r4045: readd krb5 support defaulted to disable
authorStefan Metzmacher <metze@samba.org>
Thu, 2 Dec 2004 18:27:08 +0000 (18:27 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 18:06:17 +0000 (13:06 -0500)
use:
gensec:krb5=yes
gensec:ms_krb5=yes

to enable it

or -k on the client tools on the command line

metze
(This used to be commit 0ae5794cf44933d2554e0356baaca24c7a784f71)

source4/lib/cmdline/popt_common.c
source4/libcli/auth/clikrb5.c
source4/libcli/auth/gensec.m4
source4/libcli/auth/gensec.mk
source4/libcli/auth/gensec_krb5.c
source4/libcli/auth/kerberos.c
source4/libcli/auth/kerberos_verify.c
source4/param/loadparm.c

index 6422b84b446586339a7ec9cfa51c8f13ff764d9d..c7bd35cbabe6e4a0e2c42e68391e0bacdd160a84 100644 (file)
@@ -373,6 +373,8 @@ static void popt_common_credentials_callback(poptContext con,
 #else
                cmdline_auth_info.use_kerberos = True;
                cmdline_auth_info.got_pass = True;
+               lp_set_cmdline("gensec:krb5", "True");
+               lp_set_cmdline("gensec:ms_krb5", "True");
 #endif
                break;
 
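Review bot: The two `lp_set_cmdline()` calls added under `#else` carry no comment explaining why -k now has to touch loadparm, and their results are not looked at. A short comment such as `/* krb5 mechs are off by default (see lp_load); -k enables them for this invocation */` would make the coupling with the defaults added in loadparm.c visible. If `lp_set_cmdline()` reports failure through its return value (its prototype is not shown here), a failed set would leave `use_kerberos = True` with both mechanisms still disabled, so at least a DEBUG line is worth having. The enclosing switch case starts outside the hunk.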
index b5158a038af697f9d561e7708bf4896f35c2071e..48e1f885038e7957f97d77194fcb47f65f5c3c97 100644 (file)
@@ -22,6 +22,7 @@
 #include "includes.h"
 #include "system/network.h"
 #include "system/kerberos.h"
+#include "libcli/auth/kerberos.h"
 #include "system/time.h"
 
 #ifdef HAVE_KRB5
index dd72d967dd858e4e8c11a2971ea0ad2c8e29b0c2..9b814014ca1e28b8ca51db7b32ad50bb4f63a27e 100644 (file)
@@ -2,5 +2,5 @@ SMB_MODULE_DEFAULT(gensec_krb5, NOT)
 
 if test x"$SMB_EXT_LIB_ENABLE_KRB5" = x"YES"; then
        /* enable this when krb5 is fully working */
-       SMB_MODULE_DEFAULT(gensec_krb5, NOT)
+       SMB_MODULE_DEFAULT(gensec_krb5, STATIC)
 fi
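Review bot: The context comment `/* enable this when krb5 is fully working */` directly above the changed line is now stale, because this change makes gensec_krb5 STATIC whenever `SMB_EXT_LIB_ENABLE_KRB5` is YES. It should be replaced with something like `dnl built in when krb5 is available; off at runtime unless gensec:krb5=yes`. Using `dnl` (or `#`) also matters because `/* ... */` is not a comment in m4 or shell, so the existing line presumably lands in the generated configure script as a command.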
index 30da8aaa0e1f288c54ad4bcc2df90e2553d4a30f..66abfd10b7ed8ae869ade2bdfd6b197ca59b5671 100644 (file)
@@ -19,7 +19,7 @@ ADD_OBJ_FILES = \
                libcli/auth/kerberos.o \
                libcli/auth/kerberos_verify.o \
                libcli/auth/gssapi_parse.o
-REQUIRED_SUBSYSTEMS = EXT_LIB_KRB5
+REQUIRED_SUBSYSTEMS = NDR_KRB5PAC EXT_LIB_KRB5
 # End MODULE gensec_krb5
 ################################################
 
index 97025fa6c447beaa0c4888c229320f0b6b6005b2..0f1bf8e7006c77db60b897bde058b7671e983763 100644 (file)
@@ -512,9 +512,14 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL
        {
                char *principal;
                DATA_BLOB unwrapped_in;
-               DATA_BLOB unwrapped_out;
+               DATA_BLOB unwrapped_out = data_blob(NULL, 0);
                uint8 tok_id[2];
 
+               if (!in.data) {
+                       *out = unwrapped_out;
+                       return NT_STATUS_MORE_PROCESSING_REQUIRED;
+               }       
+
                /* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */
                if (!gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
                        nt_status = ads_verify_ticket(out_mem_ctx, 
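Review bot: The new empty-input guard tests only `in.data`, so a blob with a non-NULL pointer and zero length still goes on to `gensec_gssapi_parse_krb5_wrap()` and `ads_verify_ticket()`; `if (!in.data || in.length == 0)` would cover both spellings of "no token". The early return also leaves the state position untouched, so a comment should say why an empty token is answered with NT_STATUS_MORE_PROCESSING_REQUIRED rather than rejected, e.g. `/* no token from the peer yet: return an empty reply and wait for one */`. The surrounding case block starts and ends outside the hunk, so whether a caller bounds how often a peer can repeat this is not visible here.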
@@ -544,8 +549,11 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL
                if (NT_STATUS_IS_OK(nt_status)) {
                        gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
                        /* wrap that up in a nice GSS-API wrapping */
+#ifndef GENSEC_SEND_UNWRAPPED_KRB5
                        *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REP);
-
+#else
+                       *out = unwrapped_out;
+#endif
                        gensec_krb5_state->peer_principal = talloc_steal(gensec_krb5_state, principal);
                }
                return nt_status;
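Review bot: `GENSEC_SEND_UNWRAPPED_KRB5` is introduced without a comment or a definition in the visible hunks, yet it changes what goes on the wire: with it defined, the reply blob is returned without the GSS-API wrapping. A comment above the `#ifndef` should say who is expected to define it and for which peers, for example `/* define GENSEC_SEND_UNWRAPPED_KRB5 to reply with a raw AP-REP instead of the GSS-API wrapped one */`. Since the request path already accepts unwrapped input at runtime, choosing the reply format from what the peer sent may fit better than a build-time switch; that is a suggestion, not something the hunk shows to be broken.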
index 50f2e0f24e320a59637e45f40be7d22e4365ff53..9510aaa7fb413bbb4080a7ffdfaa5ba2ea2a782b 100644 (file)
@@ -22,6 +22,7 @@
 
 #include "includes.h"
 #include "system/kerberos.h"
+#include "libcli/auth/kerberos.h"
 #include "system/time.h"
 
 #ifdef HAVE_KRB5
index 6d87cf8d8b6d527e75206c73ea9d627a5efae500..d00394fd790459d4ef43aa68671f1138ade64080 100644 (file)
@@ -101,7 +101,9 @@ static krb5_error_code ads_keytab_verify_ticket(krb5_context context, krb5_auth_
                }
                DEBUG(10, ("Checking principal: %s\n", princ_name));
                /* Look for a CIFS ticket */
-               if (!strncasecmp(princ_name, "cifs/", 5) || (!strncasecmp(princ_name, "host/", 5))) {
+               if (!strncasecmp(princ_name, "cifs/", 5) || 
+                   !strncasecmp(princ_name, "host/", 5) ||
+                   !strncasecmp(princ_name, "ldap/", 5)) {
 #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK
                        krb5_auth_con_setuseruserkey(context, auth_context, &kt_entry.keyblock);
 #else
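Review bot: The comment `/* Look for a CIFS ticket */` no longer matches the condition, which now accepts keytab entries for `cifs/`, `host/` and `ldap/`; something like `/* try keys of the cifs/, host/ and ldap/ service principals */` would be accurate. More importantly, the match is on the keytab entry name alone, so as far as this hunk shows, a ticket issued for one of these services is accepted regardless of which service is doing the verification. If the caller can pass the expected service name, restricting the prefix to it would keep a ticket for `ldap/` from being honoured on the SMB path and vice versa. The keytab loop and the rest of ads_keytab_verify_ticket lie outside the hunk.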
index 978d86a9a3ada1093c724b049b3d8ee48c887946..1d9553de3e12a13a2eab2f9742b56b9a87536923 100644 (file)
@@ -3071,6 +3071,9 @@ BOOL lp_load(const char *pszFname, BOOL global_only, BOOL save_defaults,
                lp_do_parameter(-1, "wins server", "127.0.0.1");
        }
 
+       lp_do_parameter(-1, "gensec:krb5", "False");
+       lp_do_parameter(-1, "gensec:ms_krb5", "False");
+
        init_iconv();
 
        return (bRetval);
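Review bot: These two `lp_do_parameter(-1, ...)` calls sit at the end of lp_load, after the `wins server` fix-up and just before `return (bRetval)`, which suggests they run after the configuration file has been processed. If so, a `gensec:krb5 = yes` in smb.conf would be overwritten with False, contradicting the commit message; only the -k path would work, and only if `lp_set_cmdline()` values take precedence over `lp_do_parameter()`. Setting the defaults before the file is parsed, wherever the other defaults are initialised, would keep the documented behaviour. A comment such as `/* krb5 mechs stay off unless enabled explicitly */` would also help. The body of lp_load before line 3071 is outside the hunk, so the ordering should be confirmed.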