[SCM] Samba Shared Repository - branch master updated
Andrew Tridgell
tridge at samba.org
Tue Sep 28 21:09:01 MDT 2010
The branch, master has been updated
via cc28860 s4-provision: simplify our generated krb5.conf
via 4e0a3ea s4-kdc: RODC DCs should be able to produce forwardable tickets
via 04e3e27 heimdal: fixed timegm UTC/GMT bug
via dacfe67 s4-sam: fixed termination of krbtgt_attrs (comma and NULL)
via c83775d ldb-dn: don't crash on NULL in ldb_binary_encode_string()
via 3d4576b s4-kdc Ensure that an RODC may act as a server (needed to fill the krbtgt role).
via f84bdf9 heimdal Use a separate krb5_auth_context for the delegated credentials
from e2c305d midltests/todo: add some random idl files I had tested months ago
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit cc288603ce67ccca3625d162fadc618df5fbc807
Author: Andrew Tridgell <tridge at samba.org>
Date: Tue Sep 28 19:11:34 2010 -0700
s4-provision: simplify our generated krb5.conf
we don't want to force the KDC to be ourselves, we should
be using DNS to find a live KDC. Also remove some other options and
allow the krb5 lib to use defaults.
Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
commit 4e0a3ea705a793ef2f68805728caabd58bdf5788
Author: Andrew Tridgell <tridge at samba.org>
Date: Tue Sep 28 19:10:27 2010 -0700
s4-kdc: RODC DCs should be able to produce forwardable tickets
Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
commit 04e3e27fd1062cd9ffe462f4a2c6b0635c3917eb
Author: Andrew Tridgell <tridge at samba.org>
Date: Tue Sep 28 19:09:58 2010 -0700
heimdal: fixed timegm UTC/GMT bug
This was a wonderful bug!
On some Fedora systems, but not on Ubuntu, there is a difference
between UTC and GMT. Heimdal replaced timegm() with _der_timegm()
which did not account for that difference (which is 24 seconds at the
moment). This led to a mutual authentication failure.
Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
commit dacfe67a0e4c591710adbe6b2f53783ac76f4ba1
Author: Andrew Tridgell <tridge at samba.org>
Date: Tue Sep 28 19:07:43 2010 -0700
s4-sam: fixed termination of krbtgt_attrs (comma and NULL)
Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
commit c83775d524612c24be97d3761a1cc29998040fa1
Author: Andrew Tridgell <tridge at samba.org>
Date: Tue Sep 28 18:01:21 2010 -0700
ldb-dn: don't crash on NULL in ldb_binary_encode_string()
Thanks to Nadya for finding this one!
commit 3d4576b170d92f97018076faf0ed914cf2fdd01b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 29 09:06:39 2010 +1000
s4-kdc Ensure that an RODC may act as a server (needed to fill
the krbtgt role).
Andrew Bartlett
commit f84bdf91d865ab176dcc0d829944821b89b88074
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 29 06:44:33 2010 +1000
heimdal Use a separate krb5_auth_context for the delegated credentials
If we re-use this context, we overwrite the timestamp while talking
to the KDC and fail the mutual authentication with the target server.
Andrew Bartlett
-----------------------------------------------------------------------
Summary of changes:
source4/auth/sam.c | 8 ++--
source4/heimdal/lib/asn1/timegm.c | 21 +++---------
.../heimdal/lib/gssapi/krb5/delete_sec_context.c | 1 +
source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h | 1 +
source4/heimdal/lib/gssapi/krb5/init_sec_context.c | 34 +++++++++++++++++++-
source4/kdc/db-glue.c | 29 ++++++++++++++---
source4/lib/ldb/common/ldb_parse.c | 3 ++
source4/setup/krb5.conf | 15 +--------
8 files changed, 73 insertions(+), 39 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 0f97a19..ad7fe0a 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -36,7 +36,7 @@
"userPrincipalName", \
"servicePrincipalName", \
"msDS-KeyVersionNumber", \
- "msDS-SecondaryKrbTgtNumber" \
+ "msDS-SecondaryKrbTgtNumber", \
"msDS-SupportedEncryptionTypes", \
"supplementalCredentials", \
\
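Review bot: The missing comma after "msDS-SecondaryKrbTgtNumber" in KRBTGT_ATTRS made the compiler concatenate two adjacent string literals into one bogus attribute name, so the search silently asked for an attribute that does not exist and fetched neither of the two; the `+` line restores the separator. Because this macro layout (many quoted names, trailing backslashes) hides such an error from the compiler, a small test that checks each expected name appears in krbtgt_attrs[] would catch the next one.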
@@ -48,14 +48,14 @@
"objectSid", \
\
"pwdLastSet", \
- "accountExpires"
+ "accountExpires"
const char *krbtgt_attrs[] = {
- KRBTGT_ATTRS
+ KRBTGT_ATTRS, NULL
};
const char *server_attrs[] = {
- KRBTGT_ATTRS
+ KRBTGT_ATTRS, NULL
};
const char *user_attrs[] = {
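Review bot: The two `+ KRBTGT_ATTRS, NULL` lines are the real fix in this hunk: ldb attribute lists are walked until a NULL entry, so krbtgt_attrs[] and server_attrs[] without a terminator were read past the end of the array into whatever followed in memory. The `- "accountExpires"` / `+ "accountExpires"` pair at the top is a whitespace-only change that adds noise to the diff, and since user_attrs[] begins on the last context line, confirm it is NULL-terminated too if it expands the same macro.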
diff --git a/source4/heimdal/lib/asn1/timegm.c b/source4/heimdal/lib/asn1/timegm.c
index c72968d..83f0e33 100644
--- a/source4/heimdal/lib/asn1/timegm.c
+++ b/source4/heimdal/lib/asn1/timegm.c
@@ -54,8 +54,6 @@ _der_timegm (struct tm *tm)
static const unsigned ndays[2][12] ={
{31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31},
{31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31}};
- time_t res = 0;
- unsigned i;
if (tm->tm_year < 0)
return -1;
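Review bot: With the `res` and `i` locals removed here and the day-counting loops removed in the next hunk, the static `ndays` table still visible in the context lines has no remaining reader (the same likely applies to `is_leap`), so the build will warn about an unused variable; drop the table in the same commit. The range checks on the tm fields that remain are worth keeping, since they reject values that libc timegm() would silently normalise rather than refuse.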
@@ -70,17 +68,10 @@ _der_timegm (struct tm *tm)
if (tm->tm_sec < 0 || tm->tm_sec > 59)
return -1;
- for (i = 70; i < tm->tm_year; ++i)
- res += is_leap(i) ? 366 : 365;
-
- for (i = 0; i < tm->tm_mon; ++i)
- res += ndays[is_leap(tm->tm_year)][i];
- res += tm->tm_mday - 1;
- res *= 24;
- res += tm->tm_hour;
- res *= 60;
- res += tm->tm_min;
- res *= 60;
- res += tm->tm_sec;
- return res;
+ /* now call to the libc timegm(). This code used to do the
+ * calculation itself, but that calculation didn't account for the
+ * difference between UTC and GMT, which is 24 seconds in 2010. That
+ * caused a mutual authentication failure
+ */
+ return timegm(tm);
}
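Review bot: The new comment above `return timegm(tm);` mis-states the cause: UTC and GMT never differ by 24 seconds (the difference is under a second), but 24 is exactly the number of leap seconds inserted between 1972 and 2010, so the affected Fedora hosts almost certainly use a leap-second-aware ("right/") zoneinfo under which libc timegm() counts leap seconds while the removed hand-rolled arithmetic did not. Record that in the comment, because the fix only holds where both peers agree on the libc's notion of epoch seconds. Also note that timegm() is a BSD/GNU extension rather than POSIX, presumably why Heimdal carried _der_timegm in the first place, so a configure check or fallback is needed for platforms that lack it.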
diff --git a/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c b/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c
index b3d436e..e02a4c6 100644
--- a/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c
+++ b/source4/heimdal/lib/gssapi/krb5/delete_sec_context.c
@@ -59,6 +59,7 @@ _gsskrb5_delete_sec_context(OM_uint32 * minor_status,
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
krb5_auth_con_free (context, ctx->auth_context);
+ krb5_auth_con_free (context, ctx->deleg_auth_context);
if (ctx->kcred)
krb5_free_creds(context, ctx->kcred);
if(ctx->source)
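Review bot: The added krb5_auth_con_free(context, ctx->deleg_auth_context) is unconditional, so every path that allocates a gsskrb5_ctx must now either initialise deleg_auth_context or leave it NULL, and krb5_auth_con_free must tolerate NULL; the acceptor side (accept_sec_context) is not part of this patch, so check that it zero-fills the struct, or guard the free with `if (ctx->deleg_auth_context)` the way `ctx->kcred` is guarded two lines below.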
diff --git a/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h b/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h
index d916708..6b9b03f 100644
--- a/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h
+++ b/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h
@@ -55,6 +55,7 @@ struct gss_msg_order;
typedef struct gsskrb5_ctx {
struct krb5_auth_context_data *auth_context;
+ struct krb5_auth_context_data *deleg_auth_context;
krb5_principal source, target;
#define IS_DCE_STYLE(ctx) (((ctx)->flags & GSS_C_DCE_STYLE) != 0)
OM_uint32 flags;
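Review bot: The new deleg_auth_context member deserves a one-line comment carrying the reason given in the commit message: the forwarded-credential (KRB-CRED) exchange must not share timestamp and sequence state with the AP-REQ context, otherwise mutual authentication with the target fails. Without it, a later reader will be tempted to fold the two contexts back together.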
diff --git a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c
index fd9934a..b513bd2 100644
--- a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c
+++ b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c
@@ -117,6 +117,7 @@ _gsskrb5_create_ctx(
return GSS_S_FAILURE;
}
ctx->auth_context = NULL;
+ ctx->deleg_auth_context = NULL;
ctx->source = NULL;
ctx->target = NULL;
ctx->kcred = NULL;
@@ -139,13 +140,34 @@ _gsskrb5_create_ctx(
return GSS_S_FAILURE;
}
+ kret = krb5_auth_con_init (context, &ctx->deleg_auth_context);
+ if (kret) {
+ *minor_status = kret;
+ krb5_auth_con_free(context, ctx->auth_context);
+ HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
+ return GSS_S_FAILURE;
+ }
+
kret = set_addresses(context, ctx->auth_context, input_chan_bindings);
if (kret) {
*minor_status = kret;
+ krb5_auth_con_free(context, ctx->auth_context);
+ krb5_auth_con_free(context, ctx->deleg_auth_context);
+
HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
+ return GSS_S_BAD_BINDINGS;
+ }
+
+ kret = set_addresses(context, ctx->deleg_auth_context, input_chan_bindings);
+ if (kret) {
+ *minor_status = kret;
+
krb5_auth_con_free(context, ctx->auth_context);
+ krb5_auth_con_free(context, ctx->deleg_auth_context);
+
+ HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
return GSS_S_BAD_BINDINGS;
}
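Review bot: The cleanup sequence (free both auth contexts, destroy the mutex, return) is now repeated three times in this hunk, and two of the `+` lines in the first set_addresses branch only reorder a free that was already there; a single `out:` label or a small cleanup helper would keep the error paths identical and prevent the next omission. A short comment on the second set_addresses() call would also help, stating that the channel-binding addresses must be applied to deleg_auth_context as well so that the KRB-CRED carries the same address information as the AP-REQ; as written, a bindings failure now aborts context creation from two places for a reason the code does not explain.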
@@ -160,6 +182,16 @@ _gsskrb5_create_ctx(
KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED,
NULL);
+ /*
+ * We need a sequence number
+ */
+
+ krb5_auth_con_addflags(context,
+ ctx->deleg_auth_context,
+ KRB5_AUTH_CONTEXT_DO_SEQUENCE |
+ KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED,
+ NULL);
+
*context_handle = (gss_ctx_id_t)ctx;
return GSS_S_COMPLETE;
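Review bot: The "We need a sequence number" comment on the added krb5_auth_con_addflags call understates why the flags are duplicated: with the preceding call on `ctx->auth_context`, both contexts now carry DO_SEQUENCE and CLEAR_FORWARDED_CRED, and the point of the second context is that the delegated KRB-CRED gets its own timestamp and sequence number instead of overwriting those of the AP-REQ. Saying that here ties the code to the commit message.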
@@ -538,7 +570,7 @@ init_auth_restart
ap_options = 0;
if (flagmask & GSS_C_DELEG_FLAG) {
do_delegation (context,
- ctx->auth_context,
+ ctx->deleg_auth_context,
ctx->ccache, ctx->kcred, ctx->target,
&fwd_data, flagmask, &flags);
}
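Review bot: do_delegation() now receives ctx->deleg_auth_context instead of ctx->auth_context, but nothing in this hunk shows how the delegation context obtains the session key the acceptor will use to decrypt the KRB-CRED; if do_delegation() takes that key from the auth context it is handed, it must be copied across from the AP-REQ context. An interoperability test of GSS_C_DELEG_FLAG against a non-Heimdal acceptor (MIT or Windows) should accompany this change.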
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index ecb160c..2f416c9 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -196,6 +196,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
TALLOC_CTX *mem_ctx,
struct ldb_message *msg,
uint32_t rid,
+ bool is_rodc,
unsigned int userAccountControl,
enum samba_kdc_ent_type ent_type,
hdb_entry_ex *entry_ex)
@@ -213,7 +214,6 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
uint16_t i;
uint16_t allocated_keys = 0;
int rodc_krbtgt_number = 0;
- bool is_rodc = false;
/* Supported Enc for this entry */
uint32_t supported_enctypes = ENC_ALL_TYPES; /* by default, we support all enc types */
@@ -229,9 +229,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
supported_enctypes);
/* Is this the krbtgt or a RODC */
- if (ldb_msg_find_element(msg, "msDS-SecondaryKrbTgtNumber")) {
- is_rodc = true;
-
+ if (is_rodc) {
rodc_krbtgt_number = ldb_msg_find_attr_as_int(msg, "msDS-SecondaryKrbTgtNumber", -1);
if (rodc_krbtgt_number == -1) {
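Review bot: The comment "Is this the krbtgt or a RODC" above the new `if (is_rodc)` is now stale: the check no longer inspects the message itself but relies on the caller having derived is_rodc from msDS-SecondaryKrbTgtNumber; reword it to something like "RODC krbtgt: pick up its secondary krbtgt number".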
@@ -541,12 +539,17 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
NTSTATUS status;
uint32_t rid;
+ bool is_rodc = false;
struct ldb_message_element *objectclasses;
struct ldb_val computer_val;
const char *samAccountName = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL);
computer_val.data = discard_const_p(uint8_t,"computer");
computer_val.length = strlen((const char *)computer_val.data);
+ if (ldb_msg_find_element(msg, "msDS-SecondaryKrbTgtNumber")) {
+ is_rodc = true;
+ }
+
if (!samAccountName) {
ret = ENOENT;
krb5_set_error_message(context, ret, "samba_kdc_message2entry: no samAccountName present");
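Review bot: is_rodc is set purely from the presence of msDS-SecondaryKrbTgtNumber in msg, so it is only as reliable as the attribute list the caller searched with; the sam.c hunk in this same push (the missing comma in KRBTGT_ATTRS) is what makes that attribute actually arrive. A comment noting the dependency, or a check that the value parses as an integer when present, would make this less brittle.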
@@ -686,6 +689,22 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
entry_ex->entry.flags.client = 0;
entry_ex->entry.flags.forwardable = 1;
entry_ex->entry.flags.ok_as_delegate = 1;
+ } else if (is_rodc) {
+ /* The RODC krbtgt account is like the main krbtgt,
+ * but it does not have a changepw or kadmin
+ * service */
+
+ entry_ex->entry.valid_end = NULL;
+ entry_ex->entry.pw_end = NULL;
+
+ /* Also don't allow the RODC krbtgt to be a client (it should not be needed) */
+ entry_ex->entry.flags.client = 0;
+ entry_ex->entry.flags.invalid = 0;
+ entry_ex->entry.flags.server = 1;
+
+ entry_ex->entry.flags.client = 0;
+ entry_ex->entry.flags.forwardable = 1;
+ entry_ex->entry.flags.ok_as_delegate = 0;
} else if (entry_ex->entry.flags.server && ent_type == SAMBA_KDC_ENT_TYPE_SERVER) {
/* The account/password expiry only applies when the account is used as a
* client (ie password login), not when used as a server */
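Review bot: `entry_ex->entry.flags.client = 0;` is assigned twice in the new RODC branch (once under the "don't allow the RODC krbtgt to be a client" comment and again three lines later); drop the duplicate. The branch also sets ok_as_delegate = 0 where the main krbtgt branch above sets it to 1, while keeping forwardable = 1 (the stated goal of the commit); that asymmetry looks deliberate, but say so in the comment so a reader does not take it for an oversight.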
@@ -735,7 +754,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
/* Get keys from the db */
ret = samba_kdc_message2entry_keys(context, p, msg,
- rid, userAccountControl,
+ rid, is_rodc, userAccountControl,
ent_type, entry_ex);
if (ret) {
/* Could be bougus data in the entry, or out of memory */
diff --git a/source4/lib/ldb/common/ldb_parse.c b/source4/lib/ldb/common/ldb_parse.c
index 746002e..0203f32 100644
--- a/source4/lib/ldb/common/ldb_parse.c
+++ b/source4/lib/ldb/common/ldb_parse.c
@@ -154,6 +154,9 @@ char *ldb_binary_encode(TALLOC_CTX *mem_ctx, struct ldb_val val)
char *ldb_binary_encode_string(TALLOC_CTX *mem_ctx, const char *string)
{
struct ldb_val val;
+ if (string == NULL) {
+ return NULL;
+ }
val.data = discard_const_p(uint8_t, string);
val.length = strlen(string);
return ldb_binary_encode(mem_ctx, val);
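Review bot: The NULL guard fixes the strlen(NULL) crash, but the function already returns NULL when ldb_binary_encode() fails to allocate, so callers can no longer tell "no input" from "out of memory"; document the NULL-in, NULL-out contract in the function's header comment and audit callers that treat a NULL return as an allocation failure.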
diff --git a/source4/setup/krb5.conf b/source4/setup/krb5.conf
index bb8df03..b1bf6cf 100644
--- a/source4/setup/krb5.conf
+++ b/source4/setup/krb5.conf
@@ -1,17 +1,4 @@
[libdefaults]
default_realm = ${REALM}
- dns_lookup_realm = true
+ dns_lookup_realm = false
dns_lookup_kdc = true
- ticket_lifetime = 24h
- forwardable = yes
-
-[realms]
- ${REALM} = {
- kdc = ${HOSTNAME}.${DNSDOMAIN}:88
- admin_server = ${HOSTNAME}.${DNSDOMAIN}:749
- default_domain = ${DNSDOMAIN}
- }
-
-[domain_realm]
- .${DNSDOMAIN} = ${REALM}
- ${DNSDOMAIN} = ${REALM}
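Review bot: Two of the removals change security-relevant behaviour and deserve a sentence in the commit message. Flipping dns_lookup_realm to false is an improvement (realm-from-DNS lookups let whoever controls the DNS answers steer the realm choice), and relying on dns_lookup_kdc instead of a hard-coded kdc = ${HOSTNAME} is acceptable because a spoofed SRV answer can only deny service, not impersonate a KDC that holds no krbtgt key. But dropping the [domain_realm] section is only correct when ${REALM} is the upper-cased ${DNSDOMAIN}, since that is the library's default mapping, and removing forwardable = yes means tickets are no longer forwardable by default, which the delegation fixes earlier in this push need at the client (kinit -f or a per-application setting).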