2 Unix SMB/Netbios implementation.
5 Copyright (C) Andrew Tridgell 2001
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program; if not, write to the Free Software
19 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
28 this is a minimal interact function, just enough for SASL to talk
29 GSSAPI/kerberos to W2K
30 Error handling is a bit of a problem. I can't see how to get Cyrus-sasl
31 to give sensible errors
33 static int sasl_interact(LDAP *ld,unsigned flags,void *defaults,void *in)
35 sasl_interact_t *interact = in;
37 while (interact->id != SASL_CB_LIST_END) {
38 interact->result = strdup("");
39 interact->len = strlen(interact->result);
48 #define MAX_GSS_PASSES 3
50 /* this performs a SASL/gssapi bind
51 we avoid using cyrus-sasl to make Samba more robust. cyrus-sasl
52 is very dependent on correctly configured DNS whereas
53 this routine is much less fragile
54 see RFC2078 for details
56 ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)
60 gss_buffer_desc input_name;
61 gss_ctx_id_t context_handle;
62 gss_OID mech_type = GSS_C_NULL_OID;
63 gss_buffer_desc output_token, input_token;
64 OM_uint32 ret_flags, conf_state;
73 krb5_principal principal;
75 krb5_enctype enc_types[] = {ENCTYPE_DES_CBC_MD5, ENCTYPE_NULL};
76 gss_OID_desc nt_principal =
77 {10, "\052\206\110\206\367\022\001\002\002\002"};
79 /* we need to fetch a service ticket as the ldap user in the
80 servers realm, regardless of our realm */
81 asprintf(&sname, "ldap/%s@%s", ads->ldap_server_name, ads->server_realm);
82 krb5_init_context(&ctx);
83 krb5_set_default_tgs_ktypes(ctx, enc_types);
84 krb5_parse_name(ctx, sname, &principal);
86 krb5_free_context(ctx);
88 input_name.value = &principal;
89 input_name.length = sizeof(principal);
91 gss_rc = gss_import_name(&minor_status,&input_name,&nt_principal, &serv_name);
93 return ADS_ERROR_GSS(gss_rc, minor_status);
96 context_handle = GSS_C_NO_CONTEXT;
98 input_token.value = NULL;
99 input_token.length = 0;
101 for (i=0; i < MAX_GSS_PASSES; i++) {
102 gss_rc = gss_init_sec_context(&minor_status,
107 GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG,
116 if (input_token.value) {
117 gss_release_buffer(&minor_status, &input_token);
120 if (gss_rc && gss_rc != GSS_S_CONTINUE_NEEDED) {
121 status = ADS_ERROR_GSS(gss_rc, minor_status);
125 cred.bv_val = output_token.value;
126 cred.bv_len = output_token.length;
128 rc = ldap_sasl_bind_s(ads->ld, NULL, "GSSAPI", &cred, NULL, NULL,
130 if (rc != LDAP_SASL_BIND_IN_PROGRESS) {
131 status = ADS_ERROR(rc);
135 if (output_token.value) {
136 gss_release_buffer(&minor_status, &output_token);
140 input_token.value = scred->bv_val;
141 input_token.length = scred->bv_len;
143 input_token.value = NULL;
144 input_token.length = 0;
147 if (gss_rc == 0) break;
150 gss_release_name(&minor_status, &serv_name);
152 gss_rc = gss_unwrap(&minor_status,context_handle,&input_token,&output_token,
155 status = ADS_ERROR_GSS(gss_rc, minor_status);
159 gss_release_buffer(&minor_status, &input_token);
161 p = (uint8 *)output_token.value;
163 max_msg_size = (p[1]<<16) | (p[2]<<8) | p[3];
165 gss_release_buffer(&minor_status, &output_token);
167 output_token.value = malloc(strlen(ads->bind_path) + 8);
168 p = output_token.value;
170 *p++ = 1; /* no sign or seal */
171 /* choose the same size as the server gave us */
172 *p++ = max_msg_size>>16;
173 *p++ = max_msg_size>>8;
175 snprintf(p, strlen(ads->bind_path)+1, "dn:%s", ads->bind_path);
176 p += strlen(ads->bind_path);
178 output_token.length = strlen(ads->bind_path) + 8;
180 gss_rc = gss_wrap(&minor_status, context_handle,0,GSS_C_QOP_DEFAULT,
181 &output_token, &conf_state,
184 status = ADS_ERROR_GSS(gss_rc, minor_status);
188 free(output_token.value);
190 cred.bv_val = input_token.value;
191 cred.bv_len = input_token.length;
193 rc = ldap_sasl_bind_s(ads->ld, NULL, "GSSAPI", &cred, NULL, NULL,
195 status = ADS_ERROR(rc);
197 gss_release_buffer(&minor_status, &input_token);
203 ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads)
207 rc = ldap_sasl_interactive_bind_s(ads->ld, NULL, NULL, NULL, NULL,
209 sasl_interact, NULL);
210 return ADS_ERROR(rc);
212 return ads_sasl_gssapi_bind(ads);