The branch, master has been updated via 8dd63b9 auth/gensec_gssapi: sync gensec_gssapi_state with gse_context via 0f039b1 s3-gse: add GENSEC_FEATURE_NEW_SPNEGO detection in gensec_gse_have_feature() via c74a522 s3:build: require gss_krb5_export_lucid_sec_context() for ads support from da8e8e5 s3:smb2_sessetup: call set_current_user_info() and reload_services() on success
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 8dd63b93431a267d5bd0f32278f7229adbb44eaa Author: Stefan Metzmacher <me...@samba.org> Date: Tue Jan 24 10:33:11 2012 +0100 auth/gensec_gssapi: sync gensec_gssapi_state with gse_context Both use gss_krb5_lucid_context_v1_t now. metze Autobuild-User: Stefan Metzmacher <me...@samba.org> Autobuild-Date: Wed Jan 25 10:22:31 CET 2012 on sn-devel-104 commit 0f039b196af7d4e4c5260680a7d656f603915a97 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Jan 24 10:31:54 2012 +0100 s3-gse: add GENSEC_FEATURE_NEW_SPNEGO detection in gensec_gse_have_feature() metze commit c74a522db14a71df6c0393b5aa5f382cc8205b5b Author: Stefan Metzmacher <me...@samba.org> Date: Tue Jan 24 13:48:33 2012 +0100 s3:build: require gss_krb5_export_lucid_sec_context() for ads support This is needed to detect krb5 with aes for GENSEC_FEATURE_NEW_SPNEGO at runtime. metze ----------------------------------------------------------------------- Summary of changes: auth/gensec/gensec_gssapi.h | 3 +- source3/configure.in | 6 +++ source3/librpc/crypto/gse.c | 55 +++++++++++++++++++++++++++++++ source3/wscript | 16 ++++++++- source4/heimdal_build/wscript_configure | 1 + 5 files changed, 78 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/auth/gensec/gensec_gssapi.h b/auth/gensec/gensec_gssapi.h index 97c5491..96389b2 100644 --- a/auth/gensec/gensec_gssapi.h +++ b/auth/gensec/gensec_gssapi.h @@ -43,6 +43,8 @@ struct gensec_gssapi_state { gss_cred_id_t delegated_cred_handle; + gss_krb5_lucid_context_v1_t *lucid; + /* gensec_gssapi only */ gss_OID gss_oid; 
@@ -50,7 +52,6 @@ struct gensec_gssapi_state { struct smb_krb5_context *smb_krb5_context; struct gssapi_creds_container *client_cred; struct gssapi_creds_container *server_cred; - gss_krb5_lucid_context_v1_t *lucid; bool sasl; /* We have two different mechs in this file: One * for SASL wrapped GSSAPI and another for normal diff --git a/source3/configure.in b/source3/configure.in index 1e09e48..d309b98 100644 --- a/source3/configure.in +++ b/source3/configure.in @@ -3905,6 +3905,7 @@ if test x"$with_ads_support" != x"no"; then AC_CHECK_FUNC_EXT(gss_oid_equal, $KRB5_LIBS) AC_CHECK_FUNC_EXT(gss_inquire_sec_context_by_oid, $KRB5_LIBS) AC_CHECK_FUNC_EXT(gss_wrap_iov, $KRB5_LIBS) + AC_CHECK_FUNC_EXT(gss_krb5_export_lucid_sec_context, $KRB5_LIBS) # This is for FreeBSD (and possibly others). gss_mech_krb5 is a # #define to GSS_KRB5_MECHANISM, which is defined in -lgssapi_krb5 @@ -4526,6 +4527,11 @@ if test x"$with_ads_support" != x"no"; then fi fi + if test x"$ac_cv_func_ext_gss_krb5_export_lucid_sec_context" != x"yes" ; then + AC_MSG_WARN(need gss_krb5_export_lucid_sec_context for SPNEGO and gss_wrap support) + use_ads=no + fi + if test x"$use_ads" = x"yes"; then AC_DEFINE(WITH_ADS,1,[Whether to include Active Directory support]) AC_DEFINE(HAVE_KRB5,1,[Whether to have KRB5 support]) diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c index 5bd2740..0e664b7 100644 --- a/source3/librpc/crypto/gse.c +++ b/source3/librpc/crypto/gse.c @@ -77,6 +77,8 @@ struct gse_context { gss_cred_id_t delegated_cred_handle; + gss_krb5_lucid_context_v1_t *lucid; + /* gensec_gse only */ krb5_context k5ctx; krb5_ccache ccache; 
@@ -147,6 +149,11 @@ static int gse_context_destructor(void *ptr) &gse_ctx->delegated_cred_handle); } + if (gse_ctx->lucid) { + gss_krb5_free_lucid_sec_context(&gss_min, gse_ctx->lucid); + gse_ctx->lucid = NULL; + } + /* MIT and Heimdal differ as to if you can call * gss_release_oid() on this OID, generated by * gss_{accept,init}_sec_context(). However, as long as the @@ -621,6 +628,36 @@ done: return errstr; } +static NTSTATUS gse_init_lucid(struct gse_context *gse_ctx) +{ + OM_uint32 maj_stat, min_stat; + void *ptr = NULL; + + if (gse_ctx->lucid) { + return NT_STATUS_OK; + } + + maj_stat = gss_krb5_export_lucid_sec_context(&min_stat, + &gse_ctx->gssapi_context, + 1, &ptr); + if (maj_stat != GSS_S_COMPLETE) { + DEBUG(0,("gse_init_lucid: %s\n", + gse_errstr(talloc_tos(), maj_stat, min_stat))); + return NT_STATUS_INTERNAL_ERROR; + } + gse_ctx->lucid = (gss_krb5_lucid_context_v1_t *)ptr; + + if (gse_ctx->lucid->version != 1) { + DEBUG(0,("gse_init_lucid: lucid version[%d] != 1\n", + gse_ctx->lucid->version)); + gss_krb5_free_lucid_sec_context(&min_stat, gse_ctx->lucid); + gse_ctx->lucid = NULL; + return NT_STATUS_INTERNAL_ERROR; + } + + return NT_STATUS_OK; +} + static DATA_BLOB gse_get_session_key(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx) { @@ -1139,6 +1176,24 @@ static bool gensec_gse_have_feature(struct gensec_security *gensec_security, if (feature & GENSEC_FEATURE_DCE_STYLE) { return gse_ctx->gss_got_flags & GSS_C_DCE_STYLE; } + if (feature & GENSEC_FEATURE_NEW_SPNEGO) { + NTSTATUS status; + + if (!(gse_ctx->gss_got_flags & GSS_C_INTEG_FLAG)) { + return false; + } + + status = gse_init_lucid(gse_ctx); + if (!NT_STATUS_IS_OK(status)) { + return false; + } + + if (gse_ctx->lucid->protocol == 1) { + return true; + } + + return false; + } /* We can always do async (rather than strict request/reply) packets. */ if (feature & GENSEC_FEATURE_ASYNC_REPLIES) { return true; diff --git a/source3/wscript b/source3/wscript index 1a5a5c4..912997f 100644 
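Review bot: gse_init_lucid() hands `&gse_ctx->gssapi_context` to gss_krb5_export_lucid_sec_context() and never inspects the handle afterwards, yet the API takes the context by pointer precisely because some implementations consume it — MIT Kerberos (at least in the releases current when this was written) deletes the exported context and sets the handle to GSS_C_NO_CONTEXT, while Heimdal leaves it intact. If that applies to a build against system MIT, the first GENSEC_FEATURE_NEW_SPNEGO query from gensec_gse_have_feature() would silently destroy the context that the subsequent gss_wrap/gss_unwrap and session-key calls rely on, and those would then fail in ways unrelated to the feature probe. As a minimum I would detect it right after the maj_stat check: `if (gse_ctx->gssapi_context == GSS_C_NO_CONTEXT) { DEBUG(0,("gse_init_lucid: context consumed by gss_krb5_export_lucid_sec_context()\n")); return NT_STATUS_INTERNAL_ERROR; }`. That still loses the context, so the better shape is to export the lucid data once when the context is established rather than lazily from a feature query, and a comment above the call stating which implementations consume the handle would save the next reader the same investigation.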
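Review bot: The `gse_ctx->lucid->protocol == 1` comparison in the new GENSEC_FEATURE_NEW_SPNEGO branch of gensec_gse_have_feature() is a bare magic number; the lucid v1 structure defines protocol 0 as RFC 1964 tokens and 1 as RFC 4121 (CFX) tokens, which is presumably what the new-SPNEGO (mechListMIC) behaviour is being keyed on here. I would add `/* protocol 1 = RFC 4121 (CFX) tokens, 0 = RFC 1964; only CFX contexts get the new SPNEGO mechListMIC handling */` above the comparison, plus a one-line note on why GSS_C_INTEG_FLAG is required before the lucid export is attempted. Note also that every failed gse_init_lucid() logs at DEBUG level 0, so a caller probing this feature before the context is fully established will produce noise on each query; if gse_context carries an "established" indicator, checking it before exporting would be cleaner than relying on the GSSAPI error. gensec_gse_have_feature() begins before this hunk and continues after it.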
--- a/source3/wscript +++ b/source3/wscript @@ -570,8 +570,16 @@ msg.msg_acctrightslen = sizeof(fd); if conf.CHECK_FUNCS_IN('gss_display_status', 'gssapi') or \ conf.CHECK_FUNCS_IN('gss_display_status', 'gssapi_krb5'): have_gssapi=True - conf.CHECK_FUNCS_IN('''gss_wrap_iov gss_krb5_import_cred gss_get_name_attribute gss_mech_krb5 gss_oid_equal -gss_inquire_sec_context_by_oid gsskrb5_extract_authz_data_from_sec_context''', 'gssapi gssapi_krb5 krb5') + conf.CHECK_FUNCS_IN(''' + gss_wrap_iov + gss_krb5_import_cred + gss_get_name_attribute + gss_mech_krb5 + gss_oid_equal + gss_inquire_sec_context_by_oid + gsskrb5_extract_authz_data_from_sec_context + gss_krb5_export_lucid_sec_context + ''', 'gssapi gssapi_krb5 krb5') conf.CHECK_FUNCS_IN('krb5_mk_req_extended krb5_kt_compare', 'krb5') conf.CHECK_FUNCS(''' krb5_set_default_in_tkt_etypes krb5_set_default_tgs_enctypes @@ -811,6 +819,10 @@ return krb5_kt_resolve(context, "WRFILE:api", &keytab); Logs.warn("need eiterh gss_get_name_attribute or gsskrb5_extract_authz_data_from_sec_context and gss_inquire_sec_context_by_oid in -lgssapi for PAC support") use_ads=False + if not conf.CONFIG_SET('HAVE_GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT'): + Logs.warn("need gss_krb5_export_lucid_sec_context for SPNEGO and gss_wrap support") + use_ads=False + if use_ads: conf.DEFINE('WITH_ADS', '1') conf.DEFINE('HAVE_KRB5', '1') diff --git a/source4/heimdal_build/wscript_configure b/source4/heimdal_build/wscript_configure index 8a34fdd..9f9aa9f 100644 --- a/source4/heimdal_build/wscript_configure +++ b/source4/heimdal_build/wscript_configure 
@@ -87,6 +87,7 @@ conf.define('HAVE_GSS_OID_EQUAL', 1) conf.define('HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID', 1) conf.define('HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT', 1) conf.define('HAVE_GSSKRB5_GET_SUBKEY', 1) +conf.define('HAVE_GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT', 1) conf.define('HAVE_LIBGSSAPI', 1) conf.define('HAVE_ADDR_TYPE_IN_KRB5_ADDRESS', 1) conf.define('HAVE_CHECKSUM_IN_KRB5_CHECKSUM', 1) -- Samba Shared Repository