The branch, master has been updated
via 7fb82a5 krb5: Require gss_get_name_attribute or Heimdal's PAC
parsing to build with krb5
via 19deda2 krb5: Require krb5_string_to_key be available to build with
krb5
via cfe68f2 krb5: Require krb5_set_real_time is available to build with
krb5
via 0c6af1e krb5: Require krb5_principal_compare_any_realm be available
to build with krb5
via 39d73e2 krb5: Require krb5_get_renewed_creds be available to build
with krb5
via a33d86a krb5: Remove now unused checks for krb5_verify_checksum
via 39b476d krb5: Require krb5_get_init_creds_opt_alloc/free for build
with krb5
via fc7b34c krb5: Require krb5_fwd_tgt_creds to be available to build
with krb5
via 016fc0a krb5: Require krb5_get_host_realm and krb5_free_host_realm
be available to build with krb5
via 6b2e742 krb5: Require krb5_c_verify_checksum is available to build
with krb5
via 17e61e4 krb5: Require krb5_c_enctype_compare is available to build
with krb5
from 803dc38 s4:provision: add "+dns" to server services if the dns
backend is SAMBA_INTERNAL
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 7fb82a5a247b95bcd981574d6c0db013c954e026
Author: Andrew Bartlett <abart...@samba.org>
Date: Fri Jan 6 18:32:41 2012 +1100
krb5: Require gss_get_name_attribute or Heimdal's PAC parsing to build with
krb5
Autobuild-User: Andrew Bartlett <abart...@samba.org>
Autobuild-Date: Tue Jan 10 23:23:07 CET 2012 on sn-devel-104
commit 19deda26d0ee61b5e5b41a09181d156b9159663d
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Jan 5 11:39:14 2012 +1100
krb5: Require krb5_string_to_key be available to build with krb5
commit cfe68f2d5fbd749c3dce7a1a5fa67d2d0a631bf2
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Jan 5 11:34:12 2012 +1100
krb5: Require krb5_set_real_time is available to build with krb5
commit 0c6af1e2da4619634c3806b5c0ee022bef935bb5
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Jan 5 11:30:22 2012 +1100
krb5: Require krb5_principal_compare_any_realm be available to build with
krb5
commit 39d73e2420be17cc7db16353e1a51a5d2123f9f1
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Jan 5 11:16:24 2012 +1100
krb5: Require krb5_get_renewed_creds be available to build with krb5
commit a33d86a74592498ec731d57e8cd2ff6a260635bc
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Jan 5 11:09:46 2012 +1100
krb5: Remove now unused checks for krb5_verify_checksum
commit 39b476d1c9f97b5d1fbc9b08d7a85ac0d59934f2
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Jan 5 11:06:28 2012 +1100
krb5: Require krb5_get_init_creds_opt_alloc/free for build with krb5
This also assumes the modern API with a krb5_context argument.
Andrew Bartlett
commit fc7b34c83a2fe44b905e8af44dcb6d06154f688d
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Jan 5 10:59:44 2012 +1100
krb5: Require krb5_fwd_tgt_creds to be available to build with krb5
commit 016fc0af0c30a22d0154ca6c67bb31bac893fb7b
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Jan 5 10:54:50 2012 +1100
krb5: Require krb5_get_host_realm and krb5_free_host_realm be available to
build with krb5
commit 6b2e742d6c719258c8ff1c2309847e88bdae97e7
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Jan 5 10:51:29 2012 +1100
krb5: Require krb5_c_verify_checksum is available to build with krb5
commit 17e61e4290d7d95b0bdd2accda24e526484a1c51
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Jan 5 10:46:24 2012 +1100
krb5: Require krb5_c_enctype_compare is available to build with krb5
-----------------------------------------------------------------------
Summary of changes:
libcli/auth/krb5_wrap.c | 113 ++++++-------------------------
source3/configure.in | 92 +++++++++++++++++++++-----
source3/include/krb5_protos.h | 4 -
source3/libads/kerberos.c | 4 -
source3/libsmb/clikrb5.c | 112 ++----------------------------
source3/wscript | 59 ++++++++++++----
source4/auth/kerberos/kerberos.h | 4 -
source4/heimdal_build/wscript_configure | 4 -
8 files changed, 148 insertions(+), 244 deletions(-)
Changeset truncated at 500 lines:
diff --git a/libcli/auth/krb5_wrap.c b/libcli/auth/krb5_wrap.c
index e7e071d..f528822 100644
--- a/libcli/auth/krb5_wrap.c
+++ b/libcli/auth/krb5_wrap.c
@@ -27,7 +27,7 @@
#include "libcli/auth/krb5_wrap.h"
#include "librpc/gen_ndr/krb5pac.h"
-#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) &&
defined(HAVE_KRB5_STRING_TO_KEY) && defined(HAVE_KRB5_ENCRYPT_BLOCK)
+#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) &&
defined(HAVE_KRB5_ENCRYPT_BLOCK)
int create_kerberos_key_from_string_direct(krb5_context context,
krb5_principal host_princ,
krb5_data *password,
@@ -187,35 +187,7 @@ krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
krb5_const_principal princ1,
krb5_const_principal princ2)
{
-#ifdef HAVE_KRB5_PRINCIPAL_COMPARE_ANY_REALM
-
return krb5_principal_compare_any_realm(context, princ1, princ2);
-
-/* krb5_princ_size is a macro in MIT */
-#elif defined(HAVE_KRB5_PRINC_SIZE) || defined(krb5_princ_size)
-
- int i, len1, len2;
- const krb5_data *p1, *p2;
-
- len1 = krb5_princ_size(context, princ1);
- len2 = krb5_princ_size(context, princ2);
-
- if (len1 != len2)
- return False;
-
- for (i = 0; i < len1; i++) {
-
- p1 = krb5_princ_component(context,
(krb5_principal)discard_const(princ1), i);
- p2 = krb5_princ_component(context,
(krb5_principal)discard_const(princ2), i);
-
- if (p1->length != p2->length || memcmp(p1->data, p2->data,
p1->length))
- return False;
- }
-
- return True;
-#else
-#error NO_SUITABLE_PRINCIPAL_COMPARE_FUNCTION
-#endif
}
void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum,
@@ -241,71 +213,28 @@ krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
{
krb5_error_code ret;
- /* verify the checksum */
-
- /* welcome to the wonderful world of samba's kerberos abstraction layer:
- *
- * function heimdal 0.6.1rc3 heimdal 0.7
MIT krb 1.4.2
- *
-----------------------------------------------------------------------------
- * krb5_c_verify_checksum - works
works
- * krb5_verify_checksum works (6 args) works (6 args)
broken (7 args)
- */
-
-#if defined(HAVE_KRB5_C_VERIFY_CHECKSUM)
- {
- krb5_boolean checksum_valid = false;
- krb5_data input;
-
- input.data = (char *)data;
- input.length = length;
-
- ret = krb5_c_verify_checksum(context,
- keyblock,
- usage,
- &input,
- cksum,
- &checksum_valid);
- if (ret) {
- DEBUG(3,("smb_krb5_verify_checksum:
krb5_c_verify_checksum() failed: %s\n",
- error_message(ret)));
- return ret;
- }
-
- if (!checksum_valid)
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
- }
-
-#elif KRB5_VERIFY_CHECKSUM_ARGS == 6 && defined(HAVE_KRB5_CRYPTO_INIT) &&
defined(HAVE_KRB5_CRYPTO) && defined(HAVE_KRB5_CRYPTO_DESTROY)
-
- /* Warning: MIT's krb5_verify_checksum cannot be used as it will use a
key
- * without enctype and it ignores any key_usage types - Guenther */
-
- {
-
- krb5_crypto crypto;
- ret = krb5_crypto_init(context,
- keyblock,
- 0,
- &crypto);
- if (ret) {
- DEBUG(0,("smb_krb5_verify_checksum: krb5_crypto_init()
failed: %s\n",
- error_message(ret)));
- return ret;
- }
+ /* verify the checksum, heimdal 0.7 and MIT krb 1.4.2 and above */
- ret = krb5_verify_checksum(context,
- crypto,
- usage,
- data,
- length,
- cksum);
-
- krb5_crypto_destroy(context, crypto);
+ krb5_boolean checksum_valid = false;
+ krb5_data input;
+
+ input.data = (char *)data;
+ input.length = length;
+
+ ret = krb5_c_verify_checksum(context,
+ keyblock,
+ usage,
+ &input,
+ cksum,
+ &checksum_valid);
+ if (ret) {
+ DEBUG(3,("smb_krb5_verify_checksum: krb5_c_verify_checksum()
failed: %s\n",
+ error_message(ret)));
+ return ret;
}
-
-#else
-#error UNKNOWN_KRB5_VERIFY_CHECKSUM_FUNCTION
-#endif
+
+ if (!checksum_valid)
+ ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
return ret;
}
diff --git a/source3/configure.in b/source3/configure.in
index c671a42..c0ddc27 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -3848,6 +3848,12 @@ if test x"$with_ads_support" != x"no"; then
fi
AC_CHECK_FUNC_EXT(krb5_set_real_time, $KRB5_LIBS)
+ ################################################################
+ # test for AD / GSSAPI support being enabled
+ if test x"$have_gssapi" != xyes ; then
+ AC_MSG_WARN([Samba cannot be supported without GSSAPI])
+ fi
+
AC_CHECK_FUNC_EXT(krb5_set_default_in_tkt_etypes, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_set_default_tgs_enctypes, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_set_default_tgs_ktypes, $KRB5_LIBS)
@@ -3869,19 +3875,16 @@ if test x"$with_ads_support" != x"no"; then
AC_CHECK_FUNC_EXT(krb5_krbhst_init, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_krbhst_get_addrinfo, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_c_enctype_compare, $KRB5_LIBS)
- AC_CHECK_FUNC_EXT(krb5_enctypes_compatible_keys, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_crypto_init, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_crypto_destroy, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_decode_ap_req, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(free_AP_REQ, $KRB5_LIBS)
- AC_CHECK_FUNC_EXT(krb5_verify_checksum, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_c_verify_checksum, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_principal_compare_any_realm, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_parse_name_norealm, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_princ_size, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_get_init_creds_opt_set_pac_request, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_get_renewed_creds, $KRB5_LIBS)
- AC_CHECK_FUNC_EXT(krb5_get_kdc_cred, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_free_error_contents, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(initialize_krb5_error_table, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_get_init_creds_opt_alloc, $KRB5_LIBS)
@@ -3898,6 +3901,7 @@ if test x"$with_ads_support" != x"no"; then
AC_CHECK_FUNC_EXT(krb5_free_host_realm, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(gss_krb5_import_cred, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(gss_get_name_attribute, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(gsskrb5_extract_authz_data_from_sec_context, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(gss_mech_krb5, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(gss_oid_equal, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(gss_inquire_sec_context_by_oid, $KRB5_LIBS)
@@ -3960,16 +3964,6 @@ if test x"$with_ads_support" != x"no"; then
[Whether krb5_get_init_creds_opt_free takes a context argument])
fi
- AC_CACHE_CHECK(whether krb5_verify_checksum takes 7 arguments,
smb_krb5_cv_verify_checksum, [
- AC_TRY_COMPILE([
- #include <krb5.h>],
- [krb5_verify_checksum(0, 0, 0, 0, 0, 0, 0);],
- [smb_krb5_cv_verify_checksum=7],
- [smb_krb5_cv_verify_checksum=6],
- )
- ])
- AC_DEFINE_UNQUOTED(KRB5_VERIFY_CHECKSUM_ARGS, $smb_krb5_cv_verify_checksum,
[Number of arguments to krb5_verify_checksum])
-
AC_CACHE_CHECK([for checksum in krb5_checksum],
samba_cv_HAVE_CHECKSUM_IN_KRB5_CHECKSUM,[
AC_TRY_COMPILE([#include <krb5.h>],
@@ -4414,11 +4408,69 @@ if test x"$with_ads_support" != x"no"; then
use_ads=no
fi
+ if test x"$ac_cv_func_ext_krb5_set_real_time" != x"yes"; then
+ AC_MSG_WARN(krb5_set_real_time encryption type not found in -lkrb5)
+ use_ads=no
+ fi
+
if test x"$ac_cv_lib_ext_krb5_krb5_mk_req_extended" != x"yes"; then
AC_MSG_WARN(krb5_mk_req_extended not found in -lkrb5)
use_ads=no
fi
+ if test x"$ac_cv_func_ext_krb5_c_enctype_compare" != x"yes"; then
+ AC_MSG_WARN(krb5_c_enctype_compare not found in -lkrb5)
+ use_ads=no
+ fi
+
+ if test x"$ac_cv_func_ext_krb5_get_host_realm" != x"yes"
+ then
+ AC_MSG_WARN(krb5_get_host_realm not found in -lkrb5)
+ use_ads=no
+ fi
+
+ if test x"$ac_cv_func_ext_krb5_free_host_realm" != x"yes"
+ then
+ AC_MSG_WARN(krb5_free_host_realm not found in -lkrb5)
+ use_ads=no
+ fi
+
+ if test x"$ac_cv_func_ext_krb5_fwd_tgt_creds" != x"yes"
+ then
+ AC_MSG_WARN(krb5_fwd_tgt_creds not found in -lkrb5)
+ use_ads=no
+ fi
+
+ if test x"$ac_cv_func_ext_krb5_get_init_creds_opt_alloc" != x"yes"
+ then
+ AC_MSG_WARN(krb5_get_init_creds_opt_alloc found in -lkrb5)
+ use_ads=no
+ fi
+
+ if test x"$smb_krb5_cv_creds_opt_free_context" != x"yes"
+ then
+ AC_MSG_WARN(krb5_get_init_creds_opt_free not found or was too old in
-lkrb5)
+ use_ads=no
+ fi
+
+ if test x"$ac_cv_func_ext_krb5_get_renewed_creds" != x"yes"
+ then
+ AC_MSG_WARN(krb5_get_renewed_creds not found in -lkrb5)
+ use_ads=no
+ fi
+
+ if test x"$ac_cv_func_ext_krb5_principal_compare_any_realm" != x"yes"
+ then
+ AC_MSG_WARN(krb5_principal_compare_any_realm not found in -lkrb5)
+ use_ads=no
+ fi
+
+ if test x"$ac_cv_func_ext_krb5_string_to_key" != x"yes"
+ then
+ AC_MSG_WARN(krb5_string_to_key not found in -lkrb5)
+ use_ads=no
+ fi
+
if test x"$ac_cv_func_ext_krb5_principal2salt" != x"yes" -a \
x"$ac_cv_func_ext_krb5_get_pw_salt" != x"yes"
then
@@ -4440,10 +4492,9 @@ if test x"$with_ads_support" != x"no"; then
use_ads=no
fi
- if test x"$ac_cv_func_ext_krb5_c_verify_checksum" != x"yes" -a \
- x"$ac_cv_func_ext_krb5_verify_checksum" != x"yes"
+ if test x"$ac_cv_func_ext_krb5_c_verify_checksum" != x"yes"
then
- AC_MSG_WARN(no KRB5_VERIFY_CHECKSUM_FUNCTION detected)
+ AC_MSG_WARN(krb5_c_verify_checksum not found in -lkrb5)
use_ads=no
fi
@@ -4466,6 +4517,15 @@ if test x"$with_ads_support" != x"no"; then
fi
+ if test x"$ac_cv_func_ext_gss_get_name_attribute" != x"yes" ; then
+ if test x"$ac_cv_func_ext_gsskrb5_extract_authz_data_from_sec_context" !=
x"yes" -o \
+ if test x"$ac_cv_func_ext_gss_inquire_sec_context_by_oid" != x"yes"
+ then
+ AC_MSG_WARN(need either gss_get_name_attribute or
gsskrb5_extract_authz_data_from_sec_context and gss_inquire_sec_context_by_oid
in -lgssapi for PAC support)
+ use_ads=no
+ fi
+ fi
+
if test x"$use_ads" = x"yes"; then
AC_DEFINE(WITH_ADS,1,[Whether to include Active Directory support])
AC_DEFINE(HAVE_KRB5,1,[Whether to have KRB5 support])
diff --git a/source3/include/krb5_protos.h b/source3/include/krb5_protos.h
index 37fc1c6..32f995c 100644
--- a/source3/include/krb5_protos.h
+++ b/source3/include/krb5_protos.h
@@ -42,10 +42,6 @@ krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
krb5_const_principal principal,
char **unix_name);
-#ifndef HAVE_KRB5_SET_REAL_TIME
-krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds,
int32_t microseconds);
-#endif
-
krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const
krb5_enctype *enc);
#if defined(HAVE_KRB5_AUTH_CON_SETKEY) &&
!defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY)
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index f260dca..a43c7b1 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -484,7 +484,6 @@ char *kerberos_get_default_realm_from_ccache(TALLOC_CTX
*mem_ctx)
char *kerberos_get_realm_from_hostname(TALLOC_CTX *mem_ctx, const char
*hostname)
{
-#if defined(HAVE_KRB5_GET_HOST_REALM) && defined(HAVE_KRB5_FREE_HOST_REALM)
#if defined(HAVE_KRB5_REALM_TYPE)
/* Heimdal. */
krb5_realm *realm_list = NULL;
@@ -525,9 +524,6 @@ char *kerberos_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
const char *hostname
ctx = NULL;
}
return realm;
-#else
- return NULL;
-#endif
}
char *kerberos_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx,
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index 6a11def..9af3e49 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -50,26 +50,6 @@ krb5_error_code krb5_auth_con_set_req_cksumtype(
krb5_cksumtype cksumtype);
#endif
-#ifndef HAVE_KRB5_SET_REAL_TIME
-/*
- * This function is not in the Heimdal mainline.
- */
- krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds,
int32_t microseconds)
-{
- krb5_error_code ret;
- int32_t sec, usec;
-
- ret = krb5_us_timeofday(context, &sec, &usec);
- if (ret)
- return ret;
-
- context->kdc_sec_offset = seconds - sec;
- context->kdc_usec_offset = microseconds - usec;
-
- return 0;
-}
-#endif
-
#if !defined(HAVE_KRB5_SET_DEFAULT_TGS_KTYPES)
#if defined(HAVE_KRB5_SET_DEFAULT_TGS_ENCTYPES)
@@ -471,14 +451,10 @@ bool unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB
*auth_data, DATA_BLOB *unwrapped_
krb5_enctype enctype1,
krb5_enctype enctype2)
{
-#if defined(HAVE_KRB5_C_ENCTYPE_COMPARE)
krb5_boolean similar = 0;
krb5_c_enctype_compare(context, enctype1, enctype2, &similar);
return similar ? True : False;
-#elif defined(HAVE_KRB5_ENCTYPES_COMPATIBLE_KEYS)
- return krb5_enctypes_compatible_keys(context, enctype1, enctype2) ?
True : False;
-#endif
}
static bool ads_cleanup_expired_creds(krb5_context context,
@@ -542,7 +518,7 @@ static krb5_error_code setup_auth_context(krb5_context
context,
return retval;
}
-#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) &&
defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) &&
defined(KRB5_AUTH_CONTEXT_USE_SUBKEY) &&
defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE)
+#if defined(TKT_FLG_OK_AS_DELEGATE ) &&
defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) &&
defined(KRB5_AUTH_CONTEXT_USE_SUBKEY) &&
defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE)
static krb5_error_code create_gss_checksum(krb5_data *in_data, /* [inout] */
uint32_t gss_flags)
{
@@ -694,7 +670,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
goto cleanup_creds;
}
-#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) &&
defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) &&
defined(KRB5_AUTH_CONTEXT_USE_SUBKEY) &&
defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE)
+#if defined(TKT_FLG_OK_AS_DELEGATE ) &&
defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) &&
defined(KRB5_AUTH_CONTEXT_USE_SUBKEY) &&
defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE)
{
uint32_t gss_flags = 0;
@@ -783,7 +759,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
error_message(retval)));
}
-#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) &&
defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) &&
defined(KRB5_AUTH_CONTEXT_USE_SUBKEY) &&
defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE)
+#if defined(TKT_FLG_OK_AS_DELEGATE ) &&
defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) &&
defined(KRB5_AUTH_CONTEXT_USE_SUBKEY) &&
defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE)
cleanup_data:
#endif
@@ -1160,56 +1136,11 @@ out:
}
}
-#ifdef HAVE_KRB5_GET_RENEWED_CREDS /* MIT */
- {
- ret = krb5_get_renewed_creds(context, &creds, client, ccache,
discard_const_p(char, service_string));
- if (ret) {
- DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred
failed: %s\n", error_message(ret)));
- goto done;
- }
- }
-#elif defined(HAVE_KRB5_GET_KDC_CRED) /* Heimdal */
- {
- krb5_kdc_flags flags;
- krb5_realm *client_realm = NULL;
-
- ret = krb5_copy_principal(context, client, &creds_in.client);
- if (ret) {
- goto done;
- }
-
- if (service_string) {
- ret = smb_krb5_parse_name(context, service_string,
&creds_in.server);
- if (ret) {
- goto done;
- }
- } else {
- /* build tgt service by default */
- client_realm = krb5_princ_realm(context,
creds_in.client);
- if (!client_realm) {
- ret = ENOMEM;
- goto done;
- }
- ret = krb5_make_principal(context, &creds_in.server,
*client_realm, KRB5_TGS_NAME, *client_realm, NULL);
- if (ret) {
- goto done;
- }
- }
-
- flags.i = 0;
- flags.b.renewable = flags.b.renew = True;
-
- ret = krb5_get_kdc_cred(context, ccache, flags, NULL, NULL,
&creds_in, &creds_out);
- if (ret) {
- DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred
failed: %s\n", error_message(ret)));
- goto done;
- }
-
- creds = *creds_out;
+ ret = krb5_get_renewed_creds(context, &creds, client, ccache,
discard_const_p(char, service_string));
+ if (ret) {
+ DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed:
%s\n", error_message(ret)));
+ goto done;
}
-#else
-#error NO_SUITABLE_KRB5_TICKET_RENEW_FUNCTION_AVAILABLE
-#endif
/* hm, doesn't that create a new one if the old one wasn't there? -
Guenther */
ret = krb5_cc_initialize(context, ccache, client);
@@ -1416,44 +1347,15 @@ done:
krb5_error_code smb_krb5_get_init_creds_opt_alloc(krb5_context context,
krb5_get_init_creds_opt **opt)
{
-#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
/* Heimdal or modern MIT version */
return krb5_get_init_creds_opt_alloc(context, opt);
-#else
- /* Historical MIT version */
- krb5_get_init_creds_opt *my_opt;
-
- *opt = NULL;
-
- if ((my_opt = SMB_MALLOC_P(krb5_get_init_creds_opt)) == NULL) {
- return ENOMEM;
- }
-
- krb5_get_init_creds_opt_init(my_opt);
-
- *opt = my_opt;
- return 0;
-#endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC */
}
void smb_krb5_get_init_creds_opt_free(krb5_context context,
krb5_get_init_creds_opt *opt)
{
--
Samba Shared Repository
