[SCM] Samba Shared Repository - branch v3-0-test updated - release-3-0-32-36-gd2bea89

jlayton at samba.org jlayton at samba.org
Fri Sep 12 21:04:10 GMT 2008


The branch, v3-0-test has been updated
       via  d2bea898942e213fb1e33f46c76274527928473d (commit)
       via  59d7d3ae58432a07a858fc7e9161e27bb9478c9e (commit)
       via  be4adc6938b06fc6df79c6c129528fdbb8b0c041 (commit)
       via  ce937b28a75b8c72e36bd3853d52a9ac1a7606b9 (commit)
       via  b5cf5a34d227dd436b12a2d50ba8ddb728799089 (commit)
       via  340fdd5fed64ec4a8d7fc937956c722d59a73ba8 (commit)
       via  8ee20a90bf312ba8c98ae86439bb8365a4c55561 (commit)
       via  186eb5b26e29b687e9eab981a0ef673462f68f78 (commit)
       via  de0e8337d4fdde8fc3e892710c1f27a697fdcef5 (commit)
       via  da92a35cae09d312f11f77d900132422162c435a (commit)
       via  fb47f5de055a444b8b7a4555da0160f8d624e286 (commit)
       via  c3d0508619e11f3c70fec3427d6cf1213b98895f (commit)
       via  af743c4407c41ef988ee99891e36b66153697330 (commit)
       via  362092be7114d0ed4a8771ff3b4b5166350bac92 (commit)
       via  e2e41ff95cc2388dd41cee1e105a280fbfcf7c02 (commit)
       via  64f1f899dc983196692f535e6142acc0c817c0ab (commit)
       via  63aae3f3135741eab8702eb9b261f7cee2fbeca0 (commit)
       via  88989075056fb7b14e3ed33b951d5587227a7be7 (commit)
       via  9d2c5aee56d58930d4d982046b7164e12c12db5d (commit)
      from  5e73ddba11cbf9ea2d6ca63be098720ff0d5a0d1 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-0-test


- Log -----------------------------------------------------------------
commit d2bea898942e213fb1e33f46c76274527928473d
Author: Jeff Layton <jlayton at redhat.com>
Date:   Fri Sep 12 16:58:00 2008 -0400

    mount.cifs: don't prompt for password on krb5 mounts
    
    krb5 mounts require that the user already have a valid krb5 ticket.
    Since we can't currently use the password entered, don't prompt for it.
    
    Also, switch to using strncmp instead of strcmp here.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit 59d7d3ae58432a07a858fc7e9161e27bb9478c9e
Author: Jeff Layton <jlayton at redhat.com>
Date:   Fri Sep 12 16:58:00 2008 -0400

    mount.cifs: fix several problems when mounting subdirectories of shares (try 2)
    
    This patch is the second patch to attempt to fix up some of the problems
    with mounting subdirectories of shares. The earlier patch didn't handle
    this correctly when POSIX extensions were enabled. This one does.
    
    This is a bit of a confusing area since the different components of
    a service string have different rules:
    
    1) hostname: no '/' (slash) or '\' (backslash) is allowed to be
    	     embedded within the string
    
    2) sharename: same rules as hostname
    
    3) prefixpath: '\' *is* allowed to be embedded in a path component,
    	       iff POSIX extensions are enabled. Otherwise, neither
    	       character is allowed.
    
    The idea here is to allow either character to act as a delimiter when we
    know that the character can't be anything but a delimiter (namely
    everywhere up to the start of the prefixpath). The patch will convert
    any '\' unconditionally to '/' in the UNC portion of the string.
    
    However, inside the prefixpath, we can't make assumptions about what
    constitutes a delimiter because POSIX allows for embedded '\'
    characters. So there we don't attempt to do any conversion, and pass the
    prefixpath to the kernel as is. Once the kernel determines whether POSIX
    extensions are enabled, it can then convert the path if needed and it's
    able to do so. A patch to handle this has already been committed to the
    cifs-2.6 git tree.
    
    This patch also fixes an annoyance. When you mount a subdir of a share,
    mount.cifs munges the device string so that you can't tell what the
    prefixpath is. So if I mount:
    
    	//server/share/p1/p2/p3
    
    ..then /proc/mounts and mtab will show only:
    
    	//server/share
    
    Finally, it also tries to apply some consistent rules to the uppercasing
    of strings.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>
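
The delimiter rules in the commit message above, as an added example that is not part of the Samba patch or of mount.cifs itself: a small C parser that treats either '/' or '\' as a delimiter up to the start of the prefixpath, copies the prefixpath byte-for-byte (so an embedded '\' survives for the kernel to interpret once it knows whether POSIX extensions are on), and rebuilds a device string that still shows the prefixpath instead of only //server/share. The struct, the function names and the buffer sizes are this example's own choices, not Samba's.

```c
/* Added example, not code from the Samba tree: split a mount.cifs service
 * string into host, share and prefixpath using the rules from the commit
 * message. Names and sizes here are this example's own choices. */
#include <stdio.h>
#include <string.h>

struct unc_parts {
	char host[256];
	char share[256];
	char prefixpath[1024];	/* copied verbatim; may contain '\' under POSIX */
};

/* Up to the start of the prefixpath, '/' and '\' can only be delimiters. */
static int is_delim(char c)
{
	return c == '/' || c == '\\';
}

/* Copy [start, end) into dst if it is non-empty and fits; 0 on success. */
static int copy_component(char *dst, size_t dstlen,
			  const char *start, const char *end)
{
	size_t n = (size_t)(end - start);

	if (n == 0 || n >= dstlen)
		return -1;
	memcpy(dst, start, n);
	dst[n] = '\0';
	return 0;
}

/*
 * Parse //host/share[/prefixpath] (either delimiter accepted before the
 * prefixpath). Returns 0 on success, -1 if host or share is missing.
 */
int split_service(const char *service, struct unc_parts *out)
{
	const char *p = service;
	const char *start;

	memset(out, 0, sizeof(*out));

	/* exactly two leading delimiters, in any combination */
	if (!is_delim(p[0]) || !is_delim(p[1]))
		return -1;
	p += 2;

	/* hostname: no '/' or '\' may be embedded, so stop at the first one */
	start = p;
	while (*p && !is_delim(*p))
		p++;
	if (*p == '\0' || copy_component(out->host, sizeof(out->host), start, p))
		return -1;
	p++;

	/* sharename: same rule; it may be the last component */
	start = p;
	while (*p && !is_delim(*p))
		p++;
	if (copy_component(out->share, sizeof(out->share), start, p))
		return -1;

	/* prefixpath: everything after the share delimiter, passed through
	 * untouched because a '\' here may be a real character under POSIX */
	if (*p) {
		p++;
		if (strlen(p) >= sizeof(out->prefixpath))
			return -1;
		strcpy(out->prefixpath, p);
	}
	return 0;
}

/* Device string for mtab or /proc/mounts that keeps the prefixpath visible. */
int format_device(const struct unc_parts *u, char *buf, size_t buflen)
{
	int n;

	if (u->prefixpath[0])
		n = snprintf(buf, buflen, "//%s/%s/%s",
			     u->host, u->share, u->prefixpath);
	else
		n = snprintf(buf, buflen, "//%s/%s", u->host, u->share);
	return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

int main(int argc, char *argv[])
{
	/* constructed sample: Windows-style UNC with a backslash in the prefixpath */
	const char *service = argc > 1 ? argv[1] : "\\\\server\\share\\p1\\p2";
	struct unc_parts u;
	char dev[1600];

	if (split_service(service, &u) || format_device(&u, dev, sizeof(dev))) {
		fprintf(stderr, "bad service string: %s\n", service);
		return 1;
	}
	printf("host=%s share=%s prefixpath=%s device=%s\n",
	       u.host, u.share, u.prefixpath, dev);
	return 0;
}
```

Run it with a service string as the only argument; with no argument it parses the constructed sample. Note that the prefixpath keeps its backslashes in the device string too, which is what the kernel-side conversion the commit message refers to is for.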

commit be4adc6938b06fc6df79c6c129528fdbb8b0c041
Author: Jeff Layton <jlayton at redhat.com>
Date:   Fri Sep 12 16:58:00 2008 -0400

    Introduce const DATA_BLOB data_blob_null = { NULL, 0, NULL };
    
    Cherry picked from commit 3d3d61687ef00181f4f04e001d42181d93ac931e
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit ce937b28a75b8c72e36bd3853d52a9ac1a7606b9
Author: Jeff Layton <jlayton at redhat.com>
Date:   Fri Sep 12 16:57:59 2008 -0400

    cifs.upcall: bump SPNEGO msg version number and don't reject old versions
    
    When we added the ability for the kernel to send sec=mskrb5 to the
    upcall, we subtly broke old cifs.upcall versions that don't understand
    it. Bump the spnego message version to 2 to make this clear. Also,
    change cifs.upcall to not reject requests with a version that's lower
    than the current one, and to send the reply with the same version that
    the request sent. The idea is to try and keep cifs.upcall backward
    compatible with old kernels.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit b5cf5a34d227dd436b12a2d50ba8ddb728799089
Author: Jeff Layton <jlayton at redhat.com>
Date:   Fri Sep 12 16:57:59 2008 -0400

    cifs.upcall: fix build warning
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit 340fdd5fed64ec4a8d7fc937956c722d59a73ba8
Author: Jeff Layton <jlayton at redhat.com>
Date:   Fri Sep 12 16:57:59 2008 -0400

    cifs.upcall: handle MSKRB5 OID properly
    
    When the kernel sends the upcall a sec=mskrb5 parameter, that means
    the MSKRB5 OID is preferred by the server. This patch fixes the
    upcall to use that OID in place of the "normal" krb5 OID when it
    gets a sec=mskrb5 parameter.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>
    Acked-by: Steve French <smfrench at gmail.com>

commit 8ee20a90bf312ba8c98ae86439bb8365a4c55561
Author: Jeff Layton <jlayton at redhat.com>
Date:   Fri Sep 12 16:57:59 2008 -0400

    cifs.upcall: negatively instantiate keys on error
    
    When a request-key upcall exits without instantiating a key, the kernel
    will negatively instantiate the key with a 60s timeout. Older kernels,
    however, seem to also link that key into the session keyring. This
    behavior can interfere with subsequent mount attempts until the
    key times out. The next request_key() call will get this negative key
    even if the upcall would have worked the second time.
    
    Fix this by having cifs.upcall negatively instantiate the key itself
    with a 1s timeout and don't attach it to the session keyring.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit 186eb5b26e29b687e9eab981a0ef673462f68f78
Author: Steve French <stevef at smf-t60p.smfdom>
Date:   Fri Sep 12 16:57:59 2008 -0400

    Building cifs.upcall is giving this build warning:
    
       client/cifs.upcall.c:205: warning: function declaration isn’t a prototype
    
    This patch fixes this by properly declaring usage() args as void.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>
    Signed-off-by: Steve French <sfrench at samba.org>

commit de0e8337d4fdde8fc3e892710c1f27a697fdcef5
Author: Steve French <stevef at smf-t60p.smfdom>
Date:   Fri Sep 12 16:57:59 2008 -0400

    cifs.upcall: fix manpage and comments
    
    The "cifs.resolver" key type has been changed to "dns_resolver". Fix
    the comments at the top of cifs.upcall and the manpage accordingly.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>
    Signed-off-by: Steve French <sfrench at samba.org>
    ---
     docs-xml/manpages-3/cifs.upcall.8.xml |    4 ++--
     source/client/cifs.upcall.c           |    8 ++++----
     2 files changed, 6 insertions(+), 6 deletions(-)

commit da92a35cae09d312f11f77d900132422162c435a
Author: Steve French <stevef at smf-t60p.smfdom>
Date:   Fri Sep 12 16:57:59 2008 -0400

    cifs.upcall was not recognizing the newer name "dns_resolver" key type
    (as a synonym for the older "cifs.resolver" name) when resolving host
    names to ip addresses for the kernel.
    
    Acked-by: Jeff Layton

commit fb47f5de055a444b8b7a4555da0160f8d624e286
Author: Steve French <stevef at smf-t60p.smfdom>
Date:   Fri Sep 12 16:57:59 2008 -0400

    cifs.upcall: fix compile warning
    
    Steve French noticed these warnings when building cifs.upcall:
    
       Compiling client/cifs.upcall.c
       client/cifs.upcall.c: In function 'usage':
       client/cifs.upcall.c:204: warning: declaration of 'prog' shadows a global declaration
       client/cifs.upcall.c:33: warning: shadowed declaration is here
    
    Change the usage function to not take an arg and have it just use the global
    "prog" variable. Fix a typo in the log message generated when an unknown
    option is specified. Also getopt() always returns '?' when it sees an unknown
    option so there's no point in printing it out.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit c3d0508619e11f3c70fec3427d6cf1213b98895f
Author: Michael Adam <obnox at samba.org>
Date:   Fri Sep 12 16:57:59 2008 -0400

    build: fix linking cifs.upcall when nscd_flush_cache() is found.
    
    Michael

commit af743c4407c41ef988ee99891e36b66153697330
Author: Jeff Layton <jlayton at redhat.com>
Date:   Fri Sep 12 16:57:58 2008 -0400

    cifs.upcall: move default install location to EPREFIX/sbin
    
    cifs.upcall links to libraries that live under /usr, so installing it
    in /sbin doesn't seem appropriate. Move it to EPREFIX/sbin instead
    (i.e. /usr/sbin).
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit 362092be7114d0ed4a8771ff3b4b5166350bac92
Author: Jeff Layton <jlayton at redhat.com>
Date:   Fri Sep 12 16:57:58 2008 -0400

    cifs.upcall: enable building by default on linux
    
    When building on linux, default to building cifs.upcall. Throw a
    warning if ADS support is disabled or keyutils isn't installed.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>

commit e2e41ff95cc2388dd41cee1e105a280fbfcf7c02
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Sep 12 16:57:58 2008 -0400

    This patchset comprises a number of cleanups for the cifs upcall
    binary. The biggest change is that it renames it from cifs.spnego
    to cifs.upcall since the cifs.spnego name really isn't applicable
    anymore.
    
    It also fixes a segfault when the program is run without any args
    and adds a manpage. Comments and/or suggestions appreciated.
    
    This set should apply cleanly to the 3.3 test branch.
    
    Signed-off-by: Jeff Layton <jlayton at redhat.com>
    Jeremy.

commit 64f1f899dc983196692f535e6142acc0c817c0ab
Author: Igor Mammedov <niallain at gmail.com>
Date:   Fri Sep 12 16:57:58 2008 -0400

    Adds support for cifs.resolver upcall.
    
    Here is a patch for userspace cifs.spnego handler that adds support for cifs.resolver
    upcall used in DFS code.
    Any comments are appreciated.
    
    #############################
    
    Cifs upcall with key type cifs.resolver is used for resolving
    server names in handling DFS referrals.
    
    Signed-off-by: Igor Mammedov <niallain at gmail.com>

commit 63aae3f3135741eab8702eb9b261f7cee2fbeca0
Author: Simo Sorce <idra at samba.org>
Date:   Fri Sep 12 16:57:58 2008 -0400

    Fix warning

commit 88989075056fb7b14e3ed33b951d5587227a7be7
Author: Igor Mammedov <niallain at gmail.com>
Date:   Fri Sep 12 16:57:58 2008 -0400

    * helper source for handling cifs kernel module upcall for kerberos
      authorization
    * Added -c option to set service prefix to "cifs" in service principal;
      by default service prefix "host" is used
    * replaced malloc/free/strncpy with replacements from samba project
    
    Signed-off-by: Igor Mammedov <niallain at gmail.com>

commit 9d2c5aee56d58930d4d982046b7164e12c12db5d
Author: Igor Mammedov <niallain at gmail.com>
Date:   Fri Sep 12 16:57:58 2008 -0400

    * Adds support for cifs.spnego helper into configure and Makefile.in
    
    * Added checks for spnego prereq keyutils.h and kerberos in configure.in
    
    Signed-off-by: Igor Mammedov <niallain at gmail.com>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/manpages-3/cifs.upcall.8.xml |  115 ++++++++++
 source/Makefile.in                    |   21 ++-
 source/client/cifs.upcall.c           |  388 +++++++++++++++++++++++++++++++++
 source/client/cifs_spnego.h           |   46 ++++
 source/client/mount.cifs.c            |   98 ++++++---
 source/configure.in                   |   57 +++++
 6 files changed, 693 insertions(+), 32 deletions(-)
 create mode 100644 docs-xml/manpages-3/cifs.upcall.8.xml
 create mode 100644 source/client/cifs.upcall.c
 create mode 100644 source/client/cifs_spnego.h
 mode change 100755 => 100644 source/client/mount.cifs.c


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages-3/cifs.upcall.8.xml b/docs-xml/manpages-3/cifs.upcall.8.xml
new file mode 100644
index 0000000..3c1bb24
--- /dev/null
+++ b/docs-xml/manpages-3/cifs.upcall.8.xml
@@ -0,0 +1,115 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<refentry id="cifs.upcall.8">
+
+
+<refmeta>
+        <refentrytitle>cifs.upcall</refentrytitle>
+        <manvolnum>8</manvolnum>
+        <refmiscinfo class="source">Samba</refmiscinfo>
+        <refmiscinfo class="manual">System Administration tools</refmiscinfo>
+        <refmiscinfo class="version">3.2</refmiscinfo>
+</refmeta>
+
+<refnamediv>
+        <refname>cifs.upcall</refname>
+        <refpurpose>Userspace upcall helper for Common Internet File System (CIFS)</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+        <cmdsynopsis>
+                <command>cifs.upcall</command>
+                <arg choice="opt">-c</arg>
+                <arg choice="opt">-v</arg>
+                <arg choice="req">keyid</arg>
+        </cmdsynopsis>
+</refsynopsisdiv>
+
+
+<refsect1>
+        <title>DESCRIPTION</title>
+
+        <para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
+        <manvolnum>7</manvolnum></citerefentry> suite.</para>
+
+<para>cifs.upcall is a userspace helper program for the linux CIFS client
+filesystem. There are a number of activities that the kernel cannot easily
+do itself. This program is a callout program that does these things for the
+kernel and then returns the result.</para>
+
+<para>cifs.upcall is generally intended to be run when the kernel calls
+request-key<manvolnum>8</manvolnum> for a particular key type. While it
+can be run directly from the command-line, it's not generally intended
+to be run that way.</para>
+</refsect1>
+
+<refsect1>
+	<title>OPTIONS</title>
+	<variablelist>
+		<varlistentry>
+		<term>-c</term>
+		<listitem><para>When handling a kerberos upcall, use a service principal that starts with "cifs/". The default is to use the "host/" service principal.
+		</para></listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>-v</term>
+		<listitem><para>Print version number and exit.
+		</para></listitem>
+		</varlistentry>
+	</variablelist>
+</refsect1>
+
+<refsect1>
+	<title>CONFIGURATION FOR KEYCTL</title>
+	<para>cifs.upcall is designed to be called from the kernel via the request-key callout program. This requres that request-key be told where and how to call this program. The current cifs.upcall program handles two different key types:</para>
+
+	<variablelist>
+		<varlistentry>
+		<term>cifs.spnego</term>
+		<listitem><para>This keytype is for retrieving kerberos session keys
+		</para></listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>dns_resolver</term>
+		<listitem><para>This key type is for resolving hostnames into IP addresses
+		</para></listitem>
+		</varlistentry>
+	</variablelist>
+
+	<para>To make this program useful for CIFS, you'll need to set up entries for them in request-key.conf<manvolnum>5</manvolnum>. Here's an example of an entry for each key type:</para>
+<programlisting>
+#OPERATION  TYPE           D C PROGRAM ARG1 ARG2...
+#=========  =============  = = ==========================================
+create	    cifs.spnego    * * /usr/local/sbin/cifs.upcall -c %k
+create      dns_resolver   * * /usr/local/sbin/cifs.upcall %k
+</programlisting>
+<para>
+See <citerefentry><refentrytitle>request-key.conf<manvolnum>5</manvolnum></refentrytitle></citerefentry> for more info on each field.
+</para>
+</refsect1>
+
+<refsect1>
+        <title>SEE ALSO</title>
+        <para>
+	<citerefentry><refentrytitle>request-key.conf</refentrytitle>
+        <manvolnum>5</manvolnum></citerefentry>,
+	<citerefentry><refentrytitle>mount.cifs</refentrytitle>
+        <manvolnum>8</manvolnum></citerefentry>
+	</para>
+</refsect1>
+
+<refsect1>
+        <title>AUTHOR</title>
+
+	<para>Igor Mammedov wrote the cifs.upcall program.</para>
+	<para>Jeff Layton authored this manpage.</para>
+	<para>The maintainer of the Linux CIFS VFS is Steve French.</para>
+        <para>The <ulink url="mailto:linux-cifs-client at lists.samba.org">Linux
+		CIFS Mailing list</ulink> is the preferred place to ask
+		questions regarding these programs.
+	</para>
+</refsect1>
+
+</refentry>
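
Review bot: the DocBook in this hunk is not well-formed in two places: `request-key<manvolnum>8</manvolnum>` in DESCRIPTION puts a `<manvolnum>` outside any `<citerefentry>`, and `<refentrytitle>request-key.conf<manvolnum>5</manvolnum></refentrytitle>` in CONFIGURATION FOR KEYCTL nests it inside `<refentrytitle>`; both should use the form already used in SEE ALSO, `<citerefentry><refentrytitle>request-key.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>`. Two consistency points: the example request-key.conf entry passes `-c` for cifs.spnego while the comment block at the top of cifs.upcall.c in this same changeset omits it, so the two documented configurations disagree on whether the "cifs/" or "host/" principal is used by default; and `<refmiscinfo class="version">3.2</refmiscinfo>` does not match the v3-0-test branch this lands on. Also "This requres that request-key be told" should read "requires".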
diff --git a/source/Makefile.in b/source/Makefile.in
index 90db249..c377ed1 100644
--- a/source/Makefile.in
+++ b/source/Makefile.in
@@ -144,7 +144,7 @@ PATH_FLAGS = $(PATH_FLAGS6) $(PASSWD_FLAGS)
 
 # Note that all executable programs now provide for an optional executable suffix.
 
-SBIN_PROGS = bin/smbd at EXEEXT@ bin/nmbd at EXEEXT@ bin/swat at EXEEXT@ @EXTRA_SBIN_PROGS@
+SBIN_PROGS = bin/smbd at EXEEXT@ bin/nmbd at EXEEXT@ bin/swat at EXEEXT@ @EXTRA_SBIN_PROGS@ @CIFSUPCALL_PROGS@
 
 ROOT_SBIN_PROGS = @CIFSMOUNT_PROGS@
 
@@ -646,6 +646,8 @@ CIFS_MOUNT_OBJ = client/mount.cifs.o
 
 CIFS_UMOUNT_OBJ = client/umount.cifs.o
 
+CIFS_UPCALL_OBJ = client/cifs.upcall.o
+
 NMBLOOKUP_OBJ = utils/nmblookup.o $(PARAM_OBJ) $(LIBNMB_OBJ) $(RPC_PARSE_OBJ1) $(DOSERR_OBJ) \
                $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(SECRETS_OBJ) $(LIBSAMBA_OBJ)
 
@@ -1022,6 +1024,11 @@ bin/umount.cifs at EXEEXT@: $(CIFS_UMOUNT_OBJ) bin/.dummy
 	@echo Linking $@
 	@$(CC) $(FLAGS) -o $@ $(CIFS_UMOUNT_OBJ) $(DYNEXP) $(LDFLAGS)
 
+bin/cifs.upcall at EXEEXT@: $(BINARY_PREREQS) $(CIFS_UPCALL_OBJ) $(LIBSMBCLIENT_OBJ) bin/.dummy
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(CIFS_UPCALL_OBJ) $(DYNEXP) $(LDFLAGS) -lkeyutils $(LIBS) \
+		$(LIBSMBCLIENT_OBJ) $(KRB5LIBS) $(LDAP_LIBS) $(NSCD_LIBS)
+
 bin/testparm at EXEEXT@: proto_exists $(TESTPARM_OBJ) @BUILD_POPT@ bin/.dummy
 	@echo Linking $@
 	@$(CC) $(FLAGS) -o $@ $(TESTPARM_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) $(LDAP_LIBS) @POPTLIBS@
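
Review bot: in the bin/cifs.upcall link rule, $(LIBSMBCLIENT_OBJ) comes after $(LIBS), -lkeyutils and $(LDFLAGS) on the command line; object files should precede the libraries that satisfy their references, or a linker resolving left to right (or with --as-needed) can drop symbols those objects need. Move $(LIBSMBCLIENT_OBJ) next to $(CIFS_UPCALL_OBJ). `-lkeyutils` is also hard-coded here even though the commit messages say configure.in now checks for keyutils; substituting the library from configure would keep the check and the link line in step.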
@@ -1566,8 +1573,7 @@ bin/timelimit at EXEEXT@: script/tests/timelimit.o
 	@echo Linking $@
 	@$(CC) $(FLAGS) -o $@ $(DYNEXP) script/tests/timelimit.o
 
-install: installservers installbin @INSTALL_CIFSMOUNT@ installman installscripts installdat installswat installmodules @INSTALL_LIBSMBCLIENT@ @INSTALL_LIBMSRPC@ @INSTALL_PAM_MODULES@ @INSTALL_LIBSMBSHAREMODES@
-
+install: installservers installbin @INSTALL_CIFSMOUNT@ @INSTALL_CIFSUPCALL@ installman installscripts installdat installswat installmodules @INSTALL_LIBSMBCLIENT@ @INSTALL_LIBMSRPC@ @INSTALL_PAM_MODULES@ @INSTALL_LIBSMBSHAREMODES@
 
 install-everything: install installmodules
 
@@ -1592,6 +1598,10 @@ installcifsmount: @CIFSMOUNT_PROGS@
 	@$(SHELL) $(srcdir)/script/installdirs.sh $(INSTALLPERMS) $(DESTDIR) $(ROOTSBINDIR)
 	@$(SHELL) script/installbin.sh $(INSTALLPERMS) $(DESTDIR) $(prefix) $(ROOTSBINDIR) @CIFSMOUNT_PROGS@
 
+installcifsupcall: @CIFSUPCALL_PROGS@
+	@$(SHELL) $(srcdir)/script/installdirs.sh $(INSTALLPERMS_BIN) $(DESTDIR) $(SBINDIR)
+	@$(SHELL) script/installbin.sh $(INSTALLPERMS_BIN) $(DESTDIR) $(prefix) $(SBINDIR) @CIFSUPCALL_PROGS@
+
 # Some symlinks are required for the 'probing' of modules.
 # This mechanism should go at some point..
 installmodules: modules installdirs
@@ -1709,7 +1719,7 @@ showlayout:
 	@echo "  swatdir:     $(SWATDIR)"
 
 
-uninstall: uninstallman uninstallservers uninstallbin @UNINSTALL_CIFSMOUNT@ uninstallscripts uninstalldat uninstallswat uninstallmodules @UNINSTALL_LIBSMBCLIENT@ @UNINSTALL_LIBMSRPC@ @UNINSTALL_PAM_MODULES@ @UNINSTALL_LIBSMBSHAREMODES@
+uninstall: uninstallman uninstallservers uninstallbin @UNINSTALL_CIFSMOUNT@ @UNINSTALL_CIFSUPCALL@ uninstallscripts uninstalldat uninstallswat uninstallmodules @UNINSTALL_LIBSMBCLIENT@ @UNINSTALL_LIBMSRPC@ @UNINSTALL_PAM_MODULES@ @UNINSTALL_LIBSMBSHAREMODES@
 
 uninstallman:
 	@$(SHELL) $(srcdir)/script/uninstallman.sh $(DESTDIR)$(MANDIR) $(srcdir) C
@@ -1723,6 +1733,9 @@ uninstallbin:
 uninstallcifsmount:
 	@$(SHELL) script/uninstallbin.sh $(INSTALLPERMS) $(DESTDIR) $(prefix) $(ROOTSBINDIR) @CIFSMOUNT_PROGS@
 
+uninstallcifsupcall:
+	@$(SHELL) script/uninstallbin.sh $(INSTALLPERMS_BIN) $(DESTDIR) $(prefix) $(ROOTSBINDIR) @CIFSUPCALL_PROGS@
+
 uninstallmodules:
 	@$(SHELL) $(srcdir)/script/uninstallmodules.sh $(INSTALLPERMS) $(DESTDIR) $(prefix) $(VFSLIBDIR) $(VFS_MODULES)
 	@$(SHELL) $(srcdir)/script/uninstallmodules.sh $(INSTALLPERMS) $(DESTDIR) $(prefix) $(PDBLIBDIR) $(PDB_MODULES)
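
Review bot: uninstallcifsupcall removes from $(ROOTSBINDIR), but installcifsupcall in this same patch installs to $(SBINDIR) (matching the "move default install location to EPREFIX/sbin" commit), so `make uninstall` will look in the wrong directory and leave the binary behind. Change `$(ROOTSBINDIR)` on the uninstallcifsupcall line to `$(SBINDIR)`.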
diff --git a/source/client/cifs.upcall.c b/source/client/cifs.upcall.c
new file mode 100644
index 0000000..3bb5658
--- /dev/null
+++ b/source/client/cifs.upcall.c
@@ -0,0 +1,388 @@
+/*
+* CIFS user-space helper.
+* Copyright (C) Igor Mammedov (niallain at gmail.com) 2007
+*
+* Used by /sbin/request-key for handling
+* cifs upcall for kerberos authorization of access to share and
+* cifs upcall for DFS srver name resolving (IPv4/IPv6 aware).
+* You should have keyutils installed and add something like the
+* following lines to /etc/request-key.conf file:
+
+create cifs.spnego * * /usr/local/sbin/cifs.upcall %k
+create dns_resolver * * /usr/local/sbin/cifs.upcall %k
+
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+* You should have received a copy of the GNU General Public License
+* along with this program; if not, write to the Free Software
+* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*/
+
+#include "includes.h"
+#include <keyutils.h>
+
+#include "cifs_spnego.h"
+
+const char *CIFSSPNEGO_VERSION = "1.2";
+static const char *prog = "cifs.upcall";
+typedef enum _secType {
+	KRB5,
+	MS_KRB5
+} secType_t;
+const DATA_BLOB data_blob_null = { NULL, 0, NULL };
+
+/*
+ * Prepares AP-REQ data for mechToken and gets session key
+ * Uses credentials from cache. It will not ask for password
+ * you should receive credentials for yuor name manually using
+ * kinit or whatever you wish.
+ *
+ * in:
+ * 	oid -		string with OID/ Could be OID_KERBEROS5
+ * 			or OID_KERBEROS5_OLD
+ * 	principal -	Service name.
+ * 			Could be "cifs/FQDN" for KRB5 OID
+ * 			or for MS_KRB5 OID style server principal
+ * 			like "pdc$@YOUR.REALM.NAME"
+ *
+ * out:
+ * 	secblob -	pointer for spnego wrapped AP-REQ data to be stored
+ * 	sess_key-	pointer for SessionKey data to be stored
+ *
+ * ret: 0 - success, others - failure
+*/
+int handle_krb5_mech(const char *oid, const char *principal,
+		     DATA_BLOB * secblob, DATA_BLOB * sess_key)
+{
+	int retval;
+	DATA_BLOB tkt, tkt_wrapped;
+
+	/* get a kerberos ticket for the service and extract the session key */
+	retval = cli_krb5_get_ticket(principal, 0,
+				     &tkt, sess_key, 0, NULL, NULL);
+
+	if (retval)
+		return retval;
+
+	/* wrap that up in a nice GSS-API wrapping */
+	tkt_wrapped = spnego_gen_krb5_wrap(tkt, TOK_ID_KRB_AP_REQ);
+
+	/* and wrap that in a shiny SPNEGO wrapper */
+	*secblob = gen_negTokenInit(oid, tkt_wrapped);
+
+	data_blob_free(&tkt_wrapped);
+	data_blob_free(&tkt);
+	return retval;
+}
+
+#define DKD_HAVE_HOSTNAME	1
+#define DKD_HAVE_VERSION	2
+#define DKD_HAVE_SEC		4
+#define DKD_HAVE_IPV4		8
+#define DKD_HAVE_IPV6		16
+#define DKD_HAVE_UID		32
+#define DKD_MUSTHAVE_SET (DKD_HAVE_HOSTNAME|DKD_HAVE_VERSION|DKD_HAVE_SEC)
+
+int decode_key_description(const char *desc, int *ver, secType_t * sec,
+			   char **hostname, uid_t * uid)
+{
+	int retval = 0;
+	char *pos;
+	const char *tkn = desc;
+
+	do {
+		pos = index(tkn, ';');
+		if (strncmp(tkn, "host=", 5) == 0) {
+			int len;
+
+			if (pos == NULL) {
+				len = strlen(tkn);
+			} else {
+				len = pos - tkn;
+			}
+			len -= 4;
+			SAFE_FREE(*hostname);
+			*hostname = SMB_XMALLOC_ARRAY(char, len);
+			strlcpy(*hostname, tkn + 5, len);
+			retval |= DKD_HAVE_HOSTNAME;
+		} else if (strncmp(tkn, "ipv4=", 5) == 0) {
+			/* BB: do we need it if we have hostname already? */
+		} else if (strncmp(tkn, "ipv6=", 5) == 0) {
+			/* BB: do we need it if we have hostname already? */
+		} else if (strncmp(tkn, "sec=", 4) == 0) {
+			if (strncmp(tkn + 4, "krb5", 4) == 0) {
+				retval |= DKD_HAVE_SEC;
+				*sec = KRB5;
+			} else if (strncmp(tkn + 4, "mskrb5", 6) == 0) {
+				retval |= DKD_HAVE_SEC;
+				*sec = MS_KRB5;
+			}
+		} else if (strncmp(tkn, "uid=", 4) == 0) {
+			errno = 0;
+			*uid = strtol(tkn + 4, NULL, 16);
+			if (errno != 0) {
+				syslog(LOG_WARNING, "Invalid uid format: %s",
+				       strerror(errno));
+				return 1;
+			} else {
+				retval |= DKD_HAVE_UID;
+			}
+		} else if (strncmp(tkn, "ver=", 4) == 0) {	/* if version */
+			errno = 0;
+			*ver = strtol(tkn + 4, NULL, 16);
+			if (errno != 0) {
+				syslog(LOG_WARNING,
+				       "Invalid version format: %s",
+				       strerror(errno));
+				return 1;
+			} else {
+				retval |= DKD_HAVE_VERSION;
+			}
+		}
+		if (pos == NULL)
+			break;
+		tkn = pos + 1;
+	} while (tkn);
+	return retval;
+}
+
+int cifs_resolver(const key_serial_t key, const char *key_descr)
+{
+	int c;
+	struct addrinfo *addr;
+	char ip[INET6_ADDRSTRLEN];
+	void *p;
+	const char *keyend = key_descr;
+	/* skip next 4 ';' delimiters to get to description */
+	for (c = 1; c <= 4; c++) {
+		keyend = index(keyend+1, ';');
+		if (!keyend) {
+			syslog(LOG_WARNING, "invalid key description: %s",
+					key_descr);
+			return 1;
+		}
+	}
+	keyend++;
+
+	/* resolve name to ip */
+	c = getaddrinfo(keyend, NULL, NULL, &addr);
+	if (c) {
+		syslog(LOG_WARNING, "unable to resolve hostname: %s [%s]",
+				keyend, gai_strerror(c));
+		return 1;
+	}
+
+	/* conver ip to string form */
+	if (addr->ai_family == AF_INET) {
+		p = &(((struct sockaddr_in *)addr->ai_addr)->sin_addr);
+	} else {
+		p = &(((struct sockaddr_in6 *)addr->ai_addr)->sin6_addr);
+	}
+	if (!inet_ntop(addr->ai_family, p, ip, sizeof(ip))) {
+		syslog(LOG_WARNING, "%s: inet_ntop: %s",
+				__FUNCTION__, strerror(errno));
+		freeaddrinfo(addr);
+		return 1;
+	}
+
+	/* setup key */
+	c = keyctl_instantiate(key, ip, strlen(ip)+1, 0);
+	if (c == -1) {
+		syslog(LOG_WARNING, "%s: keyctl_instantiate: %s",
+				__FUNCTION__, strerror(errno));
+		freeaddrinfo(addr);
+		return 1;
+	}
+
+	freeaddrinfo(addr);
+	return 0;
+}
+
+void
+usage(void)
+{
+	syslog(LOG_WARNING, "Usage: %s [-c] [-v] key_serial", prog);
+	fprintf(stderr, "Usage: %s [-c] [-v] key_serial\n", prog);
+}
+
+int main(const int argc, char *const argv[])
+{
+	struct cifs_spnego_msg *keydata = NULL;
+	DATA_BLOB secblob = data_blob_null;
+	DATA_BLOB sess_key = data_blob_null;
+	secType_t sectype;
+	key_serial_t key = 0;
+	size_t datalen;
+	long rc = 1;
+	uid_t uid;
+	int kernel_upcall_version;
+	int c, use_cifs_service_prefix = 0;
+	char *buf, *hostname = NULL;
+	const char *oid;
+
+	openlog(prog, 0, LOG_DAEMON);
+
+	while ((c = getopt(argc, argv, "cv")) != -1) {
+		switch (c) {
+		case 'c':{
+			use_cifs_service_prefix = 1;
+			break;
+			}
+		case 'v':{
+			printf("version: %s\n", CIFSSPNEGO_VERSION);
+			goto out;
+			}
+		default:{
+			syslog(LOG_WARNING, "unknown option: %c", c);
+			goto out;
+			}
+		}
+	}
+
+	/* is there a key? */
+	if (argc <= optind) {
+		usage();
+		goto out;
+	}
+
+	/* get key and keyring values */
+	errno = 0;
+	key = strtol(argv[optind], NULL, 10);
+	if (errno != 0) {
+		key = 0;
+		syslog(LOG_WARNING, "Invalid key format: %s", strerror(errno));
+		goto out;
+	}
+
+	rc = keyctl_describe_alloc(key, &buf);
+	if (rc == -1) {
+		syslog(LOG_WARNING, "keyctl_describe_alloc failed: %s",
+		       strerror(errno));
+		rc = 1;
+		goto out;
+	}
+
+	if ((strncmp(buf, "cifs.resolver", sizeof("cifs.resolver")-1) == 0) ||
+	    (strncmp(buf, "dns_resolver", sizeof("dns_resolver")-1) == 0)) {
+		rc = cifs_resolver(key, buf);
+		goto out;
+	}
+
+	rc = decode_key_description(buf, &kernel_upcall_version, &sectype,
+				    &hostname, &uid);
+	if ((rc & DKD_MUSTHAVE_SET) != DKD_MUSTHAVE_SET) {
+		syslog(LOG_WARNING,
+		       "unable to get from description necessary params");
+		rc = 1;
+		SAFE_FREE(buf);
+		goto out;
+	}
+	SAFE_FREE(buf);
+
+	if (kernel_upcall_version > CIFS_SPNEGO_UPCALL_VERSION) {
+		syslog(LOG_WARNING,
+		       "incompatible kernel upcall version: 0x%x",
+		       kernel_upcall_version);
+		rc = 1;
+		goto out;
+	}
+
+	if (rc & DKD_HAVE_UID) {
+		rc = setuid(uid);
+		if (rc == -1) {
+			syslog(LOG_WARNING, "setuid: %s", strerror(errno));


-- 
Samba Shared Repository

