[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Tue Jul 19 22:36:01 MDT 2011


The branch, master has been updated
       via  481f05c s3-gse Work around the MIT 1.9 gss_krb5_import_cred
       via  8ee3ba7 s3-gse Allow printing the partial error string
       via  57ab47c s3-auth fix dummy function in the not-with-kerberos case
      from  d8cce7d s3-auth Replace False with false in auth_util.c

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 481f05ce02df4069ba8ecb5a6ad76cb35299b14c
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Jul 20 12:06:30 2011 +1000

    s3-gse Work around the MIT 1.9 gss_krb5_import_cred
    
    We detect this function at configure time, but it currently fails to
    operate the way we need - that is, when the principal is not
    specified, it gives this error.  When the principal is specified we
    get 'wrong principal in request' in the GSS acceptor, so for now the
    best option is to fall back to the alternate approach.
    
    Andrew Bartlett
    
    Autobuild-User: Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date: Wed Jul 20 06:35:05 CEST 2011 on sn-devel-104

commit 8ee3ba791d38542e88995fa3beebdd183891ce60
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Jul 20 12:04:45 2011 +1000

    s3-gse Allow printing the partial error string
    
    We may not be able to obtain the full error string, so print what we can get.
    
    This is required when the error is in the GSSAPI layer, not the mechanism.
    
    Andrew Bartlett

commit 57ab47c02ed9eae2bbd92c3e5cae5d08b83025f4
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Jul 20 11:40:02 2011 +1000

    s3-auth fix dummy function in the not-with-kerberos case

-----------------------------------------------------------------------

Summary of changes:
 source3/auth/user_krb5.c    |    2 +-
 source3/librpc/crypto/gse.c |   34 ++++++++++++++++++++++------------
 2 files changed, 23 insertions(+), 13 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
index c980f28..923c500 100644
--- a/source3/auth/user_krb5.c
+++ b/source3/auth/user_krb5.c
@@ -296,7 +296,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
 				struct PAC_LOGON_INFO *logon_info,
 				bool mapped_to_guest, bool username_was_mapped,
 				DATA_BLOB *session_key,
-				struct auth_serversupplied_info **session_info)
+				struct auth_session_info **session_info)
 {
 	return NT_STATUS_NOT_IMPLEMENTED;
 }
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index c311c77..a61288b 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -374,16 +374,26 @@ NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
 	}
 
 #ifdef HAVE_GSS_KRB5_IMPORT_CRED
-	/* This creates a GSSAPI cred_id_t with the principal and keytab set */
+
+	/* This creates a GSSAPI cred_id_t with the keytab set */
 	gss_maj = gss_krb5_import_cred(&gss_min, NULL, NULL, gse_ctx->keytab, 
-					&gse_ctx->creds);
-	if (gss_maj) {
+				       &gse_ctx->creds);
+
+	if (gss_maj != 0
+	    && gss_maj != (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) {
 		DEBUG(0, ("gss_krb5_import_cred failed with [%s]\n",
 			  gse_errstr(gse_ctx, gss_maj, gss_min)));
 		status = NT_STATUS_INTERNAL_ERROR;
 		goto done;
-	}
-#else
+
+		/* This is the error the MIT krb5 1.9 gives when it
+		 * implements the function, but we do not specify the
+		 * principal.  However, when we specify the principal
+		 * as host$@REALM the GSS acceptor fails with 'wrong
+		 * principal in request'.  Work around the issue by
+		 * falling back to the alternate approach below. */
+	} else if (gss_maj == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME))
+#endif
 	/* FIXME!!!
 	 * This call sets the default keytab for the whole server, not
 	 * just for this context. Need to find a way that does not alter
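Review bot: The unbraced `else if (gss_maj == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME))` placed just before `#endif` has no body of its own, so it governs whatever statement follows the FIXME comment. That statement is outside the hunk, and the construct only behaves as intended if it is a single compound block. When the branch is taken, the server falls back, without logging anything, to the path the FIXME describes as setting the default keytab for the whole server rather than for this context. The explanatory comment sits after `goto done` inside the failure branch, where it is easy to miss; moving it directly above the `else if` and adding `/* without HAVE_GSS_KRB5_IMPORT_CRED the block below runs unconditionally */` after `#endif` would make the control flow easier to audit. gse_init_server starts and ends outside the hunk.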
@@ -423,7 +433,7 @@ NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
 			goto done;
 		}
 	}
-#endif
+
 	status = NT_STATUS_OK;
 
 done:
@@ -558,6 +568,12 @@ static char *gse_errstr(TALLOC_CTX *mem_ctx, OM_uint32 maj, OM_uint32 min)
 	if (gss_maj) {
 		goto done;
 	}
+	errstr = talloc_strndup(mem_ctx,
+				(char *)msg_maj.value,
+					msg_maj.length);
+	if (!errstr) {
+		goto done;
+	}
 	gss_maj = gss_display_status(&gss_min, min, GSS_C_MECH_CODE,
 				     (gss_OID)discard_const(gss_mech_krb5),
 				     &msg_ctx, &msg_min);
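Review bot: Nothing in the added lines records why `errstr` is now built before the mechanism-level `gss_display_status` call, so the early copy of `msg_maj` reads like an ordering accident. A comment above `talloc_strndup` such as `/* keep the major-status text so a partial message survives if the mechanism lookup below fails */` would state the intent. The continuation line `msg_maj.length` is indented one tab deeper than `(char *)msg_maj.value` and should align with it. In the next hunk the result of `talloc_strdup_append_buffer` is assigned straight back to `errstr`, so an allocation failure there would presumably still discard the partial string; the `done:` label and the return are outside the hunk, so this is not confirmed here.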
@@ -565,12 +581,6 @@ static char *gse_errstr(TALLOC_CTX *mem_ctx, OM_uint32 maj, OM_uint32 min)
 		goto done;
 	}
 
-	errstr = talloc_strndup(mem_ctx,
-				(char *)msg_maj.value,
-					msg_maj.length);
-	if (!errstr) {
-		goto done;
-	}
 	errstr = talloc_strdup_append_buffer(errstr, ": ");
 	if (!errstr) {
 		goto done;


-- 
Samba Shared Repository

