auth/credentials: Support match-by-key in cli_credentials_get_server_gss_creds()
authorAndrew Bartlett <abartlet@samba.org>
Wed, 29 Aug 2012 21:49:21 +0000 (07:49 +1000)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 29 Aug 2012 23:26:12 +0000 (01:26 +0200)
This allows a password alone to be used to accept kerberos tickets.

Of course, we need to have got the salt right, but we do not also need
the correct kvno.  This allows gensec_gssapi to accept tickets based on
a secrets.tdb entry.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Aug 30 01:26:12 CEST 2012 on sn-devel-104

auth/credentials/credentials_krb5.c
source4/auth/kerberos/kerberos.h
source4/auth/kerberos/kerberos_util.c

index 2a23688ffdbbf04f8dc51f58e642b65e826aaf0c..459e9487f4822cf8f37d52ab98e7a6d4acbf23e8 100644 (file)
@@ -717,6 +717,11 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
        cred->keytab_obtained = (MAX(cred->principal_obtained, 
                                     cred->username_obtained));
 
+       /* We make this keytab up based on a password.  Therefore
+        * match-by-key is acceptable, we can't match on the wrong
+        * principal */
+       ktc->password_based = true;
+
        talloc_steal(cred, ktc);
        cred->keytab = ktc;
        *_ktc = cred->keytab;
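Review bot: The comment at the new `ktc->password_based = true;` asserts "we can't match on the wrong principal", but that only holds while every entry written into this synthesised keytab is derived from cred's own password; the invariant is what makes match-by-key safe for the acceptor, and it should be stated so that a later change adding foreign-principal entries here does not silently widen what gensec_gssapi accepts. I would replace the three comment lines with `/* This keytab is synthesised from cred's password only, so every key in it belongs to this account: an acceptor may match by key (any name, any kvno) without risking a match on some other principal's key. Keep it that way. */`. The flag is set only on this path; if cli_credentials_get_keytab has other exits that populate cred->keytab (the function starts outside the hunk), the flag would stay false there, which is the safe default. The second hunk in this file consumes the flag.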
@@ -818,12 +823,12 @@ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
                return ENOMEM;
        }
 
-       if (obtained < CRED_SPECIFIED) {
-               /* This creates a GSSAPI cred_id_t with the principal and keytab set */
+       if (ktc->password_based || obtained < CRED_SPECIFIED) {
+               /* This creates a GSSAPI cred_id_t for match-by-key with only the keytab set */
                maj_stat = gss_krb5_import_cred(&min_stat, NULL, NULL, ktc->keytab,
                                                &gcc->creds);
        } else {
-               /* This creates a GSSAPI cred_id_t with the principal and keytab set */
+               /* This creates a GSSAPI cred_id_t with the principal and keytab set, matching by name */
                maj_stat = gss_krb5_import_cred(&min_stat, NULL, princ, ktc->keytab,
                                                &gcc->creds);
        }
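Review bot: The new condition `ktc->password_based || obtained < CRED_SPECIFIED` drops the principal-name check in the acceptor even when the caller did specify a principal, and the comment on the match-by-key branch does not say why that is acceptable; the reader needs the trust argument, not just "for match-by-key". I would write the comment as `/* Match by key only: the keytab was built from this credential's password (or no principal was specified), so any key that decrypts the ticket belongs to this account; matching by name would additionally require the exact kvno, which a password-only secrets.tdb entry does not give us. */`. As far as can be seen, `princ` is presumably still computed earlier in the function (outside the hunk) and is simply unused on this branch, so nothing else depends on the acceptor name here — worth confirming where gcc->creds is consumed. The enclosing function starts and ends outside the hunk.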
index 51b80556bf81cb131000ce6d98f9972b695e06ca..45975f16f3686b0163edc03061aaa7078eb290e1 100644 (file)
@@ -40,6 +40,7 @@ struct ccache_container {
 struct keytab_container {
        struct smb_krb5_context *smb_krb5_context;
        krb5_keytab keytab;
+       bool password_based;
 };
 
 /* not really ASN.1, but RFC 1964 */
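Review bot: The new member `password_based` is undocumented in the header, yet its meaning is a security decision (whether the GSSAPI acceptor is allowed to match tickets by key rather than by principal name). I would add a trailing comment, `bool password_based; /* keytab was synthesised from a password (kvno unknown); acceptors may match by key instead of by principal name */`, so that anyone constructing a keytab_container elsewhere knows the flag must only be set when every key in the keytab is derived from the credential's own password.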
index 17ae99c6cd4b862824c95e4c015ce949aa5bcec6..b65a2adc5efc2327bf3fc2ab149c430489c32819 100644 (file)
@@ -378,6 +378,7 @@ krb5_error_code smb_krb5_get_keytab_container(TALLOC_CTX *mem_ctx,
 
        (*ktc)->smb_krb5_context = talloc_reference(*ktc, smb_krb5_context);
        (*ktc)->keytab = keytab;
+       (*ktc)->password_based = false;
        talloc_set_destructor(*ktc, free_keytab_container);
 
        return 0;