source3/auth/auth_generic.c auth_generic_prepare gse_krb5_create_server_keytab()
authorStefan Metzmacher <metze@samba.org>
Fri, 6 Dec 2019 22:30:32 +0000 (23:30 +0100)
committerStefan Metzmacher <metze@samba.org>
Thu, 6 Aug 2020 12:03:26 +0000 (14:03 +0200)
source3/auth/auth_generic.c

index 0e9500ac08d1c1bc590d353091ba38a3e251a778..2c783c9b46e7f0ce9a99e0f1daa7ec54e15574aa 100644 (file)
@@ -33,7 +33,9 @@
 #include "nsswitch/libwbclient/wbclient.h"
 #endif
 #include "librpc/crypto/gse.h"
+#include "librpc/crypto/gse_krb5.h"
 #include "auth/credentials/credentials.h"
+#include "../source4/auth/kerberos/krb5_init_context.h"
 #include "lib/param/loadparm.h"
 #include "librpc/gen_ndr/dcerpc.h"
 
@@ -350,12 +352,56 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
                server_credentials = cli_credentials_init_anon(tmp_ctx);
                if (!server_credentials) {
                        DEBUG(0, ("auth_generic_prepare: Failed to init server credentials\n"));
+                       TALLOC_FREE(tmp_ctx);
                        return NT_STATUS_NO_MEMORY;
                }
 
                cli_credentials_set_conf(server_credentials, lp_ctx);
 
                if (lp_security() == SEC_ADS || USE_KERBEROS_KEYTAB) {
+                       struct smb_krb5_context *smb_k5ctx = NULL;
+                       char *keytab_name = NULL;
+                       krb5_error_code k5ret;
+                       krb5_keytab k5keytab = NULL;
+
+                       keytab_name = talloc_asprintf(server_credentials,
+                                       "MEMORY:auth_generic_prepare_%u_%p",
+                                       (unsigned int)getpid(),
+                                       server_credentials);
+                       if (keytab_name == NULL) {
+                               TALLOC_FREE(tmp_ctx);
+                               return NT_STATUS_NO_MEMORY;
+                       }
+
+                       k5ret = cli_credentials_get_krb5_context(server_credentials,
+                                                                lp_ctx,
+                                                                &smb_k5ctx);
+                       nt_status = krb5_to_nt_status(k5ret);
+                       if (!NT_STATUS_IS_OK(nt_status)) {
+                               TALLOC_FREE(tmp_ctx);
+                               return nt_status;
+                       }
+
+                       k5ret = gse_krb5_create_server_keytab(smb_k5ctx->krb5_context,
+                                                             keytab_name,
+                                                             &k5keytab);
+                       nt_status = krb5_to_nt_status(k5ret);
+                       if (!NT_STATUS_IS_OK(nt_status)) {
+                               TALLOC_FREE(tmp_ctx);
+                               return nt_status;
+                       }
+
+                       k5ret = cli_credentials_set_keytab_name(server_credentials,
+                                                               lp_ctx,
+                                                               keytab_name,
+                                                               CRED_SPECIFIED);
+                       krb5_kt_close(smb_k5ctx->krb5_context, k5keytab);
+                       nt_status = krb5_to_nt_status(k5ret);
+                       if (!NT_STATUS_IS_OK(nt_status)) {
+                               TALLOC_FREE(tmp_ctx);
+                               return nt_status;
+                       }
+
                        cli_credentials_set_kerberos_state(server_credentials, CRED_AUTO_USE_KERBEROS);
                } else {
                        cli_credentials_set_kerberos_state(server_credentials, CRED_DONT_USE_KERBEROS);
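Review bot: The ordering of the new cli_credentials_set_keytab_name() call followed by krb5_kt_close() looks load-bearing for a MEMORY: keytab, whose entries presumably only survive while some handle still references it, but nothing in the hunk records that, so a later tidy-up could swap the two calls and silently hand the server an empty keytab. I would add above the cli_credentials_set_keytab_name() call: `/* Let the credentials take their own reference to the MEMORY: keytab before we drop ours; with no open handle left its entries go away. */` (confirm against the MEMORY keytab semantics of the krb5 library in use). Separately, the error return after gse_krb5_create_server_keytab() leaves k5keytab untouched; if that helper can return an error with *keytab already resolved, the handle leaks, so either close it on that path or state in a comment that the helper guarantees *keytab is NULL on failure. auth_generic_prepare() begins and ends outside this hunk.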