OM_uint32 maj_stat, min_stat;
struct gssapi_creds_container *gcc;
struct ccache_container *ccache;
-#ifdef SAMBA4_USES_HEIMDAL
+#ifdef HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER;
+ gss_OID oid = discard_const(GSS_KRB5_CRED_NO_CI_FLAGS_X);
#endif
krb5_enctype *etypes = NULL;
* and used for the AS-REQ, so it wasn't possible to disable the usage
* of AES keys.
*/
- min_stat = get_kerberos_allowed_etypes(ccache->smb_krb5_context->krb5_context,
+ min_stat = smb_krb5_get_allowed_etypes(ccache->smb_krb5_context->krb5_context,
&etypes);
if (min_stat == 0) {
OM_uint32 num_ktypes;
}
}
-#ifdef SAMBA4_USES_HEIMDAL /* MIT lacks GSS_KRB5_CRED_NO_CI_FLAGS_X */
-
- /* don't force GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG */
+#ifdef HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
+ /*
+ * Don't force GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG.
+ *
+ * This allows us to disable SIGN and SEAL on a TLS connection with
+ * GSS-SPNENO. For example ldaps:// connections.
+ *
+ * https://groups.yahoo.com/neo/groups/cat-ietf/conversations/topics/575
+ * http://krbdev.mit.edu/rt/Ticket/Display.html?id=6938
+ */
maj_stat = gss_set_cred_option(&min_stat, &gcc->creds,
- GSS_KRB5_CRED_NO_CI_FLAGS_X,
+ oid,
&empty_buffer);
if (maj_stat) {
talloc_free(gcc);
return ret;
}
+static int cli_credentials_shallow_ccache(struct cli_credentials *cred)
+{
+ krb5_error_code ret;
+ const struct ccache_container *old_ccc = NULL;
+ struct ccache_container *ccc = NULL;
+ char *ccache_name = NULL;
+
+ old_ccc = cred->ccache;
+ if (old_ccc == NULL) {
+ return 0;
+ }
+
+ ccc = talloc(cred, struct ccache_container);
+ if (ccc == NULL) {
+ return ENOMEM;
+ }
+ *ccc = *old_ccc;
+ ccc->ccache = NULL;
+
+ ccache_name = talloc_asprintf(ccc, "MEMORY:%p", ccc);
+
+ ret = krb5_cc_resolve(ccc->smb_krb5_context->krb5_context,
+ ccache_name, &ccc->ccache);
+ if (ret != 0) {
+ TALLOC_FREE(ccc);
+ return ret;
+ }
+
+ talloc_set_destructor(ccc, free_mccache);
+
+ TALLOC_FREE(ccache_name);
+
+ ret = smb_krb5_cc_copy_creds(ccc->smb_krb5_context->krb5_context,
+ old_ccc->ccache, ccc->ccache);
+ if (ret != 0) {
+ TALLOC_FREE(ccc);
+ return ret;
+ }
+
+ cred->ccache = ccc;
+ cred->client_gss_creds = NULL;
+ cred->client_gss_creds_obtained = CRED_UNINITIALISED;
+ return ret;
+}
+
+_PUBLIC_ struct cli_credentials *cli_credentials_shallow_copy(TALLOC_CTX *mem_ctx,
+ struct cli_credentials *src)
+{
+ struct cli_credentials *dst;
+ int ret;
+
+ dst = talloc(mem_ctx, struct cli_credentials);
+ if (dst == NULL) {
+ return NULL;
+ }
+
+ *dst = *src;
+
+ ret = cli_credentials_shallow_ccache(dst);
+ if (ret != 0) {
+ TALLOC_FREE(dst);
+ return NULL;
+ }
+
+ return dst;
+}
+
+static int smb_krb5_create_salt_principal(TALLOC_CTX *mem_ctx,
+ const char *samAccountName,
+ const char *realm,
+ const char **salt_principal,
+ const char **error_string)
+{
+ char *machine_username;
+ bool is_machine_account = false;
+ char *upper_realm;
+ TALLOC_CTX *tmp_ctx;
+ int rc = -1;
+
+ if (samAccountName == NULL) {
+ *error_string = "Cannot determine salt principal, no "
+ "saltPrincipal or samAccountName specified";
+ return rc;
+ }
+
+ if (realm == NULL) {
+ *error_string = "Cannot make principal without a realm";
+ return rc;
+ }
+
+ tmp_ctx = talloc_new(mem_ctx);
+ if (tmp_ctx == NULL) {
+ *error_string = "Cannot allocate talloc context";
+ return rc;
+ }
+
+ upper_realm = strupper_talloc(tmp_ctx, realm);
+ if (upper_realm == NULL) {
+ *error_string = "Cannot allocate to upper case realm";
+ goto out;
+ }
+
+ machine_username = strlower_talloc(tmp_ctx, samAccountName);
+ if (!machine_username) {
+ *error_string = "Cannot duplicate samAccountName";
+ goto out;
+ }
+
+ if (machine_username[strlen(machine_username) - 1] == '$') {
+ machine_username[strlen(machine_username) - 1] = '\0';
+ is_machine_account = true;
+ }
+
+ if (is_machine_account) {
+ char *lower_realm;
+
+ lower_realm = strlower_talloc(tmp_ctx, realm);
+ if (lower_realm == NULL) {
+ *error_string = "Cannot allocate to lower case realm";
+ goto out;
+ }
+
+ *salt_principal = talloc_asprintf(mem_ctx,
+ "host/%s.%s@%s",
+ machine_username,
+ lower_realm,
+ upper_realm);
+ } else {
+ *salt_principal = talloc_asprintf(mem_ctx,
+ "%s@%s",
+ machine_username,
+ upper_realm);
+ }
+ if (*salt_principal == NULL) {
+ *error_string = "Cannot create salt principal";
+ goto out;
+ }
+
+ rc = 0;
+out:
+ talloc_free(tmp_ctx);
+ return rc;
+}
+
/* Get the keytab (actually, a container containing the krb5_keytab)
* attached to this context. If this hasn't been done or set before,
* it will be generated from the password.
const char *keytab_name;
krb5_keytab keytab;
TALLOC_CTX *mem_ctx;
+ const char *username = cli_credentials_get_username(cred);
+ const char *realm = cli_credentials_get_realm(cred);
+ const char *error_string;
+ const char *salt_principal;
if (cred->keytab_obtained >= (MAX(cred->principal_obtained,
cred->username_obtained))) {
return ENOMEM;
}
+ /*
+ * FIXME: Currently there is no better way than to create the correct
+ * salt principal by checking if the username ends with a '$'. It would
+ * be better if it is part of the credentials.
+ */
+ ret = smb_krb5_create_salt_principal(mem_ctx,
+ username,
+ realm,
+ &salt_principal,
+ &error_string);
+ if (ret) {
+ talloc_free(mem_ctx);
+ return ret;
+ }
+
ret = smb_krb5_create_memory_keytab(mem_ctx,
- smb_krb5_context->krb5_context,
- cli_credentials_get_password(cred),
- cli_credentials_get_username(cred),
- cli_credentials_get_realm(cred),
- cli_credentials_get_kvno(cred),
- &keytab, &keytab_name);
+ smb_krb5_context->krb5_context,
+ cli_credentials_get_password(cred),
+ username,
+ realm,
+ salt_principal,
+ cli_credentials_get_kvno(cred),
+ &keytab,
+ &keytab_name);
if (ret) {
talloc_free(mem_ctx);
return ret;