[SCM] Samba Shared Repository - branch master updated - 04edf11bee9f248241c46ce809870163a16d3ba0

Andrew Bartlett abartlet at samba.org
Tue Sep 30 05:54:30 GMT 2008


The branch, master has been updated
       via  04edf11bee9f248241c46ce809870163a16d3ba0 (commit)
       via  64195b72be6c251412500984c2a5c103e376d3c6 (commit)
       via  15b686198120cca0aaa305edc0a5e3242b4fa869 (commit)
       via  6ad78f01a5982666c83025a94ce4ff3729d5db6f (commit)
       via  8dd35fabbb4732cf601a93abbe0373fd53e661a1 (commit)
      from  45645426c2ae541fc2c3a112cde5a7f1d857938b (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 04edf11bee9f248241c46ce809870163a16d3ba0
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Sep 29 22:34:30 2008 -0700

    Rework to match new trustDomainPasswords IDL

commit 64195b72be6c251412500984c2a5c103e376d3c6
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Sep 29 21:36:21 2008 -0700

    Fix parsing of the trust passwords in LSA CreateTrustedDomainEx*

commit 15b686198120cca0aaa305edc0a5e3242b4fa869
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Sep 24 12:53:40 2008 -0700

    Use the new 'samba4' name for our internal hdb plugin.

commit 6ad78f01a5982666c83025a94ce4ff3729d5db6f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Sep 24 12:53:10 2008 -0700

    Rename hdb_ldb to hdb_samba4 and load as a plugin into the kdc.
    
    This avoids one more custom patch to the Heimdal code, and provides a
    more standard way to produce hdb plugins in future.
    
    I've renamed from hdb_ldb to hdb_samba4 as it really is not generic
    ldb.
    
    Andrew Bartlett

commit 8dd35fabbb4732cf601a93abbe0373fd53e661a1
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Sep 24 11:20:45 2008 -0700

    NetApp found that we never set the smb signing flags2.
    
    This was found during testing at the CIFS plugfest.
    
    No other client seems to honour or use this bit, but it is quite
    legitimately required by the spec.
    
    Andrew Bartlett

-----------------------------------------------------------------------

Summary of changes:
 source4/heimdal/lib/hdb/hdb.c       |   42 +-
 source4/heimdal/lib/hdb/hdb.h       |    6 +
 source4/kdc/config.mk               |    8 +-
 source4/kdc/hdb-ldb.c               | 1550 -----------------------------------
 source4/kdc/hdb-samba4.c            | 1550 +++++++++++++++++++++++++++++++++++
 source4/kdc/kdc.c                   |   17 +-
 source4/libcli/config.mk            |    8 -
 source4/libcli/drsblobs.c           |  179 ----
 source4/librpc/config.mk            |    4 +-
 source4/librpc/idl/drsblobs.idl     |   25 +-
 source4/librpc/ndr/ndr_drsblobs.c   |  213 +++++
 source4/rpc_server/lsa/dcesrv_lsa.c |   18 +-
 source4/setup/secrets_dc.ldif       |    2 +-
 source4/smb_server/smb/request.c    |    4 +
 source4/torture/rpc/lsa.c           |    6 +-
 15 files changed, 1853 insertions(+), 1779 deletions(-)
 delete mode 100644 source4/kdc/hdb-ldb.c
 create mode 100644 source4/kdc/hdb-samba4.c
 delete mode 100644 source4/libcli/drsblobs.c
 create mode 100644 source4/librpc/ndr/ndr_drsblobs.c


Changeset truncated at 500 lines:

diff --git a/source4/heimdal/lib/hdb/hdb.c b/source4/heimdal/lib/hdb/hdb.c
index 3fddabb..19c1707 100644
--- a/source4/heimdal/lib/hdb/hdb.c
+++ b/source4/heimdal/lib/hdb/hdb.c
@@ -31,34 +31,27 @@
  * SUCH DAMAGE. 
  */
 
+#include "krb5.h"
+#include "krb5_locl.h"
 #include "hdb_locl.h"
-
 RCSID("$Id$");
 
 #ifdef HAVE_DLFCN_H
 #include <dlfcn.h>
 #endif
 
-struct hdb_method {
-    const char *prefix;
-    krb5_error_code (*create)(krb5_context, HDB **, const char *filename);
-};
-
 static struct hdb_method methods[] = {
 #if HAVE_DB1 || HAVE_DB3
-    {"db:",	hdb_db_create},
+    {HDB_INTERFACE_VERSION, "db:",	hdb_db_create},
 #endif
 #if HAVE_NDBM
-    {"ndbm:",	hdb_ndbm_create},
+    {HDB_INTERFACE_VERSION, "ndbm:",	hdb_ndbm_create},
 #endif
 #if defined(OPENLDAP) && !defined(OPENLDAP_MODULE)
-    {"ldap:",	hdb_ldap_create},
-    {"ldapi:",	hdb_ldapi_create},
-#endif
-#ifdef HAVE_LDB /* Used for integrated samba build */
-    {"ldb:",	hdb_ldb_create},
+    {HDB_INTERFACE_VERSION, "ldap:",	hdb_ldap_create},
+    {HDB_INTERFACE_VERSION, "ldapi:",	hdb_ldapi_create},
 #endif
-    {NULL,	NULL}
+    {0, NULL,	NULL}
 };
 
 #if HAVE_DB1 || HAVE_DB3
@@ -398,11 +391,32 @@ hdb_create(krb5_context context, HDB **db, const char *filename)
 {
     const struct hdb_method *h;
     const char *residual;
+    krb5_error_code ret;
+    struct krb5_plugin *list = NULL, *e;
 
     if(filename == NULL)
 	filename = HDB_DEFAULT_DB;
     krb5_add_et_list(context, initialize_hdb_error_table_r);
     h = find_method (filename, &residual);
+
+    if (h == NULL) {
+	    ret = _krb5_plugin_find(context, PLUGIN_TYPE_DATA, "hdb", &list);
+	    if(ret == 0 && list != NULL) {
+		    for (e = list; e != NULL; e = _krb5_plugin_get_next(e)) {
+			    h = _krb5_plugin_get_symbol(e);
+			    if (strncmp (filename, h->prefix, strlen(h->prefix)) == 0
+				&& h->interface_version == HDB_INTERFACE_VERSION) {
+				    residual = filename + strlen(h->prefix);
+				    break;
+			    }
+		    }
+		    if (e == NULL) {
+			    h = NULL;
+			    _krb5_plugin_free(list);
+		    }
+	    }
+    }
+
 #ifdef HAVE_DLOPEN
     if (h == NULL)
 	h = find_dynamic_method (context, filename, &residual);
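Review bot: The plugin loop dereferences `h->prefix` inside strncmp() at the line after `h = _krb5_plugin_get_symbol(e);` before it has checked `h` for NULL or compared `h->interface_version`, so a plugin that exports no symbol, or one built against a different `struct hdb_method` layout, is read through the wrong layout before the version guard can reject it. Since `interface_version` is the first member of the struct, test it first: `if (h != NULL && h->interface_version == HDB_INTERFACE_VERSION && strncmp(filename, h->prefix, strlen(h->prefix)) == 0) {`. On the matching path `list` is never passed to `_krb5_plugin_free()`; presumably it must stay allocated because `h` points into the loaded module, but that deserves a comment such as `/* keep list alive: h points into the loaded plugin */` so it is not mistaken for a leak. hdb_create's body continues past the end of the hunk.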
diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h
index bc1b744..5c2097e 100644
--- a/source4/heimdal/lib/hdb/hdb.h
+++ b/source4/heimdal/lib/hdb/hdb.h
@@ -139,6 +139,12 @@ typedef krb5_error_code (*hdb_foreach_func_t)(krb5_context, HDB*,
 					      hdb_entry_ex*, void*);
 extern krb5_kt_ops hdb_kt_ops;
 
+struct hdb_method {
+    int	interface_version;
+    const char *prefix;
+    krb5_error_code (*create)(krb5_context, HDB **, const char *filename);
+};
+
 #include <hdb-protos.h>
 
 #endif /* __HDB_H__ */
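Review bot: `struct hdb_method` now becomes the contract that out-of-tree hdb plugins compile against, but the new declaration carries no comment saying so, nor that `interface_version` must remain the first member and be set to `HDB_INTERFACE_VERSION` (used in hdb.c; its definition is not in these hunks). A short comment above the struct would protect the layout, e.g. `/* Exported to hdb plugins. interface_version must stay the first member and equal HDB_INTERFACE_VERSION so hdb_create() can reject mismatched plugins before trusting prefix/create. */`.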
diff --git a/source4/kdc/config.mk b/source4/kdc/config.mk
index b3e5bfd..dfd2879 100644
--- a/source4/kdc/config.mk
+++ b/source4/kdc/config.mk
@@ -6,7 +6,7 @@
 INIT_FUNCTION = server_service_kdc_init
 SUBSYSTEM = samba
 PRIVATE_DEPENDENCIES = \
-		HEIMDAL_KDC HDB_LDB
+		HEIMDAL_KDC HDB_SAMBA4
 # End SUBSYSTEM KDC
 #######################
 
@@ -14,7 +14,7 @@ KDC_OBJ_FILES = $(addprefix $(kdcsrcdir)/, kdc.o kpasswdd.o)
 
 #######################
 # Start SUBSYSTEM KDC
-[SUBSYSTEM::HDB_LDB]
+[SUBSYSTEM::HDB_SAMBA4]
 CFLAGS = -Iheimdal/kdc -Iheimdal/lib/hdb
 PRIVATE_DEPENDENCIES = \
 		LIBLDB auth_sam auth_sam_reply CREDENTIALS \
@@ -22,5 +22,5 @@ PRIVATE_DEPENDENCIES = \
 # End SUBSYSTEM KDC
 #######################
 
-HDB_LDB_OBJ_FILES = $(addprefix $(kdcsrcdir)/, hdb-ldb.o pac-glue.o)
-$(eval $(call proto_header_template,$(kdcsrcdir)/pac_glue.h,$(HDB_LDB_OBJ_FILES:.o=.c)))
+HDB_SAMBA4_OBJ_FILES = $(addprefix $(kdcsrcdir)/, hdb-samba4.o pac-glue.o)
+$(eval $(call proto_header_template,$(kdcsrcdir)/pac_glue.h,$(HDB_SAMBA4_OBJ_FILES:.o=.c)))
diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c
deleted file mode 100644
index 4fde75c..0000000
--- a/source4/kdc/hdb-ldb.c
+++ /dev/null
@@ -1,1550 +0,0 @@
-/*
- * Copyright (c) 1999-2001, 2003, PADL Software Pty Ltd.
- * Copyright (c) 2004, Andrew Bartlett <abartlet at samba.org>.
- * Copyright (c) 2004, Stefan Metzmacher <metze at samba.org>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of PADL Software  nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "includes.h"
-#include "system/time.h"
-#include "dsdb/common/flags.h"
-#include "lib/ldb/include/ldb.h"
-#include "lib/ldb/include/ldb_errors.h"
-#include "librpc/gen_ndr/netlogon.h"
-#include "auth/auth.h"
-#include "auth/credentials/credentials.h"
-#include "auth/auth_sam.h"
-#include "util/util_ldb.h"
-#include "dsdb/samdb/samdb.h"
-#include "librpc/ndr/libndr.h"
-#include "librpc/gen_ndr/ndr_drsblobs.h"
-#include "librpc/gen_ndr/lsa.h"
-#include "libcli/auth/libcli_auth.h"
-#include "param/param.h"
-#include "events/events.h"
-#include "kdc/kdc.h"
-#include "../lib/crypto/md4.h"
-
-enum hdb_ldb_ent_type 
-{ HDB_LDB_ENT_TYPE_CLIENT, HDB_LDB_ENT_TYPE_SERVER, 
-  HDB_LDB_ENT_TYPE_KRBTGT, HDB_LDB_ENT_TYPE_TRUST, HDB_LDB_ENT_TYPE_ANY };
-
-enum trust_direction {
-	UNKNOWN = 0,
-	INBOUND = LSA_TRUST_DIRECTION_INBOUND, 
-	OUTBOUND = LSA_TRUST_DIRECTION_OUTBOUND
-};
-
-static const char *realm_ref_attrs[] = {
-	"nCName", 
-	"dnsRoot", 
-	NULL
-};
-
-static const char *trust_attrs[] = {
-	"trustPartner",
-	"trustAuthIncoming",
-	"trustAuthOutgoing",
-	"whenCreated",
-	"msDS-SupportedEncryptionTypes",
-	"trustAttributes",
-	"trustDirection",
-	"trustType",
-	NULL
-};
-
-static KerberosTime ldb_msg_find_krb5time_ldap_time(struct ldb_message *msg, const char *attr, KerberosTime default_val)
-{
-    const char *tmp;
-    const char *gentime;
-    struct tm tm;
-
-    gentime = ldb_msg_find_attr_as_string(msg, attr, NULL);
-    if (!gentime)
-	return default_val;
-
-    tmp = strptime(gentime, "%Y%m%d%H%M%SZ", &tm);
-    if (tmp == NULL) {
-	    return default_val;
-    }
-
-    return timegm(&tm);
-}
-
-static HDBFlags uf2HDBFlags(krb5_context context, int userAccountControl, enum hdb_ldb_ent_type ent_type) 
-{
-	HDBFlags flags = int2HDBFlags(0);
-
-	/* we don't allow kadmin deletes */
-	flags.immutable = 1;
-
-	/* mark the principal as invalid to start with */
-	flags.invalid = 1;
-
-	flags.renewable = 1;
-
-	/* All accounts are servers, but this may be disabled again in the caller */
-	flags.server = 1;
-
-	/* Account types - clear the invalid bit if it turns out to be valid */
-	if (userAccountControl & UF_NORMAL_ACCOUNT) {
-		if (ent_type == HDB_LDB_ENT_TYPE_CLIENT || ent_type == HDB_LDB_ENT_TYPE_ANY) {
-			flags.client = 1;
-		}
-		flags.invalid = 0;
-	}
-	
-	if (userAccountControl & UF_INTERDOMAIN_TRUST_ACCOUNT) {
-		if (ent_type == HDB_LDB_ENT_TYPE_CLIENT || ent_type == HDB_LDB_ENT_TYPE_ANY) {
-			flags.client = 1;
-		}
-		flags.invalid = 0;
-	}
-	if (userAccountControl & UF_WORKSTATION_TRUST_ACCOUNT) {
-		if (ent_type == HDB_LDB_ENT_TYPE_CLIENT || ent_type == HDB_LDB_ENT_TYPE_ANY) {
-			flags.client = 1;
-		}
-		flags.invalid = 0;
-	}
-	if (userAccountControl & UF_SERVER_TRUST_ACCOUNT) {
-		if (ent_type == HDB_LDB_ENT_TYPE_CLIENT || ent_type == HDB_LDB_ENT_TYPE_ANY) {
-			flags.client = 1;
-		}
-		flags.invalid = 0;
-	}
-
-	/* Not permitted to act as a client if disabled */
-	if (userAccountControl & UF_ACCOUNTDISABLE) {
-		flags.client = 0;
-	}
-	if (userAccountControl & UF_LOCKOUT) {
-		flags.invalid = 1;
-	}
-/*
-	if (userAccountControl & UF_PASSWORD_NOTREQD) {
-		flags.invalid = 1;
-	}
-*/
-/*
-	UF_PASSWORD_CANT_CHANGE and UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED are irrelevent
-*/
-	if (userAccountControl & UF_TEMP_DUPLICATE_ACCOUNT) {
-		flags.invalid = 1;
-	}
-
-/* UF_DONT_EXPIRE_PASSWD and UF_USE_DES_KEY_ONLY handled in LDB_message2entry() */
-
-/*
-	if (userAccountControl & UF_MNS_LOGON_ACCOUNT) {
-		flags.invalid = 1;
-	}
-*/
-	if (userAccountControl & UF_SMARTCARD_REQUIRED) {
-		flags.require_hwauth = 1;
-	}
-	if (userAccountControl & UF_TRUSTED_FOR_DELEGATION) {
-		flags.ok_as_delegate = 1;
-	}	
-	if (!(userAccountControl & UF_NOT_DELEGATED)) {
-		flags.forwardable = 1;
-		flags.proxiable = 1;
-	}
-
-	if (userAccountControl & UF_DONT_REQUIRE_PREAUTH) {
-		flags.require_preauth = 0;
-	} else {
-		flags.require_preauth = 1;
-
-	}
-	return flags;
-}
-
-static int hdb_ldb_destructor(struct hdb_ldb_private *private)
-{
-    hdb_entry_ex *entry_ex = private->entry_ex;
-    free_hdb_entry(&entry_ex->entry);
-    return 0;
-}
-
-static void hdb_ldb_free_entry(krb5_context context, hdb_entry_ex *entry_ex)
-{
-	talloc_free(entry_ex->ctx);
-}
-
-static krb5_error_code LDB_message2entry_keys(krb5_context context,
-					      struct smb_iconv_convenience *iconv_convenience,
-					      TALLOC_CTX *mem_ctx,
-					      struct ldb_message *msg,
-					      unsigned int userAccountControl,
-					      hdb_entry_ex *entry_ex)
-{
-	krb5_error_code ret = 0;
-	enum ndr_err_code ndr_err;
-	struct samr_Password *hash;
-	const struct ldb_val *sc_val;
-	struct supplementalCredentialsBlob scb;
-	struct supplementalCredentialsPackage *scpk = NULL;
-	bool newer_keys = false;
-	struct package_PrimaryKerberosBlob _pkb;
-	struct package_PrimaryKerberosCtr3 *pkb3 = NULL;
-	struct package_PrimaryKerberosCtr4 *pkb4 = NULL;
-	uint32_t i;
-	uint32_t allocated_keys = 0;
-
-	entry_ex->entry.keys.val = NULL;
-	entry_ex->entry.keys.len = 0;
-
-	entry_ex->entry.kvno = ldb_msg_find_attr_as_int(msg, "msDS-KeyVersionNumber", 0);
-
-	/* Get keys from the db */
-
-	hash = samdb_result_hash(mem_ctx, msg, "unicodePwd");
-	sc_val = ldb_msg_find_ldb_val(msg, "supplementalCredentials");
-
-	/* unicodePwd for enctype 0x17 (23) if present */
-	if (hash) {
-		allocated_keys++;
-	}
-
-	/* supplementalCredentials if present */
-	if (sc_val) {
-		ndr_err = ndr_pull_struct_blob_all(sc_val, mem_ctx, iconv_convenience, &scb,
-						   (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
-		if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-			dump_data(0, sc_val->data, sc_val->length);
-			ret = EINVAL;
-			goto out;
-		}
-
-		if (scb.sub.signature != SUPPLEMENTAL_CREDENTIALS_SIGNATURE) {
-			NDR_PRINT_DEBUG(supplementalCredentialsBlob, &scb);
-			ret = EINVAL;
-			goto out;
-		}
-
-		for (i=0; i < scb.sub.num_packages; i++) {
-			if (strcmp("Primary:Kerberos-Newer-Keys", scb.sub.packages[i].name) == 0) {
-				scpk = &scb.sub.packages[i];
-				if (!scpk->data || !scpk->data[0]) {
-					scpk = NULL;
-					continue;
-				}
-				newer_keys = true;
-				break;
-			} else if (strcmp("Primary:Kerberos", scb.sub.packages[i].name) == 0) {
-				scpk = &scb.sub.packages[i];
-				if (!scpk->data || !scpk->data[0]) {
-					scpk = NULL;
-				}
-				/*
-				 * we don't break here in hope to find
-				 * a Kerberos-Newer-Keys package
-				 */
-			}
-		}
-	}
-	/*
-	 * Primary:Kerberos-Newer-Keys or Primary:Kerberos element
-	 * of supplementalCredentials
-	 */
-	if (scpk) {
-		DATA_BLOB blob;
-
-		blob = strhex_to_data_blob(scpk->data);
-		if (!blob.data) {
-			ret = ENOMEM;
-			goto out;
-		}
-		talloc_steal(mem_ctx, blob.data);
-
-		/* we cannot use ndr_pull_struct_blob_all() here, as w2k and w2k3 add padding bytes */
-		ndr_err = ndr_pull_struct_blob(&blob, mem_ctx, iconv_convenience, &_pkb,
-					       (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
-		if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-			krb5_set_error_string(context, "LDB_message2entry_keys: could not parse package_PrimaryKerberosBlob");
-			krb5_warnx(context, "LDB_message2entry_keys: could not parse package_PrimaryKerberosBlob");
-			ret = EINVAL;
-			goto out;
-		}
-
-		if (newer_keys && _pkb.version != 4) {
-			krb5_set_error_string(context, "LDB_message2entry_keys: Primary:Kerberos-Newer-Keys not version 4");
-			krb5_warnx(context, "LDB_message2entry_keys: Primary:Kerberos-Newer-Keys not version 4");
-			ret = EINVAL;
-			goto out;
-		}
-
-		if (!newer_keys && _pkb.version != 3) {
-			krb5_set_error_string(context, "LDB_message2entry_keys: could not parse Primary:Kerberos not version 3");
-			krb5_warnx(context, "LDB_message2entry_keys: could not parse Primary:Kerberos not version 3");
-			ret = EINVAL;
-			goto out;
-		}
-
-		if (_pkb.version == 4) {
-			pkb4 = &_pkb.ctr.ctr4;
-			allocated_keys += pkb4->num_keys;
-		} else if (_pkb.version == 3) {
-			pkb3 = &_pkb.ctr.ctr3;
-			allocated_keys += pkb3->num_keys;
-		}
-	}
-
-	if (allocated_keys == 0) {
-		/* oh, no password.  Apparently (comment in
-		 * hdb-ldap.c) this violates the ASN.1, but this
-		 * allows an entry with no keys (yet). */
-		return 0;
-	}
-
-	/* allocate space to decode into */
-	entry_ex->entry.keys.len = 0;
-	entry_ex->entry.keys.val = calloc(allocated_keys, sizeof(Key));
-	if (entry_ex->entry.keys.val == NULL) {
-		ret = ENOMEM;
-		goto out;
-	}
-
-	if (hash && !(userAccountControl & UF_USE_DES_KEY_ONLY)) {
-		Key key;
-
-		key.mkvno = 0;
-		key.salt = NULL; /* No salt for this enc type */
-
-		ret = krb5_keyblock_init(context,
-					 ENCTYPE_ARCFOUR_HMAC_MD5,
-					 hash->hash, sizeof(hash->hash), 
-					 &key.key);
-		if (ret) {
-			goto out;
-		}
-
-		entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
-		entry_ex->entry.keys.len++;
-	}
-
-	if (pkb4) {
-		for (i=0; i < pkb4->num_keys; i++) {
-			bool use = true;
-			Key key;
-
-			if (!pkb4->keys[i].value) continue;
-
-			if (userAccountControl & UF_USE_DES_KEY_ONLY) {
-				switch (pkb4->keys[i].keytype) {
-				case ENCTYPE_DES_CBC_CRC:
-				case ENCTYPE_DES_CBC_MD5:
-					break;
-				default:
-					use = false;
-					break;
-				}


-- 
Samba Shared Repository

