authorAndrew Bartlett <abartlet@samba.org>2017-09-26 15:10:12 +1300
committerAndreas Schneider <asn@cryptomilk.org>2021-12-09 07:42:38 +0000
commit102ad9ee6a037e2aa6296d0dfbf17f3e4175a581 (patch)
tree175a3b40969f86b320bf8f8aff4e4efc842adbba
parentcd5a5f590ff21587a45405977ab6bef9ff3c2db6 (diff)
downloadsamba-102ad9ee6a037e2aa6296d0dfbf17f3e4175a581.tar.gz
librpc: match gensec_gssapi and call gsskrb5_set_dns_canonicalize() for Heimdal
This is needed to ensure Heimdal does not attempt to use nss to canonicalize the name. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Thu Dec 9 07:42:38 UTC 2021 on sn-devel-184
-rw-r--r--source3/librpc/crypto/gse.c42
1 files changed, 36 insertions, 6 deletions
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 1cf111bd974..c50a8a036df 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -31,6 +31,7 @@
#include "auth/gensec/gensec_internal.h"
#include "auth/credentials/credentials.h"
#include "../librpc/gen_ndr/dcerpc.h"
+#include "param/param.h"
#if defined(HAVE_KRB5)
@@ -248,7 +249,7 @@ err_out:
return status;
}
-static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
+static NTSTATUS gse_init_client(struct gensec_security *gensec_security,
bool do_sign, bool do_seal,
const char *ccache_name,
const char *server,
@@ -271,13 +272,42 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
return NT_STATUS_INVALID_PARAMETER;
}
- status = gse_context_init(mem_ctx, do_sign, do_seal,
+ status = gse_context_init(gensec_security, do_sign, do_seal,
ccache_name, add_gss_c_flags,
&gse_ctx);
if (!NT_STATUS_IS_OK(status)) {
return NT_STATUS_NO_MEMORY;
}
+#ifdef SAMBA4_USES_HEIMDAL
+ {
+ int ret;
+ bool set_dns_canon = gensec_setting_bool(
+ gensec_security->settings,
+ "krb5", "set_dns_canonicalize",
+ false);
+ const char *server_realm = lpcfg_realm(
+ gensec_security->settings->lp_ctx);
+ if (server_realm != NULL) {
+ ret = gsskrb5_set_default_realm(server_realm);
+ if (ret) {
+ DBG_ERR("gsskrb5_set_default_realm failed\n");
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ }
+
+ /*
+ * don't do DNS lookups of any kind, it might/will
+ * fail for a netbios name
+ */
+ ret = gsskrb5_set_dns_canonicalize(set_dns_canon);
+ if (ret != GSS_S_COMPLETE) {
+ DBG_ERR("gsskrb5_set_dns_canonicalize failed\n");
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ }
+#endif
+
/* TODO: get krb5 ticket using username/password, if no valid
* one already available in ccache */
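Review bot: The two gsskrb5_set_* results are checked in different forms in the new block (`if (ret)` after gsskrb5_set_default_realm, `if (ret != GSS_S_COMPLETE)` after gsskrb5_set_dns_canonicalize) for what appears to be the same OM_uint32 convention, and neither failure log records the value; pick one form and log it, e.g. `DBG_ERR("gsskrb5_set_default_realm failed: %d\n", ret);`. The comment above gsskrb5_set_dns_canonicalize says DNS lookups are never done, but set_dns_canon is read from the krb5:set_dns_canonicalize setting and may be true, so it should read along the lines of `/* DNS canonicalisation is off unless krb5:set_dns_canonicalize is set; a netbios name would otherwise fail to resolve */`. Both calls update Heimdal library-wide state rather than anything on gse_ctx, which is worth saying in place: `/* NOTE: these gsskrb5_set_* calls change process-global Heimdal state, not just this context */`. The early `return NT_STATUS_INTERNAL_ERROR` paths leave the gse_ctx just created by gse_context_init behind; that is presumably fine if it is a talloc child of gensec_security, but that is not visible in the hunk. gse_init_client continues outside the hunk.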
@@ -1151,13 +1181,13 @@ static bool gensec_gse_have_feature(struct gensec_security *gensec_security,
return false;
}
- status = gssapi_get_session_key(talloc_tos(),
+ status = gssapi_get_session_key(talloc_tos(),
gse_ctx->gssapi_context, NULL, &keytype);
- /*
+ /*
* We should do a proper sig on the mechListMic unless
* we know we have to be backwards compatible with
- * earlier windows versions.
- *
+ * earlier windows versions.
+ *
* Negotiating a non-krb5
* mech for example should be regarded as having
* NEW_SPNEGO