s3:gse: Correctly handle external trusts with MIT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
parent
ada31d65d6
commit
b8bca7d08f
@ -348,6 +348,7 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
|
||||
const char *client_realm = cli_credentials_get_realm(cli_creds);
|
||||
char *server_principal = NULL;
|
||||
char *server_realm = NULL;
|
||||
bool fallback = false;
|
||||
|
||||
in_data.value = token_in->data;
|
||||
in_data.length = token_in->length;
|
||||
@ -394,6 +395,50 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
|
||||
* want to autodetect support for transitive forest trusts, would have
|
||||
* to do the fallback ourself.
|
||||
*/
|
||||
#ifndef SAMBA4_USES_HEIMDAL
|
||||
if (gse_ctx->server_name == NULL) {
|
||||
OM_uint32 gss_min2 = 0;
|
||||
|
||||
status = gse_setup_server_principal(mem_ctx,
|
||||
target_principal,
|
||||
service,
|
||||
hostname,
|
||||
client_realm,
|
||||
&server_principal,
|
||||
&gse_ctx->server_name);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
return status;
|
||||
}
|
||||
|
||||
gss_maj = gss_init_sec_context(&gss_min,
|
||||
gse_ctx->creds,
|
||||
&gse_ctx->gssapi_context,
|
||||
gse_ctx->server_name,
|
||||
&gse_ctx->gss_mech,
|
||||
gse_ctx->gss_want_flags,
|
||||
0,
|
||||
GSS_C_NO_CHANNEL_BINDINGS,
|
||||
&in_data,
|
||||
NULL,
|
||||
&out_data,
|
||||
&gse_ctx->gss_got_flags,
|
||||
&time_rec);
|
||||
if (gss_maj != GSS_S_FAILURE) {
|
||||
goto init_sec_context_done;
|
||||
}
|
||||
if (gss_min != (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) {
|
||||
goto init_sec_context_done;
|
||||
}
|
||||
if (target_principal != NULL) {
|
||||
goto init_sec_context_done;
|
||||
}
|
||||
|
||||
fallback = true;
|
||||
TALLOC_FREE(server_principal);
|
||||
gss_release_name(&gss_min2, &gse_ctx->server_name);
|
||||
}
|
||||
#endif /* !SAMBA4_USES_HEIMDAL */
|
||||
|
||||
if (gse_ctx->server_name == NULL) {
|
||||
server_realm = smb_krb5_get_realm_from_hostname(mem_ctx,
|
||||
hostname,
|
||||
@ -402,6 +447,11 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
if (fallback &&
|
||||
strequal(client_realm, server_realm)) {
|
||||
goto init_sec_context_done;
|
||||
}
|
||||
|
||||
status = gse_setup_server_principal(mem_ctx,
|
||||
target_principal,
|
||||
service,
|
||||
@ -426,6 +476,10 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
|
||||
0, GSS_C_NO_CHANNEL_BINDINGS,
|
||||
&in_data, NULL, &out_data,
|
||||
&gse_ctx->gss_got_flags, &time_rec);
|
||||
goto init_sec_context_done;
|
||||
/* JUMP! */
|
||||
init_sec_context_done:
|
||||
|
||||
switch (gss_maj) {
|
||||
case GSS_S_COMPLETE:
|
||||
/* we are done with it */
|
||||
|
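Review bot: The MIT-only fallback block in the second hunk (`#ifndef SAMBA4_USES_HEIMDAL`) has no comment explaining why exactly `GSS_S_FAILURE` with minor status `KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN` and a NULL `target_principal` triggers a second `gss_init_sec_context` attempt, while the existing comment just above it only describes Heimdal's autodetection; a comment before `if (gse_ctx->server_name == NULL) {` such as `/* MIT krb5 does not retry in the target realm itself: if the client-realm KDC reports the service principal as unknown, retry with the realm derived from the hostname. An explicit target_principal is never retried. */` would document that contract. The retry reuses `&gse_ctx->gssapi_context` and `&out_data` from the failed first call without resetting them, which presumably relies on MIT leaving the handle at `GSS_C_NO_CONTEXT` and producing no output token on `GSS_S_FAILURE`; that assumption belongs in the same comment or behind an explicit check. In the third hunk the `if (fallback && strequal(client_realm, server_realm))` exit deliberately reports the first attempt's `gss_maj`/`gss_min`, which a one-liner like `/* same realm as the first attempt: report its error unchanged */` would make visible. The minor status written to `gss_min2` by `gss_release_name` is never inspected, which is acceptable for a cleanup call but worth a `(void)`-style note. gse_get_client_auth_token begins before and ends after these hunks.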