r6803: Try to bring in the correct GSSAPI headers for the krb5 mech. This
authorAndrew Bartlett <abartlet@samba.org>
Mon, 16 May 2005 01:31:22 +0000 (01:31 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 18:16:45 +0000 (13:16 -0500)
should allow us to ditch the local static storage for OIDs, as well as
fix the build on non-heimdal platforms.

Andrew Bartlett
(This used to be commit a7e2ecfac9aaacd673e3583b62139e4f4e114429)

source4/auth/gensec/gensec_gssapi.c
source4/auth/gensec/schannel_state.c
source4/auth/kerberos/kerberos.m4
source4/include/system/kerberos.h

index e57739c85c8a0479bcc0e9ff3a2453b25d28ac28..d186e3ed1f5f7adf013f9b788ebb562ee39c6701 100644 (file)
@@ -32,9 +32,6 @@
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_AUTH
 
-static const gss_OID_desc gensec_gss_krb5_mechanism_oid_desc =
-        {9, (void *)discard_const_p(char, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02")};
-
 struct gensec_gssapi_state {
        gss_ctx_id_t gssapi_context;
        struct gss_channel_bindings_struct *input_chan_bindings;
@@ -162,7 +159,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
 #endif
        }
 
-       gensec_gssapi_state->gss_oid = &gensec_gss_krb5_mechanism_oid_desc;
+       gensec_gssapi_state->gss_oid = gss_mech_krb5;
        
        ret = krb5_init_context(&gensec_gssapi_state->krb5_context);
        if (ret) {
@@ -359,6 +356,11 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
        } else if (maj_stat == GSS_S_CONTINUE_NEEDED) {
                return NT_STATUS_MORE_PROCESSING_REQUIRED;
        } else {
+               if (maj_stat == GSS_S_FAILURE
+                   && (min_stat == KRB5KRB_AP_ERR_BADVERSION || min_stat == KRB5KRB_AP_ERR_MSG_TYPE)) {
+                       /* garbage input, possibly from the auto-mech detection */
+                       return NT_STATUS_INVALID_PARAMETER;
+               }
                DEBUG(1, ("GSS Update failed: %s\n", 
                          gssapi_error_string(out_mem_ctx, maj_stat, min_stat)));
                return nt_status;
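Review bot: The new comparison `min_stat == KRB5KRB_AP_ERR_BADVERSION` matches an OM_uint32 against a negative krb5 error constant, and whether it can ever hold depends on the constant's type: where the krb5 headers define it as a long on an LP64 platform, `min_stat` is converted to long with its (positive) value unchanged and the test is always false, so the early return would silently never fire there. Converting the minor status back to the krb5 type before comparing makes the intent explicit and portable, e.g. `&& ((krb5_error_code)min_stat == KRB5KRB_AP_ERR_BADVERSION || (krb5_error_code)min_stat == KRB5KRB_AP_ERR_MSG_TYPE)) {`. The branch also returns without a log line, unlike the generic failure path three lines below, so malformed or mis-routed tokens leave no trace; a `DEBUG(3, ...)` carrying the same `gssapi_error_string()` text before the return would keep that visible to operators. Reading `min_stat` as a krb5 code presumes the krb5 mechanism, which appears to hold because gensec_gssapi_start now assigns `gss_mech_krb5` directly, but the krb5-specific paths in gensec_gssapi_have_feature and gensec_gssapi_session_key guard on the OID while this one does not. gensec_gssapi_update starts and ends outside this hunk.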
@@ -641,8 +643,8 @@ static BOOL gensec_gssapi_have_feature(struct gensec_security *gensec_security,
        }
        if (feature & GENSEC_FEATURE_SESSION_KEY) {
 #ifdef HAVE_GSSKRB5_GET_INITIATOR_SUBKEY
-               if ((gensec_gssapi_state->gss_oid->length == gensec_gss_krb5_mechanism_oid_desc.length)
-                   && (memcmp(gensec_gssapi_state->gss_oid->elements, gensec_gss_krb5_mechanism_oid_desc.elements, gensec_gssapi_state->gss_oid->length) == 0)) {
+               if ((gensec_gssapi_state->gss_oid->length == gss_mech_krb5->length)
+                   && (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements, gensec_gssapi_state->gss_oid->length) == 0)) {
                        return True;
                }
 #endif 
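Review bot: The two-line OID equality test inside the `#ifdef HAVE_GSSKRB5_GET_INITIATOR_SUBKEY` block is repeated verbatim in gensec_gssapi_session_key's hunk just below (the `gss_mech_krb5->length` / `gss_mech_krb5->elements` lines), and the commit rewrites both copies in step; a single static helper would keep the two guards from drifting and give the "krb5 only" rule one place to be documented. With gensec_gssapi_start now appearing to assign `gss_mech_krb5` unconditionally, both tests look always-true in this revision unless `gss_oid` is reassigned somewhere not shown; if the guards are kept for future mechanisms, the helper's comment can say so. gensec_gssapi_have_feature begins before this hunk.
```c
/* True only for the krb5 mechanism; the gsskrb5_* calls guarded by this
 * are not valid for any other OID that may be negotiated in future. */
static BOOL gensec_gssapi_is_krb5(const struct gensec_gssapi_state *state)
{
	return (state->gss_oid->length == gss_mech_krb5->length)
		&& (memcmp(state->gss_oid->elements, gss_mech_krb5->elements,
			   state->gss_oid->length) == 0);
}

/* … unchanged: gensec_gssapi_have_feature up to the session-key feature test … */
		if (gensec_gssapi_is_krb5(gensec_gssapi_state)) {
			return True;
		}
```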
@@ -662,8 +664,8 @@ static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_securit
 
 #ifdef HAVE_GSSKRB5_GET_INITIATOR_SUBKEY
        /* Ensure we only call this for GSSAPI/krb5, otherwise things could get very ugly */
-       if ((gensec_gssapi_state->gss_oid->length == gensec_gss_krb5_mechanism_oid_desc.length)
-           && (memcmp(gensec_gssapi_state->gss_oid->elements, gensec_gss_krb5_mechanism_oid_desc.elements, 
+       if ((gensec_gssapi_state->gss_oid->length == gss_mech_krb5->length)
+           && (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements, 
                       gensec_gssapi_state->gss_oid->length) == 0)) {
                OM_uint32 maj_stat, min_stat;
                gss_buffer_desc skey;
index 99d5fdef5358f854a5671a7c2af5982e1cec2667..0c5ce09637a75a826f2339b9e74b5dae7f910896 100644 (file)
@@ -26,9 +26,6 @@
 #include "lib/ldb/include/ldb.h"
 #include "db_wrap.h"
 
-/* a reasonable amount of time to keep credentials live */
-#define SCHANNEL_CREDENTIALS_EXPIRY 600
-
 /*
   connect to the schannel ldb
 */
@@ -72,11 +69,9 @@ NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx,
        struct ldb_context *ldb;
        struct ldb_message *msg;
        struct ldb_val val, seed;
-       char *s;
        char *f;
        char *sct;
        char *rid;
-       time_t expiry = time(NULL) + SCHANNEL_CREDENTIALS_EXPIRY;
        int ret;
 
        ldb = schannel_db_connect(mem_ctx);
@@ -84,13 +79,6 @@ NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx,
                return NT_STATUS_NO_MEMORY;
        }
 
-       s = talloc_asprintf(mem_ctx, "%u", (unsigned int)expiry);
-
-       if (s == NULL) {
-               talloc_free(ldb);
-               return NT_STATUS_NO_MEMORY;
-       }
-
        f = talloc_asprintf(mem_ctx, "%u", (unsigned int)creds->negotiate_flags);
 
        if (f == NULL) {
@@ -133,7 +121,6 @@ NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx,
 
        ldb_msg_add_value(ldb, msg, "sessionKey", &val);
        ldb_msg_add_value(ldb, msg, "seed", &seed);
-       ldb_msg_add_string(ldb, msg, "expiry", s);
        ldb_msg_add_string(ldb, msg, "negotiateFlags", f);
        ldb_msg_add_string(ldb, msg, "secureChannelType", sct);
        ldb_msg_add_string(ldb, msg, "accountName", creds->account_name);
@@ -145,8 +132,6 @@ NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx,
 
        ret = ldb_add(ldb, msg);
 
-       talloc_free(s);
-
        if (ret != 0) {
                DEBUG(0,("Unable to add %s to session key db - %s\n", 
                         msg->dn, ldb_errstring(ldb)));
@@ -171,7 +156,6 @@ NTSTATUS schannel_fetch_session_key(TALLOC_CTX *mem_ctx,
                                    struct creds_CredentialState **creds)
 {
        struct ldb_context *ldb;
-       time_t expiry;
        struct ldb_message **res;
        int ret;
        const struct ldb_val *val;
@@ -199,13 +183,6 @@ NTSTATUS schannel_fetch_session_key(TALLOC_CTX *mem_ctx,
                return NT_STATUS_INVALID_HANDLE;
        }
 
-       expiry = ldb_msg_find_uint(res[0], "expiry", 0);
-       if (expiry < time(NULL)) {
-               DEBUG(1,("schannel: attempt to use expired session key for %s\n", computer_name));
-               talloc_free(ldb);
-               return NT_STATUS_INVALID_HANDLE;
-       }
-
        val = ldb_msg_find_ldb_val(res[0], "sessionKey");
        if (val == NULL || val->length != 16) {
                DEBUG(1,("schannel: record in schannel DB must contain a sessionKey of length 16, when searching for client: %s\n", computer_name));
index f9a2d66c0ab2d3cb44e64ae02bee00a9ea83865c..b78f96a877ed2f452a514bcf5e64e0690c6e9c76 100644 (file)
@@ -195,7 +195,7 @@ if test x"$with_krb5_support" != x"no"; then
 
        # now check for gssapi headers.  This is also done here to allow for
        # different kerberos include paths
-       AC_CHECK_HEADERS(gssapi.h gssapi/gssapi_generic.h gssapi/gssapi.h com_err.h)
+       AC_CHECK_HEADERS(gssapi.h gssapi_krb5.h gssapi/gssapi.h gssapi/gssapi_generic.h gssapi/gssapi_krb5.h com_err.h)
 
        ##################################################################
        # we might need the k5crypto and com_err libraries on some systems
index 392300267e10ace0211c03e9a62fd279750883e3..d5fc0209e50d51a40c176b4b89dcd09367fad5dd 100644 (file)
 #undef HAVE_KRB5
 #endif
 
-#ifdef HAVE_GSSAPI_H
+#ifdef HAVE_GSSAPI_KRB5_H
+#include <gssapi_krb5.h>
+#elif defined(HAVE_GSSAPI_KRB5_H)
+#include <gssapi/gssapi_krb5.h>
+#elif defined(HAVE_GSSAPI_H)
 #include <gssapi.h>
 #elif defined(HAVE_GSSAPI_GSSAPI_H)
 #include <gssapi/gssapi.h>
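Review bot: The second branch of the new chain can never be taken: `#ifdef HAVE_GSSAPI_KRB5_H` on the first added line and `#elif defined(HAVE_GSSAPI_KRB5_H)` two lines later test the same macro, so `<gssapi/gssapi_krb5.h>` is never included. By the convention the following branch already uses (`HAVE_GSSAPI_GSSAPI_H` for `gssapi/gssapi.h`), the macro configure generates for the `gssapi/gssapi_krb5.h` check added in kerberos.m4 is `HAVE_GSSAPI_GSSAPI_KRB5_H`, so the line should read `#elif defined(HAVE_GSSAPI_GSSAPI_KRB5_H)`. As written, a platform that ships only the `gssapi/`-prefixed krb5 header falls through to plain `gssapi.h`, and nothing on this page shows that header declaring the `gss_mech_krb5` symbol gensec_gssapi.c now depends on, so the non-Heimdal build the commit sets out to fix may still fail there. This hunk's `@@` header is not shown and the chain's closing `#endif` lies beyond the last visible line.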