[PATCH 4/7] cifs.upcall: try getting a "cifs/" principal and fall back to "host/"

Jeff Layton jlayton at redhat.com
Fri Aug 7 13:43:14 MDT 2009


cifs.upcall takes a "-c" flag that tells the upcall to get a principal
in the form of "cifs/hostname.example.com@REALM" instead of
"host/hostname.example.com@REALM". This has turned out to be a source of
great confusion for users.

Instead of requiring this flag, have the upcall try to get a "cifs/"
principal first. If that fails, fall back to getting a "host/"
principal.

Signed-off-by: Jeff Layton <jlayton at redhat.com>
---
 client/cifs.upcall.c                  |   28 ++++++++++++++++------------
 docs-xml/manpages-3/cifs.upcall.8.xml |    4 ++--
 2 files changed, 18 insertions(+), 14 deletions(-)

diff --git a/client/cifs.upcall.c b/client/cifs.upcall.c
index 0ddcc75..e60fb50 100644
--- a/client/cifs.upcall.c
+++ b/client/cifs.upcall.c
@@ -30,7 +30,7 @@ create dns_resolver * * /usr/local/sbin/cifs.upcall %k
 
 #include "cifs_spnego.h"
 
-const char *CIFSSPNEGO_VERSION = "1.2";
+const char *CIFSSPNEGO_VERSION = "1.3";
 static const char *prog = "cifs.upcall";
 typedef enum _sectype {
 	NONE = 0,
@@ -291,8 +291,8 @@ cifs_resolver(const key_serial_t key, const char *key_descr)
 static void
 usage(void)
 {
-	syslog(LOG_INFO, "Usage: %s [-c] [-v] key_serial", prog);
-	fprintf(stderr, "Usage: %s [-c] [-v] key_serial\n", prog);
+	syslog(LOG_INFO, "Usage: %s [-v] key_serial", prog);
+	fprintf(stderr, "Usage: %s [-v] key_serial\n", prog);
 }
 
 int main(const int argc, char *const argv[])
@@ -303,7 +303,7 @@ int main(const int argc, char *const argv[])
 	key_serial_t key = 0;
 	size_t datalen;
 	long rc = 1;
-	int c, use_cifs_service_prefix = 0;
+	int c;
 	char *buf, *princ, *ccname = NULL;
 	struct decoded_args arg = { };
 	const char *oid;
@@ -313,7 +313,7 @@ int main(const int argc, char *const argv[])
 	while ((c = getopt(argc, argv, "cv")) != -1) {
 		switch (c) {
 		case 'c':
-			use_cifs_service_prefix = 1;
+			/* legacy option -- skip it */
 			break;
 		case 'v':
 			printf("version: %s\n", CIFSSPNEGO_VERSION);
@@ -395,19 +395,23 @@ int main(const int argc, char *const argv[])
 			break;
 		}
 
-		if (use_cifs_service_prefix)
-			strlcpy(princ, "cifs/", datalen);
-		else
-			strlcpy(princ, "host/", datalen);
-
-		strlcpy(princ + 5, arg.hostname, datalen - 5);
-
 		if (arg.sec == MS_KRB5)
 			oid = OID_KERBEROS5_OLD;
 		else
 			oid = OID_KERBEROS5;
 
+		/*
+		 * try getting a cifs/ principal first and then fall back to
+		 * getting a host/ principal if that doesn't work.
+		 */
+		strlcpy(princ, "cifs/", datalen);
+		strlcpy(princ + 5, arg.hostname, datalen - 5);
 		rc = handle_krb5_mech(oid, princ, &secblob, &sess_key, ccname);
+		if (rc) {
+			memcpy(princ, "host/", 5);
+			rc = handle_krb5_mech(oid, princ, &secblob, &sess_key,
+						ccname);
+		}
 		SAFE_FREE(princ);
 		break;
 	default:
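Review bot: The fallback at `if (rc)` retries with "host/" after any failure of the first handle_krb5_mech() call, not only when no "cifs/" principal exists, and the first error code is overwritten without being reported. An administrator then cannot tell from the logs which service principal the session was authenticated against, or why the "cifs/" attempt failed. I would log before retrying, e.g. `syslog(LOG_DEBUG, "krb5 with cifs/ principal failed (rc=%ld), retrying with host/", rc);`. The `memcpy(princ, "host/", 5)` also depends on both prefixes being exactly five bytes and on princ holding at least that much; the allocation is outside this hunk, so a short comment stating that assumption would help. main() starts and ends outside the hunk.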
diff --git a/docs-xml/manpages-3/cifs.upcall.8.xml b/docs-xml/manpages-3/cifs.upcall.8.xml
index 6e22bff..427bb44 100644
--- a/docs-xml/manpages-3/cifs.upcall.8.xml
+++ b/docs-xml/manpages-3/cifs.upcall.8.xml
@@ -48,7 +48,7 @@ to be run that way.</para>
 	<variablelist>
 		<varlistentry>
 		<term>-c</term>
-		<listitem><para>When handling a kerberos upcall, use a service principal that starts with "cifs/". The default is to use the "host/" service principal.
+		<listitem><para>This option is deprecated and is currently ignored.
 		</para></listitem>
 		</varlistentry>
 
@@ -86,7 +86,7 @@ to be run that way.</para>
 <programlisting>
 #OPERATION  TYPE           D C PROGRAM ARG1 ARG2...
 #=========  =============  = = ==========================================
-create	    cifs.spnego    * * /usr/local/sbin/cifs.upcall -c %k
+create      cifs.spnego    * * /usr/local/sbin/cifs.upcall %k
 create      dns_resolver   * * /usr/local/sbin/cifs.upcall %k
 </programlisting>
 <para>
-- 
1.6.0.6


