From: Stefan Metzmacher
Date: Tue, 5 Mar 2024 14:33:51 +0000 (+0100)
Subject: s3:gse: make use of gensec_kerberos_possible()
X-Git-Tag: tdb-1.4.11~847
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ce05fe3b718a5d242f31f1acb25f5d7c5a6e4e0a;p=thirdparty%2Fsamba.git
s3:gse: make use of gensec_kerberos_possible()
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andreas Schneider
---
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 077b193d60e..2b803dc8f0c 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -281,8 +281,6 @@ err_out:
 static NTSTATUS gse_init_client(struct gensec_security *gensec_security,
 bool do_sign, bool do_seal,
 const char *ccache_name,
- const char *server,
- const char *service,
 const char *realm,
 const char *username,
 const char *password,
@@ -297,10 +295,6 @@ static NTSTATUS gse_init_client(struct gensec_security *gensec_security,
 #endif
 NTSTATUS status;
- if (!server || !service) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
 status = gse_context_init(gensec_security, do_sign, do_seal,
 ccache_name, add_gss_c_flags,
 &gse_ctx);
@@ -871,23 +865,26 @@ static NTSTATUS gensec_gse_client_start(struct gensec_security *gensec_security)
 NTSTATUS nt_status;
 OM_uint32 want_flags = 0;
 bool do_sign = false, do_seal = false;
- const char *hostname = gensec_get_target_hostname(gensec_security);
- const char *service = gensec_get_target_service(gensec_security);
 const char *username = cli_credentials_get_username(creds);
 const char *password = cli_credentials_get_password(creds);
 const char *realm = cli_credentials_get_realm(creds);
- if (!hostname) {
- DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
- if (is_ipaddress(hostname)) {
- DEBUG(2, ("Cannot do GSE to an IP address\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
- if (strcmp(hostname, "localhost") == 0) {
- DEBUG(2, ("GSE to 'localhost' does not make sense\n"));
- return NT_STATUS_INVALID_PARAMETER;
+ nt_status = gensec_kerberos_possible(gensec_security);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ char *target_name = NULL;
+ char *cred_name = NULL;
+
+ target_name = gensec_get_unparsed_target_principal(gensec_security,
+ gensec_security);
+ cred_name = cli_credentials_get_unparsed_name(creds,
+ gensec_security);
+
+ DBG_NOTICE("Not using kerberos to %s as %s: %s\n",
+ target_name, cred_name, nt_errstr(nt_status));
+
+ TALLOC_FREE(target_name);
+ TALLOC_FREE(cred_name);
+ return nt_status;
 }
 if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
@@ -918,9 +915,8 @@ static NTSTATUS gensec_gse_client_start(struct gensec_security *gensec_security)
 #endif
 nt_status = gse_init_client(gensec_security, do_sign, do_seal, NULL,
- hostname, service, realm,
- username, password, want_flags,
- &gse_ctx);
+ realm, username, password,
+ want_flags, &gse_ctx);
 if (!NT_STATUS_IS_OK(nt_status)) {
 return nt_status;
 }
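Review bot: In the new failure branch of gensec_gse_client_start, `target_name` and `cred_name` are passed to `%s` in DBG_NOTICE without a NULL check, and both helpers presumably return NULL when the talloc allocation fails (their bodies are not in this diff). Substituting a fallback, e.g. `target_name != NULL ? target_name : "<unknown>"` and the same for `cred_name`, keeps the diagnostic well-defined on a path that is already handling an error. The local rejections of a missing hostname, an IP address and 'localhost' are gone from this function, and the `!server || !service` guard is gone from gse_init_client, so the decision now rests entirely on gensec_kerberos_possible(), which is not shown. It is worth confirming that it still refuses those targets and that callers choosing a fallback mechanism handle its status codes rather than only NT_STATUS_INVALID_PARAMETER. The function body starts and ends outside the hunk.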