struct security_token *security_token;
struct auth_serversupplied_info *server_info;
DATA_BLOB session_key;
+ struct cli_credentials *credentials;
};
struct auth_method_context;
&session_info->security_token);
NT_STATUS_NOT_OK_RETURN(nt_status);
+ session_info->credentials = NULL;
+
*_session_info = session_info;
return NT_STATUS_OK;
}
cred->domain_obtained = CRED_UNINITIALISED;
cred->realm_obtained = CRED_UNINITIALISED;
cred->ccache_obtained = CRED_UNINITIALISED;
+ cred->gss_creds_obtained = CRED_UNINITIALISED;
cred->keytab_obtained = CRED_UNINITIALISED;
cred->principal_obtained = CRED_UNINITIALISED;
enum credentials_obtained domain_obtained;
enum credentials_obtained realm_obtained;
enum credentials_obtained ccache_obtained;
+ enum credentials_obtained gss_creds_obtained;
enum credentials_obtained principal_obtained;
enum credentials_obtained keytab_obtained;
struct samr_Password *nt_hash;
struct ccache_container *ccache;
+ struct gssapi_creds_container *gssapi_creds;
struct keytab_container *keytab;
const char *(*workstation_cb) (struct cli_credentials *);
return 0;
}
-
+/* Free a memory ccache */
static int free_mccache(void *ptr) {
struct ccache_container *ccc = ptr;
krb5_cc_destroy(ccc->smb_krb5_context->krb5_context, ccc->ccache);
return 0;
}
+/* Free a disk-based ccache */
static int free_dccache(void *ptr) {
struct ccache_container *ccc = ptr;
krb5_cc_close(ccc->smb_krb5_context->krb5_context, ccc->ccache);
}
-int cli_credentials_new_ccache(struct cli_credentials *cred)
+int cli_credentials_new_ccache(struct cli_credentials *cred, struct ccache_container **_ccc)
{
krb5_error_code ret;
char *rand_string;
talloc_steal(cred, ccc);
talloc_free(ccache_name);
+ if (_ccc) {
+ *_ccc = ccc;
+ }
+
return ret;
}
return EINVAL;
}
- ret = cli_credentials_new_ccache(cred);
+ ret = cli_credentials_new_ccache(cred, NULL);
if (ret) {
return ret;
}
return ret;
}
+static int free_gssapi_creds(void *ptr) {
+ OM_uint32 min_stat, maj_stat;
+ struct gssapi_creds_container *gcc = ptr;
+ maj_stat = gss_release_cred(&min_stat,
+ &gcc->creds);
+ return 0;
+}
+
+int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
+ struct gssapi_creds_container **_gcc)
+{
+ int ret = 0;
+ OM_uint32 maj_stat, min_stat;
+ struct gssapi_creds_container *gcc;
+ struct ccache_container *ccache;
+ if (cred->gss_creds_obtained >= (MAX(cred->ccache_obtained,
+ MAX(cred->principal_obtained,
+ cred->username_obtained)))) {
+ *_gcc = cred->gssapi_creds;
+ return 0;
+ }
+ ret = cli_credentials_get_ccache(cred,
+ &ccache);
+ if (ret) {
+ DEBUG(1, ("Failed to get CCACHE for GSSAPI client: %s\n", error_message(ret)));
+ return ret;
+ }
+
+ gcc = talloc(cred, struct gssapi_creds_container);
+ if (!gcc) {
+ return ENOMEM;
+ }
+
+ maj_stat = gss_krb5_import_ccache(&min_stat, ccache->ccache,
+ &gcc->creds);
+ if (maj_stat) {
+ if (min_stat) {
+ ret = min_stat;
+ } else {
+ ret = EINVAL;
+ }
+ }
+ if (ret == 0) {
+ cred->gss_creds_obtained = cred->ccache_obtained;
+ talloc_set_destructor(gcc, free_gssapi_creds);
+ cred->gssapi_creds = gcc;
+ *_gcc = gcc;
+ }
+ return ret;
+}
+
+/**
+ Set a gssapi cred_id_t into the credentails system.
+
+ This grabs the credentials both 'intact' and getting the krb5
+ ccache out of it. This routine can be generalised in future for
+ the case where we deal with GSSAPI mechs other than krb5.
+
+ On sucess, the caller must not free gssapi_cred, as it now belongs
+ to the credentials system.
+*/
+
+ int cli_credentials_set_client_gss_creds(struct cli_credentials *cred,
+ gss_cred_id_t gssapi_cred,
+ enum credentials_obtained obtained)
+{
+ int ret;
+ OM_uint32 maj_stat, min_stat;
+ struct ccache_container *ccc;
+ struct gssapi_creds_container *gcc = talloc(cred, struct gssapi_creds_container);
+ if (!gcc) {
+ return ENOMEM;
+ }
+
+ ret = cli_credentials_new_ccache(cred, &ccc);
+ if (ret != 0) {
+ return ret;
+ }
+
+ maj_stat = gss_krb5_copy_ccache(&min_stat,
+ gssapi_cred, ccc->ccache);
+ if (maj_stat) {
+ if (min_stat) {
+ ret = min_stat;
+ } else {
+ ret = EINVAL;
+ }
+ }
+
+ if (ret == 0) {
+ ret = cli_credentials_set_from_ccache(cred, obtained);
+ }
+ if (ret == 0) {
+ gcc->creds = gssapi_cred;
+ talloc_set_destructor(gcc, free_gssapi_creds);
+
+ cred->gss_creds_obtained = obtained;
+ cred->gssapi_creds = gcc;
+ }
+ return ret;
+}
+
int cli_credentials_get_keytab(struct cli_credentials *cred,
struct keytab_container **_ktc)
{
krb5_ccache ccache;
const char *ccache_name;
struct keytab_container *keytab;
+ struct gssapi_creds_container *client_cred;
gss_cred_id_t cred;
+ gss_cred_id_t delegated_cred_handle;
};
static char *gssapi_error_string(TALLOC_CTX *mem_ctx,
maj_stat = gss_release_cred(&min_stat,
&gensec_gssapi_state->cred);
}
+ if (gensec_gssapi_state->delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
+ maj_stat = gss_release_cred(&min_stat,
+ &gensec_gssapi_state->delegated_cred_handle);
+ }
if (gensec_gssapi_state->gssapi_context != GSS_C_NO_CONTEXT) {
maj_stat = gss_delete_sec_context (&min_stat,
/* TODO: Fill in channel bindings */
gensec_gssapi_state->input_chan_bindings = GSS_C_NO_CHANNEL_BINDINGS;
- gensec_gssapi_state->want_flags = GSS_C_MUTUAL_FLAG;
+ gensec_gssapi_state->want_flags = GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG;
gensec_gssapi_state->got_flags = 0;
gensec_gssapi_state->session_key = data_blob(NULL, 0);
gensec_gssapi_state->pac = data_blob(NULL, 0);
gensec_gssapi_state->cred = GSS_C_NO_CREDENTIAL;
+ gensec_gssapi_state->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
talloc_set_destructor(gensec_gssapi_state, gensec_gssapi_destory);
}
maj_stat = gsskrb5_acquire_cred(&min_stat,
- gensec_gssapi_state->keytab->keytab, NULL,
+ gensec_gssapi_state->keytab->keytab,
gensec_gssapi_state->server_name,
GSS_C_INDEFINITE,
GSS_C_NULL_OID_SET,
{
struct gensec_gssapi_state *gensec_gssapi_state;
struct cli_credentials *creds = gensec_get_credentials(gensec_security);
- struct ccache_container *ccache;
krb5_error_code ret;
NTSTATUS nt_status;
gss_buffer_desc name_token;
OM_uint32 maj_stat, min_stat;
const char *hostname = gensec_get_target_hostname(gensec_security);
const char *principal;
+ struct gssapi_creds_container *gcc;
if (!hostname) {
DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n"));
gensec_gssapi_state = gensec_security->private_data;
- ret = cli_credentials_get_ccache(creds,
- &ccache);
- if (ret) {
- DEBUG(1, ("Failed to get CCACHE for gensec_gssapi: %s\n", error_message(ret)));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- principal = cli_credentials_get_principal(creds,
- gensec_gssapi_state);
- name_token.value = discard_const_p(uint8_t, principal);
- name_token.length = strlen(principal);
-
- maj_stat = gss_import_name (&min_stat,
- &name_token,
- GSS_C_NT_USER_NAME,
- &gensec_gssapi_state->client_name);
- if (maj_stat) {
- DEBUG(2, ("GSS Import name of %s failed: %s\n",
- (char *)name_token.value,
- gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
principal = gensec_get_target_principal(gensec_security);
if (principal && lp_client_use_spnego_principal()) {
name_token.value = discard_const_p(uint8_t, principal);
return NT_STATUS_INVALID_PARAMETER;
}
- maj_stat = gsskrb5_acquire_cred(&min_stat,
- NULL, ccache->ccache,
- gensec_gssapi_state->client_name,
- GSS_C_INDEFINITE,
- GSS_C_NULL_OID_SET,
- GSS_C_INITIATE,
- &gensec_gssapi_state->cred,
- NULL,
- NULL);
- if (maj_stat) {
- switch (min_stat) {
- case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
- DEBUG(3, ("Server [%s] is not registered with our KDC: %s\n",
- hostname, gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
- return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
- default:
- DEBUG(1, ("Aquiring initiator credentails failed: %s\n",
- gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
- return NT_STATUS_UNSUCCESSFUL;
- }
+ ret = cli_credentials_get_client_gss_creds(creds, &gcc);
+ switch (ret) {
+ case 0:
+ break;
+ case KRB5_KDC_UNREACH:
+ DEBUG(3, ("Cannot reach a KDC we require\n"));
+ return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
+ default:
+ DEBUG(1, ("Aquiring initiator credentails failed\n"));
+ return NT_STATUS_UNSUCCESSFUL;
}
+ gensec_gssapi_state->client_cred = gcc;
+
return NT_STATUS_OK;
}
const DATA_BLOB in, DATA_BLOB *out)
{
struct gensec_gssapi_state *gensec_gssapi_state = gensec_security->private_data;
- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+ NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
OM_uint32 maj_stat, min_stat;
OM_uint32 min_stat2;
gss_buffer_desc input_token, output_token;
case GENSEC_CLIENT:
{
maj_stat = gss_init_sec_context(&min_stat,
- gensec_gssapi_state->cred,
+ gensec_gssapi_state->client_cred->creds,
&gensec_gssapi_state->gssapi_context,
gensec_gssapi_state->server_name,
discard_const_p(gss_OID_desc, gensec_gssapi_state->gss_oid),
&output_token,
&gensec_gssapi_state->got_flags,
NULL,
- NULL);
+ &gensec_gssapi_state->delegated_cred_handle);
gensec_gssapi_state->gss_oid = gss_oid_p;
break;
}
*out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
gss_release_buffer(&min_stat2, &output_token);
+ if (gensec_gssapi_state->got_flags & GSS_C_DELEG_FLAG) {
+ DEBUG(5, ("gensec_gssapi: credentials were delegated\n"));
+ } else {
+ DEBUG(5, ("gensec_gssapi: NO credentials were delegated\n"));
+ }
+
return NT_STATUS_OK;
} else if (maj_stat == GSS_S_CONTINUE_NEEDED) {
*out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
nt_status = gensec_gssapi_session_key(gensec_security, &session_info->session_key);
NT_STATUS_NOT_OK_RETURN(nt_status);
+ if (!(gensec_gssapi_state->got_flags & GSS_C_DELEG_FLAG)) {
+ DEBUG(10, ("gensec_gssapi: NO delegated credentials supplied by client"));
+ } else {
+ krb5_error_code ret;
+ DEBUG(10, ("gensec_gssapi: delegated credentials supplied by client\n"));
+ session_info->credentials = cli_credentials_init(session_info);
+ if (!session_info->credentials) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ cli_credentials_set_conf(session_info->credentials);
+
+ ret = cli_credentials_set_client_gss_creds(session_info->credentials,
+ gensec_gssapi_state->delegated_cred_handle,
+ CRED_SPECIFIED);
+ if (ret) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ /* It has been taken from this place... */
+ gensec_gssapi_state->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
+ }
*_session_info = session_info;
return NT_STATUS_OK;
};
+struct gssapi_creds_container {
+ gss_cred_id_t creds;
+};
+
+
struct keytab_container {
struct smb_krb5_context *smb_krb5_context;
krb5_keytab keytab;
krb5_principal client_principal,
time_t tgs_authtime,
DATA_BLOB *pac);
+
+ int cli_credentials_set_client_gss_creds(struct cli_credentials *cred,
+ gss_cred_id_t gssapi_cred,
+ enum credentials_obtained obtained);
+
#endif /* HAVE_KRB5 */
OM_uint32 ret;
int32_t seq_number;
int is_cfx = 0;
- u_int32_t flags = (*context_handle)->flags;
+ u_int32_t *flags = &(*context_handle)->flags;
krb5_auth_getremoteseqnumber (gssapi_krb5_context,
(*context_handle)->auth_context,
ret = _gssapi_msg_order_create(minor_status,
&(*context_handle)->order,
- _gssapi_msg_order_f(flags),
+ _gssapi_msg_order_f(*flags),
seq_number, 0, is_cfx);
if (ret) return ret;
- if (!(flags & GSS_C_MUTUAL_FLAG) && _gssapi_msg_order_f(flags)) {
+ if (!(*flags & GSS_C_MUTUAL_FLAG) && _gssapi_msg_order_f(*flags)) {
krb5_auth_con_setlocalseqnumber(gssapi_krb5_context,
(*context_handle)->auth_context,
seq_number);
/*
* We should handle the delegation ticket, in case it's there
*/
- if ((*context_handle)->fwd_data.length > 0 && (flags & GSS_C_DELEG_FLAG)) {
+ if ((*context_handle)->fwd_data.length > 0 && (*flags & GSS_C_DELEG_FLAG)) {
ret = gsskrb5_accept_delegated_token(minor_status,
context_handle,
delegated_cred_handle);
if (ret) return ret;
+ } else {
+ /* Well, looks like it wasn't there after all */
+ *flags &= ~GSS_C_DELEG_FLAG;
}
(*context_handle)->state = ACCEPTOR_READY;
krb5_ticket *ticket = NULL;
krb5_keytab keytab = NULL;
krb5_keyblock *keyblock = NULL;
- krb5_data fwd_data;
int is_cfx = 0;
- krb5_data_zero (&fwd_data);
+ krb5_data_zero (&(*context_handle)->fwd_data);
/*
* We may, or may not, have an escapsulation.
input_chan_bindings,
authenticator->cksum,
&flags,
- &fwd_data);
+ &(*context_handle)->fwd_data);
krb5_free_authenticator(gssapi_krb5_context, &authenticator);
if (ret) {
return ret;
}
}
- /*
- * We need to send the flags back to the caller
- */
flags |= GSS_C_TRANS_FLAG;
- if (ret_flags)
- *ret_flags = flags;
-
- /* And remember them for later */
+ /* Remember the flags */
(*context_handle)->lifetime = ticket->ticket.endtime;
(*context_handle)->flags = flags;
* When GSS_C_DCE_STYLE is in use, we need ask for a AP-REP from the client
*/
if (flags & GSS_C_DCE_STYLE) {
+ if (ret_flags) {
+ /* Return flags to caller, but we haven't processed delgations yet */
+ *ret_flags = flags & ~GSS_C_DELEG_FLAG;
+ }
+
(*context_handle)->state = ACCEPTOR_WAIT_FOR_DCESTYLE;
return GSS_S_CONTINUE_NEEDED;
}
- return gsskrb5_acceptor_ready(minor_status, context_handle, delegated_cred_handle);
+ ret = gsskrb5_acceptor_ready(minor_status, context_handle, delegated_cred_handle);
+
+ /*
+ * We need to send the flags back to the caller
+ */
+
+ *ret_flags = (*context_handle)->flags;
+ return ret;
}
static OM_uint32
#include "gssapi_locl.h"
-RCSID("$Id: acquire_cred.c,v 1.23 2005/10/21 12:44:08 lha Exp $");
+RCSID("$Id: acquire_cred.c,v 1.24 2005/10/26 11:25:16 lha Exp $");
+
+OM_uint32
+_gssapi_krb5_ccache_lifetime(OM_uint32 *minor_status,
+ krb5_ccache id,
+ krb5_principal principal,
+ OM_uint32 *lifetime)
+{
+ krb5_creds in_cred, *out_cred;
+ krb5_const_realm realm;
+ krb5_error_code kret;
+
+ memset(&in_cred, 0, sizeof(in_cred));
+ in_cred.client = principal;
+
+ realm = krb5_principal_get_realm(gssapi_krb5_context, principal);
+ if (realm == NULL) {
+ gssapi_krb5_clear_status ();
+ *minor_status = KRB5_PRINC_NOMATCH; /* XXX */
+ return GSS_S_FAILURE;
+ }
+
+ kret = krb5_make_principal(gssapi_krb5_context, &in_cred.server,
+ realm, KRB5_TGS_NAME, realm, NULL);
+ if (kret) {
+ gssapi_krb5_set_error_string();
+ *minor_status = kret;
+ return GSS_S_FAILURE;
+ }
+
+ kret = krb5_get_credentials(gssapi_krb5_context, 0,
+ id, &in_cred, &out_cred);
+ krb5_free_principal(gssapi_krb5_context, in_cred.server);
+ if (kret) {
+ gssapi_krb5_set_error_string();
+ *minor_status = kret;
+ return GSS_S_FAILURE;
+ }
+
+ *lifetime = out_cred->times.endtime;
+ krb5_free_creds(gssapi_krb5_context, out_cred);
+
+ return GSS_S_COMPLETE;
+}
+
+
+
static krb5_error_code
get_keytab(krb5_context context, krb5_keytab *keytab)
(OM_uint32 * minor_status,
krb5_context context,
krb5_keytab keytab,
- krb5_ccache ccache,
const gss_name_t desired_name,
OM_uint32 time_req,
const gss_OID_set desired_mechs,
krb5_creds cred;
krb5_principal def_princ;
krb5_get_init_creds_opt *opt;
+ krb5_ccache ccache;
krb5_error_code kret;
- krb5_boolean made_ccache = FALSE;
krb5_boolean made_keytab = FALSE;
+ ccache = NULL;
def_princ = NULL;
ret = GSS_S_FAILURE;
memset(&cred, 0, sizeof(cred));
/* If we have a preferred principal, lets try to find it in all
* caches, otherwise, fall back to default cache. Ignore
* errors. */
- if (ccache == NULL && handle->principal) {
+ if (handle->principal)
kret = krb5_cc_cache_match (gssapi_krb5_context,
handle->principal,
NULL,
&ccache);
- if (kret) {
- ccache = NULL;
- } else {
- made_ccache = TRUE;
- }
- }
+
if (ccache == NULL) {
kret = krb5_cc_default(gssapi_krb5_context, &ccache);
if (kret)
goto end;
- made_ccache = TRUE;
}
kret = krb5_cc_get_principal(context, ccache,
&def_princ);
if (kret != 0) {
/* we'll try to use a keytab below */
krb5_cc_destroy(context, ccache);
- made_ccache = FALSE;
ccache = NULL;
kret = 0;
} else if (handle->principal == NULL) {
if (kret)
goto end;
}
- if (keytab != NULL) {
- kret = get_keytab(context, &keytab);
- if (kret)
- goto end;
- made_keytab = TRUE;
- }
- kret = krb5_get_init_creds_opt_alloc(context, &opt);
+ kret = get_keytab(context, &keytab);
+ if (kret)
+ goto end;
+ kret = krb5_get_init_creds_opt_alloc(gssapi_krb5_context, &opt);
if (kret)
goto end;
- kret = krb5_get_init_creds_keytab(context, &cred,
+ kret = krb5_get_init_creds_keytab(gssapi_krb5_context, &cred,
handle->principal, keytab, 0, NULL, opt);
krb5_get_init_creds_opt_free(opt);
if (kret)
goto end;
- if (ccache == NULL) {
- kret = krb5_cc_gen_new(context, &krb5_mcc_ops,
- &ccache);
- if (kret)
- goto end;
- made_ccache = TRUE;
- }
- kret = krb5_cc_initialize(context, ccache, cred.client);
+ kret = krb5_cc_gen_new(gssapi_krb5_context, &krb5_mcc_ops,
+ &ccache);
if (kret)
goto end;
- kret = krb5_cc_store_cred(context, ccache, &cred);
+ kret = krb5_cc_initialize(gssapi_krb5_context, ccache, cred.client);
if (kret)
goto end;
- handle->lifetime = cred.times.endtime;
- } else {
- krb5_creds in_cred, *out_cred;
- krb5_const_realm realm;
-
- memset(&in_cred, 0, sizeof(in_cred));
- in_cred.client = handle->principal;
-
- realm = krb5_principal_get_realm(context,
- handle->principal);
- if (realm == NULL) {
- kret = KRB5_PRINC_NOMATCH; /* XXX */
- goto end;
- }
-
- kret = krb5_make_principal(context, &in_cred.server,
- realm, KRB5_TGS_NAME, realm, NULL);
+ kret = krb5_cc_store_cred(gssapi_krb5_context, ccache, &cred);
if (kret)
goto end;
+ handle->lifetime = cred.times.endtime;
+ handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE;
+ } else {
- kret = krb5_get_credentials(context, 0,
- ccache, &in_cred, &out_cred);
- krb5_free_principal(context, in_cred.server);
- if (kret)
+ ret = _gssapi_krb5_ccache_lifetime(minor_status,
+ ccache,
+ handle->principal,
+ &handle->lifetime);
+ if (ret != GSS_S_COMPLETE)
goto end;
-
- handle->lifetime = out_cred->times.endtime;
- krb5_free_creds(context, out_cred);
+ kret = 0;
}
handle->ccache = ccache;
- handle->made_ccache = made_ccache;
ret = GSS_S_COMPLETE;
end:
if (made_keytab)
krb5_kt_close(context, keytab);
if (ret != GSS_S_COMPLETE) {
- if (made_ccache)
- krb5_cc_close(context, ccache);
+ if (ccache != NULL)
+ krb5_cc_close(gssapi_krb5_context, ccache);
if (kret != 0) {
*minor_status = kret;
gssapi_krb5_set_error_string ();
OM_uint32 gsskrb5_acquire_cred
(OM_uint32 * minor_status,
struct krb5_keytab_data *keytab,
- struct krb5_ccache_data *ccache,
const gss_name_t desired_name,
OM_uint32 time_req,
const gss_OID_set desired_mechs,
}
if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
ret = acquire_initiator_cred(minor_status, gssapi_krb5_context,
- keytab, ccache,
+ keytab,
desired_name, time_req,
desired_mechs, cred_usage,
handle, actual_mechs, time_rec);
)
{
return gsskrb5_acquire_cred(minor_status,
- NULL, NULL,
+ NULL,
desired_name,
time_req,
desired_mechs,
#include "gssapi_locl.h"
-RCSID("$Id: copy_ccache.c,v 1.7 2003/09/01 15:11:09 lha Exp $");
+RCSID("$Id: copy_ccache.c,v 1.9 2005/10/31 16:02:08 lha Exp $");
OM_uint32
gss_krb5_copy_ccache(OM_uint32 *minor_status,
return GSS_S_COMPLETE;
}
+
+OM_uint32
+gss_krb5_import_ccache(OM_uint32 *minor_status,
+ krb5_ccache in,
+ gss_cred_id_t *cred)
+{
+ krb5_error_code kret;
+ gss_cred_id_t handle;
+ OM_uint32 ret;
+
+ *cred = NULL;
+
+ GSSAPI_KRB5_INIT ();
+
+ handle = (gss_cred_id_t)calloc(1, sizeof(*handle));
+ if (handle == GSS_C_NO_CREDENTIAL) {
+ gssapi_krb5_clear_status ();
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+ HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
+
+ handle->usage = GSS_C_INITIATE;
+
+ kret = krb5_cc_get_principal(gssapi_krb5_context, in, &handle->principal);
+ if (kret) {
+ free(handle);
+ gssapi_krb5_set_error_string ();
+ *minor_status = kret;
+ return GSS_S_FAILURE;
+ }
+
+ ret = _gssapi_krb5_ccache_lifetime(minor_status,
+ in,
+ handle->principal,
+ &handle->lifetime);
+ if (ret != GSS_S_COMPLETE) {
+ krb5_free_principal(gssapi_krb5_context, handle->principal);
+ free(handle);
+ return ret;
+ }
+
+ ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
+ if (ret == GSS_S_COMPLETE)
+ ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
+ &handle->mechanisms);
+ if (ret != GSS_S_COMPLETE) {
+ krb5_free_principal(gssapi_krb5_context, handle->principal);
+ free(handle);
+ *minor_status = kret;
+ return GSS_S_FAILURE;
+ }
+
+ {
+ const char *type, *name;
+ char *str;
+
+ type = krb5_cc_get_type(gssapi_krb5_context, in);
+ name = krb5_cc_get_name(gssapi_krb5_context, in);
+
+ if (asprintf(&str, "%s:%s", type, name) == -1) {
+ krb5_set_error_string(gssapi_krb5_context,
+ "malloc - out of memory");
+ kret = ENOMEM;
+ goto out;
+ }
+
+ kret = krb5_cc_resolve(gssapi_krb5_context, str, &handle->ccache);
+ free(str);
+ if (kret)
+ goto out;
+ }
+
+ *minor_status = 0;
+ *cred = handle;
+ return GSS_S_COMPLETE;
+
+out:
+ gssapi_krb5_set_error_string ();
+ if (handle->principal)
+ krb5_free_principal(gssapi_krb5_context, handle->principal);
+ HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
+ free(handle);
+ *minor_status = kret;
+ return GSS_S_FAILURE;
+}
+
+
OM_uint32
gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
(*context_handle)->service_keyblock);
if((*context_handle)->order)
_gssapi_msg_order_destroy(&(*context_handle)->order);
+ if ((*context_handle)->fwd_data.length > 0)
+ free((*context_handle)->fwd_data.data);
HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex);
HEIMDAL_MUTEX_destroy(&(*context_handle)->ctx_id_mutex);
* SUCH DAMAGE.
*/
-/* $Id: gssapi.h,v 1.37 2005/02/21 08:48:15 lukeh Exp $ */
+/* $Id: gssapi.h,v 1.38 2005/10/26 11:22:13 lha Exp $ */
#ifndef GSSAPI_H_
#define GSSAPI_H_
OM_uint32 gsskrb5_acquire_cred
(OM_uint32 * minor_status,
struct krb5_keytab_data *keytab,
- struct krb5_ccache_data *ccache,
const gss_name_t desired_name,
OM_uint32 time_req,
const gss_OID_set desired_mechs,
gss_ctx_id_t context_handle,
struct EncryptionKey **out);
+OM_uint32
+gss_krb5_import_ccache(OM_uint32 */*minor*/,
+ struct krb5_ccache_data * /*in*/,
+ gss_cred_id_t */*out*/);
+
OM_uint32 gss_krb5_get_tkt_flags
(OM_uint32 */*minor*/,
gss_ctx_id_t /*context_handle*/,
/*
- * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* SUCH DAMAGE.
*/
-/* $Id: gssapi_locl.h,v 1.41 2005/10/12 15:20:37 lha Exp $ */
+/* $Id: gssapi_locl.h,v 1.42 2005/10/26 11:23:48 lha Exp $ */
#ifndef GSSAPI_LOCL_H
#define GSSAPI_LOCL_H
typedef struct gss_cred_id_t_desc_struct {
gss_name_t principal;
+ int cred_flags;
+#define GSS_CF_DESTROY_CRED_ON_RELEASE 1
krb5_boolean made_keytab;
struct krb5_keytab_data *keytab;
OM_uint32 lifetime;
gss_cred_usage_t usage;
gss_OID_set mechanisms;
- krb5_boolean made_ccache;
struct krb5_ccache_data *ccache;
HEIMDAL_MUTEX cred_id_mutex;
} gss_cred_id_t_desc;
*/
krb5_error_code gssapi_krb5_init (void);
-krb5_error_code gssapi_krb5_init_ev (void *event_context);
#define GSSAPI_KRB5_INIT() do { \
krb5_error_code kret_gss_init; \
OM_uint32
gssapi_lifetime_left(OM_uint32 *, OM_uint32, OM_uint32 *);
+OM_uint32
+_gssapi_krb5_ccache_lifetime(OM_uint32 *, krb5_ccache,
+ krb5_principal, OM_uint32 *);
+
/* sequence */
OM_uint32
static OM_uint32
gsskrb5_get_creds(
OM_uint32 * minor_status,
- const gss_cred_id_t initiator_cred_handle,
+ krb5_ccache ccache,
gss_ctx_id_t * context_handle,
const gss_name_t target_name,
OM_uint32 time_req,
OM_uint32 ret;
krb5_error_code kret;
krb5_creds this_cred;
- krb5_ccache ccache = NULL;
OM_uint32 lifetime_rec;
*cred = NULL;
- if (initiator_cred_handle == GSS_C_NO_CREDENTIAL) {
- kret = krb5_cc_default (gssapi_krb5_context, &ccache);
- if (kret) {
- gssapi_krb5_set_error_string ();
- *minor_status = kret;
- return GSS_S_FAILURE;
- }
- } else {
- ccache = initiator_cred_handle->ccache;
- }
-
kret = krb5_cc_get_principal(gssapi_krb5_context,
ccache,
&(*context_handle)->source);
if (time_rec) *time_rec = lifetime_rec;
- if (initiator_cred_handle == GSS_C_NO_CREDENTIAL) {
- krb5_cc_close(gssapi_krb5_context, ccache);
- }
-
return GSS_S_COMPLETE;
}
static OM_uint32
gsskrb5_initiator_start
(OM_uint32 * minor_status,
- const gss_cred_id_t initiator_cred_handle,
+ krb5_ccache ccache,
gss_ctx_id_t * context_handle,
const gss_name_t target_name,
const gss_OID mech_type,
krb5_flags ap_options;
krb5_creds *cred = NULL;
krb5_data outbuf;
- krb5_ccache ccache = NULL;
u_int32_t flags;
krb5_data authenticator;
Checksum cksum;
/* We need to get the credentials for the requested target */
ret = gsskrb5_get_creds(minor_status,
- initiator_cred_handle,
+ ccache,
context_handle,
target_name,
time_req,
static OM_uint32
gsskrb5_initiator_wait_for_mutual(
OM_uint32 * minor_status,
- const gss_cred_id_t initiator_cred_handle,
+ krb5_ccache ccache,
gss_ctx_id_t * context_handle,
const gss_name_t target_name,
const gss_OID mech_type,
)
{
OM_uint32 ret;
+ krb5_error_code kret;
+ krb5_ccache ccache = NULL;
if (*context_handle == GSS_C_NO_CONTEXT) {
ret = _gsskrb5_create_ctx(minor_status,
if (actual_mech_type) *actual_mech_type = GSS_KRB5_MECHANISM;
+ if (initiator_cred_handle == GSS_C_NO_CREDENTIAL) {
+ kret = krb5_cc_default (gssapi_krb5_context, &ccache);
+ if (kret) {
+ gssapi_krb5_set_error_string ();
+ *minor_status = kret;
+ return GSS_S_FAILURE;
+ }
+ } else {
+ ccache = initiator_cred_handle->ccache;
+ }
+
HEIMDAL_MUTEX_lock(&(*context_handle)->ctx_id_mutex);
switch ((*context_handle)->state) {
case INITIATOR_START:
ret = gsskrb5_initiator_start(minor_status,
- initiator_cred_handle,
+ ccache,
context_handle,
target_name,
mech_type,
break;
case INITIATOR_WAIT_FOR_MUTAL:
ret = gsskrb5_initiator_wait_for_mutual(minor_status,
- initiator_cred_handle,
+ ccache,
context_handle,
target_name,
mech_type,
break;
}
+ if (initiator_cred_handle == GSS_C_NO_CREDENTIAL) {
+ krb5_cc_close(gssapi_krb5_context, ccache);
+ }
+
HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex);
return ret;
/*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
krb5_free_principal(gssapi_krb5_context, (*cred_handle)->principal);
if ((*cred_handle)->made_keytab)
krb5_kt_close(gssapi_krb5_context, (*cred_handle)->keytab);
- if ((*cred_handle)->made_ccache) {
+ if ((*cred_handle)->ccache != NULL) {
const krb5_cc_ops *ops;
ops = krb5_cc_get_ops(gssapi_krb5_context, (*cred_handle)->ccache);
- if (ops == &krb5_mcc_ops)
+ if ((*cred_handle)->cred_flags & GSS_CF_DESTROY_CRED_ON_RELEASE)
krb5_cc_destroy(gssapi_krb5_context, (*cred_handle)->ccache);
else
krb5_cc_close(gssapi_krb5_context, (*cred_handle)->ccache);
#include "krb5_locl.h"
-RCSID("$Id: ticket.c,v 1.12 2004/05/25 21:44:47 lha Exp $");
+RCSID("$Id: ticket.c,v 1.14 2005/10/27 13:21:42 lha Exp $");
krb5_error_code KRB5_LIB_FUNCTION
krb5_free_ticket(krb5_context context,
goto out;
break;
}
+#if 0 /* XXX test */
case KRB5_AUTHDATA_KDC_ISSUED: {
AD_KDCIssued child;
goto out;
break;
}
+#endif
case KRB5_AUTHDATA_AND_OR:
if (!failp)
break;
/*
* Extract the authorization data type of `type' from the
* 'ticket'. Store the field in `data'. This function is to use for
- * kerberos applications
+ * kerberos applications.
*/
krb5_error_code KRB5_LIB_FUNCTION
#include "libcli/smb_composite/smb_composite.h"
#include "smb_server/smb_server.h"
#include "smbd/service_stream.h"
+#include "auth/auth.h"
/* this is stored in ntvfs_private */
struct cvfs_private {
remote_share = sharename;
}
- if (!host || !user || !pass || !domain) {
- DEBUG(1,("CIFS backend: You must supply server, user, password and domain\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
private = talloc(req->tcon, struct cvfs_private);
if (!private) {
return NT_STATUS_NO_MEMORY;
ntvfs->private_data = private;
- credentials = cli_credentials_init(private);
- cli_credentials_set_username(credentials, user, CRED_SPECIFIED);
- cli_credentials_set_domain(credentials, domain, CRED_SPECIFIED);
- cli_credentials_set_password(credentials, pass, CRED_SPECIFIED);
- cli_credentials_set_workstation(credentials, "vfs_cifs", CRED_SPECIFIED);
+ if (!host) {
+ DEBUG(1,("CIFS backend: You must supply server\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (user && pass && domain) {
+ credentials = cli_credentials_init(private);
+ cli_credentials_set_username(credentials, user, CRED_SPECIFIED);
+ cli_credentials_set_domain(credentials, domain, CRED_SPECIFIED);
+ cli_credentials_set_password(credentials, pass, CRED_SPECIFIED);
+ cli_credentials_set_workstation(credentials, "vfs_cifs", CRED_SPECIFIED);
+ } else if (req->session->session_info->credentials) {
+ credentials = req->session->session_info->credentials;
+ } else {
+ DEBUG(1,("CIFS backend: You must supply server, user, password and domain or have delegated credentials\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
/* connect to the server, using the smbd event context */
io.in.dest_host = host;
git.samba.org / gd / samba-autobuild / .git / commitdiff