Samba3 smbclient/smbmount to smbd kerberos auth working
Maurice Massar
massar at unix-ag.uni-kl.de
Mon Oct 18 14:17:28 GMT 2004
hello,
I can report success on using Kerberos for authentication of access from
smbclient/smbmount to smbd. I'm using the attached patch from abartlet.
This enables me to use smbmount in login-scripts without hacks to get
a password (:
cu
maurice
-------------- next part --------------
diff -ur samba-3.0.7/source/libads/kerberos_verify.c samba-3.0.7-new/source/libads/kerberos_verify.c
--- samba-3.0.7/source/libads/kerberos_verify.c 2004-08-19 15:39:13.000000000 +0200
+++ samba-3.0.7-new/source/libads/kerberos_verify.c 2004-10-05 15:22:59.000000000 +0200
@@ -326,6 +326,7 @@
file_save("/tmp/ticket.dat", ticket->data, ticket->length);
#endif
+#if 0
get_auth_data_from_tkt(auth_data, tkt);
{
@@ -333,6 +334,7 @@
decode_pac_data(auth_data, ctx);
talloc_destroy(ctx);
}
+#endif
#if 0
if (tkt->enc_part2) {
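Review bot: The #if 0 / #endif pair added around get_auth_data_from_tkt(auth_data, tkt) and decode_pac_data(auth_data, ctx) compiles the PAC handling out of every build, including servers where lp_security() is SEC_ADS, not only the lp_use_kerberos_keytab() case the other hunks enable. Suggest keeping the code and making it conditional at run time (for example, skipping the decode only when the ticket carries no authorization data), with a comment saying why it is skipped, so ADS setups keep their current behaviour.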
diff -ur samba-3.0.7/source/smbd/sesssetup.c samba-3.0.7-new/source/smbd/sesssetup.c
--- samba-3.0.7/source/smbd/sesssetup.c 2004-07-08 19:06:10.000000000 +0200
+++ samba-3.0.7-new/source/smbd/sesssetup.c 2004-10-05 12:27:48.000000000 +0200
@@ -447,7 +447,7 @@
DEBUG(3,("Got secblob of size %lu\n", (unsigned long)secblob.length));
#ifdef HAVE_KRB5
- if (got_kerberos && (SEC_ADS == lp_security())) {
+ if (got_kerberos && (SEC_ADS == lp_security() || lp_use_kerberos_keytab())) {
int ret = reply_spnego_kerberos(conn, inbuf, outbuf,
length, bufsize, &secblob);
data_blob_free(&secblob);
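Review bot: The new condition got_kerberos && (SEC_ADS == lp_security() || lp_use_kerberos_keytab()) duplicates the predicate negprot.c uses to decide whether to offer OIDs_krb5, so the two can drift apart and leave the server advertising Kerberos it will not accept, or accepting it without having offered it. Suggest one shared helper used in both files, plus documentation noting that the option behind lp_use_kerberos_keytab() now also turns on Kerberos session setup when security is not ADS.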
diff -ur samba-3.0.7/source/smbd/negprot.c samba-3.0.7-new/source/smbd/negprot.c
--- samba-3.0.7/source/smbd/negprot.c 2004-07-08 19:06:10.000000000 +0200
+++ samba-3.0.7-new/source/smbd/negprot.c 2004-10-05 12:27:48.000000000 +0200
@@ -210,12 +210,16 @@
return 16;
}
#endif
- if (lp_security() != SEC_ADS) {
+ if (lp_security() != SEC_ADS && !lp_use_kerberos_keytab()) {
blob = spnego_gen_negTokenInit(guid, OIDs_plain, "NONE");
} else {
- asprintf(&principal, "%s$@%s", guid, lp_realm());
- blob = spnego_gen_negTokenInit(guid, OIDs_krb5, principal);
- free(principal);
+ fstring myname;
+ char *host_princ_s = NULL;
+ name_to_fqdn(myname, global_myname());
+ strlower_m(myname);
+ asprintf(&host_princ_s, "cifs/%s@%s", myname, lp_realm());
+ blob = spnego_gen_negTokenInit(guid, OIDs_krb5, host_princ_s);
+ SAFE_FREE(host_princ_s);
}
memcpy(p, blob.data, blob.length);
len = blob.length;
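Review bot: In the else branch the return value of asprintf(&host_princ_s, "cifs/%s@%s", myname, lp_realm()) is ignored, so on allocation failure host_princ_s reaches spnego_gen_negTokenInit() and SAFE_FREE() in an undefined state; check for a return of -1 and fail the negotiation there. This branch is also still taken for SEC_ADS, so the advertised principal changes from the "%s$@%s" form to cifs/<fqdn>@<realm> for existing ADS servers as well, which deserves either a note in the change description or a condition on lp_use_kerberos_keytab().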