1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

auth/credentials: Add cli_credentials_{set,get}_forced_sasl_mech()

This will allow us to force the use of only DIGEST-MD5, for example, which is useful
to avoid hitting GSSAPI, SPNEGO or NTLM when talking to OpenLDAP and Cyrus-SASL.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
This commit is contained in:
Andrew Bartlett 2013-09-16 09:38:09 -07:00 committed by Nadezhda Ivanova
parent 68f7cd1724
commit 3f464ca1f5
5 changed files with 60 additions and 0 deletions

View File

@ -112,6 +112,8 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
cli_credentials_set_gensec_features(cred, 0); cli_credentials_set_gensec_features(cred, 0);
cli_credentials_set_krb_forwardable(cred, CRED_AUTO_KRB_FORWARDABLE); cli_credentials_set_krb_forwardable(cred, CRED_AUTO_KRB_FORWARDABLE);
cred->forced_sasl_mech = NULL;
return cred; return cred;
} }
@ -161,6 +163,13 @@ _PUBLIC_ void cli_credentials_set_kerberos_state(struct cli_credentials *creds,
creds->use_kerberos = use_kerberos; creds->use_kerberos = use_kerberos;
} }
_PUBLIC_ void cli_credentials_set_forced_sasl_mech(struct cli_credentials *creds,
const char *sasl_mech)
{
TALLOC_FREE(creds->forced_sasl_mech);
creds->forced_sasl_mech = talloc_strdup(creds, sasl_mech);
}
_PUBLIC_ void cli_credentials_set_krb_forwardable(struct cli_credentials *creds, _PUBLIC_ void cli_credentials_set_krb_forwardable(struct cli_credentials *creds,
enum credentials_krb_forwardable krb_forwardable) enum credentials_krb_forwardable krb_forwardable)
{ {
@ -172,6 +181,11 @@ _PUBLIC_ enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct
return creds->use_kerberos; return creds->use_kerberos;
} }
_PUBLIC_ const char *cli_credentials_get_forced_sasl_mech(struct cli_credentials *creds)
{
return creds->forced_sasl_mech;
}
_PUBLIC_ enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(struct cli_credentials *creds) _PUBLIC_ enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(struct cli_credentials *creds)
{ {
return creds->krb_forwardable; return creds->krb_forwardable;

View File

@ -118,6 +118,8 @@ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
struct loadparm_context *lp_ctx, struct loadparm_context *lp_ctx,
struct gssapi_creds_container **_gcc, struct gssapi_creds_container **_gcc,
const char **error_string); const char **error_string);
void cli_credentials_set_forced_sasl_mech(struct cli_credentials *creds,
const char *sasl_mech);
void cli_credentials_set_kerberos_state(struct cli_credentials *creds, void cli_credentials_set_kerberos_state(struct cli_credentials *creds,
enum credentials_use_kerberos use_kerberos); enum credentials_use_kerberos use_kerberos);
void cli_credentials_set_krb_forwardable(struct cli_credentials *creds, void cli_credentials_set_krb_forwardable(struct cli_credentials *creds,
@ -206,6 +208,7 @@ const char *cli_credentials_get_impersonate_principal(struct cli_credentials *cr
const char *cli_credentials_get_self_service(struct cli_credentials *cred); const char *cli_credentials_get_self_service(struct cli_credentials *cred);
const char *cli_credentials_get_target_service(struct cli_credentials *cred); const char *cli_credentials_get_target_service(struct cli_credentials *cred);
enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds); enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds);
const char *cli_credentials_get_forced_sasl_mech(struct cli_credentials *cred);
enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(struct cli_credentials *creds); enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(struct cli_credentials *creds);
NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
struct loadparm_context *lp_ctx, struct loadparm_context *lp_ctx,

View File

@ -101,6 +101,9 @@ struct cli_credentials {
/* Should we get a forwardable ticket? */ /* Should we get a forwardable ticket? */
enum credentials_krb_forwardable krb_forwardable; enum credentials_krb_forwardable krb_forwardable;
/* Forced SASL mechansim */
char *forced_sasl_mech;
/* gensec features which should be used for connections */ /* gensec features which should be used for connections */
uint32_t gensec_features; uint32_t gensec_features;

View File

@ -229,6 +229,27 @@ static PyObject *py_creds_set_krb_forwardable(pytalloc_Object *self, PyObject *a
Py_RETURN_NONE; Py_RETURN_NONE;
} }
static PyObject *py_creds_get_forced_sasl_mech(pytalloc_Object *self)
{
return PyString_FromStringOrNULL(cli_credentials_get_forced_sasl_mech(PyCredentials_AsCliCredentials(self)));
}
static PyObject *py_creds_set_forced_sasl_mech(pytalloc_Object *self, PyObject *args)
{
char *newval;
enum credentials_obtained obt = CRED_SPECIFIED;
int _obt = obt;
if (!PyArg_ParseTuple(args, "s", &newval)) {
return NULL;
}
obt = _obt;
cli_credentials_set_forced_sasl_mech(PyCredentials_AsCliCredentials(self), newval);
Py_RETURN_NONE;
}
static PyObject *py_creds_guess(pytalloc_Object *self, PyObject *args) static PyObject *py_creds_guess(pytalloc_Object *self, PyObject *args)
{ {
PyObject *py_lp_ctx = Py_None; PyObject *py_lp_ctx = Py_None;
@ -440,6 +461,11 @@ static PyMethodDef py_creds_methods[] = {
{ "get_named_ccache", (PyCFunction)py_creds_get_named_ccache, METH_VARARGS, NULL }, { "get_named_ccache", (PyCFunction)py_creds_get_named_ccache, METH_VARARGS, NULL },
{ "set_gensec_features", (PyCFunction)py_creds_set_gensec_features, METH_VARARGS, NULL }, { "set_gensec_features", (PyCFunction)py_creds_set_gensec_features, METH_VARARGS, NULL },
{ "get_gensec_features", (PyCFunction)py_creds_get_gensec_features, METH_NOARGS, NULL }, { "get_gensec_features", (PyCFunction)py_creds_get_gensec_features, METH_NOARGS, NULL },
{ "get_forced_sasl_mech", (PyCFunction)py_creds_get_forced_sasl_mech, METH_NOARGS,
"S.get_forced_sasl_mech() -> SASL mechanism\nObtain forced SASL mechanism." },
{ "set_forced_sasl_mech", (PyCFunction)py_creds_set_forced_sasl_mech, METH_VARARGS,
"S.set_forced_sasl_mech(name) -> None\n"
"Set forced SASL mechanism." },
{ NULL } { NULL }
}; };

View File

@ -668,6 +668,20 @@ _PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx,
NTSTATUS gensec_start_mech(struct gensec_security *gensec_security) NTSTATUS gensec_start_mech(struct gensec_security *gensec_security)
{ {
NTSTATUS status; NTSTATUS status;
if (gensec_security->credentials) {
const char *forced_mech = cli_credentials_get_forced_sasl_mech(gensec_security->credentials);
if (forced_mech &&
(gensec_security->ops->sasl_name == NULL ||
strcasecmp(forced_mech, gensec_security->ops->sasl_name) != 0)) {
DEBUG(5, ("GENSEC mechanism %s (%s) skipped, as it "
"did not match forced mechanism %s\n",
gensec_security->ops->name,
gensec_security->ops->sasl_name,
forced_mech));
return NT_STATUS_INVALID_PARAMETER;
}
}
DEBUG(5, ("Starting GENSEC %smechanism %s\n", DEBUG(5, ("Starting GENSEC %smechanism %s\n",
gensec_security->subcontext ? "sub" : "", gensec_security->subcontext ? "sub" : "",
gensec_security->ops->name)); gensec_security->ops->name));