[SCM] Samba Shared Repository - branch master updated

Günther Deschner gd at samba.org
Fri Nov 6 04:45:55 MST 2009


The branch, master has been updated
       via  58184b5... s3-net: allow to call "net ads kerberos pac <impersonation principal> -P".
       via  5e26622... s3-kerberos: add impersonate_principal for kerberos_return_pac_X calls.
       via  4ffbfc4... s3-kerberos: add smb_krb5_get_tkt_from_creds().
       via  bb75f71... s3-kerberos: fix some build warnings when building against heimdal.
       via  35dcc13... s3-kerberos: add smb_krb5_get_{creds,credentials} incl. support for S4U2SELF impersonation.
       via  0729df3... s3-kerberos: remove duplicate prototype.
       via  17ef153... s3-kerberos: add smb_krb5_parse_name_flags().
       via  2cd507f... s3-kerberos: add configure checks for krb5_get_creds_X api.
      from  c99dd5c... Got the logic simplification worked out so we still pass BASE-DELAYWRITE and also RAW-CLOSE. Jeremy.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 58184b5fd4e95bc7ad2179237808126411509eea
Author: Günther Deschner <gd at samba.org>
Date:   Mon Oct 13 17:28:39 2008 +0200

    s3-net: allow to call "net ads kerberos pac <impersonation principal> -P".
    
    Guenther

commit 5e266225108aa3335476cbe1214cc0f484c4fd02
Author: Günther Deschner <gd at samba.org>
Date:   Mon Oct 13 17:27:21 2008 +0200

    s3-kerberos: add impersonate_principal for kerberos_return_pac_X calls.
    
    Guenther

commit 4ffbfc4475c92b9190811bd189802ff265aa6846
Author: Günther Deschner <gd at samba.org>
Date:   Mon Oct 13 17:25:35 2008 +0200

    s3-kerberos: add smb_krb5_get_tkt_from_creds().
    
    Guenther

commit bb75f713d628073c503b06a3d217195aa95d72b2
Author: Günther Deschner <gd at samba.org>
Date:   Fri Nov 6 10:25:53 2009 +0100

    s3-kerberos: fix some build warnings when building against heimdal.
    
    Guenther

commit 35dcc133c9c26d10186fe59ea096a2a5c87958e6
Author: Günther Deschner <gd at samba.org>
Date:   Mon Oct 13 17:22:37 2008 +0200

    s3-kerberos: add smb_krb5_get_{creds,credentials} incl. support for S4U2SELF impersonation.
    
    Guenther

commit 0729df3661fefeffc5154c9b01ae027b3ede4b92
Author: Günther Deschner <gd at samba.org>
Date:   Mon Oct 13 17:27:43 2008 +0200

    s3-kerberos: remove duplicate prototype.
    
    Guenther

commit 17ef153b68795fec681f9ce17c198236aba2b1c2
Author: Günther Deschner <gd at samba.org>
Date:   Thu Nov 5 19:02:55 2009 +0100

    s3-kerberos: add smb_krb5_parse_name_flags().
    
    Guenther

commit 2cd507fe144c58a4c856c73ec56b80365dad9f23
Author: Günther Deschner <gd at samba.org>
Date:   Mon Oct 13 17:21:22 2008 +0200

    s3-kerberos: add configure checks for krb5_get_creds_X api.
    
    Guenther

-----------------------------------------------------------------------

Summary of changes:
 source3/configure.in            |    6 +
 source3/include/includes.h      |   17 ++-
 source3/include/proto.h         |    6 +-
 source3/libads/authdata.c       |   66 +++++++++-
 source3/libads/kerberos.c       |    4 +-
 source3/libsmb/clikrb5.c        |  289 ++++++++++++++++++++++++++++++++++++++-
 source3/utils/net_ads.c         |    8 +-
 source3/winbindd/winbindd_pam.c |    1 +
 8 files changed, 386 insertions(+), 11 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/configure.in b/source3/configure.in
index 715f159..aab8c01 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -3438,6 +3438,12 @@ if test x"$with_ads_support" != x"no"; then
   AC_CHECK_FUNC_EXT(krb5_enctype_to_string, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(krb5_fwd_tgt_creds, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(krb5_auth_con_set_req_cksumtype, $KRB5_LIBS)
+  AC_CHECK_FUNC_EXT(krb5_get_creds_opt_alloc, $KRB5_LIBS)
+  AC_CHECK_FUNC_EXT(krb5_get_creds_opt_set_impersonate, $KRB5_LIBS)
+  AC_CHECK_FUNC_EXT(krb5_get_creds, $KRB5_LIBS)
+  AC_CHECK_FUNC_EXT(krb5_get_credentials_for_user, $KRB5_LIBS)
+  # MIT krb5 1.8 does not expose this call (yet)
+  AC_CHECK_DECLS(krb5_get_credentials_for_user, [], [], [#include <krb5.h>])
 
   # MIT krb5 1.7beta3 (in Ubuntu Karmic) does not have this declaration
   # but does have the symbol
diff --git a/source3/include/includes.h b/source3/include/includes.h
index b3446cb..559bc3d 100644
--- a/source3/include/includes.h
+++ b/source3/include/includes.h
@@ -952,7 +952,10 @@ char *talloc_asprintf_strupper_m(TALLOC_CTX *t, const char *fmt, ...) PRINTF_ATT
 krb5_error_code smb_krb5_parse_name(krb5_context context,
 				const char *name, /* in unix charset */
                                 krb5_principal *principal);
-
+krb5_error_code smb_krb5_parse_name_flags(krb5_context context,
+					  const char *name, /* in unix charset */
+					  int flags,
+					  krb5_principal *principal);
 krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
 				      krb5_context context,
 				      krb5_const_principal principal,
@@ -1072,7 +1075,17 @@ int smb_krb5_kt_add_entry_ext(krb5_context context,
 			      krb5_data password,
 			      bool no_salt,
 			      bool keep_old_entries);
-
+krb5_error_code smb_krb5_get_credentials(krb5_context context,
+					 krb5_ccache ccache,
+					 krb5_principal me,
+					 krb5_principal server,
+					 krb5_principal impersonate_princ,
+					 krb5_creds **out_creds);
+krb5_error_code smb_krb5_get_creds(const char *server_s,
+				   time_t time_offset,
+				   const char *cc,
+				   const char *impersonate_princ_s,
+				   krb5_creds **creds_p);
 #endif /* HAVE_KRB5 */
 
 
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 785b968..0dbc1c7 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1707,6 +1707,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 			     bool request_pac,
 			     bool add_netbios_addr,
 			     time_t renewable_time,
+			     const char *impersonate_princ_s,
 			     struct PAC_DATA **pac_ret);
 NTSTATUS kerberos_return_info3_from_pac(TALLOC_CTX *mem_ctx,
 					const char *name,
@@ -1718,6 +1719,7 @@ NTSTATUS kerberos_return_info3_from_pac(TALLOC_CTX *mem_ctx,
 					bool request_pac,
 					bool add_netbios_addr,
 					time_t renewable_time,
+					const char *impersonate_princ_s,
 					struct netr_SamInfo3 **info3);
 
 /* The following definitions come from libads/cldap.c  */
@@ -2718,10 +2720,6 @@ bool unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx,
 			   DATA_BLOB *edata, 
 			   DATA_BLOB *edata_out);
 bool unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_pac_data);
-int cli_krb5_get_ticket(const char *principal, time_t time_offset, 
-			DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, 
-			uint32 extra_ap_opts, const char *ccname, 
-			time_t *tgs_expire);
 
 /* The following definitions come from libsmb/clilist.c  */
 
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index 0032e9e..8a6a351 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -335,6 +335,46 @@ struct PAC_LOGON_INFO *get_logon_info_from_pac(struct PAC_DATA *pac_data)
 	return NULL;
 }
 
+static krb5_error_code smb_krb5_get_tkt_from_creds(krb5_creds *creds,
+						   DATA_BLOB *tkt)
+{
+	krb5_error_code ret;
+	krb5_context context;
+	krb5_auth_context auth_context = NULL;
+	krb5_data inbuf, outbuf;
+
+	ret = krb5_init_context(&context);
+	if (ret) {
+		return ret;
+	}
+
+	ret = krb5_auth_con_init(context, &auth_context);
+	if (ret) {
+		goto done;
+	}
+
+	ZERO_STRUCT(inbuf);
+
+	ret = krb5_mk_req_extended(context, &auth_context, AP_OPTS_USE_SUBKEY,
+				   &inbuf, creds, &outbuf);
+	if (ret) {
+		goto done;
+	}
+
+	*tkt = data_blob(outbuf.data, outbuf.length);
+ done:
+	if (!context) {
+		return ret;
+	}
+	krb5_free_data_contents(context, &outbuf);
+	if (auth_context) {
+		krb5_auth_con_free(context, auth_context);
+	}
+	krb5_free_context(context);
+
+	return ret;
+}
+
 /****************************************************************
 ****************************************************************/
 
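Review bot: `outbuf` is declared uninitialised on the `krb5_data inbuf, outbuf;` line, yet `krb5_free_data_contents(context, &outbuf)` at `done:` runs on every path, including the ones reached when krb5_auth_con_init fails or krb5_mk_req_extended fails before it has written outbuf, so the library may be handed whatever pointer the stack happened to hold. Zero it alongside the existing call: `ZERO_STRUCT(inbuf); ZERO_STRUCT(outbuf);`. The `if (!context) { return ret; }` guard at `done:` can never fire, because the only route to the label follows a successful krb5_init_context, and `context` itself is never initialised; either drop the guard or initialise `krb5_context context = NULL;` so the check is at least meaningful. smb_krb5_get_tkt_from_creds is complete within the hunk.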
@@ -348,6 +388,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 			     bool request_pac,
 			     bool add_netbios_addr,
 			     time_t renewable_time,
+			     const char *impersonate_princ_s,
 			     struct PAC_DATA **pac_ret)
 {
 	krb5_error_code ret;
@@ -358,6 +399,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 	const char *auth_princ = NULL;
 	const char *local_service = NULL;
 	const char *cc = "MEMORY:kerberos_return_pac";
+	krb5_creds *creds = NULL;
 
 	ZERO_STRUCT(tkt);
 	ZERO_STRUCT(ap_rep);
@@ -420,8 +462,26 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 	    (*expire_time == 0) && (*renew_till_time == 0)) {
 		return NT_STATUS_INVALID_LOGON_TYPE;
 	}
+#if 1
+	ret = smb_krb5_get_creds(local_service,
+				 time_offset,
+				 cc,
+				 impersonate_princ_s,
+				 &creds);
+	if (ret) {
+		DEBUG(1,("failed to get credentials for %s: %s\n",
+			local_service, error_message(ret)));
+		status = krb5_to_nt_status(ret);
+		goto out;
+	}
 
+	ret = smb_krb5_get_tkt_from_creds(creds, &tkt);
+	if (ret) {
+		status = krb5_to_nt_status(ret);
+		goto out;
+	}
 
+#else
 	ret = cli_krb5_get_ticket(local_service,
 				  time_offset,
 				  &tkt,
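Review bot: The `#else` branch parked under `#if 1` still calls cli_krb5_get_ticket, whose prototype the proto.h hunk in this same changeset removes, so switching the conditional back would compile against an implicit declaration; the old path should be deleted rather than kept as dead code, or the `#if 1` should become a named build option with the prototype retained. Separately, `creds` as filled in by smb_krb5_get_creds is not released anywhere in the hunk, and smb_krb5_get_creds creates its own krb5_context (visible in the clikrb5.c hunk), so the caller has no context handle to pass to krb5_free_creds unless the `out:` cleanup outside this hunk creates one — worth confirming, since otherwise each PAC fetch leaks a krb5_creds. kerberos_return_pac starts and ends outside the hunk.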
@@ -435,7 +495,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 		status = krb5_to_nt_status(ret);
 		goto out;
 	}
-
+#endif
 	status = ads_verify_ticket(mem_ctx,
 				   lp_realm(),
 				   time_offset,
@@ -487,6 +547,7 @@ static NTSTATUS kerberos_return_pac_logon_info(TALLOC_CTX *mem_ctx,
 					       bool request_pac,
 					       bool add_netbios_addr,
 					       time_t renewable_time,
+					       const char *impersonate_princ_s,
 					       struct PAC_LOGON_INFO **logon_info)
 {
 	NTSTATUS status;
@@ -503,6 +564,7 @@ static NTSTATUS kerberos_return_pac_logon_info(TALLOC_CTX *mem_ctx,
 				     request_pac,
 				     add_netbios_addr,
 				     renewable_time,
+				     impersonate_princ_s,
 				     &pac_data);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
@@ -537,6 +599,7 @@ NTSTATUS kerberos_return_info3_from_pac(TALLOC_CTX *mem_ctx,
 					bool request_pac,
 					bool add_netbios_addr,
 					time_t renewable_time,
+					const char *impersonate_princ_s,
 					struct netr_SamInfo3 **info3)
 {
 	NTSTATUS status;
@@ -552,6 +615,7 @@ NTSTATUS kerberos_return_info3_from_pac(TALLOC_CTX *mem_ctx,
 						request_pac,
 						add_netbios_addr,
 						renewable_time,
+						impersonate_princ_s,
 						&logon_info);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index c1e6c4a..89357b0 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -46,9 +46,9 @@ kerb_prompter(krb5_context ctx, void *data,
 	memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
 	if (prompts[0].reply->length > 0) {
 		if (data) {
-			strncpy(prompts[0].reply->data, (const char *)data,
+			strncpy((char *)prompts[0].reply->data, (const char *)data,
 				prompts[0].reply->length-1);
-			prompts[0].reply->length = strlen(prompts[0].reply->data);
+			prompts[0].reply->length = strlen((const char *)prompts[0].reply->data);
 		} else {
 			prompts[0].reply->length = 0;
 		}
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index 145e30b..1778853 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -4,7 +4,7 @@
    Copyright (C) Andrew Tridgell 2001
    Copyright (C) Luke Howard 2002-2003
    Copyright (C) Andrew Bartlett <abartlet at samba.org> 2005
-   Copyright (C) Guenther Deschner 2005-2007
+   Copyright (C) Guenther Deschner 2005-2009
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -65,6 +65,24 @@ static krb5_error_code ads_krb5_get_fwd_ticket( krb5_context context,
 	return ret;
 }
 
+krb5_error_code smb_krb5_parse_name_flags(krb5_context context,
+					  const char *name, /* in unix charset */
+					  int flags,
+					  krb5_principal *principal)
+{
+	krb5_error_code ret;
+	char *utf8_name;
+	size_t converted_size;
+
+	if (!push_utf8_talloc(talloc_tos(), &utf8_name, name, &converted_size)) {
+		return ENOMEM;
+	}
+
+	ret = krb5_parse_name_flags(context, utf8_name, flags, principal);
+	TALLOC_FREE(utf8_name);
+	return ret;
+}
+
 #ifdef HAVE_KRB5_PARSE_NAME_NOREALM
 /**************************************************************
  krb5_parse_name_norealm that takes a UNIX charset.
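Review bot: smb_krb5_parse_name_flags has no header comment, while the neighbouring wrapper at the end of the hunk is introduced with the file's usual block (`krb5_parse_name_norealm that takes a UNIX charset.`); add the same three-line block above the new definition: `/**************************************************************`, ` krb5_parse_name_flags that takes a UNIX charset.`, `**************************************************************/`. The comment should also state that `flags` is passed straight through to krb5_parse_name_flags and that any push_utf8_talloc failure is reported as ENOMEM, since a reader cannot tell from here whether that call can fail for reasons other than memory exhaustion.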
@@ -1946,6 +1964,275 @@ krb5_error_code krb5_auth_con_set_req_cksumtype(
 }
 #endif
 
+#if defined(HAVE_KRB5_GET_CREDS_OPT_SET_IMPERSONATE) && \
+    defined(HAVE_KRB5_GET_CREDS_OPT_ALLOC) && \
+    defined(HAVE_KRB5_GET_CREDS)
+static krb5_error_code smb_krb5_get_credentials_for_user_opt(krb5_context context,
+							     krb5_ccache ccache,
+							     krb5_principal me,
+							     krb5_principal server,
+							     krb5_principal impersonate_princ,
+							     krb5_creds **out_creds)
+{
+	krb5_error_code ret;
+	krb5_get_creds_opt opt;
+
+	ret = krb5_get_creds_opt_alloc(context, &opt);
+	if (ret) {
+		goto done;
+	}
+	krb5_get_creds_opt_add_options(context, opt, KRB5_GC_FORWARDABLE);
+
+	if (impersonate_princ) {
+		ret = krb5_get_creds_opt_set_impersonate(context, opt,
+							 impersonate_princ);
+		if (ret) {
+			goto done;
+		}
+	}
+
+	ret = krb5_get_creds(context, opt, ccache, server, out_creds);
+	if (ret) {
+		goto done;
+	}
+
+ done:
+	if (opt) {
+		krb5_get_creds_opt_free(context, opt);
+	}
+	return ret;
+}
+#endif /* HAVE_KRB5_GET_CREDS_OPT_SET_IMPERSONATE */
+
+#ifdef HAVE_KRB5_GET_CREDENTIALS_FOR_USER
+static krb5_error_code smb_krb5_get_credentials_for_user(krb5_context context,
+							 krb5_ccache ccache,
+							 krb5_principal me,
+							 krb5_principal server,
+							 krb5_principal impersonate_princ,
+							 krb5_creds **out_creds)
+{
+	krb5_error_code ret;
+	krb5_creds in_creds;
+
+#if !HAVE_DECL_KRB5_GET_CREDENTIALS_FOR_USER
+krb5_error_code KRB5_CALLCONV
+krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
+                              krb5_ccache ccache, krb5_creds *in_creds,
+                              krb5_data *subject_cert,
+                              krb5_creds **out_creds);
+#endif /* !HAVE_DECL_KRB5_GET_CREDENTIALS_FOR_USER */
+
+	ZERO_STRUCT(in_creds);
+
+	if (impersonate_princ) {
+
+		in_creds.server = me;
+		in_creds.client = impersonate_princ;
+
+		ret = krb5_get_credentials_for_user(context,
+						    0, /* krb5_flags options */
+						    ccache,
+						    &in_creds,
+						    NULL, /* krb5_data *subject_cert */
+						    out_creds);
+	} else {
+		in_creds.client = me;
+		in_creds.server = server;
+
+		ret = krb5_get_credentials(context, 0, ccache,
+					   &in_creds, out_creds);
+	}
+
+	return ret;
+}
+#endif /* HAVE_KRB5_GET_CREDENTIALS_FOR_USER */
+
+/*
+ * smb_krb5_get_credentials
+ *
+ * @brief Get krb5 credentials for a server
+ *
+ * @param[in] context		An initialized krb5_context
+ * @param[in] ccache		An initialized krb5_ccache
+ * @param[in] me		The krb5_principal of the caller
+ * @param[in] server		The krb5_principal of the requested service
+ * @param[in] impersonate_princ The krb5_principal of a user to impersonate as (optional)
+ * @param[out] out_creds	The returned krb5_creds structure
+ * @return krb5_error_code
+ *
+ */
+krb5_error_code smb_krb5_get_credentials(krb5_context context,
+					 krb5_ccache ccache,
+					 krb5_principal me,
+					 krb5_principal server,
+					 krb5_principal impersonate_princ,
+					 krb5_creds **out_creds)
+{
+	krb5_error_code ret;
+	krb5_creds *creds = NULL;
+
+	*out_creds = NULL;
+
+	if (impersonate_princ) {
+#ifdef HAVE_KRB5_GET_CREDS_OPT_SET_IMPERSONATE /* Heimdal */
+		ret = smb_krb5_get_credentials_for_user_opt(context, ccache, me, server, impersonate_princ, &creds);
+#elif defined(HAVE_KRB5_GET_CREDENTIALS_FOR_USER) /* MIT */
+		ret = smb_krb5_get_credentials_for_user(context, ccache, me, server, impersonate_princ, &creds);
+#else
+		ret = ENOTSUP;
+#endif
+	} else {
+		krb5_creds in_creds;
+
+		ZERO_STRUCT(in_creds);
+
+		in_creds.client = me;
+		in_creds.server = server;
+
+		ret = krb5_get_credentials(context, 0, ccache,
+					   &in_creds, &creds);
+	}
+	if (ret) {
+		goto done;
+	}
+
+	ret = krb5_cc_store_cred(context, ccache, creds);
+	if (ret) {
+		goto done;
+	}
+
+	if (out_creds) {
+		*out_creds = creds;
+	}
+
+ done:
+	if (creds && ret) {
+		krb5_free_creds(context, creds);
+	}
+
+	return ret;
+}
+
+/*
+ * smb_krb5_get_creds
+ *
+ * @brief Get krb5 credentials for a server
+ *
+ * @param[in] server_s		The string name of the service
+ * @param[in] time_offset	The offset to the KDCs time in seconds (optional)
+ * @param[in] cc		The krb5 credential cache string name (optional)
+ * @param[in] impersonate_princ_s The string principal name to impersonate (optional)
+ * @param[out] creds_p		The returned krb5_creds structure
+ * @return krb5_error_code
+ *
+ */
+krb5_error_code smb_krb5_get_creds(const char *server_s,
+				   time_t time_offset,
+				   const char *cc,
+				   const char *impersonate_princ_s,
+				   krb5_creds **creds_p)
+{
+	krb5_error_code ret;
+	krb5_context context = NULL;
+	krb5_principal me = NULL;
+	krb5_principal server = NULL;
+	krb5_principal impersonate_princ = NULL;
+	krb5_creds *creds = NULL;
+	krb5_ccache ccache = NULL;
+
+	*creds_p = NULL;
+
+	initialize_krb5_error_table();
+	ret = krb5_init_context(&context);
+	if (ret) {
+		goto done;
+	}
+
+	if (time_offset != 0) {
+		krb5_set_real_time(context, time(NULL) + time_offset, 0);
+	}
+
+	ret = krb5_cc_resolve(context, cc ? cc :
+		krb5_cc_default_name(context), &ccache);
+	if (ret) {
+		goto done;
+	}
+
+	ret = krb5_cc_get_principal(context, ccache, &me);
+	if (ret) {
+		goto done;
+	}
+
+	ret = smb_krb5_parse_name(context, server_s, &server);
+	if (ret) {
+		goto done;
+	}
+
+	if (impersonate_princ_s) {
+		ret = smb_krb5_parse_name(context, impersonate_princ_s,
+					  &impersonate_princ);
+		if (ret) {
+			goto done;
+		}
+	}
+
+	ret = smb_krb5_get_credentials(context, ccache,
+				       me, server, impersonate_princ,
+				       &creds);
+	if (ret) {
+		goto done;
+	}
+
+	ret = krb5_cc_store_cred(context, ccache, creds);
+	if (ret) {
+		goto done;
+	}

