authorAndreas Schneider <asn@samba.org>2017-03-09 08:18:27 +0100
committerAndreas Schneider <asn@cryptomilk.org>2017-03-10 11:37:22 +0100
commitb8bca7d08fe05758e536767b1146cdcdd8b9fee3 (patch)
tree3f8c50b7bfce6f0cd0877473bbc1d0f2449647f5 /source3/librpc/crypto
parentada31d65d6c5929d2fbddfea5611a5f5fe5a0d74 (diff)
s3:gse: Correctly handle external trusts with MIT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'source3/librpc/crypto')
-rw-r--r--source3/librpc/crypto/gse.c54
1 files changed, 54 insertions, 0 deletions
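diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 83e152f7239..1d9e8dc5b2c 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -348,6 +348,7 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
 	const char *client_realm = cli_credentials_get_realm(cli_creds);
 	char *server_principal = NULL;
 	char *server_realm = NULL;
+	bool fallback = false;
 
 	in_data.value = token_in->data;
 	in_data.length = token_in->length;
@@ -394,6 +395,50 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
 	 * want to autodetect support for transitive forest trusts, would have
 	 * to do the fallback ourself.
 	 */
+#ifndef SAMBA4_USES_HEIMDAL
+	if (gse_ctx->server_name == NULL) {
+		OM_uint32 gss_min2 = 0;
+
+		status = gse_setup_server_principal(mem_ctx,
+						    target_principal,
+						    service,
+						    hostname,
+						    client_realm,
+						    &server_principal,
+						    &gse_ctx->server_name);
+		if (!NT_STATUS_IS_OK(status)) {
+			return status;
+		}
+
+		gss_maj = gss_init_sec_context(&gss_min,
+					       gse_ctx->creds,
+					       &gse_ctx->gssapi_context,
+					       gse_ctx->server_name,
+					       &gse_ctx->gss_mech,
+					       gse_ctx->gss_want_flags,
+					       0,
+					       GSS_C_NO_CHANNEL_BINDINGS,
+					       &in_data,
+					       NULL,
+					       &out_data,
+					       &gse_ctx->gss_got_flags,
+					       &time_rec);
+		if (gss_maj != GSS_S_FAILURE) {
+			goto init_sec_context_done;
+		}
+		if (gss_min != (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) {
+			goto init_sec_context_done;
+		}
+		if (target_principal != NULL) {
+			goto init_sec_context_done;
+		}
+
+		fallback = true;
+		TALLOC_FREE(server_principal);
+		gss_release_name(&gss_min2, &gse_ctx->server_name);
+	}
+#endif /* !SAMBA4_USES_HEIMDAL */
+
 	if (gse_ctx->server_name == NULL) {
 		server_realm = smb_krb5_get_realm_from_hostname(mem_ctx,
 								hostname,
@@ -402,6 +447,11 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
 			return NT_STATUS_NO_MEMORY;
 		}
 
+		if (fallback &&
+		    strequal(client_realm, server_realm)) {
+			goto init_sec_context_done;
+		}
+
 		status = gse_setup_server_principal(mem_ctx,
 						    target_principal,
 						    service,
@@ -426,6 +476,10 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
 				       0, GSS_C_NO_CHANNEL_BINDINGS,
 				       &in_data, NULL, &out_data,
 				       &gse_ctx->gss_got_flags, &time_rec);
+	goto init_sec_context_done;
+	/* JUMP! */
+init_sec_context_done:
+
 	switch (gss_maj) {
 	case GSS_S_COMPLETE:
 		/* we are done with it */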
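Review bot: The `goto init_sec_context_done;` placed directly before the label in the last hunk is a no-op, since control falls into the label anyway, and `/* JUMP! */` does not tell a reader why the label exists; I would drop that goto and replace the comment with `/* Every attempt (MIT first try, fallback short-circuit, regular path) converges here with gss_maj/gss_min describing the outcome. */`. In the second hunk the fallback retry hands `&gse_ctx->gssapi_context` to gss_init_sec_context a second time; that is only sound if the failed first call left the handle as GSS_C_NO_CONTEXT, which MIT's mechglue appears to do for a not-yet-established context but the code neither asserts nor states, so a comment recording that assumption next to `fallback = true;` would help the next maintainer. The short-circuit in the third hunk deliberately reports the first attempt's gss_maj/gss_min when the hostname realm equals the client realm; a one-line comment saying so would make that intent explicit. gse_get_client_auth_token starts and ends outside these hunks.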