[SCM] Samba Shared Repository - branch master updated
Günther Deschner
gd at samba.org
Fri Nov 6 04:45:55 MST 2009
The branch, master has been updated
via 58184b5... s3-net: allow to call "net ads kerberos pac <impersonation principal> -P".
via 5e26622... s3-kerberos: add impersonate_principal for kerberos_return_pac_X calls.
via 4ffbfc4... s3-kerberos: add smb_krb5_get_tkt_from_creds().
via bb75f71... s3-kerberos: fix some build warnings when building against heimdal.
via 35dcc13... s3-kerberos: add smb_krb5_get_{creds,credentials} incl. support for S4U2SELF impersonation.
via 0729df3... s3-kerberos: remove duplicate prototype.
via 17ef153... s3-kerberos: add smb_krb5_parse_name_flags().
via 2cd507f... s3-kerberos: add configure checks for krb5_get_creds_X api.
from c99dd5c... Got the logic simplification worked out so we still pass BASE-DELAYWRITE and also RAW-CLOSE. Jeremy.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 58184b5fd4e95bc7ad2179237808126411509eea
Author: Günther Deschner <gd at samba.org>
Date: Mon Oct 13 17:28:39 2008 +0200
s3-net: allow to call "net ads kerberos pac <impersonation principal> -P".
Guenther
commit 5e266225108aa3335476cbe1214cc0f484c4fd02
Author: Günther Deschner <gd at samba.org>
Date: Mon Oct 13 17:27:21 2008 +0200
s3-kerberos: add impersonate_principal for kerberos_return_pac_X calls.
Guenther
commit 4ffbfc4475c92b9190811bd189802ff265aa6846
Author: Günther Deschner <gd at samba.org>
Date: Mon Oct 13 17:25:35 2008 +0200
s3-kerberos: add smb_krb5_get_tkt_from_creds().
Guenther
commit bb75f713d628073c503b06a3d217195aa95d72b2
Author: Günther Deschner <gd at samba.org>
Date: Fri Nov 6 10:25:53 2009 +0100
s3-kerberos: fix some build warnings when building against heimdal.
Guenther
commit 35dcc133c9c26d10186fe59ea096a2a5c87958e6
Author: Günther Deschner <gd at samba.org>
Date: Mon Oct 13 17:22:37 2008 +0200
s3-kerberos: add smb_krb5_get_{creds,credentials} incl. support for S4U2SELF impersonation.
Guenther
commit 0729df3661fefeffc5154c9b01ae027b3ede4b92
Author: Günther Deschner <gd at samba.org>
Date: Mon Oct 13 17:27:43 2008 +0200
s3-kerberos: remove duplicate prototype.
Guenther
commit 17ef153b68795fec681f9ce17c198236aba2b1c2
Author: Günther Deschner <gd at samba.org>
Date: Thu Nov 5 19:02:55 2009 +0100
s3-kerberos: add smb_krb5_parse_name_flags().
Guenther
commit 2cd507fe144c58a4c856c73ec56b80365dad9f23
Author: Günther Deschner <gd at samba.org>
Date: Mon Oct 13 17:21:22 2008 +0200
s3-kerberos: add configure checks for krb5_get_creds_X api.
Guenther
-----------------------------------------------------------------------
Summary of changes:
source3/configure.in | 6 +
source3/include/includes.h | 17 ++-
source3/include/proto.h | 6 +-
source3/libads/authdata.c | 66 +++++++++-
source3/libads/kerberos.c | 4 +-
source3/libsmb/clikrb5.c | 289 ++++++++++++++++++++++++++++++++++++++-
source3/utils/net_ads.c | 8 +-
source3/winbindd/winbindd_pam.c | 1 +
8 files changed, 386 insertions(+), 11 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/configure.in b/source3/configure.in
index 715f159..aab8c01 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -3438,6 +3438,12 @@ if test x"$with_ads_support" != x"no"; then
AC_CHECK_FUNC_EXT(krb5_enctype_to_string, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_fwd_tgt_creds, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_auth_con_set_req_cksumtype, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_get_creds_opt_alloc, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_get_creds_opt_set_impersonate, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_get_creds, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_get_credentials_for_user, $KRB5_LIBS)
+ # MIT krb5 1.8 does not expose this call (yet)
+ AC_CHECK_DECLS(krb5_get_credentials_for_user, [], [], [#include <krb5.h>])
# MIT krb5 1.7beta3 (in Ubuntu Karmic) does not have this declaration
# but does have the symbol
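Review bot: The three Heimdal-side checks added here (krb5_get_creds_opt_alloc, krb5_get_creds_opt_set_impersonate, krb5_get_creds) are consumed inconsistently in clikrb5.c: the definition of smb_krb5_get_credentials_for_user_opt is wrapped in `#if defined(HAVE_KRB5_GET_CREDS_OPT_SET_IMPERSONATE) && defined(HAVE_KRB5_GET_CREDS_OPT_ALLOC) && defined(HAVE_KRB5_GET_CREDS)`, while the call site in smb_krb5_get_credentials tests only `#ifdef HAVE_KRB5_GET_CREDS_OPT_SET_IMPERSONATE`. A library that defines the first macro but not both of the others would produce an undeclared-function error at the call site. Either derive one combined macro here once all three checks have passed, or make the call site test the same three macros as the definition. Note that krb5_get_creds_opt_add_options is also called in that helper without a corresponding check in this hunk.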
diff --git a/source3/include/includes.h b/source3/include/includes.h
index b3446cb..559bc3d 100644
--- a/source3/include/includes.h
+++ b/source3/include/includes.h
@@ -952,7 +952,10 @@ char *talloc_asprintf_strupper_m(TALLOC_CTX *t, const char *fmt, ...) PRINTF_ATT
krb5_error_code smb_krb5_parse_name(krb5_context context,
const char *name, /* in unix charset */
krb5_principal *principal);
-
+krb5_error_code smb_krb5_parse_name_flags(krb5_context context,
+ const char *name, /* in unix charset */
+ int flags,
+ krb5_principal *principal);
krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
krb5_context context,
krb5_const_principal principal,
@@ -1072,7 +1075,17 @@ int smb_krb5_kt_add_entry_ext(krb5_context context,
krb5_data password,
bool no_salt,
bool keep_old_entries);
-
+krb5_error_code smb_krb5_get_credentials(krb5_context context,
+ krb5_ccache ccache,
+ krb5_principal me,
+ krb5_principal server,
+ krb5_principal impersonate_princ,
+ krb5_creds **out_creds);
+krb5_error_code smb_krb5_get_creds(const char *server_s,
+ time_t time_offset,
+ const char *cc,
+ const char *impersonate_princ_s,
+ krb5_creds **creds_p);
#endif /* HAVE_KRB5 */
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 785b968..0dbc1c7 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1707,6 +1707,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
bool request_pac,
bool add_netbios_addr,
time_t renewable_time,
+ const char *impersonate_princ_s,
struct PAC_DATA **pac_ret);
NTSTATUS kerberos_return_info3_from_pac(TALLOC_CTX *mem_ctx,
const char *name,
@@ -1718,6 +1719,7 @@ NTSTATUS kerberos_return_info3_from_pac(TALLOC_CTX *mem_ctx,
bool request_pac,
bool add_netbios_addr,
time_t renewable_time,
+ const char *impersonate_princ_s,
struct netr_SamInfo3 **info3);
/* The following definitions come from libads/cldap.c */
@@ -2718,10 +2720,6 @@ bool unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx,
DATA_BLOB *edata,
DATA_BLOB *edata_out);
bool unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_pac_data);
-int cli_krb5_get_ticket(const char *principal, time_t time_offset,
- DATA_BLOB *ticket, DATA_BLOB *session_key_krb5,
- uint32 extra_ap_opts, const char *ccname,
- time_t *tgs_expire);
/* The following definitions come from libsmb/clilist.c */
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index 0032e9e..8a6a351 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -335,6 +335,46 @@ struct PAC_LOGON_INFO *get_logon_info_from_pac(struct PAC_DATA *pac_data)
return NULL;
}
+static krb5_error_code smb_krb5_get_tkt_from_creds(krb5_creds *creds,
+ DATA_BLOB *tkt)
+{
+ krb5_error_code ret;
+ krb5_context context;
+ krb5_auth_context auth_context = NULL;
+ krb5_data inbuf, outbuf;
+
+ ret = krb5_init_context(&context);
+ if (ret) {
+ return ret;
+ }
+
+ ret = krb5_auth_con_init(context, &auth_context);
+ if (ret) {
+ goto done;
+ }
+
+ ZERO_STRUCT(inbuf);
+
+ ret = krb5_mk_req_extended(context, &auth_context, AP_OPTS_USE_SUBKEY,
+ &inbuf, creds, &outbuf);
+ if (ret) {
+ goto done;
+ }
+
+ *tkt = data_blob(outbuf.data, outbuf.length);
+ done:
+ if (!context) {
+ return ret;
+ }
+ krb5_free_data_contents(context, &outbuf);
+ if (auth_context) {
+ krb5_auth_con_free(context, auth_context);
+ }
+ krb5_free_context(context);
+
+ return ret;
+}
+
/****************************************************************
****************************************************************/
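Review bot: `outbuf` in smb_krb5_get_tkt_from_creds is never initialized before the first `goto done`, so when krb5_auth_con_init fails the cleanup calls `krb5_free_data_contents(context, &outbuf)` on indeterminate memory; add `ZERO_STRUCT(outbuf);` next to the existing `ZERO_STRUCT(inbuf);` and hoist both above the krb5_auth_con_init call. The `if (!context)` test at done: is dead, since the function already returned when krb5_init_context failed. The result of `data_blob(outbuf.data, outbuf.length)` is also not checked, so an allocation failure hands the caller an empty ticket with ret == 0. The same early-goto-before-initialization pattern appears in clikrb5.c's smb_krb5_get_credentials_for_user_opt, where `if (opt)` at done: reads `opt` after a failed krb5_get_creds_opt_alloc; declaring it as `krb5_get_creds_opt opt = NULL;` closes that one.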
@@ -348,6 +388,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
bool request_pac,
bool add_netbios_addr,
time_t renewable_time,
+ const char *impersonate_princ_s,
struct PAC_DATA **pac_ret)
{
krb5_error_code ret;
@@ -358,6 +399,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
const char *auth_princ = NULL;
const char *local_service = NULL;
const char *cc = "MEMORY:kerberos_return_pac";
+ krb5_creds *creds = NULL;
ZERO_STRUCT(tkt);
ZERO_STRUCT(ap_rep);
@@ -420,8 +462,26 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
(*expire_time == 0) && (*renew_till_time == 0)) {
return NT_STATUS_INVALID_LOGON_TYPE;
}
+#if 1
+ ret = smb_krb5_get_creds(local_service,
+ time_offset,
+ cc,
+ impersonate_princ_s,
+ &creds);
+ if (ret) {
+ DEBUG(1,("failed to get credentials for %s: %s\n",
+ local_service, error_message(ret)));
+ status = krb5_to_nt_status(ret);
+ goto out;
+ }
+ ret = smb_krb5_get_tkt_from_creds(creds, &tkt);
+ if (ret) {
+ status = krb5_to_nt_status(ret);
+ goto out;
+ }
+#else
ret = cli_krb5_get_ticket(local_service,
time_offset,
&tkt,
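Review bot: The `#if 1 … #else … #endif` keeps the old cli_krb5_get_ticket call as dead code, and this same changeset removes its prototype from proto.h, so the `#else` branch can no longer compile if the switch is ever flipped; drop the fallback instead of carrying an unbuildable one. The `creds` obtained from smb_krb5_get_creds is not released anywhere in this hunk, and kerberos_return_pac's `out:` label lies outside it; unless that label calls krb5_free_creds on it, the credentials leak on every call (note the callee frees its own krb5_context, so the caller needs one of its own to release them). The body of kerberos_return_pac starts and ends outside this hunk.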
@@ -435,7 +495,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
status = krb5_to_nt_status(ret);
goto out;
}
-
+#endif
status = ads_verify_ticket(mem_ctx,
lp_realm(),
time_offset,
@@ -487,6 +547,7 @@ static NTSTATUS kerberos_return_pac_logon_info(TALLOC_CTX *mem_ctx,
bool request_pac,
bool add_netbios_addr,
time_t renewable_time,
+ const char *impersonate_princ_s,
struct PAC_LOGON_INFO **logon_info)
{
NTSTATUS status;
@@ -503,6 +564,7 @@ static NTSTATUS kerberos_return_pac_logon_info(TALLOC_CTX *mem_ctx,
request_pac,
add_netbios_addr,
renewable_time,
+ impersonate_princ_s,
&pac_data);
if (!NT_STATUS_IS_OK(status)) {
return status;
@@ -537,6 +599,7 @@ NTSTATUS kerberos_return_info3_from_pac(TALLOC_CTX *mem_ctx,
bool request_pac,
bool add_netbios_addr,
time_t renewable_time,
+ const char *impersonate_princ_s,
struct netr_SamInfo3 **info3)
{
NTSTATUS status;
@@ -552,6 +615,7 @@ NTSTATUS kerberos_return_info3_from_pac(TALLOC_CTX *mem_ctx,
request_pac,
add_netbios_addr,
renewable_time,
+ impersonate_princ_s,
&logon_info);
if (!NT_STATUS_IS_OK(status)) {
return status;
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index c1e6c4a..89357b0 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -46,9 +46,9 @@ kerb_prompter(krb5_context ctx, void *data,
memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
if (prompts[0].reply->length > 0) {
if (data) {
- strncpy(prompts[0].reply->data, (const char *)data,
+ strncpy((char *)prompts[0].reply->data, (const char *)data,
prompts[0].reply->length-1);
- prompts[0].reply->length = strlen(prompts[0].reply->data);
+ prompts[0].reply->length = strlen((const char *)prompts[0].reply->data);
} else {
prompts[0].reply->length = 0;
}
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index 145e30b..1778853 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -4,7 +4,7 @@
Copyright (C) Andrew Tridgell 2001
Copyright (C) Luke Howard 2002-2003
Copyright (C) Andrew Bartlett <abartlet at samba.org> 2005
- Copyright (C) Guenther Deschner 2005-2007
+ Copyright (C) Guenther Deschner 2005-2009
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -65,6 +65,24 @@ static krb5_error_code ads_krb5_get_fwd_ticket( krb5_context context,
return ret;
}
+krb5_error_code smb_krb5_parse_name_flags(krb5_context context,
+ const char *name, /* in unix charset */
+ int flags,
+ krb5_principal *principal)
+{
+ krb5_error_code ret;
+ char *utf8_name;
+ size_t converted_size;
+
+ if (!push_utf8_talloc(talloc_tos(), &utf8_name, name, &converted_size)) {
+ return ENOMEM;
+ }
+
+ ret = krb5_parse_name_flags(context, utf8_name, flags, principal);
+ TALLOC_FREE(utf8_name);
+ return ret;
+}
+
#ifdef HAVE_KRB5_PARSE_NAME_NOREALM
/**************************************************************
krb5_parse_name_norealm that takes a UNIX charset.
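Review bot: smb_krb5_parse_name_flags calls krb5_parse_name_flags with no configure guard, whereas the neighbouring `#ifdef HAVE_KRB5_PARSE_NAME_NOREALM` block shows how this file treats library calls that not every krb5 build provides; if any supported MIT or Heimdal release lacks the call the build breaks, so either add a check in the style of the existing one (e.g. a HAVE_KRB5_PARSE_NAME_FLAGS define) and wrap the function in it, or record in a comment that both libraries are known to provide it. The function also lacks the `/****…****/` header comment the surrounding helpers carry; suggest a block comment in that style stating that it is krb5_parse_name_flags taking a name in the UNIX charset, that `flags` is passed through unchanged, and that ENOMEM is returned when the UTF-8 conversion fails.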
@@ -1946,6 +1964,275 @@ krb5_error_code krb5_auth_con_set_req_cksumtype(
}
#endif
+#if defined(HAVE_KRB5_GET_CREDS_OPT_SET_IMPERSONATE) && \
+ defined(HAVE_KRB5_GET_CREDS_OPT_ALLOC) && \
+ defined(HAVE_KRB5_GET_CREDS)
+static krb5_error_code smb_krb5_get_credentials_for_user_opt(krb5_context context,
+ krb5_ccache ccache,
+ krb5_principal me,
+ krb5_principal server,
+ krb5_principal impersonate_princ,
+ krb5_creds **out_creds)
+{
+ krb5_error_code ret;
+ krb5_get_creds_opt opt;
+
+ ret = krb5_get_creds_opt_alloc(context, &opt);
+ if (ret) {
+ goto done;
+ }
+ krb5_get_creds_opt_add_options(context, opt, KRB5_GC_FORWARDABLE);
+
+ if (impersonate_princ) {
+ ret = krb5_get_creds_opt_set_impersonate(context, opt,
+ impersonate_princ);
+ if (ret) {
+ goto done;
+ }
+ }
+
+ ret = krb5_get_creds(context, opt, ccache, server, out_creds);
+ if (ret) {
+ goto done;
+ }
+
+ done:
+ if (opt) {
+ krb5_get_creds_opt_free(context, opt);
+ }
+ return ret;
+}
+#endif /* HAVE_KRB5_GET_CREDS_OPT_SET_IMPERSONATE */
+
+#ifdef HAVE_KRB5_GET_CREDENTIALS_FOR_USER
+static krb5_error_code smb_krb5_get_credentials_for_user(krb5_context context,
+ krb5_ccache ccache,
+ krb5_principal me,
+ krb5_principal server,
+ krb5_principal impersonate_princ,
+ krb5_creds **out_creds)
+{
+ krb5_error_code ret;
+ krb5_creds in_creds;
+
+#if !HAVE_DECL_KRB5_GET_CREDENTIALS_FOR_USER
+krb5_error_code KRB5_CALLCONV
+krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
+ krb5_ccache ccache, krb5_creds *in_creds,
+ krb5_data *subject_cert,
+ krb5_creds **out_creds);
+#endif /* !HAVE_DECL_KRB5_GET_CREDENTIALS_FOR_USER */
+
+ ZERO_STRUCT(in_creds);
+
+ if (impersonate_princ) {
+
+ in_creds.server = me;
+ in_creds.client = impersonate_princ;
+
+ ret = krb5_get_credentials_for_user(context,
+ 0, /* krb5_flags options */
+ ccache,
+ &in_creds,
+ NULL, /* krb5_data *subject_cert */
+ out_creds);
+ } else {
+ in_creds.client = me;
+ in_creds.server = server;
+
+ ret = krb5_get_credentials(context, 0, ccache,
+ &in_creds, out_creds);
+ }
+
+ return ret;
+}
+#endif /* HAVE_KRB5_GET_CREDENTIALS_FOR_USER */
+
+/*
+ * smb_krb5_get_credentials
+ *
+ * @brief Get krb5 credentials for a server
+ *
+ * @param[in] context An initialized krb5_context
+ * @param[in] ccache An initialized krb5_ccache
+ * @param[in] me The krb5_principal of the caller
+ * @param[in] server The krb5_principal of the requested service
+ * @param[in] impersonate_princ The krb5_principal of a user to impersonate as (optional)
+ * @param[out] out_creds The returned krb5_creds structure
+ * @return krb5_error_code
+ *
+ */
+krb5_error_code smb_krb5_get_credentials(krb5_context context,
+ krb5_ccache ccache,
+ krb5_principal me,
+ krb5_principal server,
+ krb5_principal impersonate_princ,
+ krb5_creds **out_creds)
+{
+ krb5_error_code ret;
+ krb5_creds *creds = NULL;
+
+ *out_creds = NULL;
+
+ if (impersonate_princ) {
+#ifdef HAVE_KRB5_GET_CREDS_OPT_SET_IMPERSONATE /* Heimdal */
+ ret = smb_krb5_get_credentials_for_user_opt(context, ccache, me, server, impersonate_princ, &creds);
+#elif defined(HAVE_KRB5_GET_CREDENTIALS_FOR_USER) /* MIT */
+ ret = smb_krb5_get_credentials_for_user(context, ccache, me, server, impersonate_princ, &creds);
+#else
+ ret = ENOTSUP;
+#endif
+ } else {
+ krb5_creds in_creds;
+
+ ZERO_STRUCT(in_creds);
+
+ in_creds.client = me;
+ in_creds.server = server;
+
+ ret = krb5_get_credentials(context, 0, ccache,
+ &in_creds, &creds);
+ }
+ if (ret) {
+ goto done;
+ }
+
+ ret = krb5_cc_store_cred(context, ccache, creds);
+ if (ret) {
+ goto done;
+ }
+
+ if (out_creds) {
+ *out_creds = creds;
+ }
+
+ done:
+ if (creds && ret) {
+ krb5_free_creds(context, creds);
+ }
+
+ return ret;
+}
+
+/*
+ * smb_krb5_get_creds
+ *
+ * @brief Get krb5 credentials for a server
+ *
+ * @param[in] server_s The string name of the service
+ * @param[in] time_offset The offset to the KDCs time in seconds (optional)
+ * @param[in] cc The krb5 credential cache string name (optional)
+ * @param[in] impersonate_princ_s The string principal name to impersonate (optional)
+ * @param[out] creds_p The returned krb5_creds structure
+ * @return krb5_error_code
+ *
+ */
+krb5_error_code smb_krb5_get_creds(const char *server_s,
+ time_t time_offset,
+ const char *cc,
+ const char *impersonate_princ_s,
+ krb5_creds **creds_p)
+{
+ krb5_error_code ret;
+ krb5_context context = NULL;
+ krb5_principal me = NULL;
+ krb5_principal server = NULL;
+ krb5_principal impersonate_princ = NULL;
+ krb5_creds *creds = NULL;
+ krb5_ccache ccache = NULL;
+
+ *creds_p = NULL;
+
+ initialize_krb5_error_table();
+ ret = krb5_init_context(&context);
+ if (ret) {
+ goto done;
+ }
+
+ if (time_offset != 0) {
+ krb5_set_real_time(context, time(NULL) + time_offset, 0);
+ }
+
+ ret = krb5_cc_resolve(context, cc ? cc :
+ krb5_cc_default_name(context), &ccache);
+ if (ret) {
+ goto done;
+ }
+
+ ret = krb5_cc_get_principal(context, ccache, &me);
+ if (ret) {
+ goto done;
+ }
+
+ ret = smb_krb5_parse_name(context, server_s, &server);
+ if (ret) {
+ goto done;
+ }
+
+ if (impersonate_princ_s) {
+ ret = smb_krb5_parse_name(context, impersonate_princ_s,
+ &impersonate_princ);
+ if (ret) {
+ goto done;
+ }
+ }
+
+ ret = smb_krb5_get_credentials(context, ccache,
+ me, server, impersonate_princ,
+ &creds);
+ if (ret) {
+ goto done;
+ }
+
+ ret = krb5_cc_store_cred(context, ccache, creds);
+ if (ret) {
+ goto done;
+ }