Rev 5368: merge from upstream in http://samba.sernet.de/ma/bzr/SAMBA_3_0-registry.bzr/

Michael Adam ma at sernet.de
Wed Apr 18 11:38:18 GMT 2007


At http://samba.sernet.de/ma/bzr/SAMBA_3_0-registry.bzr/

------------------------------------------------------------
revno: 5368
revision-id: ma at sernet.de-20070418113812-9c0c3214f32524be
parent: ma at sernet.de-20070418111737-d6f0d4da2e435822
parent: jra at samba.org-20070418050155-9pwpbark0woks5q6
committer: Michael Adam <ma at sernet.de>
branch nick: SAMBA_3_0-registry.bzr
timestamp: Wed 2007-04-18 13:38:12 +0200
message:
  merge from upstream
modified:
  REVISION                       REVISION-20060530022625-68239662668b41c3
  source/Makefile.in             Makefile.in-20060530022626-b16dac2328ebe703
  source/lib/fault.c             fault.c-20060530022627-d2883d4c08c20703
  source/lib/tdb/common/freelist.c freelist.c-20070416111147-cebijg5x16vcb45j-16
  source/lib/tdb/common/freelistcheck.c freelistcheck.c-20070416111147-cebijg5x16vcb45j-17
  source/lib/tdb/common/tdb_private.h tdb_private.h-20070416111147-cebijg5x16vcb45j-22
  source/lib/tdb/common/transaction.c transaction.c-20070416111147-cebijg5x16vcb45j-24
  source/libsmb/clifsinfo.c      clifsinfo.c-20060530022627-9360212d14f20006
  source/libsmb/errormap.c       errormap.c-20060530022627-f469e8a07ae28ddc
  source/smbd/seal.c             seal.c-20070320050326-brtwj05flzzelvyk-1
    ------------------------------------------------------------
    merged: jra at samba.org-20070418050155-9pwpbark0woks5q6
    parent: jerry at samba.org-20070417231055-nsqlf0n9bi00la0r
    committer: jra at samba.org
    branch nick: SAMBA_3_0.bzr
    timestamp: Wed 2007-04-18 00:01:55 -0500
    message:
      jra at samba.org (r22327)  2007-04-17 19:34:10 -0500 (Tue, 17 Apr 2007)
          
          Finish the gss-spnego part of the seal code. Now
          for testing....
          Jeremy.
          
    ------------------------------------------------------------
    merged: jerry at samba.org-20070417231055-nsqlf0n9bi00la0r
    parent: lmuelle at samba.org-20070417230834-tbhy2j2ut6it5ods
    committer: jerry at samba.org
    branch nick: SAMBA_3_0.bzr
    timestamp: Tue 2007-04-17 18:10:55 -0500
    message:
      jerry at samba.org (r22321)  2007-04-17 16:32:59 -0500 (Tue, 17 Apr 2007)
          
          BUG 4509: Makefile fix linking the sfu.so and rfc2307.so 
          plugins in $libdir/nss_info to idmap/ad.so
          
          
    ------------------------------------------------------------
    merged: lmuelle at samba.org-20070417230834-tbhy2j2ut6it5ods
    parent: lmuelle at samba.org-20070417230610-j32kpxs31xsvrb2r
    committer: lmuelle at samba.org
    branch nick: SAMBA_3_0.bzr
    timestamp: Tue 2007-04-17 18:08:34 -0500
    message:
      lmuelle at samba.org (r22320)  2007-04-17 13:35:10 -0500 (Tue, 17 Apr 2007)
          
          Be more careful and check for the euid instead of the uid.
          
          Thx for the hint James!
          
    ------------------------------------------------------------
    merged: lmuelle at samba.org-20070417230610-j32kpxs31xsvrb2r
    parent: metze at samba.org-20070417230418-t8nztbn7ea6mwz9e
    committer: lmuelle at samba.org
    branch nick: SAMBA_3_0.bzr
    timestamp: Tue 2007-04-17 18:06:10 -0500
    message:
      lmuelle at samba.org (r22318)  2007-04-17 12:17:19 -0500 (Tue, 17 Apr 2007)
          
          If we're running as non root we might not be able to dump the core file
          to the corepath.
          
          Even the chdir() will fail if the LOGFILEBASE path is set 0700.
          
          If the current user doesn't have the permission to create the core file
          we end with:
          unable to change to <LOGFILEBASE>
          refusing to dump core
          
          The alternative would be to change the permissions of the directory.
          But that would not ensure core dumps are working out of the box.
          
    ------------------------------------------------------------
    merged: metze at samba.org-20070417230418-t8nztbn7ea6mwz9e
    parent: metze at samba.org-20070417230206-yyt6sohsspghv723
    committer: metze at samba.org
    branch nick: SAMBA_3_0.bzr
    timestamp: Tue 2007-04-17 18:04:18 -0500
    message:
      metze at samba.org (r22317)  2007-04-17 12:07:14 -0500 (Tue, 17 Apr 2007)
          
          add tdb_ prefix to non static function
          
          metze
    ------------------------------------------------------------
    merged: metze at samba.org-20070417230206-yyt6sohsspghv723
    parent: metze at samba.org-20070417170717-d21x3e2w4vg57tcd
    committer: metze at samba.org
    branch nick: SAMBA_3_0.bzr
    timestamp: Tue 2007-04-17 18:02:06 -0500
    message:
      metze at samba.org (r22316)  2007-04-17 12:03:38 -0500 (Tue, 17 Apr 2007)
          
          merge from samba4:
          
          this function should be static
          
          metze
=== modified file 'REVISION'
--- a/REVISION	2007-04-17 17:07:17 +0000
+++ b/REVISION	2007-04-18 05:01:55 +0000
@@ -2,9 +2,9 @@
 URL: svn+ssh://svn.samba.org/home/svn/samba/branches/SAMBA_3_0
 Repository Root: svn+ssh://svn.samba.org/home/svn/samba
 Repository UUID: 0c0555d6-39d7-0310-84fc-f1cc0bd64818
-Revision: 22315
+Revision: 22327
 Node Kind: directory
-Last Changed Author: metze
-Last Changed Rev: 22315
-Last Changed Date: 2007-04-17 11:53:06 -0500 (Tue, 17 Apr 2007)
+Last Changed Author: jra
+Last Changed Rev: 22327
+Last Changed Date: 2007-04-17 19:34:10 -0500 (Tue, 17 Apr 2007)
 

=== modified file 'source/Makefile.in'
--- a/source/Makefile.in	2007-04-17 20:33:14 +0000
+++ b/source/Makefile.in	2007-04-18 11:38:12 +0000
@@ -77,6 +77,7 @@
 PDBLIBDIR = $(LIBDIR)/pdb
 RPCLIBDIR = $(LIBDIR)/rpc
 IDMAPLIBDIR = $(LIBDIR)/idmap
+NSSINFOLIBDIR = $(LIBDIR)/nss_info
 CHARSETLIBDIR = $(LIBDIR)/charset
 AUTHLIBDIR = $(LIBDIR)/auth
 CONFIGLIBDIR = $(LIBDIR)/config
@@ -1807,6 +1808,7 @@
 	@$(SHELL) $(srcdir)/script/installmodules.sh $(INSTALLPERMS) $(DESTDIR) $(prefix) $(PDBLIBDIR) $(PDB_MODULES)
 	@$(SHELL) $(srcdir)/script/installmodules.sh $(INSTALLPERMS) $(DESTDIR) $(prefix) $(RPCLIBDIR) $(RPC_MODULES)
 	@$(SHELL) $(srcdir)/script/installmodules.sh $(INSTALLPERMS) $(DESTDIR) $(prefix) $(IDMAPLIBDIR) $(IDMAP_MODULES)
+	@$(SHELL) $(srcdir)/script/installmodules.sh $(INSTALLPERMS) $(DESTDIR) $(prefix) $(NSSINFOLIBDIR) $(NSS_INFO_MODULES)
 	@$(SHELL) $(srcdir)/script/installmodules.sh $(INSTALLPERMS) $(DESTDIR) $(prefix) $(CHARSETLIBDIR) $(CHARSET_MODULES)
 	@$(SHELL) $(srcdir)/script/installmodules.sh $(INSTALLPERMS) $(DESTDIR) $(prefix) $(AUTHLIBDIR) $(AUTH_MODULES)
 	@$(SHELL) $(srcdir)/script/linkmodules.sh $(DESTDIR)$(PDBLIBDIR) ldapsam. at SHLIBEXT@ ldapsam_compat. at SHLIBEXT@
@@ -1814,6 +1816,7 @@
 	@$(SHELL) $(srcdir)/script/linkmodules.sh $(DESTDIR)$(AUTHLIBDIR) sam. at SHLIBEXT@ sam_ignoredomain. at SHLIBEXT@
 	@$(SHELL) $(srcdir)/script/linkmodules.sh $(DESTDIR)$(AUTHLIBDIR) domain. at SHLIBEXT@ trustdomain. at SHLIBEXT@ ntdomain. at SHLIBEXT@
 	@$(SHELL) $(srcdir)/script/linkmodules.sh $(DESTDIR)$(AUTHLIBDIR) builtin. at SHLIBEXT@ guest. at SHLIBEXT@ fixed_challenge. at SHLIBEXT@ name_to_ntstatus. at SHLIBEXT@
+	@$(SHELL) $(srcdir)/script/linkmodules.sh $(DESTDIR)$(NSSINFOLIBDIR) ../idmap/ad. at SHLIBEXT@ rfc2307. at SHLIBEXT@ sfu. at SHLIBEXT@
 
 installscripts: installdirs
 	@$(SHELL) $(srcdir)/script/installscripts.sh $(INSTALLPERMS) $(DESTDIR)$(BINDIR) $(SCRIPTS)

=== modified file 'source/lib/fault.c'
--- a/source/lib/fault.c	2007-04-06 23:08:29 +0000
+++ b/source/lib/fault.c	2007-04-17 23:08:34 +0000
@@ -161,6 +161,13 @@
 	}
 
 #if DUMP_CORE
+	/* If we're running as non root we might not be able to dump the core
+	 * file to the corepath.  There must not be an unbecome_root() before
+	 * we call abort(). */
+	if (geteuid() != 0) {
+		become_root();
+	}
+
 	if (*corepath != '\0') {
 		/* The chdir might fail if we dump core before we finish
 		 * processing the config file.
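Review bot: Nothing after `become_root();` verifies that the switch took effect, so a process that cannot regain root (for example one started by an unprivileged user, which is an inference since the callers are not visible here) carries on toward chdir() and abort() with its old identity. A `geteuid() != 0` test with a DEBUG message right after the call would make that case visible in the log. From this point the core file is created with root privilege inside corepath, so the comment should also state the precondition, e.g. `/* corepath must be root-owned and not writable by group or others: the core is written as root. */`. The enclosing function starts and ends outside this hunk.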

=== modified file 'source/lib/tdb/common/freelist.c'
--- a/source/lib/tdb/common/freelist.c	2007-04-16 11:11:51 +0000
+++ b/source/lib/tdb/common/freelist.c	2007-04-17 23:04:18 +0000
@@ -29,7 +29,7 @@
 #include "tdb_private.h"
 
 /* read a freelist record and check for simple errors */
-int rec_free_read(struct tdb_context *tdb, tdb_off_t off, struct list_struct *rec)
+int tdb_rec_free_read(struct tdb_context *tdb, tdb_off_t off, struct list_struct *rec)
 {
 	if (tdb->methods->tdb_read(tdb, off, rec, sizeof(*rec),DOCONV()) == -1)
 		return -1;
@@ -37,7 +37,7 @@
 	if (rec->magic == TDB_MAGIC) {
 		/* this happens when a app is showdown while deleting a record - we should
 		   not completely fail when this happens */
-		TDB_LOG((tdb, TDB_DEBUG_WARNING, "rec_free_read non-free magic 0x%x at offset=%d - fixing\n", 
+		TDB_LOG((tdb, TDB_DEBUG_WARNING, "tdb_rec_free_read non-free magic 0x%x at offset=%d - fixing\n", 
 			 rec->magic, off));
 		rec->magic = TDB_FREE_MAGIC;
 		if (tdb->methods->tdb_write(tdb, off, rec, sizeof(*rec)) == -1)
@@ -47,7 +47,7 @@
 	if (rec->magic != TDB_FREE_MAGIC) {
 		/* Ensure ecode is set for log fn. */
 		tdb->ecode = TDB_ERR_CORRUPT;
-		TDB_LOG((tdb, TDB_DEBUG_WARNING, "rec_free_read bad magic 0x%x at offset=%d\n", 
+		TDB_LOG((tdb, TDB_DEBUG_WARNING, "tdb_rec_free_read bad magic 0x%x at offset=%d\n", 
 			   rec->magic, off));
 		return TDB_ERRCODE(TDB_ERR_CORRUPT, -1);
 	}
@@ -286,7 +286,7 @@
 	   issues when faced with a slowly increasing record size.
 	 */
 	while (rec_ptr) {
-		if (rec_free_read(tdb, rec_ptr, rec) == -1) {
+		if (tdb_rec_free_read(tdb, rec_ptr, rec) == -1) {
 			goto fail;
 		}
 
@@ -311,7 +311,7 @@
 	}
 
 	if (bestfit.rec_ptr != 0) {
-		if (rec_free_read(tdb, bestfit.rec_ptr, rec) == -1) {
+		if (tdb_rec_free_read(tdb, bestfit.rec_ptr, rec) == -1) {
 			goto fail;
 		}
 

=== modified file 'source/lib/tdb/common/freelistcheck.c'
--- a/source/lib/tdb/common/freelistcheck.c	2007-04-16 11:11:51 +0000
+++ b/source/lib/tdb/common/freelistcheck.c	2007-04-17 23:04:18 +0000
@@ -88,7 +88,7 @@
 			goto fail;
 		}
 
-		if (rec_free_read(tdb, rec_ptr, &rec) == -1) {
+		if (tdb_rec_free_read(tdb, rec_ptr, &rec) == -1) {
 			goto fail;
 		}
 

=== modified file 'source/lib/tdb/common/tdb_private.h'
--- a/source/lib/tdb/common/tdb_private.h	2007-04-16 11:11:51 +0000
+++ b/source/lib/tdb/common/tdb_private.h	2007-04-17 23:04:18 +0000
@@ -206,7 +206,7 @@
 			   struct list_struct *rec);
 void tdb_io_init(struct tdb_context *tdb);
 int tdb_expand(struct tdb_context *tdb, tdb_off_t size);
-int rec_free_read(struct tdb_context *tdb, tdb_off_t off,
-		  struct list_struct *rec);
+int tdb_rec_free_read(struct tdb_context *tdb, tdb_off_t off,
+		      struct list_struct *rec);
 
 

=== modified file 'source/lib/tdb/common/transaction.c'
--- a/source/lib/tdb/common/transaction.c	2007-04-16 11:11:51 +0000
+++ b/source/lib/tdb/common/transaction.c	2007-04-17 23:02:06 +0000
@@ -358,8 +358,8 @@
 /*
   brlock during a transaction - ignore them
 */
-int transaction_brlock(struct tdb_context *tdb, tdb_off_t offset, 
-		       int rw_type, int lck_type, int probe, size_t len)
+static int transaction_brlock(struct tdb_context *tdb, tdb_off_t offset, 
+			      int rw_type, int lck_type, int probe, size_t len)
 {
 	return 0;
 }

=== modified file 'source/libsmb/clifsinfo.c'
--- a/source/libsmb/clifsinfo.c	2007-03-30 15:35:10 +0000
+++ b/source/libsmb/clifsinfo.c	2007-04-18 05:01:55 +0000
@@ -2,6 +2,7 @@
    Unix SMB/CIFS implementation.
    FS info functions
    Copyright (C) Stefan (metze) Metzmacher	2003
+   Copyright (C) Jeremy Allison 2007.
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -355,6 +356,22 @@
 }
 
 /******************************************************************************
+ Make a client state struct.
+******************************************************************************/
+
+static struct smb_trans_enc_state *make_cli_enc_state(enum smb_trans_enc_type smb_enc_type)
+{
+	struct smb_trans_enc_state *es = NULL;
+	es = SMB_MALLOC_P(struct smb_trans_enc_state);
+	if (!es) {
+		return NULL;
+	}
+	ZERO_STRUCTP(es);
+	es->smb_enc_type = smb_enc_type;
+	return es;
+}
+
+/******************************************************************************
  Start a raw ntlmssp encryption.
 ******************************************************************************/
 
@@ -367,14 +384,11 @@
 	DATA_BLOB blob_out = data_blob(NULL, 0);
 	DATA_BLOB param_out = data_blob(NULL, 0);
 	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
-	struct smb_trans_enc_state *es = NULL;
+	struct smb_trans_enc_state *es = make_cli_enc_state(SMB_TRANS_ENC_NTLM);
 
-	es = SMB_MALLOC_P(struct smb_trans_enc_state);
 	if (!es) {
 		return NT_STATUS_NO_MEMORY;
 	}
-	ZERO_STRUCTP(es);
-	es->smb_enc_type = SMB_TRANS_ENC_NTLM;
 	status = ntlmssp_client_start(&es->s.ntlmssp_state);
 	if (!NT_STATUS_IS_OK(status)) {
 		goto fail;
@@ -423,3 +437,166 @@
 	common_free_encryption_state(&es);
 	return status;
 }
+
+#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
+
+#ifndef SMB_GSS_REQUIRED_FLAGS
+#define SMB_GSS_REQUIRED_FLAGS (GSS_C_CONF_FLAG|GSS_C_INTEG_FLAG|GSS_C_MUTUAL_FLAG|GSS_C_REPLAY_FLAG|GSS_C_SEQUENCE_FLAG)
+#endif
+
+/******************************************************************************
+ Get client gss blob to send to a server.
+******************************************************************************/
+
+static NTSTATUS make_cli_gss_blob(struct smb_trans_enc_state *es,
+				const char *service,
+				const char *host,
+				NTSTATUS status_in,
+				DATA_BLOB spnego_blob_in,
+				DATA_BLOB *p_blob_out)
+{
+	const char *krb_mechs[] = {OID_KERBEROS5_OLD, OID_KERBEROS5, NULL};
+	OM_uint32 ret;
+	OM_uint32 min;
+	gss_name_t srv_name;
+	gss_buffer_desc input_name;
+	gss_buffer_desc *p_tok_in;
+	gss_buffer_desc tok_out, tok_in;
+	DATA_BLOB blob_out = data_blob(NULL, 0);
+	DATA_BLOB blob_in = data_blob(NULL, 0);
+	char *host_princ_s = NULL;
+	OM_uint32 ret_flags = 0;
+	NTSTATUS status = NT_STATUS_OK;
+
+	memset(&tok_out, '\0', sizeof(tok_out));
+
+	/* Get a ticket for the service at host */
+	asprintf(&host_princ_s, "%s@%s", service, host);
+	if (host_princ_s == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	input_name.value = host_princ_s;
+	input_name.length = strlen(host_princ_s) + 1;
+
+	ret = gss_import_name(&min,
+				&input_name,
+				GSS_C_NT_HOSTBASED_SERVICE,
+				&srv_name);
+
+	if (ret != GSS_S_COMPLETE) {
+		SAFE_FREE(host_princ_s);
+		return map_nt_error_from_gss(ret, min);
+	}
+
+	if (spnego_blob_in.length == 0) {
+		p_tok_in = GSS_C_NO_BUFFER;
+	} else {
+		/* Remove the SPNEGO wrapper */
+		if (!spnego_parse_auth_response(spnego_blob_in, status_in, OID_KERBEROS5, &blob_in)) {
+			status = NT_STATUS_UNSUCCESSFUL;
+			goto fail;
+		}
+		tok_in.value = blob_in.data;
+		tok_in.length = blob_in.length;
+		p_tok_in = &tok_in;
+	}
+
+	ret = gss_init_sec_context(&min,
+				GSS_C_NO_CREDENTIAL, /* Use our default cred. */
+				&es->s.gss_state->gss_ctx,
+				srv_name,
+				GSS_C_NO_OID, /* default OID. */
+				GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG,
+				GSS_C_INDEFINITE,	/* requested ticket lifetime. */
+				NULL,   /* no channel bindings */
+				p_tok_in,
+				NULL,   /* ignore mech type */
+				&tok_out,
+				&ret_flags,
+				NULL);  /* ignore time_rec */
+
+	status = map_nt_error_from_gss(ret, min);
+	if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status,NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+		goto fail;
+	}
+
+	if ((ret_flags & SMB_GSS_REQUIRED_FLAGS) != SMB_GSS_REQUIRED_FLAGS) {
+		status = NT_STATUS_ACCESS_DENIED;
+	}
+
+	blob_out = data_blob(tok_out.value, tok_out.length);
+
+	/* Wrap in an SPNEGO wrapper */
+	*p_blob_out = gen_negTokenTarg(krb_mechs, blob_out);
+
+  fail:
+
+	data_blob_free(&blob_out);
+	data_blob_free(&blob_in);
+	SAFE_FREE(host_princ_s);
+	gss_release_name(&min, &srv_name);
+	if (tok_out.value) {
+		gss_release_buffer(&min, &tok_out);
+	}
+	return status;
+}
+
+/******************************************************************************
+ Start a SPNEGO gssapi encryption context.
+******************************************************************************/
+
+NTSTATUS cli_gss_smb_encryption_start(struct cli_state *cli)
+{
+	DATA_BLOB blob_recv = data_blob(NULL, 0);
+	DATA_BLOB blob_send = data_blob(NULL, 0);
+	DATA_BLOB param_out = data_blob(NULL, 0);
+	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+	fstring fqdn;
+	const char *servicename;
+	struct smb_trans_enc_state *es = make_cli_enc_state(SMB_TRANS_ENC_GSS);
+
+	if (!es) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	name_to_fqdn(fqdn, cli->desthost);
+	strlower_m(fqdn);
+
+	servicename = "cifs";
+	status = make_cli_gss_blob(es, servicename, fqdn, NT_STATUS_OK, blob_recv, &blob_send);
+	if (!NT_STATUS_EQUAL(status,NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+		servicename = "host";
+		status = make_cli_gss_blob(es, servicename, fqdn, NT_STATUS_OK, blob_recv, &blob_send);
+		if (!NT_STATUS_EQUAL(status,NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+			goto fail;
+		}
+	}
+
+	do {
+		data_blob_free(&blob_recv);
+		status = enc_blob_send_receive(cli, &blob_send, &blob_recv, &param_out);
+		if (param_out.length == 2) {
+			es->enc_ctx_num = SVAL(param_out.data, 0);
+		}
+		data_blob_free(&blob_send);
+		status = make_cli_gss_blob(es, servicename, fqdn, status, blob_recv, &blob_send);
+	} while (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED));
+	data_blob_free(&blob_recv);
+
+	if (NT_STATUS_IS_OK(status)) {
+		/* Replace the old state, if any. */
+		if (cli->trans_enc_state) {
+			common_free_encryption_state(&cli->trans_enc_state);
+		}
+		cli->trans_enc_state = es;
+		cli->trans_enc_state->enc_on = True;
+		es = NULL;
+	}
+
+  fail:
+
+	common_free_encryption_state(&es);
+	return status;
+}
+#endif
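Review bot: In make_cli_gss_blob the flags requested from gss_init_sec_context() are `GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG`, yet the result is tested against SMB_GSS_REQUIRED_FLAGS, which also contains GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG; whether a mechanism grants sealing and signing unasked is implementation-dependent, so I would pass `SMB_GSS_REQUIRED_FLAGS,` as the request flags. When that test fails the code sets NT_STATUS_ACCESS_DENIED but falls through and still stores a token in *p_blob_out, so a `goto fail;` after the assignment is needed to keep a rejected context from producing output. `&es->s.gss_state->gss_ctx` is used although make_cli_enc_state() only zeroes the struct, so unless gss_state is allocated somewhere outside this diff the pointer is NULL at that call. In cli_gss_smb_encryption_start the status of enc_blob_send_receive() is passed straight into the next make_cli_gss_blob() call, so a transport error with an empty blob_recv is handled like the first leg of the exchange; the loop should stop on any status other than NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED, and param_out is never freed. The asprintf() return value should be tested (`if (asprintf(&host_princ_s, "%s@%s", service, host) == -1)`), because the pointer is not guaranteed to be NULL on failure.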

=== modified file 'source/libsmb/errormap.c'
--- a/source/libsmb/errormap.c	2007-03-30 15:26:58 +0000
+++ b/source/libsmb/errormap.c	2007-04-18 05:01:55 +0000
@@ -1652,6 +1652,10 @@
 		return NT_STATUS_OK;
 	}
 
+	if (gss_maj == GSS_S_CONTINUE_NEEDED) {
+		return NT_STATUS_MORE_PROCESSING_REQUIRED;
+	}
+
 	if (gss_maj == GSS_S_FAILURE) {
 		return map_nt_error_from_unix((int)minor);
 	}
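Review bot: The new test compares the whole major status with `==`, but GSS_S_CONTINUE_NEEDED is a supplementary-information bit that an implementation may return together with other supplementary bits, in which case this branch is skipped and the value is mapped as a failure further down. Testing the bit after ruling out an error, `if (!GSS_ERROR(gss_maj) && (gss_maj & GSS_S_CONTINUE_NEEDED))`, covers that case. The function begins and ends outside the hunk, so how the remaining values are mapped is not visible here.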

=== modified file 'source/smbd/seal.c'
--- a/source/smbd/seal.c	2007-04-16 17:01:59 +0000
+++ b/source/smbd/seal.c	2007-04-18 05:01:55 +0000
@@ -333,9 +333,12 @@
 	OM_uint32 flags = 0;
 	gss_buffer_desc in_buf, out_buf;
 	struct smb_tran_enc_state_gss *gss_state;
+	DATA_BLOB auth_reply = data_blob(NULL,0);
+	DATA_BLOB response = data_blob(NULL,0);
+	NTSTATUS status;
 
 	if (!partial_srv_trans_enc_ctx) {
-		NTSTATUS status = make_srv_encryption_context(SMB_TRANS_ENC_GSS, &partial_srv_trans_enc_ctx);
+		status = make_srv_encryption_context(SMB_TRANS_ENC_GSS, &partial_srv_trans_enc_ctx);
 		if (!NT_STATUS_IS_OK(status)) {
 			return status;
 		}
@@ -361,8 +364,9 @@
 				NULL,		/* Ingore time. */
 				NULL);		/* Ignore delegated creds. */
 
+	status = gss_err_to_ntstatus(ret, min);
 	if (ret != GSS_S_COMPLETE && ret != GSS_S_CONTINUE_NEEDED) {
-		return gss_err_to_ntstatus(ret, min);
+		return status;
 	}
 
 	/* Ensure we've got sign+seal available. */
@@ -376,20 +380,18 @@
 		}
 	}
 
-	SAFE_FREE(*ppdata);
-	*ppdata = memdup(out_buf.value, out_buf.length);
-	if (!*ppdata) {
-		gss_release_buffer(&min, &out_buf);
-		return NT_STATUS_NO_MEMORY;
-	}
-	*p_data_size = out_buf.length;
+	auth_reply = data_blob(out_buf.value, out_buf.length);
 	gss_release_buffer(&min, &out_buf);
 
-	if (ret != GSS_S_CONTINUE_NEEDED) {
-		return NT_STATUS_MORE_PROCESSING_REQUIRED;
-	} else {
-		return NT_STATUS_OK;
-	}
+	/* Wrap in SPNEGO. */
+	response = spnego_gen_auth_response(&auth_reply, status, OID_KERBEROS5);
+	data_blob_free(&auth_reply);
+
+	SAFE_FREE(*ppdata);
+	*ppdata = response.data;
+	*p_data_size = response.length;
+
+	return status;
 }
 #endif
 
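Review bot: `response.data` is stored in *ppdata without a check, so if spnego_gen_auth_response() fails to allocate, the caller gets a NULL reply of length 0 together with a success or continue status; adding `if (response.data == NULL) { return NT_STATUS_NO_MEMORY; }` after `data_blob_free(&auth_reply);` restores the error handling that the removed memdup() path had. The returned status now comes from `gss_err_to_ntstatus(ret, min)`, assigned in the preceding hunk, while the GSS_S_CONTINUE_NEEDED mapping added by this commit is in map_nt_error_from_gss(); unless gss_err_to_ntstatus() forwards to it (not visible here), a continue leg would not come back as NT_STATUS_MORE_PROCESSING_REQUIRED. The function starts outside the hunk.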


