svn commit: samba r4045 - in branches/SAMBA_4_0/source: lib/cmdline libcli/auth param

metze at samba.org metze at samba.org
Thu Dec 2 18:27:08 GMT 2004 

Author: metze
Date: 2004-12-02 18:27:08 +0000 (Thu, 02 Dec 2004)
New Revision: 4045

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=4045

Log:
readd krb5 support defaulted to disable

use:
gensec:krb5=yes
gensec:ms_krb5=yes

to enable it

or -k on the client tools on the command line

metze

Modified:
   branches/SAMBA_4_0/source/lib/cmdline/popt_common.c
   branches/SAMBA_4_0/source/libcli/auth/clikrb5.c
   branches/SAMBA_4_0/source/libcli/auth/gensec.m4
   branches/SAMBA_4_0/source/libcli/auth/gensec.mk
   branches/SAMBA_4_0/source/libcli/auth/gensec_krb5.c
   branches/SAMBA_4_0/source/libcli/auth/kerberos.c
   branches/SAMBA_4_0/source/libcli/auth/kerberos_verify.c
   branches/SAMBA_4_0/source/param/loadparm.c


Changeset:
Modified: branches/SAMBA_4_0/source/lib/cmdline/popt_common.c
===================================================================
--- branches/SAMBA_4_0/source/lib/cmdline/popt_common.c	2004-12-02 18:15:39 UTC (rev 4044)
+++ branches/SAMBA_4_0/source/lib/cmdline/popt_common.c	2004-12-02 18:27:08 UTC (rev 4045)
@@ -373,6 +373,8 @@
 #else
 		cmdline_auth_info.use_kerberos = True;
 		cmdline_auth_info.got_pass = True;
+		lp_set_cmdline("gensec:krb5", "True");
+		lp_set_cmdline("gensec:ms_krb5", "True");
 #endif
 		break;
 

Modified: branches/SAMBA_4_0/source/libcli/auth/clikrb5.c
===================================================================
--- branches/SAMBA_4_0/source/libcli/auth/clikrb5.c	2004-12-02 18:15:39 UTC (rev 4044)
+++ branches/SAMBA_4_0/source/libcli/auth/clikrb5.c	2004-12-02 18:27:08 UTC (rev 4045)
@@ -22,6 +22,7 @@
 #include "includes.h"
 #include "system/network.h"
 #include "system/kerberos.h"
+#include "libcli/auth/kerberos.h"
 #include "system/time.h"
 
 #ifdef HAVE_KRB5

Modified: branches/SAMBA_4_0/source/libcli/auth/gensec.m4
===================================================================
--- branches/SAMBA_4_0/source/libcli/auth/gensec.m4	2004-12-02 18:15:39 UTC (rev 4044)
+++ branches/SAMBA_4_0/source/libcli/auth/gensec.m4	2004-12-02 18:27:08 UTC (rev 4045)
@@ -2,5 +2,5 @@
 
 if test x"$SMB_EXT_LIB_ENABLE_KRB5" = x"YES"; then
 	/* enable this when krb5 is fully working */
-	SMB_MODULE_DEFAULT(gensec_krb5, NOT)
+	SMB_MODULE_DEFAULT(gensec_krb5, STATIC)
 fi

Modified: branches/SAMBA_4_0/source/libcli/auth/gensec.mk
===================================================================
--- branches/SAMBA_4_0/source/libcli/auth/gensec.mk	2004-12-02 18:15:39 UTC (rev 4044)
+++ branches/SAMBA_4_0/source/libcli/auth/gensec.mk	2004-12-02 18:27:08 UTC (rev 4045)
@@ -19,7 +19,7 @@
 		libcli/auth/kerberos.o \
 		libcli/auth/kerberos_verify.o \
 		libcli/auth/gssapi_parse.o
-REQUIRED_SUBSYSTEMS = EXT_LIB_KRB5
+REQUIRED_SUBSYSTEMS = NDR_KRB5PAC EXT_LIB_KRB5
 # End MODULE gensec_krb5
 ################################################
 

Modified: branches/SAMBA_4_0/source/libcli/auth/gensec_krb5.c
===================================================================
--- branches/SAMBA_4_0/source/libcli/auth/gensec_krb5.c	2004-12-02 18:15:39 UTC (rev 4044)
+++ branches/SAMBA_4_0/source/libcli/auth/gensec_krb5.c	2004-12-02 18:27:08 UTC (rev 4045)
@@ -512,9 +512,14 @@
 	{
 		char *principal;
 		DATA_BLOB unwrapped_in;
-		DATA_BLOB unwrapped_out;
+		DATA_BLOB unwrapped_out = data_blob(NULL, 0);
 		uint8 tok_id[2];
 
+		if (!in.data) {
+			*out = unwrapped_out;
+			return NT_STATUS_MORE_PROCESSING_REQUIRED;
+		}	
+
 		/* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */
 		if (!gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
 			nt_status = ads_verify_ticket(out_mem_ctx, 
@@ -544,8 +549,11 @@
 		if (NT_STATUS_IS_OK(nt_status)) {
 			gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
 			/* wrap that up in a nice GSS-API wrapping */
+#ifndef GENSEC_SEND_UNWRAPPED_KRB5
 			*out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REP);
-
+#else
+			*out = unwrapped_out;
+#endif
 			gensec_krb5_state->peer_principal = talloc_steal(gensec_krb5_state, principal);
 		}
 		return nt_status;

Modified: branches/SAMBA_4_0/source/libcli/auth/kerberos.c
===================================================================
--- branches/SAMBA_4_0/source/libcli/auth/kerberos.c	2004-12-02 18:15:39 UTC (rev 4044)
+++ branches/SAMBA_4_0/source/libcli/auth/kerberos.c	2004-12-02 18:27:08 UTC (rev 4045)
@@ -22,6 +22,7 @@
 
 #include "includes.h"
 #include "system/kerberos.h"
+#include "libcli/auth/kerberos.h"
 #include "system/time.h"
 
 #ifdef HAVE_KRB5

Modified: branches/SAMBA_4_0/source/libcli/auth/kerberos_verify.c
===================================================================
--- branches/SAMBA_4_0/source/libcli/auth/kerberos_verify.c	2004-12-02 18:15:39 UTC (rev 4044)
+++ branches/SAMBA_4_0/source/libcli/auth/kerberos_verify.c	2004-12-02 18:27:08 UTC (rev 4045)
@@ -101,7 +101,9 @@
 		}
 		DEBUG(10, ("Checking principal: %s\n", princ_name));
 		/* Look for a CIFS ticket */
-		if (!strncasecmp(princ_name, "cifs/", 5) || (!strncasecmp(princ_name, "host/", 5))) {
+		if (!strncasecmp(princ_name, "cifs/", 5) || 
+		    !strncasecmp(princ_name, "host/", 5) ||
+		    !strncasecmp(princ_name, "ldap/", 5)) {
 #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK
 			krb5_auth_con_setuseruserkey(context, auth_context, &kt_entry.keyblock);
 #else

Modified: branches/SAMBA_4_0/source/param/loadparm.c
===================================================================
--- branches/SAMBA_4_0/source/param/loadparm.c	2004-12-02 18:15:39 UTC (rev 4044)
+++ branches/SAMBA_4_0/source/param/loadparm.c	2004-12-02 18:27:08 UTC (rev 4045)
@@ -3071,6 +3071,9 @@
 		lp_do_parameter(-1, "wins server", "127.0.0.1");
 	}
 
+	lp_do_parameter(-1, "gensec:krb5", "False");
+	lp_do_parameter(-1, "gensec:ms_krb5", "False");
+
 	init_iconv();
 
 	return (bRetval);

More information about the samba-cvs mailing list