svn commit: samba r10364 - in branches/SAMBA_4_0/source: auth/gensec auth/kerberos lib lib/cmdline

abartlet at samba.org abartlet at samba.org
Tue Sep 20 21:29:30 GMT 2005


Author: abartlet
Date: 2005-09-20 21:29:29 +0000 (Tue, 20 Sep 2005)
New Revision: 10364

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=10364

Log:
Turn gensec:gssapi on by default, except for a login of the form
-Udomain\\user.

This will probably break in a few configurations, so please let me
know.  I'll also work to have a way to inhibit kerberos/ntlmssp, as
this removes -k.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c
   branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c
   branches/SAMBA_4_0/source/lib/cmdline/popt_common.c
   branches/SAMBA_4_0/source/lib/credentials.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c
===================================================================
--- branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c	2005-09-20 20:54:25 UTC (rev 10363)
+++ branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c	2005-09-20 21:29:29 UTC (rev 10364)
@@ -250,6 +250,28 @@
 
 	gensec_gssapi_state = gensec_security->private_data;
 
+	ret = cli_credentials_get_ccache(creds, 
+					 &ccache);
+	if (ret) {
+		DEBUG(1, ("Failed to get CCACHE for gensec_gssapi: %s\n", error_message(ret)));
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+
+	name_token.value = cli_credentials_get_principal(creds, 
+							 gensec_gssapi_state);
+	name_token.length = strlen(name_token.value);
+
+	maj_stat = gss_import_name (&min_stat,
+				    &name_token,
+				    GSS_C_NT_USER_NAME,
+				    &gensec_gssapi_state->client_name);
+	if (maj_stat) {
+		DEBUG(2, ("GSS Import name of %s failed: %s\n",
+			  (char *)name_token.value,
+			  gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+
 	principal = gensec_get_target_principal(gensec_security);
 	if (principal && lp_client_use_spnego_principal()) {
 		name_token.value = gensec_get_target_principal(gensec_security);
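Review bot: `cli_credentials_get_principal()` can return NULL, and the added `name_token.length = strlen(name_token.value);` dereferences the result unchecked. The credentials.c hunk in this same commit adds an explicit `return NULL` when the domain was obtained at a higher level than the realm, and the `talloc_asprintf` path there can also yield NULL on allocation failure. The earlier `cli_credentials_get_ccache` failure return may already catch the domain-form login, but that depends on code outside this hunk. A guard before the `strlen` would remove the dependency: `if (!name_token.value) { return NT_STATUS_INVALID_PARAMETER; }`, with the status code left to the author. The enclosing function starts and ends outside the hunk.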
@@ -274,28 +296,6 @@
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
-	ret = cli_credentials_get_ccache(creds, 
-					 &ccache);
-	if (ret) {
-		DEBUG(1, ("Failed to get CCACHE for gensec_gssapi: %s\n", error_message(ret)));
-		return NT_STATUS_UNSUCCESSFUL;
-	}
-
-	name_token.value = cli_credentials_get_principal(creds, 
-							 gensec_gssapi_state);
-	name_token.length = strlen(name_token.value);
-
-	maj_stat = gss_import_name (&min_stat,
-				    &name_token,
-				    GSS_C_NT_USER_NAME,
-				    &gensec_gssapi_state->client_name);
-	if (maj_stat) {
-		DEBUG(2, ("GSS Import name of %s failed: %s\n",
-			  (char *)name_token.value,
-			  gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
-		return NT_STATUS_UNSUCCESSFUL;
-	}
-
 	maj_stat = gsskrb5_acquire_cred(&min_stat, 
 					NULL, ccache->ccache,
 					gensec_gssapi_state->client_name,
@@ -964,7 +964,7 @@
 	.wrap           = gensec_gssapi_wrap,
 	.unwrap         = gensec_gssapi_unwrap,
 	.have_feature   = gensec_gssapi_have_feature,
-	.enabled        = False
+	.enabled        = True
 };
 
 NTSTATUS gensec_gssapi_init(void)
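Review bot: The `.enabled = True` line carries no comment saying that this is only the compiled-in default for the mechanism. Since the flag now decides whether GSSAPI is tried without the user asking for it, a pointer to the controlling setting would help anyone who has to pin the mechanism, for example `/* default on; see the "gensec:gssapi" parameter */`. The parameter name is taken from the commit log and the lookup is not in this hunk, so it should be confirmed. The initializer begins above the hunk.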

Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c
===================================================================
--- branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c	2005-09-20 20:54:25 UTC (rev 10363)
+++ branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c	2005-09-20 21:29:29 UTC (rev 10364)
@@ -111,7 +111,7 @@
 
 	if (!princ_string) {
 		talloc_free(mem_ctx);
-		return ENOMEM;
+		return EINVAL;
 	}
 
 	ret = krb5_parse_name(smb_krb5_context->krb5_context,
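Review bot: A NULL `princ_string` is now always reported as `EINVAL`, so an allocation failure would surface as an invalid argument. If the string comes from `cli_credentials_get_principal()` (its origin is not visible here), this branch catches both the deliberate no-principal case added in credentials.c and a failed `talloc_asprintf`. A comment such as `/* no principal available, e.g. a DOMAIN\user login; may also be allocation failure */` would stop a reader of the resulting "Invalid argument" log line from chasing the wrong cause. The function begins and ends outside the hunk.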

Modified: branches/SAMBA_4_0/source/lib/cmdline/popt_common.c
===================================================================
--- branches/SAMBA_4_0/source/lib/cmdline/popt_common.c	2005-09-20 20:54:25 UTC (rev 10363)
+++ branches/SAMBA_4_0/source/lib/cmdline/popt_common.c	2005-09-20 21:29:29 UTC (rev 10364)
@@ -241,17 +241,7 @@
 		cli_credentials_set_machine_account_pending(cmdline_credentials);
 		
 		/* machine accounts only work with kerberos (fall though)*/
-
-	case 'k':
-#ifndef HAVE_KRB5
-		d_printf("No kerberos support compiled in\n");
-		exit(1);
-#else
-		lp_set_cmdline("gensec:krb5", "True");
-#endif
 		break;
-
-
 	}
 }
 
@@ -261,7 +251,6 @@
 	{ NULL, 0, POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST, popt_common_credentials_callback },
 	{ "user", 'U', POPT_ARG_STRING, NULL, 'U', "Set the network username", "[DOMAIN\\]USERNAME[%PASSWORD]" },
 	{ "no-pass", 'N', POPT_ARG_NONE, &dont_ask, True, "Don't ask for a password" },
-	{ "kerberos", 'k', POPT_ARG_NONE, NULL, 'k', "Use kerberos (active directory) authentication" },
 	{ "authentication-file", 'A', POPT_ARG_STRING, NULL, 'A', "Get the credentials from a file", "FILE" },
 	{ "signing", 'S', POPT_ARG_STRING, NULL, 'S', "Set the client signing state", "on|off|required" },
 	{ "machine-pass", 'P', POPT_ARG_NONE, NULL, 'P', "Use stored machine account password (implies -k)" },

Modified: branches/SAMBA_4_0/source/lib/credentials.c
===================================================================
--- branches/SAMBA_4_0/source/lib/credentials.c	2005-09-20 20:54:25 UTC (rev 10363)
+++ branches/SAMBA_4_0/source/lib/credentials.c	2005-09-20 21:29:29 UTC (rev 10364)
@@ -121,9 +121,13 @@
 	}
 
 	if (cred->principal_obtained < cred->username_obtained) {
-		return talloc_asprintf(mem_ctx, "%s@%s", 
-				       cli_credentials_get_username(cred, mem_ctx),
-				       cli_credentials_get_realm(cred));
+		if (cred->domain_obtained > cred->realm_obtained) {
+			return NULL;
+		} else {
+			return talloc_asprintf(mem_ctx, "%s@%s", 
+					       cli_credentials_get_username(cred, mem_ctx),
+					       cli_credentials_get_realm(cred));
+		}
 	}
 	return talloc_reference(mem_ctx, cred->principal);
 }
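Review bot: The new `return NULL` for `cred->domain_obtained > cred->realm_obtained` is undocumented. NULL from this function can now mean either that no principal should be derived or that `talloc_asprintf` failed. A comment above the branch would make the contract explicit, for example `/* domain was supplied at a higher level than realm: do not guess a user@REALM principal */`, with the wording confirmed by the author. The function's header comment should also say that callers must check for NULL. As a style point, the `else` after `return NULL;` is redundant. The function's start is outside the hunk.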


