s4:auth: add samba_server_gensec_krb5_start()
authorStefan Metzmacher <metze@samba.org>
Mon, 15 May 2017 05:17:30 +0000 (07:17 +0200)
committerAndrew Bartlett <abartlet@samba.org>
Sun, 21 May 2017 19:05:12 +0000 (21:05 +0200)
This will be used by the dns services to only allow
spnego/krb5. This makes sure the accepting backend
doesn't require any RPC or IPC communication for now.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/auth/auth.h
source4/auth/samba_server_gensec.c

index de3a8bd5b2272dad79bd5c9ed811a265c28e72de..e1b642eb92d963925d8b60ceedede7562a1f69cb 100644 (file)
@@ -187,5 +187,12 @@ NTSTATUS samba_server_gensec_start(TALLOC_CTX *mem_ctx,
                                   struct cli_credentials *server_credentials,
                                   const char *target_service,
                                   struct gensec_security **gensec_context);
+NTSTATUS samba_server_gensec_krb5_start(TALLOC_CTX *mem_ctx,
+                                       struct tevent_context *event_ctx,
+                                       struct imessaging_context *msg_ctx,
+                                       struct loadparm_context *lp_ctx,
+                                       struct cli_credentials *server_credentials,
+                                       const char *target_service,
+                                       struct gensec_security **gensec_context);
 
 #endif /* _SMBAUTH_H_ */
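Review bot: The new prototype for samba_server_gensec_krb5_start() has no comment saying how it differs from samba_server_gensec_start() declared directly above it, and the two signatures are identical. A caller reading auth.h cannot tell that this variant narrows the accepted mechanisms, which is the security-relevant property the commit message describes. I would add something like `/* Like samba_server_gensec_start(), but only offers the krb5 and SPNEGO gensec backends. */` above the declaration.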
index af26f9972fa36258ff9bb354000dddaf1f9308bc..ee3396a4abe84ae611d251407dfd1a3a71221ce7 100644 (file)
@@ -105,3 +105,48 @@ NTSTATUS samba_server_gensec_start(TALLOC_CTX *mem_ctx,
        talloc_reparent(mem_ctx, *gensec_context, settings);
        return NT_STATUS_OK;
 }
+
+NTSTATUS samba_server_gensec_krb5_start(TALLOC_CTX *mem_ctx,
+                                       struct tevent_context *event_ctx,
+                                       struct imessaging_context *msg_ctx,
+                                       struct loadparm_context *lp_ctx,
+                                       struct cli_credentials *server_credentials,
+                                       const char *target_service,
+                                       struct gensec_security **gensec_context)
+{
+       struct gensec_settings *settings = NULL;
+       const struct gensec_security_ops **backends = NULL;
+       size_t idx = 0;
+       NTSTATUS status;
+
+       settings = lpcfg_gensec_settings(mem_ctx, lp_ctx);
+       if (settings == NULL) {
+               return NT_STATUS_NO_MEMORY;
+       }
+       backends = talloc_zero_array(settings,
+                                    const struct gensec_security_ops *, 3);
+       if (backends == NULL) {
+                       TALLOC_FREE(settings);
+               return NT_STATUS_NO_MEMORY;
+       }
+       settings->backends = backends;
+
+       gensec_init();
+
+       backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_KERBEROS5);
+
+       backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
+
+       status = samba_server_gensec_start_settings(mem_ctx, event_ctx,
+                                                   msg_ctx, lp_ctx,
+                                                   settings, server_credentials,
+                                                   target_service,
+                                                   gensec_context);
+       if (!NT_STATUS_IS_OK(status)) {
+               TALLOC_FREE(settings);
+               return status;
+       }
+
+       talloc_steal(*gensec_context, settings);
+       return NT_STATUS_OK;
+}
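Review bot: Neither `gensec_security_by_oid()` result is checked before it is stored in `backends`. The array comes from `talloc_zero_array(..., 3)` and appears to be NULL-terminated, so a NULL from the Kerberos lookup would leave an apparently empty list and hide the SPNEGO entry behind it; how the callee treats such a list is not visible in this hunk. Since the function exists to pin the accepted mechanisms, it should fail explicitly when a lookup returns NULL, as sketched below (the status code is only a suggestion). Separately, ownership is moved with `talloc_steal(*gensec_context, settings)` while samba_server_gensec_start() just above uses `talloc_reparent(mem_ctx, *gensec_context, settings)`; the two should agree unless the difference is intentional.

```c
	/* … unchanged: settings and backends allocation, gensec_init() … */
	backends[idx] = gensec_security_by_oid(NULL, GENSEC_OID_KERBEROS5);
	if (backends[idx] == NULL) {
		TALLOC_FREE(settings);
		return NT_STATUS_INTERNAL_ERROR;
	}
	idx++;

	backends[idx] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
	if (backends[idx] == NULL) {
		TALLOC_FREE(settings);
		return NT_STATUS_INTERNAL_ERROR;
	}
	idx++;
	/* … unchanged: samba_server_gensec_start_settings() call and ownership transfer … */
```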