[SCM] Samba Shared Repository - branch master updated
Alexander Bokovoy
ab at samba.org
Thu May 24 10:16:02 MDT 2012
The branch, master has been updated
via b452fb3 waf: for MIT krb5 build require kerberos version above 1.9
via 72029d5 s3-smbldap: Add API for external callback to perform LDAP bind in smbldap
via 838435ab3 s4/scripting: in MIT build do not install samba-tool, it is not usable yet
via ca2b625 s4-selftest: Demonstrate the correct behaviour between specified usernames and kerberos ccache
via dc3f74a auth/credentials: 'workgroup' set via command line will not drop existing ccache
from a95b2ba s3:smbd/msdfs: pass allow_broken_path to resolve_dfspath_wcard()
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit b452fb30f79c5effa508b891bcb453de8f452286
Author: Alexander Bokovoy <ab at samba.org>
Date: Thu May 24 16:28:31 2012 +0300
waf: for MIT krb5 build require kerberos version above 1.9
MIT krb5 implementation provides sufficient support for features
used in Samba 4 starting with 1.9. Require version above when using
system MIT krb5 build.
Autobuild-User: Alexander Bokovoy <ab at samba.org>
Autobuild-Date: Thu May 24 18:15:36 CEST 2012 on sn-devel-104
commit 72029d5547766787afb0a76c3959d1820388e28e
Author: Alexander Bokovoy <ab at samba.org>
Date: Thu May 24 15:38:41 2012 +0300
s3-smbldap: Add API for external callback to perform LDAP bind in smbldap
In order to support other bind methods, introduce a generic bind callback.
When smbldap_state.bind_callback is set, it means there is an alternative
way to perform LDAP bind to ldap_simple_bind_s() so call it instead.
The call is wrapped in become_root()/unbecome_root() to allow proper permissions
in smbd to access needed resources in the callback, for example, credential caches.
When run outside smbd, become_root()/unbecome_root() are no-op.
The API expectation is similar to ldap_simple_bind_s().
A caller of smbldap API can pass additional information to the callback by setting
smbldap_state.bind_callback_data pointer.
Both callback and the data pointer elements of smbldap_state structure get
cleaned up if someone sets proper credentials on smbldap_state with
smbldap_set_creds() so if you are interested in using smbldap_state.bind_dn
with the callback, make sure to set callback after credentials are set.
commit 838435ab30c03e5db7eb1e80f486528231dffdfc
Author: Alexander Bokovoy <ab at samba.org>
Date: Thu May 24 15:24:12 2012 +0300
s4/scripting: in MIT build do not install samba-tool, it is not usable yet
commit ca2b6259b7f0787eb372b56076e63413f530ec12
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu May 24 13:36:20 2012 +1000
s4-selftest: Demonstrate the correct behaviour between specified usernames and kerberos ccache
This shows that a username/password on the command line must always
override any credentials cache in the environment.
Andrew Bartlett
commit dc3f74a953de0fcf9b3f693efe2ba8dea7b93da9
Author: Alexander Bokovoy <ab at samba.org>
Date: Thu May 24 15:17:40 2012 +0300
auth/credentials: 'workgroup' set via command line will not drop existing ccache
The root cause for existing ccache being invalidated was use of global loadparm with
'workgroup' value set as if from command line. However, we don't really need to take
'workgroup' parameter value's nature into account when invalidating existing ccache.
When -U is used on the command line, one can specify a password to force ccache
invalidation.
The commit also reverts previous fix now that root cause is clear.
-----------------------------------------------------------------------
Summary of changes:
auth/credentials/credentials.c | 6 +++++-
auth/credentials/credentials_krb5.c | 14 ++------------
source3/include/smbldap.h | 2 ++
source3/lib/smbldap.c | 20 +++++++++++++++++++-
source4/scripting/bin/wscript_build | 4 +---
source4/scripting/wscript_build | 7 +++----
testprogs/blackbox/test_kinit.sh | 1 -
testprogs/blackbox/test_passwords.sh | 8 ++++++++
wscript_configure_system_mitkrb5 | 9 ++++++++-
9 files changed, 48 insertions(+), 23 deletions(-)
Changeset truncated at 500 lines:
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 3eaccde..05f0a62 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -483,7 +483,11 @@ _PUBLIC_ bool cli_credentials_set_domain(struct cli_credentials *cred,
* calculations */
cred->domain = strupper_talloc(cred, val);
cred->domain_obtained = obtained;
- cli_credentials_invalidate_ccache(cred, cred->domain_obtained);
+ /* setting domain does not mean we have to invalidate ccache
+ * because domain in not used for Kerberos operations.
+ * If ccache invalidation is required, one will anyway specify
+ * a password to kinit, and that will force invalidation of the ccache
+ */
return true;
}
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 2c93a8f..2a23688 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -486,18 +486,8 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
}
}
-
- if (cred->ccache_obtained == CRED_UNINITIALISED) {
- /* Only attempt to re-acquire ccache if it is not already in place.
- * this is important for client-side use within frameworks with already acquired tickets
- * like Apache+mod_auth_kerb+Python
- */
- ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx,
- &ccache, error_string);
- } else {
- ccache = cred->ccache;
- }
-
+ ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx,
+ &ccache, error_string);
if (ret) {
if (cli_credentials_get_kerberos_state(cred) == CRED_MUST_USE_KERBEROS) {
DEBUG(1, ("Failed to get kerberos credentials (kerberos required): %s\n", *error_string));
diff --git a/source3/include/smbldap.h b/source3/include/smbldap.h
index df9df76..5051fcf 100644
--- a/source3/include/smbldap.h
+++ b/source3/include/smbldap.h
@@ -44,6 +44,8 @@ struct smbldap_state {
bool anonymous;
char *bind_dn;
char *bind_secret;
+ int (*bind_callback)(LDAP *ldap_struct, struct smbldap_state *ldap_state, void *data);
+ void *bind_callback_data;
bool paged_results;
diff --git a/source3/lib/smbldap.c b/source3/lib/smbldap.c
index c01d3fd..43ddaff 100644
--- a/source3/lib/smbldap.c
+++ b/source3/lib/smbldap.c
@@ -976,7 +976,20 @@ static int smbldap_connect_system(struct smbldap_state *ldap_state)
#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
#endif
- rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret);
+ /* When there is an alternative bind callback is set,
+ attempt to use it to perform the bind */
+ if (ldap_state->bind_callback != NULL) {
+ /* We have to allow bind callback to be run under become_root/unbecome_root
+ to make sure within smbd the callback has proper write access to its resources,
+ like credential cache. This is similar to passdb case where this callback is supposed
+ to be used. When used outside smbd, become_root()/unbecome_root() are no-op.
+ */
+ become_root();
+ rc = ldap_state->bind_callback(ldap_struct, ldap_state, ldap_state->bind_callback_data);
+ unbecome_root();
+ } else {
+ rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret);
+ }
if (rc != LDAP_SUCCESS) {
char *ld_error = NULL;
@@ -1667,6 +1680,8 @@ void smbldap_free_struct(struct smbldap_state **ldap_state)
SAFE_FREE((*ldap_state)->bind_dn);
SAFE_FREE((*ldap_state)->bind_secret);
+ (*ldap_state)->bind_callback = NULL;
+ (*ldap_state)->bind_callback_data = NULL;
TALLOC_FREE(*ldap_state);
@@ -1846,6 +1861,9 @@ bool smbldap_set_creds(struct smbldap_state *ldap_state, bool anon, const char *
/* free any previously set credential */
SAFE_FREE(ldap_state->bind_dn);
+ ldap_state->bind_callback = NULL;
+ ldap_state->bind_callback_data = NULL;
+
if (ldap_state->bind_secret) {
/* make sure secrets are zeroed out of memory */
memset(ldap_state->bind_secret, '\0', strlen(ldap_state->bind_secret));
diff --git a/source4/scripting/bin/wscript_build b/source4/scripting/bin/wscript_build
index 200562b..e95fd03 100644
--- a/source4/scripting/bin/wscript_build
+++ b/source4/scripting/bin/wscript_build
@@ -1,7 +1,5 @@
#!/usr/bin/env python
if bld.CONFIG_SET('AD_DC_BUILD_IS_ENABLED'):
- for script in ['samba_dnsupdate', 'samba_spnupdate', 'samba_kcc', 'upgradeprovision', 'samba_upgradedns']:
+ for script in ['samba-tool', 'samba_dnsupdate', 'samba_spnupdate', 'samba_kcc', 'upgradeprovision', 'samba_upgradedns']:
bld.SAMBA_SCRIPT(script, pattern=script, installdir='.')
-
-bld.SAMBA_SCRIPT('samba-tool', pattern='samba-tool', installdir='.')
diff --git a/source4/scripting/wscript_build b/source4/scripting/wscript_build
index 221f030..2362a64 100644
--- a/source4/scripting/wscript_build
+++ b/source4/scripting/wscript_build
@@ -3,18 +3,17 @@
from samba_utils import MODE_755
sbin_files = None
-bin_files = 'bin/samba-tool'
if bld.CONFIG_SET('AD_DC_BUILD_IS_ENABLED'):
sbin_files = 'bin/upgradeprovision bin/samba_dnsupdate bin/samba_spnupdate bin/samba_upgradedns'
- bin_files = bin_files + ' bin/samba_kcc'
if sbin_files:
bld.INSTALL_FILES('${SBINDIR}',
'bin/upgradeprovision bin/samba_dnsupdate bin/samba_spnupdate bin/samba_upgradedns',
chmod=MODE_755, python_fixup=True, flat=True)
-bld.INSTALL_FILES('${BINDIR}',
- bin_files,
+if bld.CONFIG_SET('AD_DC_BUILD_IS_ENABLED'):
+ bld.INSTALL_FILES('${BINDIR}',
+ 'bin/samba-tool bin/samba_kcc',
chmod=MODE_755, python_fixup=True, flat=True)
bld.RECURSE('bin')
diff --git a/testprogs/blackbox/test_kinit.sh b/testprogs/blackbox/test_kinit.sh
index 14f1e62..981987d 100755
--- a/testprogs/blackbox/test_kinit.sh
+++ b/testprogs/blackbox/test_kinit.sh
@@ -174,7 +174,6 @@ rm -f $KRB5CCNAME
testit "kinit with machineaccountccache script" $machineaccountccache $CONFIGURATION $KRB5CCNAME || failed=`expr $failed + 1`
test_smbclient "Test machine account login with kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1`
-rm -f $KRB5CCNAME
testit "reset password policies" $VALGRIND $samba_tool domain passwordsettings $PWSETCONFIG set --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=`expr $failed + 1`
rm -f $PREFIX/tmpccache tmpccfile tmppassfile tmpuserpassfile tmpuserccache tmpkpasswdscript
diff --git a/testprogs/blackbox/test_passwords.sh b/testprogs/blackbox/test_passwords.sh
index fe8386d..822f0fb 100755
--- a/testprogs/blackbox/test_passwords.sh
+++ b/testprogs/blackbox/test_passwords.sh
@@ -72,6 +72,14 @@ testit "kinit with user password" $samba4kinit --password-file=./tmpuserpassfile
test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1`
+#
+# These tests demonstrate that a credential cache in the environment does not
+# override a username/password, even an incorrect one, on the command line
+#
+
+testit_expect_failure "Test login with user kerberos ccache, but wrong password specified" $VALGRIND $smbclient //$SERVER/tmp -c 'ls' -k yes -Unettestuser@$REALM%wrongpass && failed=`expr $failed + 1`
+testit_expect_failure "Test login with user kerberos ccache, but old password specified" $VALGRIND $smbclient //$SERVER/tmp -c 'ls' -k yes -Unettestuser@$REALM%$USERPASS && failed=`expr $failed + 1`
+
USERPASS=$NEWUSERPASS
WEAKPASS=testpass1
diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5
index 7523103..805c452 100644
--- a/wscript_configure_system_mitkrb5
+++ b/wscript_configure_system_mitkrb5
@@ -1,4 +1,4 @@
-import Logs, Options
+import Logs, Options, sys
# Check for kerberos
have_gssapi=False
@@ -30,6 +30,13 @@ if conf.env.KRB5_CONFIG:
if conf.env.KRB5_VENDOR != 'heimdal':
conf.define('USING_SYSTEM_KRB5', 1)
del conf.env.HEIMDAL_KRB5_CONFIG
+ kversion = conf.cmd_and_log("%(path)s --version" % dict(path=conf.env.KRB5_CONFIG), dict()).strip()
+ kversion_split = map(int, kversion.split(" ")[-1].split("."))
+ if kversion_split < [1, 9]:
+ Logs.error('ERROR: MIT krb5 build requires at least 1.9.0. %s is found and cannot be used' % (kversion))
+ sys.exit(1)
+ else:
+ Logs.info('%s is detected, MIT krb5 build can proceed' % (kversion))
conf.check_cfg(args="--cflags --libs", package="com_err", uselib_store="com_err")
conf.CHECK_FUNCS_IN('_et_list', 'com_err')
--
Samba Shared Repository
More information about the samba-cvs
mailing list