r11468: Merge a bit more of init_sec_context from Heimdal CVS into our

DCE_STYLE modified version, and add parametric options to control
delegation.

It turns out the only remaining issue is sending delegated credentials
to a windows server, probably due to the bug lha mentions in his blog
(using the wrong key).

If I turn delgation on in smbclient, but off in smbd, I can proxy a
cifs session.

I can't wait till Heimdal 0.8, so I'll see if I can figure out the fix
myself :-)

Andrew Bartlett
(This used to be commit fd5fd03570)

source4/auth/gensec/gensec_gssapi.c

@@ -124,7 +124,14 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
 	/* TODO: Fill in channel bindings */
 	gensec_gssapi_state->input_chan_bindings = GSS_C_NO_CHANNEL_BINDINGS;
 	
-	gensec_gssapi_state->want_flags = GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG;
+	gensec_gssapi_state->want_flags = 0;
+	if (lp_parm_bool(-1, "gensec_gssapi", "mutual", True)) {
+		gensec_gssapi_state->want_flags |= GSS_C_MUTUAL_FLAG;
+	}
+	if (lp_parm_bool(-1, "gensec_gssapi", "delegation", False)) {
+		gensec_gssapi_state->want_flags |= GSS_C_DELEG_FLAG;
+	}
+
 	gensec_gssapi_state->got_flags = 0;
 
 	gensec_gssapi_state->session_key = data_blob(NULL, 0);

source4/heimdal/lib/gssapi/init_sec_context.c

@@ -275,7 +275,7 @@ do_delegation (krb5_auth_context ac,
 	       krb5_creds *cred,
 	       const gss_name_t target_name,
 	       krb5_data *fwd_data,
-	       int *flags)
+	       u_int32_t *flags)
 {
     krb5_creds creds;
     krb5_kdc_flags fwd_flags;
@@ -406,9 +406,26 @@ gsskrb5_initiator_start
 		flags = 0;
 		ap_options = 0;
 
+		/* 
+		 * If the realm policy approves a delegation, lets check local
+		 * policy if the credentials should be delegated, defafult to
+		 * false.
+		 */
+		if (cred->flags.b.ok_as_delegate) {
+			krb5_boolean delegate = FALSE;
+			
+			_gss_check_compat(NULL, target_name, "ok-as-delegate",
+					  &delegate, TRUE);
+			krb5_appdefault_boolean(gssapi_krb5_context,
+						"gssapi", target_name->realm,
+						"ok-as-delegate", delegate, &delegate);
+			if (delegate)
+				req_flags |= GSS_C_DELEG_FLAG;
+		}
+
 		if (req_flags & GSS_C_DELEG_FLAG) {
 			do_delegation((*context_handle)->auth_context,
-					      ccache, cred, target_name, &fwd_data, &flags);
+				      ccache, cred, target_name, &fwd_data, &flags);
 		}
 
 		if (req_flags & GSS_C_MUTUAL_FLAG) {
@@ -542,8 +559,8 @@ gsskrb5_initiator_wait_for_mutual(
 	krb5_error_code kret;
 	krb5_data inbuf;
 	u_int32_t flags = (*context_handle)->flags;
-	OM_uint32 l_seq_number;
-	OM_uint32 r_seq_number;
+	int32_t l_seq_number;
+	int32_t r_seq_number;
 	
 	/* We need to decapsulate the AP_REP if GSS_C_DCE_STYLE isn't in use */
 	{