[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Thu Sep 23 17:25:31 MDT 2010
The branch, master has been updated
via 0bc3e15 selftest Don't run 'speed' tests for very long
via b00dc83 s4-selftest Run slow tests less often
via e823cb8 s4-libnet_join Use header constant for 'all encryption types' in msDS-SupportedEncryptionTypes
via f03913e s4-kerberos Move 'set key into keytab' code out of credentials.
via 062b0eb s4-libnet Remove libnet_samdump_keytab() and net samdump keytab
via f9698cf s4-kerberos Fix kerberos_enctype_bitmap_to_enctypes()
via 964f992 s4:repl_meta_data - also on delete operations the new RDN attribute has to be casefolded correctly
via 30afa65 s4:lazy_commit LDB module - the "show_deleted" control is initialised by the "show_deleted" LDB module
via 29e3806 s4:rootdse LDB module - make use of "dsdb_forest_functional_level"
via 9123bcb s4:ldap.py - add tests for the "dsServiceName", "serverName", "dnsHostName" and "ldapServiceName" rootDSE attributes
via 76c346d s4:provision - rootdse - remove static "ldapServiceName" attribute
via 1d9a348 s4:rootdse LDB module - introduce dynamic "ldapServiceName"
via ccc67a0 s4:provision - rootdse - remove static "dnsHostName" attribute
via 681106a s4:rootdse LDB module - introduce dynamic "dnsHostName" attribute
via 5f60f5e s4:provision - rootdse - remove the static attribute "serverName"
via 5fd7bc8 s4:rootdse LDB module - make "serverName" dynamic
via e446ef1 s4:rootdse LDB module - remove "priv" checks where not needed
via f153569 s4:rootdse LDB module - better that the "edn" control handling is done last
via b6eb1b2 s4:torture/rpc/netlogon.c - remove the dependency on "samdb_server_site_name"
via 65ca9e6 s4:provision.py - support still not fully provisioned trees regarding the rootDSE module
via 439d7ff s4:provision.py - make more use of "names.serverdn" on NTDS settings location
via 679eb33 s4:samldb LDB module - it isn't allowed to create user/computer accounts with a primary group specified
via 2e91399 s4:dsdb/common/util_samr.c - remove the primary group specifications
via c03ec03 s4:ldap.py - test default primary groups on modify operations
via f46c623 s4:samldb LDB module - support the "userAccountControl" -> "primaryGroupID" detection also on modify operations
via 72bb8c3 s4:ldap.py - enhance SAM user/groups behaviour test regarding default primary groups
via 4492d0a libds:flag_mapping.c - support also the default read-only DC primary group
via f45848e s4:python/samba/join.py - add a comment to point out that NCs have to be assigned dynamically
via 8223342 s4:python/samba/join.py - use constant for DC function level
via f84724c s4:rootdse LDB module - make more use of LDB result constants
via 0829845 s4:rootdse LDB module - fix comment typo
via 7a1a0cd s4:password_hash LDB module - don't assign "lp_ctx" twice
via 9ca8214 ldb:ldb_match.c - fix counter variable type
via 0f163eb ldb:ldb_msg_add_linearized_dn - handle NULL DNs
via e59cdaf s4:rootdse LDB module - fix counter types
via 1a1be71 s4:extended_dn_in LDB module - fix a counter type
via 6c349d4 s4:drepl_out_helpers.c - fix a counter type
via 80f3e92 s4:rpc_server/dcerpc_server.c - fix a "const" warning
via ae60328 s4:libcli/resolve/file.c - fix "const" warning
from 8ba3eac s3-waf: remove duplicate CONFIGFILE from dynconfig.py which caused sysconfigdir to be ignored.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 0bc3e159316b437a2ba2253c7b7893a1f3049a0e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Sep 23 17:32:46 2010 +1000
selftest Don't run 'speed' tests for very long
'make test' is too long, and the main thing we need with these
tests is to ensure they don't segfault - there is no need to benchmark
every box in the build farm, and we have no 'fail' metric in any case.
Andrew Bartlett
commit b00dc8399290988dbc8fd3d04fb9654d026d8dd8
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Sep 23 17:11:24 2010 +1000
s4-selftest Run slow tests less often
These tests don't need to be run twice - basic parsing errors that
will show up with the various options will be caught quite well
by other tests.
Andrew Bartlett
commit e823cb8cacd9301609314ed52d2b51856294e58c
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Sep 23 17:02:31 2010 +1000
s4-libnet_join Use header constant for 'all encryption types' in msDS-SupportedEncryptionTypes
commit f03913e2ccfcd75a9d569a5b6e9152b091e0014f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Sep 23 17:01:44 2010 +1000
s4-kerberos Move 'set key into keytab' code out of credentials.
This code never really belonged in the credentials layer, and
is easier done with direct access to the ldb_message that is
in secrets.ldb.
Andrew Bartlett
commit 062b0ebc04406a24c804ffe1d3a95eb0b4500199
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Sep 23 16:54:06 2010 +1000
s4-libnet Remove libnet_samdump_keytab() and net samdump keytab
There is a better implementation of this in Samba3, and this uses
functions in the credentials code that I want to remove.
The same functionality is available by running 'net samsync' and
'net export keytab'. This isn't a DRS-backed utility, it only
used netlogon replication.
Andrew Bartlett
commit f9698cfc970215a77e8ad60afb67f68058093b33
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Sep 23 19:41:20 2010 +1000
s4-kerberos Fix kerberos_enctype_bitmap_to_enctypes()
The previous code never worked
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 964f9927798b884ddde1c78902d6d81a1d93c8d0
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Sun Sep 19 20:34:08 2010 +0200
s4:repl_meta_data - also on delete operations the new RDN attribute has to be casefolded correctly
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 30afa657851ba1785f1ecfb8f684c233b9157cc1
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Sun Sep 19 22:39:44 2010 +0200
s4:lazy_commit LDB module - the "show_deleted" control is initialised by the "show_deleted" LDB module
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 29e3806b0e60df2fbadaae248011db7524a71797
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Fri Sep 17 08:49:07 2010 +0200
s4:rootdse LDB module - make use of "dsdb_forest_functional_level"
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 9123bcbf77260551bd2b97e93445ae0e67ad89a3
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Fri Sep 17 10:47:08 2010 +0200
s4:ldap.py - add tests for the "dsServiceName", "serverName", "dnsHostName" and "ldapServiceName" rootDSE attributes
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 76c346dfc186faf2bc75ecd37b71b182d24e71f4
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Sat Sep 18 21:46:51 2010 +0200
s4:provision - rootdse - remove static "ldapServiceName" attribute
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 1d9a3481446e99911aaa1d55561886f1970db316
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Sat Sep 18 21:44:26 2010 +0200
s4:rootdse LDB module - introduce dynamic "ldapServiceName"
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit ccc67a03d69ed5c3c5c6b8fbed5d9e85ea4fd295
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Sat Sep 18 20:54:33 2010 +0200
s4:provision - rootdse - remove static "dnsHostName" attribute
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 681106af4f34a1b9ef70f7f6cc51216a5f3f4194
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Sat Sep 18 20:50:25 2010 +0200
s4:rootdse LDB module - introduce dynamic "dnsHostName" attribute
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 5f60f5e5e7c973d20962afd9318edb1365530f89
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Wed Sep 15 18:44:00 2010 +0200
s4:provision - rootdse - remove the static attribute "serverName"
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 5fd7bc85640a7a8730daf379bfe314a91a02577f
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Wed Sep 15 18:36:03 2010 +0200
s4:rootdse LDB module - make "serverName" dynamic
This helps to fix bug #7347. "dsServiceName" cannot be made dynamic in such a
simple way since it's already needed at LDB initialisation time.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit e446ef1c3fc3ebcc511caf5d1d94804cfb7a8202
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Thu Sep 16 14:37:11 2010 +0200
s4:rootdse LDB module - remove "priv" checks where not needed
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit f1535694f76afdd1c1d5db4240abe0f94b90f8c5
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Wed Sep 15 18:24:53 2010 +0200
s4:rootdse LDB module - better that the "edn" control handling is done last
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit b6eb1b207222ef776d1e3ec6bdf807dbd1b85911
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Sat Sep 18 20:42:18 2010 +0200
s4:torture/rpc/netlogon.c - remove the dependency on "samdb_server_site_name"
Since this one relies on the right server loadparm context which we aren't able
to provide over torture.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 65ca9e691bb12d37de39e382c897d7b41d846c26
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Thu Sep 16 17:31:56 2010 +0200
s4:provision.py - support still not fully provisioned trees regarding the rootDSE module
We simply override the NTDS settings path manually
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 439d7ff935f845ae381e8650e7e2b80d65e929d2
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Thu Sep 16 16:58:18 2010 +0200
s4:provision.py - make more use of "names.serverdn" on NTDS settings location
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 679eb33e798efbfdaebb9cf0cd3977bb945e8075
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Wed Sep 15 15:19:38 2010 +0200
s4:samldb LDB module - it isn't allowed to create user/computer accounts with a primary group specified
It can only be changed afterwards. We allow a "relax"ed exception for the
provision state since we need this for the guest account.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 2e913994f2455019a3b99cb19df2f319b7218e17
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Wed Sep 15 15:01:00 2010 +0200
s4:dsdb/common/util_samr.c - remove the primary group specifications
Now the primary group detection/change on modify operations also works
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit c03ec03212ff08b56710f1935caa6aa7f6cb529f
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Wed Sep 15 14:57:59 2010 +0200
s4:ldap.py - test default primary groups on modify operations
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit f46c6233e75509736f0c2a1c376ccab5c0f22fd2
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Wed Sep 15 14:13:18 2010 +0200
s4:samldb LDB module - support the "userAccountControl" -> "primaryGroupID" detection also on modify operations
Also requested by MS-SAMR 3.1.1.8.1.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 72bb8c3fb37096ebb3c9bcc23032769c395997f4
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Wed Sep 15 13:49:24 2010 +0200
s4:ldap.py - enhance SAM user/groups behaviour test regarding default primary groups
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 4492d0a6319c4886f508b95a0fbff970c45c682b
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Wed Sep 15 13:36:04 2010 +0200
libds:flag_mapping.c - support also the default read-only DC primary group
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit f45848e33afecc7b0494b554af48a9e8107cb4cf
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Thu Sep 16 23:24:02 2010 +0200
s4:python/samba/join.py - add a comment to point out that NCs have to be assigned dynamically
We could also have DNS partitions (only to make one example).
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 8223342e50247cbfb7d3244cf717944f1d93a676
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Thu Sep 16 23:19:32 2010 +0200
s4:python/samba/join.py - use constant for DC function level
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit f84724cebcb7ac3ea47620854a318a4ac7c23688
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Wed Sep 15 18:21:43 2010 +0200
s4:rootdse LDB module - make more use of LDB result constants
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 08298457d4f0762cd5245a865d9b3a09cd74353e
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Sun Sep 19 09:40:13 2010 +0200
s4:rootdse LDB module - fix comment typo
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 7a1a0cde2e4b3f1ef43de9021dcc1e60da87089b
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Sat Sep 18 10:06:03 2010 +0200
s4:password_hash LDB module - don't assign "lp_ctx" twice
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 9ca8214978246b07326973bc7534682bb27e7084
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Sun Sep 19 13:00:38 2010 +0200
ldb:ldb_match.c - fix counter variable type
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 0f163eb61113424e55887a9d0f2a7a89b109c4d0
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Thu Sep 16 18:08:56 2010 +0200
ldb:ldb_msg_add_linearized_dn - handle NULL DNs
Don't let the routine crash
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit e59cdaf40eba6afbad987bc9de8442a72433a0c9
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Mon Sep 20 09:23:37 2010 +0200
s4:rootdse LDB module - fix counter types
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 1a1be71eb80df3c75ddb61350b45a43c124cf2b3
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Sun Sep 19 17:52:42 2010 +0200
s4:extended_dn_in LDB module - fix a counter type
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 6c349d479f3ec553fcfca1d6c60ad7cbec5d938d
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Thu Sep 16 14:02:21 2010 +0200
s4:drepl_out_helpers.c - fix a counter type
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 80f3e92d0a2f0844de6041a89f3e36769c2803ce
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Thu Sep 16 22:08:10 2010 +0200
s4:rpc_server/dcerpc_server.c - fix a "const" warning
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit ae60328b1c40d1d3c89b822cb0c5c62fde953674
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Thu Sep 16 22:05:48 2010 +0200
s4:libcli/resolve/file.c - fix "const" warning
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
libds/common/flag_mapping.c | 4 +-
selftest/selftest.pl | 2 +
source4/auth/credentials/credentials.h | 4 +-
source4/auth/credentials/credentials_files.c | 14 +-
source4/auth/credentials/credentials_krb5.c | 56 +----
source4/auth/kerberos/kerberos.h | 6 +
source4/auth/kerberos/kerberos_util.c | 367 ++++++++++++++---------
source4/dsdb/common/util_samr.c | 4 -
source4/dsdb/repl/drepl_out_helpers.c | 2 +-
source4/dsdb/samdb/ldb_modules/extended_dn_in.c | 2 +-
source4/dsdb/samdb/ldb_modules/lazy_commit.c | 17 -
source4/dsdb/samdb/ldb_modules/password_hash.c | 4 +-
source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 11 +-
source4/dsdb/samdb/ldb_modules/rootdse.c | 125 +++++---
source4/dsdb/samdb/ldb_modules/samldb.c | 31 +-
source4/dsdb/samdb/ldb_modules/update_keytab.c | 54 ++--
source4/dsdb/tests/python/ldap.py | 162 +++++++++-
source4/lib/ldb/common/ldb_match.c | 2 +-
source4/lib/ldb/common/ldb_msg.c | 10 +-
source4/libcli/resolve/file.c | 2 +-
source4/libnet/config.mk | 2 +-
source4/libnet/libnet_join.c | 7 +-
source4/libnet/libnet_samdump_keytab.c | 131 --------
source4/libnet/wscript_build | 2 +-
source4/param/secrets.c | 25 ++
source4/param/secrets.h | 4 +
source4/rpc_server/dcerpc_server.c | 2 +-
source4/scripting/python/samba/join.py | 4 +-
source4/scripting/python/samba/provision.py | 21 +-
source4/selftest/tests.sh | 28 +-
source4/setup/provision_rootdse_add.ldif | 3 -
source4/torture/rpc/netlogon.c | 59 ++++-
source4/utils/net/net_vampire.c | 52 ----
33 files changed, 650 insertions(+), 569 deletions(-)
delete mode 100644 source4/libnet/libnet_samdump_keytab.c
Changeset truncated at 500 lines:
diff --git a/libds/common/flag_mapping.c b/libds/common/flag_mapping.c
index dfe6199..cf63327 100644
--- a/libds/common/flag_mapping.c
+++ b/libds/common/flag_mapping.c
@@ -153,7 +153,9 @@ uint32_t ds_uf2prim_group_rid(uint32_t uf)
{
uint32_t prim_group_rid = DOMAIN_RID_USERS;
- if (uf & UF_SERVER_TRUST_ACCOUNT) prim_group_rid = DOMAIN_RID_DCS;
+ if ((uf & UF_PARTIAL_SECRETS_ACCOUNT)
+ && (uf & UF_WORKSTATION_TRUST_ACCOUNT)) prim_group_rid = DOMAIN_RID_READONLY_DCS;
+ else if (uf & UF_SERVER_TRUST_ACCOUNT) prim_group_rid = DOMAIN_RID_DCS;
else if (uf & UF_WORKSTATION_TRUST_ACCOUNT) prim_group_rid = DOMAIN_RID_DOMAIN_MEMBERS;
return prim_group_rid;
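Review bot: the new read-only DC branch in ds_uf2prim_group_rid splits its compound condition over two lines with the assignment tacked onto the second, which is easy to misread beside the single-line else-if chain that follows; brace each branch, e.g. `if ((uf & UF_PARTIAL_SECRETS_ACCOUNT) && (uf & UF_WORKSTATION_TRUST_ACCOUNT)) {` / `prim_group_rid = DOMAIN_RID_READONLY_DCS;` / `}`. The ordering itself is correct: the RODC test has to come before the plain UF_WORKSTATION_TRUST_ACCOUNT test, because an RODC carries that bit too.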
diff --git a/selftest/selftest.pl b/selftest/selftest.pl
index 37360b9..254c347 100755
--- a/selftest/selftest.pl
+++ b/selftest/selftest.pl
@@ -593,6 +593,8 @@ sub write_clientconf($$$)
modules dir = $ENV{LD_SAMBA_MODULE_PATH}
setup directory = ./setup
resolv:host file = $prefix_abs/dns_host_file
+#We don't want to run 'speed' tests for very long
+ torture:timelimit = 1
";
close(CF);
}
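Review bot: the comment line `#We don't want to run 'speed' tests for very long` is written verbatim into the generated client configuration but is not indented like the surrounding here-doc lines and has no space after `#`; align it with `torture:timelimit = 1` and say what unit `timelimit` takes so the next reader does not have to look it up. The commit message gives the rationale (no need to benchmark every build-farm box); a one-line version of that in the comment would be enough.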
diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h
index b7a9540..b7023cd 100644
--- a/source4/auth/credentials/credentials.h
+++ b/source4/auth/credentials/credentials.h
@@ -142,6 +142,7 @@ struct cli_credentials {
};
struct ldb_context;
+struct ldb_message;
struct loadparm_context;
struct ccache_container;
@@ -268,9 +269,6 @@ int cli_credentials_set_keytab_name(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
const char *keytab_name,
enum credentials_obtained obtained);
-int cli_credentials_update_keytab(struct cli_credentials *cred,
- struct tevent_context *event_ctx,
- struct loadparm_context *lp_ctx);
void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features);
uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds);
int cli_credentials_set_ccache(struct cli_credentials *cred,
diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c
index 8ad395d..e1990a8 100644
--- a/source4/auth/credentials/credentials_files.c
+++ b/source4/auth/credentials/credentials_files.c
@@ -35,7 +35,6 @@
#include "lib/events/events.h"
#include "dsdb/samdb/samdb.h"
-
/**
* Read a file descriptor, and parse it for a password (eg from a file or stdin)
*
@@ -193,7 +192,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
const char *realm;
enum netr_SchannelType sct;
const char *salt_principal;
- const char *keytab;
+ char *keytab;
const struct ldb_val *whenChanged;
/* ok, we are going to get it now, don't recurse back here */
@@ -310,17 +309,10 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
/* If there was an external keytab specified by reference in
* the LDB, then use this. Otherwise we will make one up
* (chewing CPU time) from the password */
- keytab = ldb_msg_find_attr_as_string(msg, "krb5Keytab", NULL);
+ keytab = keytab_name_from_msg(cred, ldb, msg);
if (keytab) {
cli_credentials_set_keytab_name(cred, event_ctx, lp_ctx, keytab, CRED_SPECIFIED);
- } else {
- keytab = ldb_msg_find_attr_as_string(msg, "privateKeytab", NULL);
- if (keytab) {
- keytab = talloc_asprintf(mem_ctx, "FILE:%s", samdb_relative_path(ldb, mem_ctx, keytab));
- if (keytab) {
- cli_credentials_set_keytab_name(cred, event_ctx, lp_ctx, keytab, CRED_SPECIFIED);
- }
- }
+ talloc_free(keytab);
}
talloc_free(mem_ctx);
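Review bot: in cli_credentials_set_secrets the switch to `keytab = keytab_name_from_msg(cred, ldb, msg)` folds two different outcomes into a single NULL: no krb5Keytab/privateKeytab attribute in the message, and an allocation failure while building the `FILE:` path. The removed code fell through silently in both cases as well, so this is not a regression, but now that the logic lives in a helper it could report a status. `keytab_name_from_msg` is not declared in any hunk visible in this truncated changeset; confirm that credentials_files.c includes the header that declares it (the summary shows source4/param/secrets.h gaining four lines) and that it allocates on `cred`, as the unconditional `talloc_free(keytab)` assumes. The return value of cli_credentials_set_keytab_name is still ignored.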
diff --git a/source4/auth/credentials/credentials_krb5.c b/source4/auth/credentials/credentials_krb5.c
index 4021146..6e11a5f 100644
--- a/source4/auth/credentials/credentials_krb5.c
+++ b/source4/auth/credentials/credentials_krb5.c
@@ -595,7 +595,6 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
krb5_error_code ret;
struct keytab_container *ktc;
struct smb_krb5_context *smb_krb5_context;
- const char **enctype_strings;
TALLOC_CTX *mem_ctx;
if (cred->keytab_obtained >= (MAX(cred->principal_obtained,
@@ -619,11 +618,8 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
return ENOMEM;
}
- enctype_strings = cli_credentials_get_enctype_strings(cred);
-
ret = smb_krb5_create_memory_keytab(mem_ctx, cred,
- smb_krb5_context,
- enctype_strings, &ktc);
+ smb_krb5_context, &ktc);
if (ret) {
talloc_free(mem_ctx);
return ret;
@@ -682,41 +678,6 @@ _PUBLIC_ int cli_credentials_set_keytab_name(struct cli_credentials *cred,
return ret;
}
-_PUBLIC_ int cli_credentials_update_keytab(struct cli_credentials *cred,
- struct tevent_context *event_ctx,
- struct loadparm_context *lp_ctx)
-{
- krb5_error_code ret;
- struct keytab_container *ktc;
- struct smb_krb5_context *smb_krb5_context;
- const char **enctype_strings;
- TALLOC_CTX *mem_ctx;
-
- mem_ctx = talloc_new(cred);
- if (!mem_ctx) {
- return ENOMEM;
- }
-
- ret = cli_credentials_get_krb5_context(cred, event_ctx, lp_ctx, &smb_krb5_context);
- if (ret) {
- talloc_free(mem_ctx);
- return ret;
- }
-
- enctype_strings = cli_credentials_get_enctype_strings(cred);
-
- ret = cli_credentials_get_keytab(cred, event_ctx, lp_ctx, &ktc);
- if (ret != 0) {
- talloc_free(mem_ctx);
- return ret;
- }
-
- ret = smb_krb5_update_keytab(mem_ctx, cred, smb_krb5_context, enctype_strings, ktc);
-
- talloc_free(mem_ctx);
- return ret;
-}
-
/* Get server gss credentials (in gsskrb5, this means the keytab) */
_PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
@@ -810,21 +771,6 @@ _PUBLIC_ int cli_credentials_get_kvno(struct cli_credentials *cred)
}
-const char **cli_credentials_get_enctype_strings(struct cli_credentials *cred)
-{
- /* If this is ever made user-configurable, we need to add code
- * to remove/hide the other entries from the generated
- * keytab */
- static const char *default_enctypes[] = {
- "des-cbc-md5",
- "aes256-cts-hmac-sha1-96",
- "des3-cbc-sha1",
- "arcfour-hmac-md5",
- NULL
- };
- return default_enctypes;
-}
-
const char *cli_credentials_get_salt_principal(struct cli_credentials *cred)
{
return cred->salt_principal;
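Review bot: removing cli_credentials_get_enctype_strings also removes the comment warning that, should the enctype set ever become user-configurable, entries for the other types must be removed or hidden from the generated keytab; that caveat should move with the logic to wherever the msDS-SupportedEncryptionTypes bitmap is now expanded into an enctype list (kerberos_util.c, per the summary). For whoever reviews the replacement default constant (commit e823cb8): the old hard-coded list was des-cbc-md5, aes256-cts-hmac-sha1-96, des3-cbc-sha1 and arcfour-hmac-md5, so check that the new default neither silently widens nor narrows that set.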
diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h
index b58014f..091242d 100644
--- a/source4/auth/kerberos/kerberos.h
+++ b/source4/auth/kerberos/kerberos.h
@@ -142,9 +142,15 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
time_t tgs_authtime,
DATA_BLOB *pac);
struct loadparm_context;
+struct ldb_message;
+struct ldb_context;
uint32_t kerberos_enctype_to_bitmap(krb5_enctype enc_type_enum);
/* Translate between the Microsoft msDS-SupportedEncryptionTypes values and the IETF encryption type values */
krb5_enctype kerberos_enctype_bitmap_to_enctype(uint32_t enctype_bitmap);
+krb5_error_code smb_krb5_update_keytab(struct smb_krb5_context *smb_krb5_context,
+ struct ldb_context *ldb,
+ struct ldb_message *msg,
+ bool delete_all_kvno);
#include "auth/kerberos/proto.h"
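Review bot: the new smb_krb5_update_keytab prototype carries no doc comment, and the only comment in this block (`Translate between the Microsoft msDS-SupportedEncryptionTypes values ...`) now sits between two declarations it could plausibly describe. Add a short comment above smb_krb5_update_keytab stating which attributes `msg` must carry (the secrets.ldb record: samAccountName or servicePrincipalName, realm, saltPrincipal, as read in kerberos_util.c) and what `delete_all_kvno` does, since its semantics are not visible from the name alone.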
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index 8b533f6..dbe8c83 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -27,6 +27,8 @@
#include "auth/credentials/credentials_proto.h"
#include "auth/credentials/credentials_krb5.h"
#include "auth/kerberos/kerberos_credentials.h"
+#include "ldb.h"
+#include "param/secrets.h"
struct principal_container {
struct smb_krb5_context *smb_krb5_context;
@@ -77,51 +79,158 @@ static krb5_error_code parse_principal(TALLOC_CTX *parent_ctx,
return 0;
}
-static krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx,
- struct cli_credentials *machine_account,
- struct smb_krb5_context *smb_krb5_context,
- krb5_principal *salt_princ)
+static krb5_error_code principal_from_msg(TALLOC_CTX *parent_ctx,
+ struct ldb_message *msg,
+ struct smb_krb5_context *smb_krb5_context,
+ krb5_principal *principal,
+ char **_princ_string,
+ const char **error_string)
{
krb5_error_code ret;
- char *machine_username;
- char *salt_body;
- char *lower_realm;
- const char *salt_principal;
- const char *error_string;
+ char *upper_realm;
+ const char *servicePrincipalName = ldb_msg_find_attr_as_string(msg, "servicePrincipalName", NULL);
+ const char *realm = ldb_msg_find_attr_as_string(msg, "realm", NULL);
+ const char *samAccountName = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL);
struct principal_container *mem_ctx = talloc(parent_ctx, struct principal_container);
+ TALLOC_CTX *tmp_ctx;
+ char *princ_string;
if (!mem_ctx) {
+ *error_string = "Cannot allocate mem_ctx";
return ENOMEM;
}
- salt_principal = cli_credentials_get_salt_principal(machine_account);
- if (salt_principal) {
- ret = parse_principal(parent_ctx, salt_principal, smb_krb5_context, salt_princ, &error_string);
+ tmp_ctx = talloc_new(mem_ctx);
+ if (!tmp_ctx) {
+ talloc_free(mem_ctx);
+ *error_string = "Cannot allocate tmp_ctx";
+ return ENOMEM;
+ }
+
+ if (!realm) {
+ *error_string = "Cannot have a kerberos secret in secrets.ldb without a realm";
+ return EINVAL;
+ }
+
+ upper_realm = strupper_talloc(tmp_ctx, realm);
+ if (!upper_realm) {
+ talloc_free(mem_ctx);
+ *error_string = "Cannot allocate full upper case realm";
+ return ENOMEM;
+ }
+
+ if (samAccountName) {
+ princ_string = talloc_asprintf(parent_ctx, "%s@%s", samAccountName, upper_realm);
+ if (!princ_string) {
+ *error_string = "Cannot allocate full samAccountName";
+ return ENOMEM;
+ }
+
+ ret = krb5_make_principal(smb_krb5_context->krb5_context, principal, upper_realm, samAccountName,
+ NULL);
+ } else if (servicePrincipalName) {
+ princ_string = talloc_asprintf(parent_ctx, "%s@%s", servicePrincipalName, upper_realm);
+ if (!princ_string) {
+ *error_string = "Cannot allocate full servicePrincipalName";
+ return ENOMEM;
+ }
+
+ ret = krb5_parse_name(smb_krb5_context->krb5_context, princ_string, principal);
+ } else {
+ *error_string = "Cannot have a kerberos secret without a samAccountName or servicePrinipcalName!";
+ return EINVAL;
+ }
+
+ if (ret == 0) {
+ /* This song-and-dance effectivly puts the principal
+ * into talloc, so we can't loose it. */
+ mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context);
+ mem_ctx->principal = *principal;
+ talloc_set_destructor(mem_ctx, free_principal);
+ if (_princ_string) {
+ *_princ_string = princ_string;
+ }
} else {
- machine_username = talloc_strdup(mem_ctx, cli_credentials_get_username(machine_account));
+ (*error_string) = smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, parent_ctx);
+ }
+
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static krb5_error_code salt_principal_from_msg(TALLOC_CTX *parent_ctx,
+ struct ldb_message *msg,
+ struct smb_krb5_context *smb_krb5_context,
+ krb5_principal *salt_princ,
+ const char **error_string)
+{
+ const char *salt_principal = ldb_msg_find_attr_as_string(msg, "saltPrincipal", NULL);
+ const char *samAccountName = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL);
+ const char *realm = ldb_msg_find_attr_as_string(msg, "realm", NULL);
+ if (salt_principal) {
+ return parse_principal(parent_ctx, salt_principal, smb_krb5_context, salt_princ, error_string);
+ } else if (samAccountName) {
+ krb5_error_code ret;
+ char *machine_username;
+ char *salt_body;
+ char *lower_realm;
+ char *upper_realm;
+
+ TALLOC_CTX *tmp_ctx;
+ struct principal_container *mem_ctx = talloc(parent_ctx, struct principal_container);
+ if (!mem_ctx) {
+ *error_string = "Cannot allocate mem_ctx";
+ return ENOMEM;
+ }
+
+ tmp_ctx = talloc_new(mem_ctx);
+ if (!tmp_ctx) {
+ talloc_free(mem_ctx);
+ *error_string = "Cannot allocate tmp_ctx";
+ return ENOMEM;
+ }
+
+ if (!realm) {
+ *error_string = "Cannot have a kerberos secret in secrets.ldb without a realm";
+ return EINVAL;
+ }
+ machine_username = talloc_strdup(tmp_ctx, samAccountName);
if (!machine_username) {
talloc_free(mem_ctx);
+ *error_string = "Cannot duplicate samAccountName";
return ENOMEM;
}
if (machine_username[strlen(machine_username)-1] == '$') {
machine_username[strlen(machine_username)-1] = '\0';
}
- lower_realm = strlower_talloc(mem_ctx, cli_credentials_get_realm(machine_account));
+
+ lower_realm = strlower_talloc(tmp_ctx, realm);
if (!lower_realm) {
talloc_free(mem_ctx);
+ *error_string = "Cannot allocate to lower case realm";
+ return ENOMEM;
+ }
+
+ upper_realm = strupper_talloc(tmp_ctx, realm);
+ if (!upper_realm) {
+ talloc_free(mem_ctx);
+ *error_string = "Cannot allocate to upper case realm";
return ENOMEM;
}
- salt_body = talloc_asprintf(mem_ctx, "%s.%s", machine_username,
+ salt_body = talloc_asprintf(tmp_ctx, "%s.%s", machine_username,
lower_realm);
+ talloc_free(lower_realm);
+ talloc_free(machine_username);
if (!salt_body) {
talloc_free(mem_ctx);
- return ENOMEM;
+ *error_string = "Cannot form salt principal body";
+ return ENOMEM;
}
ret = krb5_make_principal(smb_krb5_context->krb5_context, salt_princ,
- cli_credentials_get_realm(machine_account),
+ upper_realm,
"host", salt_body, NULL);
if (ret == 0) {
/* This song-and-dance effectivly puts the principal
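Review bot: several early returns in principal_from_msg leak the freshly allocated `mem_ctx`: the `if (!realm)` branch, both `if (!princ_string)` branches and the final `else` that returns EINVAL all return without `talloc_free(mem_ctx)`, unlike the `!tmp_ctx` and `!upper_realm` branches right next to them. `princ_string` is allocated on parent_ctx rather than tmp_ctx, so it is left behind on the krb5 error path and also on success when `_princ_string` is NULL; allocate it on tmp_ctx and `talloc_steal(parent_ctx, princ_string)` only when the caller asked for it. The same unfreed `if (!realm)` return appears in salt_principal_from_msg, which also repeats the realm/upper-case handling of principal_from_msg and would shrink with a small shared helper. Typos in the new text: `servicePrinipcalName` in the EINVAL message, and `effectivly`/`loose` in the copied comment.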
@@ -129,10 +238,15 @@ static krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx,
mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context);
mem_ctx->principal = *salt_princ;
talloc_set_destructor(mem_ctx, free_principal);
+ } else {
+ (*error_string) = smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, parent_ctx);
+ talloc_free(tmp_ctx);
}
+ return ret;
+ } else {
+ /* Catch the servicePrincipalName case */
+ return principal_from_msg(parent_ctx, msg, smb_krb5_context, salt_princ, NULL, error_string);
}
-
- return ret;
}
/* Obtain the principal set on this context. Requires a
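Review bot: at the tail of salt_principal_from_msg, `tmp_ctx` is freed only on the krb5_make_principal failure path; on success `salt_body` and `upper_realm` stay attached to `mem_ctx` for the whole lifetime of the principal even though krb5_make_principal has already copied them, so move `talloc_free(tmp_ctx)` after the if/else. Conversely, on failure `mem_ctx` (no destructor set yet) is left dangling on parent_ctx; free it there, as the other error paths in this function do.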
@@ -140,7 +254,7 @@ static krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx,
* the library routines. The returned princ is placed in the talloc
* system by means of a destructor (do *not* free). */
- krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx,
+krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx,
struct cli_credentials *credentials,
struct smb_krb5_context *smb_krb5_context,
krb5_principal *princ,
@@ -371,7 +485,7 @@ static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx,
int kvno,
const char *password_s,
struct smb_krb5_context *smb_krb5_context,
- const char **enctype_strings,
+ krb5_enctype *enctypes,
krb5_keytab keytab)
{
int i;
@@ -385,20 +499,10 @@ static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx,
password.data = discard_const_p(char *, password_s);
password.length = strlen(password_s);
- for (i=0; enctype_strings[i]; i++) {
+ for (i=0; enctypes[i]; i++) {
krb5_keytab_entry entry;
- krb5_enctype enctype;
- ret = krb5_string_to_enctype(smb_krb5_context->krb5_context, enctype_strings[i], &enctype);
- if (ret != 0) {
- DEBUG(1, ("Failed to interpret %s as a krb5 encryption type: %s\n",
- enctype_strings[i],
- smb_get_krb5_error_message(smb_krb5_context->krb5_context,
- ret, mem_ctx)));
- talloc_free(mem_ctx);
- return ret;
- }
ret = create_kerberos_key_from_string(smb_krb5_context->krb5_context,
- salt_princ, &password, &entry.keyblock, enctype);
+ salt_princ, &password, &entry.keyblock, enctypes[i]);
if (ret != 0) {
talloc_free(mem_ctx);
return ret;
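Review bot: the loop `for (i=0; enctypes[i]; i++)` depends on the `enctypes` array being terminated by a 0 entry, a contract the old NULL-terminated string list made explicit but the new `krb5_enctype *enctypes` parameter does not; document it at the parameter or pass a count. Since create_keytab now derives this list from a uint32_t bitmap, also check what happens when the bitmap expands to no enctypes: as written, the loop adds nothing and the function returns without any diagnostic, so the caller would get a keytab with no keys for that principal.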
@@ -408,8 +512,8 @@ static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx,
entry.vno = kvno;
ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, keytab, &entry);
if (ret != 0) {
- DEBUG(1, ("Failed to add %s entry for %s(kvno %d) to keytab: %s\n",
- enctype_strings[i],
+ DEBUG(1, ("Failed to add enctype %d entry for %s(kvno %d) to keytab: %s\n",
+ (int)enctypes[i],
princ_string,
kvno,
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
@@ -419,9 +523,9 @@ static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx,
return ret;
}
- DEBUG(5, ("Added %s(kvno %d) to keytab (%s)\n",
+ DEBUG(5, ("Added %s(kvno %d) to keytab (enctype %d)\n",
princ_string, kvno,
- enctype_strings[i]));
+ (int)enctypes[i]));
krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
}
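Review bot: the DEBUG messages now print the raw enctype number (`enctype %d`) where they used to print its name, which makes level-1 log lines harder for an operator to read; Heimdal's krb5_enctype_to_string (free the returned string afterwards) would keep the old readability at little cost. Minor.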
@@ -430,110 +534,65 @@ static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx,
}
static krb5_error_code create_keytab(TALLOC_CTX *parent_ctx,
- struct cli_credentials *machine_account,
- struct smb_krb5_context *smb_krb5_context,
- const char **enctype_strings,
- krb5_keytab keytab,
- bool add_old)
+ struct ldb_message *msg,
+ struct smb_krb5_context *smb_krb5_context,
+ krb5_keytab keytab,
+ bool add_old)
{
krb5_error_code ret;
const char *password_s;
const char *old_secret;
int kvno;
+ uint32_t enctype_bitmap;
krb5_principal salt_princ;
krb5_principal princ;
- const char *princ_string;
+ char *princ_string;
+ krb5_enctype *enctypes;
const char *error_string;
- enum credentials_obtained obtained;
TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
if (!mem_ctx) {
--
Samba Shared Repository