diff --git a/configure.ac b/configure.ac
index bbf854cc..320f0225 100644
--- a/configure.ac
+++ b/configure.ac
@@ -427,7 +427,8 @@ AC_ARG_WITH([libgssapi_krb5], [AS_HELP_STRING([--with-libgssapi_krb5],
 # conditionally require libgssapi_krb5
 if test "x$require_libgssapi_krb5_ext" != "xno"; then
 AC_CHECK_HEADERS(gssapi/gssapi_generic.h)
- AC_SEARCH_LIBS([gss_init_sec_context], [gssapi_krb5 gssapi],,
+ AC_SEARCH_LIBS([gss_init_sec_context], [gssapi_krb5 gssapi],
+ AC_DEFINE(HAVE_LIBGSSAPI_KRB5, [1], [Enabled GSSAPI security]),
 AC_MSG_ERROR(libgssapi_krb5 is needed for GSSAPI security))
 fi
diff --git a/doc/zmq_gssapi.txt b/doc/zmq_gssapi.txt
index 3b32ec84..b98a4816 100644
--- a/doc/zmq_gssapi.txt
+++ b/doc/zmq_gssapi.txt
@@ -22,16 +22,17 @@ CLIENT AND SERVER ROLES
 -----------------------
 A socket using GSSAPI can be either client or server, but not both.
-To become either a GSSAPI client or server, the application sets the
-ZMQ_GSSAPI_PRINCIPAL option to provide the socket with the name of the principal
-for whom GSSAPI credentials should be acquired.
+To become a GSSAPI server, the application sets the ZMQ_GSSAPI_SERVER
+option on the socket.
-To become a GSSAPI server, the application additionally sets the
-ZMQ_GSSAPI_SERVER option on the socket.
+To become a GSSAPI client, the application sets the ZMQ_GSSAPI_SERVICE_PRINCIPAL
+option to the name of the principal on the server to which it intends to
+connect.
-To become a GSSAPI client, the application additionally sets the
-ZMQ_GSSAPI_SERVICE_PRINCIPAL option to the name of the principal of the server
-to which it intends to connect.
+On client or server, the application may additionally set the
+ZMQ_GSSAPI_PRINCIPAL option to provide the socket with the name of the
+principal for whom GSSAPI credentials should be acquired. If this option
+is not set, default credentials are used.
 OPTIONAL ENCRYPTION
diff --git a/src/gssapi_client.cpp b/src/gssapi_client.cpp
index 9eb598ab..495f4ab0 100644
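Review bot: The new AC_DEFINE names the result HAVE_LIBGSSAPI_KRB5 even though the AC_SEARCH_LIBS list also accepts a library called plain `gssapi` (typically Heimdal), so the macro's description should say what it actually certifies rather than implying MIT only; `AC_DEFINE(HAVE_LIBGSSAPI_KRB5, [1], [Define to 1 if a GSSAPI library (gssapi_krb5 or gssapi) providing gss_init_sec_context was found])` would make the build gate readable from config.h alone. The adjacent AC_MSG_ERROR text has the same MIT-specific wording, though that line is pre-existing.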
--- a/src/gssapi_client.cpp
+++ b/src/gssapi_client.cpp
@@ -166,10 +166,14 @@ zmq::mechanism_t::status_t zmq::gssapi_client_t::status () const
 int zmq::gssapi_client_t::initialize_context ()
 {
+ // principal was specified but credentials could not be acquired
+ if (principal_name != NULL && cred == NULL)
+ return -1;
+
 // First time through, import service_name into target_name
 if (target_name == GSS_C_NO_NAME) {
 send_tok.value = service_name;
- send_tok.length = strlen(service_name);
+ send_tok.length = strlen(service_name) + 1;
 OM_uint32 maj = gss_import_name(&min_stat, &send_tok, GSS_C_NT_HOSTBASED_SERVICE, &target_name);
diff --git a/src/gssapi_mechanism_base.cpp b/src/gssapi_mechanism_base.cpp
index f00591bd..77301882 100644
--- a/src/gssapi_mechanism_base.cpp
+++ b/src/gssapi_mechanism_base.cpp
@@ -338,7 +338,7 @@ int zmq::gssapi_mechanism_base_t::acquire_credentials (char * service_name_, gss
 return -1;
 maj_stat = gss_acquire_cred (&min_stat, server_name, 0,
- GSS_C_NO_OID_SET, GSS_C_ACCEPT,
+ GSS_C_NO_OID_SET, GSS_C_BOTH,
 cred_, NULL, NULL);
 if (maj_stat != GSS_S_COMPLETE)
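Review bot: The `+ 1` in `send_tok.length = strlen(service_name) + 1;` makes the terminating NUL part of the name buffer handed to gss_import_name, which departs from the RFC 2744 convention of passing only the string length, and nothing in the hunk says which implementation needed it. Both MIT krb5 and Heimdal copy `length` bytes and NUL-terminate on their own when importing a GSS_C_NT_HOSTBASED_SERVICE name, so as far as I can tell the extra byte is harmless there, but the next reader will "fix" it back; either add `// length deliberately includes the NUL: <mechanism> requires it` or revert to `strlen(service_name)`. The new guard `if (principal_name != NULL && cred == NULL)` can only distinguish "acquisition failed" from "not acquired yet" if `cred` starts out NULL and acquire_credentials runs before initialize_context, both of which happen outside this hunk and are worth confirming. initialize_context continues past the end of the hunk.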
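Review bot: Switching `gss_acquire_cred` to GSS_C_BOTH asks for initiator and acceptor credentials for `server_name` at once, and as far as I can tell both MIT krb5 and Heimdal fail the whole call when either half cannot be obtained, so a client that sets ZMQ_GSSAPI_PRINCIPAL to a principal backed only by a ticket cache (no keytab entry) now ends up with no credential at all, while a server is made to obtain initial credentials it never uses. Since acquire_credentials is now shared by both roles, the usage should be a parameter rather than a constant: add `gss_cred_usage_t usage_` to the signature and write `GSS_C_NO_OID_SET, usage_,` here, with the client passing GSS_C_INITIATE and the server GSS_C_ACCEPT. That also keeps each socket holding only the credential type its role needs. acquire_credentials starts and ends outside this hunk, as do its callers.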