svn commit: samba r10364 - in branches/SAMBA_4_0/source:
auth/gensec auth/kerberos lib lib/cmdline
abartlet at samba.org
abartlet at samba.org
Tue Sep 20 21:29:30 GMT 2005
Author: abartlet
Date: 2005-09-20 21:29:29 +0000 (Tue, 20 Sep 2005)
New Revision: 10364
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=10364
Log:
Turn gensec:gssapi on by default, except for a login of the form
-Udomain\\user.
This will probably break in a few configurations, so please let me
know. I'll also work to have a way to inhibit kerberos/ntlmssp, as
this removes -k.
Andrew Bartlett
Modified:
branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c
branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c
branches/SAMBA_4_0/source/lib/cmdline/popt_common.c
branches/SAMBA_4_0/source/lib/credentials.c
Changeset:
Modified: branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c
===================================================================
--- branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c 2005-09-20 20:54:25 UTC (rev 10363)
+++ branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c 2005-09-20 21:29:29 UTC (rev 10364)
@@ -250,6 +250,28 @@
gensec_gssapi_state = gensec_security->private_data;
+ ret = cli_credentials_get_ccache(creds,
+ &ccache);
+ if (ret) {
+ DEBUG(1, ("Failed to get CCACHE for gensec_gssapi: %s\n", error_message(ret)));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ name_token.value = cli_credentials_get_principal(creds,
+ gensec_gssapi_state);
+ name_token.length = strlen(name_token.value);
+
+ maj_stat = gss_import_name (&min_stat,
+ &name_token,
+ GSS_C_NT_USER_NAME,
+ &gensec_gssapi_state->client_name);
+ if (maj_stat) {
+ DEBUG(2, ("GSS Import name of %s failed: %s\n",
+ (char *)name_token.value,
+ gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
principal = gensec_get_target_principal(gensec_security);
if (principal && lp_client_use_spnego_principal()) {
name_token.value = gensec_get_target_principal(gensec_security);
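Review bot: `strlen(name_token.value)` is called on the result of `cli_credentials_get_principal()` with no NULL check. The credentials.c hunk in this same commit makes that function return NULL when the domain was set more recently than the realm, and `talloc_asprintf` can also fail. With this mechanism now enabled by default, the path looks reachable for an ordinary `-Udomain\\user` login, so the client would dereference NULL instead of failing the mechanism cleanly. Add a guard before the length is taken, for example `if (!name_token.value) return NT_STATUS_INVALID_PARAMETER;`. The enclosing function starts and ends outside the hunk.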
@@ -274,28 +296,6 @@
return NT_STATUS_INVALID_PARAMETER;
}
- ret = cli_credentials_get_ccache(creds,
- &ccache);
- if (ret) {
- DEBUG(1, ("Failed to get CCACHE for gensec_gssapi: %s\n", error_message(ret)));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- name_token.value = cli_credentials_get_principal(creds,
- gensec_gssapi_state);
- name_token.length = strlen(name_token.value);
-
- maj_stat = gss_import_name (&min_stat,
- &name_token,
- GSS_C_NT_USER_NAME,
- &gensec_gssapi_state->client_name);
- if (maj_stat) {
- DEBUG(2, ("GSS Import name of %s failed: %s\n",
- (char *)name_token.value,
- gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
maj_stat = gsskrb5_acquire_cred(&min_stat,
NULL, ccache->ccache,
gensec_gssapi_state->client_name,
@@ -964,7 +964,7 @@
.wrap = gensec_gssapi_wrap,
.unwrap = gensec_gssapi_unwrap,
.have_feature = gensec_gssapi_have_feature,
- .enabled = False
+ .enabled = True
};
NTSTATUS gensec_gssapi_init(void)
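Review bot: Flipping `.enabled` to `True` here, while the popt_common.c hunks remove `-k`, leaves no option in this diff for a caller to require Kerberos or to refuse a weaker mechanism. Whether a failed GSSAPI start falls back to NTLMSSP is decided in negotiation code outside the diff, so that should be confirmed before relying on the default. I would add a comment on the field, such as `/* on by default; per-mechanism override is via the "gensec:gssapi" parameter */`, once the intended override is settled. The `-P` help text in popt_common.c still reads "(implies -k)", which is stale after this commit. The ops struct initializer begins outside the hunk.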
Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c
===================================================================
--- branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c 2005-09-20 20:54:25 UTC (rev 10363)
+++ branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c 2005-09-20 21:29:29 UTC (rev 10364)
@@ -111,7 +111,7 @@
if (!princ_string) {
talloc_free(mem_ctx);
- return ENOMEM;
+ return EINVAL;
}
ret = krb5_parse_name(smb_krb5_context->krb5_context,
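Review bot: Returning `EINVAL` for a NULL `princ_string` now reports an out-of-memory failure as an invalid argument. After this commit a NULL principal can mean either "no principal could be derived" or a talloc allocation failure, and the two are indistinguishable at this point. The assignment of `princ_string` is outside the hunk, so this assumes it comes from `cli_credentials_get_principal()`. At minimum, document the ambiguity with a comment on the branch, e.g. `/* NULL: no usable principal (DOMAIN\user login) or talloc failure */`. A `DEBUG` line before the return would also let an operator see why Kerberos was skipped.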
Modified: branches/SAMBA_4_0/source/lib/cmdline/popt_common.c
===================================================================
--- branches/SAMBA_4_0/source/lib/cmdline/popt_common.c 2005-09-20 20:54:25 UTC (rev 10363)
+++ branches/SAMBA_4_0/source/lib/cmdline/popt_common.c 2005-09-20 21:29:29 UTC (rev 10364)
@@ -241,17 +241,7 @@
cli_credentials_set_machine_account_pending(cmdline_credentials);
/* machine accounts only work with kerberos (fall though)*/
-
- case 'k':
-#ifndef HAVE_KRB5
- d_printf("No kerberos support compiled in\n");
- exit(1);
-#else
- lp_set_cmdline("gensec:krb5", "True");
-#endif
break;
-
-
}
}
@@ -261,7 +251,6 @@
{ NULL, 0, POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST, popt_common_credentials_callback },
{ "user", 'U', POPT_ARG_STRING, NULL, 'U', "Set the network username", "[DOMAIN\\]USERNAME[%PASSWORD]" },
{ "no-pass", 'N', POPT_ARG_NONE, &dont_ask, True, "Don't ask for a password" },
- { "kerberos", 'k', POPT_ARG_NONE, NULL, 'k', "Use kerberos (active directory) authentication" },
{ "authentication-file", 'A', POPT_ARG_STRING, NULL, 'A', "Get the credentials from a file", "FILE" },
{ "signing", 'S', POPT_ARG_STRING, NULL, 'S', "Set the client signing state", "on|off|required" },
{ "machine-pass", 'P', POPT_ARG_NONE, NULL, 'P', "Use stored machine account password (implies -k)" },
Modified: branches/SAMBA_4_0/source/lib/credentials.c
===================================================================
--- branches/SAMBA_4_0/source/lib/credentials.c 2005-09-20 20:54:25 UTC (rev 10363)
+++ branches/SAMBA_4_0/source/lib/credentials.c 2005-09-20 21:29:29 UTC (rev 10364)
@@ -121,9 +121,13 @@
}
if (cred->principal_obtained < cred->username_obtained) {
- return talloc_asprintf(mem_ctx, "%s@%s",
- cli_credentials_get_username(cred, mem_ctx),
- cli_credentials_get_realm(cred));
+ if (cred->domain_obtained > cred->realm_obtained) {
+ return NULL;
+ } else {
+ return talloc_asprintf(mem_ctx, "%s@%s",
+ cli_credentials_get_username(cred, mem_ctx),
+ cli_credentials_get_realm(cred));
+ }
}
return talloc_reference(mem_ctx, cred->principal);
}
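Review bot: The new `return NULL` turns NULL into a normal, non-error result of `cli_credentials_get_principal()`, but nothing in the hunk documents that contract. Callers that treated NULL as allocation failure, or never checked it, now need to handle "no principal available". A comment above the inner test would make the intent clear, for example `/* domain set more recently than realm (DOMAIN\user): do not synthesise user@REALM */`. As a style point, the `else` after `return NULL;` is redundant and the `talloc_asprintf` return could stay at the original indent. The function's opening lines are outside the hunk.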