Support GSS-SPNEGO mechanism if GSSAPI library supports it.
authorTimo Sirainen <tss@iki.fi>
Wed, 13 Aug 2008 20:22:53 +0000 (16:22 -0400)
committerTimo Sirainen <tss@iki.fi>
Wed, 13 Aug 2008 20:22:53 +0000 (16:22 -0400)
Based on a patch by Jason Gunthorpe.

--HG--
branch : HEAD

configure.in
src/auth/mech-gssapi.c
src/auth/mech.c

index 4bd2465551e8559452e1d3e739cd49593311a215..2bebb27544a35ef99e258aa34597265df249b74f 100644 (file)
@@ -1805,6 +1805,41 @@ if test $want_gssapi != no; then
                                old_LIBS=$LIBS
                                LIBS="$LIBS $KRB5_LIBS"
                                AC_CHECK_FUNCS(gsskrb5_register_acceptor_identity krb5_gss_register_acceptor_identity)
+
+                               # does the kerberos library support SPNEGO?
+                               AC_CACHE_CHECK([whether GSSAPI supports SPNEGO],i_cv_gssapi_spnego,[
+                                 AC_TRY_RUN([
+                                   #ifdef HAVE_GSSAPI_H
+                                   #  include <gssapi.h>
+                                   #else
+                                   #  include <gssapi/gssapi.h>
+                                   #endif
+                                   #include <krb5.h>
+                                   #include <string.h>
+                                   int main(void) {
+                                     OM_uint32 minor_status;
+                                     gss_OID_set mech_set;
+                                     unsigned char spnego_oid[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 };
+                                     unsigned int i;
+    
+                                     gss_indicate_mechs(&minor_status, &mech_set);
+                                     for (i = 0; i < mech_set->count; i++) {
+                                       if (mech_set->elements[i].length == 6 &&
+                                           memcmp(mech_set->elements[i].elements,
+                                                  spnego_oid, 6) == 0)
+                                             return 0;
+                                     }
+                                     return 1;
+                                   }
+                                 ], [
+                                   i_cv_gssapi_spnego=yes
+                                 ], [
+                                   i_cv_gssapi_spnego=no
+                                 ])
+                               ])
+                               if test "$i_cv_gssapi_spnego" = "yes"; then
+                                 AC_DEFINE(HAVE_GSSAPI_SPNEGO,, GSSAPI supports SPNEGO)
+                               fi
                                LIBS=$old_LIBS
 
                                if test x$want_gssapi_plugin != xyes; then
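Review bot: The probe program in the added AC_TRY_RUN body dereferences `mech_set` without checking the major status returned by `gss_indicate_mechs()`, so a failed call reads an uninitialized pointer and the answer becomes "no" only if that happens to crash. Guard the call with `if (GSS_ERROR(gss_indicate_mechs(&minor_status, &mech_set))) return 1;`. AC_TRY_RUN is also given no cross-compiling action, so this check cannot complete when cross-compiling; a fourth argument of `i_cv_gssapi_spnego=no` would give a conservative default. Because the probe runs against the build host's library, HAVE_GSSAPI_SPNEGO records build-time support only, which the comment above the check should say. The enclosing `if test $want_gssapi != no` block starts and ends outside this hunk.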
index 1817d47df766217ebdd23050af443414b385ccf7..f88ad54cbf48da05be163068c75bd9a7427cf2d9 100644 (file)
@@ -552,6 +552,24 @@ const struct mech_module mech_gssapi = {
        mech_gssapi_auth_free
 };
 
+/* MTI Kerberos v1.5+ and Heimdal v0.7+ supports SPNEGO for Kerberos tickets
+   internally. Nothing else needs to be done here. Note however that this does
+   not support SPNEGO when the only available credential is NTLM.. */
+const struct mech_module mech_gssapi_spnego = {
+       "GSS-SPNEGO",
+
+       MEMBER(flags) 0,
+
+       MEMBER(passdb_need_plain) FALSE,
+       MEMBER(passdb_need_credentials) FALSE,
+       MEMBER(passdb_need_set_credentials) FALSE,
+
+       mech_gssapi_auth_new,
+        mech_gssapi_auth_initial,
+        mech_gssapi_auth_continue,
+        mech_gssapi_auth_free
+};
+
 #ifndef BUILTIN_GSSAPI
 void mech_gssapi_init(void);
 void mech_gssapi_deinit(void);
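Review bot: `mech_gssapi_spnego` reuses the four GSSAPI handlers unchanged, but with SPNEGO the underlying mechanism is negotiated inside the GSSAPI library rather than fixed by the SASL mechanism name. The handlers are outside this hunk, so this cannot be confirmed here, but `mech_gssapi_auth_continue` should check the mechanism type reported by `gss_accept_sec_context()` and reject anything other than Kerberos before the authenticated name is used; the comment's NTLM remark reads as an assumption about the library rather than something the code enforces. The comment also needs wording fixes: `MTI Kerberos` should be `MIT Kerberos`, `supports` should be `support`, and the last sentence ends in `..`. The three handler lines after `mech_gssapi_auth_new,` are indented with spaces while the rest of the initializer uses a different indent, so they should be made consistent.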
@@ -559,11 +577,17 @@ void mech_gssapi_deinit(void);
 void mech_gssapi_init(void)
 {
        mech_register_module(&mech_gssapi);
+#ifdef HAVE_GSSAPI_SPNEGO
+       mech_register_module(&mech_gssapi_spnego);
+#endif
 }
 
 void mech_gssapi_deinit(void)
 {
        mech_unregister_module(&mech_gssapi);
+#ifdef HAVE_GSSAPI_SPNEGO
+       mech_unregister_module(&mech_gssapi_spnego);
+#endif
 }
 #endif
 
index 980326cdb5ed4cfccb46eda6737796f268ccd320..f357602644c540f04285a2358da2fd5a761741be 100644 (file)
@@ -75,6 +75,9 @@ extern const struct mech_module mech_anonymous;
 #ifdef HAVE_GSSAPI
 extern const struct mech_module mech_gssapi;
 #endif
+#ifdef HAVE_GSSAPI_SPNEGO
+extern const struct mech_module mech_gssapi_spnego;
+#endif
 extern const struct mech_module mech_winbind_ntlm;
 extern const struct mech_module mech_winbind_spnego;
 
@@ -96,6 +99,9 @@ void mech_init(void)
        mech_register_module(&mech_anonymous);
 #ifdef BUILTIN_GSSAPI
        mech_register_module(&mech_gssapi);
+#ifdef HAVE_GSSAPI_SPNEGO
+       mech_register_module(&mech_gssapi_spnego);
+#endif
 #endif
 }
 
@@ -117,5 +123,8 @@ void mech_deinit(void)
        mech_unregister_module(&mech_anonymous);
 #ifdef BUILTIN_GSSAPI
        mech_unregister_module(&mech_gssapi);
+#ifdef HAVE_GSSAPI_SPNEGO
+       mech_unregister_module(&mech_gssapi_spnego);
+#endif
 #endif
 }