From 4d77fb44fe9b535be532c547ed74899b7cb06815 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 27 Dec 2010 16:00:28 +0100
Subject: [PATCH 1/3] cifs.upcall: fix memory and call krb5_auth_con_free()
metze
---
 cifs.upcall.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/cifs.upcall.c b/cifs.upcall.c
index 9b1436e..9116e56 100644
--- a/cifs.upcall.c
+++ b/cifs.upcall.c
@@ -313,13 +313,15 @@ cifs_krb5_get_req(const char *principal, const char *ccname,
 if (ret) {
 syslog(LOG_DEBUG, "%s: unable to get session key for %s", __func__, principal);
- goto out_free_creds;
+ goto out_free_auth;
 }
 *mechtoken = data_blob(apreq_pkt.data, apreq_pkt.length);
 *sess_key = data_blob(KRB5_KEY_DATA(tokb), KRB5_KEY_LENGTH(tokb));
 krb5_free_keyblock(context, tokb);
+out_free_auth:
+ krb5_auth_con_free(context, auth_context);
 out_free_creds:
 krb5_free_creds(context, out_creds);
 out_free_principal:
--
1.7.0.4
From 10613a740a817cfe8325b083a542361078ff7b55 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 27 Dec 2010 16:09:30 +0100
Subject: [PATCH 2/3] cifs.upcall: use krb5_auth_con_init() to create an explicit auth_context
metze
---
 cifs.upcall.c | 14 ++++++++++++--
 1 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/cifs.upcall.c b/cifs.upcall.c
index 9116e56..d895ccd 100644
--- a/cifs.upcall.c
+++ b/cifs.upcall.c
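Review bot: In [PATCH 1/3], the new `out_free_auth:` path releases the auth context, but nothing in the visible cleanup chain releases `apreq_pkt`, which krb5_mk_req_extended() has already filled by the time the session-key lookup can fail. If data_blob() copies its input rather than taking ownership (not visible here), the buffer also stays allocated on the success path. Consider `krb5_free_data_contents(context, &apreq_pkt);` directly under the `out_free_auth:` label. The function starts before and continues after this hunk, so an existing release outside the shown lines cannot be ruled out.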
@@ -299,14 +299,24 @@ cifs_krb5_get_req(const char *principal, const char *ccname,
 goto out_free_principal;
 }
- apreq_pkt.data = NULL;
 in_data.length = 0;
+ in_data.data = NULL;
+
+ ret = krb5_auth_con_init(context, &auth_context);
+ if (ret) {
+ syslog(LOG_DEBUG, "%s: unable to create auth_context: %d",
+ __func__, ret);
+ goto out_free_creds;
+ }
+
+ apreq_pkt.length = 0;
+ apreq_pkt.data = NULL;
 ret = krb5_mk_req_extended(context, &auth_context, AP_OPTS_USE_SUBKEY,
 &in_data, out_creds, &apreq_pkt);
 if (ret) {
 syslog(LOG_DEBUG, "%s: unable to make AP-REQ for %s", __func__, principal);
- goto out_free_creds;
+ goto out_free_auth;
 }
 ret = krb5_auth_con_getsendsubkey(context, auth_context, &tokb);
--
1.7.0.4
From 5afb02ef6349654feca886a9374db41b351ee1a7 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 27 Dec 2010 16:10:49 +0100
Subject: [PATCH 3/3] cifs.upcall: use krb5_auth_con_set_req_cksumtype() and pass a GSSAPI checksum (bug #7890)
Some closed source SMB servers doesn't support all checksum types, so we should try to match windows clients. This is almost the same logic which is used by Samba.
metze
---
 cifs.upcall.c | 42 ++++++++++++++++++++++++++++++++++++++++++
 configure.ac | 1 +
 2 files changed, 43 insertions(+), 0 deletions(-)
diff --git a/cifs.upcall.c b/cifs.upcall.c
index d895ccd..906d02c 100644
--- a/cifs.upcall.c
+++ b/cifs.upcall.c
@@ -261,6 +261,9 @@ cifs_krb5_get_req(const char *principal, const char *ccname,
 krb5_creds in_creds, *out_creds;
 krb5_data apreq_pkt, in_data;
 krb5_auth_context auth_context = NULL;
+#if defined(HAVE_KRB5_AUTH_CON_SETADDRS) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE)
+ static const uint8_t gss_cksum[24] = { 0x10, 0x00, /* ... */};
+#endif
 ret = krb5_init_context(&context);
 if (ret) {
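Review bot: The failure logs in the [PATCH 2/3] hunk are inconsistent: the new krb5_auth_con_init() branch records `ret`, while the `unable to make AP-REQ for %s` branch right below it, whose jump target this patch changes, still drops the error code. The same gap appears in [PATCH 3/3] at `unable to set 0x8003 checksum`. These syslog lines are what an operator has to go on when Kerberos session setup for a mount fails, so carrying the code everywhere helps triage, e.g. `syslog(LOG_DEBUG, "%s: unable to make AP-REQ for %s: %d", __func__, principal, ret);`. The enclosing function begins and ends outside the hunk.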
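Review bot: The `gss_cksum` initializer in the first [PATCH 3/3] hunk spells out two bytes and then `/* ... */`, so the other 22 bytes are zero only through implicit zero-fill, and the layout that explains them sits in a comment in the later hunk. A short comment at the declaration would keep the two together, e.g. `/* length = 16 (little-endian); the 16 binding bytes and 4 flag bytes are zero via zero-fill, layout documented at the use site */`. `uint8_t` also needs `<stdint.h>`; the include list is outside the hunk, so confirm it is already pulled in.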
@@ -309,6 +312,45 @@ cifs_krb5_get_req(const char *principal, const char *ccname,
 goto out_free_creds;
 }
+#if defined(HAVE_KRB5_AUTH_CON_SETADDRS) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE)
+ /* Ensure we will get an addressless ticket. */
+ ret = krb5_auth_con_setaddrs(context, auth_context, NULL, NULL);
+ if (ret) {
+ syslog(LOG_DEBUG, "%s: unable to set NULL addrs: %d",
+ __func__, ret);
+ goto out_free_auth;
+ }
+
+ /*
+ * GSS_C_NO_CHANNEL_BINDINGS means 16 zero bytes.
+ * This matches the behavior of heimdal and mit.
+ *
+ * And it is needed to work against some closed source
+ * SMB servers.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=7890
+ *
+ * The current layout is
+ *
+ * 0x10, 0x00, 0x00, 0x00 - length = 16
+ * 0x00, 0x00, 0x00, 0x00 - 16 zero bytes
+ * 0x00, 0x00, 0x00, 0x00
+ * 0x00, 0x00, 0x00, 0x00
+ * 0x00, 0x00, 0x00, 0x00
+ * 0x00, 0x00, 0x00, 0x00 - gss flags
+ */
+
+ in_data.data = discard_const_p(char, gss_cksum);
+ in_data.length = 24;
+
+ ret = krb5_auth_con_set_req_cksumtype(context, auth_context, 0x8003);
+ if (ret) {
+ syslog(LOG_DEBUG, "%s: unable to set 0x8003 checksum",
+ __func__);
+ goto out_free_auth;
+ }
+#endif
+
+
 apreq_pkt.length = 0;
 apreq_pkt.data = NULL;
 ret = krb5_mk_req_extended(context, &auth_context, AP_OPTS_USE_SUBKEY,
diff --git a/configure.ac b/configure.ac
index 093b48d..53b698d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -133,6 +133,7 @@ fi
 # non-critical functions (we have workarounds for these)
 if test $enable_cifsupcall != "no"; then
 AC_CHECK_FUNCS([krb5_principal_get_realm krb5_free_unparsed_name])
+ AC_CHECK_FUNCS([krb5_auth_con_setaddrs krb5_auth_con_set_req_cksumtype])
 fi
 LIBS=$cu_saved_libs
--
1.7.0.4
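Review bot: `in_data.length = 24;` in the second [PATCH 3/3] hunk repeats the array size as a literal, so the checksum length handed to krb5_mk_req_extended() can drift from `gss_cksum` if the layout ever changes; `in_data.length = sizeof(gss_cksum);` ties the two together. `discard_const_p` is not defined in any visible hunk, so confirm this tree provides it, because the line is compiled only when both HAVE_ macros are set and a missing macro would surface only on those builds. When either function is missing, the whole block compiles away and the request presumably goes out with the library's default checksum without any trace; a debug log in an `#else` branch would make that build variant visible in the field. The function body starts and ends outside the hunk.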