/[smeserver]/rpms/samba/sme10/samba-v4.6-gss_krb5_import_cred.patch
ViewVC logotype

Annotation of /rpms/samba/sme10/samba-v4.6-gss_krb5_import_cred.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph

Revision 1.1 - (hide annotations) (download)
Tue May 8 16:37:54 2018 UTC (6 years, 5 months ago) by jpp
Branch: MAIN
CVS Tags: samba-4_6_2-12_el7_4, samba--, samba-4_6_2-12_3_el7_sme, samba-4_6_2-12_4_el7_sme, samba-4_6_2-12_2_el7_sme 
upgrade to samba-4.6.2-12
1 jpp 1.1 From 334a4870cbbfefcd09c10f432a320ceaac29a14a Mon Sep 17 00:00:00 2001
2     From: Alexander Bokovoy <ab@samba.org>
3     Date: Fri, 3 Mar 2017 17:08:09 +0200
4     Subject: [PATCH 1/6] gssapi: check for gss_acquire_cred_from
5    
6     BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
7    
8     Signed-off-by: Alexander Bokovoy <ab@samba.org>
9     Reviewed-by: Stefan Metzmacher <metze@samba.org>
10     (cherry picked from commit d630a364f9d74443e482934f76cd7107c331e108)
11     ---
12     wscript_configure_system_mitkrb5 | 1 +
13     1 file changed, 1 insertion(+)
14    
15     diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5
16     index 06a9821..d3e8ebf 100644
17     --- a/wscript_configure_system_mitkrb5
18     +++ b/wscript_configure_system_mitkrb5
19     @@ -92,6 +92,7 @@ conf.CHECK_FUNCS_IN('''
20     gsskrb5_extract_authz_data_from_sec_context
21     gss_krb5_export_lucid_sec_context
22     gss_import_cred gss_export_cred
23     + gss_acquire_cred_from
24     ''', 'gssapi gssapi_krb5')
25     conf.CHECK_VARIABLE('GSS_KRB5_CRED_NO_CI_FLAGS_X', headers=possible_gssapi_headers)
26     conf.CHECK_FUNCS_IN('krb5_mk_req_extended krb5_kt_compare', 'krb5')
27     --
28     2.9.3
29    
30    
31     From 4b4a95436a56ee91e6bef8e905656c387ce2f62c Mon Sep 17 00:00:00 2001
32     From: Alexander Bokovoy <ab@samba.org>
33     Date: Fri, 3 Mar 2017 16:14:57 +0200
34     Subject: [PATCH 2/6] lib/krb5_wrap: add smb_gss_krb5_import_cred wrapper
35    
36     Wrap gss_krb5_import_cred() to allow re-implementing it with
37     gss_acquire_cred_from() for newer MIT versions. gss_acquire_cred_from()
38     works fine with GSSAPI interposer (GSS-proxy) while
39     gss_krb5_import_cred() is not interposed yet.
40    
41     The wrapper has additional parameter, krb5_context handle, to facilitate
42     with credentials cache name discovery. All our callers to
43     gss_krb5_import_cred() already have krb5 context handy.
44    
45     BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
46    
47     Signed-off-by: Alexander Bokovoy <ab@samba.org>
48     Reviewed-by: Stefan Metzmacher <metze@samba.org>
49     (cherry picked from commit 0e6e8dd2600c699a7a02e3d11fed21b5bc49858d)
50     ---
51     lib/krb5_wrap/gss_samba.c | 121 ++++++++++++++++++++++++++++++++++++++++++++++
52     lib/krb5_wrap/gss_samba.h | 13 +++++
53     2 files changed, 134 insertions(+)
54    
55     diff --git a/lib/krb5_wrap/gss_samba.c b/lib/krb5_wrap/gss_samba.c
56     index b444633..757ffc5 100644
57     --- a/lib/krb5_wrap/gss_samba.c
58     +++ b/lib/krb5_wrap/gss_samba.c
59     @@ -48,4 +48,125 @@ int smb_gss_oid_equal(const gss_OID first_oid, const gss_OID second_oid)
60     }
61     #endif /* !HAVE_GSS_OID_EQUAL */
62    
63     +
64     +/* wrapper around gss_krb5_import_cred() that prefers to use gss_acquire_cred_from()
65     + * if this GSSAPI extension is available. gss_acquire_cred_from() is properly
66     + * interposed by GSSPROXY while gss_krb5_import_cred() is not.
67     + *
68     + * This wrapper requires a proper krb5_context to resolve ccache name.
69     + * All gss_krb5_import_cred() callers in Samba already have krb5_context available. */
70     +uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx,
71     + krb5_ccache id, krb5_principal keytab_principal,
72     + krb5_keytab keytab, gss_cred_id_t *cred)
73     +{
74     + uint32_t major_status = 0;
75     +
76     +#if HAVE_GSS_ACQUIRE_CRED_FROM
77     + uint32_t minor = 0;
78     + gss_key_value_element_desc ccache_element = {
79     + .key = "ccache",
80     + .value = NULL,
81     + };
82     +
83     + gss_key_value_element_desc keytab_element = {
84     + .key = "keytab",
85     + .value = NULL,
86     + };
87     +
88     + gss_key_value_element_desc elements[2];
89     +
90     + gss_key_value_set_desc cred_store = {
91     + .elements = &ccache_element,
92     + .count = 1,
93     + };
94     +
95     + gss_OID_set mech_set = GSS_C_NO_OID_SET;
96     + gss_cred_usage_t cred_usage = GSS_C_INITIATE;
97     + gss_name_t name = NULL;
98     + gss_buffer_desc pr_name = {
99     + .value = NULL,
100     + .length = 0,
101     + };
102     +
103     + if (id != NULL) {
104     + major_status = krb5_cc_get_full_name(ctx,
105     + id,
106     + discard_const(&ccache_element.value));
107     + if (major_status != 0) {
108     + return major_status;
109     + }
110     + }
111     +
112     + if (keytab != NULL) {
113     + keytab_element.value = malloc(4096);
114     + if (!keytab_element.value) {
115     + return ENOMEM;
116     + }
117     + major_status = krb5_kt_get_name(ctx,
118     + keytab,
119     + discard_const(keytab_element.value), 4096);
120     + if (major_status != 0) {
121     + free(discard_const(keytab_element.value));
122     + return major_status;
123     + }
124     + cred_usage = GSS_C_ACCEPT;
125     + cred_store.elements = &keytab_element;
126     +
127     + if (keytab_principal != NULL) {
128     + major_status = krb5_unparse_name(ctx, keytab_principal, (char**)&pr_name.value);
129     + if (major_status != 0) {
130     + free(discard_const(keytab_element.value));
131     + return major_status;
132     + }
133     + pr_name.length = strlen(pr_name.value);
134     +
135     + major_status = gss_import_name(minor_status,
136     + &pr_name,
137     + discard_const(GSS_KRB5_NT_PRINCIPAL_NAME),
138     + &name);
139     + if (major_status != 0) {
140     + krb5_free_unparsed_name(ctx, pr_name.value);
141     + free(discard_const(keytab_element.value));
142     + return major_status;
143     + }
144     + }
145     + }
146     +
147     + if (id != NULL && keytab != NULL) {
148     + elements[0] = ccache_element;
149     + elements[1] = keytab_element;
150     +
151     + cred_store.elements = elements;
152     + cred_store.count = 2;
153     + cred_usage = GSS_C_BOTH;
154     + }
155     +
156     + major_status = gss_acquire_cred_from(minor_status,
157     + name,
158     + 0,
159     + mech_set,
160     + cred_usage,
161     + &cred_store,
162     + cred,
163     + NULL,
164     + NULL);
165     +
166     + if (pr_name.value != NULL) {
167     + (void)gss_release_name(&minor, &name);
168     + krb5_free_unparsed_name(ctx, pr_name.value);
169     + }
170     + if (keytab_element.value != NULL) {
171     + free(discard_const(keytab_element.value));
172     + }
173     + krb5_free_string(ctx, discard_const(ccache_element.value));
174     +#else
175     + major_status = gss_krb5_import_cred(minor_status,
176     + id,
177     + keytab_principal,
178     + keytab, cred);
179     +#endif
180     + return major_status;
181     +}
182     +
183     +
184     #endif /* HAVE_GSSAPI */
185     diff --git a/lib/krb5_wrap/gss_samba.h b/lib/krb5_wrap/gss_samba.h
186     index 5319932..89aee34 100644
187     --- a/lib/krb5_wrap/gss_samba.h
188     +++ b/lib/krb5_wrap/gss_samba.h
189     @@ -25,6 +25,7 @@
190     #ifdef HAVE_GSSAPI
191    
192     #include "system/gssapi.h"
193     +#include "krb5_samba.h"
194    
195     #if defined(HAVE_GSS_OID_EQUAL)
196     #define smb_gss_oid_equal gss_oid_equal
197     @@ -32,5 +33,17 @@
198     int smb_gss_oid_equal(const gss_OID first_oid, const gss_OID second_oid);
199     #endif /* HAVE_GSS_OID_EQUAL */
200    
201     +/* wrapper around gss_krb5_import_cred() that prefers to use gss_acquire_cred_from()
202     + * if this GSSAPI extension is available. gss_acquire_cred_from() is properly
203     + * interposed by GSS-proxy while gss_krb5_import_cred() is not.
204     + *
205     + * This wrapper requires a proper krb5_context to resolve the ccache name for
206     + * gss_acquire_cred_from().
207     + *
208     + * All gss_krb5_import_cred() callers in Samba already have krb5_context available. */
209     +uint32_t smb_gss_krb5_import_cred(OM_uint32 *minor_status, krb5_context ctx,
210     + krb5_ccache id, krb5_principal keytab_principal,
211     + krb5_keytab keytab, gss_cred_id_t *cred);
212     +
213     #endif /* HAVE_GSSAPI */
214     #endif /* _GSS_SAMBA_H */
215     --
216     2.9.3
217    
218    
219     From f06fafce32a27acf4028ab573297c64189b62e30 Mon Sep 17 00:00:00 2001
220     From: Alexander Bokovoy <ab@samba.org>
221     Date: Fri, 3 Mar 2017 16:57:13 +0200
222     Subject: [PATCH 3/6] credentials_krb5: convert to use smb_gss_krb5_import_cred
223    
224     BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
225    
226     Signed-off-by: Alexander Bokovoy <ab@samba.org>
227     Reviewed-by: Stefan Metzmacher <metze@samba.org>
228     (cherry picked from commit ca8fd793930173b4e625d3f286739de214155bc1)
229     ---
230     auth/credentials/credentials_krb5.c | 22 +++++++++++++---------
231     1 file changed, 13 insertions(+), 9 deletions(-)
232    
233     diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
234     index e974df9..0e68012 100644
235     --- a/auth/credentials/credentials_krb5.c
236     +++ b/auth/credentials/credentials_krb5.c
237     @@ -579,8 +579,9 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
238     return ENOMEM;
239     }
240    
241     - maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL,
242     - &gcc->creds);
243     + maj_stat = smb_gss_krb5_import_cred(&min_stat, ccache->smb_krb5_context->krb5_context,
244     + ccache->ccache, NULL, NULL,
245     + &gcc->creds);
246     if ((maj_stat == GSS_S_FAILURE) &&
247     (min_stat == (OM_uint32)KRB5_CC_END ||
248     min_stat == (OM_uint32)KRB5_CC_NOTFOUND ||
249     @@ -597,8 +598,9 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
250     return ret;
251     }
252    
253     - maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL,
254     - &gcc->creds);
255     + maj_stat = smb_gss_krb5_import_cred(&min_stat, ccache->smb_krb5_context->krb5_context,
256     + ccache->ccache, NULL, NULL,
257     + &gcc->creds);
258    
259     }
260    
261     @@ -609,7 +611,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
262     } else {
263     ret = EINVAL;
264     }
265     - (*error_string) = talloc_asprintf(cred, "gss_krb5_import_cred failed: %s", error_message(ret));
266     + (*error_string) = talloc_asprintf(cred, "smb_gss_krb5_import_cred failed: %s", error_message(ret));
267     return ret;
268     }
269    
270     @@ -1076,12 +1078,14 @@ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
271    
272     if (ktc->password_based || obtained < CRED_SPECIFIED) {
273     /* This creates a GSSAPI cred_id_t for match-by-key with only the keytab set */
274     - maj_stat = gss_krb5_import_cred(&min_stat, NULL, NULL, ktc->keytab,
275     - &gcc->creds);
276     + maj_stat = smb_gss_krb5_import_cred(&min_stat, smb_krb5_context->krb5_context,
277     + NULL, NULL, ktc->keytab,
278     + &gcc->creds);
279     } else {
280     /* This creates a GSSAPI cred_id_t with the principal and keytab set, matching by name */
281     - maj_stat = gss_krb5_import_cred(&min_stat, NULL, princ, ktc->keytab,
282     - &gcc->creds);
283     + maj_stat = smb_gss_krb5_import_cred(&min_stat, smb_krb5_context->krb5_context,
284     + NULL, princ, ktc->keytab,
285     + &gcc->creds);
286     }
287     if (maj_stat) {
288     if (min_stat) {
289     --
290     2.9.3
291    
292    
293     From 5305bffd4c72a85cc6c3148222ef7e346cbe3d87 Mon Sep 17 00:00:00 2001
294     From: Alexander Bokovoy <ab@samba.org>
295     Date: Fri, 3 Mar 2017 16:57:50 +0200
296     Subject: [PATCH 4/6] libads: convert to use smb_gss_krb5_import_cred
297    
298     BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
299    
300     Signed-off-by: Alexander Bokovoy <ab@samba.org>
301     Reviewed-by: Stefan Metzmacher <metze@samba.org>
302     (cherry picked from commit 520167992bd2477bc11920d2dc9ec87f2cb339c9)
303     ---
304     source3/libads/sasl.c | 2 +-
305     1 file changed, 1 insertion(+), 1 deletion(-)
306    
307     diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
308     index 8570788..30127fa 100644
309     --- a/source3/libads/sasl.c
310     +++ b/source3/libads/sasl.c
311     @@ -372,7 +372,7 @@ static ADS_STATUS ads_init_gssapi_cred(ADS_STRUCT *ads, gss_cred_id_t *cred)
312     goto done;
313     }
314    
315     - maj = gss_krb5_import_cred(&min, kccache, NULL, NULL, cred);
316     + maj = smb_gss_krb5_import_cred(&min, kctx, kccache, NULL, NULL, cred);
317     if (maj != GSS_S_COMPLETE) {
318     status = ADS_ERROR_GSS(maj, min);
319     goto done;
320     --
321     2.9.3
322    
323    
324     From 1dbc68f9bee19a9c26825cc5be7d81951dcac710 Mon Sep 17 00:00:00 2001
325     From: Alexander Bokovoy <ab@samba.org>
326     Date: Fri, 3 Mar 2017 16:58:14 +0200
327     Subject: [PATCH 5/6] s3-gse: convert to use smb_gss_krb5_import_cred
328    
329     BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
330    
331     Signed-off-by: Alexander Bokovoy <ab@samba.org>
332     Reviewed-by: Stefan Metzmacher <metze@samba.org>
333     (cherry picked from commit 3d733d5791a6d82edda13ac39790bd8ba893f3d7)
334     ---
335     source3/librpc/crypto/gse.c | 20 +++++++++++---------
336     1 file changed, 11 insertions(+), 9 deletions(-)
337    
338     diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
339     index abf20bc..f4238f3 100644
340     --- a/source3/librpc/crypto/gse.c
341     +++ b/source3/librpc/crypto/gse.c
342     @@ -252,11 +252,12 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
343     /* TODO: get krb5 ticket using username/password, if no valid
344     * one already available in ccache */
345    
346     - gss_maj = gss_krb5_import_cred(&gss_min,
347     - gse_ctx->ccache,
348     - NULL, /* keytab_principal */
349     - NULL, /* keytab */
350     - &gse_ctx->creds);
351     + gss_maj = smb_gss_krb5_import_cred(&gss_min,
352     + gse_ctx->k5ctx,
353     + gse_ctx->ccache,
354     + NULL, /* keytab_principal */
355     + NULL, /* keytab */
356     + &gse_ctx->creds);
357     if (gss_maj) {
358     char *ccache = NULL;
359     int kret;
360     @@ -268,7 +269,7 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
361     ccache = NULL;
362     }
363    
364     - DEBUG(5, ("gss_krb5_import_cred ccache[%s] failed with [%s] -"
365     + DEBUG(5, ("smb_gss_krb5_import_cred ccache[%s] failed with [%s] -"
366     "the caller may retry after a kinit.\n",
367     ccache, gse_errstr(gse_ctx, gss_maj, gss_min)));
368     SAFE_FREE(ccache);
369     @@ -430,12 +431,13 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
370     }
371    
372     /* This creates a GSSAPI cred_id_t with the keytab set */
373     - gss_maj = gss_krb5_import_cred(&gss_min, NULL, NULL, gse_ctx->keytab,
374     - &gse_ctx->creds);
375     + gss_maj = smb_gss_krb5_import_cred(&gss_min, gse_ctx->k5ctx,
376     + NULL, NULL, gse_ctx->keytab,
377     + &gse_ctx->creds);
378    
379     if (gss_maj != 0
380     && gss_maj != (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) {
381     - DEBUG(0, ("gss_krb5_import_cred failed with [%s]\n",
382     + DEBUG(0, ("smb_gss_krb5_import_cred failed with [%s]\n",
383     gse_errstr(gse_ctx, gss_maj, gss_min)));
384     status = NT_STATUS_INTERNAL_ERROR;
385     goto done;
386     --
387     2.9.3
388    
389    
390     From 3c9390d26cf12e483d98f005b43da7b10348753d Mon Sep 17 00:00:00 2001
391     From: Alexander Bokovoy <ab@samba.org>
392     Date: Wed, 8 Mar 2017 12:38:49 +0200
393     Subject: [PATCH 6/6] s3-gse: move krb5 fallback to smb_gss_krb5_import_cred
394     wrapper
395    
396     MIT krb5 1.9 version of gss_krb5_import_cred() may fail when importing
397     credentials from a keytab without specifying actual principal.
398     This was fixed in MIT krb5 1.9.2 (see commit
399     71c3be093db577aa52f6b9a9a3a9f442ca0d8f20 in MIT krb5-1.9 branch, git
400     master's version is bd18687a705a8a6cdcb7c140764d1a7c6a3381b5).
401    
402     Move fallback code to the smb_gss_krb5_import_cred wrapper. We only
403     expect this fallback to happen with krb5 GSSAPI mechanism, thus hard
404     code use of krb5 mech when calling to gss_acquire_cred.
405    
406     BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
407    
408     Signed-off-by: Alexander Bokovoy <ab@samba.org>
409     Reviewed-by: Stefan Metzmacher <metze@samba.org>
410    
411     Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
412     Autobuild-Date(master): Wed Mar 8 22:00:24 CET 2017 on sn-devel-144
413    
414     (cherry picked from commit 57286d57732d49fdb8b8e21f584787cdbc917c32)
415     ---
416     lib/krb5_wrap/gss_samba.c | 46 +++++++++++++++++++++++++++++++++++++++---
417     source3/librpc/crypto/gse.c | 49 +--------------------------------------------
418     2 files changed, 44 insertions(+), 51 deletions(-)
419    
420     diff --git a/lib/krb5_wrap/gss_samba.c b/lib/krb5_wrap/gss_samba.c
421     index 757ffc5..9e5ad4a 100644
422     --- a/lib/krb5_wrap/gss_samba.c
423     +++ b/lib/krb5_wrap/gss_samba.c
424     @@ -161,9 +161,49 @@ uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx,
425     krb5_free_string(ctx, discard_const(ccache_element.value));
426     #else
427     major_status = gss_krb5_import_cred(minor_status,
428     - id,
429     - keytab_principal,
430     - keytab, cred);
431     + id,
432     + keytab_principal,
433     + keytab, cred);
434     +
435     + if (major_status == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) {
436     + if ((keytab_principal == NULL) && (keytab != NULL)) {
437     + /* No principal was specified and MIT krb5 1.9 version failed.
438     + * We have to fall back to set global acceptor identity */
439     + gss_OID_set_desc mech_set;
440     + char *kt_name = NULL;
441     +
442     + kt_name = malloc(4096);
443     + if (!kt_name) {
444     + return ENOMEM;
445     + }
446     +
447     + major_status = krb5_kt_get_name(ctx,
448     + keytab,
449     + kt_name, 4096);
450     + if (major_status != 0) {
451     + free(kt_name);
452     + return major_status;
453     + }
454     +
455     + major_status = gsskrb5_register_acceptor_identity(kt_name);
456     + if (major_status) {
457     + free(kt_name);
458     + return major_status;
459     + }
460     +
461     + /* We are dealing with krb5 GSSAPI mech in this fallback */
462     + mech_set.count = 1;
463     + mech_set.elements = gss_mech_krb5;
464     + major_status = gss_acquire_cred(minor_status,
465     + GSS_C_NO_NAME,
466     + GSS_C_INDEFINITE,
467     + &mech_set,
468     + GSS_C_ACCEPT,
469     + cred,
470     + NULL, NULL);
471     + free(kt_name);
472     + }
473     + }
474     #endif
475     return major_status;
476     }
477     diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
478     index f4238f3..a111320 100644
479     --- a/source3/librpc/crypto/gse.c
480     +++ b/source3/librpc/crypto/gse.c
481     @@ -435,58 +435,11 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
482     NULL, NULL, gse_ctx->keytab,
483     &gse_ctx->creds);
484    
485     - if (gss_maj != 0
486     - && gss_maj != (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) {
487     + if (gss_maj != 0) {
488     DEBUG(0, ("smb_gss_krb5_import_cred failed with [%s]\n",
489     gse_errstr(gse_ctx, gss_maj, gss_min)));
490     status = NT_STATUS_INTERNAL_ERROR;
491     goto done;
492     -
493     - /* This is the error the MIT krb5 1.9 gives when it
494     - * implements the function, but we do not specify the
495     - * principal. However, when we specify the principal
496     - * as host$@REALM the GSS acceptor fails with 'wrong
497     - * principal in request'. Work around the issue by
498     - * falling back to the alternate approach below. */
499     - } else if (gss_maj == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME))
500     - /* FIXME!!!
501     - * This call sets the default keytab for the whole server, not
502     - * just for this context. Need to find a way that does not alter
503     - * the state of the whole server ... */
504     - {
505     - const char *ktname;
506     - gss_OID_set_desc mech_set;
507     -
508     - ret = smb_krb5_kt_get_name(gse_ctx, gse_ctx->k5ctx,
509     - gse_ctx->keytab, &ktname);
510     - if (ret) {
511     - status = NT_STATUS_INTERNAL_ERROR;
512     - goto done;
513     - }
514     -
515     - ret = gsskrb5_register_acceptor_identity(ktname);
516     - if (ret) {
517     - status = NT_STATUS_INTERNAL_ERROR;
518     - goto done;
519     - }
520     -
521     - mech_set.count = 1;
522     - mech_set.elements = &gse_ctx->gss_mech;
523     -
524     - gss_maj = gss_acquire_cred(&gss_min,
525     - GSS_C_NO_NAME,
526     - GSS_C_INDEFINITE,
527     - &mech_set,
528     - GSS_C_ACCEPT,
529     - &gse_ctx->creds,
530     - NULL, NULL);
531     -
532     - if (gss_maj) {
533     - DEBUG(0, ("gss_acquire_creds failed with [%s]\n",
534     - gse_errstr(gse_ctx, gss_maj, gss_min)));
535     - status = NT_STATUS_INTERNAL_ERROR;
536     - goto done;
537     - }
538     }
539    
540     status = NT_STATUS_OK;
541     --
542     2.9.3
543    
admin@koozali.org
 ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed