svn commit: samba r10565 - in branches/SAMBA_4_0/source/auth/gensec: .

abartlet at samba.org abartlet at samba.org
Wed Sep 28 04:50:03 GMT 2005


Author: abartlet
Date: 2005-09-28 04:50:02 +0000 (Wed, 28 Sep 2005)
New Revision: 10565

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=10565

Log:
Try to make Kerberos authentication a bit more friendly.

This disables it for 'localhost' as well as for any host our KDC does
not recognise.  

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c
   branches/SAMBA_4_0/source/auth/gensec/gensec_krb5.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c
===================================================================
--- branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c	2005-09-28 02:58:53 UTC (rev 10564)
+++ branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c	2005-09-28 04:50:02 UTC (rev 10565)
@@ -239,9 +239,13 @@
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 	if (is_ipaddress(hostname)) {
-		DEBUG(2, ("Cannot do GSSAPI to an IP address"));
+		DEBUG(2, ("Cannot do GSSAPI to an IP address\n"));
 		return NT_STATUS_INVALID_PARAMETER;
 	}
+	if (strequal(hostname, "localhost")) {
+		DEBUG(2, ("GSSAPI to 'localhost' does not make sense\n"));
+		return NT_STATUS_INVALID_PARAMETER;
+	}
 
 	nt_status = gensec_gssapi_start(gensec_security);
 	if (!NT_STATUS_IS_OK(nt_status)) {
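Review bot: The new 'localhost' rejection returns NT_STATUS_INVALID_PARAMETER without saying why that status was chosen over NT_STATUS_UNSUCCESSFUL, while the later hunks of this commit annotate the same choice with `/* Make SPNEGO ignore us, we can't go any further here */`. I would put the same one-line comment on the `return` inside the new `if (strequal(hostname, "localhost"))` block so the status is read as a deliberate "skip this mechanism" signal rather than an arbitrary error. Note that only the bare name is matched; a qualified form such as `localhost.localdomain` or the machine's own name will instead fall through to the KDC and be handled by the KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN case added later in this commit, which is presumably acceptable. The enclosing function starts before this hunk.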
@@ -269,7 +273,7 @@
 		DEBUG(2, ("GSS Import name of %s failed: %s\n",
 			  (char *)name_token.value,
 			  gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
-		return NT_STATUS_UNSUCCESSFUL;
+		return NT_STATUS_INVALID_PARAMETER;
 	}
 
 	principal = gensec_get_target_principal(gensec_security);
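Review bot: Changing the gss_import_name failure path from NT_STATUS_UNSUCCESSFUL to NT_STATUS_INVALID_PARAMETER alters how SPNEGO treats this mechanism, but the changed `return` line carries no comment explaining the intent, unlike the equivalent returns later in this commit. Add `/* Make SPNEGO ignore us, we can't go any further here */` on the changed line so a later reader does not "fix" it back. If gss_import_name can also fail for reasons unrelated to the supplied name (library or memory errors, which I cannot tell from here), those failures would now be silently skipped rather than reported. The enclosing function starts before this hunk.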
@@ -306,9 +310,16 @@
 					NULL, 
 					NULL);
 	if (maj_stat) {
-		DEBUG(1, ("Aquiring initiator credentails failed: %s\n", 
-			  gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
-		return NT_STATUS_UNSUCCESSFUL;
+		switch (min_stat) {
+		case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
+			DEBUG(3, ("Server [%s] is not registered with our KDC: %s\n", 
+				  hostname, gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
+			return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
+		default:
+			DEBUG(1, ("Aquiring initiator credentails failed: %s\n", 
+				  gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
+			return NT_STATUS_UNSUCCESSFUL;
+		}
 	}
 
 	return NT_STATUS_OK;
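Review bot: The new `switch (min_stat)` interprets the minor status as a Kerberos error code without checking that the krb5 mechanism is actually in use, whereas the update-path hunk in this same commit guards its identical switch with a `gss_mech_krb5` OID comparison on gensec_gssapi_state->gss_oid. Minor status values are mechanism-specific, so if gss_oid can be something other than krb5 here (the gss_acquire_cred call begins before this hunk, so I cannot confirm), another mechanism's minor code could alias KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN and be wrongly reported as an unregistered server; guarding with the same OID check, or a short comment stating that this path is krb5-only, would close that gap. As a style point, the default branch carries over the pre-existing misspellings in `"Aquiring initiator credentails failed: %s\n"`, which this rewrite of the line was a good chance to correct to "Acquiring initiator credentials". The enclosing function starts before this hunk.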
@@ -408,12 +419,23 @@
 		gss_release_buffer(&min_stat2, &output_token);
 
 		return NT_STATUS_MORE_PROCESSING_REQUIRED;
-	} else {
-		if (maj_stat == GSS_S_FAILURE
-		    && (min_stat == KRB5KRB_AP_ERR_BADVERSION || min_stat == KRB5KRB_AP_ERR_MSG_TYPE)) {
+	} else if ((gensec_gssapi_state->gss_oid->length == gss_mech_krb5->length)
+	    && (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements, 
+		       gensec_gssapi_state->gss_oid->length) == 0)) {
+		switch (min_stat) {
+		case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
+			DEBUG(3, ("Server is not registered with our KDC: %s\n", 
+				  gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
+			return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
+		case KRB5KRB_AP_ERR_MSG_TYPE:
 			/* garbage input, possibly from the auto-mech detection */
 			return NT_STATUS_INVALID_PARAMETER;
+		default:
+			DEBUG(1, ("GSS(krb5) Update failed: %s\n", 
+				  gssapi_error_string(out_mem_ctx, maj_stat, min_stat)));
+			return nt_status;
 		}
+	} else {
 		DEBUG(1, ("GSS Update failed: %s\n", 
 			  gssapi_error_string(out_mem_ctx, maj_stat, min_stat)));
 		return nt_status;
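Review bot: The rewritten error handling drops the KRB5KRB_AP_ERR_BADVERSION case that the removed condition treated as garbage input: previously `maj_stat == GSS_S_FAILURE && (min_stat == KRB5KRB_AP_ERR_BADVERSION || min_stat == KRB5KRB_AP_ERR_MSG_TYPE)` returned NT_STATUS_INVALID_PARAMETER, but the new switch keeps only KRB5KRB_AP_ERR_MSG_TYPE, so a bad-version token now reaches the default branch and returns nt_status. Unless that narrowing is intended, add `case KRB5KRB_AP_ERR_BADVERSION:` directly above `case KRB5KRB_AP_ERR_MSG_TYPE:` so both share the "garbage input" return. The new switch also no longer requires maj_stat to be GSS_S_FAILURE before interpreting min_stat; a comment noting that min_stat is only consulted when the krb5 OID matched would make that deliberate. The enclosing function starts before and ends after this hunk.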

Modified: branches/SAMBA_4_0/source/auth/gensec/gensec_krb5.c
===================================================================
--- branches/SAMBA_4_0/source/auth/gensec/gensec_krb5.c	2005-09-28 02:58:53 UTC (rev 10564)
+++ branches/SAMBA_4_0/source/auth/gensec/gensec_krb5.c	2005-09-28 04:50:02 UTC (rev 10565)
@@ -172,7 +172,10 @@
 		DEBUG(2, ("Cannot do krb5 to an IP address"));
 		return NT_STATUS_INVALID_PARAMETER;
 	}
-
+	if (strequal(hostname, "localhost")) {
+		DEBUG(2, ("krb5 to 'localhost' does not make sense"));
+		return NT_STATUS_INVALID_PARAMETER;
+	}
 			
 	nt_status = gensec_krb5_start(gensec_security);
 	if (!NT_STATUS_IS_OK(nt_status)) {
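Review bot: The new debug message `"krb5 to 'localhost' does not make sense"` has no trailing newline, so it will run into the next log line; the gensec_gssapi.c hunk of this same commit fixes exactly this for its counterpart message. Change the line to `DEBUG(2, ("krb5 to 'localhost' does not make sense\n"));`. The pre-existing `"Cannot do krb5 to an IP address"` on the context line just above has the same omission and could be fixed in the same pass. As in the GSSAPI file, a `/* Make SPNEGO ignore us, we can't go any further here */` comment on the new return would document why NT_STATUS_INVALID_PARAMETER is used. The enclosing function starts before this hunk.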
@@ -235,7 +238,7 @@
 	case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
 		DEBUG(3, ("Server [%s] is not registered with our KDC: %s\n", 
 			  hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
-		return NT_STATUS_ACCESS_DENIED;
+		return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
 	case KRB5KDC_ERR_PREAUTH_FAILED:
 	case KRB5KRB_AP_ERR_TKT_EXPIRED:
 	case KRB5_CC_END:


