Restrict GSSAPI query to the krb5 mechanism
authorSimo Sorce <idra@samba.org>
Fri, 25 Sep 2020 00:59:42 +0000 (20:59 -0400)
committerJeremy Allison <jra@samba.org>
Wed, 30 Sep 2020 20:45:23 +0000 (20:45 +0000)
Otherwise GSSAPI will consult other mechanisms if they are available, and we
can only cope with krb5 credentials here.

Signed-off-by: Simo Sorce <idra@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Sep 30 20:45:23 UTC 2020 on sn-devel-184

lib/krb5_wrap/gss_samba.c

index 2a99661ddee2d5ec209bb197bb255fbfc9ef6d60..a5940561cdaf7cc1a209b21a0381904aa49a6850 100644 (file)
@@ -80,7 +80,15 @@ uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx,
                .count = 1,
        };
 
-       gss_OID_set mech_set = GSS_C_NO_OID_SET;
+       /* we are interested exclusively in krb5 credentials,
+        * indicate to GSSAPI that we are not interested in any other
+        * mechanism here */
+       gss_OID_set_desc mech_set = {
+               .count = 1,
+               .elements = discard_const_p(struct gss_OID_desc_struct,
+                                           gss_mech_krb5),
+       };
+
        gss_cred_usage_t cred_usage = GSS_C_INITIATE;
        gss_name_t name = NULL;
        gss_buffer_desc pr_name = {
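Review bot: The new `mech_set` initializer casts away `const` from the library-owned `gss_mech_krb5` descriptor with `discard_const_p`, and the comment above it does not say why that is safe. The set is a stack object pointing at static storage, so it is only valid as the input `desired_mechs` argument (passed as `&mech_set` in the second hunk). It must never be handed to `gss_release_oid_set()` or to anything that writes through `elements`. I would extend the comment with a line such as `* mech_set is input-only: it points at the static krb5 OID, never release or modify it */`. The body of smb_gss_krb5_import_cred starts and ends outside the hunk, so whether a later cleanup path touches mech_set cannot be confirmed from here.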
@@ -144,7 +152,7 @@ uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx,
        major_status = gss_acquire_cred_from(minor_status,
                                             name,
                                             0,
-                                            mech_set,
+                                            &mech_set,
                                             cred_usage,
                                             &cred_store,
                                             cred,