int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
struct gssapi_creds_container **_gcc)
{
int ret = 0;
OM_uint32 maj_stat, min_stat;
struct gssapi_creds_container *gcc;
struct ccache_container *ccache;
if (cred->client_gss_creds_obtained >= (MAX(cred->ccache_obtained,
MAX(cred->principal_obtained,
cred->username_obtained)))) {
*_gcc = cred->client_gss_creds;
return 0;
}
ret = cli_credentials_get_ccache(cred,
&ccache);
if (ret) {
DEBUG(1, ("Failed to get CCACHE for GSSAPI client: %s\n", error_message(ret)));
return ret;
}
gcc = talloc(cred, struct gssapi_creds_container);
if (!gcc) {
return ENOMEM;
}
maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL,
&gcc->creds);
if (maj_stat) {
if (min_stat) {
ret = min_stat;
} else {
ret = EINVAL;
}
}
if (ret == 0) {
cred->client_gss_creds_obtained = cred->ccache_obtained;
talloc_set_destructor(gcc, free_gssapi_creds);
cred->client_gss_creds = gcc;
*_gcc = gcc;
}
return ret;
}
/*
connect to a share - used when a tree_connect operation comes in.
*/
static NTSTATUS cvfs_connect(struct ntvfs_module_context *ntvfs,
struct ntvfs_request *req,
union smb_tcon *tcon)
{
NTSTATUS status;
struct cvfs_private *p;
const char *host, *user, *pass, *domain, *remote_share;
struct smb_composite_connect io;
struct composite_context *creq;
struct share_config *scfg = ntvfs->ctx->config;
struct cli_credentials *credentials;
bool machine_account;
bool s4u2proxy;
const char* sharename;
switch (tcon->generic.level) {
case RAW_TCON_TCON:
sharename = tcon->tcon.in.service;
break;
case RAW_TCON_TCONX:
sharename = tcon->tconx.in.path;
break;
case RAW_TCON_SMB2:
sharename = tcon->smb2.in.path;
break;
default:
return NT_STATUS_INVALID_LEVEL;
}
if (strncmp(sharename, "\\\\", 2) == 0) {
char *str = strchr(sharename+2, '\\');
if (str) {
sharename = str + 1;
}
}
/* Here we need to determine which server to connect to.
* For now we use parametric options, type cifs.
* Later we will use security=server and auth_server.c.
*/
host = share_string_option(scfg, CIFS_SERVER, NULL);
user = share_string_option(scfg, CIFS_USER, NULL);
pass = share_string_option(scfg, CIFS_PASSWORD, NULL);
domain = share_string_option(scfg, CIFS_DOMAIN, NULL);
remote_share = share_string_option(scfg, CIFS_SHARE, NULL);
if (!remote_share) {
remote_share = sharename;
}
machine_account = share_bool_option(scfg, CIFS_USE_MACHINE_ACCT, CIFS_USE_MACHINE_ACCT_DEFAULT);
s4u2proxy = share_bool_option(scfg, CIFS_USE_S4U2PROXY, CIFS_USE_S4U2PROXY_DEFAULT);
p = talloc_zero(ntvfs, struct cvfs_private);
if (!p) {
return NT_STATUS_NO_MEMORY;
}
ntvfs->private_data = p;
if (!host) {
DEBUG(1,("CIFS backend: You must supply server\n"));
return NT_STATUS_INVALID_PARAMETER;
}
if (user && pass) {
DEBUG(5, ("CIFS backend: Using specified password\n"));
credentials = cli_credentials_init(p);
if (!credentials) {
return NT_STATUS_NO_MEMORY;
}
cli_credentials_set_conf(credentials, ntvfs->ctx->lp_ctx);
cli_credentials_set_username(credentials, user, CRED_SPECIFIED);
if (domain) {
cli_credentials_set_domain(credentials, domain, CRED_SPECIFIED);
}
cli_credentials_set_password(credentials, pass, CRED_SPECIFIED);
} else if (machine_account) {
DEBUG(5, ("CIFS backend: Using machine account\n"));
credentials = cli_credentials_init(p);
cli_credentials_set_conf(credentials, ntvfs->ctx->lp_ctx);
if (domain) {
cli_credentials_set_domain(credentials, domain, CRED_SPECIFIED);
}
status = cli_credentials_set_machine_account(credentials, ntvfs->ctx->lp_ctx);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
} else if (req->session_info->credentials) {
DEBUG(5, ("CIFS backend: Using delegated credentials\n"));
credentials = req->session_info->credentials;
} else if (s4u2proxy) {
struct ccache_container *ccc = NULL;
const char *err_str = NULL;
int ret;
char *impersonate_principal;
char *self_service;
char *target_service;
impersonate_principal = talloc_asprintf(req, "%s@%s",
req->session_info->info->account_name,
req->session_info->info->domain_name);
self_service = talloc_asprintf(req, "cifs/%s",
lpcfg_netbios_name(ntvfs->ctx->lp_ctx));
target_service = talloc_asprintf(req, "cifs/%s", host);
DEBUG(5, ("CIFS backend: Using S4U2Proxy credentials\n"));
credentials = cli_credentials_init(p);
cli_credentials_set_conf(credentials, ntvfs->ctx->lp_ctx);
if (domain) {
cli_credentials_set_domain(credentials, domain, CRED_SPECIFIED);
}
status = cli_credentials_set_machine_account(credentials, ntvfs->ctx->lp_ctx);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
cli_credentials_set_impersonate_principal(credentials,
impersonate_principal,
self_service);
cli_credentials_set_target_service(credentials, target_service);
ret = cli_credentials_get_ccache(credentials,
ntvfs->ctx->event_ctx,
ntvfs->ctx->lp_ctx,
&ccc,
&err_str);
if (ret != 0) {
status = NT_STATUS_CROSSREALM_DELEGATION_FAILURE;
DEBUG(1,("S4U2Proxy: cli_credentials_get_ccache() gave: ret[%d] str[%s] - %s\n",
ret, err_str, nt_errstr(status)));
return status;
}
} else {
DEBUG(1,("CIFS backend: NO delegated credentials found: You must supply server, user and password or the client must supply delegated credentials\n"));
return NT_STATUS_INTERNAL_ERROR;
}
/* connect to the server, using the smbd event context */
io.in.dest_host = host;
io.in.dest_ports = lpcfg_smb_ports(ntvfs->ctx->lp_ctx);
io.in.socket_options = lpcfg_socket_options(ntvfs->ctx->lp_ctx);
io.in.called_name = host;
io.in.credentials = credentials;
io.in.fallback_to_anonymous = false;
io.in.workgroup = lpcfg_workgroup(ntvfs->ctx->lp_ctx);
io.in.service = remote_share;
io.in.service_type = "?????";
io.in.gensec_settings = lpcfg_gensec_settings(p, ntvfs->ctx->lp_ctx);
lpcfg_smbcli_options(ntvfs->ctx->lp_ctx, &io.in.options);
lpcfg_smbcli_session_options(ntvfs->ctx->lp_ctx, &io.in.session_options);
if (!(ntvfs->ctx->client_caps & NTVFS_CLIENT_CAP_LEVEL_II_OPLOCKS)) {
io.in.options.use_level2_oplocks = false;
}
creq = smb_composite_connect_send(&io, p,
lpcfg_resolve_context(ntvfs->ctx->lp_ctx),
ntvfs->ctx->event_ctx);
status = smb_composite_connect_recv(creq, p);
NT_STATUS_NOT_OK_RETURN(status);
p->tree = io.out.tree;
p->transport = p->tree->session->transport;
SETUP_PID;
p->ntvfs = ntvfs;
ntvfs->ctx->fs_type = talloc_strdup(ntvfs->ctx, "NTFS");
NT_STATUS_HAVE_NO_MEMORY(ntvfs->ctx->fs_type);
ntvfs->ctx->dev_type = talloc_strdup(ntvfs->ctx, "A:");
NT_STATUS_HAVE_NO_MEMORY(ntvfs->ctx->dev_type);
if (tcon->generic.level == RAW_TCON_TCONX) {
tcon->tconx.out.fs_type = ntvfs->ctx->fs_type;
tcon->tconx.out.dev_type = ntvfs->ctx->dev_type;
}
/* we need to receive oplock break requests from the server */
smbcli_oplock_handler(p->transport, oplock_handler, p);
p->map_generic = share_bool_option(scfg, CIFS_MAP_GENERIC, CIFS_MAP_GENERIC_DEFAULT);
p->map_trans2 = share_bool_option(scfg, CIFS_MAP_TRANS2, CIFS_MAP_TRANS2_DEFAULT);
return NT_STATUS_OK;
}
_PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,
struct gssapi_creds_container **_gcc,
const char **error_string)
{
int ret = 0;
OM_uint32 maj_stat, min_stat;
struct gssapi_creds_container *gcc;
struct ccache_container *ccache;
#ifdef SAMBA4_USES_HEIMDAL
gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER;
#endif
krb5_enctype *etypes = NULL;
if (cred->client_gss_creds_obtained >= cred->client_gss_creds_threshold &&
cred->client_gss_creds_obtained > CRED_UNINITIALISED) {
bool expired = false;
OM_uint32 lifetime = 0;
gss_cred_usage_t usage = 0;
maj_stat = gss_inquire_cred(&min_stat, cred->client_gss_creds->creds,
NULL, &lifetime, &usage, NULL);
if (maj_stat == GSS_S_CREDENTIALS_EXPIRED) {
DEBUG(3, ("Credentials for %s expired, must refresh credentials cache\n", cli_credentials_get_principal(cred, cred)));
expired = true;
} else if (maj_stat == GSS_S_COMPLETE && lifetime < 300) {
DEBUG(3, ("Credentials for %s will expire shortly (%u sec), must refresh credentials cache\n", cli_credentials_get_principal(cred, cred), lifetime));
expired = true;
} else if (maj_stat != GSS_S_COMPLETE) {
*error_string = talloc_asprintf(cred, "inquiry of credential lifefime via GSSAPI gss_inquire_cred failed: %s\n",
gssapi_error_string(cred, maj_stat, min_stat, NULL));
return EINVAL;
}
if (expired) {
cli_credentials_unconditionally_invalidate_client_gss_creds(cred);
} else {
DEBUG(5, ("GSSAPI credentials for %s will expire in %u secs\n",
cli_credentials_get_principal(cred, cred), (unsigned int)lifetime));
*_gcc = cred->client_gss_creds;
return 0;
}
}
ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx,
&ccache, error_string);
if (ret) {
if (cli_credentials_get_kerberos_state(cred) == CRED_MUST_USE_KERBEROS) {
DEBUG(1, ("Failed to get kerberos credentials (kerberos required): %s\n", *error_string));
} else {
DEBUG(4, ("Failed to get kerberos credentials: %s\n", *error_string));
}
return ret;
}
gcc = talloc(cred, struct gssapi_creds_container);
if (!gcc) {
(*error_string) = error_message(ENOMEM);
return ENOMEM;
}
maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL,
&gcc->creds);
if ((maj_stat == GSS_S_FAILURE) && (min_stat == (OM_uint32)KRB5_CC_END || min_stat == (OM_uint32) KRB5_CC_NOTFOUND)) {
/* This CCACHE is no good. Ensure we don't use it again */
cli_credentials_unconditionally_invalidate_ccache(cred);
/* Now try again to get a ccache */
ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx,
&ccache, error_string);
if (ret) {
DEBUG(1, ("Failed to re-get CCACHE for GSSAPI client: %s\n", error_message(ret)));
return ret;
}
maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL,
&gcc->creds);
}
if (maj_stat) {
talloc_free(gcc);
if (min_stat) {
ret = min_stat;
} else {
ret = EINVAL;
}
(*error_string) = talloc_asprintf(cred, "gss_krb5_import_cred failed: %s", error_message(ret));
return ret;
}
/*
* transfer the enctypes from the smb_krb5_context to the gssapi layer
*
* We use 'our' smb_krb5_context to do the AS-REQ and it is possible
* to configure the enctypes via the krb5.conf.
*
* And the gss_init_sec_context() creates it's own krb5_context and
* the TGS-REQ had all enctypes in it and only the ones configured
* and used for the AS-REQ, so it wasn't possible to disable the usage
* of AES keys.
*/
min_stat = get_kerberos_allowed_etypes(ccache->smb_krb5_context->krb5_context,
&etypes);
if (min_stat == 0) {
OM_uint32 num_ktypes;
for (num_ktypes = 0; etypes[num_ktypes]; num_ktypes++);
maj_stat = gss_krb5_set_allowable_enctypes(&min_stat, gcc->creds,
num_ktypes,
(int32_t *) etypes);
SAFE_FREE(etypes);
if (maj_stat) {
talloc_free(gcc);
if (min_stat) {
ret = min_stat;
} else {
ret = EINVAL;
}
(*error_string) = talloc_asprintf(cred, "gss_krb5_set_allowable_enctypes failed: %s", error_message(ret));
return ret;
}
}
#ifdef SAMBA4_USES_HEIMDAL /* MIT lacks GSS_KRB5_CRED_NO_CI_FLAGS_X */
/* don't force GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG */
maj_stat = gss_set_cred_option(&min_stat, &gcc->creds,
GSS_KRB5_CRED_NO_CI_FLAGS_X,
&empty_buffer);
if (maj_stat) {
talloc_free(gcc);
if (min_stat) {
ret = min_stat;
} else {
ret = EINVAL;
}
(*error_string) = talloc_asprintf(cred, "gss_set_cred_option failed: %s", error_message(ret));
return ret;
}
#endif
cred->client_gss_creds_obtained = cred->ccache_obtained;
talloc_set_destructor(gcc, free_gssapi_creds);
cred->client_gss_creds = gcc;
*_gcc = gcc;
return 0;
}
static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_security,
struct tevent_context *ev,
bool gssapi)
{
struct gensec_krb5_state *gensec_krb5_state;
krb5_error_code ret;
struct ccache_container *ccache_container;
const char *error_string;
const char *principal;
const char *hostname;
krb5_data in_data;
struct tevent_context *previous_ev;
gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
principal = gensec_get_target_principal(gensec_security);
hostname = gensec_get_target_hostname(gensec_security);
ret = cli_credentials_get_ccache(gensec_get_credentials(gensec_security),
ev,
gensec_security->settings->lp_ctx, &ccache_container, &error_string);
switch (ret) {
case 0:
break;
case KRB5KDC_ERR_PREAUTH_FAILED:
case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
return NT_STATUS_LOGON_FAILURE;
case KRB5_KDC_UNREACH:
DEBUG(3, ("Cannot reach a KDC we require to contact %s: %s\n", principal, error_string));
return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
case KRB5_CC_NOTFOUND:
case KRB5_CC_END:
DEBUG(3, ("Error preparing credentials we require to contact %s : %s\n", principal, error_string));
return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
default:
DEBUG(1, ("gensec_krb5_start: Aquiring initiator credentials failed: %s\n", error_string));
return NT_STATUS_UNSUCCESSFUL;
}
in_data.length = 0;
/* Do this every time, in case we have weird recursive issues here */
ret = smb_krb5_context_set_event_ctx(gensec_krb5_state->smb_krb5_context, ev, &previous_ev);
if (ret != 0) {
DEBUG(1, ("gensec_krb5_start: Setting event context failed\n"));
return NT_STATUS_NO_MEMORY;
}
if (principal) {
krb5_principal target_principal;
ret = krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal,
&target_principal);
if (ret == 0) {
ret = krb5_mk_req_exact(gensec_krb5_state->smb_krb5_context->krb5_context,
&gensec_krb5_state->auth_context,
gensec_krb5_state->ap_req_options,
target_principal,
&in_data, ccache_container->ccache,
&gensec_krb5_state->enc_ticket);
krb5_free_principal(gensec_krb5_state->smb_krb5_context->krb5_context,
target_principal);
}
} else {
ret = krb5_mk_req(gensec_krb5_state->smb_krb5_context->krb5_context,
&gensec_krb5_state->auth_context,
gensec_krb5_state->ap_req_options,
gensec_get_target_service(gensec_security),
hostname,
&in_data, ccache_container->ccache,
&gensec_krb5_state->enc_ticket);
}
smb_krb5_context_remove_event_ctx(gensec_krb5_state->smb_krb5_context, previous_ev, ev);
switch (ret) {
case 0:
return NT_STATUS_OK;
case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
DEBUG(3, ("Server [%s] is not registered with our KDC: %s\n",
hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
case KRB5_KDC_UNREACH:
DEBUG(3, ("Cannot reach a KDC we require to contact host [%s]: %s\n",
hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
case KRB5KDC_ERR_PREAUTH_FAILED:
case KRB5KRB_AP_ERR_TKT_EXPIRED:
case KRB5_CC_END:
/* Too much clock skew - we will need to kinit to re-skew the clock */
case KRB5KRB_AP_ERR_SKEW:
case KRB5_KDCREP_SKEW:
{
DEBUG(3, ("kerberos (mk_req) failed: %s\n",
smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
/*fall through*/
}
/* just don't print a message for these really ordinary messages */
case KRB5_FCC_NOFILE:
case KRB5_CC_NOTFOUND:
case ENOENT:
return NT_STATUS_UNSUCCESSFUL;
break;
default:
DEBUG(0, ("kerberos: %s\n",
smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
return NT_STATUS_UNSUCCESSFUL;
}
}
static NTSTATUS gensec_krb5_common_client_start(struct gensec_security *gensec_security, bool gssapi)
{
struct gensec_krb5_state *gensec_krb5_state;
krb5_error_code ret;
NTSTATUS nt_status;
struct ccache_container *ccache_container;
const char *hostname;
const char *principal;
krb5_data in_data;
hostname = gensec_get_target_hostname(gensec_security);
if (!hostname) {
DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n"));
return NT_STATUS_INVALID_PARAMETER;
}
if (is_ipaddress(hostname)) {
DEBUG(2, ("Cannot do krb5 to an IP address"));
return NT_STATUS_INVALID_PARAMETER;
}
if (strcmp(hostname, "localhost") == 0) {
DEBUG(2, ("krb5 to 'localhost' does not make sense"));
return NT_STATUS_INVALID_PARAMETER;
}
nt_status = gensec_krb5_start(gensec_security, gssapi);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
gensec_krb5_state->ap_req_options = AP_OPTS_USE_SUBKEY;
if (gensec_krb5_state->gssapi) {
/* The Fake GSSAPI modal emulates Samba3, which does not do mutual authentication */
if (gensec_setting_bool(gensec_security->settings, "gensec_fake_gssapi_krb5", "mutual", false)) {
gensec_krb5_state->ap_req_options |= AP_OPTS_MUTUAL_REQUIRED;
}
} else {
/* The wrapping for KPASSWD (a user of the raw KRB5 API) should be mutually authenticated */
if (gensec_setting_bool(gensec_security->settings, "gensec_krb5", "mutual", true)) {
gensec_krb5_state->ap_req_options |= AP_OPTS_MUTUAL_REQUIRED;
}
}
principal = gensec_get_target_principal(gensec_security);
ret = cli_credentials_get_ccache(gensec_get_credentials(gensec_security),
gensec_security->event_ctx,
gensec_security->settings->lp_ctx, &ccache_container);
switch (ret) {
case 0:
break;
case KRB5KDC_ERR_PREAUTH_FAILED:
return NT_STATUS_LOGON_FAILURE;
case KRB5_KDC_UNREACH:
DEBUG(3, ("Cannot reach a KDC we require to contact %s\n", principal));
return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
default:
DEBUG(1, ("gensec_krb5_start: Aquiring initiator credentials failed: %s\n", error_message(ret)));
return NT_STATUS_UNSUCCESSFUL;
}
in_data.length = 0;
if (principal && lp_client_use_spnego_principal(gensec_security->settings->lp_ctx)) {
krb5_principal target_principal;
ret = krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal,
&target_principal);
if (ret == 0) {
ret = krb5_mk_req_exact(gensec_krb5_state->smb_krb5_context->krb5_context,
&gensec_krb5_state->auth_context,
gensec_krb5_state->ap_req_options,
target_principal,
&in_data, ccache_container->ccache,
&gensec_krb5_state->enc_ticket);
krb5_free_principal(gensec_krb5_state->smb_krb5_context->krb5_context,
target_principal);
}
} else {
ret = krb5_mk_req(gensec_krb5_state->smb_krb5_context->krb5_context,
&gensec_krb5_state->auth_context,
gensec_krb5_state->ap_req_options,
gensec_get_target_service(gensec_security),
hostname,
&in_data, ccache_container->ccache,
&gensec_krb5_state->enc_ticket);
}
switch (ret) {
case 0:
return NT_STATUS_OK;
case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
DEBUG(3, ("Server [%s] is not registered with our KDC: %s\n",
hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
case KRB5_KDC_UNREACH:
DEBUG(3, ("Cannot reach a KDC we require to contact host [%s]: %s\n",
hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
case KRB5KDC_ERR_PREAUTH_FAILED:
case KRB5KRB_AP_ERR_TKT_EXPIRED:
case KRB5_CC_END:
/* Too much clock skew - we will need to kinit to re-skew the clock */
case KRB5KRB_AP_ERR_SKEW:
case KRB5_KDCREP_SKEW:
{
DEBUG(3, ("kerberos (mk_req) failed: %s\n",
smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
/*fall through*/
}
/* just don't print a message for these really ordinary messages */
case KRB5_FCC_NOFILE:
case KRB5_CC_NOTFOUND:
case ENOENT:
return NT_STATUS_UNSUCCESSFUL;
break;
default:
DEBUG(0, ("kerberos: %s\n",
smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
return NT_STATUS_UNSUCCESSFUL;
}
}
