[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Mon Nov 15 17:00:02 MST 2010


The branch, master has been updated
       via  96bdcf7 s4-kdc Don't regenerate the PAC for cross-realm tickets
       via  a32ade6 s4-kdc Don't always regenerate the PAC
       via  4041640 heimdal Fetch the client before the PAC check, but after obtaining krbtgt_out
       via  2b7730d s4-gensec Indicate if GENSEC is in client or server mode in the debug
      from  329f76c s4:heimdal - fix the return code of a non-void function

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 96bdcf7ea9d06e4681af012974458d67d264cfda
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 16 09:33:05 2010 +1100

    s4-kdc Don't regenerate the PAC for cross-realm tickets
    
    We should never get a cross-realm ticket that was not issued by a full
    DC, but if someone claims to have such a thing, reject it rather than
    segfaulting on the NULL client pointer.
    
    Andrew Bartlett
    
    Autobuild-User: Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date: Mon Nov 15 23:59:34 UTC 2010 on sn-devel-104

commit a32ade647db710ed84565891fca3e65dd609f69d
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 16 09:30:55 2010 +1100

    s4-kdc Don't always regenerate the PAC
    
    The PAC was being regenerated on all normal DCs, because they don't
    have a msDS-SecondaryKrbTgtNumber attribute.  Instead we need to check
    if it's set and not equal to our RODC number, allowing RODCs to trust
    the full DCs and itself, but not other RODCs.
    
    Andrew Bartlett

commit 4041640bd6d7f8747c8229b02dbb847056bdaa35
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 16 09:29:18 2010 +1100

    heimdal Fetch the client before the PAC check, but after obtaining krbtgt_out
    
    By fetching the client principal here, after krbtgt_out is known, the
    realm comparison is made against the normalised realm, yet it still
    happens early enough to validate the PAC (and regenerate it if required).
    
    Andrew Bartlett

commit 2b7730d291c49a427135ddf62c3aa2ff4b7997e7
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 16 09:28:21 2010 +1100

    s4-gensec Indicate if GENSEC is in client or server mode in the debug

-----------------------------------------------------------------------

Summary of changes:
 source4/auth/gensec/gensec_gssapi.c |    6 ++-
 source4/heimdal/kdc/krb5tgs.c       |   61 +++++++++++++++++------------------
 source4/kdc/pac-glue.c              |    6 ++-
 source4/kdc/wdc-samba4.c            |    3 ++
 4 files changed, 41 insertions(+), 35 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 1a2e03f..a6d0ef2 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -594,13 +594,15 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 				/* garbage input, possibly from the auto-mech detection */
 				return NT_STATUS_INVALID_PARAMETER;
 			default:
-				DEBUG(1, ("GSS Update(krb5)(%d) Update failed: %s\n", 
+				DEBUG(1, ("GSS %s Update(krb5)(%d) Update failed: %s\n",
+					  gensec_security->gensec_role == GENSEC_CLIENT ? "client" : "server",
 					  gensec_gssapi_state->gss_exchange_count,
 					  gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
 				return nt_status;
 			}
 		} else {
-			DEBUG(1, ("GSS Update(%d) failed: %s\n", 
+			DEBUG(1, ("GSS %s Update(%d) failed: %s\n",
+				  gensec_security->gensec_role == GENSEC_CLIENT ? "client" : "server",
 				  gensec_gssapi_state->gss_exchange_count,
 				  gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
 			return nt_status;
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 9131e5b..26e3936 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -1637,37 +1637,6 @@ server_lookup:
 	goto out;
     }
 
-    ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON,
-			NULL, &clientdb, &client);
-    if(ret == HDB_ERR_NOT_FOUND_HERE) {
-	kdc_log(context, config, 5, "client %s does not have secrets at this KDC, need to proxy", cp);
-	goto out;
-    } else if(ret){
-	const char *krbtgt_realm, *msg;
-
-	/*
-	 * If the client belongs to the same realm as our krbtgt, it
-	 * should exist in the local database.
-	 *
-	 */
-
-	krbtgt_realm =
-	    krb5_principal_get_comp_string(context,
-					   krbtgt->entry.principal, 1);
-
-	if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
-	    if (ret == HDB_ERR_NOENTRY)
-		ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
-	    kdc_log(context, config, 1, "Client no longer in database: %s",
-		    cpn);
-	    goto out;
-	}
-	
-	msg = krb5_get_error_message(context, ret);
-	kdc_log(context, config, 1, "Client not found in database: %s", msg);
-	krb5_free_error_message(context, msg);
-    }
-
     /*
      * Select enctype, return key and kvno.
      */
@@ -1788,6 +1757,36 @@ server_lookup:
 	goto out;
     }
 
+    ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON,
+			NULL, &clientdb, &client);
+    if(ret == HDB_ERR_NOT_FOUND_HERE) {
+	/* This is OK, we are just trying to find out if they have
+	 * been disabled or deleted in the meantime, missing secrets
+	 * is OK */
+    } else if(ret){
+	const char *krbtgt_realm, *msg;
+
+	/*
+	 * If the client belongs to the same realm as our krbtgt, it
+	 * should exist in the local database.
+	 *
+	 */
+
+	krbtgt_realm = krb5_principal_get_realm(context, krbtgt_out->entry.principal);
+
+	if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
+	    if (ret == HDB_ERR_NOENTRY)
+		ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+	    kdc_log(context, config, 1, "Client no longer in database: %s",
+		    cpn);
+	    goto out;
+	}
+
+	msg = krb5_get_error_message(context, ret);
+	kdc_log(context, config, 1, "Client not found in database: %s", msg);
+	krb5_free_error_message(context, msg);
+    }
+
     ret = check_PAC(context, config, cp,
 		    client, server, krbtgt, ekey, &tkey_check->key, &tkey_sign->key,
 		    tgt, &rspac, &signedpath);
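Review bot: In the HDB_ERR_NOT_FOUND_HERE branch ret is left holding that error and nothing resets it, and the tolerated cross-realm path likewise leaves the original HDB error in ret after the "Client not found in database" log. Both only work because the very next statement is `ret = check_PAC(...)`, which overwrites it, so any check on ret inserted between them later would turn these tolerated cases into failures or return a stale error at out; I would make the intent explicit with `ret = 0;` in the NOT_FOUND_HERE branch and after that log. This also replaces the earlier behaviour of returning HDB_ERR_NOT_FOUND_HERE to the caller ("need to proxy"); if the reasoning is that the TGS path does not need the client's secrets, the new comment should say so rather than just "missing secrets is OK". In both tolerated cases check_PAC receives whatever client held before the fetch, presumably NULL if it was initialised that way (not visible here), so every consumer downstream must tolerate a NULL client. The enclosing TGS request handler begins and ends outside the hunk.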
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 33b845d..3c0c504 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -126,9 +126,11 @@ bool samba_krbtgt_was_untrusted_rodc(struct hdb_entry_ex *princ)
 	struct samba_kdc_entry *p = talloc_get_type(princ->ctx, struct samba_kdc_entry);
 	int rodc_krbtgt_number;
 
-	/* The service account may be set not to want the PAC */
+	/* Determine if this was printed by an RODC */
 	rodc_krbtgt_number = ldb_msg_find_attr_as_int(p->msg, "msDS-SecondaryKrbTgtNumber", -1);
-	if (rodc_krbtgt_number != p->kdc_db_ctx->my_krbtgt_number) {
+	if (rodc_krbtgt_number == -1) {
+		return false;
+	} else if (rodc_krbtgt_number != p->kdc_db_ctx->my_krbtgt_number) {
 		return true;
 	}
 
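Review bot: The trust decision on the added lines treats -1 from ldb_msg_find_attr_as_int as "attribute absent", but that default is only returned when the attribute is missing entirely; as far as I recall of ldb's conversion, a present value that does not parse as an integer is not rejected, and a stored "-1" would be indistinguishable from absence. Since this result gates whether a ticket's PAC is trusted as-is or regenerated, I would test presence explicitly with `if (ldb_msg_find_element(p->msg, "msDS-SecondaryKrbTgtNumber") == NULL) { return false; }` and only then compare the parsed number, treating a present-but-unparsable value as untrusted. The replaced comment would also be clearer as `/* A krbtgt with no msDS-SecondaryKrbTgtNumber is the main krbtgt and is trusted; otherwise trust only our own RODC number */`. The function's trailing return lies outside the hunk.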
diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index a648711..fb5816d 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -84,6 +84,9 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, krb5_context context,
 	 * RODC, then we need to regenerate the PAC - we can't trust
 	 * it */
 	if (samba_krbtgt_was_untrusted_rodc(krbtgt)) {
+		if (client == NULL) {
+			return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+		}
 		nt_status = samba_kdc_get_pac_blob(mem_ctx, client, &pac_blob);
 		if (!NT_STATUS_IS_OK(nt_status)) {
 			talloc_free(mem_ctx);
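Review bot: The added early return skips the `talloc_free(mem_ctx)` that the failure branch directly below performs, so if mem_ctx is a context allocated earlier in samba_wdc_reget_pac (its allocation is outside the hunk) this path leaks it on every rejected ticket. Change it to `if (client == NULL) { talloc_free(mem_ctx); return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; }`. A short comment on why NULL is rejected here would help, e.g. `/* the PAC must be rebuilt from the client entry; without one a ticket from an untrusted RODC cannot be re-signed */`. The function's start and end lie outside the hunk.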


-- 
Samba Shared Repository

