From dbbb626dc0ad7b0100aec3ee3a787e1ac18f528a Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Tue, 6 Dec 2011 14:18:41 +1100
Subject: [PATCH] s4-dns Use match-by-key in GSSAPI server if principal is not specified
This allows dlz_bind9 to match on exactly the same key as bind9 itself
Andrew Bartlett
Autobuild-User: Amitay Isaacs
Autobuild-Date: Wed Dec 7 02:20:10 CET 2011 on sn-devel-104
---
 auth/credentials/credentials_krb5.c | 12 +++++++++---
 source4/dns_server/dlz_bind9.c | 27 +++++----------------------
 2 files changed, 14 insertions(+), 25 deletions(-)
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 1b7be3f63cb..1e5600c2b15 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -794,9 +794,15 @@ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
 return ENOMEM;
 }
- /* This creates a GSSAPI cred_id_t with the principal and keytab set */
- maj_stat = gss_krb5_import_cred(&min_stat, NULL, princ, ktc->keytab,
- &gcc->creds);
+ if (obtained < CRED_SPECIFIED) {
+ /* This creates a GSSAPI cred_id_t with the principal and keytab set */
+ maj_stat = gss_krb5_import_cred(&min_stat, NULL, NULL, ktc->keytab,
+ &gcc->creds);
+ } else {
+ /* This creates a GSSAPI cred_id_t with the principal and keytab set */
+ maj_stat = gss_krb5_import_cred(&min_stat, NULL, princ, ktc->keytab,
+ &gcc->creds);
+ }
 if (maj_stat) {
 if (min_stat) {
 ret = min_stat;
diff --git a/source4/dns_server/dlz_bind9.c b/source4/dns_server/dlz_bind9.c
index 1240ab7cc34..97eaac8564f 100644
--- a/source4/dns_server/dlz_bind9.c
+++ b/source4/dns_server/dlz_bind9.c
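Review bot: The two branches of the new `if (obtained < CRED_SPECIFIED)` differ only in the principal argument yet carry the identical comment "with the principal and keytab set", which is now wrong for the NULL-principal branch. Passing NULL to gss_krb5_import_cred makes the acceptor match an incoming ticket against whichever key in `ktc->keytab` it was encrypted with rather than against one named principal, so the contents of that keytab now decide which identities the server will accept as its own; that is the fact worth recording, and `obtained` is not assigned inside the hunk (presumably filled by the earlier principal lookup in this function). Suggest collapsing the duplicate to one call: `/* Below CRED_SPECIFIED the principal is only a guess: pass NULL so the acceptor matches by key against the keytab, as bind9 does */` followed by `maj_stat = gss_krb5_import_cred(&min_stat, NULL, obtained < CRED_SPECIFIED ? NULL : princ, ktc->keytab, &gcc->creds);`. cli_credentials_get_server_gss_creds starts and ends outside the hunk.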
@@ -1043,17 +1043,6 @@ _PUBLIC_ isc_result_t dlz_configure(dns_view_t *view, void *dbdata)
 return ISC_R_SUCCESS;
 }
-static char *strlower(char *str)
-{
- int i;
-
- for (i=0; ismb_krb5_ctx);
 cli_credentials_set_conf(server_credentials, state->lp);
- username = talloc_asprintf(tmp_ctx, "dns-%s", lpcfg_netbios_name(state->lp));
- username = strlower(username);
- cli_credentials_set_username(server_credentials, username, CRED_SPECIFIED);
- talloc_free(username);
-
 keytab_name = talloc_asprintf(tmp_ctx, "file:%s/dns.keytab", lpcfg_private_dir(state->lp));
 ret = cli_credentials_set_keytab_name(server_credentials, state->lp, keytab_name, CRED_SPECIFIED);
- talloc_free(keytab_name);
 if (ret != 0) {
- state->log(ISC_LOG_ERROR, "samba_dlz: failed to obtain server credentials for %s",
- username);
+ state->log(ISC_LOG_ERROR, "samba_dlz: failed to obtain server credentials from %s",
+ keytab_name);
 talloc_free(tmp_ctx);
 return false;
 }
+ talloc_free(keytab_name);
 nt_status = gensec_server_start(tmp_ctx, lpcfg_gensec_settings(tmp_ctx, state->lp),
@@ -1131,7 +1115,6 @@ _PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const
 }
 gensec_set_credentials(gensec_ctx, server_credentials);
- gensec_set_target_service(gensec_ctx, "dns");
 nt_status = gensec_start_mech_by_name(gensec_ctx, "spnego");
 if (!NT_STATUS_IS_OK(nt_status)) {
-- 2.34.1
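Review bot: The rewritten failure log in dlz_ssumatch reports only the keytab path and drops the reason: `ret` from cli_credentials_set_keytab_name is never shown, so a wrong path, a missing file and an unreadable dns.keytab all produce the same line, which is exactly the case an operator has to distinguish when updates start being refused. Suggest `state->log(ISC_LOG_ERROR, "samba_dlz: failed to obtain server credentials from %s: %d", keytab_name, ret);` (assuming ret is a plain int as the `ret != 0` test suggests; a strerror-style rendering would be better if it is an errno, which is not visible here). Moving `talloc_free(keytab_name)` past the error block is safe because the error path frees tmp_ctx, which the visible talloc_asprintf allocates it under. In this rendering the -1043 hunk is cut off between `for (i=0; i` and `smb_krb5_ctx);` and the header of the dlz_ssumatch hunk is lost with it, so the removed strlower body and the start of the credential setup were not reviewed; both enclosing functions start and end outside the visible lines.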
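Review bot: Removing `gensec_set_target_service(gensec_ctx, "dns")` without a comment leaves the next reader to work out why the acceptor no longer names its service; together with the dropped cli_credentials_set_username in the earlier hunk, the server now identifies itself only by whatever key in dns.keytab the client's ticket was encrypted with. Whether gensec consults the target service on the acceptor side at all is not visible here, so if this is a no-op say so, and either way a one-line comment at the call site would save the archaeology: `/* no username or target service on purpose: the acceptor matches by key against dns.keytab, as bind9 does */`. dlz_ssumatch starts and ends outside the hunk.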