From d9b09b6c72c8d9a701758d4af91c3e7385b8332d Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Fri, 3 Mar 2017 11:04:52 +0200 Subject: [PATCH] credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case Use gss_acquire_cred() to obtain credentials from the default credentials store for client-based GENSEC GSSAPI operation. This allows proper execution under the GSSAPI interposer plugin provided by the GSS-proxy project. GSS-proxy 0.6.2 makes it possible to interpose gss_acquire_cred() in a similar fashion to gss_acquire_cred_from(). While gss_acquire_cred_from() is a MIT extension, gss_acquire_cred() is available in Heimdal as well and is used in other parts of Samba, namely in source3's GENSEC gse module. Client operation in a GSS-proxy-enabled environment is needed for the upcoming FreeIPA 4.5, which internally does privilege separation between its framework and the Apache front end code that handles actual authentication of incoming client requests. Samba Python bindings are used by the FreeIPA framework to establish a forest trust between local Samba and remote Active Directory forests. When a FreeIPA administrator attempts to create a trust, FreeIPA uses S4U2Proxy to allow the HTTP/... principal to act on behalf of the remote administrator credentials. With privilege separation in place, Samba GENSEC and credentials code is unable to find actual tickets in the credential cache available in the environment because GSS-proxy keeps them encrypted and only accessible via GSSAPI calls that were interposed. gss_krb5_import_cred() is not interposed, as are many other direct Kerberos extensions to GSSAPI. As a result, we need to use a proper GSSAPI call here. GSS-proxy 0.6.3 will also handle gss_set_cred_option(), thus making this minimal patch enough to enable FreeIPA 4.5 to operate in privilege separation mode with Samba Python bindings. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611 
Signed-off-by: Alexander Bokovoy
---
 auth/credentials/credentials_krb5.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index d2a655e..53e4c6b 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -717,8 +717,8 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
 return ENOMEM;
 }
- maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL,
- &gcc->creds);
+ maj_stat = gss_acquire_cred(&min_stat, GSS_C_NO_NAME, 0, GSS_C_NO_OID_SET, GSS_C_INITIATE,
+ &gcc->creds, NULL, NULL);
 if ((maj_stat == GSS_S_FAILURE) &&
 (min_stat == (OM_uint32)KRB5_CC_END ||
 min_stat == (OM_uint32)KRB5_CC_NOTFOUND ||
@@ -735,8 +735,8 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
 return ret;
 }
- maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL,
- &gcc->creds);
+ maj_stat = gss_acquire_cred(&min_stat, GSS_C_NO_NAME, 0, GSS_C_NO_OID_SET, GSS_C_INITIATE,
+ &gcc->creds, NULL, NULL);
 }
--
2.9.3
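Review bot: The new gss_acquire_cred() call in the first hunk no longer passes `ccache->ccache`, the cache this function resolved for the cli_credentials object, and instead takes the initiator credential from the process's default credential store; when those two differ (a caller-selected ccache, or a cache populated from a password on the retry path in the second hunk), GSSAPI will initiate as whatever principal the default store holds rather than as the identity the caller configured, and nothing in the hunk detects the mismatch. Unless every caller is known to keep the default store equal to `ccache->ccache` (not visible here), the cache should be handed to GSSAPI explicitly: on MIT, gss_acquire_cred_from() with a cred-store element keyed `"ccache"` whose value is the name obtained via krb5_cc_get_full_name(), keeping gss_krb5_import_cred() as the fallback where the _from variant is unavailable; this is also interposed by GSS-proxy per the commit message. The error check that follows still compares `min_stat` against `KRB5_CC_END` / `KRB5_CC_NOTFOUND`, which are the minor codes gss_krb5_import_cred() reported for an empty cache; whether gss_acquire_cred() reports a missing default cache with the same codes rather than e.g. a file-level error should be confirmed, otherwise the password-based retry in the second hunk would no longer be reached. A one-line comment above the call, `/* Credential comes from the default store, not ccache->ccache; the two must be kept in sync by callers */`, would at least make the dependency explicit. The enclosing cli_credentials_get_client_gss_creds() starts and ends outside both hunks.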