From: Simo Sorce
Date: Fri, 25 Sep 2020 00:59:42 +0000 (-0400)
Subject: Restrict GSSAPI query to the krb5 mechanism
X-Git-Tag: talloc-2.3.2~423
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b8653f4ee7ae4afe5391df4f68399858614d8145;p=thirdparty%2Fsamba.git

Restrict GSSAPI query to the krb5 mechanism

Otherwise GSSAPI will consult other mechanisms if available and we can only cope with krb5 credentials here.

Signed-off-by: Simo Sorce
Reviewed-by: Jeremy Allison
Autobuild-User(master): Jeremy Allison
Autobuild-Date(master): Wed Sep 30 20:45:23 UTC 2020 on sn-devel-184
---

diff --git a/lib/krb5_wrap/gss_samba.c b/lib/krb5_wrap/gss_samba.c
index 2a99661ddee..a5940561cda 100644
--- a/lib/krb5_wrap/gss_samba.c
+++ b/lib/krb5_wrap/gss_samba.c
@@ -80,7 +80,15 @@ uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx,
 .count = 1,
 };
- gss_OID_set mech_set = GSS_C_NO_OID_SET;
+ /* we are interested exclusively in krb5 credentials,
+ * indicate to GSSAPI that we are not interested in any other
+ * mechanism here */
+ gss_OID_set_desc mech_set = {
+ .count = 1,
+ .elements = discard_const_p(struct gss_OID_desc_struct,
+ gss_mech_krb5),
+ };
+
 gss_cred_usage_t cred_usage = GSS_C_INITIATE;
 gss_name_t name = NULL;
 gss_buffer_desc pr_name = {
@@ -144,7 +152,7 @@ uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx,
 major_status = gss_acquire_cred_from(minor_status,
 name,
 0,
- mech_set,
+ &mech_set,
 cred_usage,
 &cred_store,
 cred,
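Review bot: The new `mech_set` in the first hunk is a stack `gss_OID_set_desc` whose `.elements` borrows the library-owned `gss_mech_krb5` OID with its const qualifier removed by `discard_const_p`, and the added comment does not record that the set must stay read-only. I would extend the comment with `/* mech_set only borrows gss_mech_krb5: never modify it or hand it to gss_release_oid_set() */`, since releasing or editing it would touch storage this function does not own. The second hunk passes `&mech_set` to `gss_acquire_cred_from()`, which is fine as long as the call treats the set purely as input. The body of `smb_gss_krb5_import_cred` starts and ends outside both hunks, so it is worth confirming that no cleanup path written for the old `gss_OID_set` pointer still releases `mech_set`.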