auth: Allow a NULL principal to be obtained from the credentials
authorAndrew Bartlett <abartlet@samba.org>
Tue, 6 Dec 2011 04:56:44 +0000 (15:56 +1100)
committerAmitay Isaacs <amitay@gmail.com>
Tue, 6 Dec 2011 23:43:52 +0000 (10:43 +1100)
This is important when trying to let GSSAPI search the keytab.

Andrew Bartlett

source4/auth/gensec/gensec_krb5.c
source4/auth/kerberos/kerberos_util.c

index 2a3bd22d32eef98c30492e81efa7ee6de45b728c..0c86177960153498ad5e92d124bd591ce8fc0a76 100644 (file)
@@ -521,7 +521,10 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
                        return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
                }
                
-               /* This ensures we lookup the correct entry in that keytab */
+               /* This ensures we lookup the correct entry in that
+                * keytab.  A NULL principal is acceptable, and means
+                * that the krb5 libs should search the keytab at
+                * accept time for any matching key */
                ret = principal_from_credentials(out_mem_ctx, gensec_get_credentials(gensec_security), 
                                                 gensec_krb5_state->smb_krb5_context, 
                                                 &server_in_keytab, &obtained, &error_string);
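Review bot: The new comment says a NULL principal makes the krb5 libraries "search the keytab at accept time for any matching key", but it does not spell out the acceptance consequence: with no acceptor principal pinned, a ticket for any service principal whose key is present in that keytab will be accepted by this GENSEC instance, so the keytab contents become the effective access policy. I would extend the comment with `/* NOTE: with a NULL principal every key in the keytab is an acceptable acceptor identity, so the keytab must contain only principals this service should answer for. */`. The code that consumes `server_in_keytab` after this call, and the enclosing `gensec_krb5_update`, continue outside the hunk, so whether a NULL `server_in_keytab` is handled on that path cannot be confirmed from here.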
index c255e6605ac954fe8c29b24e513db72f3e12a717..0a42c3078d85f6036967d259d349f85e43670afb 100644 (file)
@@ -293,14 +293,16 @@ krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx,
        krb5_error_code ret;
        const char *princ_string;
        TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
+       *obtained = CRED_UNINITIALISED;
+
        if (!mem_ctx) {
                (*error_string) = error_message(ENOMEM);
                return ENOMEM;
        }
        princ_string = cli_credentials_get_principal_and_obtained(credentials, mem_ctx, obtained);
        if (!princ_string) {
-               (*error_string) = error_message(ENOMEM);
-               return ENOMEM;
+               *princ = NULL;
+               return 0;
        }
 
        ret = parse_principal(parent_ctx, princ_string,
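Review bot: The new early exit at `*princ = NULL; return 0;` returns without `talloc_free(mem_ctx)`, unlike the other exits of this function (the normal path frees `mem_ctx` after `parse_principal`, outside the hunk); `mem_ctx` is a child of `parent_ctx` so it is reclaimed eventually, but this is the only success path that leaves a stray context behind. The two lines should read `talloc_free(mem_ctx);` followed by `*princ = NULL;` and `return 0;`. This also silently changes the function's contract: a missing principal used to be reported as `ENOMEM` (itself misleading), while now it is a zero return with `*princ == NULL`, so every existing caller that only checks `ret` and then dereferences `*princ` needs an explicit NULL check; the commit adds one for a single caller in the next hunk, but others are not visible here. That contract deserves a header comment on the function, e.g. `/* Returns 0 with *princ == NULL when the credentials carry no principal; callers must handle this case. */`, since `*obtained` is also left at `CRED_UNINITIALISED` on that path.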
@@ -359,6 +361,12 @@ krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx,
                return ret;
        }
 
+       if (princ == NULL) {
+               (*error_string) = talloc_asprintf(credentials, "principal, username or realm was not specified in the credentials");
+               talloc_free(mem_ctx);
+               return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+       }
+
        ret = impersonate_principal_from_credentials(mem_ctx, credentials, smb_krb5_context, &impersonate_principal, error_string);
        if (ret) {
                talloc_free(mem_ctx);
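Review bot: The added `princ == NULL` guard sets `*error_string` from `talloc_asprintf(credentials, ...)` without checking its result, so on allocation failure the caller receives `KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN` together with a NULL error string, which callers that format the message will dereference; either check it, `if (*error_string == NULL) { *error_string = error_message(ENOMEM); }`, or use a static string, which is acceptable here since the message carries no runtime data. The enclosing function starts and ends outside this hunk; despite the hunk header naming `principal_from_credentials`, the test is on `princ` rather than `*princ` and follows a `principal_from_credentials` call, so `princ` appears to be a local `krb5_principal` in a different function — worth confirming. Returning a KDC error code for a purely client-side configuration problem is also slightly misleading, though it does at least make the failure non-zero before any KDC traffic happens.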