[SCM] Samba Shared Repository - branch master updated

Andrew Tridgell tridge at samba.org
Tue Sep 28 13:31:01 MDT 2010


The branch, master has been updated
       via  e257e7a autobuild: use git notes for autobuild messages
       via  00611cb selftest: enable FAIL_IMMEDIATELY in autobuild make test
       via  f4177b6 s4-drs: added support for DRSUAPI_EXOP_REPL_OBJ
       via  491e89f ldb-tdb: ignore failure to register control on rootdse
       via  9aa07e7 s4-drs: use drs_ObjectIdentifier_*() calls in getncchanges
       via  d4939ce s4-drs: moved the drs_ObjectIdentifier handling to dsdb_dn.c
       via  cd3eddb waf: we don't need the preprocessor recursion limit any more
       via  8045b35 s4-drs: Added check for drs-manage-topology to updateRefs.
       via  440cee4 s4-drs: Added drs_security_access_check function
       via  6caa512 s4-dsdb: adapted check_access_on_dn for use in drs.
       via  4be2696 heimdal Fix DNS name qualification to not mangle IP addresses
       via  89ee9e6 s4-kdc Handle the case where we may be given a ticket from an RODC in db layer
       via  9d33929 heimdal Add an error code for use in the RODC
       via  9b5e304 heimdal Add support for extracting a particular KVNO from the database
       via  3021af2 s4-kdc Add common setup, handle RODC setup case
       via  88abf44 s4-dsdb Add ldb_reset_err_string() when we set error codes.
       via  063b612 s4-dsdb Make samdb_reference_dn() use dsdb_search() and DSDB_SEARCH_ONE_ONLY
       via  990720b s4-kdc Add function to determine if a hdb entry is a RODC
       via  85f7bce s4-kdc Use msDS-SecondaryKrbTgtNumber to fill in the full KVNO
       via  8b57482 s4-dsdb Fix segfault in error case in rootdse module
       via  6bab5c0 Make upgrade procedure more explicit.
      from  9d3046f s3-waf: add AUTH_SCRIPT module to AUTH subsystem (which is build as shared module by default).

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit e257e7a40b0d7d22c3aff2d1f15bb350775dbff3
Author: Andrew Tridgell <tridge at samba.org>
Date:   Tue Sep 28 11:24:37 2010 -0700

    autobuild: use git notes for autobuild messages
    
    This avoids changing the commit ID when we add a note that the
    autobuild has passed
    
    thanks to Jelmer for this suggestion!

commit 00611cbcf6ea2da2b0b9179c9ef8e3bd27555c5c
Author: Andrew Tridgell <tridge at samba.org>
Date:   Tue Sep 28 11:23:35 2010 -0700

    selftest: enable FAIL_IMMEDIATELY in autobuild make test
    
    this should reduce the time we wait for previous failing builds.
    
    Right now this will only work for s4, as we need a makefile change for
    s3 support

commit f4177b66c5b9351cf36b09f6b55b042985d633f0
Author: Andrew Tridgell <tridge at samba.org>
Date:   Tue Sep 28 10:48:38 2010 -0700

    s4-drs: added support for DRSUAPI_EXOP_REPL_OBJ
    
    this extended getncchanges operation replicates a single object

commit 491e89fa1c8dc4df327866c09cae941578209243
Author: Andrew Tridgell <tridge at samba.org>
Date:   Tue Sep 28 10:46:03 2010 -0700

    ldb-tdb: ignore failure to register control on rootdse
    
    this is expected for non-sam LDBs

commit 9aa07e72c88c9e4f52546597610019c8596ea4cc
Author: Andrew Tridgell <tridge at samba.org>
Date:   Tue Sep 28 10:40:18 2010 -0700

    s4-drs: use drs_ObjectIdentifier_*() calls in getncchanges
    
    this allows for replication by GUID or SID

commit d4939ce4fc5e61c96e047b6a61a5502335da8926
Author: Andrew Tridgell <tridge at samba.org>
Date:   Tue Sep 28 10:39:52 2010 -0700

    s4-drs: moved the drs_ObjectIdentifier handling to dsdb_dn.c
    
    this will be used outside of the drs server.
    
    This also fixes the handling of the ndr_size elements of the
    drs_ObjectIdentifier

commit cd3eddbb59a21534f5a854b9a1fb1419530cca3f
Author: Andrew Tridgell <tridge at samba.org>
Date:   Tue Sep 28 10:38:40 2010 -0700

    waf: we don't need the preprocessor recursion limit any more
    
    thanks to ita for this

commit 8045b35b1bda15f619238fac943c604cfe851c94
Author: Nadezhda Ivanova <nivanova at samba.org>
Date:   Sun Sep 26 21:16:47 2010 -0700

    s4-drs: Added check for drs-manage-topology to updateRefs.

commit 440cee48b93936bfb9b1376e55e457a721bdcc19
Author: Nadezhda Ivanova <nivanova at samba.org>
Date:   Sun Sep 26 21:14:45 2010 -0700

    s4-drs: Added drs_security_access_check function
    
    It takes a security token, an ldb_context, and the desired CAR and checks
    if the principal has this CAR granted

commit 6caa5128150da5c585957b34e8a9c40396877452
Author: Nadezhda Ivanova <nivanova at samba.org>
Date:   Sun Sep 26 21:12:48 2010 -0700

    s4-dsdb: adapted check_access_on_dn for use in drs.

commit 4be269664451f3df82a8b4939ffcf5d4274d02ed
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Sep 29 03:59:15 2010 +1000

    heimdal Fix DNS name qualification to not mangle IP addresses
    
    If the host running this code used IPv6 forms for IPv4 addresses
    then the check for '.' would not be sufficient to determine that this
    isn't a name we should mangle.  Instead, check if it can be parsed
    as a numeric address first, and only then mangle.
    
    Andrew Bartlett

commit 89ee9e6518f5bd398bb44e0cd47454e2d69f469e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Sep 28 13:13:28 2010 +1000

    s4-kdc Handle the case where we may be given a ticket from an RODC in db layer
    
    This includes rewriting the PAC if the original krbtgt isn't to be
    trusted, and reading different entries from the DB for the krbtgt
    depending on the krbtgt number.
    
    Andrew Bartlett

commit 9d33929d76d0969917c1d42e1097d75af3401008
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Sep 28 13:10:24 2010 +1000

    heimdal Add an error code for use in the RODC
    
    In this case, the whole request packet should be forwarded to
    a real KDC, with full secrets, as we don't have the password.
    
    This could also be used to implement 'play dead when the LDAP
    server is down'.
    
    Andrew Bartlett

commit 9b5e304ccedc8f0f7ce2342e4d9c621417dd1c1e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Sep 28 13:07:53 2010 +1000

    heimdal Add support for extracting a particular KVNO from the database
    
    This should allow master key rollover.
    
    (but the real reason is to allow multiple krbtgt accounts, as used by
    Active Directory to implement RODC support)
    
    Andrew Bartlett

commit 3021af2777ffd28f595835630510e367e7286c1c
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Sep 28 13:05:37 2010 +1000

    s4-kdc Add common setup, handle RODC setup case
    
    This means we just set up the system_session etc in one place
    and don't diverge between the MIT and Heimdal plugins.
    
    We also now determine if we are an RODC and store some details
    that we will need later.
    
    Andrew Bartlett

commit 88abf441d021e753f149a534a232090634652367
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Sep 28 12:57:15 2010 +1000

    s4-dsdb Add ldb_reset_err_string() when we set error codes.
    
    If we don't we could show an old, incorrect error

commit 063b61289db73444d514d2897339cf135fc8dfc9
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Sep 28 12:55:48 2010 +1000

    s4-dsdb Make samdb_reference_dn() use dsdb_search() and DSDB_SEARCH_ONE_ONLY
    
    This simplifies the function.  While doing so, also change the error
    string setting to set a really clear error string for the failure to find
    and failure to parse cases.
    
    Andrew Bartlett

commit 990720b8cd869a375686cc78f270e68ca9bd28b3
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Sep 28 12:53:06 2010 +1000

    s4-kdc Add function to determine if a hdb entry is a RODC
    
    This is important, as we must ignore the PAC from an RODC.
    
    Andrew Bartlett

commit 85f7bce865e611c5d18b67a3f34723f7da7df92e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Sep 28 12:49:44 2010 +1000

    s4-kdc Use msDS-SecondaryKrbTgtNumber to fill in the full KVNO
    
    Andrew Bartlett

commit 8b57482fa8bfff901c08dbfa4b722b291862c372
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Sep 27 14:43:33 2010 +1000

    s4-dsdb Fix segfault in error case in rootdse module

commit 6bab5c07519baa0be1bf86161236a0307c48e31f
Author: Michael Wood <esiotrot at gmail.com>
Date:   Mon Sep 27 00:05:05 2010 +0200

    Make upgrade procedure more explicit.
    
    Add in a compile step.
    Change the tar command to include the recommended dirs.

-----------------------------------------------------------------------

Summary of changes:
 script/autobuild.py                         |    6 +-
 source3/wscript                             |    3 -
 source4/auth/sam.c                          |    1 +
 source4/dsdb/common/dsdb_access.c           |   19 ++-
 source4/dsdb/common/dsdb_dn.c               |   42 +++++
 source4/dsdb/common/util.c                  |   18 ++-
 source4/dsdb/samdb/ldb_modules/rootdse.c    |    5 +-
 source4/dsdb/samdb/ldb_modules/util.c       |    1 +
 source4/heimdal/kdc/kerberos5.c             |    5 +-
 source4/heimdal/kdc/krb5tgs.c               |   51 +++++--
 source4/heimdal/kdc/misc.c                  |    8 +
 source4/heimdal/kdc/windc.c                 |    3 +-
 source4/heimdal/kdc/windc_plugin.h          |    1 +
 source4/heimdal/lib/hdb/hdb.h               |    3 +-
 source4/heimdal/lib/hdb/hdb_err.et          |    1 +
 source4/heimdal/lib/hdb/keytab.c            |    2 +-
 source4/heimdal/lib/krb5/krbhst.c           |   28 +++-
 source4/kdc/db-glue.c                       |  219 ++++++++++++++++++++++++---
 source4/kdc/db-glue.h                       |    4 +
 source4/kdc/hdb-samba4.c                    |   55 +------
 source4/kdc/kdc.c                           |    1 +
 source4/kdc/mit_samba.c                     |   44 ++----
 source4/kdc/pac-glue.c                      |   16 ++
 source4/kdc/pac-glue.h                      |    2 +
 source4/kdc/samba_kdc.h                     |    3 +
 source4/kdc/wdc-samba4.c                    |   42 ++++--
 source4/lib/ldb/ldb_tdb/ldb_tdb.c           |    5 +-
 source4/rpc_server/drsuapi/dcesrv_drsuapi.h |    6 +
 source4/rpc_server/drsuapi/drsutil.c        |   46 ++++--
 source4/rpc_server/drsuapi/getncchanges.c   |   63 ++++++--
 source4/rpc_server/drsuapi/updaterefs.c     |   16 +-
 source4/wscript                             |    3 -
 upgrading-samba4.txt                        |    8 +-
 33 files changed, 524 insertions(+), 206 deletions(-)


Changeset truncated at 500 lines:

diff --git a/script/autobuild.py b/script/autobuild.py
index 5d7228b..2870068 100755
--- a/script/autobuild.py
+++ b/script/autobuild.py
@@ -21,13 +21,13 @@ tasks = {
                   "make basics",
                   "make -j 4 everything", # don't use too many processes
                   "make install",
-                  "TDB_NO_FSYNC=1 make test" ],
+                  "TDB_NO_FSYNC=1 make test FAIL_IMMEDIATELY=1" ],
 
     "source4" : [ "./autogen.sh",
                   "./configure.developer ${PREFIX}",
                   "make -j",
                   "make install",
-                  "TDB_NO_FSYNC=1 make test" ],
+                  "TDB_NO_FSYNC=1 make test FAIL_IMMEDIATELY=1" ],
 
     "source4/lib/ldb" : [ "./autogen-waf.sh",
                           "./configure --enable-developer -C ${PREFIX}",
@@ -268,7 +268,7 @@ def rebase_tree(url):
 def push_to(url):
     print("Pushing to %s" % url)
     if options.mark:
-        run_cmd("EDITOR=script/commit_mark.sh git commit --amend -c HEAD", dir=test_master)
+        run_cmd("EDITOR=script/commit_mark.sh git notes edit HEAD", dir=test_master)
     run_cmd("git remote add -t master pushto %s" % url, show=True, dir=test_master)
     run_cmd("git push pushto +HEAD:master", show=True, dir=test_master)
 
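Review bot: the note written by `git notes edit HEAD` never reaches the remote: `git push pushto +HEAD:master` pushes only the master ref, and notes live under refs/notes/commits, so the autobuild mark stays local to test_master unless a `git push pushto refs/notes/commits` (or an equivalent refspec) is added after the branch push. Also confirm that script/commit_mark.sh behaves sensibly as the notes editor, since it is now handed an empty note buffer rather than the commit message it used to amend under `git commit --amend -c HEAD`.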
diff --git a/source3/wscript b/source3/wscript
index d182d94..d124eb6 100644
--- a/source3/wscript
+++ b/source3/wscript
@@ -73,9 +73,6 @@ def configure(conf):
     if Options.options.with_swat:
         conf.env['build_swat'] = True
 
-    # set a limit on recursing in the waf preprocessor
-    conf.env.preprocessor_recursion_limit = 10
-
     conf.ADD_EXTRA_INCLUDES('''#source3 #source3/include #lib/replace #lib/talloc
                                #lib/tevent #source3/libaddns #source3/librpc
                                #source3/lib #lib/tdb/include #lib/popt #source4''')
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index bdbf690..0f97a19 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -36,6 +36,7 @@
 	"userPrincipalName",			\
 	"servicePrincipalName",			\
 	"msDS-KeyVersionNumber",		\
+	"msDS-SecondaryKrbTgtNumber"            \
 	"msDS-SupportedEncryptionTypes",	\
 	"supplementalCredentials",		\
 						\
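Review bot: the added line is missing its trailing comma: `"msDS-SecondaryKrbTgtNumber"            \` directly followed by `"msDS-SupportedEncryptionTypes",	\` leaves two adjacent string literals, which the compiler concatenates into the single attribute name "msDS-SecondaryKrbTgtNumbermsDS-SupportedEncryptionTypes". Neither attribute is then requested, so the KVNO filled from msDS-SecondaryKrbTgtNumber (commit 85f7bce) and the supported encryption types silently go missing. Change the line to `"msDS-SecondaryKrbTgtNumber",		\`.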
diff --git a/source4/dsdb/common/dsdb_access.c b/source4/dsdb/common/dsdb_access.c
index c7d8610..ebbe4f4 100644
--- a/source4/dsdb/common/dsdb_access.c
+++ b/source4/dsdb/common/dsdb_access.c
@@ -35,6 +35,7 @@
 #include "param/param.h"
 #include "auth/auth.h"
 #include "dsdb/samdb/samdb.h"
+#include "dsdb/common/util.h"
 
 void dsdb_acl_debug(struct security_descriptor *sd,
 		      struct security_token *token,
@@ -135,24 +136,24 @@ int dsdb_check_access_on_dn_internal(struct ldb_context *ldb,
 int dsdb_check_access_on_dn(struct ldb_context *ldb,
 			    TALLOC_CTX *mem_ctx,
 			    struct ldb_dn *dn,
+			    struct security_token *token,
 			    uint32_t access,
-			    const struct GUID *guid)
+			    const char *ext_right)
 {
 	int ret;
+	struct GUID guid;
 	struct ldb_result *acl_res;
 	static const char *acl_attrs[] = {
 		"nTSecurityDescriptor",
 		"objectSid",
 		NULL
 	};
-
-	struct auth_session_info *session_info
-		= (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
-	if(!session_info) {
-		return ldb_operr(ldb);
+	NTSTATUS status = GUID_from_string(ext_right, &guid);
+	if (!NT_STATUS_IS_OK(status)) {
+		return LDB_ERR_OPERATIONS_ERROR;
 	}
 
-	ret = ldb_search(ldb, mem_ctx, &acl_res, dn, LDB_SCOPE_BASE, acl_attrs, NULL);
+	ret = dsdb_search_dn(ldb, mem_ctx, &acl_res, dn, acl_attrs, DSDB_SEARCH_SHOW_DELETED);
 	if (ret != LDB_SUCCESS) {
 		DEBUG(10,("access_check: failed to find object %s\n", ldb_dn_get_linearized(dn)));
 		return ret;
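Review bot: the `GUID_from_string(ext_right, &guid)` failure path returns LDB_ERR_OPERATIONS_ERROR without setting an error string, so a caller passing a malformed extended-right GUID gets an opaque failure; add an ldb_asprintf_errstring() naming ext_right there. Since the function no longer obtains the token from the ldb opaque, `token` is now handed to dsdb_check_access_on_dn_internal() unchecked, so a NULL token should be rejected up front as well. The signature change also means every existing caller must be updated; the summary lists drsutil.c and updaterefs.c as touched, but that part of the diff is truncated here and cannot be checked.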
@@ -160,9 +161,9 @@ int dsdb_check_access_on_dn(struct ldb_context *ldb,
 
 	return dsdb_check_access_on_dn_internal(ldb, acl_res,
 						mem_ctx,
-						session_info->security_token,
+						token,
 						dn,
 						access,
-						guid);
+						&guid);
 }
 
diff --git a/source4/dsdb/common/dsdb_dn.c b/source4/dsdb/common/dsdb_dn.c
index cb9cb29..85ba9b7 100644
--- a/source4/dsdb/common/dsdb_dn.c
+++ b/source4/dsdb/common/dsdb_dn.c
@@ -22,6 +22,8 @@
 #include "includes.h"
 #include "dsdb/samdb/samdb.h"
 #include "lib/ldb/include/ldb_module.h"
+#include "librpc/ndr/libndr.h"
+#include "libcli/security/dom_sid.h"
 
 enum dsdb_dn_format dsdb_dn_oid_to_format(const char *oid) 
 {
@@ -402,3 +404,43 @@ WERROR dsdb_dn_la_from_blob(struct ldb_context *sam_ctx,
 
 	return WERR_OK;
 }
+
+
+/*
+  format a drsuapi_DsReplicaObjectIdentifier naming context as a string
+ */
+char *drs_ObjectIdentifier_to_string(TALLOC_CTX *mem_ctx,
+				     struct drsuapi_DsReplicaObjectIdentifier *nc)
+{
+	char *ret = NULL;
+	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+	if (!GUID_all_zero(&nc->guid)) {
+		char *guid = GUID_string(tmp_ctx, &nc->guid);
+		if (guid) {
+			ret = talloc_asprintf_append(ret, "<GUID=%s>;", guid);
+		}
+	}
+	if (nc->__ndr_size_sid != 0 && nc->sid.sid_rev_num != 0) {
+		const char *sid = dom_sid_string(tmp_ctx, &nc->sid);
+		if (sid) {
+			ret = talloc_asprintf_append(ret, "<SID=%s>;", sid);
+		}
+	}
+	if (nc->__ndr_size_dn != 0 && nc->dn) {
+		ret = talloc_asprintf_append(ret, "%s", nc->dn);
+	}
+	talloc_free(tmp_ctx);
+	talloc_steal(mem_ctx, ret);
+	return ret;
+}
+
+struct ldb_dn *drs_ObjectIdentifier_to_dn(TALLOC_CTX *mem_ctx,
+					  struct ldb_context *ldb,
+					  struct drsuapi_DsReplicaObjectIdentifier *nc)
+{
+	char *dn_string = drs_ObjectIdentifier_to_string(mem_ctx, nc);
+	struct ldb_dn *new_dn;
+	new_dn = ldb_dn_new(mem_ctx, ldb, dn_string);
+	talloc_free(dn_string);
+	return new_dn;
+}
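Review bot: drs_ObjectIdentifier_to_dn() passes the result of drs_ObjectIdentifier_to_string() to ldb_dn_new() without checking it. `ret` starts as NULL and is only set when a GUID, a SID or a DN is present (and stays NULL on allocation failure), so an identifier carrying none of the three is turned into a DN object instead of being rejected; return NULL when dn_string is NULL so callers treat an empty identifier as an error. The `talloc_new(mem_ctx)` result is also unchecked: a NULL tmp_ctx makes GUID_string() and dom_sid_string() allocate off the NULL context and leak.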
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index a8186e8..a5d0f60 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -1690,20 +1690,21 @@ int samdb_reference_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_
 	attrs[0] = attribute;
 	attrs[1] = NULL;
 
-	ret = ldb_search(ldb, mem_ctx, &res, base, LDB_SCOPE_BASE, attrs, NULL);
+	ret = dsdb_search(ldb, mem_ctx, &res, base, LDB_SCOPE_BASE, attrs, DSDB_SEARCH_ONE_ONLY, NULL);
 	if (ret != LDB_SUCCESS) {
 		return ret;
 	}
-	if (res->count != 1) {
-		talloc_free(res);
-		return LDB_ERR_NO_SUCH_OBJECT;
-	}
 
 	*dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx, res->msgs[0], attribute);
 	if (!*dn) {
+		if (!ldb_msg_find_element(res->msgs[0], attribute)) {
+			ldb_asprintf_errstring(ldb, "Cannot find attribute %s of %s to calculate reference dn", attribute,
+					       ldb_dn_get_linearized(base));
+		} else {
+			ldb_asprintf_errstring(ldb, "Cannot interpret attribute %s of %s as a dn", attribute,
+					       ldb_dn_get_linearized(base));
+		}
 		talloc_free(res);
-		ldb_asprintf_errstring(ldb, "Cannot find dn of attribute %s of %s", attribute,
-					ldb_dn_get_linearized(base));
 		return LDB_ERR_NO_SUCH_ATTRIBUTE;
 	}
 
@@ -3810,6 +3811,7 @@ int dsdb_search(struct ldb_context *ldb,
 	ret = dsdb_request_add_controls(req, dsdb_flags);
 	if (ret != LDB_SUCCESS) {
 		talloc_free(tmp_ctx);
+		ldb_reset_err_string(ldb);
 		return ret;
 	}
 
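Review bot: calling ldb_reset_err_string() after dsdb_request_add_controls() has failed discards whatever message that function set about the offending control; if the aim is only to clear a stale string left by an earlier operation, reset it before the call (or at function entry) rather than after the failure.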
@@ -3826,10 +3828,12 @@ int dsdb_search(struct ldb_context *ldb,
 	if (dsdb_flags & DSDB_SEARCH_ONE_ONLY) {
 		if (res->count == 0) {
 			talloc_free(tmp_ctx);
+			ldb_reset_err_string(ldb);
 			return LDB_ERR_NO_SUCH_OBJECT;
 		}
 		if (res->count != 1) {
 			talloc_free(tmp_ctx);
+			ldb_reset_err_string(ldb);
 			return LDB_ERR_CONSTRAINT_VIOLATION;
 		}
 	}
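Review bot: after the reset, the DSDB_SEARCH_ONE_ONLY failure paths return LDB_ERR_NO_SUCH_OBJECT and LDB_ERR_CONSTRAINT_VIOLATION with an empty error string, and samdb_reference_dn() in the hunk above now propagates that `ret` directly, so the clear message the commit message promises is lost for the not-found case; set a string here naming the base DN and the count (0 or more than 1) instead of, or after, the reset.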
diff --git a/source4/dsdb/samdb/ldb_modules/rootdse.c b/source4/dsdb/samdb/ldb_modules/rootdse.c
index 23b8f63..4f0b11b 100644
--- a/source4/dsdb/samdb/ldb_modules/rootdse.c
+++ b/source4/dsdb/samdb/ldb_modules/rootdse.c
@@ -1063,7 +1063,10 @@ static int rootdse_become_master(struct ldb_module *module,
 
 	msg = messaging_client_init(tmp_ctx, lpcfg_messaging_path(tmp_ctx, lp_ctx),
 				    ldb_get_event_context(ldb));
-
+	if (!msg) {
+		ldb_asprintf_errstring(ldb, "Failed to generate client messaging context in %s", lpcfg_messaging_path(tmp_ctx, lp_ctx));
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
 	irpc_handle = irpc_binding_handle_by_name(tmp_ctx, msg,
 						  "dreplsrv",
 						  &ndr_table_irpc);
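Review bot: the new `if (!msg)` branch returns without freeing tmp_ctx, which the surrounding lines show is already allocated (it is the parent handed to messaging_client_init() and lpcfg_messaging_path()); add `talloc_free(tmp_ctx);` before `return LDB_ERR_OPERATIONS_ERROR;` so the error path does not leak.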
diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c
index 1dc466e..b64b934 100644
--- a/source4/dsdb/samdb/ldb_modules/util.c
+++ b/source4/dsdb/samdb/ldb_modules/util.c
@@ -622,6 +622,7 @@ int dsdb_module_reference_dn(struct ldb_module *module, TALLOC_CTX *mem_ctx, str
 	*dn = ldb_msg_find_attr_as_dn(ldb_module_get_ctx(module),
 				      mem_ctx, res->msgs[0], attribute);
 	if (!*dn) {
+		ldb_reset_err_string(ldb_module_get_ctx(module));
 		talloc_free(res);
 		return LDB_ERR_NO_SUCH_ATTRIBUTE;
 	}
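Review bot: this is the same `!*dn` case that samdb_reference_dn() handles earlier in this changeset, but there the error is made descriptive ("Cannot find attribute %s of %s ..." / "Cannot interpret attribute %s of %s as a dn") while here the string is merely reset, so the module-level helper returns LDB_ERR_NO_SUCH_ATTRIBUTE with no explanation; use the same two messages here for consistency.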
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index c3e9475..05df86e 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -988,7 +988,8 @@ _kdc_as_rep(krb5_context context,
      */
 
     ret = _kdc_db_fetch(context, config, client_princ,
-			HDB_F_GET_CLIENT | flags, &clientdb, &client);
+			HDB_F_GET_CLIENT | flags, 0,
+			&clientdb, &client);
     if(ret){
 	const char *msg = krb5_get_error_message(context, ret);
 	kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name, msg);
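Review bot: the new argument of _kdc_db_fetch() is `krb5int32 *kvno_ptr` (see the misc.c hunk), so the literal `0` passed here, and in the server fetch in the next hunk, is a null pointer constant; write it as NULL, as the krb5tgs.c refetch does, so a reader sees at a glance that no specific kvno is being requested.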
@@ -999,7 +1000,7 @@ _kdc_as_rep(krb5_context context,
 
     ret = _kdc_db_fetch(context, config, server_princ,
 			HDB_F_GET_SERVER|HDB_F_GET_KRBTGT,
-			NULL, &server);
+			0, NULL, &server);
     if(ret){
 	const char *msg = krb5_get_error_message(context, ret);
 	kdc_log(context, config, 0, "UNKNOWN -- %s: %s", server_name, msg);
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index dd14ae6..3560a0d 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -281,8 +281,10 @@ check_PAC(krb5_context context,
 	  const krb5_principal client_principal,
 	  hdb_entry_ex *client,
 	  hdb_entry_ex *server,
+	  hdb_entry_ex *krbtgt,
 	  const EncryptionKey *server_key,
-	  const EncryptionKey *krbtgt_key,
+	  const EncryptionKey *krbtgt_check_key,
+	  const EncryptionKey *krbtgt_sign_key,
 	  EncTicketPart *tkt,
 	  krb5_data *rspac,
 	  int *signedpath)
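Review bot: with three key parameters now, check_PAC() needs a comment stating which is which: krbtgt_check_key is the key of the krbtgt entry that issued the incoming ticket (selected by the ticket's kvno) and is used only to verify the existing PAC signature, while krbtgt_sign_key is the current krbtgt key used to re-sign it. Today that has to be reconstructed from the "refetch the krbtgt, but get the current kvno" comment in tgs_build_reply().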
@@ -325,14 +327,14 @@ check_PAC(krb5_context context,
 
 		ret = krb5_pac_verify(context, pac, tkt->authtime,
 				      client_principal,
-				      krbtgt_key, NULL);
+				      krbtgt_check_key, NULL);
 		if (ret) {
 		    krb5_pac_free(context, pac);
 		    return ret;
 		}
 
 		ret = _kdc_pac_verify(context, client_principal,
-				      client, server, &pac);
+				      client, server, krbtgt, &pac);
 		if (ret) {
 		    krb5_pac_free(context, pac);
 		    return ret;
@@ -341,7 +343,7 @@ check_PAC(krb5_context context,
 
 		ret = _krb5_pac_sign(context, pac, tkt->authtime,
 				     client_principal,
-				     server_key, krbtgt_key, rspac);
+				     server_key, krbtgt_sign_key, rspac);
 
 		krb5_pac_free(context, pac);
 
@@ -1156,7 +1158,7 @@ tgs_parse_request(krb5_context context,
 				       ap_req.ticket.sname,
 				       ap_req.ticket.realm);
 
-    ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, NULL, krbtgt);
+    ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, ap_req.ticket.enc_part.kvno, NULL, krbtgt);
 
     if(ret) {
 	const char *msg = krb5_get_error_message(context, ret);
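Review bot: the krbtgt entry is now selected by `ap_req.ticket.enc_part.kvno`, a value taken from the client-supplied ticket before anything has been verified, so the failure logged just below now also covers "no krbtgt with that kvno"; include the requested kvno in the kdc_log() message so that misconfigured clients or requests probing unknown kvnos can be told apart from a genuinely missing krbtgt entry when reading the logs.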
@@ -1454,6 +1456,8 @@ tgs_build_reply(krb5_context context,
     krb5_kvno kvno;
     krb5_data rspac;
 
+    hdb_entry_ex *krbtgt_out = NULL;
+
     METHOD_DATA enc_pa_data;
 
     PrincipalName *s;
@@ -1463,7 +1467,8 @@ tgs_build_reply(krb5_context context,
     char opt_str[128];
     int signedpath = 0;
 
-    Key *tkey;
+    Key *tkey_check;
+    Key *tkey_sign;
 
     memset(&sessionkey, 0, sizeof(sessionkey));
     memset(&adtkt, 0, sizeof(adtkt));
@@ -1495,7 +1500,7 @@ tgs_build_reply(krb5_context context,
 	}
 	_krb5_principalname2krb5_principal(context, &p, t->sname, t->realm);
 	ret = _kdc_db_fetch(context, config, p,
-			    HDB_F_GET_CLIENT|HDB_F_GET_SERVER,
+			    HDB_F_GET_KRBTGT, t->enc_part.kvno,
 			    NULL, &uu);
 	krb5_free_principal(context, p);
 	if(ret){
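Review bot: besides threading the kvno through, this call also changes the lookup flags from HDB_F_GET_CLIENT|HDB_F_GET_SERVER to HDB_F_GET_KRBTGT, which narrows which entries the additional ticket's sname may match; the commit message does not mention this, and a behavioural change of that kind deserves a sentence there or a comment at the call site explaining why the additional ticket must have been issued by a krbtgt.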
@@ -1548,7 +1553,7 @@ tgs_build_reply(krb5_context context,
 
 server_lookup:
     ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER | HDB_F_CANON,
-			NULL, &server);
+			0, NULL, &server);
 
     if(ret){
 	const char *new_rlm, *msg;
@@ -1609,7 +1614,7 @@ server_lookup:
     }
 
     ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON,
-			&clientdb, &client);
+			0, &clientdb, &client);
     if(ret) {
 	const char *krbtgt_realm, *msg;
 
@@ -1704,15 +1709,31 @@ server_lookup:
      */
 
     ret = hdb_enctype2key(context, &krbtgt->entry,
-			  krbtgt_etype, &tkey);
+			  krbtgt_etype, &tkey_check);
     if(ret) {
 	kdc_log(context, config, 0,
 		    "Failed to find key for krbtgt PAC check");
 	goto out;
     }
 
+    /* Now refetch the krbtgt, but get the current kvno (the sign check may have been on an old kvno) */
+    ret = _kdc_db_fetch(context, config, krbtgt->entry.principal, HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
+    if (ret) {
+	kdc_log(context, config, 0,
+		    "Failed to find krbtgt in DB for krbtgt PAC signature");
+	goto out;
+    }
+
+    ret = hdb_enctype2key(context, &krbtgt_out->entry,
+			  krbtgt_etype, &tkey_sign);
+    if(ret) {
+	kdc_log(context, config, 0,
+		    "Failed to find key for krbtgt PAC signature");
+	goto out;
+    }
+
     ret = check_PAC(context, config, cp,
-		    client, server, ekey, &tkey->key,
+		    client, server, krbtgt, ekey, &tkey_check->key, &tkey_sign->key,
 		    tgt, &rspac, &signedpath);
     if (ret) {
 	const char *msg = krb5_get_error_message(context, ret);
@@ -1814,7 +1835,7 @@ server_lookup:
 		krb5_pac p = NULL;
 		krb5_data_free(&rspac);
 		ret = _kdc_db_fetch(context, config, client_principal, HDB_F_GET_CLIENT | HDB_F_CANON,
-				    &s4u2self_impersonated_clientdb, &s4u2self_impersonated_client);
+				    0, &s4u2self_impersonated_clientdb, &s4u2self_impersonated_client);
 		if (ret) {
 		    const char *msg;
 
@@ -1840,7 +1861,7 @@ server_lookup:
 		if (p != NULL) {
 		    ret = _krb5_pac_sign(context, p, ticket->ticket.authtime,
 					 s4u2self_impersonated_client->entry.principal,
-					 ekey, &tkey->key,
+					 ekey, &tkey_sign->key,
 					 &rspac);
 		    krb5_pac_free(context, p);
 		    if (ret) {
@@ -2070,7 +2091,7 @@ server_lookup:
 			 spn,
 			 client,
 			 cp,
-			 krbtgt,
+			 krbtgt_out,
 			 krbtgt_etype,
 			 spp,
 			 &rspac,
@@ -2084,6 +2105,8 @@ out:
 	
     krb5_data_free(&rspac);
     krb5_free_keyblock_contents(context, &sessionkey);
+    if(krbtgt_out)
+	_kdc_free_ent(context, krbtgt_out);
     if(server)
 	_kdc_free_ent(context, server);
     if(client)
diff --git a/source4/heimdal/kdc/misc.c b/source4/heimdal/kdc/misc.c
index 39f91dc..3080748 100644
--- a/source4/heimdal/kdc/misc.c
+++ b/source4/heimdal/kdc/misc.c
@@ -40,12 +40,19 @@ _kdc_db_fetch(krb5_context context,
 	      krb5_kdc_configuration *config,
 	      krb5_const_principal principal,
 	      unsigned flags,
+	      krb5int32 *kvno_ptr,
 	      HDB **db,
 	      hdb_entry_ex **h)
 {
     hdb_entry_ex *ent;
     krb5_error_code ret;
     int i;
+    unsigned kvno;
+
+    if (kvno_ptr) {
+	    kvno = *kvno_ptr;
+	    flags |= HDB_F_KVNO_SPECIFIED;
+    }
 
     ent = calloc (1, sizeof (*ent));
     if (ent == NULL) {
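Review bot: `unsigned kvno;` is left uninitialised when kvno_ptr is NULL and is then passed on in the next hunk (`kvno,` to the fetch callback), so the callee receives an indeterminate value whenever HDB_F_KVNO_SPECIFIED is not set; initialise it (`unsigned kvno = 0;`) so the value is well-defined even if a backend reads it before checking the flag. The type also differs from the `krb5int32 *kvno_ptr` it is copied from; using the same type avoids a sign conversion.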
@@ -88,6 +95,7 @@ _kdc_db_fetch(krb5_context context,
 				       config->db[i],
 				       principal,
 				       flags | HDB_F_DECRYPT,
+				       kvno,
 				       ent);
 	krb5_free_principal(context, enterprise_principal);
 
diff --git a/source4/heimdal/kdc/windc.c b/source4/heimdal/kdc/windc.c
index 524bc90..a8f1eb1 100644
--- a/source4/heimdal/kdc/windc.c
+++ b/source4/heimdal/kdc/windc.c
@@ -86,6 +86,7 @@ _kdc_pac_verify(krb5_context context,
 		const krb5_principal client_principal,
 		hdb_entry_ex *client,
 		hdb_entry_ex *server,
+		hdb_entry_ex *krbtgt,
 		krb5_pac *pac)
 {
     if (windcft == NULL) {
@@ -93,7 +94,7 @@ _kdc_pac_verify(krb5_context context,
 	return EINVAL;
     }
     return (windcft->pac_verify)(windcctx, context,
-				 client_principal, client, server, pac);
+				 client_principal, client, server, krbtgt, pac);
 }
 
 krb5_error_code
diff --git a/source4/heimdal/kdc/windc_plugin.h b/source4/heimdal/kdc/windc_plugin.h
index 0ec8e06..037fc8c 100644
--- a/source4/heimdal/kdc/windc_plugin.h
+++ b/source4/heimdal/kdc/windc_plugin.h
@@ -60,6 +60,7 @@ typedef krb5_error_code
 			       const krb5_principal,
 			       struct hdb_entry_ex *,


-- 
Samba Shared Repository

