svn commit: samba r9650 - in branches/SOC/SAMBA_4_0: .
source/auth/kerberos source/heimdal/kdc source/kdc
source/libnet source/script/tests source/scripting/ejs
source/setup source/torture/auth
Author: metze
Date: 2005-08-26 12:38:17 +0000 (Fri, 26 Aug 2005)
New Revision: 9650
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9650
Log:
r11400 at SERNOX (orig r9643): tridge | 2005-08-26 13:36:28 +0200
fixed samsync code for the new dn explode semantics
r11401 at SERNOX (orig r9644): tridge | 2005-08-26 13:37:09 +0200
add LOCAL-PAC to the list of 'make test' tests
r11402 at SERNOX (orig r9645): tridge | 2005-08-26 13:37:52 +0200
fixed the ejs GetOptions() call to look at the first option passed (this is what broke --help)
r11403 at SERNOX (orig r9646): tridge | 2005-08-26 13:38:07 +0200
fixed error message
r11404 at SERNOX (orig r9647): tridge | 2005-08-26 13:42:21 +0200
saved_pac is binary data, so prevent any possible portability problems with signed chars
r11405 at SERNOX (orig r9648): tridge | 2005-08-26 13:52:35 +0200
this fixes the krb5 based login with the pac. The key to this whole saga was
that the logon_time field in the pac must match the authtime field in the ticket we
gave the client in the AS-REP (and thus also the authtime field in the ticket we get
back in the TGS-REQ).
Many thanks to Andrew Bartlett for his patience in showing me the
basic ropes of all this code! This was a joint effort.
r11406 at SERNOX (orig r9649): tridge | 2005-08-26 14:02:47 +0200
missed a spot .....
Modified:
branches/SOC/SAMBA_4_0/
branches/SOC/SAMBA_4_0/source/auth/kerberos/kerberos.h
branches/SOC/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c
branches/SOC/SAMBA_4_0/source/heimdal/kdc/kerberos5.c
branches/SOC/SAMBA_4_0/source/kdc/pac-glue.c
branches/SOC/SAMBA_4_0/source/kdc/pac-glue.h
branches/SOC/SAMBA_4_0/source/libnet/libnet_samsync_ldb.c
branches/SOC/SAMBA_4_0/source/script/tests/test_local.sh
branches/SOC/SAMBA_4_0/source/scripting/ejs/smbcalls_options.c
branches/SOC/SAMBA_4_0/source/setup/provision
branches/SOC/SAMBA_4_0/source/torture/auth/pac.c
Changeset:
Property changes on: branches/SOC/SAMBA_4_0
___________________________________________________________________
Name: svk:merge
- 0c0555d6-39d7-0310-84fc-f1cc0bd64818:/branches/SAMBA_4_0:9638
d349723c-e9fc-0310-b8a8-fdedf1c27407:/local/SAMBA_4_0:5616
d349723c-e9fc-0310-b8a8-fdedf1c27407:/local/samba-SAMBA_4_0:5609
+ 0c0555d6-39d7-0310-84fc-f1cc0bd64818:/branches/SAMBA_4_0:9649
d349723c-e9fc-0310-b8a8-fdedf1c27407:/local/SAMBA_4_0:5616
d349723c-e9fc-0310-b8a8-fdedf1c27407:/local/samba-SAMBA_4_0:5609
Modified: branches/SOC/SAMBA_4_0/source/auth/kerberos/kerberos.h
===================================================================
--- branches/SOC/SAMBA_4_0/source/auth/kerberos/kerberos.h 2005-08-26 12:02:47 UTC (rev 9649)
+++ branches/SOC/SAMBA_4_0/source/auth/kerberos/kerberos.h 2005-08-26 12:38:17 UTC (rev 9650)
@@ -143,6 +143,7 @@
krb5_context context,
krb5_keyblock *krbtgt_keyblock,
krb5_keyblock *server_keyblock,
+ time_t tgs_authtime,
DATA_BLOB *pac);
krb5_error_code kerberos_encode_pac(TALLOC_CTX *mem_ctx,
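Review bot: The new `time_t tgs_authtime` parameter at L62 carries an invariant that the header never states: according to the commit log the value is written into the PAC's logon_time and must equal the authtime of the ticket the PAC is issued with, and a mismatch is what the log identifies as the cause of the failed krb5 logins. Suggest annotating it in the prototype, `time_t tgs_authtime, /* authtime of the ticket this PAC is issued for; copied into LOGON_NAME.logon_time and must match the ticket */`. The same undocumented parameter is added to the prototypes in kerberos_pac.c (L73), pac-glue.c (L134) and pac-glue.h (L160). The enclosing prototype starts before this hunk.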
Modified: branches/SOC/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c
===================================================================
--- branches/SOC/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c 2005-08-26 12:02:47 UTC (rev 9649)
+++ branches/SOC/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c 2005-08-26 12:38:17 UTC (rev 9650)
@@ -385,6 +385,7 @@
krb5_context context,
krb5_keyblock *krbtgt_keyblock,
krb5_keyblock *service_keyblock,
+ time_t tgs_authtime,
DATA_BLOB *pac)
{
NTSTATUS nt_status;
@@ -478,8 +479,13 @@
LOGON_INFO->info3.base.last_logon = timeval_to_nttime(&tv);
LOGON_NAME->account_name = server_info->account_name;
- LOGON_NAME->logon_time = timeval_to_nttime(&tv);
+ /*
+ this logon_time field is absolutely critical. This is what
+ caused all our pac troubles :-)
+ */
+ unix_to_nt_time(&LOGON_NAME->logon_time, tgs_authtime);
+
ret = kerberos_encode_pac(mem_ctx,
pac_data,
context,
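Review bot: The comment added at L81-L84 says the logon_time assignment is critical but not what the constraint is, so a later reader cannot tell what breaks if `tgs_authtime` is swapped back for the local `tv`. Suggest replacing it with `/* logon_time must equal the authtime of the ticket this PAC is issued with (the value the client received in the AS-REP and presents in the TGS-REQ); a mismatch is what broke krb5 logins, see the commit log */`. Note that last_logon on L78 is still taken from `tv` while logon_time now comes from the caller, so the two fields are no longer derived from the same clock; that looks intentional but is worth one sentence in the same comment. The enclosing function starts before this hunk.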
Modified: branches/SOC/SAMBA_4_0/source/heimdal/kdc/kerberos5.c
===================================================================
--- branches/SOC/SAMBA_4_0/source/heimdal/kdc/kerberos5.c 2005-08-26 12:02:47 UTC (rev 9649)
+++ branches/SOC/SAMBA_4_0/source/heimdal/kdc/kerberos5.c 2005-08-26 12:38:17 UTC (rev 9650)
@@ -1597,6 +1597,7 @@
EncTicketPart *tgt,
EncTicketPart *adtkt,
AuthorizationData *auth_data,
+ krb5_ticket *tgs_ticket,
hdb_entry *server,
hdb_entry *client,
krb5_principal client_principal,
@@ -1774,6 +1775,7 @@
client->principal,
tgtkey,
ekey,
+ tgs_ticket->ticket.authtime,
&pac);
if (ret) {
free_AuthorizationData(if_relevant);
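Review bot: `tgs_ticket->ticket.authtime` at L106 dereferences the new parameter with no NULL guard, and the parameter at L98 carries no comment saying which ticket the caller must supply. Whether `ticket` can be NULL at the call site at L114 is not visible here; if it can, the PAC call (presumably samba_get_pac, judging by the argument order) should be skipped with an error through the same `free_AuthorizationData(if_relevant)` cleanup that L108-L109 already use for a failed call, rather than building a PAC from a bad timestamp. At minimum document the parameter, `krb5_ticket *tgs_ticket, /* ticket presented in the TGS-REQ; its authtime becomes the PAC logon_time */`. The enclosing function starts and ends outside these hunks.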
@@ -2357,6 +2359,7 @@
tgt,
b->kdc_options.enc_tkt_in_skey ? &adtkt : NULL,
auth_data,
+ ticket,
server,
client,
cp,
Modified: branches/SOC/SAMBA_4_0/source/kdc/pac-glue.c
===================================================================
--- branches/SOC/SAMBA_4_0/source/kdc/pac-glue.c 2005-08-26 12:02:47 UTC (rev 9649)
+++ branches/SOC/SAMBA_4_0/source/kdc/pac-glue.c 2005-08-26 12:38:17 UTC (rev 9650)
@@ -26,11 +26,12 @@
#include "kdc/pac-glue.h" /* Ensure we don't get this prototype wrong, as that could be painful */
krb5_error_code samba_get_pac(krb5_context context,
- struct krb5_kdc_configuration *config,
- krb5_principal client,
- krb5_keyblock *krbtgt_keyblock,
- krb5_keyblock *server_keyblock,
- krb5_data *pac)
+ struct krb5_kdc_configuration *config,
+ krb5_principal client,
+ krb5_keyblock *krbtgt_keyblock,
+ krb5_keyblock *server_keyblock,
+ time_t tgs_authtime,
+ krb5_data *pac)
{
krb5_error_code ret;
NTSTATUS nt_status;
@@ -74,6 +75,7 @@
context,
krbtgt_keyblock,
server_keyblock,
+ tgs_authtime,
&tmp_blob);
if (ret) {
Modified: branches/SOC/SAMBA_4_0/source/kdc/pac-glue.h
===================================================================
--- branches/SOC/SAMBA_4_0/source/kdc/pac-glue.h 2005-08-26 12:02:47 UTC (rev 9649)
+++ branches/SOC/SAMBA_4_0/source/kdc/pac-glue.h 2005-08-26 12:38:17 UTC (rev 9650)
@@ -1,7 +1,8 @@
krb5_error_code samba_get_pac(krb5_context context,
- struct krb5_kdc_configuration *config,
- krb5_principal client,
- krb5_keyblock *krbtgt_keyblock,
- krb5_keyblock *server_keyblock,
+ struct krb5_kdc_configuration *config,
+ krb5_principal client,
+ krb5_keyblock *krbtgt_keyblock,
+ krb5_keyblock *server_keyblock,
+ time_t tgs_authtime,
krb5_data *pac);
Modified: branches/SOC/SAMBA_4_0/source/libnet/libnet_samsync_ldb.c
===================================================================
--- branches/SOC/SAMBA_4_0/source/libnet/libnet_samsync_ldb.c 2005-08-26 12:02:47 UTC (rev 9649)
+++ branches/SOC/SAMBA_4_0/source/libnet/libnet_samsync_ldb.c 2005-08-26 12:38:17 UTC (rev 9650)
@@ -119,6 +119,8 @@
const char *domain_attrs[] = {"nETBIOSName", "nCName", NULL};
struct ldb_message **msgs_domain;
int ret_domain;
+ char *base_dn;
+
ret_domain = gendb_search(state->sam_ldb, mem_ctx, NULL, &msgs_domain, domain_attrs,
"(&(&(nETBIOSName=%s)(objectclass=crossRef))(ncName=*))",
domain_name);
@@ -130,24 +132,20 @@
return NT_STATUS_NO_SUCH_DOMAIN;
}
- state->base_dn[database]
- = talloc_steal(state, samdb_result_string(msgs_domain[0],
- "nCName", NULL));
-
- state->dom_sid[database]
- = talloc_steal(state,
- samdb_search_dom_sid(state->sam_ldb, state,
- state->base_dn[database], "objectSid", "dn=%s",
- ldb_dn_linearize(mem_ctx, state->base_dn[database])));
+ state->base_dn[database] = samdb_result_dn(state, msgs_domain[0], "nCName", NULL);
+
+ base_dn = ldb_dn_linearize(mem_ctx, state->base_dn[database]);
+
+ state->dom_sid[database] = samdb_search_dom_sid(state->sam_ldb, state,
+ state->base_dn[database],
+ "objectSid", "dn=%s", base_dn);
} else if (database == SAM_DATABASE_BUILTIN) {
- /* work out the builtin_dn - useful for so many calls its worth
- fetching here */
- state->base_dn[database]
- = talloc_steal(state,
- samdb_search_string(state->sam_ldb, mem_ctx, NULL,
- "dn", "objectClass=builtinDomain"));
- state->dom_sid[database]
- = dom_sid_parse_talloc(state, SID_BUILTIN);
+ /* work out the builtin_dn - useful for so many calls its worth
+ fetching here */
+ const char *dnstring = samdb_search_string(state->sam_ldb, mem_ctx, NULL,
+ "dn", "objectClass=builtinDomain");
+ state->base_dn[database] = ldb_dn_explode(state, dnstring);
+ state->dom_sid[database] = dom_sid_parse_talloc(state, SID_BUILTIN);
} else {
/* PRIVs DB */
return NT_STATUS_INVALID_PARAMETER;
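Review bot: Neither new DN lookup checks for a NULL result: the value from `samdb_result_dn` at L187 goes straight into `ldb_dn_linearize` at L189 and then into the `"dn=%s"` argument at L193, and the value from `ldb_dn_explode` at L207 is stored as the database's base DN for every later call. The helpers are not on this page, but a DN helper returning NULL on a missing attribute, an empty search result or allocation failure is the usual contract, and the old code had the same gap. The search-failure case just above (L176) already returns NT_STATUS_NO_SUCH_DOMAIN, so the same treatment fits: `if (state->base_dn[database] == NULL) { return NT_STATUS_NO_SUCH_DOMAIN; }` after L187 and again after L207 (NT_STATUS_NO_MEMORY may be the better code there when `dnstring` itself was non-NULL), plus a check of `base_dn` at L189 before it is formatted. The enclosing function starts before the first hunk of this file.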
Modified: branches/SOC/SAMBA_4_0/source/script/tests/test_local.sh
===================================================================
--- branches/SOC/SAMBA_4_0/source/script/tests/test_local.sh 2005-08-26 12:02:47 UTC (rev 9649)
+++ branches/SOC/SAMBA_4_0/source/script/tests/test_local.sh 2005-08-26 12:38:17 UTC (rev 9650)
@@ -1,6 +1,6 @@
#!/bin/sh
-local_tests="LOCAL-NTLMSSP LOCAL-TALLOC LOCAL-MESSAGING LOCAL-IRPC LOCAL-BINDING LOCAL-IDTREE LOCAL-SOCKET"
+local_tests="LOCAL-NTLMSSP LOCAL-TALLOC LOCAL-MESSAGING LOCAL-IRPC LOCAL-BINDING LOCAL-IDTREE LOCAL-SOCKET LOCAL-PAC"
if [ $# -lt 0 ]; then
cat <<EOF
Modified: branches/SOC/SAMBA_4_0/source/scripting/ejs/smbcalls_options.c
===================================================================
--- branches/SOC/SAMBA_4_0/source/scripting/ejs/smbcalls_options.c 2005-08-26 12:02:47 UTC (rev 9649)
+++ branches/SOC/SAMBA_4_0/source/scripting/ejs/smbcalls_options.c 2005-08-26 12:38:17 UTC (rev 9650)
@@ -82,7 +82,7 @@
}
/* create the long_options array */
- for (i=2;i<argc;i++) {
+ for (i=1;i<argc;i++) {
const char *optstr = mprToString(argv[i]);
int t, opt_type = POPT_ARG_NONE;
const char *s;
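Review bot: The loop start changed at L230 has no comment explaining why option definitions begin at `argv[1]`; the previous value 2 looked equally plausible and silently dropped the first option (the log says this is what broke --help), so the next reader may "fix" it back. Suggest `/* option specs start at argv[1]; starting at 2 skipped the first option and broke --help */` above the for loop. What argv[0] holds is not visible in this hunk, and the enclosing function starts before it.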
Modified: branches/SOC/SAMBA_4_0/source/setup/provision
===================================================================
--- branches/SOC/SAMBA_4_0/source/setup/provision 2005-08-26 12:02:47 UTC (rev 9649)
+++ branches/SOC/SAMBA_4_0/source/setup/provision 2005-08-26 12:38:17 UTC (rev 9650)
@@ -30,7 +30,7 @@
'blank');
if (options == undefined) {
- println("Failed to parse options: ", options.ERROR);
+ println("Failed to parse options");
return -1;
}
Modified: branches/SOC/SAMBA_4_0/source/torture/auth/pac.c
===================================================================
--- branches/SOC/SAMBA_4_0/source/torture/auth/pac.c 2005-08-26 12:02:47 UTC (rev 9649)
+++ branches/SOC/SAMBA_4_0/source/torture/auth/pac.c 2005-08-26 12:38:17 UTC (rev 9650)
@@ -105,6 +105,7 @@
smb_krb5_context->krb5_context,
&krbtgt_keyblock,
&server_keyblock,
+ time(NULL),
&tmp_blob);
if (ret) {
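Review bot: `time(NULL)` at L253 is passed as the ticket authtime, and per the commit log the PAC's logon_time now has to match the authtime the verifying side is given, so if the test later decodes or verifies the generated PAC with a second `time(NULL)` (outside this hunk) the two calls can straddle a second boundary and the test becomes intermittently flaky. Capture the value once, `time_t authtime = time(NULL);`, and pass `authtime` both here and to any later verify call. Whether such a later call exists is not visible here; the enclosing function starts before the hunk.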
@@ -196,7 +197,7 @@
-- abartlet 2005-07-04
*/
-static const char saved_pac[] = {
+static const uint8_t saved_pac[] = {
0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xd8, 0x01, 0x00, 0x00,
0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00,
0x20, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00,