s4:gensec Allow mutual auth to be turned off in 'fake_gssapi_krb5'

This allows the older 'like Samba3' GENSEC krb5 implementation to work
against Windows 2008.  I'm using this to track down interop issues in
this area.

Andrew Bartlett

diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 09bdec512d23bca9a9df7ac97d336a6b62a1ba22..aed6822b898d77492de10b89659671e6f1dbe219 100644 (file)
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -57,6 +57,7 @@ struct gensec_krb5_state {
        krb5_keyblock *keyblock;
        krb5_ticket *ticket;
        bool gssapi;
+       krb5_flags ap_req_options;
 };
 
 static int gensec_krb5_destroy(struct gensec_krb5_state *gensec_krb5_state)
@@ -221,7 +222,6 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
        NTSTATUS nt_status;
        struct ccache_container *ccache_container;
        const char *hostname;
-       krb5_flags ap_req_options = AP_OPTS_USE_SUBKEY | AP_OPTS_MUTUAL_REQUIRED;
 
        const char *principal;
        krb5_data in_data;
@@ -247,6 +247,11 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
 
        gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
        gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
+       gensec_krb5_state->ap_req_options = AP_OPTS_USE_SUBKEY;
+
+       if (gensec_setting_bool(gensec_security->settings, "gensec_krb5", "mutual", true)) {
+               gensec_krb5_state->ap_req_options |= AP_OPTS_MUTUAL_REQUIRED;
+       }
 
        principal = gensec_get_target_principal(gensec_security);
 
@@ -274,7 +279,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
                if (ret == 0) {
                        ret = krb5_mk_req_exact(gensec_krb5_state->smb_krb5_context->krb5_context, 
                                                &gensec_krb5_state->auth_context,
-                                               ap_req_options, 
+                                               gensec_krb5_state->ap_req_options, 
                                                target_principal,
                                                &in_data, ccache_container->ccache, 
                                                &gensec_krb5_state->enc_ticket);
@@ -284,7 +289,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
        } else {
                ret = krb5_mk_req(gensec_krb5_state->smb_krb5_context->krb5_context, 
                                  &gensec_krb5_state->auth_context,
-                                 ap_req_options,
+                                 gensec_krb5_state->ap_req_options,
                                  gensec_get_target_service(gensec_security),
                                  hostname,
                                  &in_data, ccache_container->ccache, 
@@ -392,8 +397,13 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
                } else {
                        *out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->enc_ticket.data, gensec_krb5_state->enc_ticket.length);
                }
-               gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_MUTUAL_AUTH;
-               nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+               if (gensec_krb5_state->ap_req_options & AP_OPTS_MUTUAL_REQUIRED) {
+                       gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_MUTUAL_AUTH;
+                       nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+               } else {
+                       gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
+                       nt_status = NT_STATUS_OK;
+               }
                return nt_status;
        }