svn commit: samba r11930 - in branches/SAMBA_4_0/source: heimdal/kdc kdc

abartlet at samba.org abartlet at samba.org
Sun Nov 27 02:02:46 GMT 2005


Author: abartlet
Date: 2005-11-27 02:02:44 +0000 (Sun, 27 Nov 2005)
New Revision: 11930

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=11930

Log:
Add socket/packet handling code for kpasswdd

Allow ticket requests with only a netbios name to be considered 'null'
addresses, and therefore allowed by default.

Use the netbios address as the workstation name for the allowed
workstations check with krb5.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/heimdal/kdc/kerberos5.c
   branches/SAMBA_4_0/source/kdc/kdc.c
   branches/SAMBA_4_0/source/kdc/pac-glue.c


Changeset:
Modified: branches/SAMBA_4_0/source/heimdal/kdc/kerberos5.c
===================================================================
--- branches/SAMBA_4_0/source/heimdal/kdc/kerberos5.c	2005-11-27 02:00:37 UTC (rev 11929)
+++ branches/SAMBA_4_0/source/heimdal/kdc/kerberos5.c	2005-11-27 02:02:44 UTC (rev 11930)
@@ -758,12 +758,28 @@
     krb5_error_code ret;
     krb5_address addr;
     krb5_boolean result;
-    
+    krb5_boolean only_netbios = TRUE;
+    int i;
+
     if(config->check_ticket_addresses == 0)
 	return TRUE;
 
-    if(addresses == NULL)
+    if(addresses == NULL) 
 	return config->allow_null_ticket_addresses;
+
+    for (i = 0; i < addresses->len; ++i) {
+	    if (addresses->val[i].addr_type != KRB5_ADDRESS_NETBIOS) {
+		    only_netbios = FALSE;
+	    }
+    }
+
+    /* Windows sends it's netbios name, which I can only assume is
+     * used for the 'allowed workstations' check.  This is painful, but
+     * we still want to check IP addresses if they happen to be
+     * present. */
+
+    if(only_netbios)
+	return config->allow_null_ticket_addresses;
     
     ret = krb5_sockaddr2address (context, from, &addr);
     if(ret)
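Review bot: The new loop keeps scanning after it has already cleared only_netbios, and it compares the signed `int i` against `addresses->len`, which is presumably unsigned and will draw a sign-compare warning; a `break;` right after `only_netbios = FALSE;` and a `size_t`/`unsigned` index would settle both. The more important point is the policy one: a request whose address list holds only a NetBIOS name now takes exactly the same path as one with no addresses at all, so the effective strength of check_ticket_addresses is governed by allow_null_ticket_addresses, and the added comment should say so explicitly, e.g. `/* A NetBIOS-only address list is treated like a NULL one: admission is decided by allow_null_ticket_addresses, not by the IP comparison below. */`. The comment also reads "it's netbios name" where "its" is meant. The enclosing function starts before and ends after this hunk.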

Modified: branches/SAMBA_4_0/source/kdc/kdc.c
===================================================================
--- branches/SAMBA_4_0/source/kdc/kdc.c	2005-11-27 02:00:37 UTC (rev 11929)
+++ branches/SAMBA_4_0/source/kdc/kdc.c	2005-11-27 02:02:44 UTC (rev 11930)
@@ -388,6 +388,19 @@
 	kdcconn->kdc	 = kdc;
 	kdcconn->process = kpasswdd_process;
 	conn->private    = kdcconn;
+	kdcconn->packet = packet_init(kdcconn);
+	if (kdcconn->packet == NULL) {
+		stream_terminate_connection(conn, "kdc_tcp_accept: out of memory");
+		return;
+	}
+	packet_set_private(kdcconn->packet, kdcconn);
+	packet_set_socket(kdcconn->packet, conn->socket);
+	packet_set_callback(kdcconn->packet, kdc_tcp_recv);
+	packet_set_full_request(kdcconn->packet, packet_full_request_u32);
+	packet_set_error_handler(kdcconn->packet, kdc_tcp_recv_error);
+	packet_set_event_context(kdcconn->packet, conn->event.ctx);
+	packet_set_fde(kdcconn->packet, conn->event.fde);
+	packet_set_serialise(kdcconn->packet);
 }
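Review bot: The out-of-memory message passed to stream_terminate_connection names kdc_tcp_accept, but the connection being set up here dispatches to kpasswdd_process and the ops table that follows is kpasswdd_tcp_stream_ops, so the string looks copied from the KDC accept path and will misattribute failures in logs; `stream_terminate_connection(conn, "kpasswdd_tcp_accept: out of memory");` assuming that is the function's actual name, which is outside the hunk. The receive and error callbacks registered here, kdc_tcp_recv and kdc_tcp_recv_error, are likewise the KDC's; if kpasswdd needs its own handling that should be confirmed rather than inherited silently. The enclosing function starts outside the hunk.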
 
 static const struct stream_server_ops kpasswdd_tcp_stream_ops = {
@@ -556,9 +569,6 @@
 	}
 	krb5_kdc_default_config(kdc->config);
 
-	/* NAT and the like make this pointless, and painful */
-	kdc->config->check_ticket_addresses = FALSE;
-
 	initialize_krb5_error_table();
 
 	ret = smb_krb5_init_context(kdc, &kdc->smb_krb5_context);

Modified: branches/SAMBA_4_0/source/kdc/pac-glue.c
===================================================================
--- branches/SAMBA_4_0/source/kdc/pac-glue.c	2005-11-27 02:00:37 UTC (rev 11929)
+++ branches/SAMBA_4_0/source/kdc/pac-glue.c	2005-11-27 02:02:44 UTC (rev 11930)
@@ -324,6 +324,8 @@
 	TALLOC_CTX *tmp_ctx = talloc_new(entry_ex->private);
 	struct hdb_ldb_private *private = talloc_get_type(entry_ex->private, struct hdb_ldb_private);
 	char *name, *workstation = NULL;
+	int i;
+
 	if (!tmp_ctx) {
 		return ENOMEM;
 	}
@@ -331,7 +333,26 @@
 	ret = krb5_unparse_name(context, entry_ex->entry.principal, &name);
 	if (ret != 0) {
 		talloc_free(tmp_ctx);
+		return ret;
 	}
+	
+	for (i=0; i < addresses->len; i++) {
+		if (addresses->val->addr_type == KRB5_ADDRESS_NETBIOS) {
+			workstation = talloc_strndup(tmp_ctx, addresses->val->address.data, MIN(addresses->val->address.length, 15));
+			if (workstation) {
+				break;
+			}
+		}
+	}
+
+	/* Strip space padding */
+	if (workstation) {
+		i = MIN(strlen(workstation), 15);
+		for (; i > 0 && workstation[i - 1] == ' '; i--) {
+			workstation[i - 1] = '\0';
+		}
+	}
+
 	nt_status = authsam_account_ok(tmp_ctx, 
 				       private->samdb, 
 				       MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT,
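Review bot: The loop body never uses its index: `addresses->val->addr_type` and `addresses->val->address` always read element 0, so a NetBIOS address that is not first in the list is never found and the check is repeated len times on the same entry; change to `if (addresses->val[i].addr_type == KRB5_ADDRESS_NETBIOS) {` and `workstation = talloc_strndup(tmp_ctx, addresses->val[i].address.data, MIN(addresses->val[i].address.length, 15));`. `addresses` is also dereferenced with no NULL check, while the kerberos5.c hunk in this same commit treats a NULL address list as a legitimate case, so guard with `for (i = 0; addresses && i < addresses->len; i++)` or return early. The workstation name is copied straight from the client's own request, so the allowed-workstations check it feeds is a policy filter on a self-asserted name rather than an authenticated property; a one-line comment above the loop stating that would keep later readers from treating it as a security boundary. The enclosing function starts before this hunk and continues past it.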


