--- /dev/null
+/*
+ Unix SMB/CIFS implementation.
+ GSSAPI/GENSEC helper functions
+
+ Copyright (C) Stefan Metzmacher 2016
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "system/gssapi.h"
+#include "auth/credentials/credentials.h"
+#include "auth/gensec/gensec.h"
+#include "auth/kerberos/gensec_gssapi_helper.h"
+#include "lib/util/util_net.h"
+
+NTSTATUS gensec_gssapi_try_kerberos(struct gensec_security *gensec_security)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ struct cli_credentials *creds = gensec_get_credentials(gensec_security);
+ const char *target_principal = gensec_get_target_principal(gensec_security);
+ const char *target_hostname = gensec_get_target_hostname(gensec_security);
+ const char *user_principal = NULL;
+ const char *user_account = NULL;
+ const char *user_domain = NULL;
+ const char *realm = NULL;
+ enum credentials_use_kerberos krb5_state;
+ bool try_kerberos = false;
+ bool auth_requested = true;
+
+ auth_requested = cli_credentials_authentication_requested(creds);
+ if (auth_requested) {
+ user_principal = cli_credentials_get_principal(creds, frame);
+ if (user_principal == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+ realm = cli_credentials_get_realm(creds);
+ }
+ user_account = cli_credentials_get_username(creds);
+ user_domain = cli_credentials_get_domain(creds);
+
+ krb5_state = cli_credentials_get_kerberos_state(creds);
+
+ if (krb5_state != CRED_DONT_USE_KERBEROS) {
+ try_kerberos = true;
+ }
+
+ if (!auth_requested) {
+ try_kerberos = false;
+ } else if (target_principal != NULL) {
+ /* noop */
+ } else if (target_hostname == NULL) {
+ try_kerberos = false;
+ } else if (is_ipaddress(target_hostname)) {
+ try_kerberos = false;
+ } else if (strequal(target_hostname, "localhost")) {
+ try_kerberos = false;
+ } else if (strequal(target_hostname, "*SMBSERVER")) {
+ try_kerberos = false;
+ }
+
+ if (krb5_state == CRED_MUST_USE_KERBEROS && !try_kerberos) {
+ DEBUG(0, ("Kerberos auth with '%s' (%s\\%s %s) to access "
+ "'%s' not possible\n",
+ user_principal, user_domain, user_account, realm,
+ target_principal ? target_principal : target_hostname));
+ TALLOC_FREE(frame);
+ return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT;
+ }
+
+ if (!try_kerberos) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ TALLOC_FREE(frame);
+ return NT_STATUS_OK;
+}
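Review bot: The DEBUG(0, ...) in the CRED_MUST_USE_KERBEROS branch can pass NULL for `%s`: when cli_credentials_authentication_requested() returns false, `user_principal` and `realm` are never assigned and stay NULL, yet `try_kerberos` is forced to false on that same path, so the log line is reached with NULL arguments, which is undefined behaviour for `%s` even if glibc happens to print "(null)". The cheap fix is to substitute a marker in the argument list, e.g. `user_principal != NULL ? user_principal : "<none>", user_domain, user_account, realm != NULL ? realm : "<none>",`; whether cli_credentials_get_username()/cli_credentials_get_domain() can also return NULL is not visible here and would be worth confirming before relying on them unguarded. As a style point, the four `TALLOC_FREE(frame); return ...;` exits could collapse into a single `goto done` cleanup with one `status` variable, which also makes it harder for a later return path to leak the stackframe. The `bool auth_requested = true;` initialiser is dead, since the variable is unconditionally overwritten on the next statement; initialising it directly from the call reads cleaner.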
--- /dev/null
+/*
+ Unix SMB/CIFS implementation.
+ GSSAPI/GENSEC helper functions
+
+ Copyright (C) Stefan Metzmacher 2016
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef AUTH_KERBEROS_GENSEC_GSSAPI_HELPER_H
+#define AUTH_KERBEROS_GENSEC_GSSAPI_HELPER_H 1
+
+struct gensec_security;
+
+NTSTATUS gensec_gssapi_try_kerberos(struct gensec_security *gensec_security);
+
+#endif /* AUTH_KERBEROS_GENSEC_GSSAPI_HELPER_H */
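Review bot: The prototype for gensec_gssapi_try_kerberos() carries no contract, and the function has four distinct outcomes that a caller must tell apart: NT_STATUS_OK (Kerberos may be tried), NT_STATUS_INVALID_PARAMETER (Kerberos is not usable for this target, e.g. no hostname, an IP address, "localhost" or "*SMBSERVER"), NT_STATUS_NETWORK_CREDENTIAL_CONFLICT (credentials demand Kerberos but it is not possible, which should be treated as a hard failure rather than a fallback trigger) and NT_STATUS_NO_MEMORY. A short Doxygen comment above the declaration listing those return codes and their intended caller reaction would prevent a fallback-to-NTLM path from silently swallowing the credential-conflict case. The header also uses NTSTATUS without including anything that declares it; if that relies on includes.h being pulled in first, a one-line comment saying so would help.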