2 Unix SMB/CIFS implementation.
3 GSSAPI/GENSEC helper functions
5 Copyright (C) Stefan Metzmacher 2016
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "system/gssapi.h"
23 #include "auth/credentials/credentials.h"
24 #include "auth/gensec/gensec.h"
25 #include "auth/kerberos/gensec_gssapi_helper.h"
26 #include "lib/util/util_net.h"
/*
 * Evaluate whether Kerberos can be tried for this GENSEC context, using the
 * Kerberos state of the credentials and the target principal/hostname.
 *
 * NOTE: the gutter numbers of this listing skip lines, so the braces and the
 * bodies of several branches are not shown. The comments below describe only
 * what the visible lines establish; anything else is marked as an assumption.
 *
 * Returns visible here:
 *   NT_STATUS_NO_MEMORY                   - cli_credentials_get_principal()
 *                                           returned NULL
 *   NT_STATUS_NETWORK_CREDENTIAL_CONFLICT - Kerberos is mandatory
 *                                           (CRED_MUST_USE_KERBEROS) but
 *                                           try_kerberos ended up false
 *   NT_STATUS_INVALID_PARAMETER           - guarding condition not shown
 * The success return is not part of this listing.
 */
28 NTSTATUS gensec_gssapi_try_kerberos(struct gensec_security *gensec_security)
30 TALLOC_CTX *frame = talloc_stackframe();
31 struct cli_credentials *creds = gensec_get_credentials(gensec_security);
32 const char *target_principal = gensec_get_target_principal(gensec_security);
33 const char *target_hostname = gensec_get_target_hostname(gensec_security);
34 const char *user_principal = NULL;
35 const char *user_account = NULL;
36 const char *user_domain = NULL;
37 const char *realm = NULL;
38 enum credentials_use_kerberos krb5_state;
39 bool try_kerberos = false;
40 bool auth_requested = true;
42 auth_requested = cli_credentials_authentication_requested(creds);
/* frame is passed as the memory context for the returned principal string. */
44 user_principal = cli_credentials_get_principal(creds, frame);
45 if (user_principal == NULL) {
/*
 * NOTE(review): the line between the check and this return is not shown;
 * confirm that frame is released before returning.
 */
47 return NT_STATUS_NO_MEMORY;
/*
 * realm, user_account and user_domain are used only in the DEBUG message
 * below as far as this listing shows; no NULL check on them is visible.
 */
49 realm = cli_credentials_get_realm(creds);
51 user_account = cli_credentials_get_username(creds);
52 user_domain = cli_credentials_get_domain(creds);
54 krb5_state = cli_credentials_get_kerberos_state(creds);
/*
 * Every state other than CRED_DONT_USE_KERBEROS enters this branch. Its body
 * is not shown; presumably it sets try_kerberos - confirm in the full file.
 */
56 if (krb5_state != CRED_DONT_USE_KERBEROS) {
/*
 * Target checks, evaluated in this order: no authentication requested, an
 * explicit target principal is set, no target hostname, the hostname is an
 * IP address (is_ipaddress()), the hostname is "localhost", the hostname is
 * "*SMBSERVER". The branch bodies are missing from this listing.
 *
 * NOTE(review): if the hostname cases turn Kerberos off, a connection made
 * by IP address or to "localhost" is left to whatever other mechanism the
 * caller offers, unless the credentials carry CRED_MUST_USE_KERBEROS (see
 * the check below). Verify the bodies before relying on this where a
 * non-Kerberos fallback is not acceptable.
 */
60 if (!auth_requested) {
62 } else if (target_principal != NULL) {
64 } else if (target_hostname == NULL) {
66 } else if (is_ipaddress(target_hostname)) {
68 } else if (strequal(target_hostname, "localhost")) {
70 } else if (strequal(target_hostname, "*SMBSERVER")) {
/*
 * Kerberos is required by the credentials but was ruled out above: report a
 * credential conflict.
 *
 * The message is emitted at debug level 0 and contains the user principal,
 * domain, account name, realm and the target name; no password or key
 * material is among its arguments.
 *
 * NOTE(review): target_principal and target_hostname are both tested against
 * NULL above, so the ternary can evaluate to NULL if that path reaches this
 * point; the same may hold for realm, user_domain and user_account. Passing
 * NULL for %s is undefined in ISO C - confirm the DEBUG formatter handles it.
 */
74 if (krb5_state == CRED_MUST_USE_KERBEROS && !try_kerberos) {
75 DEBUG(0, ("Kerberos auth with '%s' (%s\\%s %s) to access "
76 "'%s' not possible\n",
77 user_principal, user_domain, user_account, realm,
78 target_principal ? target_principal : target_hostname));
80 return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT;
/*
 * The lines that lead to this return are not shown; presumably it is taken
 * when try_kerberos is false and Kerberos is not mandatory - TODO confirm.
 */
85 return NT_STATUS_INVALID_PARAMETER;
92 NTSTATUS gensec_gssapi_map_krb5_error(struct gensec_security *gensec_security,
93 uint32_t gss_maj, uint32_t gss_min)
95 TALLOC_CTX *frame = talloc_stackframe();