svn commit: samba r7398 - branches/SAMBA_3_0/source/smbd
trunk/source/smbd
Andrew Bartlett
abartlet at samba.org
Fri Jun 10 00:21:28 GMT 2005
On Wed, 2005-06-08 at 14:57 +0000, jerry at samba.org wrote:
> Author: jerry
> Date: 2005-06-08 14:57:37 +0000 (Wed, 08 Jun 2005)
> New Revision: 7398
>
> WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=7398
>
> Log:
> committing abartlet's patch for kerberos authentication when using a keytab and security != ads
> Modified:
> branches/SAMBA_3_0/source/smbd/negprot.c
> branches/SAMBA_3_0/source/smbd/sesssetup.c
> trunk/source/smbd/negprot.c
> trunk/source/smbd/sesssetup.c
Just a note that the following part of the diff may or may not be a
wanted change in behaviour. This changes the (only honoured by Samba
clients) mechListMIC to return the cifs/ name, rather than the
machine$@realm name.
This actually should make Samba better behaved in AD (closer to what AD
clients do), and it makes a lot of sense for the MIT environment (why
would it have a machine$@realm entry?), but it is a change.
Andrew Bartlett
> Modified: trunk/source/smbd/negprot.c
> ===================================================================
> --- trunk/source/smbd/negprot.c 2005-06-08 14:45:04 UTC (rev 7397)
> +++ trunk/source/smbd/negprot.c 2005-06-08 14:57:37 UTC (rev 7398)
> @@ -178,7 +178,6 @@
> OID_NTLMSSP,
> NULL};
> const char *OIDs_plain[] = {OID_NTLMSSP, NULL};
> - char *principal;
> int len;
>
> global_spnego_negotiated = True;
> @@ -211,12 +210,16 @@
> return 16;
> }
> #endif
> - if (lp_security() != SEC_ADS) {
> + if (lp_security() != SEC_ADS && !lp_use_kerberos_keytab()) {
> blob = spnego_gen_negTokenInit(guid, OIDs_plain, "NONE");
> } else {
> - asprintf(&principal, "%s$@%s", guid, lp_realm());
> - blob = spnego_gen_negTokenInit(guid, OIDs_krb5, principal);
> - free(principal);
> + fstring myname;
> + char *host_princ_s = NULL;
> + name_to_fqdn(myname, global_myname());
> + strlower_m(myname);
> + asprintf(&host_princ_s, "cifs/%s@%s", myname, lp_realm());
> + blob = spnego_gen_negTokenInit(guid, OIDs_krb5, host_princ_s);
> + SAFE_FREE(host_princ_s);
> }
> memcpy(p, blob.data, blob.length);
> len = blob.length;
>
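Review bot: In the new else branch the return value of asprintf(&host_princ_s, "cifs/%s@%s", myname, lp_realm()) is not checked before host_princ_s is handed to spnego_gen_negTokenInit. On allocation failure asprintf returns -1 and, with glibc, the contents of the pointer are undefined, so the NULL initializer does not protect the call. Suggest testing for -1 and falling back, for example to the OIDs_plain / "NONE" token or an error return. The removed asprintf(&principal, ...) had the same gap. The result of name_to_fqdn(myname, global_myname()) is also not inspected, so whatever it leaves in myname is what gets advertised in the cifs/ principal. A short comment at this spot saying that the hint is now cifs/fqdn@realm rather than machine$@realm, and that it is also sent when lp_use_kerberos_keytab() is set with security != ads, would record the behaviour change discussed in this thread.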
--
Andrew Bartlett http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc. http://suse.de
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net