gss_name_t gss_client_name,
DATA_BLOB *pac_blob)
{
+ NTSTATUS status;
OM_uint32 gss_maj, gss_min;
- gss_buffer_set_t set = GSS_C_NO_BUFFER_SET;
+#ifdef HAVE_GSS_GET_NAME_ATTRIBUTE
gss_buffer_desc pac_buffer;
gss_buffer_desc pac_display_buffer;
gss_buffer_desc pac_name = {
.value = "urn:mspac:",
.length = sizeof("urn:mspac:")-1
};
- NTSTATUS status;
int more = -1;
int authenticated = false;
int complete = false;
-#ifdef HAVE_GSS_GET_NAME_ATTRIBUTE
gss_maj = gss_get_name_attribute(
&gss_min, gss_client_name, &pac_name,
&authenticated, &complete,
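Review bot: `NTSTATUS status;` and `OM_uint32 gss_maj, gss_min;` are now declared outside every preprocessor branch, but the new `#else` branch further down contains only a `DEBUG` call before the final `return`. In a build that defines neither `HAVE_GSS_GET_NAME_ATTRIBUTE` nor `HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID`, all three locals are therefore unused, which will produce warnings and break a warnings-as-errors build. I would wrap the two declarations in `#if defined(HAVE_GSS_GET_NAME_ATTRIBUTE) || defined(HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID)` ... `#endif`, or move them into the branches that use them. The function's signature starts before this hunk and its body continues past it, so I am assuming `status` is still used inside the first branch.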
return NT_STATUS_ACCESS_DENIED;
}
-#endif
+#elif defined(HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID)
+
+ gss_buffer_set_t set = GSS_C_NO_BUFFER_SET;
+
/* If we didn't have the routine to get a verified, validated
* PAC (supplied only by MIT at the time of writing), then try
* with the Heimdal OID (fetches the PAC directly and always
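Review bot: The `#elif defined(HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID)` branch is selected purely by the presence of the symbol, while the comment under it ties the PAC-fetching behaviour to the Heimdal OID. If a non-Heimdal library exports `gss_inquire_sec_context_by_oid` but not `gss_get_name_attribute`, this path is compiled in and the outcome depends on that library rejecting the OID. The query and its error handling lie outside the hunk, so I cannot confirm that every failure ends in a denial. I would add a comment above the declaration of `set`, for example `/* Chosen by symbol presence, not by library vendor: any failure of the OID query must end in NT_STATUS_ACCESS_DENIED. */`. The existing comment also still reads as a run-time fallback ("If we didn't have the routine ... then try") although the choice is now made at compile time.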
gss_maj = gss_release_buffer_set(&gss_min, &set);
return status;
}
+#else
+ DEBUG(1, ("unable to obtain a PAC against this GSSAPI library. "
+ "GSSAPI secured connections are available only with Heimdal or MIT Kerberos >= 1.8\n"));
+#endif
return NT_STATUS_ACCESS_DENIED;
}
#endif
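Review bot: The new `#else` branch reports the missing PAC support with `DEBUG(1, ...)`, so on a server running below log level 1 every GSSAPI-secured connection is refused with `NT_STATUS_ACCESS_DENIED` and the log gives no reason. This condition is fixed at build time and makes the whole mechanism unusable, so I would raise it to level 0: `DEBUG(0, ("unable to obtain a PAC against this GSSAPI library. "`. Falling through to the final `return NT_STATUS_ACCESS_DENIED;` is the right fail-closed behaviour and should stay as it is. The function begins outside this hunk.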
AC_CHECK_FUNC_EXT(gss_krb5_import_cred, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(gss_get_name_attribute, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(gss_oid_equal, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(gss_inquire_sec_context_by_oid, $KRB5_LIBS)
# MIT krb5 1.8 does not expose this call (yet)
AC_CHECK_DECLS(krb5_get_credentials_for_user, [], [], [#include <krb5.h>])
if conf.CHECK_FUNCS_IN('gss_display_status', 'gssapi') or \
conf.CHECK_FUNCS_IN('gss_display_status', 'gssapi_krb5'):
have_gssapi=True
- conf.CHECK_FUNCS_IN('gss_wrap_iov gss_krb5_import_cred gss_get_name_attribute gss_oid_equal', 'gssapi gssapi_krb5 krb5')
+ conf.CHECK_FUNCS_IN('gss_wrap_iov gss_krb5_import_cred gss_get_name_attribute gss_oid_equal gss_inquire_sec_context_by_oid', 'gssapi gssapi_krb5 krb5')
conf.CHECK_FUNCS_IN('krb5_mk_req_extended krb5_kt_compare', 'krb5')
conf.CHECK_FUNCS('''
krb5_set_real_time krb5_set_default_in_tkt_etypes krb5_set_default_tgs_enctypes
conf.define('HAVE_GSS_WRAP_IOV', 1)
conf.define('HAVE_GSS_KRB5_IMPORT_CRED', 1)
conf.define('HAVE_GSS_OID_EQUAL', 1)
+conf.define('HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID', 1)
conf.define('HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT', 1)
conf.define('HAVE_LIBGSSAPI', 1)
conf.define('HAVE_ADDR_TYPE_IN_KRB5_ADDRESS', 1)