[SCM] Samba Shared Repository - branch v3-5-test updated
Karolin Seeger
kseeger at samba.org
Mon Feb 8 08:02:59 MST 2010
The branch, v3-5-test has been updated
via 1983959... Fix bug #7079 - cliconnect gets realm wrong with trusted domains.
from 4de319a... s3:libsmb: don't reuse the callers stype variable in cli_NetServerEnum()
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test
- Log -----------------------------------------------------------------
commit 1983959f53ddd601d771b670a19eea4204e16f4b
Author: Jeremy Allison <jra at samba.org>
Date: Sat Jan 30 19:24:28 2010 -0800
Fix bug #7079 - cliconnect gets realm wrong with trusted domains.
Passing NULL as dest_realm for cli_session_setup_spnego() was
always using our own realm (as for a NetBIOS name). Change this
to look for the mapped realm using krb5_get_host_realm() if
the destination machine name is a DNS name (contains a '.').
Could get fancier with DNS name detection (length, etc.) but
this will do for now.
Jeremy.
-----------------------------------------------------------------------
Summary of changes:
source3/configure.in | 15 ++++++++++++
source3/include/proto.h | 2 +
source3/libads/kerberos.c | 52 +++++++++++++++++++++++++++++++++++++++++++
source3/libsmb/cliconnect.c | 25 ++++++++++++++++++--
4 files changed, 91 insertions(+), 3 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/configure.in b/source3/configure.in
index 728e55e..f060a65 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -3607,6 +3607,9 @@ if test x"$with_ads_support" != x"no"; then
AC_CHECK_FUNC_EXT(krb5_get_creds_opt_set_impersonate, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_get_creds, $KRB5_LIBS)
AC_CHECK_FUNC_EXT(krb5_get_credentials_for_user, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_get_host_realm, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_free_host_realm, $KRB5_LIBS)
+
# MIT krb5 1.8 does not expose this call (yet)
AC_CHECK_DECLS(krb5_get_credentials_for_user, [], [], [#include <krb5.h>])
@@ -3949,6 +3952,18 @@ if test x"$with_ads_support" != x"no"; then
[Whether the WRFILE:-keytab is supported])
fi
+ AC_CACHE_CHECK([for krb5_realm type],
+ samba_cv_HAVE_KRB5_REALM_TYPE,[
+ AC_TRY_COMPILE([#include <krb5.h>],
+ [krb5_realm realm;],
+ samba_cv_HAVE_KRB5_REALM_TYPE=yes,
+ samba_cv_HAVE_KRB5_REALM_TYPE=no)])
+
+ if test x"$samba_cv_HAVE_KRB5_REALM_TYPE" = x"yes"; then
+ AC_DEFINE(HAVE_KRB5_REALM_TYPE,1,
+ [Whether the type krb5_realm exists])
+ fi
+
AC_CACHE_CHECK([for krb5_princ_realm returns krb5_realm or krb5_data],
samba_cv_KRB5_PRINC_REALM_RETURNS_REALM,[
AC_TRY_COMPILE([#include <krb5.h>],
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 32f389d..37e6eb9 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1797,6 +1797,8 @@ char* kerberos_standard_des_salt( void );
bool kerberos_secrets_store_des_salt( const char* salt );
char* kerberos_secrets_fetch_des_salt( void );
char *kerberos_get_default_realm_from_ccache( void );
+char *kerberos_get_realm_from_hostname(const char *hostname);
+
bool kerberos_secrets_store_salting_principal(const char *service,
int enctype,
const char *principal);
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index af8ea39..7fb4ec3 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -525,6 +525,58 @@ char *kerberos_get_default_realm_from_ccache( void )
return realm;
}
+/************************************************************************
+ Routine to get the realm from a given DNS name. Returns malloc'ed memory.
+ Caller must free() if the return value is not NULL.
+************************************************************************/
+
+char *kerberos_get_realm_from_hostname(const char *hostname)
+{
+#if defined(HAVE_KRB5_GET_HOST_REALM) && defined(HAVE_KRB5_FREE_HOST_REALM)
+#if defined(HAVE_KRB5_REALM_TYPE)
+ /* Heimdal. */
+ krb5_realm *realm_list = NULL;
+#else
+ /* MIT */
+ char **realm_list = NULL;
+#endif
+ char *realm = NULL;
+ krb5_error_code kerr;
+ krb5_context ctx = NULL;
+
+ initialize_krb5_error_table();
+ if (krb5_init_context(&ctx)) {
+ return NULL;
+ }
+
+ kerr = krb5_get_host_realm(ctx, hostname, &realm_list);
+ if (kerr != 0) {
+ DEBUG(3,("kerberos_get_realm_from_hostname %s: "
+ "failed %s\n",
+ hostname ? hostname : "(NULL)",
+ error_message(kerr) ));
+ goto out;
+ }
+
+ if (realm_list && realm_list[0]) {
+ realm = SMB_STRDUP(realm_list[0]);
+ }
+
+ out:
+
+ if (ctx) {
+ if (realm_list) {
+ krb5_free_host_realm(ctx, realm_list);
+ realm_list = NULL;
+ }
+ krb5_free_context(ctx);
+ ctx = NULL;
+ }
+ return realm;
+#else
+ return NULL;
+#endif
+}
/************************************************************************
Routine to get the salting principal for this service. This is
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 6f4ae01..7aa8901 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1074,6 +1074,7 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
host = strchr_m(cli->desthost, '.');
if (host) {
+ /* We had a '.' in the name. */
machine = SMB_STRNDUP(cli->desthost,
host - cli->desthost);
} else {
@@ -1087,11 +1088,29 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
realm = SMB_STRDUP(dest_realm);
strupper_m(realm);
} else {
- realm = kerberos_get_default_realm_from_ccache();
+ if (host) {
+ /* DNS name. */
+ realm = kerberos_get_realm_from_hostname(cli->desthost);
+ } else {
+ /* NetBIOS name - use our realm. */
+ realm = kerberos_get_default_realm_from_ccache();
+ }
}
+
if (realm && *realm) {
- principal = talloc_asprintf(NULL, "%s$@%s",
- machine, realm);
+ if (host) {
+ /* DNS name. */
+ principal = talloc_asprintf(talloc_tos(),
+ "cifs/%s@%s",
+ cli->desthost,
+ realm);
+ } else {
+ /* NetBIOS name, use machine account. */
+ principal = talloc_asprintf(talloc_tos(),
+ "%s$@%s",
+ machine,
+ realm);
+ }
if (!principal) {
SAFE_FREE(machine);
SAFE_FREE(realm);
--
Samba Shared Repository
More information about the samba-cvs
mailing list