krb5_wrap: add smb_gss_krb5_prepare_acceptor_cred()
authorStefan Metzmacher <metze@samba.org>
Thu, 22 Aug 2019 16:52:15 +0000 (16:52 +0000)
committerStefan Metzmacher <metze@samba.org>
Tue, 9 Jan 2024 10:08:02 +0000 (11:08 +0100)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14125

Signed-off-by: Stefan Metzmacher <metze@samba.org>
lib/krb5_wrap/gss_samba.c
lib/krb5_wrap/gss_samba.h

index a5940561cdaf7cc1a209b21a0381904aa49a6850..9e46e2e0c85146f76185b4cb95381222c04f7aa1 100644 (file)
@@ -218,5 +218,50 @@ uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx,
        return major_status;
 }
 
+uint32_t smb_gss_krb5_prepare_acceptor_cred(uint32_t *minor_status,
+                                           bool skip_transited_check,
+                                           gss_cred_id_t *cred)
+{
+#ifdef HAVE_GSS_KRB5_CRED_SKIP_TRANSIT_CHECK_X
+       OM_uint32 gss_maj, gss_min;
+       gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER;
+       gss_OID skip_transit_oid = discard_const(GSS_KRB5_CRED_SKIP_TRANSIT_CHECK_X);
+#ifdef HAVE_GSS_KRB5_CRED_ITERATE_ACCEPTOR_KEYTAB_X /* only heimdal */
+       gss_OID iterate_keytab_oid =
+               discard_const(GSS_KRB5_CRED_ITERATE_ACCEPTOR_KEYTAB_X);
+
+       gss_maj = gss_set_cred_option(&gss_min, cred,
+                                     iterate_keytab_oid,
+                                     &empty_buffer);
+       if (gss_maj) {
+               DBG_ERR("gss_set_cred_option(ITERATE_ACCEPTOR_KEYTAB_X)\n");
+               *minor_status = gss_min;
+               return gss_maj;
+       }
+#endif /* HAVE_GSS_KRB5_CRED_ITERATE_ACCEPTOR_KEYTAB_X */
+
+       if (!skip_transited_check) {
+               goto done;
+       }
+
+       /*
+        * If we require a valid PAC we can
+        * skip the transit checks in the krb5
+        * code.
+        */
+       gss_maj = gss_set_cred_option(&gss_min, cred,
+                                     skip_transit_oid,
+                                     &empty_buffer);
+       if (gss_maj) {
+               DBG_ERR("gss_set_cred_option(NO_TRANSIT_CHECK_X)\n");
+               *minor_status = gss_min;
+               return gss_maj;
+       }
+
+done:
+#endif /* HAVE_GSS_KRB5_CRED_SKIP_TRANSIT_CHECK_X */
+       *minor_status = 0;
+       return 0;
+}
 
 #endif /* HAVE_GSSAPI */
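Review bot: The ITERATE_ACCEPTOR_KEYTAB_X option is only ever applied when HAVE_GSS_KRB5_CRED_SKIP_TRANSIT_CHECK_X is also defined, because its `#ifdef` block is nested inside the outer skip-transit one, so a build that has the keytab-iteration option but not the skip-transit option would leave the acceptor credential without keytab iteration and still return 0. Unless both macros are known to be defined together on every supported libgssapi, the two options should be guarded independently, with the shared locals hoisted under a combined `#if defined(...) || defined(...)`. The DBG_ERR on the second gss_set_cred_option() call names NO_TRANSIT_CHECK_X although the option being set is SKIP_TRANSIT_CHECK_X; it should read `DBG_ERR("gss_set_cred_option(SKIP_TRANSIT_CHECK_X)\n");` so the log matches the configure macro. It is also worth a comment on the function that, when the skip-transit option is not available, a caller passing skip_transited_check=true gets success without the relaxation being applied (the stricter outcome, but callers should not assume the option took effect).
```c
uint32_t smb_gss_krb5_prepare_acceptor_cred(uint32_t *minor_status,
					   bool skip_transited_check,
					   gss_cred_id_t *cred)
{
#if defined(HAVE_GSS_KRB5_CRED_SKIP_TRANSIT_CHECK_X) || \
	defined(HAVE_GSS_KRB5_CRED_ITERATE_ACCEPTOR_KEYTAB_X)
	OM_uint32 gss_maj, gss_min;
	gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER;
#endif
#ifdef HAVE_GSS_KRB5_CRED_ITERATE_ACCEPTOR_KEYTAB_X /* only heimdal */
	/* … unchanged: iterate_keytab_oid, gss_set_cred_option() and its error return … */
#endif /* HAVE_GSS_KRB5_CRED_ITERATE_ACCEPTOR_KEYTAB_X */

#ifdef HAVE_GSS_KRB5_CRED_SKIP_TRANSIT_CHECK_X
	if (skip_transited_check) {
		gss_OID skip_transit_oid =
			discard_const(GSS_KRB5_CRED_SKIP_TRANSIT_CHECK_X);

		/*
		 * If we require a valid PAC we can
		 * skip the transit checks in the krb5
		 * code.
		 */
		gss_maj = gss_set_cred_option(&gss_min, cred,
					      skip_transit_oid,
					      &empty_buffer);
		if (gss_maj) {
			DBG_ERR("gss_set_cred_option(SKIP_TRANSIT_CHECK_X)\n");
			*minor_status = gss_min;
			return gss_maj;
		}
	}
#endif /* HAVE_GSS_KRB5_CRED_SKIP_TRANSIT_CHECK_X */
	*minor_status = 0;
	return 0;
}
```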
index 89aee3479c550ccfff0a13bd993e4d0f77a6e546..8131d50a9b054beeff2a6258cba7626b848e36b5 100644 (file)
@@ -45,5 +45,9 @@ uint32_t smb_gss_krb5_import_cred(OM_uint32 *minor_status, krb5_context ctx,
                                  krb5_ccache id, krb5_principal keytab_principal,
                                  krb5_keytab keytab, gss_cred_id_t *cred);
 
+uint32_t smb_gss_krb5_prepare_acceptor_cred(uint32_t *minor_status,
+                                           bool skip_transited_check,
+                                           gss_cred_id_t *cred);
+
 #endif /* HAVE_GSSAPI */
 #endif /* _GSS_SAMBA_H */
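Review bot: The new prototype carries no comment describing its contract, and this header is what callers will read. I would add a block comment above the declaration stating that it applies acceptor-side options to an already-acquired credential in `*cred`, that `skip_transited_check` is only meant for callers that enforce PAC validation (the comment in the .c implementation ties the two together), that on success `*minor_status` is 0 and on failure the gss_set_cred_option() major status is returned with the minor code stored in `*minor_status`, and that on builds lacking the underlying GSS credential options the call is a no-op returning 0. The parameter type is `bool`; if gss_samba.h does not already pull in stdbool.h through its existing includes, that include should be added alongside this declaration.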