From: Stefan Metzmacher
Date: Fri, 6 Dec 2019 22:30:32 +0000 (+0100)
Subject: source3/auth/auth_generic.c auth_generic_prepare gse_krb5_create_server_keytab()
X-Git-Url: http://git.samba.org/?a=commitdiff_plain;h=e379e120598c8e0dcdb9348940817986dce0e49a;p=metze%2Fsamba%2Fwip.git
source3/auth/auth_generic.c auth_generic_prepare gse_krb5_create_server_keytab()
---
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index 0e9500ac08d1..2c783c9b46e7 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -33,7 +33,9 @@
 #include "nsswitch/libwbclient/wbclient.h"
 #endif
 #include "librpc/crypto/gse.h"
+#include "librpc/crypto/gse_krb5.h"
 #include "auth/credentials/credentials.h"
+#include "../source4/auth/kerberos/krb5_init_context.h"
 #include "lib/param/loadparm.h"
 #include "librpc/gen_ndr/dcerpc.h"
@@ -350,12 +352,56 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
 server_credentials = cli_credentials_init_anon(tmp_ctx);
 if (!server_credentials) {
 DEBUG(0, ("auth_generic_prepare: Failed to init server credentials\n"));
+ TALLOC_FREE(tmp_ctx);
 return NT_STATUS_NO_MEMORY;
 }
 cli_credentials_set_conf(server_credentials, lp_ctx);
 if (lp_security() == SEC_ADS || USE_KERBEROS_KEYTAB) {
+ struct smb_krb5_context *smb_k5ctx = NULL;
+ char *keytab_name = NULL;
+ krb5_error_code k5ret;
+ krb5_keytab k5keytab = NULL;
+
+ keytab_name = talloc_asprintf(server_credentials,
+ "MEMORY:auth_generic_prepare_%u_%p",
+ (unsigned int)getpid(),
+ server_credentials);
+ if (keytab_name == NULL) {
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ k5ret = cli_credentials_get_krb5_context(server_credentials,
+ lp_ctx,
+ &smb_k5ctx);
+ nt_status = krb5_to_nt_status(k5ret);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ TALLOC_FREE(tmp_ctx);
+ return nt_status;
+ }
+
+ k5ret = gse_krb5_create_server_keytab(smb_k5ctx->krb5_context,
+ keytab_name,
+ &k5keytab);
+ nt_status = krb5_to_nt_status(k5ret);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ TALLOC_FREE(tmp_ctx);
+ return nt_status;
+ }
+
+ k5ret = cli_credentials_set_keytab_name(server_credentials,
+ lp_ctx,
+ keytab_name,
+ CRED_SPECIFIED);
+ krb5_kt_close(smb_k5ctx->krb5_context, k5keytab);
+ nt_status = krb5_to_nt_status(k5ret);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ TALLOC_FREE(tmp_ctx);
+ return nt_status;
+ }
+
 cli_credentials_set_kerberos_state(server_credentials, CRED_AUTO_USE_KERBEROS);
 } else {
 cli_credentials_set_kerberos_state(server_credentials, CRED_DONT_USE_KERBEROS);
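Review bot: The three new error returns inside the `lp_security() == SEC_ADS || USE_KERBEROS_KEYTAB` branch (after `cli_credentials_get_krb5_context`, `gse_krb5_create_server_keytab` and `cli_credentials_set_keytab_name`) hand back the mapped NTSTATUS without logging anything, whereas the `cli_credentials_init_anon` failure just above logs at `DEBUG(0, ...)`; a server whose in-memory keytab could not be built then fails Kerberos authentication with nothing in the log pointing at the cause. Suggest one line per path in the file's style, e.g. `DEBUG(0, ("auth_generic_prepare: gse_krb5_create_server_keytab(%s) failed: %s\n", keytab_name, nt_errstr(nt_status)));`, or a single shared error exit so the `TALLOC_FREE(tmp_ctx); return nt_status;` pair is not repeated three times. The `krb5_kt_close(smb_k5ctx->krb5_context, k5keytab)` placed directly after `cli_credentials_set_keytab_name` also warrants a comment: it releases what appears to be the only local handle to a `MEMORY:` keytab, so the entries presumably persist only because `cli_credentials_set_keytab_name` has already opened its own handle on that name, and if it fails before doing so the keytab is discarded along with the handle, which is acceptable on the error path but should be stated, e.g. `/* the credentials object now holds its own handle on the MEMORY keytab; drop ours */`. auth_generic_prepare begins and ends outside this hunk.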