | 1 + source4/libcli/auth/kerberos_verify.c | 4 +++- 6 files changed, 17 insertions(+), 5 deletions(-) (limited to 'source4/libcli')
diff --git a/source4/libcli/auth/clikrb5.c b/source4/libcli/auth/clikrb5.c
index b5158a038a..48e1f88503 100644
--- a/source4/libcli/auth/clikrb5.c
+++ b/source4/libcli/auth/clikrb5.c
@@ -22,6 +22,7 @@
 #include "includes.h"
 #include "system/network.h"
 #include "system/kerberos.h"
+#include "libcli/auth/kerberos.h"
 #include "system/time.h"
 #ifdef HAVE_KRB5
diff --git a/source4/libcli/auth/gensec.m4 b/source4/libcli/auth/gensec.m4
index dd72d967dd..9b814014ca 100644
--- a/source4/libcli/auth/gensec.m4
+++ b/source4/libcli/auth/gensec.m4
@@ -2,5 +2,5 @@ SMB_MODULE_DEFAULT(gensec_krb5, NOT)
 if test x"$SMB_EXT_LIB_ENABLE_KRB5" = x"YES"; then
 /* enable this when krb5 is fully working */
- SMB_MODULE_DEFAULT(gensec_krb5, NOT)
+ SMB_MODULE_DEFAULT(gensec_krb5, STATIC)
 fi
diff --git a/source4/libcli/auth/gensec.mk b/source4/libcli/auth/gensec.mk
index 30da8aaa0e..66abfd10b7 100644
--- a/source4/libcli/auth/gensec.mk
+++ b/source4/libcli/auth/gensec.mk
@@ -19,7 +19,7 @@ ADD_OBJ_FILES = \
 libcli/auth/kerberos.o \
 libcli/auth/kerberos_verify.o \
 libcli/auth/gssapi_parse.o
-REQUIRED_SUBSYSTEMS = EXT_LIB_KRB5
+REQUIRED_SUBSYSTEMS = NDR_KRB5PAC EXT_LIB_KRB5
 # End MODULE gensec_krb5
 ################################################
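Review bot: In gensec.m4 the comment `/* enable this when krb5 is fully working */` now sits directly above `SMB_MODULE_DEFAULT(gensec_krb5, STATIC)`, so it describes the opposite of what the line does. With this change the module is compiled in whenever the krb5 library is enabled, and the only thing keeping the mechanism off is the run-time default the commit message mentions (`gensec:krb5=yes` to enable), which is not set in any hunk shown here. I would replace the comment with one that states this, for example `built when krb5 is available; stays off at run time unless gensec:krb5=yes`, and confirm that the code reading that option really defaults to off.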
diff --git a/source4/libcli/auth/gensec_krb5.c b/source4/libcli/auth/gensec_krb5.c
index 97025fa6c4..0f1bf8e700 100644
--- a/source4/libcli/auth/gensec_krb5.c
+++ b/source4/libcli/auth/gensec_krb5.c
@@ -512,9 +512,14 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL
 {
 char *principal;
 DATA_BLOB unwrapped_in;
- DATA_BLOB unwrapped_out;
+ DATA_BLOB unwrapped_out = data_blob(NULL, 0);
 uint8 tok_id[2];
+ if (!in.data) {
+ *out = unwrapped_out;
+ return NT_STATUS_MORE_PROCESSING_REQUIRED;
+ }
+ /* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */
 if (!gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
 nt_status = ads_verify_ticket(out_mem_ctx,
@@ -544,8 +549,11 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL
 if (NT_STATUS_IS_OK(nt_status)) {
 gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
 /* wrap that up in a nice GSS-API wrapping */
+#ifndef GENSEC_SEND_UNWRAPPED_KRB5
 *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REP);
-
+#else
+ *out = unwrapped_out;
+#endif
 gensec_krb5_state->peer_principal = talloc_steal(gensec_krb5_state, principal);
 }
 return nt_status;
diff --git a/source4/libcli/auth/kerberos.c b/source4/libcli/auth/kerberos.c
index 50f2e0f24e..9510aaa7fb 100644
--- a/source4/libcli/auth/kerberos.c
+++ b/source4/libcli/auth/kerberos.c
@@ -22,6 +22,7 @@
 #include "includes.h"
 #include "system/kerberos.h"
+#include "libcli/auth/kerberos.h"
 #include "system/time.h"
 #ifdef HAVE_KRB5
diff --git a/source4/libcli/auth/kerberos_verify.c b/source4/libcli/auth/kerberos_verify.c
index 6d87cf8d8b..d00394fd79 100644
--- a/source4/libcli/auth/kerberos_verify.c
+++ b/source4/libcli/auth/kerberos_verify.c
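Review bot: The new early return in gensec_krb5_update (first hunk of gensec_krb5.c) tests only `in.data`, so a blob with a non-NULL pointer and zero length still reaches gensec_gssapi_parse_krb5_wrap and ads_verify_ticket; `if (!in.data || in.length == 0) {` would treat both as "no token yet". The return also leaves the state position untouched, so a peer that keeps sending empty tokens is answered with NT_STATUS_MORE_PROCESSING_REQUIRED every time; whether any caller bounds the number of rounds is not visible here. A short comment such as `/* no token from the peer yet: reply with an empty blob and wait */` would record why an empty input is not an error. The enclosing block starts and ends outside the hunk.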
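Review bot: `GENSEC_SEND_UNWRAPPED_KRB5` is introduced at the `*out =` assignment (second hunk of gensec_krb5.c) with no definition or explanation in the files shown, so a reader cannot tell when the reply is meant to go out without the GSS-API framing. Because it is a preprocessor switch, the reply form is fixed per build, while the request path in the same function appears to accept both wrapped and unwrapped input at run time. I would document it where it is tested, for example `/* define GENSEC_SEND_UNWRAPPED_KRB5 to return the reply without the GSS-API wrapping */`, or derive the reply form from whether the request arrived wrapped. The function continues outside the hunk.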
@@ -101,7 +101,9 @@ static krb5_error_code ads_keytab_verify_ticket(krb5_context context, krb5_auth_
 }
 DEBUG(10, ("Checking principal: %s\n", princ_name));
 /* Look for a CIFS ticket */
- if (!strncasecmp(princ_name, "cifs/", 5) || (!strncasecmp(princ_name, "host/", 5))) {
+ if (!strncasecmp(princ_name, "cifs/", 5) ||
+ !strncasecmp(princ_name, "host/", 5) ||
+ !strncasecmp(princ_name, "ldap/", 5)) {
 #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK
 krb5_auth_con_setuseruserkey(context, auth_context, &kt_entry.keyblock);
 #else
-- cgit
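Review bot: The widened prefix test in ads_keytab_verify_ticket accepts any keytab entry whose principal starts with `cifs/`, `host/` or `ldap/`, with nothing in the hunk tying the choice to the service the caller is authenticating for, so a ticket issued for one of these services can be verified by a server offering another. If that is intended because the services share one machine key, a comment should say so; otherwise the expected service should be passed in and compared before the key is used. The comment `/* Look for a CIFS ticket */` above the test is now stale, and something like `/* accept keytab entries for the cifs/, host/ and ldap/ services */` would match the code. The enclosing block starts and ends outside the hunk.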