/* Create a auth_session_info_transport from an auth_session_info.
*
* NOTE: Members of the auth_session_info_transport structure are
* talloc_referenced() into this structure, and should not be changed.
*/
NTSTATUS auth_session_info_transport_from_session(TALLOC_CTX *mem_ctx,
struct auth_session_info *session_info,
struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,
struct auth_session_info_transport **transport_out)
{
struct auth_session_info_transport *session_info_transport
= talloc_zero(mem_ctx, struct auth_session_info_transport);
if (!session_info_transport) {
return NT_STATUS_NO_MEMORY;
};
session_info_transport->session_info = talloc_reference(session_info_transport, session_info);
if (!session_info_transport->session_info) {
return NT_STATUS_NO_MEMORY;
};
if (session_info->credentials) {
struct gssapi_creds_container *gcc;
OM_uint32 gret;
OM_uint32 minor_status;
gss_buffer_desc cred_token;
const char *error_string;
int ret;
ret = cli_credentials_get_client_gss_creds(session_info->credentials,
event_ctx,
lp_ctx,
&gcc, &error_string);
if (ret != 0) {
*transport_out = session_info_transport;
return NT_STATUS_OK;
}
gret = gss_export_cred(&minor_status,
gcc->creds,
&cred_token);
if (gret != GSS_S_COMPLETE) {
return NT_STATUS_INTERNAL_ERROR;
}
if (cred_token.length) {
session_info_transport->exported_gssapi_credentials
= data_blob_talloc(session_info_transport,
cred_token.value,
cred_token.length);
gss_release_buffer(&minor_status, &cred_token);
NT_STATUS_HAVE_NO_MEMORY(session_info_transport->exported_gssapi_credentials.data);
}
}
*transport_out = session_info_transport;
return NT_STATUS_OK;
}
static NTSTATUS gensec_gssapi_client_creds(struct gensec_security *gensec_security,
struct tevent_context *ev)
{
struct gensec_gssapi_state *gensec_gssapi_state;
struct gssapi_creds_container *gcc;
struct cli_credentials *creds = gensec_get_credentials(gensec_security);
const char *error_string;
int ret;
gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
/* Only run this the first time the update() call is made */
if (gensec_gssapi_state->client_cred) {
return NT_STATUS_OK;
}
ret = cli_credentials_get_client_gss_creds(creds,
ev,
gensec_security->settings->lp_ctx, &gcc, &error_string);
switch (ret) {
case 0:
break;
case EINVAL:
DEBUG(3, ("Cannot obtain client GSS credentials we need to contact %s : %s\n", gensec_gssapi_state->target_principal, error_string));
return NT_STATUS_INVALID_PARAMETER;
case KRB5KDC_ERR_PREAUTH_FAILED:
case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
case KRB5KRB_AP_ERR_BAD_INTEGRITY:
DEBUG(1, ("Wrong username or password: %s\n", error_string));
return NT_STATUS_LOGON_FAILURE;
case KRB5KDC_ERR_CLIENT_REVOKED:
DEBUG(1, ("Account locked out: %s\n", error_string));
return NT_STATUS_ACCOUNT_LOCKED_OUT;
case KRB5_REALM_UNKNOWN:
case KRB5_KDC_UNREACH:
DEBUG(3, ("Cannot reach a KDC we require to contact %s : %s\n", gensec_gssapi_state->target_principal, error_string));
return NT_STATUS_NO_LOGON_SERVERS;
case KRB5_CC_NOTFOUND:
case KRB5_CC_END:
DEBUG(2, ("Error obtaining ticket we require to contact %s: (possibly due to clock skew between us and the KDC) %s\n", gensec_gssapi_state->target_principal, error_string));
return NT_STATUS_TIME_DIFFERENCE_AT_DC;
default:
DEBUG(1, ("Aquiring initiator credentials failed: %s\n", error_string));
return NT_STATUS_UNSUCCESSFUL;
}
gensec_gssapi_state->client_cred = gcc;
if (!talloc_reference(gensec_gssapi_state, gcc)) {
return NT_STATUS_NO_MEMORY;
}
return NT_STATUS_OK;
}
