[SCM] Samba Shared Repository - branch v3-5-test updated

Karolin Seeger kseeger at samba.org
Mon Feb 8 08:02:59 MST 2010


The branch, v3-5-test has been updated
       via  1983959... Fix bug #7079 - cliconnect gets realm wrong with trusted domains.
      from  4de319a... s3:libsmb: don't reuse the callers stype variable in cli_NetServerEnum()

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test


- Log -----------------------------------------------------------------
commit 1983959f53ddd601d771b670a19eea4204e16f4b
Author: Jeremy Allison <jra at samba.org>
Date:   Sat Jan 30 19:24:28 2010 -0800

    Fix bug #7079 - cliconnect gets realm wrong with trusted domains.
    
    Passing NULL as dest_realm for cli_session_setup_spnego() was
    always using our own realm (as for a NetBIOS name). Change this
    to look for the mapped realm using krb5_get_host_realm() if
    the destination machine name is a DNS name (contains a '.').
    Could get fancier with DNS name detection (length, etc.) but
    this will do for now.
    
    Jeremy.

-----------------------------------------------------------------------

Summary of changes:
 source3/configure.in        |   15 ++++++++++++
 source3/include/proto.h     |    2 +
 source3/libads/kerberos.c   |   52 +++++++++++++++++++++++++++++++++++++++++++
 source3/libsmb/cliconnect.c |   25 ++++++++++++++++++--
 4 files changed, 91 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/configure.in b/source3/configure.in
index 728e55e..f060a65 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -3607,6 +3607,9 @@ if test x"$with_ads_support" != x"no"; then
   AC_CHECK_FUNC_EXT(krb5_get_creds_opt_set_impersonate, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(krb5_get_creds, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(krb5_get_credentials_for_user, $KRB5_LIBS)
+  AC_CHECK_FUNC_EXT(krb5_get_host_realm, $KRB5_LIBS)
+  AC_CHECK_FUNC_EXT(krb5_free_host_realm, $KRB5_LIBS)
+
   # MIT krb5 1.8 does not expose this call (yet)
   AC_CHECK_DECLS(krb5_get_credentials_for_user, [], [], [#include <krb5.h>])
 
@@ -3949,6 +3952,18 @@ if test x"$with_ads_support" != x"no"; then
                [Whether the WRFILE:-keytab is supported])
   fi
 
+  AC_CACHE_CHECK([for krb5_realm type],
+                samba_cv_HAVE_KRB5_REALM_TYPE,[
+    AC_TRY_COMPILE([#include <krb5.h>],
+      [krb5_realm realm;],
+      samba_cv_HAVE_KRB5_REALM_TYPE=yes,
+      samba_cv_HAVE_KRB5_REALM_TYPE=no)])
+
+  if test x"$samba_cv_HAVE_KRB5_REALM_TYPE" = x"yes"; then
+    AC_DEFINE(HAVE_KRB5_REALM_TYPE,1,
+               [Whether the type krb5_realm exists])
+  fi
+
   AC_CACHE_CHECK([for krb5_princ_realm returns krb5_realm or krb5_data],
                samba_cv_KRB5_PRINC_REALM_RETURNS_REALM,[
     AC_TRY_COMPILE([#include <krb5.h>],
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 32f389d..37e6eb9 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1797,6 +1797,8 @@ char* kerberos_standard_des_salt( void );
 bool kerberos_secrets_store_des_salt( const char* salt );
 char* kerberos_secrets_fetch_des_salt( void );
 char *kerberos_get_default_realm_from_ccache( void );
+char *kerberos_get_realm_from_hostname(const char *hostname);
+
 bool kerberos_secrets_store_salting_principal(const char *service,
 					      int enctype,
 					      const char *principal);
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index af8ea39..7fb4ec3 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -525,6 +525,58 @@ char *kerberos_get_default_realm_from_ccache( void )
 	return realm;
 }
 
+/************************************************************************
+ Routine to get the realm from a given DNS name. Returns malloc'ed memory.
+ Caller must free() if the return value is not NULL.
+************************************************************************/
+
+char *kerberos_get_realm_from_hostname(const char *hostname)
+{
+#if defined(HAVE_KRB5_GET_HOST_REALM) && defined(HAVE_KRB5_FREE_HOST_REALM)
+#if defined(HAVE_KRB5_REALM_TYPE)
+	/* Heimdal. */
+	krb5_realm *realm_list = NULL;
+#else
+	/* MIT */
+	char **realm_list = NULL;
+#endif
+	char *realm = NULL;
+	krb5_error_code kerr;
+	krb5_context ctx = NULL;
+
+	initialize_krb5_error_table();
+	if (krb5_init_context(&ctx)) {
+		return NULL;
+	}
+
+	kerr = krb5_get_host_realm(ctx, hostname, &realm_list);
+	if (kerr != 0) {
+		DEBUG(3,("kerberos_get_realm_from_hostname %s: "
+			"failed %s\n",
+			hostname ? hostname : "(NULL)",
+			error_message(kerr) ));
+		goto out;
+	}
+
+	if (realm_list && realm_list[0]) {
+		realm = SMB_STRDUP(realm_list[0]);
+	}
+
+  out:
+
+	if (ctx) {
+		if (realm_list) {
+			krb5_free_host_realm(ctx, realm_list);
+			realm_list = NULL;
+		}
+		krb5_free_context(ctx);
+		ctx = NULL;
+	}
+	return realm;
+#else
+	return NULL;
+#endif
+}
 
 /************************************************************************
  Routine to get the salting principal for this service.  This is 
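Review bot: The `realm_list[0]` test in kerberos_get_realm_from_hostname() accepts an empty string, and MIT's krb5_get_host_realm() is documented to return a list holding the empty referral realm when it has no mapping for the host, so on MIT builds this function may return a malloc'ed "" instead of NULL. The caller added in cliconnect.c by this commit tests `realm && *realm`, so it appears to cope, but rejecting the empty realm here is safer: `if (realm_list && realm_list[0] && realm_list[0][0] != '\0') {`. The header comment should also say that NULL covers both an error and "no mapping found". It is worth noting there that the realm comes from the local krb5 host-to-realm configuration, which may include DNS answers depending on krb5.conf (for example `dns_lookup_realm`), so it is a hint rather than a verified value. The early `return NULL` when krb5_init_context() fails is silent, unlike the krb5_get_host_realm() failure path, which logs at DEBUG level 3.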
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 6f4ae01..7aa8901 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1074,6 +1074,7 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
 
 			host = strchr_m(cli->desthost, '.');
 			if (host) {
+				/* We had a '.' in the name. */
 				machine = SMB_STRNDUP(cli->desthost,
 					host - cli->desthost);
 			} else {
@@ -1087,11 +1088,29 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
 				realm = SMB_STRDUP(dest_realm);
 				strupper_m(realm);
 			} else {
-				realm = kerberos_get_default_realm_from_ccache();
+				if (host) {
+					/* DNS name. */
+					realm = kerberos_get_realm_from_hostname(cli->desthost);
+				} else {
+					/* NetBIOS name - use our realm. */
+					realm = kerberos_get_default_realm_from_ccache();
+				}
 			}
+
 			if (realm && *realm) {
-				principal = talloc_asprintf(NULL, "%s$@%s",
-							machine, realm);
+				if (host) {
+					/* DNS name. */
+					principal = talloc_asprintf(talloc_tos(),
+							"cifs/%s@%s",
+							cli->desthost,
+							realm);
+				} else {
+					/* NetBIOS name, use machine account. */
+					principal = talloc_asprintf(talloc_tos(),
+							"%s$@%s",
+							machine,
+							realm);
+				}
 				if (!principal) {
 					SAFE_FREE(machine);
 					SAFE_FREE(realm);
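Review bot: Both `if (host)` branches treat any destination name containing a '.' as a DNS name and put `cli->desthost` verbatim into `cifs/%s@%s`, so a trailing dot or different letter case yields a different principal string than the canonical host name would. The commit message already admits the detection is rough; a comment at the first `if (host)` such as `/* host != NULL only means desthost contains a '.', see strchr_m() above */` would make that limit visible in the code. When the host-realm lookup returns NULL for a dotted name, nothing in this hunk falls back to the default realm or logs the failure, so a failed guess is silent unless code outside the hunk reports it. The switch from `talloc_asprintf(NULL, ...)` to `talloc_tos()` changes who owns `principal` and is not mentioned in the commit message. Whether every caller has a talloc stackframe, and whether a later free of `principal` is still correct, cannot be checked here because cli_session_setup_spnego() starts and ends outside the hunk.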


-- 
Samba Shared Repository

