author | Stefan Metzmacher <metze@samba.org> | 2017-05-15 07:17:30 +0200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2017-05-21 21:05:12 +0200 |
commit | d4f72d0b861e7db438084b8b30656a14a099948f (patch) | |
tree | 2f2dd273b2769eab3fa2e7c1a8d7dd13bc4e6308 | |
parent | 93a6b9da0f4cb0fb4764af4a8c488c6d06c1dff0 (diff) | |
s4:auth: add samba_server_gensec_krb5_start()
This will be used by the dns services to only allow
spnego/krb5. This makes sure the accepting backend
doesn't require any RPC or IPC communication for now.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r-- | source4/auth/auth.h | 7 | ||||
-rw-r--r-- | source4/auth/samba_server_gensec.c | 45 |
2 files changed, 52 insertions, 0 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index de3a8bd5b22..e1b642eb92d 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -187,5 +187,12 @@ NTSTATUS samba_server_gensec_start(TALLOC_CTX *mem_ctx,
 struct cli_credentials *server_credentials,
 const char *target_service,
 struct gensec_security **gensec_context);
+NTSTATUS samba_server_gensec_krb5_start(TALLOC_CTX *mem_ctx,
+ struct tevent_context *event_ctx,
+ struct imessaging_context *msg_ctx,
+ struct loadparm_context *lp_ctx,
+ struct cli_credentials *server_credentials,
+ const char *target_service,
+ struct gensec_security **gensec_context);
 
 #endif /* _SMBAUTH_H_ */
diff --git a/source4/auth/samba_server_gensec.c b/source4/auth/samba_server_gensec.c
index af26f9972fa..ee3396a4abe 100644
--- a/source4/auth/samba_server_gensec.c
+++ b/source4/auth/samba_server_gensec.c
@@ -105,3 +105,48 @@ NTSTATUS samba_server_gensec_start(TALLOC_CTX *mem_ctx,
 talloc_reparent(mem_ctx, *gensec_context, settings);
 return NT_STATUS_OK;
 }
+
+NTSTATUS samba_server_gensec_krb5_start(TALLOC_CTX *mem_ctx,
+ struct tevent_context *event_ctx,
+ struct imessaging_context *msg_ctx,
+ struct loadparm_context *lp_ctx,
+ struct cli_credentials *server_credentials,
+ const char *target_service,
+ struct gensec_security **gensec_context)
+{
+ struct gensec_settings *settings = NULL;
+ const struct gensec_security_ops **backends = NULL;
+ size_t idx = 0;
+ NTSTATUS status;
+
+ settings = lpcfg_gensec_settings(mem_ctx, lp_ctx);
+ if (settings == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ backends = talloc_zero_array(settings,
+ const struct gensec_security_ops *, 3);
+ if (backends == NULL) {
+ TALLOC_FREE(settings);
+ return NT_STATUS_NO_MEMORY;
+ }
+ settings->backends = backends;
+
+ gensec_init();
+
+ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_KERBEROS5);
+
+ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
+
+ status = samba_server_gensec_start_settings(mem_ctx, event_ctx,
+ msg_ctx, lp_ctx,
+ settings, server_credentials,
+ target_service,
+ gensec_context);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(settings);
+ return status;
+ }
+
+ talloc_steal(*gensec_context, settings);
+ return NT_STATUS_OK;
+}
|
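Review bot: Both `gensec_security_by_oid()` results are written into `backends[]` without a NULL check, and the list is NULL-terminated (three zeroed slots for two entries), so if the Kerberos lookup at index 0 returns NULL the SPNEGO entry behind it would presumably never be seen. How `samba_server_gensec_start_settings()` behaves with an effectively empty mechanism list is not visible in this hunk, so the function should fail explicitly right after the two lookups, e.g. `if (backends[0] == NULL || backends[1] == NULL) { TALLOC_FREE(settings); return NT_STATUS_INTERNAL_ERROR; }`. The result of `gensec_init()` also appears to be ignored. Since callers depend on this function to keep the accept path limited to krb5/SPNEGO, a short comment above it stating that restriction, and that the `3` is two backends plus the terminator, would guard against a later edit widening the list by accident.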