From d4f72d0b861e7db438084b8b30656a14a099948f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 15 May 2017 07:17:30 +0200
Subject: [PATCH] s4:auth: add samba_server_gensec_krb5_start()
This will be used by the dns services to only allow spnego/krb5. This makes sure the accepting backend doesn't require any RPC or IPC communication for now.
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
---
 source4/auth/auth.h | 7 ++++++
 source4/auth/samba_server_gensec.c | 45 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index de3a8bd5b22..e1b642eb92d 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -187,5 +187,12 @@ NTSTATUS samba_server_gensec_start(TALLOC_CTX *mem_ctx,
 struct cli_credentials *server_credentials,
 const char *target_service,
 struct gensec_security **gensec_context);
+NTSTATUS samba_server_gensec_krb5_start(TALLOC_CTX *mem_ctx,
+ struct tevent_context *event_ctx,
+ struct imessaging_context *msg_ctx,
+ struct loadparm_context *lp_ctx,
+ struct cli_credentials *server_credentials,
+ const char *target_service,
+ struct gensec_security **gensec_context);
 
 #endif /* _SMBAUTH_H_ */
diff --git a/source4/auth/samba_server_gensec.c b/source4/auth/samba_server_gensec.c
index af26f9972fa..ee3396a4abe 100644
--- a/source4/auth/samba_server_gensec.c
+++ b/source4/auth/samba_server_gensec.c
@@ -105,3 +105,48 @@ NTSTATUS samba_server_gensec_start(TALLOC_CTX *mem_ctx,
 talloc_reparent(mem_ctx, *gensec_context, settings);
 return NT_STATUS_OK;
 }
+
+NTSTATUS samba_server_gensec_krb5_start(TALLOC_CTX *mem_ctx,
+ struct tevent_context *event_ctx,
+ struct imessaging_context *msg_ctx,
+ struct loadparm_context *lp_ctx,
+ struct cli_credentials *server_credentials,
+ const char *target_service,
+ struct gensec_security **gensec_context)
+{
+ struct gensec_settings *settings = NULL;
+ const struct gensec_security_ops **backends = NULL;
+ size_t idx = 0;
+ NTSTATUS status;
+
+ settings = lpcfg_gensec_settings(mem_ctx, lp_ctx);
+ if (settings == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ backends = talloc_zero_array(settings,
+ const struct gensec_security_ops *, 3);
+ if (backends == NULL) {
+ TALLOC_FREE(settings);
+ return NT_STATUS_NO_MEMORY;
+ }
+ settings->backends = backends;
+
+ gensec_init();
+
+ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_KERBEROS5);
+
+ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
+
+ status = samba_server_gensec_start_settings(mem_ctx, event_ctx,
+ msg_ctx, lp_ctx,
+ settings, server_credentials,
+ target_service,
+ gensec_context);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(settings);
+ return status;
+ }
+
+ talloc_steal(*gensec_context, settings);
+ return NT_STATUS_OK;
+}
-- 
2.11.4.GIT
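Review bot: The two `gensec_security_by_oid()` results are stored into `backends[]` unchecked, and the array looks NULL-terminated (three zeroed slots for two entries), so a NULL from the `GENSEC_OID_KERBEROS5` lookup would end the list at index 0 and hide the SPNEGO entry behind it. That would probably fail closed, but since this restricted list is the whole purpose of the function, a missing mechanism should be reported as an error here rather than surface later as an unexplained authentication failure. The return value of `gensec_init()` is also dropped; if it returns an NTSTATUS, it should be checked in the same way. A short comment above the function saying that the backend list is deliberately limited to krb5 and SPNEGO, and why, would help the next person who touches it. The status code used below is only a suggestion.

```c
	gensec_init();

	backends[idx] = gensec_security_by_oid(NULL, GENSEC_OID_KERBEROS5);
	if (backends[idx] == NULL) {
		/* a NULL entry here would terminate the list before SPNEGO */
		TALLOC_FREE(settings);
		return NT_STATUS_INTERNAL_ERROR;
	}
	idx++;

	backends[idx] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
	if (backends[idx] == NULL) {
		TALLOC_FREE(settings);
		return NT_STATUS_INTERNAL_ERROR;
	}
	idx++;

	/* … unchanged: samba_server_gensec_start_settings() call and ownership hand-over … */
```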