[SCM] Samba Shared Repository - branch master updated

Simo Sorce idra at samba.org
Thu Apr 19 17:54:05 MDT 2012


The branch, master has been updated
       via  4b29cf5 Move kdc_get_policy helper in the lsa server where it belongs.
       via  37e98ff Use loadparm helper to find lifetime defaults
       via  86910e1 loadparm: Add helper function to fetch default lifetime policies
       via  74510b0 loadparm: Add convenience function to return long integers
       via  e0f425a loadparm: Fix broken lp_ulong utility function
       via  97f5b28 Move README file in the right place.
      from  00d5f32 Fix bug #8877 - Syslog broken owing to mistyping of debug_settings.syslog.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 4b29cf5f66c5e75f759a5c2a79ba26629f907778
Author: Simo Sorce <idra at samba.org>
Date:   Thu Apr 19 17:54:57 2012 -0400

    Move kdc_get_policy helper in the lsa server where it belongs.
    
    This was used in only 2 places, db-glue.c and the lsa server.
    In db-glue.c it is awkward though, as it forces the use of an inconvenient lsa
    structure and conversions from time_t to nt_time only to have nt_times
    converted back to time_t for actual use. This is silly.
    
    Also the kdc-policy file was a single function library, that's just ridiculous.
    
    The loadparm helper is all we need to keep the values consistent, and if we
    ever end up doing something with group policies we will care about it when it's
    the time. the code would have to change quite a lot anyway.
    
    Autobuild-User: Simo Sorce <idra at samba.org>
    Autobuild-Date: Fri Apr 20 01:53:37 CEST 2012 on sn-devel-104

commit 37e98ff252edc5e76d2c74a8459247ffcb5fd101
Author: Simo Sorce <idra at samba.org>
Date:   Thu Apr 19 11:17:25 2012 -0400

    Use loadparm helper to find lifetime defaults
    
    Implicitly fixes buggy use of int for time_t

commit 86910e15feaa490cf70f592c6e9af44f3db7e6f0
Author: Simo Sorce <idra at samba.org>
Date:   Thu Apr 19 11:16:03 2012 -0400

    loadparm: Add helper function to fetch default lifetime policies
    
    This uses long to fetch time_t quantities, because there are architectures where
    time_t is a signed long but long != int, so long is the proper way to deal with
    it.

commit 74510b059e6852d1491a4cb6eaa9cc7c2ed61fbf
Author: Simo Sorce <idra at samba.org>
Date:   Thu Apr 19 11:00:45 2012 -0400

    loadparm: Add convenience function to return long integers

commit e0f425ab2d49779d0abbc0756326f548ff1ee19b
Author: Simo Sorce <idra at samba.org>
Date:   Thu Apr 19 10:58:39 2012 -0400

    loadparm: Fix broken lp_ulong utility function

commit 97f5b287fbe36e8e0026c3a76f90a7662111e9aa
Author: Simo Sorce <idra at samba.org>
Date:   Thu Apr 19 10:34:54 2012 -0400

    Move README file in the right place.
    
    Someone forgot to move the README when they moved the code ...

-----------------------------------------------------------------------

Summary of changes:
 {source4 => lib}/param/README       |    0
 lib/param/loadparm.c                |   29 +++++++++++++++++++-
 lib/param/param.h                   |    5 +++
 lib/param/util.c                    |   19 ++++++++++++++
 source4/kdc/db-glue.c               |   17 +++++++-----
 source4/kdc/kdc-policy.h            |   25 ------------------
 source4/kdc/policy.c                |   48 -----------------------------------
 source4/kdc/samba_kdc.h             |    8 +++++-
 source4/kdc/wscript_build           |   10 +------
 source4/rpc_server/lsa/dcesrv_lsa.c |   26 ++++++++++++++++++-
 source4/rpc_server/wscript_build    |    2 +-
 11 files changed, 95 insertions(+), 94 deletions(-)
 rename {source4 => lib}/param/README (100%)
 delete mode 100644 source4/kdc/kdc-policy.h
 delete mode 100644 source4/kdc/policy.c
 mode change 100644 => 100755 source4/kdc/wscript_build


Changeset truncated at 500 lines:

diff --git a/source4/param/README b/lib/param/README
similarity index 100%
rename from source4/param/README
rename to lib/param/README
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 46bae44..d68d585 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -1699,11 +1699,11 @@ static int lp_int(const char *s)
 /**
  * convenience routine to return unsigned long parameters.
  */
-static int lp_ulong(const char *s)
+static unsigned long lp_ulong(const char *s)
 {
 
 	if (!s) {
-		DEBUG(0,("lp_int(%s): is called with NULL!\n",s));
+		DEBUG(0,("lp_ulong(%s): is called with NULL!\n",s));
 		return -1;
 	}
 
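Review bot: With the return type corrected to `unsigned long`, the NULL branch's `return -1` now converts to ULONG_MAX, which a caller cannot tell apart from a configured value. If that is meant as an error sentinel it should be documented in the header comment, e.g. `returns ULONG_MAX when s is NULL`; otherwise returning 0 would be less surprising. The same branch passes the NULL `s` to a `%s` conversion, which is undefined for printf-style formatting (assuming DEBUG formats that way); `DEBUG(0,("lp_ulong(): is called with NULL!\n"));` avoids it, and the new lp_long in the next hunk copies the same pattern. The rest of lp_ulong lies outside this hunk.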
@@ -1713,6 +1713,20 @@ static int lp_ulong(const char *s)
 /**
  * convenience routine to return unsigned long parameters.
  */
+static long lp_long(const char *s)
+{
+
+	if (!s) {
+		DEBUG(0,("lp_long(%s): is called with NULL!\n",s));
+		return -1;
+	}
+
+	return strtol(s, NULL, 0);
+}
+
+/**
+ * convenience routine to return unsigned long parameters.
+ */
 static double lp_double(const char *s)
 {
 
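Review bot: lp_long calls `strtol(s, NULL, 0)` without an end pointer or an errno check, so a non-numeric value silently parses as 0 and an out-of-range one saturates at LONG_MAX or LONG_MIN. Because lpcfg_parm_long in the following hunk returns this result whenever the option is set, a malformed "kdc" lifetime would become 0 rather than `default_v`. At minimum the parse failure should be logged, as sketched below (this needs errno.h in scope, and the trailing-character test assumes values arrive already trimmed). The doc comment is also copied unchanged: "unsigned long parameters" now sits above both lp_long and lp_double and should read "long" and "double" respectively. lp_double's body continues outside the hunk.

```c
static long lp_long(const char *s)
{
	char *end = NULL;
	long v;

	/* … unchanged: NULL check … */

	errno = 0;
	v = strtol(s, &end, 0);
	if (end == s || *end != '\0' || errno == ERANGE) {
		/* Surface the bad value instead of silently using 0 or a saturated result. */
		DEBUG(0,("lp_long(%s): not a valid long integer\n", s));
	}
	return v;
}
```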
@@ -1840,6 +1854,17 @@ unsigned long lpcfg_parm_ulong(struct loadparm_context *lp_ctx,
 	return default_v;
 }
 
+long lpcfg_parm_long(struct loadparm_context *lp_ctx,
+		     struct loadparm_service *service, const char *type,
+		     const char *option, long default_v)
+{
+	const char *value = lpcfg_get_parametric(lp_ctx, service, type, option);
+
+	if (value)
+		return lp_long(value);
+
+	return default_v;
+}
 
 double lpcfg_parm_double(struct loadparm_context *lp_ctx,
 		      struct loadparm_service *service, const char *type,
diff --git a/lib/param/param.h b/lib/param/param.h
index 079ef8b..7842a84 100644
--- a/lib/param/param.h
+++ b/lib/param/param.h
@@ -297,6 +297,11 @@ struct smb_iconv_handle *smb_iconv_handle_reinit_lp(TALLOC_CTX *mem_ctx,
 
 const char *lpcfg_sam_name(struct loadparm_context *lp_ctx);
 
+void lpcfg_default_kdc_policy(struct loadparm_context *lp_ctx,
+				time_t *svc_tkt_lifetime,
+				time_t *usr_tkt_lifetime,
+				time_t *renewal_lifetime);
+
 /* The following definitions come from lib/version.c  */
 
 const char *samba_version_string(void);
diff --git a/lib/param/util.c b/lib/param/util.c
index 3a6a004..f60abb9 100644
--- a/lib/param/util.c
+++ b/lib/param/util.c
@@ -266,3 +266,22 @@ const char *lpcfg_sam_name(struct loadparm_context *lp_ctx)
 	}
 }
 
+void lpcfg_default_kdc_policy(struct loadparm_context *lp_ctx,
+				time_t *svc_tkt_lifetime,
+				time_t *usr_tkt_lifetime,
+				time_t *renewal_lifetime)
+{
+	long val;
+
+	val = lpcfg_parm_long(lp_ctx, NULL,
+				"kdc", "service ticket lifetime", 10);
+	*svc_tkt_lifetime = val * 60 * 60;
+
+	val = lpcfg_parm_long(lp_ctx, NULL,
+				"kdc", "user ticket lifetime", 10);
+	*usr_tkt_lifetime = val * 60 * 60;
+
+	val = lpcfg_parm_long(lp_ctx, NULL,
+				"kdc", "renewal lifetime", 24 * 7);
+	*renewal_lifetime = val * 60 * 60;
+}
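Review bot: Each `val * 60 * 60` multiplies an unvalidated configuration value in `long`, so a very large setting overflows (undefined behaviour for signed arithmetic) and a negative one produces a negative `time_t`. These values become the KDC's default ticket and renewal lifetimes, so they should be range-checked before scaling. Whether to fall back to the default or to clamp is a policy choice; the sketch below falls back, and it needs limits.h for LONG_MAX. The function would also benefit from a short header comment stating that the out-parameters must be non-NULL and receive seconds.

```c
/* Scale a configured lifetime by 60 * 60 (the option is presumably in hours);
 * a negative value, or one that would overflow, falls back to def_hours. */
static time_t kdc_lifetime_secs(long hours, long def_hours)
{
	if (hours < 0 || hours > LONG_MAX / (60 * 60)) {
		hours = def_hours;
	}
	return hours * 60 * 60;
}

	/* in lpcfg_default_kdc_policy(): */
	val = lpcfg_parm_long(lp_ctx, NULL,
				"kdc", "service ticket lifetime", 10);
	*svc_tkt_lifetime = kdc_lifetime_secs(val, 10);
	/* … unchanged: same pattern for "user ticket lifetime" and "renewal lifetime" … */
```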
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 95a524d..7bb2db2 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -35,7 +35,6 @@
 #include <hdb.h>
 #include "kdc/samba_kdc.h"
 #include "kdc/kdc-glue.h"
-#include "kdc/kdc-policy.h"
 #include "kdc/db-glue.h"
 
 #define SAMBA_KVNO_GET_KRBTGT(kvno) \
@@ -784,12 +783,12 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 	}
 
 	if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER) {
-		*entry_ex->entry.max_life = nt_time_to_unix(kdc_db_ctx->policy.service_tkt_lifetime);
+		*entry_ex->entry.max_life = kdc_db_ctx->policy.svc_tkt_lifetime;
 	} else if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT || ent_type == SAMBA_KDC_ENT_TYPE_CLIENT) {
-		*entry_ex->entry.max_life = nt_time_to_unix(kdc_db_ctx->policy.user_tkt_lifetime);
+		*entry_ex->entry.max_life = kdc_db_ctx->policy.usr_tkt_lifetime;
 	} else {
-		*entry_ex->entry.max_life = MIN(nt_time_to_unix(kdc_db_ctx->policy.service_tkt_lifetime),
-					       nt_time_to_unix(kdc_db_ctx->policy.user_tkt_lifetime));
+		*entry_ex->entry.max_life = MIN(kdc_db_ctx->policy.svc_tkt_lifetime,
+					        kdc_db_ctx->policy.usr_tkt_lifetime);
 	}
 
 	entry_ex->entry.max_renew = malloc(sizeof(*entry_ex->entry.max_life));
@@ -798,7 +797,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 		goto out;
 	}
 
-	*entry_ex->entry.max_renew = nt_time_to_unix(kdc_db_ctx->policy.user_tkt_renewaltime);
+	*entry_ex->entry.max_renew = kdc_db_ctx->policy.renewal_lifetime;
 
 	entry_ex->entry.generation = NULL;
 
@@ -1881,7 +1880,11 @@ NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_conte
 	kdc_db_ctx->ev_ctx = base_ctx->ev_ctx;
 	kdc_db_ctx->lp_ctx = base_ctx->lp_ctx;
 
-	kdc_get_policy(base_ctx->lp_ctx, NULL, &kdc_db_ctx->policy);
+	/* get default kdc policy */
+	lpcfg_default_kdc_policy(base_ctx->lp_ctx,
+				 &kdc_db_ctx->policy.svc_tkt_lifetime,
+				 &kdc_db_ctx->policy.usr_tkt_lifetime,
+				 &kdc_db_ctx->policy.renewal_lifetime);
 
 	session_info = system_session(kdc_db_ctx->lp_ctx);
 	if (session_info == NULL) {
diff --git a/source4/kdc/kdc-policy.h b/source4/kdc/kdc-policy.h
deleted file mode 100644
index 01e9372..0000000
--- a/source4/kdc/kdc-policy.h
+++ /dev/null
@@ -1,25 +0,0 @@
-/*
-   Unix SMB/CIFS implementation.
-
-   KDC Policy
-
-   Copyright (C) Andrew Bartlett <abartlet at samba.org> 2010
-
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 3 of the License, or
-   (at your option) any later version.
-
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-
-   You should have received a copy of the GNU General Public License
-   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*/
-
-struct lsa_DomainInfoKerberos;
-struct loadparm_context;
-struct smb_krb5_context;
-#include "kdc/kdc-policy-proto.h"
diff --git a/source4/kdc/policy.c b/source4/kdc/policy.c
deleted file mode 100644
index e9cc608..0000000
--- a/source4/kdc/policy.c
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
-   Unix SMB/CIFS implementation.
-
-   KDC Policy
-
-   Copyright (C) Andrew Bartlett <abartlet at samba.org> 2010
-
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 3 of the License, or
-   (at your option) any later version.
-
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-
-   You should have received a copy of the GNU General Public License
-   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-#include "system/kerberos.h"
-#include "auth/kerberos/kerberos.h"
-#include "param/param.h"
-#include "kdc/kdc-policy.h"
-
-void kdc_get_policy(struct loadparm_context *lp_ctx, 
-		    struct smb_krb5_context *smb_krb5_context, 
-		    struct lsa_DomainInfoKerberos *k)
-{
-	/* These should be set and stored via Group Policy, but until then, some defaults are in order */
-
-	/* Our KDC always re-validates the client */
-	k->authentication_options = LSA_POLICY_KERBEROS_VALIDATE_CLIENT;
-
-	unix_to_nt_time(&k->service_tkt_lifetime,
-			lpcfg_parm_int(lp_ctx, NULL, "kdc", "service ticket lifetime", 10) * 60 * 60);
-	unix_to_nt_time(&k->user_tkt_lifetime,
-			lpcfg_parm_int(lp_ctx, NULL, "kdc", "user ticket lifetime", 10) * 60 * 60);
-	unix_to_nt_time(&k->user_tkt_renewaltime,
-			lpcfg_parm_int(lp_ctx, NULL, "kdc", "renewal lifetime", 24*7) * 60 * 60);
-	if (smb_krb5_context) {
-		unix_to_nt_time(&k->clock_skew, 
-				krb5_get_max_time_skew(smb_krb5_context->krb5_context));
-	}
-	k->reserved = 0;
-}
diff --git a/source4/kdc/samba_kdc.h b/source4/kdc/samba_kdc.h
index 1c3bb16..607b436 100644
--- a/source4/kdc/samba_kdc.h
+++ b/source4/kdc/samba_kdc.h
@@ -24,6 +24,12 @@
 #ifndef _SAMBA_KDC_H_
 #define _SAMBA_KDC_H_
 
+struct samba_kdc_policy {
+	time_t svc_tkt_lifetime;
+	time_t usr_tkt_lifetime;
+	time_t renewal_lifetime;
+};
+
 struct samba_kdc_base_context {
 	struct tevent_context *ev_ctx;
 	struct loadparm_context *lp_ctx;
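Review bot: The three fields of `struct samba_kdc_policy` give no indication of their unit. The values are stored after a `* 60 * 60` scaling in lpcfg_default_kdc_policy, so a reader of this header cannot tell that they hold seconds rather than the configured quantity. A one-line comment above the struct would do, e.g. `/* default ticket lifetimes in seconds, filled by lpcfg_default_kdc_policy() */`. The header now also uses `time_t`, and this hunk does not show whether a time header is included ahead of it. struct samba_kdc_base_context continues past the end of the hunk.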
@@ -39,7 +45,7 @@ struct samba_kdc_db_context {
 	bool rodc;
 	unsigned int my_krbtgt_number;
 	struct ldb_dn *krbtgt_dn;
-	struct lsa_DomainInfoKerberos policy;
+	struct samba_kdc_policy policy;
 };
 
 struct samba_kdc_entry {
diff --git a/source4/kdc/wscript_build b/source4/kdc/wscript_build
old mode 100644
new mode 100755
index 22eee12..a566818
--- a/source4/kdc/wscript_build
+++ b/source4/kdc/wscript_build
@@ -49,19 +49,11 @@ bld.SAMBA_LIBRARY('pac',
 
 bld.SAMBA_LIBRARY('db-glue',
 	source='db-glue.c',
-	deps='ldb auth4_sam auth_sam_reply samba-credentials hdb samba-hostconfig com_err kdc-policy',
+	deps='ldb auth4_sam auth_sam_reply samba-credentials hdb samba-hostconfig com_err',
 	private_library=True,
 	includes='../heimdal/kdc',
 	)
 
-bld.SAMBA_LIBRARY('kdc-policy',
-	source='policy.c',
-	deps='samba-hostconfig authkrb5',
-	private_library=True,
-        autoproto = 'kdc-policy-proto.h'
-        )
-
-
 bld.SAMBA_SUBSYSTEM('MIT_SAMBA',
 	source='mit_samba.c',
 	deps='ldb auth4_sam auth_sam_reply samba-credentials hdb db-glue PAC_GLUE samba-hostconfig com_err'
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index de95b4a..2ecd144 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -31,7 +31,6 @@
 #include "lib/util/tsort.h"
 #include "dsdb/common/util.h"
 #include "libcli/security/session.h"
-#include "kdc/kdc-policy.h"
 #include "libcli/lsarpc/util_lsarpc.h"
 
 /*
@@ -3691,6 +3690,31 @@ static NTSTATUS dcesrv_lsa_SetInfoPolicy2(struct dcesrv_call_state *dce_call,
 	DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
 }
 
+static void kdc_get_policy(struct loadparm_context *lp_ctx,
+			   struct smb_krb5_context *smb_krb5_context,
+			   struct lsa_DomainInfoKerberos *k)
+{
+	time_t svc_tkt_lifetime;
+	time_t usr_tkt_lifetime;
+	time_t renewal_lifetime;
+
+	/* These should be set and stored via Group Policy, but until then, some defaults are in order */
+
+	/* Our KDC always re-validates the client */
+	k->authentication_options = LSA_POLICY_KERBEROS_VALIDATE_CLIENT;
+
+	lpcfg_default_kdc_policy(lp_ctx, &svc_tkt_lifetime,
+				 &usr_tkt_lifetime, &renewal_lifetime);
+
+	unix_to_nt_time(&k->service_tkt_lifetime, svc_tkt_lifetime);
+	unix_to_nt_time(&k->user_tkt_lifetime, usr_tkt_lifetime);
+	unix_to_nt_time(&k->user_tkt_renewaltime, renewal_lifetime);
+	if (smb_krb5_context) {
+		unix_to_nt_time(&k->clock_skew, 
+				krb5_get_max_time_skew(smb_krb5_context->krb5_context));
+	}
+	k->reserved = 0;
+}
 /*
   lsa_QueryDomainInformationPolicy
 */
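Review bot: When `smb_krb5_context` is NULL, kdc_get_policy never writes `k->clock_skew`, although it sets every other field it touches. What ends up in that field then depends on whether the caller zeroed the structure, which this hunk does not show. Since `k` is an LSA info structure that is presumably returned to the RPC client, an unset field could expose stale memory; giving the existing branch an else arm, `} else { k->clock_skew = 0; }`, or assigning 0 before the `if`, makes the function self-contained. A blank line between the closing brace and the following `lsa_QueryDomainInformationPolicy` comment would also keep the spacing consistent.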
diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build
index ffdee23..c684c05 100755
--- a/source4/rpc_server/wscript_build
+++ b/source4/rpc_server/wscript_build
@@ -93,7 +93,7 @@ bld.SAMBA_MODULE('dcerpc_lsarpc',
 	autoproto='lsa/proto.h',
 	subsystem='dcerpc_server',
 	init_function='dcerpc_server_lsa_init',
-	deps='samdb DCERPC_COMMON ndr-standard LIBCLI_AUTH NDR_DSSETUP com_err security kdc-policy UTIL_LSARPC'
+	deps='samdb DCERPC_COMMON ndr-standard LIBCLI_AUTH NDR_DSSETUP com_err security UTIL_LSARPC'
 	)
 
 


-- 
Samba Shared Repository

