[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Thu Feb 16 13:20:03 MST 2012


The branch, master has been updated
       via  91c325b s3-librpc: Remove gse_verify_server_auth_flags
       via  0247376 docs-xml: remove docs for "send spnego principal"
       via  d54404e s3-param Remove off-by-default and unused "send spnego principal"
       via  eb3e34e s3-smbd Remove unused code now we always have SPNEGO via gensec
       via  2b511f0 s3-librpc: Use gensec_spnego for DCE/RPC authentication
       via  5c9b6db s3-gse: Use the session key type, not the lucid context to set NEW_SPNEGO
       via  1d0684c s3-librpc: Remove unused bool gensec_hook
       via  0c5cbb5 s3:rpc_client: fix comment
       via  bd2a7aa s3-librpc: make gensec result handling more generic
      from  a389632 wafsamba: exclude '.brzignore' from "make dist"

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 91c325bb706c5a7df32710dff3b781fca13bbc54
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Feb 7 22:27:53 2012 +1100

    s3-librpc: Remove gse_verify_server_auth_flags
    
    gensec_update() ensures that DCE-style and sign/seal are negotiated correctly
    for DCE/RPC pipes.  Also, the smb sealing client/server already check for the
    gensec_have_feature().
    
    This additional check just keeps causing trouble, and is 'protecting'
    an already secure negotiated exchange.
    
    Andrew Bartlett
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User: Stefan Metzmacher <metze at samba.org>
    Autobuild-Date: Thu Feb 16 21:19:44 CET 2012 on sn-devel-104

commit 024737698eb9d1fd1aa82432c6a7ed09195de98d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Feb 6 14:06:10 2012 +0100

    docs-xml: remove docs for "send spnego principal"
    
    metze

commit d54404e56535e68702e363e623d3695f39fbfa82
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Feb 3 11:57:30 2012 +1100

    s3-param Remove off-by-default and unused "send spnego principal"
    
    This is not honoured by the common SPNEGO code.
    
    This matches modern Windows versions, which do not send this value, as
    it would be insecure for a client to rely on it.  (See also the
    deprecated "client use spnego principal" directive.)
    
    Andrew Bartlett
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit eb3e34e965c04d286c31d6951d781a814bf4ab42
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Feb 3 11:54:32 2012 +1100

    s3-smbd Remove unused code now we always have SPNEGO via gensec
    
    This was previously needed because SPNEGO was only available in the AD DC.
    
    Andrew Bartlett
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 2b511f0e9280e0b918265bac8090d79d3c9d5115
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Feb 6 12:40:38 2012 +1100

    s3-librpc: Use gensec_spnego for DCE/RPC authentication
    
    This ensures that we use the same SPNEGO code on session setup and on
    DCE/RPC binds, and simplifies the calling code as spnego is no longer
    a special case in cli_pipe.c
    
    A special case wrapper function remains to avoid changing the
    application layer callers in this patch.
    
    Andrew Bartlett
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 5c9b6db68e0f535ed2b42bbfee310b7cebf65ca4
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Feb 14 18:29:54 2012 +1100

    s3-gse: Use the session key type, not the lucid context to set NEW_SPNEGO
    
    Using gss_krb5_export_lucid_sec_context() is a problem with MIT krb5, as
    it (reasonably, I suppose) invalidates the gssapi context on which it
    is called.  Instead, we look to the type of session key which is
    negotiated, and see if it is not AES (or newer).
    
    If we negotiated AES or newer, then we set GENSEC_FEATURE_NEW_SPNEGO
    so that we know to generate valid mechListMic values in SPNEGO.
    
    Andrew Bartlett
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 1d0684c8452ddaec3ab3f715382503c87b0ec534
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Feb 6 12:25:41 2012 +1100

    s3-librpc: Remove unused bool gensec_hook
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 0c5cbb557bf5577825230740985cf75483797042
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Feb 6 08:14:54 2012 +0100

    s3:rpc_client: fix comment
    
    metze

commit bd2a7aac2c131f9875d3f555784e4c869a159ca5
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Feb 6 13:37:12 2012 +1100

    s3-librpc: make gensec result handling more generic
    
    This prepares us for handling SPNEGO via gensec
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 .../smbdotconf/security/sendspengoprincipal.xml    |   28 --
 source3/Makefile.in                                |    4 +-
 source3/include/proto.h                            |    1 -
 source3/librpc/crypto/cli_spnego.c                 |  334 --------------------
 source3/librpc/crypto/gse.c                        |  186 ++++-------
 source3/librpc/crypto/spnego.h                     |   92 ------
 source3/librpc/rpc/dcerpc.h                        |    2 -
 source3/librpc/rpc/dcerpc_helpers.c                |   42 ---
 source3/param/loadparm.c                           |   10 -
 source3/rpc_client/cli_pipe.c                      |  181 +++--------
 source3/rpc_server/dcesrv_spnego.c                 |  297 -----------------
 source3/rpc_server/dcesrv_spnego.h                 |   38 ---
 source3/rpc_server/srv_pipe.c                      |   82 +-----
 source3/rpc_server/wscript_build                   |    2 +-
 source3/smbd/globals.h                             |    3 -
 source3/smbd/negprot.c                             |   40 +--
 source3/smbd/sesssetup.c                           |    7 +-
 source3/smbd/smb2_sesssetup.c                      |    6 +-
 source3/wscript_build                              |    1 -
 19 files changed, 129 insertions(+), 1227 deletions(-)
 delete mode 100644 docs-xml/smbdotconf/security/sendspengoprincipal.xml
 delete mode 100644 source3/librpc/crypto/cli_spnego.c
 delete mode 100644 source3/librpc/crypto/spnego.h
 delete mode 100644 source3/rpc_server/dcesrv_spnego.c
 delete mode 100644 source3/rpc_server/dcesrv_spnego.h


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/security/sendspengoprincipal.xml b/docs-xml/smbdotconf/security/sendspengoprincipal.xml
deleted file mode 100644
index 03794de..0000000
--- a/docs-xml/smbdotconf/security/sendspengoprincipal.xml
+++ /dev/null
@@ -1,28 +0,0 @@
-<samba:parameter name="send spnego principal"
-                 context="G"
-				 type="boolean"
-                 advanced="1" developer="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-<description>
-    <para>This parameter determines whether or not
-    <citerefentry><refentrytitle>smbd</refentrytitle>
-    <manvolnum>8</manvolnum></citerefentry> will send the
-    server-supplied principal sometimes given in the SPNEGO
-    exchange.</para>
-
-    <para>If enabled, Samba can attempt to help clients to use
-    Kerberos to contact it, even when known only by IP address or a
-    name not registered with our KDC as a service principal name.
-    Kerberos relies on names, so ordinarily cannot function in this
-    situation. </para>
-
-    <para>If disabled, Samba will send the string
-    not_defined_in_RFC4178 at please_ignore as the 'rfc4178 hint',
-    following the updated RFC and Windows 2008 behaviour in this area.
-    </para>
-
-    <para>Note that Windows XP SP2 and later versions already ignored
-    this value in all circumstances. </para>
-</description>
-<value type="default">no</value>
-</samba:parameter>
diff --git a/source3/Makefile.in b/source3/Makefile.in
index 2920347..e668dd1 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -632,7 +632,6 @@ LIBMSRPC_OBJ = $(SCHANNEL_OBJ) \
 	       librpc/crypto/gse.o \
 	       ../auth/kerberos/gssapi_pac.o \
 	       ../auth/kerberos/gssapi_parse.o \
-	       librpc/crypto/cli_spnego.o \
 	       librpc/rpc/rpc_common.o \
 	       rpc_client/rpc_transport_np.o \
 	       rpc_client/rpc_transport_sock.o \
@@ -760,8 +759,7 @@ RPC_CONFIG = rpc_server/rpc_config.o
 
 RPC_SERVICE = rpc_server/rpc_server.o
 
-RPC_CRYPTO = rpc_server/dcesrv_auth_generic.o \
-		rpc_server/dcesrv_spnego.o
+RPC_CRYPTO = rpc_server/dcesrv_auth_generic.o
 
 RPC_PIPE_OBJ = rpc_server/srv_pipe.o rpc_server/srv_pipe_hnd.o \
 	       $(RPC_CONFIG) $(RPC_NCACN_NP) $(RPC_SERVICE) $(RPC_CRYPTO)
diff --git a/source3/include/proto.h b/source3/include/proto.h
index b61fdf1..7ca2f87 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1277,7 +1277,6 @@ bool lp_unix_extensions(void);
 bool lp_use_spnego(void);
 bool lp_client_use_spnego(void);
 bool lp_client_use_spnego_principal(void);
-bool lp_send_spnego_principal(void);
 bool lp_hostname_lookups(void);
 bool lp_change_notify(const struct share_params *p );
 bool lp_kernel_change_notify(const struct share_params *p );
diff --git a/source3/librpc/crypto/cli_spnego.c b/source3/librpc/crypto/cli_spnego.c
deleted file mode 100644
index e676703..0000000
--- a/source3/librpc/crypto/cli_spnego.c
+++ /dev/null
@@ -1,334 +0,0 @@
-/*
- *  SPNEGO Encapsulation
- *  Client functions
- *  Copyright (C) Simo Sorce 2010.
- *  Copyright (C) Andrew Bartlett 2011.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 3 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License
- *  along with this program; if not, see <http://www.gnu.org/licenses/>.
- */
-
-#include "includes.h"
-#include "../libcli/auth/spnego.h"
-#include "include/auth_generic.h"
-#include "librpc/gen_ndr/ntlmssp.h"
-#include "auth/ntlmssp/ntlmssp.h"
-#include "librpc/crypto/gse.h"
-#include "librpc/crypto/spnego.h"
-#include "auth/gensec/gensec.h"
-
-static NTSTATUS spnego_context_init(TALLOC_CTX *mem_ctx,
-				    bool do_sign, bool do_seal,
-				    struct spnego_context **spnego_ctx)
-{
-	struct spnego_context *sp_ctx;
-
-	sp_ctx = talloc_zero(mem_ctx, struct spnego_context);
-	if (!sp_ctx) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	sp_ctx->do_sign = do_sign;
-	sp_ctx->do_seal = do_seal;
-	sp_ctx->state = SPNEGO_CONV_INIT;
-
-	*spnego_ctx = sp_ctx;
-	return NT_STATUS_OK;
-}
-
-NTSTATUS spnego_generic_init_client(TALLOC_CTX *mem_ctx,
-				    const char *oid,
-				    bool do_sign, bool do_seal,
-				    bool is_dcerpc,
-				    const char *server,
-				    const char *target_service,
-				    const char *domain,
-				    const char *username,
-				    const char *password,
-				    struct spnego_context **spnego_ctx)
-{
-	struct spnego_context *sp_ctx = NULL;
-	struct auth_generic_state *auth_generic_state;
-	NTSTATUS status;
-
-	status = spnego_context_init(mem_ctx, do_sign, do_seal, &sp_ctx);
-	if (!NT_STATUS_IS_OK(status)) {
-		return status;
-	}
-	if (strcmp(oid, GENSEC_OID_NTLMSSP) == 0) {
-		sp_ctx->mech = SPNEGO_NTLMSSP;
-	} else if (strcmp(oid, GENSEC_OID_KERBEROS5) == 0) {
-		sp_ctx->mech = SPNEGO_KRB5;
-	} else {
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-
-	status = auth_generic_client_prepare(sp_ctx,
-					&auth_generic_state);
-	if (!NT_STATUS_IS_OK(status)) {
-		TALLOC_FREE(sp_ctx);
-		return status;
-	}
-
-	status = auth_generic_set_username(auth_generic_state,
-					   username);
-	if (!NT_STATUS_IS_OK(status)) {
-		TALLOC_FREE(sp_ctx);
-		return status;
-	}
-
-	status = auth_generic_set_domain(auth_generic_state,
-					 domain);
-	if (!NT_STATUS_IS_OK(status)) {
-		TALLOC_FREE(sp_ctx);
-		return status;
-	}
-
-	status = auth_generic_set_password(auth_generic_state,
-					   password);
-	if (!NT_STATUS_IS_OK(status)) {
-		TALLOC_FREE(sp_ctx);
-		return status;
-	}
-
-	if (do_sign) {
-		gensec_want_feature(auth_generic_state->gensec_security,
-					  GENSEC_FEATURE_SIGN);
-	} else if (do_seal) {
-		gensec_want_feature(auth_generic_state->gensec_security,
-					  GENSEC_FEATURE_SEAL);
-	}
-
-	if (is_dcerpc) {
-		gensec_want_feature(auth_generic_state->gensec_security,
-				    GENSEC_FEATURE_DCE_STYLE);
-	}
-
-	status = gensec_set_target_service(auth_generic_state->gensec_security, target_service);
-	if (!NT_STATUS_IS_OK(status)) {
-		TALLOC_FREE(sp_ctx);
-		return status;
-	}
-
-	status = gensec_set_target_hostname(auth_generic_state->gensec_security, server);
-	if (!NT_STATUS_IS_OK(status)) {
-		TALLOC_FREE(sp_ctx);
-		return status;
-	}
-
-	status = auth_generic_client_start(auth_generic_state, oid);
-	if (!NT_STATUS_IS_OK(status)) {
-		TALLOC_FREE(sp_ctx);
-		return status;
-	}
-
-	sp_ctx->gensec_security = talloc_move(sp_ctx, &auth_generic_state->gensec_security);
-	TALLOC_FREE(auth_generic_state);
-	*spnego_ctx = sp_ctx;
-	return NT_STATUS_OK;
-}
-
-NTSTATUS spnego_get_client_auth_token(TALLOC_CTX *mem_ctx,
-				      struct spnego_context *sp_ctx,
-				      DATA_BLOB *spnego_in,
-				      DATA_BLOB *spnego_out)
-{
-	struct gensec_security *gensec_security;
-	struct spnego_data sp_in, sp_out;
-	DATA_BLOB token_in = data_blob_null;
-	DATA_BLOB token_out = data_blob_null;
-	const char *mech_oids[2] = { NULL, NULL };
-	char *principal = NULL;
-	ssize_t len_in = 0;
-	ssize_t len_out = 0;
-	NTSTATUS status;
-
-	if (!spnego_in->length) {
-		/* server didn't send anything, is init ? */
-		if (sp_ctx->state != SPNEGO_CONV_INIT) {
-			return NT_STATUS_INVALID_PARAMETER;
-		}
-	} else {
-		len_in = spnego_read_data(mem_ctx, *spnego_in, &sp_in);
-		if (len_in == -1) {
-			status = NT_STATUS_INVALID_PARAMETER;
-			goto done;
-		}
-		if (sp_in.type != SPNEGO_NEG_TOKEN_TARG) {
-			status = NT_STATUS_INVALID_PARAMETER;
-			goto done;
-		}
-		if (sp_in.negTokenTarg.negResult == SPNEGO_REJECT) {
-			status = NT_STATUS_ACCESS_DENIED;
-			goto done;
-		}
-		token_in = sp_in.negTokenTarg.responseToken;
-	}
-
-	if (sp_ctx->state == SPNEGO_CONV_AUTH_CONFIRM) {
-		if (sp_in.negTokenTarg.negResult == SPNEGO_ACCEPT_COMPLETED) {
-			sp_ctx->state = SPNEGO_CONV_AUTH_DONE;
-			*spnego_out = data_blob_null;
-			status = NT_STATUS_OK;
-		} else {
-			status = NT_STATUS_ACCESS_DENIED;
-		}
-		goto done;
-	}
-
-	switch (sp_ctx->mech) {
-	case SPNEGO_KRB5:
-		mech_oids[0] = OID_KERBEROS5;
-		break;
-
-	case SPNEGO_NTLMSSP:
-		mech_oids[0] = OID_NTLMSSP;
-		break;
-
-	default:
-		status = NT_STATUS_INTERNAL_ERROR;
-		goto done;
-	}
-
-	gensec_security = sp_ctx->gensec_security;
-	status = gensec_update(gensec_security, mem_ctx, NULL,
-			       token_in, &token_out);
-	sp_ctx->more_processing = false;
-	if (NT_STATUS_EQUAL(status,
-			    NT_STATUS_MORE_PROCESSING_REQUIRED)) {
-		sp_ctx->more_processing = true;
-	} else if (!NT_STATUS_IS_OK(status)) {
-		goto done;
-	}
-
-	switch (sp_ctx->state) {
-	case SPNEGO_CONV_INIT:
-		*spnego_out = spnego_gen_negTokenInit(mem_ctx, mech_oids,
-						      &token_out, principal);
-		if (!spnego_out->data) {
-			status = NT_STATUS_INTERNAL_ERROR;
-			goto done;
-		}
-		sp_ctx->state = SPNEGO_CONV_AUTH_MORE;
-		break;
-
-	case SPNEGO_CONV_AUTH_MORE:
-		/* server says it's done and we do not seem to agree */
-		if (sp_in.negTokenTarg.negResult ==
-						SPNEGO_ACCEPT_COMPLETED) {
-			status = NT_STATUS_INVALID_PARAMETER;
-			goto done;
-		}
-
-		sp_out.type = SPNEGO_NEG_TOKEN_TARG;
-		sp_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
-		sp_out.negTokenTarg.supportedMech = NULL;
-		sp_out.negTokenTarg.responseToken = token_out;
-		sp_out.negTokenTarg.mechListMIC = data_blob_null;
-
-		len_out = spnego_write_data(mem_ctx, spnego_out, &sp_out);
-		if (len_out == -1) {
-			status = NT_STATUS_INTERNAL_ERROR;
-			goto done;
-		}
-
-		if (!sp_ctx->more_processing) {
-			/* we still need to get an ack from the server */
-			sp_ctx->state = SPNEGO_CONV_AUTH_CONFIRM;
-		}
-
-		break;
-
-	default:
-		status = NT_STATUS_INTERNAL_ERROR;
-		goto done;
-	}
-
-	status = NT_STATUS_OK;
-
-done:
-	if (len_in > 0) {
-		spnego_free_data(&sp_in);
-	}
-	data_blob_free(&token_out);
-	return status;
-}
-
-bool spnego_require_more_processing(struct spnego_context *sp_ctx)
-{
-
-	/* see if spnego processing itself requires more */
-	if (sp_ctx->state == SPNEGO_CONV_AUTH_MORE ||
-	    sp_ctx->state == SPNEGO_CONV_AUTH_CONFIRM) {
-		return true;
-	}
-
-	return sp_ctx->more_processing;
-}
-
-NTSTATUS spnego_get_negotiated_mech(struct spnego_context *sp_ctx,
-				    struct gensec_security **auth_context)
-{
-	*auth_context = sp_ctx->gensec_security;
-	return NT_STATUS_OK;
-}
-
-NTSTATUS spnego_sign(TALLOC_CTX *mem_ctx,
-			struct spnego_context *sp_ctx,
-			DATA_BLOB *data, DATA_BLOB *full_data,
-			DATA_BLOB *signature)
-{
-	return gensec_sign_packet(
-		sp_ctx->gensec_security,
-		mem_ctx,
-		data->data, data->length,
-		full_data->data, full_data->length,
-		signature);
-}
-
-NTSTATUS spnego_sigcheck(TALLOC_CTX *mem_ctx,
-			 struct spnego_context *sp_ctx,
-			 DATA_BLOB *data, DATA_BLOB *full_data,
-			 DATA_BLOB *signature)
-{
-	return gensec_check_packet(
-		sp_ctx->gensec_security,
-		data->data, data->length,
-		full_data->data, full_data->length,
-		signature);
-}
-
-NTSTATUS spnego_seal(TALLOC_CTX *mem_ctx,
-			struct spnego_context *sp_ctx,
-			DATA_BLOB *data, DATA_BLOB *full_data,
-			DATA_BLOB *signature)
-{
-	return gensec_seal_packet(
-		sp_ctx->gensec_security,
-		mem_ctx,
-		data->data, data->length,
-		full_data->data, full_data->length,
-		signature);
-}
-
-NTSTATUS spnego_unseal(TALLOC_CTX *mem_ctx,
-			struct spnego_context *sp_ctx,
-			DATA_BLOB *data, DATA_BLOB *full_data,
-			DATA_BLOB *signature)
-{
-	return gensec_unseal_packet(
-		sp_ctx->gensec_security,
-		data->data, data->length,
-		full_data->data, full_data->length,
-		signature);
-}
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index ec37073..fba2c2f 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -28,6 +28,7 @@
 #include "auth/gensec/gensec.h"
 #include "auth/credentials/credentials.h"
 #include "../librpc/gen_ndr/dcerpc.h"
+#include "lib/util/asn1.h"
 
 #if defined(HAVE_KRB5) && defined(HAVE_GSS_WRAP_IOV)
 
@@ -77,8 +78,6 @@ struct gse_context {
 
 	gss_cred_id_t delegated_cred_handle;
 
-	gss_krb5_lucid_context_v1_t *lucid;
-
 	/* gensec_gse only */
 	krb5_context k5ctx;
 	krb5_ccache ccache;
@@ -149,11 +148,6 @@ static int gse_context_destructor(void *ptr)
 					   &gse_ctx->delegated_cred_handle);
 	}
 
-	if (gse_ctx->lucid) {
-		gss_krb5_free_lucid_sec_context(&gss_min, gse_ctx->lucid);
-		gse_ctx->lucid = NULL;
-	}
-
 	/* MIT and Heimdal differ as to if you can call
 	 * gss_release_oid() on this OID, generated by
 	 * gss_{accept,init}_sec_context().  However, as long as the
@@ -531,52 +525,6 @@ done:
 	return status;
 }
 
-static NTSTATUS gse_verify_server_auth_flags(struct gse_context *gse_ctx)
-{
-	if (memcmp(gse_ctx->ret_mech,
-		   gss_mech_krb5, sizeof(gss_OID_desc)) != 0) {
-		return NT_STATUS_ACCESS_DENIED;
-	}
-
-	/* GSS_C_MUTUAL_FLAG */
-	/* GSS_C_DELEG_FLAG */
-	/* GSS_C_DELEG_POLICY_FLAG */
-	/* GSS_C_REPLAY_FLAG */
-	/* GSS_C_SEQUENCE_FLAG */
-
-	/* GSS_C_INTEG_FLAG */
-	if (gse_ctx->gss_want_flags & GSS_C_INTEG_FLAG) {
-		if (!(gse_ctx->gss_got_flags & GSS_C_INTEG_FLAG)) {
-			return NT_STATUS_ACCESS_DENIED;
-		}
-	}
-
-	/* GSS_C_CONF_FLAG */
-	if (gse_ctx->gss_want_flags & GSS_C_CONF_FLAG) {
-		if (!(gse_ctx->gss_got_flags & GSS_C_CONF_FLAG)) {
-			return NT_STATUS_ACCESS_DENIED;
-		}
-
-		/* GSS_C_CONF_FLAG implies GSS_C_INTEG_FLAG */
-		if (!(gse_ctx->gss_got_flags & GSS_C_INTEG_FLAG)) {
-			return NT_STATUS_ACCESS_DENIED;
-		}
-	}
-
-	/* GSS_C_DCE_STYLE */
-	if (gse_ctx->gss_want_flags & GSS_C_DCE_STYLE) {
-		if (!(gse_ctx->gss_got_flags & GSS_C_DCE_STYLE)) {
-			return NT_STATUS_ACCESS_DENIED;
-		}
-		/* GSS_C_DCE_STYLE implies GSS_C_MUTUAL_FLAG */
-		if (!(gse_ctx->gss_got_flags & GSS_C_MUTUAL_FLAG)) {
-			return NT_STATUS_ACCESS_DENIED;
-		}
-	}
-
-	return NT_STATUS_OK;
-}
-
 static char *gse_errstr(TALLOC_CTX *mem_ctx, OM_uint32 maj, OM_uint32 min)
 {
 	OM_uint32 gss_min, gss_maj;
@@ -628,42 +576,13 @@ done:
 	return errstr;
 }
 
-static NTSTATUS gse_init_lucid(struct gse_context *gse_ctx)
-{


-- 
Samba Shared Repository

