The branch, master has been updated via 481f05c s3-gse Work around the MIT 1.9 gss_krb5_import_cred via 8ee3ba7 s3-gse Allow printing the partial error string via 57ab47c s3-auth fix dummy function in the not-with-kerberos case from d8cce7d s3-auth Replace False with false in auth_util.c
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 481f05ce02df4069ba8ecb5a6ad76cb35299b14c Author: Andrew Bartlett <abart...@samba.org> Date: Wed Jul 20 12:06:30 2011 +1000 s3-gse Work around the MIT 1.9 gss_krb5_import_cred We detect this function at configure time, but it currently fails to operate the way we need - that is, when the principal is not specified, it gives this error. When the principal is specified we get 'wrong principal in request' in the GSS acceptor, so for now the best option is to fall back to the alternate approach. Andrew Bartlett Autobuild-User: Andrew Bartlett <abart...@samba.org> Autobuild-Date: Wed Jul 20 06:35:05 CEST 2011 on sn-devel-104 commit 8ee3ba791d38542e88995fa3beebdd183891ce60 Author: Andrew Bartlett <abart...@samba.org> Date: Wed Jul 20 12:04:45 2011 +1000 s3-gse Allow printing the partial error string We may not be able to obtain the full error string, so print what we can get. This is required when the error is the the GSSAPI layer, not the mechanism. Andrew Bartlett commit 57ab47c02ed9eae2bbd92c3e5cae5d08b83025f4 Author: Andrew Bartlett <abart...@samba.org> Date: Wed Jul 20 11:40:02 2011 +1000 s3-auth fix dummy function in the not-with-kerberos case ----------------------------------------------------------------------- Summary of changes: source3/auth/user_krb5.c | 2 +- source3/librpc/crypto/gse.c | 34 ++++++++++++++++++++++------------ 2 files changed, 23 insertions(+), 13 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c index c980f28..923c500 100644 --- a/source3/auth/user_krb5.c +++ b/source3/auth/user_krb5.c @@ -296,7 +296,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, struct PAC_LOGON_INFO *logon_info, bool mapped_to_guest, bool username_was_mapped, DATA_BLOB *session_key, - struct auth_serversupplied_info **session_info) + struct auth_session_info **session_info) { return NT_STATUS_NOT_IMPLEMENTED; } diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c index c311c77..a61288b 100644 --- a/source3/librpc/crypto/gse.c +++ b/source3/librpc/crypto/gse.c @@ -374,16 +374,26 @@ NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx, } #ifdef HAVE_GSS_KRB5_IMPORT_CRED - /* This creates a GSSAPI cred_id_t with the principal and keytab set */ + + /* This creates a GSSAPI cred_id_t with the keytab set */ gss_maj = gss_krb5_import_cred(&gss_min, NULL, NULL, gse_ctx->keytab, - &gse_ctx->creds); - if (gss_maj) { + &gse_ctx->creds); + + if (gss_maj != 0 + && gss_maj != (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) { DEBUG(0, ("gss_krb5_import_cred failed with [%s]\n", gse_errstr(gse_ctx, gss_maj, gss_min))); status = NT_STATUS_INTERNAL_ERROR; goto done; - } -#else + + /* This is the error the MIT krb5 1.9 gives when it + * implements the function, but we do not specify the + * principal. However, when we specify the principal + * as host$@REALM the GSS acceptor fails with 'wrong + * principal in request'. Work around the issue by + * falling back to the alternate approach below. */ + } else if (gss_maj == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) +#endif /* FIXME!!! * This call sets the default keytab for the whole server, not * just for this context. Need to find a way that does not alter @@ -423,7 +433,7 @@ NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx, goto done; } } -#endif + status = NT_STATUS_OK; done: @@ -558,6 +568,12 @@ static char *gse_errstr(TALLOC_CTX *mem_ctx, OM_uint32 maj, OM_uint32 min) if (gss_maj) { goto done; } + errstr = talloc_strndup(mem_ctx, + (char *)msg_maj.value, + msg_maj.length); + if (!errstr) { + goto done; + } gss_maj = gss_display_status(&gss_min, min, GSS_C_MECH_CODE, (gss_OID)discard_const(gss_mech_krb5), &msg_ctx, &msg_min); @@ -565,12 +581,6 @@ static char *gse_errstr(TALLOC_CTX *mem_ctx, OM_uint32 maj, OM_uint32 min) goto done; } - errstr = talloc_strndup(mem_ctx, - (char *)msg_maj.value, - msg_maj.length); - if (!errstr) { - goto done; - } errstr = talloc_strdup_append_buffer(errstr, ": "); if (!errstr) { goto done; -- Samba Shared Repository