return ret;
}
+#ifdef SAMBA4_USES_HEIMDAL /* MIT lacks krb5_get_default_in_tkt_etypes */
/*
* transfer the enctypes from the smb_krb5_context to the gssapi layer
*
return ret;
}
}
+#endif
+#ifdef SAMBA4_USES_HEIMDAL /* MIT lacks GSS_KRB5_CRED_NO_CI_FLAGS_X */
/* don't force GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG */
maj_stat = gss_set_cred_option(&min_stat, &gcc->creds,
(*error_string) = talloc_asprintf(cred, "gss_set_cred_option failed: %s", error_message(ret));
return ret;
}
-
+#endif
cred->client_gss_creds_obtained = cred->ccache_obtained;
talloc_set_destructor(gcc, free_gssapi_creds);
cred->client_gss_creds = gcc;
cred->keytab_obtained = (MAX(cred->principal_obtained,
cred->username_obtained));
+ /* We make this keytab up based on a password. Therefore
+ * match-by-key is acceptable, we can't match on the wrong
+ * principal */
+ ktc->password_based = true;
+
talloc_steal(cred, ktc);
cred->keytab = ktc;
*_ktc = cred->keytab;
return ENOMEM;
}
- if (obtained < CRED_SPECIFIED) {
- /* This creates a GSSAPI cred_id_t with the principal and keytab set */
+ if (ktc->password_based || obtained < CRED_SPECIFIED) {
+ /* This creates a GSSAPI cred_id_t for match-by-key with only the keytab set */
maj_stat = gss_krb5_import_cred(&min_stat, NULL, NULL, ktc->keytab,
&gcc->creds);
} else {
- /* This creates a GSSAPI cred_id_t with the principal and keytab set */
+ /* This creates a GSSAPI cred_id_t with the principal and keytab set, matching by name */
maj_stat = gss_krb5_import_cred(&min_stat, NULL, princ, ktc->keytab,
&gcc->creds);
}