[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Wed Dec 28 17:12:02 MST 2011


The branch, master has been updated
       via  149f8f1 s4-gensec: Move parsing of the PAC blob and creating the session_info into auth
       via  fc226f8 s4-gensec: fix cyrus sasl module after update() prototype change
       via  f320fb3 auth/kerberos: Make pac_data_out in kerberos_decode_pac() optional
       via  5815a1b s4-auth Remove unused auth_context_create_from_ldb()
       via  f7a866a s4-gensec: Allow a PAC to be obtained from any GSS mech
       via  9a085b0 auth/kerberos: Move gssapi_parse.c to the top level
       via  1baf916 credentials: Always honour the return value of E_deshash()
       via  cfb9a9d s4-ntlmssp Do not allow LM key without a LM password
       via  e387721 s3-auth Fix talloc parent for s4 event context in auth_samba4
       via  d76abd1 s3-auth: Remove prototype for already-removed auth_ntlmssp_start
       via  4b7b26e gensec: Allow an alternate set of modules to be specified
      from  1364eb7 lib/charset: Remove an unused variable

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 149f8f16be79dc9d142971fb74633cfc5b186840
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Dec 28 17:48:45 2011 +1100

    s4-gensec: Move parsing of the PAC blob and creating the session_info into auth
    
    This uses a single callback to handle the PAC from the DATA_BLOB
    format until it becomes a struct auth_session_info.
    
    This allows a separation between the GSS acceptor code and the PAC
    interpretation code based on the supplied auth context.
    
    Andrew Bartlett
    
    Autobuild-User: Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date: Thu Dec 29 01:10:59 CET 2011 on sn-devel-104

commit fc226f81c6c14b1afc9b98692463ff1e2f9b2464
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Dec 28 17:31:03 2011 +1100

    s4-gensec: fix cyrus sasl module after update() prototype change

commit f320fb3df4fd9f52ecb18b1f2ef3dc34e85ccc8e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Dec 28 16:01:38 2011 +1100

    auth/kerberos: Make pac_data_out in kerberos_decode_pac() optional

commit 5815a1b7778cd93ca4aad568535e63d06b29fece
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Dec 28 10:38:52 2011 +1100

    s4-auth Remove unused auth_context_create_from_ldb()

commit f7a866a17cd66d95e36248d7b88d9316d7e86e99
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Dec 27 22:02:16 2011 +1100

    s4-gensec: Allow a PAC to be obtained from any GSS mech
    
    This may allow Luke Howard's moonshot to work with a little less effort
    at some point in the future.
    
    Andrew Bartlett

commit 9a085b0b80d1528e2b7a65ae8a4647cffff74a0c
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Dec 27 22:00:22 2011 +1100

    auth/kerberos: Move gssapi_parse.c to the top level
    
    This will help with writing a gensec module for the s3 gse layer.
    
    Andrew Bartlett

commit 1baf91639919a96d305196da03e38097ed6ba46f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Dec 27 21:30:49 2011 +1100

    credentials: Always honour the return value of E_deshash()
    
    When this returns false, the hash value is not correct as the password
    could not be converted into an uppercase, 14 char or less ASCII string.
    
    Andrew Bartlett

commit cfb9a9d650a0217eaa751963f055f8cdd7aa3392
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Dec 27 19:50:36 2011 +1100

    s4-ntlmssp Do not allow LM key without a LM password

commit e387721bc53d7caa6d8f578ada242f4c5fa78716
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Dec 26 22:59:17 2011 +1100

    s3-auth Fix talloc parent for s4 event context in auth_samba4

commit d76abd1c45de32eea0b7a001eb819152435d66ef
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Dec 26 11:51:08 2011 +1100

    s3-auth: Remove prototype for already-removed auth_ntlmssp_start

commit 4b7b26e3c05f0fe38fe6c843df48d665db75c0f6
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Dec 26 10:53:56 2011 +1100

    gensec: Allow an alternate set of modules to be specified
    
    This will allow s3 to specify modules to use as a list, rather than
    needing to start the individual module with gensec_start_mech_by_ops()
    
    Andrew Bartlett

-----------------------------------------------------------------------

Summary of changes:
 auth/credentials/credentials_ntlm.c            |    6 +-
 auth/gensec/gensec.h                           |    6 +
 auth/gensec/gensec_start.c                     |    7 +-
 {source4/auth => auth}/kerberos/gssapi_parse.c |   10 +-
 auth/kerberos/kerberos_pac.c                   |   35 ++++++-
 auth/kerberos/wscript_build                    |    4 +-
 lib/param/loadparm.c                           |    2 +-
 libcli/auth/krb5_wrap.h                        |    4 +
 source3/auth/auth_samba4.c                     |    2 +-
 source3/auth/proto.h                           |    1 -
 source4/auth/auth.h                            |   17 ++--
 source4/auth/gensec/cyrus_sasl.c               |    1 +
 source4/auth/gensec/gensec_gssapi.c            |  123 +++++++-----------------
 source4/auth/gensec/gensec_krb5.c              |   79 ++++------------
 source4/auth/gensec/gensec_util.c              |   97 ++++++++++++++++++
 source4/auth/gensec/wscript_build              |    6 +-
 source4/auth/kerberos/kerberos_pac.c           |    1 +
 source4/auth/kerberos/wscript_build            |    4 +-
 source4/auth/ntlm/auth.c                       |  125 ++++++++++++++++--------
 source4/auth/ntlm/wscript_build                |    2 +-
 source4/auth/ntlmssp/ntlmssp_client.c          |    8 +-
 21 files changed, 313 insertions(+), 227 deletions(-)
 rename {source4/auth => auth}/kerberos/gssapi_parse.c (99%)


Changeset truncated at 500 lines:

diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c
index 7f4af4f..2d6d6f6 100644
--- a/auth/credentials/credentials_ntlm.c
+++ b/auth/credentials/credentials_ntlm.c
@@ -174,8 +174,7 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred
 					lm_response = nt_response;
 					/* LM Key is incompatible with 'long' passwords */
 					*flags &= ~CLI_CRED_LANMAN_AUTH;
-				} else {
-					E_deshash(password, lm_hash);
+				} else if (E_deshash(password, lm_hash)) {
 					lm_session_key = data_blob_talloc(mem_ctx, NULL, 16);
 					memcpy(lm_session_key.data, lm_hash, 8);
 					memset(&lm_session_key.data[8], '\0', 8);
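Review bot: when E_deshash() returns false the new `else if` simply falls through, leaving lm_session_key unset on a path where CLI_CRED_LANMAN_AUTH has not been cleared; the long-password branch just above does `*flags &= ~CLI_CRED_LANMAN_AUTH;` for the equivalent situation, and the failed-hash case should do the same (or at least emit a DEBUG line) so the caller does not advertise an LM key it never derived.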
@@ -193,8 +192,7 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred
 			*flags &= ~CLI_CRED_LANMAN_AUTH;
 
 			password = cli_credentials_get_password(cred);
-			if (password) {
-				E_deshash(password, lm_hash);
+			if (password && E_deshash(password, lm_hash)) {
 				lm_session_key = data_blob_talloc(mem_ctx, NULL, 16);
 				memcpy(lm_session_key.data, lm_hash, 8);
 				memset(&lm_session_key.data[8], '\0', 8);
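Review bot: same fall-through as in the hunk above: if E_deshash() fails here, lm_session_key keeps whatever it held before and nothing records why; a DEBUG message on the false return would make a silently missing LM session key diagnosable, since this path already cleared CLI_CRED_LANMAN_AUTH and the caller has no other hint.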
diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
index acfc549..be330e9 100644
--- a/auth/gensec/gensec.h
+++ b/auth/gensec/gensec.h
@@ -73,10 +73,16 @@ struct cli_credentials;
 struct gensec_settings;
 struct tevent_context;
 struct tevent_req;
+struct smb_krb5_context;
 
 struct gensec_settings {
 	struct loadparm_context *lp_ctx;
 	const char *target_hostname;
+
+	/* this allows callers to specify a specific set of ops that
+	 * should be used, rather than those loaded by the plugin
+	 * mechanism */
+	struct gensec_security_ops **backends;
 };
 
 struct gensec_security_ops {
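Review bot: the comment on the new `backends` member should state the array contract: that it is NULL-terminated like the result of gensec_security_all(), and that it must be talloc-allocated and outlive the gensec_settings, because gensec_security_mechs() in gensec_start.c takes a talloc_reference() on whatever pointer is stored here.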
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index c38b970..9576e53 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -118,14 +118,19 @@ struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gense
 						   TALLOC_CTX *mem_ctx)
 {
 	struct gensec_security_ops **backends;
-	backends = gensec_security_all();
 	if (!gensec_security) {
+		backends = gensec_security_all();
 		if (!talloc_reference(mem_ctx, backends)) {
 			return NULL;
 		}
 		return backends;
 	} else {
 		struct cli_credentials *creds = gensec_get_credentials(gensec_security);
+		if (gensec_security->settings->backends) {
+			backends = gensec_security->settings->backends;
+		} else {
+			backends = gensec_security_all();
+		}
 		if (!creds) {
 			if (!talloc_reference(mem_ctx, backends)) {
 				return NULL;
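Review bot: when `backends` is taken from gensec_security->settings->backends, the existing `talloc_reference(mem_ctx, backends)` calls below are now applied to caller-owned memory; talloc_reference() requires a talloc pointer, so a caller that stores a static array in settings->backends will fail here rather than at the point of misuse. Either document that settings->backends must be talloc-allocated, or skip the reference for the settings-supplied case and rely on the settings lifetime instead.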
diff --git a/source4/auth/kerberos/gssapi_parse.c b/auth/kerberos/gssapi_parse.c
similarity index 99%
rename from source4/auth/kerberos/gssapi_parse.c
rename to auth/kerberos/gssapi_parse.c
index b538d82..6e9eddc 100644
--- a/source4/auth/kerberos/gssapi_parse.c
+++ b/auth/kerberos/gssapi_parse.c
@@ -1,4 +1,4 @@
-/* 
+/*
    Unix SMB/CIFS implementation.
 
    simple GSSAPI wrappers
@@ -6,17 +6,17 @@
    Copyright (C) Andrew Tridgell 2001
    Copyright (C) Jim McDonough <jmcd at us.ibm.com> 2002
    Copyright (C) Luke Howard     2003
-   
+
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.
-   
+
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
-   
+
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
@@ -117,5 +117,3 @@ bool gensec_gssapi_check_oid(const DATA_BLOB *blob, const char *oid)
 
 	return ret;
 }
-
-
diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
index 79d51b2..a262c01 100644
--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@@ -77,7 +77,7 @@ krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx,
 *
 * @return - A NTSTATUS error code
 */
-NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
+NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx_out,
 			     DATA_BLOB pac_data_blob,
 			     krb5_context context,
 			     const krb5_keyblock *krbtgt_keyblock,
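Review bot: the rename to mem_ctx_out should be reflected in the doxygen block above it (only the `@return` line is visible in this hunk): state that mem_ctx_out becomes the parent of *pac_data_out only, and that all intermediate parsing state lives on a private context that the function frees on every error path.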
@@ -109,13 +109,21 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
 
 	bool bool_ret;
 
-	*pac_data_out = NULL;
+	TALLOC_CTX *mem_ctx = talloc_new(mem_ctx_out);
+	if (!mem_ctx) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	if (pac_data_out) {
+		*pac_data_out = NULL;
+	}
 
 	pac_data = talloc(mem_ctx, struct PAC_DATA);
 	pac_data_raw = talloc(mem_ctx, struct PAC_DATA_RAW);
 	kdc_sig_wipe = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
 	srv_sig_wipe = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
 	if (!pac_data_raw || !pac_data || !kdc_sig_wipe || !srv_sig_wipe) {
+		talloc_free(mem_ctx);
 		return NT_STATUS_NO_MEMORY;
 	}
 
@@ -125,12 +133,14 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
 		status = ndr_map_error2ntstatus(ndr_err);
 		DEBUG(0,("can't parse the PAC: %s\n",
 			nt_errstr(status)));
+		talloc_free(mem_ctx);
 		return status;
 	}
 
 	if (pac_data->num_buffers < 4) {
 		/* we need logon_ingo, service_key and kdc_key */
 		DEBUG(0,("less than 4 PAC buffers\n"));
+		talloc_free(mem_ctx);
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
@@ -141,12 +151,14 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
 		status = ndr_map_error2ntstatus(ndr_err);
 		DEBUG(0,("can't parse the PAC: %s\n",
 			nt_errstr(status)));
+		talloc_free(mem_ctx);
 		return status;
 	}
 
 	if (pac_data_raw->num_buffers < 4) {
 		/* we need logon_ingo, service_key and kdc_key */
 		DEBUG(0,("less than 4 PAC buffers\n"));
+		talloc_free(mem_ctx);
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
@@ -155,6 +167,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
 		DEBUG(0, ("misparse! PAC_DATA has %d buffers while "
 			  "PAC_DATA_RAW has %d\n", pac_data->num_buffers,
 			  pac_data_raw->num_buffers));
+		talloc_free(mem_ctx);
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
@@ -166,6 +179,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
 			DEBUG(0, ("misparse! PAC_DATA buffer %d has type "
 				  "%d while PAC_DATA_RAW has %d\n", i,
 				  data_buf->type, raw_buf->type));
+			talloc_free(mem_ctx);
 			return NT_STATUS_INVALID_PARAMETER;
 		}
 		switch (data_buf->type) {
@@ -199,21 +213,25 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
 
 	if (!logon_info) {
 		DEBUG(0,("PAC no logon_info\n"));
+		talloc_free(mem_ctx);
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
 	if (!logon_name) {
 		DEBUG(0,("PAC no logon_name\n"));
+		talloc_free(mem_ctx);
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
 	if (!srv_sig_ptr || !srv_sig_blob) {
 		DEBUG(0,("PAC no srv_key\n"));
+		talloc_free(mem_ctx);
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
 	if (!kdc_sig_ptr || !kdc_sig_blob) {
 		DEBUG(0,("PAC no kdc_key\n"));
+		talloc_free(mem_ctx);
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
@@ -229,6 +247,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
 		status = ndr_map_error2ntstatus(ndr_err);
 		DEBUG(0,("can't parse the KDC signature: %s\n",
 			nt_errstr(status)));
+		talloc_free(mem_ctx);
 		return status;
 	}
 
@@ -239,6 +258,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
 		status = ndr_map_error2ntstatus(ndr_err);
 		DEBUG(0,("can't parse the SRV signature: %s\n",
 			nt_errstr(status)));
+		talloc_free(mem_ctx);
 		return status;
 	}
 
@@ -256,6 +276,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
 		status = ndr_map_error2ntstatus(ndr_err);
 		DEBUG(0,("can't repack the KDC signature: %s\n",
 			nt_errstr(status)));
+		talloc_free(mem_ctx);
 		return status;
 	}
 	ndr_err = ndr_push_struct_blob(
@@ -265,6 +286,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
 		status = ndr_map_error2ntstatus(ndr_err);
 		DEBUG(0,("can't repack the SRV signature: %s\n",
 			nt_errstr(status)));
+		talloc_free(mem_ctx);
 		return status;
 	}
 
@@ -276,6 +298,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
 		status = ndr_map_error2ntstatus(ndr_err);
 		DEBUG(0,("can't repack the RAW PAC: %s\n",
 			nt_errstr(status)));
+		talloc_free(mem_ctx);
 		return status;
 	}
 
@@ -299,6 +322,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
 			if (ret) {
 				DEBUG(1, ("PAC Decode: Failed to verify the KDC signature: %s\n",
 					  smb_get_krb5_error_message(context, ret, mem_ctx)));
+				talloc_free(mem_ctx);
 				return NT_STATUS_ACCESS_DENIED;
 			}
 		}
@@ -315,6 +339,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
 				  nt_time_string(mem_ctx, logon_name->logon_time)));
 			DEBUG(2, ("PAC Decode: Ticket: %s\n",
 				  nt_time_string(mem_ctx, tgs_authtime_nttime)));
+			talloc_free(mem_ctx);
 			return NT_STATUS_ACCESS_DENIED;
 		}
 	}
@@ -326,6 +351,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
 		if (ret) {
 			DEBUG(2, ("Could not parse name from PAC: [%s]:%s\n",
 				  logon_name->account_name, error_message(ret)));
+			talloc_free(mem_ctx);
 			return NT_STATUS_INVALID_PARAMETER;
 		}
 
@@ -338,6 +364,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
 		if (!bool_ret) {
 			DEBUG(2, ("Name in PAC [%s] does not match principal name "
 				  "in ticket\n", logon_name->account_name));
+			talloc_free(mem_ctx);
 			return NT_STATUS_ACCESS_DENIED;
 		}
 	}
@@ -356,7 +383,9 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
 		}
 	}
 
-	*pac_data_out = pac_data;
+	if (pac_data_out) {
+		*pac_data_out = talloc_steal(mem_ctx_out, pac_data);
+	}
 
 	return NT_STATUS_OK;
 }
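Review bot: on the success path mem_ctx is never freed: pac_data is stolen onto mem_ctx_out, but pac_data_raw, kdc_sig_wipe, srv_sig_wipe and the repacked blobs remain alive under mem_ctx, which is itself a child of mem_ctx_out, for as long as the caller's context lives. Add `talloc_free(mem_ctx);` before `return NT_STATUS_OK;`, after first confirming that everything pac_data points at (the NDR-pulled buffers) was allocated with pac_data as parent rather than mem_ctx, otherwise the free would leave dangling pointers inside the stolen structure.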
diff --git a/auth/kerberos/wscript_build b/auth/kerberos/wscript_build
index 2421b16..fe38b76 100644
--- a/auth/kerberos/wscript_build
+++ b/auth/kerberos/wscript_build
@@ -1,3 +1,3 @@
 bld.SAMBA_SUBSYSTEM('KRB5_PAC',
-                    source='gssapi_pac.c kerberos_pac.c',
-                    deps='gssapi_krb5 krb5 ndr-krb5pac com_err')
+                    source='gssapi_pac.c kerberos_pac.c gssapi_parse.c',
+                    deps='gssapi_krb5 krb5 ndr-krb5pac com_err asn1util')
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 006fa8a..949c404 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3727,7 +3727,7 @@ _PUBLIC_ char *lpcfg_tls_dhpfile(TALLOC_CTX *mem_ctx, struct loadparm_context *l
 
 struct gensec_settings *lpcfg_gensec_settings(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx)
 {
-	struct gensec_settings *settings = talloc(mem_ctx, struct gensec_settings);
+	struct gensec_settings *settings = talloc_zero(mem_ctx, struct gensec_settings);
 	if (settings == NULL)
 		return NULL;
 	SMB_ASSERT(lp_ctx != NULL);
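Review bot: talloc_zero() is needed here so the new gensec_settings.backends member reads NULL, but this is only one allocation site; any other place that allocates a struct gensec_settings (including the source3 caller the `backends` field is intended for) must zero it as well, or gensec_security_mechs() will dereference an uninitialised pointer.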
diff --git a/libcli/auth/krb5_wrap.h b/libcli/auth/krb5_wrap.h
index 82769ae..affb892 100644
--- a/libcli/auth/krb5_wrap.h
+++ b/libcli/auth/krb5_wrap.h
@@ -77,3 +77,7 @@ NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
 				gss_ctx_id_t gssapi_context,
 				gss_name_t gss_client_name,
 				DATA_BLOB *pac_data);
+DATA_BLOB gensec_gssapi_gen_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLOB *ticket, const uint8_t tok_id[2]);
+
+bool gensec_gssapi_parse_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, DATA_BLOB *ticket, uint8_t tok_id[2]);
+bool gensec_gssapi_check_oid(const DATA_BLOB *blob, const char *oid);
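Review bot: these three prototypes carry the gensec_gssapi_ prefix but now live in libcli/auth/krb5_wrap.h next to gssapi_obtain_pac_blob(); either wrap them to the file's existing one-parameter-per-line style (see the declaration immediately above) or add a one-line comment that they are the helpers from auth/kerberos/gssapi_parse.c, so a reader knows why a gensec-named function appears in this header.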
diff --git a/source3/auth/auth_samba4.c b/source3/auth/auth_samba4.c
index 21c7b44..119099d 100644
--- a/source3/auth/auth_samba4.c
+++ b/source3/auth/auth_samba4.c
@@ -114,7 +114,7 @@ static NTSTATUS prepare_gensec(TALLOC_CTX *mem_ctx,
 		TALLOC_FREE(frame);
 		return NT_STATUS_INVALID_SERVER_STATE;
 	}
-	event_ctx = s4_event_context_init(mem_ctx);
+	event_ctx = s4_event_context_init(frame);
 	if (event_ctx == NULL) {
 		DEBUG(1, ("s4_event_context_init failed\n"));
 		TALLOC_FREE(frame);
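Review bot: parenting event_ctx on `frame` is only correct if nothing returned from prepare_gensec() keeps a pointer to it after the frame is freed; the error paths here do `TALLOC_FREE(frame)`, and if the success path does the same, the gensec context started with this event context must take its own reference or steal it, otherwise it is left holding a freed tevent_context.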
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 125ac14..074da79 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -71,7 +71,6 @@ NTSTATUS auth_netlogond_init(void);
 
 NTSTATUS auth_generic_prepare(const struct tsocket_address *remote_address,
 			      struct auth_generic_state **auth_ntlmssp_state);
-NTSTATUS auth_ntlmssp_start(struct auth_generic_state *auth_ntlmssp_state);
 NTSTATUS auth_generic_start(struct auth_generic_state *auth_ntlmssp_state, const char *oid);
 NTSTATUS auth_generic_authtype_start(struct auth_generic_state *auth_ntlmssp_state, 
 				     uint8_t auth_type, uint8_t auth_level);
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index ac2327d..bb2cd57 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -55,6 +55,7 @@ struct auth_check_password_request;
 struct auth4_context;
 struct auth_session_info;
 struct ldb_dn;
+struct smb_krb5_context;
 
 struct auth_operations {
 	const char *name;
@@ -129,17 +130,20 @@ struct auth4_context {
 
 	NTSTATUS (*set_challenge)(struct auth4_context *auth_ctx, const uint8_t chal[8], const char *set_by);
 
-	NTSTATUS (*get_user_info_dc_principal)(TALLOC_CTX *mem_ctx,
-						       struct auth4_context *auth_ctx,
-						       const char *principal,
-						       struct ldb_dn *user_dn,
-						       struct auth_user_info_dc **user_info_dc);
-
 	NTSTATUS (*generate_session_info)(TALLOC_CTX *mem_ctx,
 					  struct auth4_context *auth_context,
 					  struct auth_user_info_dc *user_info_dc,
 					  uint32_t session_info_flags,
 					  struct auth_session_info **session_info);
+
+	NTSTATUS (*generate_session_info_pac)(struct auth4_context *auth_ctx,
+					      TALLOC_CTX *mem_ctx_out,
+					      struct smb_krb5_context *smb_krb5_context,
+					      DATA_BLOB *pac_blob,
+					      const char *principal_name,
+					      const struct tsocket_address *remote_address,
+					      uint32_t session_info_flags,
+					      struct auth_session_info **session_info);
 };
 
 /* this structure is used by backends to determine the size of some critical types */
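Review bot: the new generate_session_info_pac member needs a comment stating its contract: whether pac_blob may be NULL (the gensec_gssapi.c change in this series starts with a NULL pac_blob_ptr for the no-PAC case), that principal_name is the GSS display form of the client name, and whether mem_ctx_out parents only *session_info. Dropping get_user_info_dc_principal in the same hunk is a change to the auth4_context interface and is worth a line in the commit message.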
@@ -204,7 +208,6 @@ NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx,
 			     struct imessaging_context *msg,
 			     struct loadparm_context *lp_ctx,
 			     struct auth4_context **auth_ctx);
-NTSTATUS auth_context_create_from_ldb(TALLOC_CTX *mem_ctx, struct ldb_context *ldb, struct auth4_context **auth_ctx);
 
 NTSTATUS auth_check_password(struct auth4_context *auth_ctx,
 			     TALLOC_CTX *mem_ctx,
diff --git a/source4/auth/gensec/cyrus_sasl.c b/source4/auth/gensec/cyrus_sasl.c
index 136bb8d..2e733bf 100644
--- a/source4/auth/gensec/cyrus_sasl.c
+++ b/source4/auth/gensec/cyrus_sasl.c
@@ -205,6 +205,7 @@ static NTSTATUS gensec_sasl_client_start(struct gensec_security *gensec_security
 
 static NTSTATUS gensec_sasl_update(struct gensec_security *gensec_security, 
 				   TALLOC_CTX *out_mem_ctx, 
+				   struct tevent_context *ev,
 				   const DATA_BLOB in, DATA_BLOB *out) 
 {
 	struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data,
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 55c2970..1e7a0a3 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -1307,23 +1307,38 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 	TALLOC_CTX *mem_ctx;
 	struct gensec_gssapi_state *gensec_gssapi_state
 		= talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
-	struct auth_user_info_dc *user_info_dc = NULL;
 	struct auth_session_info *session_info = NULL;
 	OM_uint32 maj_stat, min_stat;
-	DATA_BLOB pac_blob;
-	struct PAC_SIGNATURE_DATA *pac_srv_sig = NULL;
-	struct PAC_SIGNATURE_DATA *pac_kdc_sig = NULL;
+	DATA_BLOB pac_blob, *pac_blob_ptr = NULL;
+
+	gss_buffer_desc name_token;
+	char *principal_string;
 	
-	if ((gensec_gssapi_state->gss_oid->length != gss_mech_krb5->length)
-	    || (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements, 
-		       gensec_gssapi_state->gss_oid->length) != 0)) {
-		DEBUG(1, ("NO session info available for this mech\n"));
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-		
 	mem_ctx = talloc_named(mem_ctx_out, 0, "gensec_gssapi_session_info context");
 	NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
 
+	maj_stat = gss_display_name (&min_stat,
+				     gensec_gssapi_state->client_name,
+				     &name_token,
+				     NULL);
+	if (GSS_ERROR(maj_stat)) {
+		DEBUG(1, ("GSS display_name failed: %s\n",
+			  gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
+		talloc_free(mem_ctx);
+		return NT_STATUS_FOOBAR;
+	}
+
+	principal_string = talloc_strndup(mem_ctx,
+					  (const char *)name_token.value,
+					  name_token.length);
+
+	gss_release_buffer(&min_stat, &name_token);
+
+	if (!principal_string) {
+		talloc_free(mem_ctx);
+		return NT_STATUS_NO_MEMORY;
+	}
+
 	nt_status = gssapi_obtain_pac_blob(mem_ctx,  gensec_gssapi_state->gssapi_context,
 					   gensec_gssapi_state->client_name,
 					   &pac_blob);
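Review bot: `return NT_STATUS_FOOBAR;` on gss_display_name() failure is a placeholder status; return a real code such as NT_STATUS_INTERNAL_ERROR so callers and logs get something meaningful. With the gss_mech_krb5 OID check removed, gssapi_obtain_pac_blob() is now attempted for every accepted mech, so the comment above the following `if (NT_STATUS_IS_OK(nt_status))` should say explicitly that a failure here is expected for non-Kerberos mechs and is not treated as an error.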
@@ -1333,78 +1348,14 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 	 * kind... 
 	 */
 	if (NT_STATUS_IS_OK(nt_status)) {
-		pac_srv_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
-		if (!pac_srv_sig) {
-			talloc_free(mem_ctx);
-			return NT_STATUS_NO_MEMORY;
-		}
-		pac_kdc_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
-		if (!pac_kdc_sig) {
-			talloc_free(mem_ctx);
-			return NT_STATUS_NO_MEMORY;
-		}
-
-		nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx,
-							      pac_blob,
-							      gensec_gssapi_state->smb_krb5_context->krb5_context,
-							      &user_info_dc,
-							      pac_srv_sig,
-							      pac_kdc_sig);
-		if (!NT_STATUS_IS_OK(nt_status)) {
-			talloc_free(mem_ctx);
-			return nt_status;
-		}
-	} else {
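Review bot: the hunk is cut off at the `} else {` of the no-PAC branch, so the replacement for the removed kerberos_pac_blob_to_user_info_dc() call cannot be reviewed from this message; note that pac_srv_sig and pac_kdc_sig are no longer computed in this function, so if the old code used them after this point, that use must now live inside the generate_session_info_pac callback.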


-- 
Samba Shared Repository

