
s3:gse: Correctly handle external trusts with MIT

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
Andreas Schneider 2017-03-09 08:18:27 +01:00 committed by Andreas Schneider
parent ada31d65d6
commit b8bca7d08f


@ -348,6 +348,7 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
const char *client_realm = cli_credentials_get_realm(cli_creds);
char *server_principal = NULL;
char *server_realm = NULL;
bool fallback = false;
in_data.value = token_in->data;
in_data.length = token_in->length;
@ -394,6 +395,50 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
* want to autodetect support for transitive forest trusts, would have
* to do the fallback ourself.
*/
#ifndef SAMBA4_USES_HEIMDAL
if (gse_ctx->server_name == NULL) {
OM_uint32 gss_min2 = 0;
status = gse_setup_server_principal(mem_ctx,
target_principal,
service,
hostname,
client_realm,
&server_principal,
&gse_ctx->server_name);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
gss_maj = gss_init_sec_context(&gss_min,
gse_ctx->creds,
&gse_ctx->gssapi_context,
gse_ctx->server_name,
&gse_ctx->gss_mech,
gse_ctx->gss_want_flags,
0,
GSS_C_NO_CHANNEL_BINDINGS,
&in_data,
NULL,
&out_data,
&gse_ctx->gss_got_flags,
&time_rec);
if (gss_maj != GSS_S_FAILURE) {
goto init_sec_context_done;
}
if (gss_min != (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) {
goto init_sec_context_done;
}
if (target_principal != NULL) {
goto init_sec_context_done;
}
fallback = true;
TALLOC_FREE(server_principal);
gss_release_name(&gss_min2, &gse_ctx->server_name);
}
#endif /* !SAMBA4_USES_HEIMDAL */
if (gse_ctx->server_name == NULL) {
server_realm = smb_krb5_get_realm_from_hostname(mem_ctx,
hostname,
@ -402,6 +447,11 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
if (fallback &&
strequal(client_realm, server_realm)) {
goto init_sec_context_done;
}
status = gse_setup_server_principal(mem_ctx,
target_principal,
service,
@ -426,6 +476,10 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
0, GSS_C_NO_CHANNEL_BINDINGS,
&in_data, NULL, &out_data,
&gse_ctx->gss_got_flags, &time_rec);
goto init_sec_context_done;
/* JUMP! */
init_sec_context_done:
switch (gss_maj) {
case GSS_S_COMPLETE:
/* we are done with it */
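Review bot: In the new MIT-only fallback block (second hunk, the `fallback = true;` path), the retry reuses `&gse_ctx->gssapi_context` and `out_data` from the failed first `gss_init_sec_context()` call without resetting either; MIT's mechglue is believed to reset the handle to GSS_C_NO_CONTEXT after a first-call failure, but the fallback should not depend on that library detail, and any token the failed call left in `out_data` would be overwritten by the second call without being released. Next to the existing `gss_release_name(&gss_min2, &gse_ctx->server_name);` I would add `gss_delete_sec_context(&gss_min2, &gse_ctx->gssapi_context, GSS_C_NO_BUFFER);` and `gss_release_buffer(&gss_min2, &out_data);` so the retry starts from a clean state. A short comment above the block, such as `/* MIT: first try the client realm; on KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN fall back to the realm derived from the hostname (external trusts) */`, would also record why the minor status is matched against a krb5 error code. gse_get_client_auth_token() begins before the first hunk and its switch continues past the last one.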