svn commit: samba r7398 - branches/SAMBA_3_0/source/smbd trunk/source/smbd

Andrew Bartlett abartlet at samba.org
Fri Jun 10 00:21:28 GMT 2005


On Wed, 2005-06-08 at 14:57 +0000, jerry at samba.org wrote:
> Author: jerry
> Date: 2005-06-08 14:57:37 +0000 (Wed, 08 Jun 2005)
> New Revision: 7398
> 
> WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=7398
> 
> Log:
> committing abartlet's patch for kerberos authentication when using a keytab and security != ads
> Modified:
>    branches/SAMBA_3_0/source/smbd/negprot.c
>    branches/SAMBA_3_0/source/smbd/sesssetup.c
>    trunk/source/smbd/negprot.c
>    trunk/source/smbd/sesssetup.c

Just a note that the following part of the diff may or may not be a
wanted change in behaviour.  This changes the (only honoured by Samba
clients) mechListMIC to return the cifs/ name, rather than the
machine$@realm name.

This actually should make Samba better behaved in AD (closer to what AD
clients do), and it makes a lot of sense for the MIT environment (why
would it have a machine$@realm entry?), but it is a change.

Andrew Bartlett

> Modified: trunk/source/smbd/negprot.c
> ===================================================================
> --- trunk/source/smbd/negprot.c	2005-06-08 14:45:04 UTC (rev 7397)
> +++ trunk/source/smbd/negprot.c	2005-06-08 14:57:37 UTC (rev 7398)
> @@ -178,7 +178,6 @@
>  				   OID_NTLMSSP,
>  				   NULL};
>  	const char *OIDs_plain[] = {OID_NTLMSSP, NULL};
> -	char *principal;
>  	int len;
>  
>  	global_spnego_negotiated = True;
> @@ -211,12 +210,16 @@
>  		return 16;
>  	}
>  #endif
> -	if (lp_security() != SEC_ADS) {
> +	if (lp_security() != SEC_ADS && !lp_use_kerberos_keytab()) {
>  		blob = spnego_gen_negTokenInit(guid, OIDs_plain, "NONE");
>  	} else {
> -		asprintf(&principal, "%s$@%s", guid, lp_realm());
> -		blob = spnego_gen_negTokenInit(guid, OIDs_krb5, principal);
> -		free(principal);
> +		fstring myname;
> +		char *host_princ_s = NULL;
> +		name_to_fqdn(myname, global_myname());
> +		strlower_m(myname);
> +		asprintf(&host_princ_s, "cifs/%s@%s", myname, lp_realm());
> +		blob = spnego_gen_negTokenInit(guid, OIDs_krb5, host_princ_s);
> +		SAFE_FREE(host_princ_s);
>  	}
>  	memcpy(p, blob.data, blob.length);
>  	len = blob.length;
> 
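
Review bot: The return value of asprintf() in the else branch is not checked, so on allocation failure host_princ_s reaches spnego_gen_negTokenInit() either as NULL or with indeterminate contents, depending on the libc. Suggest wrapping the call as `if (asprintf(&host_princ_s, "cifs/%s@%s", myname, lp_realm()) == -1)` and either returning an error or falling back to the OIDs_plain token. Separately, the new condition sends configurations with security != ads and lp_use_kerberos_keytab() set into this branch, where the principal is built from lp_realm(); a check for an empty realm, or a comment stating that a realm must be configured in that case, would make the requirement explicit.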

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net