Samba3 smbclient/smbmount to smbd kerberos auth working

Maurice Massar massar at unix-ag.uni-kl.de
Mon Oct 18 14:17:28 GMT 2004


hello,

I can report success using Kerberos to authenticate access from
smbclient/smbmount to smbd. I'm using the attached patch from abartlet.
This lets me use smbmount in login scripts without hacks to obtain
a password (:

cu
maurice
-------------- next part --------------
diff -ur samba-3.0.7/source/libads/kerberos_verify.c samba-3.0.7-new/source/libads/kerberos_verify.c
--- samba-3.0.7/source/libads/kerberos_verify.c	2004-08-19 15:39:13.000000000 +0200
+++ samba-3.0.7-new/source/libads/kerberos_verify.c	2004-10-05 15:22:59.000000000 +0200
@@ -326,6 +326,7 @@
 	file_save("/tmp/ticket.dat", ticket->data, ticket->length);
 #endif
 
+#if 0
 	get_auth_data_from_tkt(auth_data, tkt);
 
 	{
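Review bot: The `#if 0` added here, closed by the `#endif` in the next hunk, compiles out `get_auth_data_from_tkt()` and `decode_pac_data()` for every configuration, including `security = ads`, and nothing records why. If the intent is to tolerate tickets from KDCs that issue no PAC (an assumption; the patch does not say), a runtime check on whether the ticket carries authorization data would keep PAC handling for AD-issued tickets. In the lines shown the decoded result is not consumed, so this may be diagnostic-only today, but any later code that takes group membership from the PAC would silently get nothing. At minimum put a comment above the guard, e.g. `/* PAC extraction disabled so tickets without a PAC are accepted; re-enable conditionally */`. The enclosing function starts and ends outside both hunks.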
@@ -333,6 +334,7 @@
 		decode_pac_data(auth_data, ctx);
 		talloc_destroy(ctx);
 	}
+#endif
 
 #if 0
 	if (tkt->enc_part2) {
diff -ur samba-3.0.7/source/smbd/sesssetup.c samba-3.0.7-new/source/smbd/sesssetup.c
--- samba-3.0.7/source/smbd/sesssetup.c	2004-07-08 19:06:10.000000000 +0200
+++ samba-3.0.7-new/source/smbd/sesssetup.c	2004-10-05 12:27:48.000000000 +0200
@@ -447,7 +447,7 @@
 	DEBUG(3,("Got secblob of size %lu\n", (unsigned long)secblob.length));
 
 #ifdef HAVE_KRB5
-	if (got_kerberos && (SEC_ADS == lp_security())) {
+	if (got_kerberos && (SEC_ADS == lp_security() || lp_use_kerberos_keytab())) {
 		int ret = reply_spnego_kerberos(conn, inbuf, outbuf, 
 						length, bufsize, &secblob);
 		data_blob_free(&secblob);
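Review bot: The widened test `SEC_ADS == lp_security() || lp_use_kerberos_keytab()` is repeated in negated form in the negprot.c hunk of this patch, and the two sites must stay in step: if negotiation advertises the krb5 OIDs but session setup declines the ticket, or the reverse, clients fail or fall through to another mechanism. One shared predicate used at both places, e.g. `BOOL kerberos_auth_enabled(void) { return lp_security() == SEC_ADS || lp_use_kerberos_keytab(); }`, would prevent drift. A comment here should also state that the keytab option makes smbd accept Kerberos tickets in non-ADS security modes. With PAC decoding disabled in kerberos_verify.c, authorization in that case presumably rests on mapping the principal name to a local account; confirm in `reply_spnego_kerberos()`, whose body is outside this hunk.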
diff -ur samba-3.0.7/source/smbd/negprot.c samba-3.0.7-new/source/smbd/negprot.c
--- samba-3.0.7/source/smbd/negprot.c	2004-07-08 19:06:10.000000000 +0200
+++ samba-3.0.7-new/source/smbd/negprot.c	2004-10-05 12:27:48.000000000 +0200
@@ -210,12 +210,16 @@
 		return 16;
 	}
 #endif
-	if (lp_security() != SEC_ADS) {
+	if (lp_security() != SEC_ADS && !lp_use_kerberos_keytab()) {
 		blob = spnego_gen_negTokenInit(guid, OIDs_plain, "NONE");
 	} else {
-		asprintf(&principal, "%s$@%s", guid, lp_realm());
-		blob = spnego_gen_negTokenInit(guid, OIDs_krb5, principal);
-		free(principal);
+		fstring myname;
+		char *host_princ_s = NULL;
+		name_to_fqdn(myname, global_myname());
+		strlower_m(myname);
+		asprintf(&host_princ_s, "cifs/%s@%s", myname, lp_realm());
+		blob = spnego_gen_negTokenInit(guid, OIDs_krb5, host_princ_s);
+		SAFE_FREE(host_princ_s);
 	}
 	memcpy(p, blob.data, blob.length);
 	len = blob.length;
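Review bot: The return value of `asprintf()` in the new else branch is not checked, so on allocation failure `host_princ_s` has an unspecified value that is still passed to `spnego_gen_negTokenInit()` and then to `SAFE_FREE()`; the removed code had the same omission. Test the result, `if (asprintf(&host_princ_s, "cifs/%s@%s", myname, lp_realm()) == -1) { host_princ_s = NULL; }`, and fail the negotiation on NULL rather than advertising an undefined principal or silently dropping to the plain OID list. The advertised principal now also depends on `name_to_fqdn()` and `lp_realm()`. In keytab mode without a configured realm it would presumably come out as `cifs/host@`, and the change from `guid$@realm` applies to `security = ads` as well, so a comment stating that this is intended would help. The enclosing function continues outside the hunk.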

