[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Fri Jan 20 17:29:05 MST 2012
The branch, master has been updated
via e175d25 s3-libsmb: Always allow SMB_TRANS_ENC_GSS to be defined
via 58916c0 s3-libsmb: Remove unused smb_tran_enc_state_gss and gssapi headers
via 41ed715 s3-libsmb: use struct gensec_security directly
via 06f7105 s3-libcli Change krb5 smb sealing to call via gensec and gensec_gse
via 30b1e72 s4:auth/gensec: make sure GSS_C_CONF_FLAG implies GSS_C_INTEG_FLAG
via 7fe1897 s3-gse: make sure GSS_C_CONF_FLAG implies GSS_C_INTEG_FLAG
via 6f0f10c s3-gse: implement fill_mem_keytab_from_[system|dedicated]_keytab
via 6158ea1 s3-gse: create memory keytab in gse_krb5_get_server_keytab()
via f86ab29 s3-gse: fix SECRETS_AND_KEYTAB fallback in gse_krb5_get_server_keytab()
via 4e444f0 s3:kerberos_verify: ads_dedicated_keytab_verify_ticket() only needs read access
via a7275e5 s3:smbd/proto.h: remove unused do_map_to_guest() prototype
from 88daf79 build: Add -lz to wbinfo to fix build on some hosts
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit e175d25c68a83b6caf675cdc7f82e12cb5cad1f3
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sat Jan 14 12:03:27 2012 +1100
s3-libsmb: Always allow SMB_TRANS_ENC_GSS to be defined
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User: Stefan Metzmacher <metze at samba.org>
Autobuild-Date: Sat Jan 21 01:28:54 CET 2012 on sn-devel-104
commit 58916c047d4e0441c878489f14581993bc65f130
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sat Jan 14 12:01:12 2012 +1100
s3-libsmb: Remove unused smb_tran_enc_state_gss and gssapi headers
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 41ed715d42434c5eba2fc4cd9fe267c5179330da
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sat Jan 14 12:00:53 2012 +1100
s3-libsmb: use struct gensec_security directly
This is rather than via a now one-element union.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 06f7105490ecd387f726d540b33c8eba960e9cfb
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Jan 13 20:34:10 2012 +1100
s3-libcli Change krb5 smb sealing to call via gensec and gensec_gse
This also fixes the support for smb sealing with krb5 in make test, as
this now relies on secrets.tdb rather than /etc/krb5.keytab.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 30b1e72556c0104fcedd95b8211e65056d1cac2e
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jan 20 15:56:17 2012 +0100
s4:auth/gensec: make sure GSS_C_CONF_FLAG implies GSS_C_INTEG_FLAG
metze
commit 7fe189749edf5c081be6f3a350072caa0c8b3d98
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jan 20 15:55:55 2012 +0100
s3-gse: make sure GSS_C_CONF_FLAG implies GSS_C_INTEG_FLAG
metze
commit 6f0f10c798639923eb0500751fdcef3930d1ebea
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jan 20 09:31:55 2012 +0100
s3-gse: implement fill_mem_keytab_from_[system|dedicated]_keytab
metze
commit 6158ea1abd1aa12785022bfd1fa23924f144b45b
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jan 20 11:51:59 2012 +0100
s3-gse: create memory keytab in gse_krb5_get_server_keytab()
The other functions just add entries to it.
metze
commit f86ab2947040f8e0cd6fd73da31ebe33ac18d2eb
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jan 20 11:50:20 2012 +0100
s3-gse: fix SECRETS_AND_KEYTAB fallback in gse_krb5_get_server_keytab()
metze
commit 4e444f00618161e11d13495d1402886c7e93866c
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jan 20 12:20:47 2012 +0100
s3:kerberos_verify: ads_dedicated_keytab_verify_ticket() only needs read access
metze
commit a7275e57fd5a0404e6369b821ead51f2f01ffb45
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jan 14 12:30:21 2012 +0100
s3:smbd/proto.h: remove unused do_map_to_guest() prototype
metze
-----------------------------------------------------------------------
Summary of changes:
libcli/smb/smb_seal.c | 200 +------------------------
libcli/smb/smb_seal.h | 28 +---
selftest/knownfail | 3 -
source3/libads/kerberos_verify.c | 2 +-
source3/librpc/crypto/gse.c | 6 +
source3/librpc/crypto/gse_krb5.c | 289 +++++++++++++++++++++++++++++++----
source3/libsmb/clifsinfo.c | 150 +++++++------------
source3/smbd/proto.h | 4 -
source3/smbd/seal.c | 235 +++++------------------------
source4/auth/gensec/gensec_gssapi.c | 1 +
10 files changed, 367 insertions(+), 551 deletions(-)
Changeset truncated at 500 lines:
diff --git a/libcli/smb/smb_seal.c b/libcli/smb/smb_seal.c
index a6cfffb..a56dc60 100644
--- a/libcli/smb/smb_seal.c
+++ b/libcli/smb/smb_seal.c
@@ -169,150 +169,6 @@ static NTSTATUS common_gensec_encrypt_buffer(struct gensec_security *gensec,
/******************************************************************************
Generic code for client and server.
- gss-api decrypt an incoming buffer. We insist that the size of the
- unwrapped buffer must be smaller or identical to the incoming buffer.
-******************************************************************************/
-
-#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
-static NTSTATUS common_gss_decrypt_buffer(struct smb_tran_enc_state_gss *gss_state, char *buf)
-{
- gss_ctx_id_t gss_ctx = gss_state->gss_ctx;
- OM_uint32 ret = 0;
- OM_uint32 minor = 0;
- int flags_got = 0;
- gss_buffer_desc in_buf, out_buf;
- size_t buf_len = smb_len_nbt(buf) + 4; /* Don't forget the 4 length bytes. */
-
- if (buf_len < 8) {
- return NT_STATUS_BUFFER_TOO_SMALL;
- }
-
- in_buf.value = buf + 8;
- in_buf.length = buf_len - 8;
-
- ret = gss_unwrap(&minor,
- gss_ctx,
- &in_buf,
- &out_buf,
- &flags_got, /* did we get sign+seal ? */
- (gss_qop_t *) NULL);
-
- if (ret != GSS_S_COMPLETE) {
- NTSTATUS status = NT_STATUS_ACCESS_DENIED;
- char *gss_err;
-
- gss_err = gssapi_error_string(talloc_tos(),
- ret, minor,
- GSS_C_NULL_OID);
- DEBUG(0,("common_gss_decrypt_buffer: gss_unwrap failed. "
- "Error [%d/%d] - %s - %s\n",
- ret, minor, nt_errstr(status),
- gss_err ? gss_err : "<unknown>"));
- talloc_free(gss_err);
-
- return status;
- }
-
- if (out_buf.length > in_buf.length) {
- DEBUG(0,("common_gss_decrypt_buffer: gss_unwrap size (%u) too large (%u) !\n",
- (unsigned int)out_buf.length,
- (unsigned int)in_buf.length ));
- gss_release_buffer(&minor, &out_buf);
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- memcpy(buf + 8, out_buf.value, out_buf.length);
- /* Reset the length and overwrite the header. */
- smb_setlen_nbt(buf, out_buf.length + 4);
-
- gss_release_buffer(&minor, &out_buf);
- return NT_STATUS_OK;
-}
-
-/******************************************************************************
- Generic code for client and server.
- gss-api encrypt an outgoing buffer. Return the alloced encrypted pointer in buf_out.
-******************************************************************************/
-
-static NTSTATUS common_gss_encrypt_buffer(struct smb_tran_enc_state_gss *gss_state,
- uint16_t enc_ctx_num,
- char *buf,
- char **ppbuf_out)
-{
- gss_ctx_id_t gss_ctx = gss_state->gss_ctx;
- OM_uint32 ret = 0;
- OM_uint32 minor = 0;
- int flags_got = 0;
- gss_buffer_desc in_buf, out_buf;
- size_t buf_len = smb_len_nbt(buf) + 4; /* Don't forget the 4 length bytes. */
-
- *ppbuf_out = NULL;
-
- if (buf_len < 8) {
- return NT_STATUS_BUFFER_TOO_SMALL;
- }
-
- in_buf.value = buf + 8;
- in_buf.length = buf_len - 8;
-
- ret = gss_wrap(&minor,
- gss_ctx,
- true, /* we want sign+seal. */
- GSS_C_QOP_DEFAULT,
- &in_buf,
- &flags_got, /* did we get sign+seal ? */
- &out_buf);
-
- if (ret != GSS_S_COMPLETE) {
- NTSTATUS status = NT_STATUS_ACCESS_DENIED;
- char *gss_err;
-
- gss_err = gssapi_error_string(talloc_tos(),
- ret, minor,
- GSS_C_NULL_OID);
- DEBUG(0,("common_gss_encrypt_buffer: gss_unwrap failed. "
- "Error [%d/%d] - %s - %s\n",
- ret, minor, nt_errstr(status),
- gss_err ? gss_err : "<unknown>"));
- talloc_free(gss_err);
-
- return status;
- }
-
- if (!flags_got) {
- /* Sign+seal not supported. */
- gss_release_buffer(&minor, &out_buf);
- return NT_STATUS_NOT_SUPPORTED;
- }
-
- /* Ya see - this is why I *hate* gss-api. I don't
- * want to have to malloc another buffer of the
- * same size + 8 bytes just to get a continuous
- * header + buffer, but gss won't let me pass in
- * a pre-allocated buffer. Bastards (and you know
- * who you are....). I might fix this by
- * going to "encrypt_and_send" passing in a file
- * descriptor and doing scatter-gather write with
- * TCP cork on Linux. But I shouldn't have to
- * bother :-*(. JRA.
- */
-
- *ppbuf_out = (char *)malloc(out_buf.length + 8); /* We know this can't wrap. */
- if (!*ppbuf_out) {
- gss_release_buffer(&minor, &out_buf);
- return NT_STATUS_NO_MEMORY;
- }
-
- memcpy(*ppbuf_out+8, out_buf.value, out_buf.length);
- smb_set_enclen(*ppbuf_out, out_buf.length + 4, enc_ctx_num);
-
- gss_release_buffer(&minor, &out_buf);
- return NT_STATUS_OK;
-}
-#endif
-
-/******************************************************************************
- Generic code for client and server.
Encrypt an outgoing buffer. Return the alloced encrypted pointer in buf_out.
******************************************************************************/
@@ -324,16 +180,7 @@ NTSTATUS common_encrypt_buffer(struct smb_trans_enc_state *es, char *buffer, cha
return NT_STATUS_OK;
}
- switch (es->smb_enc_type) {
- case SMB_TRANS_ENC_NTLM:
- return common_gensec_encrypt_buffer(es->s.gensec_security, es->enc_ctx_num, buffer, buf_out);
-#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
- case SMB_TRANS_ENC_GSS:
- return common_gss_encrypt_buffer(es->s.gss_state, es->enc_ctx_num, buffer, buf_out);
-#endif
- default:
- return NT_STATUS_NOT_SUPPORTED;
- }
+ return common_gensec_encrypt_buffer(es->gensec_security, es->enc_ctx_num, buffer, buf_out);
}
/******************************************************************************
@@ -349,38 +196,9 @@ NTSTATUS common_decrypt_buffer(struct smb_trans_enc_state *es, char *buf)
return NT_STATUS_OK;
}
- switch (es->smb_enc_type) {
- case SMB_TRANS_ENC_NTLM:
- return common_gensec_decrypt_buffer(es->s.gensec_security, buf);
-#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
- case SMB_TRANS_ENC_GSS:
- return common_gss_decrypt_buffer(es->s.gss_state, buf);
-#endif
- default:
- return NT_STATUS_NOT_SUPPORTED;
- }
+ return common_gensec_decrypt_buffer(es->gensec_security, buf);
}
-#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
-/******************************************************************************
- Shutdown a gss encryption state.
-******************************************************************************/
-
-static void common_free_gss_state(struct smb_tran_enc_state_gss **pp_gss_state)
-{
- OM_uint32 minor = 0;
- struct smb_tran_enc_state_gss *gss_state = *pp_gss_state;
-
- if (gss_state->creds != GSS_C_NO_CREDENTIAL) {
- gss_release_cred(&minor, &gss_state->creds);
- }
- if (gss_state->gss_ctx != GSS_C_NO_CONTEXT) {
- gss_delete_sec_context(&minor, &gss_state->gss_ctx, NULL);
- }
- SAFE_FREE(*pp_gss_state);
-}
-#endif
-
/******************************************************************************
Shutdown an encryption state.
******************************************************************************/
@@ -393,19 +211,9 @@ void common_free_encryption_state(struct smb_trans_enc_state **pp_es)
return;
}
- if (es->smb_enc_type == SMB_TRANS_ENC_NTLM) {
- if (es->s.gensec_security) {
- TALLOC_FREE(es->s.gensec_security);
- }
- }
-#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
- if (es->smb_enc_type == SMB_TRANS_ENC_GSS) {
- /* Free the gss context handle. */
- if (es->s.gss_state) {
- common_free_gss_state(&es->s.gss_state);
- }
+ if (es->gensec_security) {
+ TALLOC_FREE(es->gensec_security);
}
-#endif
SAFE_FREE(es);
*pp_es = NULL;
}
diff --git a/libcli/smb/smb_seal.h b/libcli/smb/smb_seal.h
index 9f9a806..081208e 100644
--- a/libcli/smb/smb_seal.h
+++ b/libcli/smb/smb_seal.h
@@ -20,39 +20,17 @@
#ifndef _HEADER_SMB_CRYPT_H
#define _HEADER_SMB_CRYPT_H
-#if HAVE_GSSAPI_GSSAPI_H
-#include <gssapi/gssapi.h>
-#elif HAVE_GSSAPI_GSSAPI_GENERIC_H
-#include <gssapi/gssapi_generic.h>
-#elif HAVE_GSSAPI_H
-#include <gssapi.h>
-#endif
-
/* Transport encryption state. */
enum smb_trans_enc_type {
- SMB_TRANS_ENC_NTLM
-#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
- , SMB_TRANS_ENC_GSS
-#endif
-};
-
-#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
-struct smb_tran_enc_state_gss {
- gss_ctx_id_t gss_ctx;
- gss_cred_id_t creds;
+ SMB_TRANS_ENC_NTLM,
+ SMB_TRANS_ENC_GSS
};
-#endif
struct smb_trans_enc_state {
enum smb_trans_enc_type smb_enc_type;
uint16_t enc_ctx_num;
bool enc_on;
- union {
- struct gensec_security *gensec_security;
-#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
- struct smb_tran_enc_state_gss *gss_state;
-#endif
- } s;
+ struct gensec_security *gensec_security;
};
/* The following definitions come from smb_seal.c */
diff --git a/selftest/knownfail b/selftest/knownfail
index b0246e7..4a9f99e 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -20,9 +20,6 @@
^samba3.blackbox.rpcclient over ncacn_np with \[spnego,smb2,bigendian\]
^samba3.blackbox.rpcclient over ncacn_np with \[spnego,connect,smb2\]
^samba3.blackbox.rpcclient over ncacn_np with \[spnego,connect,smb2,bigendian\]
-# GSSAPI/krb5 encrypted CIFS fails in the test environment at the moment
-^samba3.blackbox.smbclient_krb5 -e.smbclient
-^samba3.blackbox.smbclient_krb5 old ccache -e.smbclient
# these show that we still have some differences between our system
# with our internal iconv because it passes except when we bypass our
# internal iconv modules
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c
index 6fa8f43..0c44db9 100644
--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -58,7 +58,7 @@ static bool ads_dedicated_keytab_verify_ticket(krb5_context context,
ZERO_STRUCT(kt_entry);
- ret = smb_krb5_open_keytab(context, lp_dedicated_keytab_file(), true,
+ ret = smb_krb5_open_keytab(context, lp_dedicated_keytab_file(), false,
&keytab);
if (ret) {
DEBUG(1, ("smb_krb5_open_keytab failed (%s)\n",
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 7cf1165..5bd2740 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -189,6 +189,7 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
gse_ctx->gss_want_flags |= GSS_C_INTEG_FLAG;
}
if (do_seal) {
+ gse_ctx->gss_want_flags |= GSS_C_INTEG_FLAG;
gse_ctx->gss_want_flags |= GSS_C_CONF_FLAG;
}
@@ -548,6 +549,11 @@ static NTSTATUS gse_verify_server_auth_flags(struct gse_context *gse_ctx)
if (!(gse_ctx->gss_got_flags & GSS_C_CONF_FLAG)) {
return NT_STATUS_ACCESS_DENIED;
}
+
+ /* GSS_C_CONF_FLAG implies GSS_C_INTEG_FLAG */
+ if (!(gse_ctx->gss_got_flags & GSS_C_INTEG_FLAG)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
}
/* GSS_C_DCE_STYLE */
diff --git a/source3/librpc/crypto/gse_krb5.c b/source3/librpc/crypto/gse_krb5.c
index 81a9a07..c1eea7f 100644
--- a/source3/librpc/crypto/gse_krb5.c
+++ b/source3/librpc/crypto/gse_krb5.c
@@ -169,8 +169,8 @@ out:
#define SRV_MEM_KEYTAB_NAME "MEMORY:cifs_srv_keytab"
#define CLEARTEXT_PRIV_ENCTYPE -99
-static krb5_error_code get_mem_keytab_from_secrets(krb5_context krbctx,
- krb5_keytab *keytab)
+static krb5_error_code fill_mem_keytab_from_secrets(krb5_context krbctx,
+ krb5_keytab *keytab)
{
krb5_error_code ret;
char *pwd = NULL;
@@ -194,16 +194,6 @@ static krb5_error_code get_mem_keytab_from_secrets(krb5_context krbctx,
}
pwd_len = strlen(pwd);
- if (*keytab == NULL) {
- /* create memory keytab */
- ret = krb5_kt_resolve(krbctx, SRV_MEM_KEYTAB_NAME, keytab);
- if (ret) {
- DEBUG(1, (__location__ ": Failed to get memory "
- "keytab!\n"));
- return ret;
- }
- }
-
ZERO_STRUCT(kt_entry);
ZERO_STRUCT(kt_cursor);
@@ -331,57 +321,300 @@ out:
krb5_free_principal(krbctx, princ);
}
+ return ret;
+}
+
+static krb5_error_code fill_mem_keytab_from_system_keytab(krb5_context krbctx,
+ krb5_keytab *mkeytab)
+{
+ krb5_error_code ret = 0;
+ krb5_keytab keytab = NULL;
+ krb5_kt_cursor kt_cursor;
+ krb5_keytab_entry kt_entry;
+ char *valid_princ_formats[7] = { NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL };
+ char *entry_princ_s = NULL;
+ fstring my_name, my_fqdn;
+ int i;
+ int err;
+
+ /* Generate the list of principal names which we expect
+ * clients might want to use for authenticating to the file
+ * service. We allow name$,{host,cifs}/{name,fqdn,name.REALM}. */
+
+ fstrcpy(my_name, lp_netbios_name());
+
+ my_fqdn[0] = '\0';
+ name_to_fqdn(my_fqdn, lp_netbios_name());
+
+ err = asprintf(&valid_princ_formats[0],
+ "%s$@%s", my_name, lp_realm());
+ if (err == -1) {
+ ret = ENOMEM;
+ goto out;
+ }
+ err = asprintf(&valid_princ_formats[1],
+ "host/%s@%s", my_name, lp_realm());
+ if (err == -1) {
+ ret = ENOMEM;
+ goto out;
+ }
+ err = asprintf(&valid_princ_formats[2],
+ "host/%s@%s", my_fqdn, lp_realm());
+ if (err == -1) {
+ ret = ENOMEM;
+ goto out;
+ }
+ err = asprintf(&valid_princ_formats[3],
+ "host/%s.%s@%s", my_name, lp_realm(), lp_realm());
+ if (err == -1) {
+ ret = ENOMEM;
+ goto out;
+ }
+ err = asprintf(&valid_princ_formats[4],
+ "cifs/%s@%s", my_name, lp_realm());
+ if (err == -1) {
+ ret = ENOMEM;
+ goto out;
+ }
+ err = asprintf(&valid_princ_formats[5],
+ "cifs/%s@%s", my_fqdn, lp_realm());
+ if (err == -1) {
+ ret = ENOMEM;
+ goto out;
+ }
+ err = asprintf(&valid_princ_formats[6],
+ "cifs/%s.%s@%s", my_name, lp_realm(), lp_realm());
+ if (err == -1) {
+ ret = ENOMEM;
+ goto out;
+ }
+
+ ZERO_STRUCT(kt_entry);
+ ZERO_STRUCT(kt_cursor);
+
+ ret = smb_krb5_open_keytab(krbctx, NULL, false, &keytab);
+ if (ret) {
+ DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
+ error_message(ret)));
+ goto out;
+ }
+
+ /*
+ * Iterate through the keytab. For each key, if the principal
+ * name case-insensitively matches one of the allowed formats,
+ * copy it to the memory keytab.
+ */
+
+ ret = krb5_kt_start_seq_get(krbctx, keytab, &kt_cursor);
if (ret) {
- if (*keytab) {
- krb5_kt_close(krbctx, *keytab);
- *keytab = NULL;
+ DEBUG(1, (__location__ ": krb5_kt_start_seq_get failed (%s)\n",
+ error_message(ret)));
+ goto out;
+ }
+
+ while ((krb5_kt_next_entry(krbctx, keytab,
+ &kt_entry, &kt_cursor) == 0)) {
+ ret = smb_krb5_unparse_name(talloc_tos(), krbctx,
+ kt_entry.principal,
+ &entry_princ_s);
+ if (ret) {
+ DEBUG(1, (__location__ ": smb_krb5_unparse_name "
+ "failed (%s)\n", error_message(ret)));
+ goto out;
+ }
+
+ for (i = 0; i < ARRAY_SIZE(valid_princ_formats); i++) {
+
+ if (!strequal(entry_princ_s, valid_princ_formats[i])) {
+ continue;
+ }
+
+ ret = krb5_kt_add_entry(krbctx, *mkeytab, &kt_entry);
+ if (ret) {
+ DEBUG(1, (__location__ ": smb_krb5_unparse_name "
+ "failed (%s)\n", error_message(ret)));
+ goto out;
+ }
}
+
+ /* Free the name we parsed. */
+ TALLOC_FREE(entry_princ_s);
+
+ /* Free the entry we just read. */
+ smb_krb5_kt_free_entry(krbctx, &kt_entry);
+ ZERO_STRUCT(kt_entry);
+ }
+ krb5_kt_end_seq_get(krbctx, keytab, &kt_cursor);
+
+ ZERO_STRUCT(kt_cursor);
+
--
Samba Shared Repository
More information about the samba-cvs
mailing list