From 372ca26b2052e267711a45c8bf341f55505f3f8f Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Thu, 20 Oct 2005 03:47:55 +0000
Subject: r11200: Reposition the creation of the kerberos keytab for GSSAPI and
 Krb5 authentication.  This pulls the creating of the keytab back to the
 credentials code, and removes the special case of 'use keberos keytab = yes'
 for now.

This allows (and requires) the callers to specify the credentials for
the server credentails to GENSEC.  This allows kpasswdd (soon to be
added) to use a different set of kerberos credentials.

The 'use kerberos keytab' code will be moved into the credentials
layer, as the layers below now expect a keytab.

We also now allow for the old secret to be stored into the
credentials, allowing service password changes.

Andrew Bartlett
(This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)
---
 source4/rpc_server/dcesrv_auth.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

(limited to 'source4/rpc_server')

diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index a2ba709f56..6caef7424d 100644
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -32,6 +32,7 @@
 */
 BOOL dcesrv_auth_bind(struct dcesrv_call_state *call)
 {
+	struct cli_credentials *server_credentials;
 	struct ncacn_packet *pkt = &call->pkt;
 	struct dcesrv_connection *dce_conn = call->conn;
 	struct dcesrv_auth *auth = &dce_conn->auth_state;
@@ -61,6 +62,23 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call)
 		return False;
 	}
 
+	server_credentials 
+		= cli_credentials_init(call);
+	if (!server_credentials) {
+		DEBUG(1, ("Failed to init server credentials\n"));
+		return False;
+	}
+	
+	cli_credentials_set_conf(server_credentials);
+	status = cli_credentials_set_machine_account(server_credentials);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(10, ("Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status)));
+		talloc_free(server_credentials);
+		server_credentials = NULL;
+	}
+
+	gensec_set_credentials(auth->gensec_security, server_credentials);
+
 	status = gensec_start_mech_by_authtype(auth->gensec_security, auth->auth_info->auth_type, 
 					       auth->auth_info->auth_level);
 
-- 
cgit