diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2006-02-13 00:08:16 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:51:55 -0500 |
| commit | 26421fb2dc995c4fc10195f451c4d7dce07034bf (patch) | |
| tree | 6d1f668aa31cc85927e1e00c88419dac7ee64b28 /source4/auth | |
| parent | e9815c38dddbb79c0cd47c3b81eae2cec850a760 (diff) | |
| download | samba-26421fb2dc995c4fc10195f451c4d7dce07034bf.tar.gz | |
r13481: As far as I can tell, my changes in -r 12863 were dangerously untested.
We do need the gsskrb5_get_initiator_subkey() routine. But we should
ensure that we do always get a valid key, to prevent any segfaults.
Without this code, we get a different session key compared with
Win2k3, and so kerberised smb signing fails.
Andrew Bartlett
(This used to be commit cfd0df16b74b0432670b33c7bf26316b741b1bde)
Diffstat (limited to 'source4/auth')
| -rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 15 | ||||
| -rw-r--r-- | source4/auth/kerberos/kerberos-notes.txt | 4 |
2 files changed, 12 insertions, 7 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index aaa79aa407b..eab8211525a 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -1058,21 +1058,22 @@ static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_securit if ((gensec_gssapi_state->gss_oid->length == gss_mech_krb5->length) && (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements, gensec_gssapi_state->gss_oid->length) == 0)) { - OM_uint32 maj_stat; - krb5_keyblock *skey; + OM_uint32 maj_stat, min_stat; + gss_buffer_desc skey; - maj_stat = gss_krb5_get_subkey(gensec_gssapi_state->gssapi_context, - &skey); + maj_stat = gsskrb5_get_initiator_subkey(&min_stat, + gensec_gssapi_state->gssapi_context, + &skey); if (maj_stat == 0) { DEBUG(10, ("Got KRB5 session key of length %d\n", - (int)KRB5_KEY_LENGTH(skey))); + (int)skey.length)); gensec_gssapi_state->session_key = data_blob_talloc(gensec_gssapi_state, - KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey)); + skey.value, skey.length); *session_key = gensec_gssapi_state->session_key; dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length); - krb5_free_keyblock(gensec_gssapi_state->smb_krb5_context->krb5_context, skey); + gss_release_buffer(&min_stat, &skey); return NT_STATUS_OK; } return NT_STATUS_NO_USER_SESSION_KEY; diff --git a/source4/auth/kerberos/kerberos-notes.txt b/source4/auth/kerberos/kerberos-notes.txt index 26cfa4dfba6..43881a20d33 100644 --- a/source4/auth/kerberos/kerberos-notes.txt +++ b/source4/auth/kerberos/kerberos-notes.txt @@ -247,6 +247,10 @@ the kerberos libraries - DCE_STYLE + - gsskrb5_get_initiator_subkey() (return the exact key that Samba3 + has always asked for. gsskrb5_get_subkey() might do what we need + anyway) + - gsskrb5_acquire_creds() (takes keytab and/or ccache as input parameters, see keytab and state machine discussion) |