The Samba-Bugzilla – Attachment 13008 Details for Bug 12611
credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case
[patch] patch for git master
Filename: samba-gss_acquire_cred.patch
MIME Type: text/plain
Creator: Alexander Bokovoy
Created: 2017-03-03 09:53:49 UTC
Size: 3.05 KB
Flags: patch, obsolete
>From d9b09b6c72c8d9a701758d4af91c3e7385b8332d Mon Sep 17 00:00:00 2001
>From: Alexander Bokovoy <ab@samba.org>
>Date: Fri, 3 Mar 2017 11:04:52 +0200
>Subject: [PATCH] credentials_krb5: use gss_acquire_cred for client-side GSSAPI
> use case
>
>Use gss_acquire_cred() to obtain credentials from the default
>credentials store for client-based GENSEC GSSAPI operation.
>
>This allows proper execution under the GSSAPI interposer plugin provided by
>the GSS-proxy project. GSS-proxy 0.6.2 makes it possible to interpose
>gss_acquire_cred() in a similar fashion to gss_acquire_cred_from().
>While gss_acquire_cred_from() is a MIT extension, gss_acquire_cred() is
>available in Heimdal as well and is used in other parts of Samba, namely
>in source3's GENSEC gse module.
>
>Client operation in a GSS-proxy-enabled environment is needed for the upcoming
>FreeIPA 4.5, which internally does privilege separation between its
>framework and the Apache front end code that handles actual authentication
>of incoming client requests.
>
>Samba Python bindings are used by the FreeIPA framework to establish forest
>trust between local Samba and remote Active Directory forests. When a
>FreeIPA administrator attempts to create a trust, FreeIPA uses S4U2Proxy
>to allow the HTTP/... principal to act on behalf of the remote administrator's
>credentials. With privilege separation in place, Samba GENSEC and
>credentials code is unable to find actual tickets in the credential
>cache available in the environment because GSS-proxy keeps them
>encrypted and only accessible via GSSAPI calls that were interposed.
>
>gss_krb5_import_cred() is not interposed, like many other direct Kerberos
>extensions to GSSAPI. As a result, we need to use a proper GSSAPI call here.
>
>GSS-proxy 0.6.3 will also handle gss_set_cred_option(), thus making
>this minimal patch enough to enable FreeIPA 4.5 to operate in privilege
>separation mode with Samba Python bindings.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
> >Signed-off-by: Alexander Bokovoy <ab@samba.org> >--- > auth/credentials/credentials_krb5.c | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > >diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c >index d2a655e..53e4c6b 100644 >--- a/auth/credentials/credentials_krb5.c >+++ b/auth/credentials/credentials_krb5.c >@@ -717,8 +717,8 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, > return ENOMEM; > } > >- maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL, >- &gcc->creds); >+ maj_stat = gss_acquire_cred(&min_stat, GSS_C_NO_NAME, 0, GSS_C_NO_OID_SET, GSS_C_INITIATE, >+ &gcc->creds, NULL, NULL); > if ((maj_stat == GSS_S_FAILURE) && > (min_stat == (OM_uint32)KRB5_CC_END || > min_stat == (OM_uint32)KRB5_CC_NOTFOUND || >@@ -735,8 +735,8 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, > return ret; > } > >- maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL, >- &gcc->creds); >+ maj_stat = gss_acquire_cred(&min_stat, GSS_C_NO_NAME, 0, GSS_C_NO_OID_SET, GSS_C_INITIATE, >+ &gcc->creds, NULL, NULL); > > } > >-- >2.9.3 >
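Review bot: in the hunk at @@ -717,8 the ccache this function obtained just above (ccache->ccache, the handle the removed gss_krb5_import_cred() call was bound to) is no longer passed anywhere, so gss_acquire_cred() with GSS_C_NO_NAME picks up whatever the process default credential store holds; if cli_credentials was pointed at a non-default ccache, the identity acquired for GSS_C_INITIATE can silently differ from the one the caller selected, and that should at least be documented at the call site. Passing GSS_C_NO_OID_SET also widens the previous Kerberos-only acquisition to every installed mechanism; an OID set containing the krb5 mechanism OID would keep the semantics of gss_krb5_import_cred() and matches the krb5-specific gss_set_cred_option() call the commit message relies on. The check that follows only treats GSS_S_FAILURE with a KRB5_CC_END / KRB5_CC_NOTFOUND minor status as "no ticket yet"; gss_acquire_cred() can report an empty or missing cache as GSS_S_NO_CRED with a mechanism-specific minor status instead, so that branch needs to be verified on both MIT and Heimdal, since the commit message targets both. Style: the new line is well over the 80-column limit Samba's coding guidelines ask for; wrapping it as
maj_stat = gss_acquire_cred(&min_stat, GSS_C_NO_NAME, 0, GSS_C_NO_OID_SET,
                            GSS_C_INITIATE, &gcc->creds, NULL, NULL);
keeps it within the limit.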
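Review bot: the retry in the hunk at @@ -735,8 is now a byte-for-byte copy of the eight-argument call in the hunk above, and neither copy depends on ccache->ccache any more, so folding the two into one static helper (or acquiring once after the optional ticket fetch) would stop the two call sites drifting apart. More importantly, this second call sits right after a step that returns ret on failure, which is the path meant to make the retry succeed, yet it still asks gss_acquire_cred() for the default store rather than for the cache that step used; if that step wrote its tickets into ccache->ccache instead of the process default, the retry fails exactly as the first attempt did. The visible context also shows no status check after this second call before the function continues; that is pre-existing, but with the switch to gss_acquire_cred() it is worth confirming that a GSS_S_NO_CRED major status here is handled by the caller and not passed on as a usable gcc->creds.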
Attachments on bug 12611: 13008 | 13032 | 13033 | 13036 | 13055