NEX-16031 Samba's smbclient fails to authenticate using Kerberos with NT_STATUS_WRONG_PASSWORD
Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
        
*** 1,7 ****
--- 1,8 ----
  /*
   * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
+  * Copyright 2018 Nexenta Systems, Inc.  All rights reserved.
   */
  /*
   * Copyright 2000, 2004  by the Massachusetts Institute of Technology.
   * All Rights Reserved.
   *
*** 136,174 ****
           * message in the clear -- the "authenticator" whose "checksum" ends up
           * containing the KRB_CRED message does get encrypted.)
           */
      /* Solaris Kerberos */
      if ((retval = krb5_rd_cred(context, auth_context, inbuf, &creds, NULL))) {
!         krb5_enctype enctype = ENCTYPE_NULL;
!         /*
!          * If the client is using non-DES enctypes it really ought to
!          * send encrypted KRB-CREDs...
!          */
!         if (auth_context->keyblock != NULL)
!             enctype = auth_context->keyblock->enctype;
!         switch (enctype) {
!         case ENCTYPE_DES_CBC_MD5:
!         case ENCTYPE_DES_CBC_CRC:
!         case ENCTYPE_DES3_CBC_SHA1:
!             break;
!         default:
!             KRB5_LOG(KRB5_ERR, "rd_and_store_for_creds() error "
!                     "krb5_rd_cred() retval = %d\n", retval);
!             goto cleanup;
!             /* NOTREACHED */
!             break;
!         }
  
          /* Try to krb5_rd_cred() likely unencrypted KRB-CRED */
                  if ((retval = krb5_auth_con_init(context, &new_auth_ctx)))
                          goto cleanup;
                  krb5_auth_con_setflags(context, new_auth_ctx, 0);
                  if ((retval = krb5_rd_cred(context, new_auth_ctx, inbuf,
                                             &creds, NULL))) {
                          /* Solaris Kerberos */
!                         KRB5_LOG(KRB5_ERR, "rd_and_store_for_creds() error "
!                             "krb5_rd_cred() retval = %d\n", retval);
                          goto cleanup;
                  }
      }
  
      if ((retval = krb5_cc_new_unique(context, "MEMORY", NULL, &ccache))) {
--- 137,158 ----
           * message in the clear -- the "authenticator" whose "checksum" ends up
           * containing the KRB_CRED message does get encrypted.)
           */
      /* Solaris Kerberos */
      if ((retval = krb5_rd_cred(context, auth_context, inbuf, &creds, NULL))) {
!         krb5_error_code retval2 = retval;
  
          /* Try to krb5_rd_cred() likely unencrypted KRB-CRED */
                  if ((retval = krb5_auth_con_init(context, &new_auth_ctx)))
                          goto cleanup;
                  krb5_auth_con_setflags(context, new_auth_ctx, 0);
                  if ((retval = krb5_rd_cred(context, new_auth_ctx, inbuf,
                                             &creds, NULL))) {
                          /* Solaris Kerberos */
!                         KRB5_LOG1(KRB5_ERR, "rd_and_store_for_creds() error "
!                             "krb5_rd_cred() retval = %d original = %d\n",
!                             retval, retval2);
                          goto cleanup;
                  }
      }
  
      if ((retval = krb5_cc_new_unique(context, "MEMORY", NULL, &ccache))) {
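Review bot: With the enctype switch removed, the retry through `new_auth_ctx` now runs for every session enctype, but nothing in the new code records when a KRB-CRED was accepted only on that keyless retry. `retval2` is read only in the `KRB5_LOG1` call on the double-failure path, and the `krb5_auth_con_init()` failure branch jumps to `cleanup` without logging either code. I would log the first failure before retrying, e.g. `KRB5_LOG(KRB5_INFO, "rd_and_store_for_creds() retrying krb5_rd_cred() without auth context key, first retval = %d\n", retval2);` (assuming the macro set has an informational level), so operators can see which peers depend on the fallback. The deleted comment was the only text explaining the policy, so a replacement such as `/* Retry for any enctype; the KRB-CRED is still covered by the encrypted authenticator checksum. */` would help, and `orig_retval` would read better than `retval2`. The body of rd_and_store_for_creds() starts and ends outside this hunk, so the `cleanup` path was not checked.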