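/* Create a auth_session_info_transport from an auth_session_info.
 *
 * NOTE: Members of the auth_session_info_transport structure are
 * talloc_referenced() into this structure, and should not be changed.
 *
 * Ownership: on success *transport_out receives a structure allocated
 * under mem_ctx.  On any failure the partially built structure is freed
 * and *transport_out is left untouched, so the caller never ends up
 * holding a half-initialised transport (the original returned early on
 * the talloc_reference(), gss_export_cred() and data_blob_talloc()
 * failure paths without freeing it).
 *
 * Failing to obtain client GSS credentials is deliberately not an error:
 * the transport is returned without exported_gssapi_credentials, exactly
 * as before.
 *
 * Returns NT_STATUS_OK, NT_STATUS_NO_MEMORY, or NT_STATUS_INTERNAL_ERROR
 * when gss_export_cred() does not complete.
 */
NTSTATUS auth_session_info_transport_from_session(TALLOC_CTX *mem_ctx,
						  struct auth_session_info *session_info,
						  struct tevent_context *event_ctx,
						  struct loadparm_context *lp_ctx,
						  struct auth_session_info_transport **transport_out)
{
	struct auth_session_info_transport *session_info_transport;
	NTSTATUS status;

	session_info_transport = talloc_zero(mem_ctx, struct auth_session_info_transport);
	if (session_info_transport == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	session_info_transport->session_info = talloc_reference(session_info_transport,
								session_info);
	if (session_info_transport->session_info == NULL) {
		status = NT_STATUS_NO_MEMORY;
		goto fail;
	}

	if (session_info->credentials) {
		struct gssapi_creds_container *gcc;
		OM_uint32 gret;
		OM_uint32 minor_status;
		gss_buffer_desc cred_token;
		const char *error_string;
		int ret;

		ret = cli_credentials_get_client_gss_creds(session_info->credentials,
							   event_ctx, lp_ctx,
							   &gcc, &error_string);
		if (ret != 0) {
			/* No client credentials available: hand back the
			 * transport without an exported blob (not an error). */
			*transport_out = session_info_transport;
			return NT_STATUS_OK;
		}

		gret = gss_export_cred(&minor_status, gcc->creds, &cred_token);
		if (gret != GSS_S_COMPLETE) {
			status = NT_STATUS_INTERNAL_ERROR;
			goto fail;
		}

		if (cred_token.length) {
			session_info_transport->exported_gssapi_credentials =
				data_blob_talloc(session_info_transport,
						 cred_token.value,
						 cred_token.length);
			/* The talloc copy (if any) is independent of the
			 * GSSAPI buffer, so release the buffer before
			 * checking whether the copy succeeded. */
			gss_release_buffer(&minor_status, &cred_token);
			if (session_info_transport->exported_gssapi_credentials.data == NULL) {
				status = NT_STATUS_NO_MEMORY;
				goto fail;
			}
		}
	}

	*transport_out = session_info_transport;
	return NT_STATUS_OK;

fail:
	/* Frees the talloc_reference() on session_info as well. */
	talloc_free(session_info_transport);
	return status;
}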
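/*
 * Obtain the client (initiator) GSSAPI credentials for this gensec context.
 *
 * Runs only once per context: if gensec_gssapi_state->client_cred is
 * already set, NT_STATUS_OK is returned immediately.  Otherwise the
 * return code of cli_credentials_get_client_gss_creds() is mapped onto
 * an NTSTATUS that distinguishes bad parameters, wrong username or
 * password, a locked-out account, an unreachable realm/KDC, a ticket
 * problem (possibly clock skew), and any other failure.
 *
 * On success the credentials container is referenced by
 * gensec_gssapi_state and stored in client_cred.  The reference is taken
 * before the pointer is published, so a failed talloc_reference() never
 * leaves client_cred pointing at memory this state does not hold.
 *
 * Returns NT_STATUS_OK on success, or the mapped error NTSTATUS.
 */
static NTSTATUS gensec_gssapi_client_creds(struct gensec_security *gensec_security,
					   struct tevent_context *ev)
{
	struct gensec_gssapi_state *gensec_gssapi_state;
	struct gssapi_creds_container *gcc;
	struct cli_credentials *creds = gensec_get_credentials(gensec_security);
	const char *error_string;
	int ret;

	gensec_gssapi_state = talloc_get_type(gensec_security->private_data,
					      struct gensec_gssapi_state);

	/* Only run this the first time the update() call is made */
	if (gensec_gssapi_state->client_cred) {
		return NT_STATUS_OK;
	}

	ret = cli_credentials_get_client_gss_creds(creds, ev,
						   gensec_security->settings->lp_ctx,
						   &gcc, &error_string);
	switch (ret) {
	case 0:
		break;
	case EINVAL:
		DEBUG(3, ("Cannot obtain client GSS credentials we need to contact %s : %s\n",
			  gensec_gssapi_state->target_principal, error_string));
		return NT_STATUS_INVALID_PARAMETER;
	case KRB5KDC_ERR_PREAUTH_FAILED:
	case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
	case KRB5KRB_AP_ERR_BAD_INTEGRITY:
		DEBUG(1, ("Wrong username or password: %s\n", error_string));
		return NT_STATUS_LOGON_FAILURE;
	case KRB5KDC_ERR_CLIENT_REVOKED:
		DEBUG(1, ("Account locked out: %s\n", error_string));
		return NT_STATUS_ACCOUNT_LOCKED_OUT;
	case KRB5_REALM_UNKNOWN:
	case KRB5_KDC_UNREACH:
		DEBUG(3, ("Cannot reach a KDC we require to contact %s : %s\n",
			  gensec_gssapi_state->target_principal, error_string));
		return NT_STATUS_NO_LOGON_SERVERS;
	case KRB5_CC_NOTFOUND:
	case KRB5_CC_END:
		DEBUG(2, ("Error obtaining ticket we require to contact %s: (possibly due to clock skew between us and the KDC) %s\n",
			  gensec_gssapi_state->target_principal, error_string));
		return NT_STATUS_TIME_DIFFERENCE_AT_DC;
	default:
		DEBUG(1, ("Aquiring initiator credentials failed: %s\n", error_string));
		return NT_STATUS_UNSUCCESSFUL;
	}

	/* Take the reference first; only publish the pointer once we
	 * actually hold the container (the original assigned first and
	 * could leave a dangling client_cred on reference failure). */
	if (!talloc_reference(gensec_gssapi_state, gcc)) {
		return NT_STATUS_NO_MEMORY;
	}
	gensec_gssapi_state->client_cred = gcc;

	return NT_STATUS_OK;
}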