[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Mon Nov 15 01:48:01 MST 2010


The branch, master has been updated
       via  1e29ee3 heimdal Fix handling of backwards cross-realm detection for Samba4
       via  6358303 s4-kdc Fix realm handling in our KDC
      from  1409c97 s4: Build ldap and samba3_smb services as shared modules.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 1e29ee3a70151ca830f5523834d1f669fd8d0a82
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Nov 15 18:43:51 2010 +1100

    heimdal Fix handling of backwards cross-realm detection for Samba4
    
    Samba4 may modify the case of the realm in a returned entry, but will no longer modify the case of the principal components.
    
    The easy way to keep this test passing is to consider also what we
    need to do to get the krbtgt account for the PAC signing - and to use
    the krbtgt/<this>@REALM component to fetch the real krbtgt, and to use
    that result for the realm comparison.
    
    Andrew Bartlett
    
    Autobuild-User: Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date: Mon Nov 15 08:47:44 UTC 2010 on sn-devel-104

commit 63583037842417f117f8f3db8f576e1e83d42522
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Nov 15 13:30:03 2010 +1100

    s4-kdc Fix realm handling in our KDC
    
    We should reset the realm part of the principal, but not the lowercase
    realm embedded in the 'krbtgt/realm@REALM' principal name.
    
    Andrew Bartlett

-----------------------------------------------------------------------

Summary of changes:
 source4/heimdal/kdc/krb5tgs.c |   66 +++++++++++++++++++++++++++++-----------
 source4/kdc/db-glue.c         |   44 ++++-----------------------
 2 files changed, 54 insertions(+), 56 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 60fb4dc..9131e5b 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -1465,6 +1465,7 @@ tgs_build_reply(krb5_context context,
     krb5_error_code ret;
     krb5_principal cp = NULL, sp = NULL;
     krb5_principal client_principal = NULL;
+    krb5_principal krbtgt_principal = NULL;
     char *spn = NULL, *cpn = NULL;
     hdb_entry_ex *server = NULL, *client = NULL, *s4u2self_impersonated_client = NULL;
     HDB *clientdb, *s4u2self_impersonated_clientdb;
@@ -1715,21 +1716,6 @@ server_lookup:
      * backward.
      */
 
-    if (strcmp(krb5_principal_get_realm(context, server->entry.principal),
-	       krb5_principal_get_comp_string(context,
-					      krbtgt->entry.principal,
-					      1)) != 0) {
-	char *tpn;
-	ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn);
-	kdc_log(context, config, 0,
-		"Request with wrong krbtgt: %s",
-		(ret == 0) ? tpn : "<unknown>");
-	if(ret == 0)
-	    free(tpn);
-	ret = KRB5KRB_AP_ERR_NOT_US;
-	goto out;
-    }
-
     /*
      * Validate authoriation data
      */
@@ -1742,14 +1728,58 @@ server_lookup:
 	goto out;
     }
 
-    /* Now refetch the krbtgt, but get the current kvno (the sign check may have been on an old kvno) */
-    ret = _kdc_db_fetch(context, config, krbtgt->entry.principal, HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
+    /* Now refetch the primary krbtgt, and get the current kvno (the
+     * sign check may have been on an old kvno, and the server may
+     * have been an incoming trust) */
+    ret = krb5_make_principal(context, &krbtgt_principal, 
+			      krb5_principal_get_comp_string(context,
+							     krbtgt->entry.principal,
+							     1),
+			      KRB5_TGS_NAME, 
+			      krb5_principal_get_comp_string(context,
+							     krbtgt->entry.principal,
+							     1), NULL);
+    if(ret) {
+	kdc_log(context, config, 0,
+		    "Failed to generate krbtgt principal");
+	goto out;
+    }
+
+    ret = _kdc_db_fetch(context, config, krbtgt_principal, HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
+    krb5_free_principal(context, krbtgt_principal);
     if (ret) {
+	krb5_error_code ret2;
+	char *tpn, *tpn2;
+	ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn);
+	ret2 = krb5_unparse_name(context, krbtgt->entry.principal, &tpn2);
 	kdc_log(context, config, 0,
-		    "Failed to find krbtgt in DB for krbtgt PAC signature");
+		"Request with wrong krbtgt: %s, %s not found in our database",
+		(ret == 0) ? tpn : "<unknown>", (ret2 == 0) ? tpn2 : "<unknown>");
+	if(ret == 0)
+	    free(tpn);
+	if(ret2 == 0)
+	    free(tpn2);
+	ret = KRB5KRB_AP_ERR_NOT_US;
 	goto out;
     }
 
+    /* The first realm is the realm of the service, the second is
+     * krbtgt/<this>/@REALM component of the krbtgt DN the request was
+     * encrypted to.  The redirection via the krbtgt_out entry allows
+     * the DB to possibly correct the case of the realm (Samba4 does
+     * this) before the strcmp() */
+    if (strcmp(krb5_principal_get_realm(context, server->entry.principal),
+	       krb5_principal_get_realm(context, krbtgt_out->entry.principal)) != 0) {
+	char *tpn;
+	ret = krb5_unparse_name(context, krbtgt_out->entry.principal, &tpn);
+	kdc_log(context, config, 0,
+		"Request with wrong krbtgt: %s",
+		(ret == 0) ? tpn : "<unknown>");
+	if(ret == 0)
+	    free(tpn);
+	ret = KRB5KRB_AP_ERR_NOT_US;
+    }
+
     ret = hdb_enctype2key(context, &krbtgt_out->entry,
 			  krbtgt_etype, &tkey_sign);
     if(ret) {
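Review bot: The realm-mismatch check built on `strcmp()` of `server->entry.principal` against `krbtgt_out->entry.principal` sets `ret = KRB5KRB_AP_ERR_NOT_US` but never leaves the function: the removed version of this check ended with `goto out;`, whereas the new block falls straight into `hdb_enctype2key()`, whose return value overwrites `ret`, so a TGS request presented under a krbtgt for the wrong realm is logged as "Request with wrong krbtgt" and processing then continues as if it had passed. Add `goto out;` directly after `ret = KRB5KRB_AP_ERR_NOT_US;` in that block. Separately, in the fetch-failure path `tpn` and `tpn2` both unparse `krbtgt->entry.principal`, so the "%s, %s not found in our database" message prints the same name twice; the constructed name is evidently what was meant, but `krbtgt_principal` has already been released by the `krb5_free_principal()` placed immediately after `_kdc_db_fetch()`. Move that free below the `if (ret)` block and use `ret2 = krb5_unparse_name(context, krbtgt_principal, &tpn2);` for the second name. tgs_build_reply begins and ends outside this hunk.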
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index eaa97e3..1dec6a5 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -553,7 +553,6 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 	unsigned int i;
 	krb5_error_code ret = 0;
 	krb5_boolean is_computer = FALSE;
-	char *realm = strupper_talloc(mem_ctx, lpcfg_realm(lp_ctx));
 
 	struct samba_kdc_entry *p;
 	NTTIME acct_expiry;
@@ -585,12 +584,6 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 
 	memset(entry_ex, 0, sizeof(*entry_ex));
 
-	if (!realm) {
-		ret = ENOMEM;
-		krb5_set_error_message(context, ret, "talloc_strdup: out of memory");
-		goto out;
-	}
-
 	p = talloc(mem_ctx, struct samba_kdc_entry);
 	if (!p) {
 		ret = ENOMEM;
@@ -618,7 +611,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 
 	entry_ex->entry.principal = malloc(sizeof(*(entry_ex->entry.principal)));
 	if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) {
-		krb5_make_principal(context, &entry_ex->entry.principal, realm, samAccountName, NULL);
+		krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
 	} else {
 		ret = copy_Principal(principal, entry_ex->entry.principal);
 		if (ret) {
@@ -633,7 +626,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 		 * we determine from our records */
 
 		/* this has to be with malloc() */
-		krb5_principal_set_realm(context, entry_ex->entry.principal, realm);
+		krb5_principal_set_realm(context, entry_ex->entry.principal, lpcfg_realm(lp_ctx));
 	}
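Review bot: The return value of `krb5_make_principal()` on the `SAMBA_KDC_ENT_TYPE_ANY` branch is still discarded after the switch to `lpcfg_realm(lp_ctx)`, so an allocation failure inside it is never reported and the function carries on with whatever the call left in `entry_ex->entry.principal`, while the `copy_Principal()` branch just below does check `ret`. Suggest `ret = krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);` followed by `if (ret) goto out;`, mirroring that branch; note the `malloc()` on the preceding context line is also overwritten by this call on the ANY path, a pre-existing leak. The old code additionally rejected a NULL realm before any use; `lpcfg_realm()` is now passed straight through in four places, which is fine only if it cannot return NULL in a running KDC — presumably it is always configured here, but worth confirming, and `krb5_principal_set_realm()` is likewise unchecked. samba_kdc_message2entry starts and ends outside the hunk.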
 
 	/* First try and figure out the flags based on the userAccountControl */
@@ -662,7 +655,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 		/* use 'kadmin' for now (needed by mit_samba) */
 		krb5_make_principal(context,
 				    &entry_ex->entry.created_by.principal,
-				    realm, "kadmin", NULL);
+				    lpcfg_realm(lp_ctx), "kadmin", NULL);
 
 		entry_ex->entry.modified_by = (Event *) malloc(sizeof(Event));
 		if (entry_ex->entry.modified_by == NULL) {
@@ -676,7 +669,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 		/* use 'kadmin' for now (needed by mit_samba) */
 		krb5_make_principal(context,
 				    &entry_ex->entry.modified_by->principal,
-				    realm, "kadmin", NULL);
+				    lpcfg_realm(lp_ctx), "kadmin", NULL);
 	}
 
 
@@ -826,7 +819,7 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 {
 	struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
 	const char *dnsdomain;
-	char *realm = strupper_talloc(mem_ctx, lpcfg_realm(lp_ctx));
+	const char *realm = lpcfg_realm(lp_ctx);
 	DATA_BLOB password_utf16;
 	struct samr_Password password_hash;
 	const struct ldb_val *password_val;
@@ -872,7 +865,6 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 	} else { /* OUTBOUND */
 		dnsdomain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
 		/* replace realm */
-		talloc_free(realm);
 		realm = strupper_talloc(mem_ctx, dnsdomain);
 		password_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
 	}
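Review bot: In the OUTBOUND branch `realm = strupper_talloc(mem_ctx, dnsdomain)` is assigned without a NULL check visible in the hunk, and `dnsdomain` comes from `ldb_msg_find_attr_as_string(msg, "trustPartner", NULL)`, so a trust object lacking that attribute hands a NULL string to the upper-casing call. If nothing further down checks `realm` (the rest of samba_kdc_trust_message2entry is outside the hunk), add a check after the assignment such as `if (!realm) { ret = ENOMEM; krb5_set_error_message(context, ret, "strupper_talloc: out of memory"); goto out; }` and reject a NULL `dnsdomain` before it. Dropping `talloc_free(realm)` is right now that the inbound value is owned by loadparm rather than `mem_ctx`, but `realm` then holds loadparm-owned memory on one path and a `mem_ctx` allocation on the other; a one-line comment at the `const char *realm = lpcfg_realm(lp_ctx);` declaration noting that the outbound case replaces it with a `mem_ctx` copy would spare the next reader from freeing it.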
@@ -1100,7 +1092,6 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
 	struct ldb_message *msg = NULL;
 	struct ldb_dn *realm_dn = ldb_get_default_basedn(kdc_db_ctx->samdb);
 
-	krb5_principal alloc_principal = NULL;
 	if (principal->name.name_string.len != 2
 	    || (strcmp(principal->name.name_string.val[0], KRB5_TGS_NAME) != 0)) {
 		/* Not a krbtgt */
@@ -1117,7 +1108,6 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
  		 * krbtgt */
 
 		int lret;
-		char *realm_fixed;
 
 		if (krbtgt_number == kdc_db_ctx->my_krbtgt_number) {
 			lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx,
@@ -1151,28 +1141,6 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
 			return HDB_ERR_NOENTRY;
 		}
 
-		realm_fixed = strupper_talloc(mem_ctx, lpcfg_realm(lp_ctx));
- 		if (!realm_fixed) {
-			ret = ENOMEM;
- 			krb5_set_error_message(context, ret, "strupper_talloc: out of memory");
- 			return ret;
- 		}
-
- 		ret = krb5_copy_principal(context, principal, &alloc_principal);
- 		if (ret) {
- 			return ret;
- 		}
-
- 		free(alloc_principal->name.name_string.val[1]);
-		alloc_principal->name.name_string.val[1] = strdup(realm_fixed);
- 		talloc_free(realm_fixed);
- 		if (!alloc_principal->name.name_string.val[1]) {
-			ret = ENOMEM;
- 			krb5_set_error_message(context, ret, "samba_kdc_fetch: strdup() failed!");
- 			return ret;
- 		}
- 		principal = alloc_principal;
-
 		ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
 					principal, SAMBA_KDC_ENT_TYPE_KRBTGT,
 					realm_dn, msg, entry_ex);
@@ -1235,7 +1203,6 @@ static krb5_error_code samba_kdc_lookup_server(krb5_context context,
 						struct ldb_message **msg)
 {
 	krb5_error_code ret;
-	const char *realm;
 	if (principal->name.name_string.len >= 2) {
 		/* 'normal server' case */
 		int ldb_ret;
@@ -1274,6 +1241,7 @@ static krb5_error_code samba_kdc_lookup_server(krb5_context context,
 		int lret;
 		char *filter = NULL;
 		char *short_princ;
+		const char *realm;
 		/* server as client principal case, but we must not lookup userPrincipalNames */
 		*realm_dn = ldb_get_default_basedn(kdc_db_ctx->samdb);
 		realm = krb5_principal_get_realm(context, principal);

