[SCM] Samba Shared Repository - branch master updated
Simo Sorce
idra at samba.org
Fri Aug 13 07:09:17 MDT 2010
The branch, master has been updated
via 71d80e6... s3-krb5 Only build ADS support if arcfour-hmac-md5 is available
via fff6fa7... s3:libnet Add other required headers for libnet_samsync_keytab.c
from 5390bae... tdb: add TDB_DEPS variable filled with required libraries
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 71d80e6be0687ac7c2f3caab5e7b8caf400fe37e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Aug 10 08:25:02 2010 +1000
s3-krb5 Only build ADS support if arcfour-hmac-md5 is available
Modern Kerberos implementations have either defines or enums for these
key types, which makes doing #ifdef difficult. This shows up in files
such as libnet_samsync_keytab.c, the bulk of which is not compiled on
current Fedora 12, for example.
The downside is that this makes Samba unconditionally depend on the
arcfour-hmac-md5 encryption type at build time. We will no longer
support libraries that only support the DES based encryption types.
However, the single-DES types that are supported in common with AD are
already painfully weak - so much so that they are disabled by default
in modern Kerberos libraries.
If not found, ADS support will not be compiled in.
This means that our 'net ads join' will no longer set the
ACB_USE_DES_KEY_ONLY flag, and we will always try to use
arcfour-hmac-md5.
A future improvement would be to remove the use of the DES encryption
types totally, but this would require that any ACB_USE_DES_KEY_ONLY
flag be removed from existing joins.
Andrew Bartlett
Signed-off-by: Simo Sorce <idra at samba.org>
commit fff6fa72ffa7890cee516bd7e65b50bdb8daf51d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Aug 10 12:00:29 2010 +1000
s3:libnet Add other required headers for libnet_samsync_keytab.c
Due to missing defines in modern kerberos libraries, this code was
not compiled and so this wasn't noticed.
Andrew Bartlett
Signed-off-by: Simo Sorce <idra at samba.org>
-----------------------------------------------------------------------
Summary of changes:
source3/configure.in | 20 +++++++++++++++++++-
source3/include/smb_krb5.h | 2 +-
source3/libads/kerberos_keytab.c | 9 ++++-----
source3/libads/kerberos_verify.c | 2 --
source3/libnet/libnet_dssync_keytab.c | 4 ++--
source3/libnet/libnet_join.c | 6 ------
.../libnet/{libnet_join.c => libnet_join.c.orig} | 0
source3/libnet/libnet_samsync_keytab.c | 7 +++++--
...msync_keytab.c => libnet_samsync_keytab.c.orig} | 3 +++
source3/libsmb/clikrb5.c | 2 --
10 files changed, 34 insertions(+), 21 deletions(-)
copy source3/libnet/{libnet_join.c => libnet_join.c.orig} (100%)
copy source3/libnet/{libnet_samsync_keytab.c => libnet_samsync_keytab.c.orig} (99%)
Changeset truncated at 500 lines:
diff --git a/source3/configure.in b/source3/configure.in
index 6b73671..b4564ee 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -4040,6 +4040,7 @@ if test x"$with_ads_support" != x"no"; then
[Whether the krb5_keyblock struct has a keyvalue property])
fi
+ found_arcfour_hmac=no
AC_CACHE_CHECK([for ENCTYPE_ARCFOUR_HMAC_MD5],
samba_cv_HAVE_ENCTYPE_ARCFOUR_HMAC_MD5,[
AC_TRY_COMPILE([#include <krb5.h>],
@@ -4057,7 +4058,19 @@ if test x"$with_ads_support" != x"no"; then
if test x"$samba_cv_HAVE_ENCTYPE_ARCFOUR_HMAC_MD5" = x"yes" -a\
x"$samba_cv_HAVE_KEYTYPE_ARCFOUR_56" = x"yes"; then
AC_DEFINE(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5,1,
- [Whether the ENCTYPE_ARCFOUR_HMAC_MD5 key type is available])
+ [Whether the ENCTYPE_ARCFOUR_HMAC_MD5 key type definition is available])
+ found_arcfour_hmac=yes
+ fi
+ AC_CACHE_CHECK([for ENCTYPE_ARCFOUR_HMAC],
+ samba_cv_HAVE_ENCTYPE_ARCFOUR_HMAC,[
+ AC_TRY_COMPILE([#include <krb5.h>],
+ [krb5_enctype enctype; enctype = ENCTYPE_ARCFOUR_HMAC;],
+ samba_cv_HAVE_ENCTYPE_ARCFOUR_HMAC=yes,
+ samba_cv_HAVE_ENCTYPE_ARCFOUR_HMAC=no)])
+ if test x"$samba_cv_HAVE_ENCTYPE_ARCFOUR_HMAC" = x"yes"; then
+ AC_DEFINE(HAVE_ENCTYPE_ARCFOUR_HMAC,1,
+ [Whether the ENCTYPE_ARCFOUR_HMAC key type definition is available])
+ found_arcfour_hmac=yes
fi
AC_CACHE_CHECK([for AP_OPTS_USE_SUBKEY],
@@ -4300,6 +4313,11 @@ if test x"$with_ads_support" != x"no"; then
# NOTE: all tests should be done before this block!
#
#
+ if test x"$found_arcfour_hmac" != x"yes"; then
+ AC_MSG_WARN(arcfour-hmac-md5 encryption type not found in -lkrb5)
+ use_ads=no
+ fi
+
if test x"$ac_cv_lib_ext_krb5_krb5_mk_req_extended" != x"yes"; then
AC_MSG_WARN(krb5_mk_req_extended not found in -lkrb5)
use_ads=no
diff --git a/source3/include/smb_krb5.h b/source3/include/smb_krb5.h
index 35cc047..0a6ba79 100644
--- a/source3/include/smb_krb5.h
+++ b/source3/include/smb_krb5.h
@@ -25,7 +25,7 @@
#endif
/* Heimdal uses a slightly different name */
-#if defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5)
+#if defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5) && !defined(HAVE_ENCTYPE_ARCFOUR_HMAC)
#define ENCTYPE_ARCFOUR_HMAC ENCTYPE_ARCFOUR_HMAC_MD5
#endif
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index a874901..386ce83 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -236,17 +236,16 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
krb5_keytab keytab = NULL;
krb5_data password;
krb5_kvno kvno;
- krb5_enctype enctypes[4] = { ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5, 0, 0 };
+ krb5_enctype enctypes[4] = { ENCTYPE_DES_CBC_CRC,
+ ENCTYPE_DES_CBC_MD5,
+ ENCTYPE_ARCFOUR_HMAC,
+ 0 };
char *princ_s = NULL, *short_princ_s = NULL;
char *password_s = NULL;
char *my_fqdn;
TALLOC_CTX *ctx = NULL;
char *machine_name;
-#if defined(ENCTYPE_ARCFOUR_HMAC)
- enctypes[2] = ENCTYPE_ARCFOUR_HMAC;
-#endif
-
initialize_krb5_error_table();
ret = krb5_init_context(&context);
if (ret) {
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c
index 887dac0..7eda7fd 100644
--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -344,9 +344,7 @@ static krb5_error_code ads_secrets_verify_ticket(krb5_context context,
/* Let's make some room for 2 password (old and new)*/
krb5_data passwords[2];
krb5_enctype enctypes[] = {
-#if defined(ENCTYPE_ARCFOUR_HMAC)
ENCTYPE_ARCFOUR_HMAC,
-#endif
ENCTYPE_DES_CBC_CRC,
ENCTYPE_DES_CBC_MD5,
ENCTYPE_NULL
diff --git a/source3/libnet/libnet_dssync_keytab.c b/source3/libnet/libnet_dssync_keytab.c
index b0c745d..96fb9c9 100644
--- a/source3/libnet/libnet_dssync_keytab.c
+++ b/source3/libnet/libnet_dssync_keytab.c
@@ -25,7 +25,7 @@
#include "libnet/libnet_keytab.h"
#include "librpc/gen_ndr/ndr_drsblobs.h"
-#if defined(HAVE_ADS) && defined(ENCTYPE_ARCFOUR_HMAC)
+#if defined(HAVE_ADS)
static NTSTATUS keytab_startup(struct dssync_context *ctx, TALLOC_CTX *mem_ctx,
struct replUpToDateVectorBlob **pold_utdv)
@@ -601,7 +601,7 @@ static NTSTATUS keytab_process_objects(struct dssync_context *ctx,
{
return NT_STATUS_NOT_SUPPORTED;
}
-#endif /* defined(HAVE_ADS) && defined(ENCTYPE_ARCFOUR_HMAC) */
+#endif /* defined(HAVE_ADS) */
const struct dssync_ops libnet_dssync_keytab_ops = {
.startup = keytab_startup,
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index c710f9e..7d83dc3 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -982,12 +982,6 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
/* Fill in the additional account flags now */
acct_flags |= ACB_PWNOEXP;
- if (r->out.domain_is_ad) {
-#if !defined(ENCTYPE_ARCFOUR_HMAC)
- acct_flags |= ACB_USE_DES_KEY_ONLY;
-#endif
- ;;
- }
/* Set account flags on machine account */
ZERO_STRUCT(user_info.info16);
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c.orig
similarity index 100%
copy from source3/libnet/libnet_join.c
copy to source3/libnet/libnet_join.c.orig
diff --git a/source3/libnet/libnet_samsync_keytab.c b/source3/libnet/libnet_samsync_keytab.c
index 246bcad..faba1e7 100644
--- a/source3/libnet/libnet_samsync_keytab.c
+++ b/source3/libnet/libnet_samsync_keytab.c
@@ -19,9 +19,12 @@
*/
#include "includes.h"
+#include "smb_krb5.h"
+#include "ads.h"
+#include "libnet/libnet_keytab.h"
#include "libnet/libnet_samsync.h"
-#if defined(HAVE_ADS) && defined(ENCTYPE_ARCFOUR_HMAC)
+#if defined(HAVE_ADS)
/****************************************************************
****************************************************************/
@@ -293,7 +296,7 @@ static NTSTATUS close_keytab(TALLOC_CTX *mem_ctx,
return NT_STATUS_NOT_SUPPORTED;
}
-#endif /* defined(HAVE_ADS) && defined(ENCTYPE_ARCFOUR_HMAC) */
+#endif /* defined(HAVE_ADS) */
const struct samsync_ops libnet_samsync_keytab_ops = {
.startup = init_keytab,
diff --git a/source3/libnet/libnet_samsync_keytab.c b/source3/libnet/libnet_samsync_keytab.c.orig
similarity index 99%
copy from source3/libnet/libnet_samsync_keytab.c
copy to source3/libnet/libnet_samsync_keytab.c.orig
index 246bcad..1349223 100644
--- a/source3/libnet/libnet_samsync_keytab.c
+++ b/source3/libnet/libnet_samsync_keytab.c.orig
@@ -19,6 +19,9 @@
*/
#include "includes.h"
+#include "smb_krb5.h"
+#include "ads.h"
+#include "libnet/libnet_keytab.h"
#include "libnet/libnet_samsync.h"
#if defined(HAVE_ADS) && defined(ENCTYPE_ARCFOUR_HMAC)
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index 4eb43cf..344fdac 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -964,9 +964,7 @@ int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
krb5_ccache ccdef = NULL;
krb5_auth_context auth_context = NULL;
krb5_enctype enc_types[] = {
-#ifdef ENCTYPE_ARCFOUR_HMAC
ENCTYPE_ARCFOUR_HMAC,
-#endif
ENCTYPE_DES_CBC_MD5,
ENCTYPE_DES_CBC_CRC,
ENCTYPE_NULL};
--
Samba Shared Repository
More information about the samba-cvs
mailing list