mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
r4045: readd krb5 support defaulted to disable
use:
gensec:krb5=yes
gensec:ms_krb5=yes
to enable it
or -k on the client tools on the command line
metze
(This used to be commit 0ae5794cf4
)
This commit is contained in:
parent
00948a8072
commit
64b516b105
@ -373,6 +373,8 @@ static void popt_common_credentials_callback(poptContext con,
|
||||
#else
|
||||
cmdline_auth_info.use_kerberos = True;
|
||||
cmdline_auth_info.got_pass = True;
|
||||
lp_set_cmdline("gensec:krb5", "True");
|
||||
lp_set_cmdline("gensec:ms_krb5", "True");
|
||||
#endif
|
||||
break;
|
||||
|
||||
|
@ -22,6 +22,7 @@
|
||||
#include "includes.h"
|
||||
#include "system/network.h"
|
||||
#include "system/kerberos.h"
|
||||
#include "libcli/auth/kerberos.h"
|
||||
#include "system/time.h"
|
||||
|
||||
#ifdef HAVE_KRB5
|
||||
|
@ -2,5 +2,5 @@ SMB_MODULE_DEFAULT(gensec_krb5, NOT)
|
||||
|
||||
if test x"$SMB_EXT_LIB_ENABLE_KRB5" = x"YES"; then
|
||||
/* enable this when krb5 is fully working */
|
||||
SMB_MODULE_DEFAULT(gensec_krb5, NOT)
|
||||
SMB_MODULE_DEFAULT(gensec_krb5, STATIC)
|
||||
fi
|
||||
|
@ -19,7 +19,7 @@ ADD_OBJ_FILES = \
|
||||
libcli/auth/kerberos.o \
|
||||
libcli/auth/kerberos_verify.o \
|
||||
libcli/auth/gssapi_parse.o
|
||||
REQUIRED_SUBSYSTEMS = EXT_LIB_KRB5
|
||||
REQUIRED_SUBSYSTEMS = NDR_KRB5PAC EXT_LIB_KRB5
|
||||
# End MODULE gensec_krb5
|
||||
################################################
|
||||
|
||||
|
@ -512,9 +512,14 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL
|
||||
{
|
||||
char *principal;
|
||||
DATA_BLOB unwrapped_in;
|
||||
DATA_BLOB unwrapped_out;
|
||||
DATA_BLOB unwrapped_out = data_blob(NULL, 0);
|
||||
uint8 tok_id[2];
|
||||
|
||||
if (!in.data) {
|
||||
*out = unwrapped_out;
|
||||
return NT_STATUS_MORE_PROCESSING_REQUIRED;
|
||||
}
|
||||
|
||||
/* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */
|
||||
if (!gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
|
||||
nt_status = ads_verify_ticket(out_mem_ctx,
|
||||
@ -544,8 +549,11 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL
|
||||
if (NT_STATUS_IS_OK(nt_status)) {
|
||||
gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
|
||||
/* wrap that up in a nice GSS-API wrapping */
|
||||
#ifndef GENSEC_SEND_UNWRAPPED_KRB5
|
||||
*out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REP);
|
||||
|
||||
#else
|
||||
*out = unwrapped_out;
|
||||
#endif
|
||||
gensec_krb5_state->peer_principal = talloc_steal(gensec_krb5_state, principal);
|
||||
}
|
||||
return nt_status;
|
||||
|
@ -22,6 +22,7 @@
|
||||
|
||||
#include "includes.h"
|
||||
#include "system/kerberos.h"
|
||||
#include "libcli/auth/kerberos.h"
|
||||
#include "system/time.h"
|
||||
|
||||
#ifdef HAVE_KRB5
|
||||
|
@ -101,7 +101,9 @@ static krb5_error_code ads_keytab_verify_ticket(krb5_context context, krb5_auth_
|
||||
}
|
||||
DEBUG(10, ("Checking principal: %s\n", princ_name));
|
||||
/* Look for a CIFS ticket */
|
||||
if (!strncasecmp(princ_name, "cifs/", 5) || (!strncasecmp(princ_name, "host/", 5))) {
|
||||
if (!strncasecmp(princ_name, "cifs/", 5) ||
|
||||
!strncasecmp(princ_name, "host/", 5) ||
|
||||
!strncasecmp(princ_name, "ldap/", 5)) {
|
||||
#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK
|
||||
krb5_auth_con_setuseruserkey(context, auth_context, &kt_entry.keyblock);
|
||||
#else
|
||||
|
@ -3071,6 +3071,9 @@ BOOL lp_load(const char *pszFname, BOOL global_only, BOOL save_defaults,
|
||||
lp_do_parameter(-1, "wins server", "127.0.0.1");
|
||||
}
|
||||
|
||||
lp_do_parameter(-1, "gensec:krb5", "False");
|
||||
lp_do_parameter(-1, "gensec:ms_krb5", "False");
|
||||
|
||||
init_iconv();
|
||||
|
||||
return (bRetval);
|
||||
|
Loading…
Reference in New Issue
Block a user