author | Alexander Bokovoy <ab@samba.org> | 2017-03-08 12:38:49 +0200 |
committer | Alexander Bokovoy <ab@samba.org> | 2017-03-08 22:00:24 +0100 |
commit | 57286d57732d49fdb8b8e21f584787cdbc917c32 (patch) | |
tree | c3ba06cc8fc0c832e4ca5b9f07077bfa1999e5f8 /source3/librpc | |
parent | 3d733d5791a6d82edda13ac39790bd8ba893f3d7 (diff) | |
download | samba-57286d57732d49fdb8b8e21f584787cdbc917c32.tar.gz |
s3-gse: move krb5 fallback to smb_gss_krb5_import_cred wrapper
MIT krb5 1.9 version of gss_krb5_import_cred() may fail when importing
credentials from a keytab without specifying actual principal.
This was fixed in MIT krb5 1.9.2 (see commit
71c3be093db577aa52f6b9a9a3a9f442ca0d8f20 in MIT krb5-1.9 branch, git
master's version is bd18687a705a8a6cdcb7c140764d1a7c6a3381b5).
Move the fallback code into the smb_gss_krb5_import_cred wrapper. We only
expect this fallback to happen with the krb5 GSSAPI mechanism, so the
krb5 mech is hard-coded when calling gss_acquire_cred.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Mar 8 22:00:24 CET 2017 on sn-devel-144
Diffstat (limited to 'source3/librpc')
-rw-r--r-- | source3/librpc/crypto/gse.c | 49 |
1 files changed, 1 insertions, 48 deletions
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index f4238f32441..a111320e829 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -435,58 +435,11 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
 					   NULL, NULL, gse_ctx->keytab, &gse_ctx->creds);
-	if (gss_maj != 0
-	    && gss_maj != (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) {
+	if (gss_maj != 0) {
 		DEBUG(0, ("smb_gss_krb5_import_cred failed with [%s]\n",
 			  gse_errstr(gse_ctx, gss_maj, gss_min)));
 		status = NT_STATUS_INTERNAL_ERROR;
 		goto done;
-
-		/* This is the error the MIT krb5 1.9 gives when it
-		 * implements the function, but we do not specify the
-		 * principal. However, when we specify the principal
-		 * as host$@REALM the GSS acceptor fails with 'wrong
-		 * principal in request'. Work around the issue by
-		 * falling back to the alternate approach below. */
-	} else if (gss_maj == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME))
-		/* FIXME!!!
-		 * This call sets the default keytab for the whole server, not
-		 * just for this context. Need to find a way that does not alter
-		 * the state of the whole server ... */
-	{
-		const char *ktname;
-		gss_OID_set_desc mech_set;
-
-		ret = smb_krb5_kt_get_name(gse_ctx, gse_ctx->k5ctx,
-					   gse_ctx->keytab, &ktname);
-		if (ret) {
-			status = NT_STATUS_INTERNAL_ERROR;
-			goto done;
-		}
-
-		ret = gsskrb5_register_acceptor_identity(ktname);
-		if (ret) {
-			status = NT_STATUS_INTERNAL_ERROR;
-			goto done;
-		}
-
-		mech_set.count = 1;
-		mech_set.elements = &gse_ctx->gss_mech;
-
-		gss_maj = gss_acquire_cred(&gss_min,
-					   GSS_C_NO_NAME,
-					   GSS_C_INDEFINITE,
-					   &mech_set,
-					   GSS_C_ACCEPT,
-					   &gse_ctx->creds,
-					   NULL, NULL);
-
-		if (gss_maj) {
-			DEBUG(0, ("gss_acquire_creds failed with [%s]\n",
-				  gse_errstr(gse_ctx, gss_maj, gss_min)));
-			status = NT_STATUS_INTERNAL_ERROR;
-			goto done;
-		}
 	}
 
 	status = NT_STATUS_OK;
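Review bot: The FIXME stating that gsskrb5_register_acceptor_identity() sets the acceptor keytab for the whole process rather than for this gse_ctx is deleted along with the fallback, yet the commit message says the fallback itself now lives in smb_gss_krb5_import_cred(), which is outside this diff; if that wrapper still registers a process-wide acceptor identity, the caveat should travel with it rather than disappear, since nothing at this call site now hints that importing credentials for one context can change global server state. A one-line comment above the added check would preserve the context for the next reader, e.g. `/* MIT krb5 1.9 keytab-import fallback is handled inside smb_gss_krb5_import_cred() */`. The local `ret` appears only in the removed block within this hunk; if gse_init_server no longer assigns it elsewhere, expect an unused-variable warning. gse_init_server starts and ends outside the hunk.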