author | Andreas Schneider <asn@samba.org> | 2017-03-08 13:10:05 +0100 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2017-03-10 11:37:22 +0100 |
commit | 2dd4887648bf006a577e03fc027e881738ca04ab (patch) | |
tree | f16d5753ec0f3713bc072ab05abc064478021618 /source4/auth | |
parent | 3781eb250173981a8890b82d1ff9358f144034cd (diff) | |
download | samba-2dd4887648bf006a577e03fc027e881738ca04ab.tar.gz |
s4:gensec_gssapi: Correctly handle external trusts with MIT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'source4/auth')
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 8a2eb95599b..cfe2ea88aad 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -464,6 +464,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 switch (gensec_security->gensec_role) {
 case GENSEC_CLIENT:
 {
+ bool fallback = false;
 #ifdef SAMBA4_USES_HEIMDAL
 struct gsskrb5_send_to_kdc send_to_kdc;
 krb5_error_code ret;
@@ -537,6 +538,48 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 * transitive forest trusts, would have to do the
 * fallback ourself.
 */
+#ifndef SAMBA4_USES_HEIMDAL
+ if (gensec_gssapi_state->server_name == NULL) {
+ nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
+ target_principal,
+ service,
+ hostname,
+ client_realm,
+ gensec_gssapi_state->gss_oid,
+ &gensec_gssapi_state->target_principal,
+ &gensec_gssapi_state->server_name);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ maj_stat = gss_init_sec_context(&min_stat,
+ gensec_gssapi_state->client_cred->creds,
+ &gensec_gssapi_state->gssapi_context,
+ gensec_gssapi_state->server_name,
+ gensec_gssapi_state->gss_oid,
+ gensec_gssapi_state->gss_want_flags,
+ time_req,
+ gensec_gssapi_state->input_chan_bindings,
+ &input_token,
+ &gss_oid_p,
+ &output_token,
+ &gensec_gssapi_state->gss_got_flags, /* ret flags */
+ &time_rec);
+ if (maj_stat != GSS_S_FAILURE) {
+ goto init_sec_context_done;
+ }
+ if (min_stat != (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) {
+ goto init_sec_context_done;
+ }
+ if (target_principal != NULL) {
+ goto init_sec_context_done;
+ }
+
+ fallback = true;
+ TALLOC_FREE(gensec_gssapi_state->target_principal);
+ gss_release_name(&min_stat2, &gensec_gssapi_state->server_name);
+ }
+#endif /* !SAMBA4_USES_HEIMDAL */
 if (gensec_gssapi_state->server_name == NULL) {
 server_realm = smb_krb5_get_realm_from_hostname(gensec_gssapi_state,
 hostname,
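Review bot: The fallback branch that sets `fallback = true` releases server_name and target_principal but nothing the failed gss_init_sec_context() may have handed back: output_token is never released and gensec_gssapi_state->gssapi_context is not deleted, so if the mechanism leaves a context handle behind the retry further down passes it as a continuation of an existing exchange, and any error token from the first call is leaked. GSS-API permits a mechanism to return an output token and a context handle even when the major status is GSS_S_FAILURE, so the cleanup should not rely on the MIT mechanism resetting both; releasing them explicitly before the retry is cheap and guarantees the second attempt starts from GSS_C_NO_CONTEXT. The block would also benefit from a comment stating why there are two attempts, since the existing comment above it only hints at it: `/* Try the client realm first; if the KDC reports the service principal as unknown and no explicit target principal was requested, retry with the realm derived from the hostname. */`. gensec_gssapi_update() begins and ends outside this hunk.
```c
			/* … unchanged: first gensec_gssapi_setup_server_principal() and gss_init_sec_context() attempt, and the three goto checks … */
			TALLOC_FREE(gensec_gssapi_state->target_principal);
			gss_release_name(&min_stat2, &gensec_gssapi_state->server_name);
			/* Retry from a clean slate: a failed call may still hand back
			 * an error token and a partially built context handle. */
			gss_release_buffer(&min_stat2, &output_token);
			if (gensec_gssapi_state->gssapi_context != GSS_C_NO_CONTEXT) {
				gss_delete_sec_context(&min_stat2,
						       &gensec_gssapi_state->gssapi_context,
						       GSS_C_NO_BUFFER);
			}
```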
@@ -545,6 +588,11 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 return NT_STATUS_NO_MEMORY;
 }
 
+ if (fallback &&
+ strequal(client_realm, server_realm)) {
+ goto init_sec_context_done;
+ }
+
 nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
 target_principal,
 service,
@@ -571,6 +619,9 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 &output_token,
 &gensec_gssapi_state->gss_got_flags, /* ret flags */
 &time_rec);
+ goto init_sec_context_done;
+ /* JUMP! */
+init_sec_context_done:
 if (gss_oid_p) {
 gensec_gssapi_state->gss_oid = gss_oid_p;
 }
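Review bot: The `goto init_sec_context_done;` added immediately before the `init_sec_context_done:` label jumps to the very next statement, and the `/* JUMP! */` comment says nothing about why the label exists or what state it expects; unless it is meant to keep the label referenced on Heimdal builds, which the unconditional goto in the `if (fallback && strequal(client_realm, server_realm))` hunk already does, it is dead code. Dropping it and documenting the label's contract reads better: `/* Reached from the MIT fallback paths above with maj_stat/min_stat still set by their own gss_init_sec_context() call; server_name and target_principal may already have been released. */`. Note that the realm-equality exit in the earlier hunk arrives here with maj_stat == GSS_S_FAILURE and min_stat == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN from the first attempt and with both names released, so the error handling after the label must not dereference them; that code lies outside this hunk, as does the rest of gensec_gssapi_update().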