Author: abartlet Date: 2005-11-02 03:48:49 +0000 (Wed, 02 Nov 2005) New Revision: 11468
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=11468
Log: Merge a bit more of init_sec_context from Heimdal CVS into our DCE_STYLE modified version, and add parametric options to control delegation. It turns out the only remaining issue is sending delegated credentials to a windows server, probably due to the bug lha mentions in his blog (using the wrong key). If I turn delgation on in smbclient, but off in smbd, I can proxy a cifs session. I can't wait till Heimdal 0.8, so I'll see if I can figure out the fix myself :-) Andrew Bartlett
Modified:
branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c
branches/SAMBA_4_0/source/heimdal/lib/gssapi/init_sec_context.c
Changeset:
Modified: branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c
===================================================================
--- branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c	2005-11-02 03:23:05 UTC (rev 11467)
+++ branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c	2005-11-02 03:48:49 UTC (rev 11468)
@@ -124,7 +124,14 @@
 	/* TODO: Fill in channel bindings */
 	gensec_gssapi_state->input_chan_bindings = GSS_C_NO_CHANNEL_BINDINGS;
 
-	gensec_gssapi_state->want_flags = GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG;
+	gensec_gssapi_state->want_flags = 0;
+	if (lp_parm_bool(-1, "gensec_gssapi", "mutual", True)) {
+		gensec_gssapi_state->want_flags |= GSS_C_MUTUAL_FLAG;
+	}
+	if (lp_parm_bool(-1, "gensec_gssapi", "delegation", False)) {
+		gensec_gssapi_state->want_flags |= GSS_C_DELEG_FLAG;
+	}
+
 	gensec_gssapi_state->got_flags = 0;
 	gensec_gssapi_state->session_key = data_blob(NULL, 0);
Modified: branches/SAMBA_4_0/source/heimdal/lib/gssapi/init_sec_context.c
===================================================================
--- branches/SAMBA_4_0/source/heimdal/lib/gssapi/init_sec_context.c	2005-11-02 03:23:05 UTC (rev 11467)
+++ branches/SAMBA_4_0/source/heimdal/lib/gssapi/init_sec_context.c	2005-11-02 03:48:49 UTC (rev 11468)
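Review bot: The new `gensec_gssapi:delegation` option requests GSS_C_DELEG_FLAG for every target this client contacts, with no per-server check, and neither it nor `gensec_gssapi:mutual` is documented in the hunk. In the init_sec_context.c hunk of this same commit the ticket's ok-as-delegate flag is only used to add GSS_C_DELEG_FLAG, never to clear a flag the caller already requested, so a global "yes" here forwards delegated credentials to any service regardless of KDC policy. A comment at the point the flag is set would make that explicit: `/* Global, not per-target: GSS_C_DELEG_FLAG forwards our credentials to every server we contact; prefer relying on the KDC's ok-as-delegate policy. */`. The False default is the right choice and should be stated wherever the parametric options are documented. The enclosing function begins before the hunk.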
@@ -275,7 +275,7 @@
 	      krb5_creds *cred,
 	      const gss_name_t target_name,
 	      krb5_data *fwd_data,
-	      int *flags)
+	      u_int32_t *flags)
 {
     krb5_creds creds;
     krb5_kdc_flags fwd_flags;
@@ -406,9 +406,26 @@
     flags = 0;
     ap_options = 0;
 
+    /*
+     * If the realm policy approves a delegation, lets check local
+     * policy if the credentials should be delegated, defafult to
+     * false.
+     */
+    if (cred->flags.b.ok_as_delegate) {
+	krb5_boolean delegate = FALSE;
+
+	_gss_check_compat(NULL, target_name, "ok-as-delegate",
+			  &delegate, TRUE);
+	krb5_appdefault_boolean(gssapi_krb5_context,
+				"gssapi", target_name->realm,
+				"ok-as-delegate", delegate, &delegate);
+	if (delegate)
+	    req_flags |= GSS_C_DELEG_FLAG;
+    }
+
     if (req_flags & GSS_C_DELEG_FLAG) {
 	do_delegation((*context_handle)->auth_context,
-		      ccache, cred, target_name, &fwd_data, &flags);
+		      ccache, cred, target_name, &fwd_data, &flags);
     }
 
     if (req_flags & GSS_C_MUTUAL_FLAG) {
@@ -542,8 +559,8 @@
     krb5_error_code kret;
     krb5_data inbuf;
     u_int32_t flags = (*context_handle)->flags;
-    OM_uint32 l_seq_number;
-    OM_uint32 r_seq_number;
+    int32_t l_seq_number;
+    int32_t r_seq_number;
 
     /* We need to decapsulate the AP_REP if GSS_C_DCE_STYLE isn't in use */
     {
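Review bot: The new ok_as_delegate block in the `@@ -406` hunk only widens req_flags; when the ticket lacks ok-as-delegate but the caller already passed GSS_C_DELEG_FLAG, the following `if (req_flags & GSS_C_DELEG_FLAG)` still calls do_delegation, so the KDC's policy never restricts delegation here. If that is intended the comment should say so, and its typo should go: `* policy if the credentials should be delegated, default to` followed by `* false. Note: this only adds the flag; a caller-requested` and `* GSS_C_DELEG_FLAG is honoured even without ok-as-delegate.`. The status returned by `_gss_check_compat` is discarded as well; whether it can fail is not visible in this hunk. The enclosing function starts before the hunk and the declaration of the local `flags` passed as `&flags` is outside it, so I cannot confirm it matches the `u_int32_t *` now taken by do_delegation in the `@@ -275` hunk.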
