[SCM] Samba Shared Repository - branch v3-5-test updated
Günther Deschner
gd at samba.org
Fri Nov 6 05:39:26 MST 2009
The branch, v3-5-test has been updated
via 95c0566... s3-kerberos: support S4U2SELF impersionation through cli_krb5_get_ticket().
via 580b7b1... s3-kerberos: use smb_krb5_get_credentials in ads_krb5_mk_req.
via ae4175e... s3-kerberos: modify cli_krb5_get_ticket to take a new impersonate_princ_s arg.
from a1d21fc... s3-net: better use memory credential cache in net_ads_kerberos_pac().
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test
- Log -----------------------------------------------------------------
commit 95c05668213101755e719b10828a5e57a98b57d0
Author: Günther Deschner <gd at samba.org>
Date: Thu Nov 5 19:10:55 2009 +0100
s3-kerberos: support S4U2SELF impersonation through cli_krb5_get_ticket().
Guenther
(cherry picked from commit 9e48dc2b78226bdacb8988509eaa93e5c9d92787)
commit 580b7b179818427d2cb1e245387cf1c7fa819314
Author: Günther Deschner <gd at samba.org>
Date: Thu Nov 5 17:49:00 2009 +0100
s3-kerberos: use smb_krb5_get_credentials in ads_krb5_mk_req.
Guenther
(cherry picked from commit bb01aae1b9eb1bede98b7d9a9c4920082db128fe)
commit ae4175e8a13e88fe7495af745d384b48f4f02784
Author: Günther Deschner <gd at samba.org>
Date: Mon Oct 13 17:29:22 2008 +0200
s3-kerberos: modify cli_krb5_get_ticket to take a new impersonate_princ_s arg.
Guenther
(cherry picked from commit 60bf0eb60788a5d4dc5de24997c5efda64f2bd73)
-----------------------------------------------------------------------
Summary of changes:
client/cifs.upcall.c | 2 +-
source3/include/includes.h | 7 +++++--
source3/libads/authdata.c | 3 ++-
source3/libsmb/clikrb5.c | 40 ++++++++++++++++++++++++++++++----------
source3/libsmb/clispnego.c | 2 +-
source3/rpc_client/cli_pipe.c | 2 +-
source3/utils/ntlm_auth.c | 4 ++--
7 files changed, 42 insertions(+), 18 deletions(-)
Changeset truncated at 500 lines:
diff --git a/client/cifs.upcall.c b/client/cifs.upcall.c
index bf6a861..97c6ae0 100644
--- a/client/cifs.upcall.c
+++ b/client/cifs.upcall.c
@@ -221,7 +221,7 @@ handle_krb5_mech(const char *oid, const char *principal, DATA_BLOB *secblob,
/* get a kerberos ticket for the service and extract the session key */
retval = cli_krb5_get_ticket(principal, 0, &tkt, sess_key, 0, ccname,
- NULL);
+ NULL, NULL);
if (retval) {
syslog(LOG_DEBUG, "%s: failed to obtain service ticket (%d)",
diff --git a/source3/include/includes.h b/source3/include/includes.h
index 559bc3d..4ffad61 100644
--- a/source3/include/includes.h
+++ b/source3/include/includes.h
@@ -1035,8 +1035,11 @@ krb5_error_code smb_krb5_parse_name_norealm(krb5_context context,
bool smb_krb5_principal_compare_any_realm(krb5_context context,
krb5_const_principal princ1,
krb5_const_principal princ2);
-int cli_krb5_get_ticket(const char *principal, time_t time_offset,
- DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts, const char *ccname, time_t *tgs_expire);
+int cli_krb5_get_ticket(const char *principal, time_t time_offset,
+ DATA_BLOB *ticket, DATA_BLOB *session_key_krb5,
+ uint32 extra_ap_opts, const char *ccname,
+ time_t *tgs_expire,
+ const char *impersonate_princ_s);
krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, const char *client_string, const char *service_string, time_t *expire_time);
krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code);
krb5_error_code smb_krb5_gen_netbios_krb5_address(smb_krb5_addresses **kerb_addr);
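Review bot: The new `impersonate_princ_s` parameter on cli_krb5_get_ticket() is undocumented, and this prototype is the only place most callers will see it; every caller touched by this changeset except kerberos_return_pac() passes NULL. Add a comment above the prototype stating the contract, e.g. `/* impersonate_princ_s: if non-NULL, the service ticket is requested via S4U2Self on behalf of this principal instead of the ccache's own client principal; NULL means an ordinary TGS request. */`. It should also say whether the string must carry a realm, since it is handed straight to smb_krb5_parse_name() in ads_krb5_mk_req(); that helper's behaviour is not visible here, so state what the implementation actually requires.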
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index 8a6a351..98d418c 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -488,7 +488,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
&sesskey1,
0,
cc,
- NULL);
+ NULL,
+ impersonate_princ_s);
if (ret) {
DEBUG(1,("failed to get ticket for %s: %s\n",
local_service, error_message(ret)));
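Review bot: The failure path at the bottom of the hunk logs only `local_service`, so an S4U2Self request the KDC rejects (for example because it refuses the delegation) is reported identically to an ordinary ticket failure. When impersonate_princ_s is non-NULL, include it in the message: `DEBUG(1,("failed to get ticket for %s%s%s: %s\n", local_service, impersonate_princ_s ? " impersonating " : "", impersonate_princ_s ? impersonate_princ_s : "", error_message(ret)));`. kerberos_return_pac() starts before this hunk, so where impersonate_princ_s originates and how it is validated is not visible here.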
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index 1778853..75abf1c 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -673,10 +673,12 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
const char *principal,
krb5_ccache ccache,
krb5_data *outbuf,
- time_t *expire_time)
+ time_t *expire_time,
+ const char *impersonate_princ_s)
{
krb5_error_code retval;
krb5_principal server;
+ krb5_principal impersonate_princ = NULL;
krb5_creds * credsp;
krb5_creds creds;
krb5_data in_data;
@@ -690,7 +692,16 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
DEBUG(1,("ads_krb5_mk_req: Failed to parse principal %s\n", principal));
return retval;
}
-
+
+ if (impersonate_princ_s) {
+ retval = smb_krb5_parse_name(context, impersonate_princ_s,
+ &impersonate_princ);
+ if (retval) {
+ DEBUG(1,("ads_krb5_mk_req: Failed to parse principal %s\n", impersonate_princ_s));
+ goto cleanup_princ;
+ }
+ }
+
/* obtain ticket & session key */
ZERO_STRUCT(creds);
if ((retval = krb5_copy_principal(context, server, &creds.server))) {
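Review bot: The DEBUG on the new parse-failure path reuses the exact wording of the one for `principal` a few lines above (`Failed to parse principal %s`), so a log reader cannot tell which of the two strings was rejected except by recognising the value. Use a distinct message, `DEBUG(1,("ads_krb5_mk_req: Failed to parse impersonation principal %s\n", impersonate_princ_s));`. As far as the hunk shows, the `goto cleanup_princ` is the right target here, since impersonate_princ is still NULL and only server has been allocated at that point.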
@@ -702,17 +713,20 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
if ((retval = krb5_cc_get_principal(context, ccache, &creds.client))) {
/* This can commonly fail on smbd startup with no ticket in the cache.
* Report at higher level than 1. */
- DEBUG(3,("ads_krb5_mk_req: krb5_cc_get_principal failed (%s)\n",
+ DEBUG(3,("ads_krb5_mk_req: krb5_cc_get_principal failed (%s)\n",
error_message(retval)));
goto cleanup_creds;
}
while (!creds_ready && (i < maxtries)) {
- if ((retval = krb5_get_credentials(context, 0, ccache,
- &creds, &credsp))) {
- DEBUG(1,("ads_krb5_mk_req: krb5_get_credentials failed for %s (%s)\n",
- principal, error_message(retval)));
+ if ((retval = smb_krb5_get_credentials(context, ccache,
+ creds.client,
+ creds.server,
+ impersonate_princ,
+ &credsp))) {
+ DEBUG(1,("ads_krb5_mk_req: smb_krb5_get_credentials failed for %s (%s)\n",
+ principal, error_message(retval)));
goto cleanup_creds;
}
@@ -816,6 +830,9 @@ cleanup_creds:
cleanup_princ:
krb5_free_principal(context, server);
+ if (impersonate_princ) {
+ krb5_free_principal(context, impersonate_princ);
+ }
return retval;
}
@@ -826,7 +843,8 @@ cleanup_princ:
int cli_krb5_get_ticket(const char *principal, time_t time_offset,
DATA_BLOB *ticket, DATA_BLOB *session_key_krb5,
uint32 extra_ap_opts, const char *ccname,
- time_t *tgs_expire)
+ time_t *tgs_expire,
+ const char *impersonate_princ_s)
{
krb5_error_code retval;
@@ -872,7 +890,8 @@ int cli_krb5_get_ticket(const char *principal, time_t time_offset,
AP_OPTS_USE_SUBKEY | (krb5_flags)extra_ap_opts,
principal,
ccdef, &packet,
- tgs_expire))) {
+ tgs_expire,
+ impersonate_princ_s))) {
goto failed;
}
@@ -2237,7 +2256,8 @@ krb5_error_code smb_krb5_get_creds(const char *server_s,
/* this saves a few linking headaches */
int cli_krb5_get_ticket(const char *principal, time_t time_offset,
DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts,
- const char *ccname, time_t *tgs_expire)
+ const char *ccname, time_t *tgs_expire,
+ const char *impersonate_princ_s)
{
DEBUG(0,("NO KERBEROS SUPPORT\n"));
return 1;
diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c
index e20749b..3789fbf 100644
--- a/source3/libsmb/clispnego.c
+++ b/source3/libsmb/clispnego.c
@@ -389,7 +389,7 @@ int spnego_gen_negTokenTarg(const char *principal, int time_offset,
/* get a kerberos ticket for the service and extract the session key */
retval = cli_krb5_get_ticket(principal, time_offset,
&tkt, session_key_krb5, extra_ap_opts, NULL,
- expire_time);
+ expire_time, NULL);
if (retval)
return retval;
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index e150059..c649870 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -1502,7 +1502,7 @@ static NTSTATUS create_krb5_auth_bind_req( struct rpc_pipe_client *cli,
/* Create the ticket for the service principal and return it in a gss-api wrapped blob. */
ret = cli_krb5_get_ticket(a->service_principal, 0, &tkt,
- &a->session_key, (uint32)AP_OPTS_MUTUAL_REQUIRED, NULL, NULL);
+ &a->session_key, (uint32)AP_OPTS_MUTUAL_REQUIRED, NULL, NULL, NULL);
if (ret) {
DEBUG(1,("create_krb5_auth_bind_req: cli_krb5_get_ticket for principal %s "
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 3bdc45a..2a7e18c 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -1572,7 +1572,7 @@ static bool manage_client_krb5_init(struct spnego_data spnego)
spnego.negTokenInit.mechListMIC.length);
principal[spnego.negTokenInit.mechListMIC.length] = '\0';
- retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0, NULL, NULL);
+ retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0, NULL, NULL, NULL);
if (retval) {
char *user = NULL;
@@ -1596,7 +1596,7 @@ static bool manage_client_krb5_init(struct spnego_data spnego)
return False;
}
- retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0, NULL, NULL);
+ retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0, NULL, NULL, NULL);
if (retval) {
DEBUG(10, ("Kinit suceeded, but getting a ticket failed: %s\n", error_message(retval)));
--