[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Thu Jan 5 10:52:05 MST 2012
The branch, master has been updated
via 1b73896 s3-auth remove outdated comment
via 4ac34f3 s3-librpc remove unused headers
via a074a5d s3-auth Remove more unused headers
via 6abb880 s3-auth remove unused ntlmssp.h
via 16e463e s3-auth Remove ntlmssp_wrap.h which is no longer required
via 3042e38 s3-auth use gensec directly rather than via auth_generic_state
via 0c0c23f s3-auth Set remote address for both AD and s3 gensec modes
via e22b1b4 s3-auth re-create the auth context in the s3 ntlmssp server module
via 1075efa s3-auth Add TALLOC_CTX * to auth_generic_prepare()
via c579b73 s3-auth supply s3 ntlmssp module via gensec_settings
via 7b4f2fa s3-selftest: Add test for rpcclient, including kerberos authentication
via 73ed88d s3:gse: MIT krb5 1.8.1 has a bug in gss_wrap_iov()
via a1fd1a4 s3-librpc store the sign/seal flags we got in the gssapi client
via 860ad73 s3-libads Factor out a new routine kerberos_get_principal_from_service_hostname()
via 25d7675 s3-librpc Use gsskrb5_get_subkey() where available to get the session key
from ab58469 s3: Remove some redundant code
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 1b738963ee69eaf4951fc34d03636f840ca5fadf
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Dec 26 15:52:59 2011 +1100
s3-auth remove outdated comment
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User: Stefan Metzmacher <metze at samba.org>
Autobuild-Date: Thu Jan 5 18:51:47 CET 2012 on sn-devel-104
commit 4ac34f3288267f02003de8c622b3375f1a6752bb
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Dec 26 15:21:23 2011 +1100
s3-librpc remove unused headers
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit a074a5d5facc68641f74424b0ca675aaa6dfd66e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Dec 26 15:02:50 2011 +1100
s3-auth Remove more unused headers
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 6abb880519c365de72bfeb0f85f2d591d0114613
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Dec 26 15:01:41 2011 +1100
s3-auth remove unused ntlmssp.h
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 16e463e16900822d29fa57dd210cff2be5933402
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Dec 26 14:57:02 2011 +1100
s3-auth Remove ntlmssp_wrap.h which is no longer required
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 3042e38d519411e774e110b16a2eeeaef4b25a65
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Dec 26 14:23:15 2011 +1100
s3-auth use gensec directly rather than via auth_generic_state
This is possible because the s3 gensec modules are started as
normal gensec modules, so we do not need a wrapper any more.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 0c0c23f3fe6f7c55d69d6ca19f8252b12aa8fe5a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Dec 26 13:42:37 2011 +1100
s3-auth Set remote address for both AD and s3 gensec modes
commit e22b1b4f9e1ec46cf7dffbce24a88240d6fa2a05
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Dec 26 12:26:43 2011 +1100
s3-auth re-create the auth context in the s3 ntlmssp server module
This removes the abstraction violation in auth_generic.c.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 1075efabc73ef9e890fdb7a53b15cabf467c6a9b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Dec 26 12:13:21 2011 +1100
s3-auth Add TALLOC_CTX * to auth_generic_prepare()
This makes the long term owner of this memory more clear. So far only the
clear cases have been moved from NULL however.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit c579b735d6e5ba5345ae8e26477ab13c2646c84a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Dec 26 11:39:29 2011 +1100
s3-auth supply s3 ntlmssp module via gensec_settings
This will allow the supply of multiple modules in future
without duplicating the module selection logic.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 7b4f2fad544137db3399e0daa04dd154ba10357d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jan 3 15:57:40 2012 +1100
s3-selftest: Add test for rpcclient, including kerberos authentication
Some knownfail entries are added for things that currently fail.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 73ed88df350c0e307fcf7402be12170c22f2227e
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 5 14:59:20 2012 +0100
s3:gse: MIT krb5 1.8.1 has a bug in gss_wrap_iov()
gss_krb5int_make_seal_token_v3_iov() doesn't set '*conf_state'.
metze
commit a1fd1a4c65fe0cfe71ecad96702a037cf6a16143
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jan 3 15:48:01 2012 +1100
s3-librpc store the sign/seal flags we got in the gssapi client
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 860ad734ba77238d187520f72afcbdc1c73d94ef
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Jan 4 11:39:38 2012 +1100
s3-libads Factor out a new routine kerberos_get_principal_from_service_hostname()
This is now used in the GSE GSSAPI client, so that when we connect to
a target server at the CIFS level, we use the same name to connect
at the DCE/RPC level.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 25d7675d695fc1325b954cd90e339b1879776e2b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jan 2 22:17:06 2012 +1100
s3-librpc Use gsskrb5_get_subkey() where available to get the session key
This allows gse_get_session_key() to work against Heimdal.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze at samba.org>
-----------------------------------------------------------------------
Summary of changes:
selftest/knownfail | 9 ++
source3/auth/auth.c | 2 -
source3/auth/auth_generic.c | 153 ++++++-----------------------
source3/auth/auth_ntlmssp.c | 6 +-
source3/auth/auth_samba4.c | 2 -
source3/auth/proto.h | 8 +-
source3/include/auth.h | 11 +--
source3/include/ntlmssp_wrap.h | 5 -
source3/include/smb.h | 2 +-
source3/libads/kerberos.c | 50 +++++++++--
source3/libads/kerberos_proto.h | 7 +-
source3/librpc/crypto/gse.c | 33 ++++++-
source3/librpc/rpc/dcerpc_helpers.c | 2 -
source3/libsmb/cliconnect.c | 46 ++-------
source3/rpc_server/dcesrv_auth_generic.c | 57 +++++-------
source3/script/tests/test_rpcclient.sh | 19 ++++
source3/selftest/tests.py | 11 ++-
source3/smbd/globals.h | 2 +-
source3/smbd/negprot.c | 14 ++--
source3/smbd/password.c | 4 +-
source3/smbd/seal.c | 22 ++---
source3/smbd/sesssetup.c | 61 ++++++------
source3/smbd/smb2_sesssetup.c | 54 +++++------
source4/heimdal_build/wscript_configure | 1 +
24 files changed, 261 insertions(+), 320 deletions(-)
create mode 100755 source3/script/tests/test_rpcclient.sh
Changeset truncated at 500 lines:
diff --git a/selftest/knownfail b/selftest/knownfail
index 9e52fa8..220df1c 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -12,6 +12,15 @@
^samba3.*rap.sam.*.useradd # Not provided by Samba 3
^samba3.*rap.sam.*.userdelete # Not provided by Samba 3
^samba3.posix_s3.libsmbclient .opendir # This requires a workgroup called 'WORKGROUP' and for netbios browse lists to have been registered
+#These rpcclient combinations (pipe-level authentication but without sign or seal) need fixing in s3
+^samba3.blackbox.rpcclient over ncacn_np with \[spnego\]
+^samba3.blackbox.rpcclient over ncacn_np with \[spnego,bigendian\]
+^samba3.blackbox.rpcclient over ncacn_np with \[spnego,connect\]
+^samba3.blackbox.rpcclient over ncacn_np with \[spnego,connect,bigendian\]
+^samba3.blackbox.rpcclient over ncacn_np with \[spnego,smb2\]
+^samba3.blackbox.rpcclient over ncacn_np with \[spnego,smb2,bigendian\]
+^samba3.blackbox.rpcclient over ncacn_np with \[spnego,connect,smb2\]
+^samba3.blackbox.rpcclient over ncacn_np with \[spnego,connect,smb2,bigendian\]
# these show that we still have some differences between our system
# with our internal iconv because it passes except when we bypass our
# internal iconv modules
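Review bot: the new comment line `#These rpcclient combinations ...` drops the space after `#` that the surrounding knownfail comments use (`# these show that ...`); match the file's existing comment style. It would also help to record in that comment which tracking item the "need fixing in s3" work belongs to, so the eight entries can be removed together once pipe-level authentication without sign or seal works.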
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 4e413b1..1e1ede4 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -464,8 +464,6 @@ static NTSTATUS make_auth_context_text_list(TALLOC_CTX *mem_ctx,
for (method = (*auth_context)->auth_method_list; method; method = method->next) {
if (method->prepare_gensec) {
(*auth_context)->prepare_gensec = method->prepare_gensec;
- (*auth_context)->gensec_start_mech_by_oid = method->gensec_start_mech_by_oid;
- (*auth_context)->gensec_start_mech_by_authtype = method->gensec_start_mech_by_authtype;
break;
}
}
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index 47723d5..d7108f5 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -22,168 +22,79 @@
#include "includes.h"
#include "auth.h"
-#include "../auth/ntlmssp/ntlmssp.h"
-#include "ntlmssp_wrap.h"
-#include "../librpc/gen_ndr/netlogon.h"
-#include "../librpc/gen_ndr/dcerpc.h"
#include "../lib/tsocket/tsocket.h"
#include "auth/gensec/gensec.h"
-#include "librpc/rpc/dcerpc.h"
#include "lib/param/param.h"
-NTSTATUS auth_generic_prepare(const struct tsocket_address *remote_address,
- struct auth_generic_state **auth_ntlmssp_state)
+NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
+ const struct tsocket_address *remote_address,
+ struct gensec_security **gensec_security_out)
{
+ struct gensec_security *gensec_security;
struct auth_context *auth_context;
- struct auth_generic_state *ans;
NTSTATUS nt_status;
- ans = talloc_zero(NULL, struct auth_generic_state);
- if (!ans) {
- DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
- return NT_STATUS_NO_MEMORY;
- }
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
- nt_status = make_auth_context_subsystem(talloc_tos(), &auth_context);
+ nt_status = make_auth_context_subsystem(tmp_ctx, &auth_context);
if (!NT_STATUS_IS_OK(nt_status)) {
- TALLOC_FREE(ans);
+ TALLOC_FREE(tmp_ctx);
return nt_status;
}
- ans->auth_context = talloc_steal(ans, auth_context);
-
if (auth_context->prepare_gensec) {
- nt_status = auth_context->prepare_gensec(ans,
- &ans->gensec_security);
+ nt_status = auth_context->prepare_gensec(tmp_ctx,
+ &gensec_security);
if (!NT_STATUS_IS_OK(nt_status)) {
- TALLOC_FREE(ans);
+ TALLOC_FREE(tmp_ctx);
return nt_status;
}
- *auth_ntlmssp_state = ans;
- return NT_STATUS_OK;
} else {
struct gensec_settings *gensec_settings;
struct loadparm_context *lp_ctx;
- lp_ctx = loadparm_init_s3(ans, loadparm_s3_context());
+ lp_ctx = loadparm_init_s3(tmp_ctx, loadparm_s3_context());
if (lp_ctx == NULL) {
DEBUG(10, ("loadparm_init_s3 failed\n"));
- TALLOC_FREE(ans);
+ TALLOC_FREE(tmp_ctx);
return NT_STATUS_INVALID_SERVER_STATE;
}
- gensec_settings = lpcfg_gensec_settings(ans, lp_ctx);
+ gensec_settings = lpcfg_gensec_settings(tmp_ctx, lp_ctx);
if (lp_ctx == NULL) {
DEBUG(10, ("lpcfg_gensec_settings failed\n"));
- TALLOC_FREE(ans);
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ gensec_settings->backends = talloc_zero_array(gensec_settings, struct gensec_security_ops *, 2);
+ if (gensec_settings->backends == NULL) {
+ TALLOC_FREE(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
- nt_status = gensec_server_start(ans, gensec_settings,
- NULL, &ans->gensec_security);
+ gensec_settings->backends[0] = &gensec_ntlmssp3_server_ops;
+
+ nt_status = gensec_server_start(tmp_ctx, gensec_settings,
+ NULL, &gensec_security);
if (!NT_STATUS_IS_OK(nt_status)) {
- TALLOC_FREE(ans);
+ TALLOC_FREE(tmp_ctx);
return nt_status;
}
- talloc_unlink(ans, lp_ctx);
- talloc_unlink(ans, gensec_settings);
+ talloc_unlink(tmp_ctx, lp_ctx);
+ talloc_unlink(tmp_ctx, gensec_settings);
}
- nt_status = gensec_set_remote_address(ans->gensec_security,
+ nt_status = gensec_set_remote_address(gensec_security,
remote_address);
if (!NT_STATUS_IS_OK(nt_status)) {
- TALLOC_FREE(ans);
+ TALLOC_FREE(tmp_ctx);
return nt_status;
}
- *auth_ntlmssp_state = ans;
- return NT_STATUS_OK;
-}
-
-NTSTATUS auth_generic_start(struct auth_generic_state *auth_ntlmssp_state, const char *oid)
-{
- struct gensec_ntlmssp_context *gensec_ntlmssp;
- NTSTATUS status;
-
- if (auth_ntlmssp_state->auth_context->gensec_start_mech_by_oid) {
- return auth_ntlmssp_state->auth_context->gensec_start_mech_by_oid(
- auth_ntlmssp_state->gensec_security, oid);
- }
-
- if (strcmp(oid, GENSEC_OID_NTLMSSP) != 0) {
- return NT_STATUS_NOT_IMPLEMENTED;
- }
-
- status = gensec_start_mech_by_ops(auth_ntlmssp_state->gensec_security,
- &gensec_ntlmssp3_server_ops);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- gensec_ntlmssp =
- talloc_get_type_abort(auth_ntlmssp_state->gensec_security->private_data,
- struct gensec_ntlmssp_context);
-
- gensec_ntlmssp->auth_context = talloc_move(gensec_ntlmssp, &auth_ntlmssp_state->auth_context);
-
- return NT_STATUS_OK;
-}
-
-NTSTATUS auth_generic_authtype_start(struct auth_generic_state *auth_ntlmssp_state,
- uint8_t auth_type, uint8_t auth_level)
-{
- struct gensec_ntlmssp_context *gensec_ntlmssp;
- NTSTATUS status;
-
- if (auth_ntlmssp_state->auth_context->gensec_start_mech_by_authtype) {
- return auth_ntlmssp_state->auth_context->gensec_start_mech_by_authtype(
- auth_ntlmssp_state->gensec_security,
- auth_type, auth_level);
- }
-
- if (auth_type != DCERPC_AUTH_TYPE_NTLMSSP) {
- /* The caller will then free the auth_ntlmssp_state,
- * undoing what was done in auth_generic_prepare().
- *
- * We can't do that logic here, as
- * auth_ntlmssp_want_feature() may have been called in
- * between.
- */
- return NT_STATUS_NOT_IMPLEMENTED;
- }
-
- gensec_want_feature(auth_ntlmssp_state->gensec_security,
- GENSEC_FEATURE_DCE_STYLE);
- gensec_want_feature(auth_ntlmssp_state->gensec_security,
- GENSEC_FEATURE_ASYNC_REPLIES);
- if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
- gensec_want_feature(auth_ntlmssp_state->gensec_security,
- GENSEC_FEATURE_SIGN);
- } else if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
- gensec_want_feature(auth_ntlmssp_state->gensec_security,
- GENSEC_FEATURE_SIGN);
- gensec_want_feature(auth_ntlmssp_state->gensec_security,
- GENSEC_FEATURE_SEAL);
- } else if (auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
- /* Default features */
- } else {
- DEBUG(2,("auth_level %d not supported in DCE/RPC authentication\n",
- auth_level));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- status = gensec_start_mech_by_ops(auth_ntlmssp_state->gensec_security,
- &gensec_ntlmssp3_server_ops);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- gensec_ntlmssp =
- talloc_get_type_abort(auth_ntlmssp_state->gensec_security->private_data,
- struct gensec_ntlmssp_context);
-
- gensec_ntlmssp->auth_context = talloc_move(gensec_ntlmssp, &auth_ntlmssp_state->auth_context);
-
+ *gensec_security_out = talloc_steal(mem_ctx, gensec_security);
+ TALLOC_FREE(tmp_ctx);
return NT_STATUS_OK;
}
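Review bot: the NULL check after `gensec_settings = lpcfg_gensec_settings(tmp_ctx, lp_ctx);` still tests `lp_ctx` instead of `gensec_settings`, and this hunk now dereferences `gensec_settings->backends` right after it, so an allocation failure becomes a NULL dereference rather than the intended NT_STATUS_NO_MEMORY; change it to `if (gensec_settings == NULL) {`. The `backends` array is also allocated with two slots and only `backends[0]` is assigned, which relies on talloc_zero_array leaving `backends[1]` as the NULL terminator; a short comment there would make that intent explicit, since the commit message says further modules will be supplied through this array.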
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index a0deada..7a23a92 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -23,7 +23,6 @@
#include "includes.h"
#include "auth.h"
#include "../auth/ntlmssp/ntlmssp.h"
-#include "ntlmssp_wrap.h"
#include "../librpc/gen_ndr/netlogon.h"
#include "../librpc/gen_ndr/dcerpc.h"
#include "../lib/tsocket/tsocket.h"
@@ -242,6 +241,11 @@ static NTSTATUS gensec_ntlmssp3_server_start(struct gensec_security *gensec_secu
talloc_get_type_abort(gensec_security->private_data,
struct gensec_ntlmssp_context);
+ nt_status = make_auth_context_subsystem(gensec_ntlmssp, &gensec_ntlmssp->auth_context);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
nt_status = ntlmssp_server_start(gensec_ntlmssp,
is_standalone,
netbios_name,
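Review bot: `make_auth_context_subsystem()` is now called on every `gensec_ntlmssp3_server_start()`, while `auth_generic_prepare()` in the auth_generic.c hunk still calls it on `tmp_ctx` only to test `auth_context->prepare_gensec` before freeing it, so in the s3-only path the auth subsystem is built twice per session setup. Consider caching the prepare_gensec decision or handing the already-built context through; the early `return nt_status;` without cleanup is acceptable here only because the new context hangs off `gensec_ntlmssp` and is freed with it.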
diff --git a/source3/auth/auth_samba4.c b/source3/auth/auth_samba4.c
index 119099d..971f9d6 100644
--- a/source3/auth/auth_samba4.c
+++ b/source3/auth/auth_samba4.c
@@ -185,8 +185,6 @@ static NTSTATUS auth_init_samba4(struct auth_context *auth_context,
result->name = "samba4";
result->auth = check_samba4_security;
result->prepare_gensec = prepare_gensec;
- result->gensec_start_mech_by_oid = gensec_start_mech_by_oid;
- result->gensec_start_mech_by_authtype = gensec_start_mech_by_authtype;
*auth_method = result;
return NT_STATUS_OK;
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 074da79..77f0f54 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -69,12 +69,8 @@ NTSTATUS auth_netlogond_init(void);
/* The following definitions come from auth/auth_ntlmssp.c */
-NTSTATUS auth_generic_prepare(const struct tsocket_address *remote_address,
- struct auth_generic_state **auth_ntlmssp_state);
-NTSTATUS auth_generic_start(struct auth_generic_state *auth_ntlmssp_state, const char *oid);
-NTSTATUS auth_generic_authtype_start(struct auth_generic_state *auth_ntlmssp_state,
- uint8_t auth_type, uint8_t auth_level);
-
+NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx, const struct tsocket_address *remote_address,
+ struct gensec_security **gensec_security_out);
/* The following definitions come from auth/auth_sam.c */
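Review bot: the section comment `/* The following definitions come from auth/auth_ntlmssp.c */` above the new prototype is stale, since `auth_generic_prepare()` lives in auth/auth_generic.c (see the auth_generic.c hunk); update the comment so proto.h continues to map prototypes to the right source file.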
diff --git a/source3/include/auth.h b/source3/include/auth.h
index 9d043bf..dd70059 100644
--- a/source3/include/auth.h
+++ b/source3/include/auth.h
@@ -68,11 +68,6 @@ struct auth_serversupplied_info {
typedef NTSTATUS (*prepare_gensec_fn)(TALLOC_CTX *mem_ctx,
struct gensec_security **gensec_context);
-typedef NTSTATUS (*gensec_start_mech_by_oid_fn)(struct gensec_security *gensec_context,
- const char *oid_string);
-typedef NTSTATUS (*gensec_start_mech_by_authtype_fn)(struct gensec_security *gensec_context,
- uint8_t auth_type,
- uint8_t auth_level);
struct auth_context {
DATA_BLOB challenge;
@@ -94,8 +89,6 @@ struct auth_context {
NTSTATUS (*nt_status_squash)(NTSTATUS nt_status);
prepare_gensec_fn prepare_gensec;
- gensec_start_mech_by_oid_fn gensec_start_mech_by_oid;
- gensec_start_mech_by_authtype_fn gensec_start_mech_by_authtype;
};
typedef struct auth_methods
@@ -119,8 +112,6 @@ typedef struct auth_methods
/* Optional methods allowing this module to provide a way to get a gensec context */
prepare_gensec_fn prepare_gensec;
- gensec_start_mech_by_oid_fn gensec_start_mech_by_oid;
- gensec_start_mech_by_authtype_fn gensec_start_mech_by_authtype;
/* Used to keep tabs on things like the cli for SMB server authentication */
void *private_data;
@@ -137,7 +128,7 @@ struct auth_init_function_entry {
struct auth_init_function_entry *prev, *next;
};
-struct auth_generic_state;
+extern const struct gensec_security_ops gensec_ntlmssp3_server_ops;
/* Changed from 1 -> 2 to add the logon_parameters field. */
/* Changed from 2 -> 3 when we reworked many auth structures to use IDL or be in common with Samba4 */
diff --git a/source3/include/ntlmssp_wrap.h b/source3/include/ntlmssp_wrap.h
index fb98309..ac2c77d 100644
--- a/source3/include/ntlmssp_wrap.h
+++ b/source3/include/ntlmssp_wrap.h
@@ -23,12 +23,7 @@
struct gensec_security;
-extern const struct gensec_security_ops gensec_ntlmssp3_server_ops;
-
struct auth_generic_state {
- /* used only by server implementation */
- struct auth_context *auth_context;
-
/* used only by the client implementation */
struct cli_credentials *credentials;
diff --git a/source3/include/smb.h b/source3/include/smb.h
index 2221b72..2adfa36 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -1215,7 +1215,7 @@ typedef struct user_struct {
struct auth_session_info *session_info;
- struct auth_generic_state *auth_ntlmssp_state;
+ struct gensec_security *gensec_security;
} user_struct;
/*
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 76ca0c0..f260dca 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -428,7 +428,7 @@ char* kerberos_secrets_fetch_des_salt( void )
Caller must free if the return value is not NULL.
************************************************************************/
-char *kerberos_get_default_realm_from_ccache( void )
+char *kerberos_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx)
{
char *realm = NULL;
krb5_context ctx = NULL;
@@ -455,11 +455,11 @@ char *kerberos_get_default_realm_from_ccache( void )
}
#if defined(HAVE_KRB5_PRINCIPAL_GET_REALM)
- realm = SMB_STRDUP(krb5_principal_get_realm(ctx, princ));
+ realm = talloc_strdup(mem_ctx, krb5_principal_get_realm(ctx, princ));
#elif defined(HAVE_KRB5_PRINC_REALM)
{
krb5_data *realm_data = krb5_princ_realm(ctx, princ);
- realm = SMB_STRNDUP(realm_data->data, realm_data->length);
+ realm = talloc_strndup(mem_ctx, realm_data->data, realm_data->length);
}
#endif
@@ -479,11 +479,10 @@ char *kerberos_get_default_realm_from_ccache( void )
}
/************************************************************************
- Routine to get the realm from a given DNS name. Returns malloc'ed memory.
- Caller must free() if the return value is not NULL.
+ Routine to get the realm from a given DNS name.
************************************************************************/
-char *kerberos_get_realm_from_hostname(const char *hostname)
+char *kerberos_get_realm_from_hostname(TALLOC_CTX *mem_ctx, const char *hostname)
{
#if defined(HAVE_KRB5_GET_HOST_REALM) && defined(HAVE_KRB5_FREE_HOST_REALM)
#if defined(HAVE_KRB5_REALM_TYPE)
@@ -512,7 +511,7 @@ char *kerberos_get_realm_from_hostname(const char *hostname)
}
if (realm_list && realm_list[0]) {
- realm = SMB_STRDUP(realm_list[0]);
+ realm = talloc_strdup(mem_ctx, realm_list[0]);
}
out:
@@ -531,6 +530,43 @@ char *kerberos_get_realm_from_hostname(const char *hostname)
#endif
}
+char *kerberos_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx,
+ const char *service,
+ const char *remote_name)
+{
+ char *realm = NULL;
+ char *host = NULL;
+ char *principal;
+ host = strchr_m(remote_name, '.');
+ if (host) {
+ /* DNS name. */
+ realm = kerberos_get_realm_from_hostname(talloc_tos(), remote_name);
+ } else {
+ /* NetBIOS name - use our realm. */
+ realm = kerberos_get_default_realm_from_ccache(talloc_tos());
+ }
+
+ if (realm == NULL || *realm == '\0') {
+ realm = talloc_strdup(talloc_tos(), lp_realm());
+ if (!realm) {
+ return NULL;
+ }
+ DEBUG(3,("kerberos_get_principal_from_service_hostname: "
+ "cannot get realm from, "
+ "desthost %s or default ccache. Using default "
+ "smb.conf realm %s\n",
+ remote_name,
+ realm));
+ }
+
+ principal = talloc_asprintf(mem_ctx,
+ "%s/%s@%s",
+ service, remote_name,
+ realm);
+ TALLOC_FREE(realm);
+ return principal;
+}
+
/************************************************************************
Routine to get the salting principal for this service. This is
maintained for backwards compatibilty with releases prior to 3.0.24.
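Review bot: `kerberos_get_principal_from_service_hostname()` takes a `mem_ctx` but allocates its intermediate `realm` on `talloc_tos()`, which silently requires every caller to hold a talloc stackframe; allocating on `mem_ctx` (or on a local `talloc_new(mem_ctx)` freed before return) would make ownership match the signature and would also stop the first, empty `realm` string being abandoned when the `*realm == '\0'` fallback reassigns the pointer without freeing it. The DEBUG message has a stray comma (`"cannot get realm from, "` followed by `"desthost %s ..."`), and the new routine lacks the block comment header the other routines in this file carry.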
diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
index ff1082a..094f38d 100644
--- a/source3/libads/kerberos_proto.h
+++ b/source3/libads/kerberos_proto.h
@@ -62,8 +62,11 @@ int ads_kdestroy(const char *cc_name);
char* kerberos_standard_des_salt( void );
bool kerberos_secrets_store_des_salt( const char* salt );
char* kerberos_secrets_fetch_des_salt( void );
-char *kerberos_get_default_realm_from_ccache( void );
-char *kerberos_get_realm_from_hostname(const char *hostname);
+char *kerberos_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx);
+char *kerberos_get_realm_from_hostname(TALLOC_CTX *mem_ctx, const char *hostname);
+char *kerberos_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx,
+ const char *service,
+ const char *remote_name);
bool kerberos_secrets_store_salting_principal(const char *service,
int enctype,
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index a61288b..9eaef5a 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -21,6 +21,7 @@
#include "includes.h"
#include "gse.h"
+#include "libads/kerberos_proto.h"
#if defined(HAVE_KRB5) && defined(HAVE_GSS_WRAP_IOV)
@@ -247,15 +248,22 @@ NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
- name_buffer.value = talloc_asprintf(gse_ctx,
- "%s@%s", service, server);
+ /* Guess the realm based on the supplied service, and avoid the GSS libs
+ doing DNS lookups which may fail.
+
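Review bot: the new comment says the realm is guessed "based on the supplied service", but the helper introduced in the kerberos.c hunk derives it from the remote hostname (`kerberos_get_realm_from_hostname()` for DNS names, the ccache default realm otherwise), not from the service; reword the comment to match the code. The rest of this hunk is cut off by the 500-line truncation, so the replacement for the removed `name_buffer.value = talloc_asprintf(gse_ctx, "%s@%s", service, server);` cannot be reviewed here.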
--
Samba Shared Repository