The branch, master has been updated
via 8dd63b9 auth/gensec_gssapi: sync gensec_gssapi_state with
gse_context
via 0f039b1 s3-gse: add GENSEC_FEATURE_NEW_SPNEGO detection in
gensec_gse_have_feature()
via c74a522 s3:build: require gss_krb5_export_lucid_sec_context() for
ads support
from da8e8e5 s3:smb2_sessetup: call set_current_user_info() and
reload_services() on success
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 8dd63b93431a267d5bd0f32278f7229adbb44eaa
Author: Stefan Metzmacher <me...@samba.org>
Date: Tue Jan 24 10:33:11 2012 +0100
auth/gensec_gssapi: sync gensec_gssapi_state with gse_context
Both use gss_krb5_lucid_context_v1_t now.
metze
Autobuild-User: Stefan Metzmacher <me...@samba.org>
Autobuild-Date: Wed Jan 25 10:22:31 CET 2012 on sn-devel-104
commit 0f039b196af7d4e4c5260680a7d656f603915a97
Author: Stefan Metzmacher <me...@samba.org>
Date: Tue Jan 24 10:31:54 2012 +0100
s3-gse: add GENSEC_FEATURE_NEW_SPNEGO detection in gensec_gse_have_feature()
metze
commit c74a522db14a71df6c0393b5aa5f382cc8205b5b
Author: Stefan Metzmacher <me...@samba.org>
Date: Tue Jan 24 13:48:33 2012 +0100
s3:build: require gss_krb5_export_lucid_sec_context() for ads support
This is needed to detect krb5 with aes for GENSEC_FEATURE_NEW_SPNEGO
at runtime.
metze
-----------------------------------------------------------------------
Summary of changes:
auth/gensec/gensec_gssapi.h | 3 +-
source3/configure.in | 6 +++
source3/librpc/crypto/gse.c | 55 +++++++++++++++++++++++++++++++
source3/wscript | 16 ++++++++-
source4/heimdal_build/wscript_configure | 1 +
5 files changed, 78 insertions(+), 3 deletions(-)
Changeset truncated at 500 lines:
diff --git a/auth/gensec/gensec_gssapi.h b/auth/gensec/gensec_gssapi.h
index 97c5491..96389b2 100644
--- a/auth/gensec/gensec_gssapi.h
+++ b/auth/gensec/gensec_gssapi.h
@@ -43,6 +43,8 @@ struct gensec_gssapi_state {
gss_cred_id_t delegated_cred_handle;
+ gss_krb5_lucid_context_v1_t *lucid;
+
/* gensec_gssapi only */
gss_OID gss_oid;
@@ -50,7 +52,6 @@ struct gensec_gssapi_state {
struct smb_krb5_context *smb_krb5_context;
struct gssapi_creds_container *client_cred;
struct gssapi_creds_container *server_cred;
- gss_krb5_lucid_context_v1_t *lucid;
bool sasl; /* We have two different mechs in this file: One
* for SASL wrapped GSSAPI and another for normal
diff --git a/source3/configure.in b/source3/configure.in
index 1e09e48..d309b98 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -3905,6 +3905,7 @@ if test x"$with_ads_support" != x"no"; then
AC_CHECK_FUNC_EXT(gss_oid_equal, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(gss_inquire_sec_context_by_oid, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(gss_wrap_iov, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(gss_krb5_export_lucid_sec_context, $KRB5_LIBS)
# This is for FreeBSD (and possibly others). gss_mech_krb5 is a
# #define to GSS_KRB5_MECHANISM, which is defined in -lgssapi_krb5
@@ -4526,6 +4527,11 @@ if test x"$with_ads_support" != x"no"; then
fi
fi
+ if test x"$ac_cv_func_ext_gss_krb5_export_lucid_sec_context" != x"yes" ; then
+ AC_MSG_WARN(need gss_krb5_export_lucid_sec_context for SPNEGO and gss_wrap
support)
+ use_ads=no
+ fi
+
if test x"$use_ads" = x"yes"; then
AC_DEFINE(WITH_ADS,1,[Whether to include Active Directory support])
AC_DEFINE(HAVE_KRB5,1,[Whether to have KRB5 support])
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 5bd2740..0e664b7 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -77,6 +77,8 @@ struct gse_context {
gss_cred_id_t delegated_cred_handle;
+ gss_krb5_lucid_context_v1_t *lucid;
+
/* gensec_gse only */
krb5_context k5ctx;
krb5_ccache ccache;
@@ -147,6 +149,11 @@ static int gse_context_destructor(void *ptr)
&gse_ctx->delegated_cred_handle);
}
+ if (gse_ctx->lucid) {
+ gss_krb5_free_lucid_sec_context(&gss_min, gse_ctx->lucid);
+ gse_ctx->lucid = NULL;
+ }
+
/* MIT and Heimdal differ as to if you can call
* gss_release_oid() on this OID, generated by
* gss_{accept,init}_sec_context(). However, as long as the
@@ -621,6 +628,36 @@ done:
return errstr;
}
+static NTSTATUS gse_init_lucid(struct gse_context *gse_ctx)
+{
+ OM_uint32 maj_stat, min_stat;
+ void *ptr = NULL;
+
+ if (gse_ctx->lucid) {
+ return NT_STATUS_OK;
+ }
+
+ maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
+ &gse_ctx->gssapi_context,
+ 1, &ptr);
+ if (maj_stat != GSS_S_COMPLETE) {
+ DEBUG(0,("gse_init_lucid: %s\n",
+ gse_errstr(talloc_tos(), maj_stat, min_stat)));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ gse_ctx->lucid = (gss_krb5_lucid_context_v1_t *)ptr;
+
+ if (gse_ctx->lucid->version != 1) {
+ DEBUG(0,("gse_init_lucid: lucid version[%d] != 1\n",
+ gse_ctx->lucid->version));
+ gss_krb5_free_lucid_sec_context(&min_stat, gse_ctx->lucid);
+ gse_ctx->lucid = NULL;
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ return NT_STATUS_OK;
+}
+
static DATA_BLOB gse_get_session_key(TALLOC_CTX *mem_ctx,
struct gse_context *gse_ctx)
{
@@ -1139,6 +1176,24 @@ static bool gensec_gse_have_feature(struct
gensec_security *gensec_security,
if (feature & GENSEC_FEATURE_DCE_STYLE) {
return gse_ctx->gss_got_flags & GSS_C_DCE_STYLE;
}
+ if (feature & GENSEC_FEATURE_NEW_SPNEGO) {
+ NTSTATUS status;
+
+ if (!(gse_ctx->gss_got_flags & GSS_C_INTEG_FLAG)) {
+ return false;
+ }
+
+ status = gse_init_lucid(gse_ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ return false;
+ }
+
+ if (gse_ctx->lucid->protocol == 1) {
+ return true;
+ }
+
+ return false;
+ }
/* We can always do async (rather than strict request/reply) packets.
*/
if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
return true;
diff --git a/source3/wscript b/source3/wscript
index 1a5a5c4..912997f 100644
--- a/source3/wscript
+++ b/source3/wscript
@@ -570,8 +570,16 @@ msg.msg_acctrightslen = sizeof(fd);
if conf.CHECK_FUNCS_IN('gss_display_status', 'gssapi') or \
conf.CHECK_FUNCS_IN('gss_display_status', 'gssapi_krb5'):
have_gssapi=True
- conf.CHECK_FUNCS_IN('''gss_wrap_iov gss_krb5_import_cred
gss_get_name_attribute gss_mech_krb5 gss_oid_equal
-gss_inquire_sec_context_by_oid gsskrb5_extract_authz_data_from_sec_context''',
'gssapi gssapi_krb5 krb5')
+ conf.CHECK_FUNCS_IN('''
+ gss_wrap_iov
+ gss_krb5_import_cred
+ gss_get_name_attribute
+ gss_mech_krb5
+ gss_oid_equal
+ gss_inquire_sec_context_by_oid
+ gsskrb5_extract_authz_data_from_sec_context
+ gss_krb5_export_lucid_sec_context
+ ''', 'gssapi gssapi_krb5 krb5')
conf.CHECK_FUNCS_IN('krb5_mk_req_extended krb5_kt_compare', 'krb5')
conf.CHECK_FUNCS('''
krb5_set_default_in_tkt_etypes krb5_set_default_tgs_enctypes
@@ -811,6 +819,10 @@ return krb5_kt_resolve(context, "WRFILE:api", &keytab);
Logs.warn("need eiterh gss_get_name_attribute or
gsskrb5_extract_authz_data_from_sec_context and gss_inquire_sec_context_by_oid
in -lgssapi for PAC support")
use_ads=False
+ if not conf.CONFIG_SET('HAVE_GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT'):
+ Logs.warn("need gss_krb5_export_lucid_sec_context for SPNEGO and
gss_wrap support")
+ use_ads=False
+
if use_ads:
conf.DEFINE('WITH_ADS', '1')
conf.DEFINE('HAVE_KRB5', '1')
diff --git a/source4/heimdal_build/wscript_configure
b/source4/heimdal_build/wscript_configure
index 8a34fdd..9f9aa9f 100644
--- a/source4/heimdal_build/wscript_configure
+++ b/source4/heimdal_build/wscript_configure
@@ -87,6 +87,7 @@ conf.define('HAVE_GSS_OID_EQUAL', 1)
conf.define('HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID', 1)
conf.define('HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT', 1)
conf.define('HAVE_GSSKRB5_GET_SUBKEY', 1)
+conf.define('HAVE_GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT', 1)
conf.define('HAVE_LIBGSSAPI', 1)
conf.define('HAVE_ADDR_TYPE_IN_KRB5_ADDRESS', 1)
conf.define('HAVE_CHECKSUM_IN_KRB5_CHECKSUM', 1)
--
Samba Shared Repository
