[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Tue Jul 23 18:44:03 MDT 2013


The branch, master has been updated
       via  9adfe82 pam_winbind: update documentation for "DIR" krb5ccname pragma.
       via  7ad3a36 s3-winbindd: support the DIR pragma for raw kerberos user pam authentication.
       via  73e6fef wbinfo: allow to define a custom krb5ccname for kerberized pam auth.
       via  e9ae36e s4-lib/socket: Allocate a the larger sockaddr_un and not just a sockaddr_in in unixdom_get_peer_addr()
      from  fe06e1b smbd: Fix CID 1035536 Uninitialized pointer read

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 9adfe82a1785aa6a7baefb435072a0a81dfb13cb
Author: Günther Deschner <gd at samba.org>
Date:   Thu Jul 18 19:09:14 2013 +0200

    pam_winbind: update documentation for "DIR" krb5ccname pragma.
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Wed Jul 24 02:43:10 CEST 2013 on sn-devel-104

commit 7ad3a367d52b1f123c318946d654e95639202130
Author: Günther Deschner <gd at samba.org>
Date:   Thu Jul 18 19:05:51 2013 +0200

    s3-winbindd: support the DIR pragma for raw kerberos user pam authentication.
    
    It is currently only available in MIT. In addition, allow defining custom
    filepaths for the FILE, WRFILE and DIR pragmas and substitute one occurrence of the
    %u pattern.
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Pair-Programmed-With: Andreas Schneider <asn at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 73e6feff9b3f30e70d84fe256aff239fafdfdb95
Author: Günther Deschner <gd at samba.org>
Date:   Thu Jul 18 19:04:29 2013 +0200

    wbinfo: allow to define a custom krb5ccname for kerberized pam auth.
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit e9ae36e9683372b86f1efbd29904722a33fea083
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Jul 24 10:19:26 2013 +1200

    s4-lib/socket: Allocate a the larger sockaddr_un and not just a sockaddr_in in unixdom_get_peer_addr()
    
    This caused crashes in _tsocket_address_bsd_from_sockaddr() when we
    read past the end of the allocation.
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/manpages/pam_winbind.conf.5.xml |   39 ++++++++++++++++++++++-------
 examples/pam_winbind/pam_winbind.conf    |    3 +-
 nsswitch/wbinfo.c                        |    6 +++-
 source3/winbindd/winbindd_pam.c          |   23 +++++++++++++++++
 source4/lib/socket/socket_unix.c         |    4 +-
 5 files changed, 60 insertions(+), 15 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
index 8c36719..020cb67 100644
--- a/docs-xml/manpages/pam_winbind.conf.5.xml
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
@@ -106,16 +106,35 @@
 		<term>krb5_ccache_type = [type]</term>
 		<listitem><para>
 
-		When pam_winbind is configured to try kerberos authentication
-		by enabling the <parameter>krb5_auth</parameter> option, it can
-		store the retrieved Ticket Granting Ticket (TGT) in a
-		credential cache. The type of credential cache can be set with
-		this option. Currently the only supported value is:
-		<parameter>FILE</parameter>. In that case a credential cache in
-		the form of /tmp/krb5cc_UID will be created, where UID is
-		replaced with the numeric user id.  Leave empty to just do
-		kerberos authentication without having a ticket cache after the
-		logon has succeeded. This setting is empty by default.
+		When pam_winbind is configured to try kerberos authentication by
+		enabling the <parameter>krb5_auth</parameter> option, it can
+		store the retrieved Ticket Granting Ticket (TGT) in a credential
+		cache. The type of credential cache can be controlled with this
+		option.  The supported values are: <parameter>FILE</parameter>
+		and <parameter>DIR</parameter> (when the DIR type is supported
+		by the system's Kerberos library). In case of FILE a credential
+		cache in the form of /tmp/krb5cc_UID will be created -  in case
+		of DIR it will be located under the /run/user/UID/krb5cc
+		directory.  UID is replaced with the numeric user id.</para>
+
+		<para>It is also possible to define custom filepaths and use the "%u"
+		pattern in order to substitue the numeric user id.
+		Examples:</para>
+
+		<variablelist>
+			<varlistentry>
+				<term>krb5_ccache_type = DIR:/run/user/%u/krb5cc</term>
+					<listitem><para>This will create a credential cache file in the specified directory.</para></listitem>
+			</varlistentry>
+			<varlistentry>
+				<term>krb5_ccache_type = FILE:/tmp/krb5cc_%u</term>
+					<listitem><para>This will create a credential cache file.</para></listitem>
+			</varlistentry>
+		</variablelist>
+
+		<para> Leave empty to just do kerberos authentication without
+			having a ticket cache after the logon has succeeded.
+			This setting is empty by default.
 
 		</para></listitem>
 		</varlistentry>
diff --git a/examples/pam_winbind/pam_winbind.conf b/examples/pam_winbind/pam_winbind.conf
index dd0b112..87bc388 100644
--- a/examples/pam_winbind/pam_winbind.conf
+++ b/examples/pam_winbind/pam_winbind.conf
@@ -3,6 +3,7 @@
 #
 # /etc/security/pam_winbind.conf
 #
+# For more details see man pam_winbind.conf(5)
 
 [global]
 
@@ -19,7 +20,7 @@
 # authenticate using kerberos
 ;krb5_auth = no
 
-# when using kerberos, request a "FILE" krb5 credential cache type
+# when using kerberos, request a "FILE" or "DIR" krb5 credential cache type
 # (leave empty to just do krb5 authentication but not have a ticket
 # afterwards)
 ;krb5_ccache_type =
diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
index a1ca7fc..cba469e 100644
--- a/nsswitch/wbinfo.c
+++ b/nsswitch/wbinfo.c
@@ -2097,6 +2097,7 @@ int main(int argc, char **argv, char **envp)
 	bool use_lanman = false;
 	char *logoff_user = getenv("USER");
 	int logoff_uid = geteuid();
+	const char *opt_krb5ccname = "FILE";
 
 	struct poptOption long_options[] = {
 		POPT_AUTOHELP
@@ -2178,6 +2179,7 @@ int main(int argc, char **argv, char **envp)
 		{ "krb5auth", 'K', POPT_ARG_STRING, &string_arg, 'K', "authenticate user using Kerberos", "user%password" },
 			/* destroys wbinfo --help output */
 			/* "user%password,DOM\\user%password,user at EXAMPLE.COM,EXAMPLE.COM\\user%password" }, */
+		{ "krb5ccname", 0, POPT_ARG_STRING, &opt_krb5ccname, '0', "authenticate user using Kerberos and specific credential cache type", "krb5ccname" },
 #endif
 		{ "separator", 0, POPT_ARG_NONE, 0, OPT_SEPARATOR, "Get the active winbind separator", NULL },
 		{ "verbose", 0, POPT_ARG_NONE, 0, OPT_VERBOSE, "Print additional information per command", NULL },
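Review bot: The help string for the new `krb5ccname` option claims it authenticates ("authenticate user using Kerberos and specific credential cache type"), but on its own the option only stores a string; authentication still happens through `--krb5auth` in the later hunk, which merely reads `opt_krb5ccname` instead of the literal "FILE". A description such as `"credential cache type to use with --krb5auth (default: FILE)"` would match what the option does. The option also uses `'0'` as its `val`, which poptGetNextOpt returns as an option code; whether the switch outside this hunk handles (or deliberately ignores) that code is not visible here and is worth confirming. main() starts and ends outside this hunk.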
@@ -2547,13 +2549,13 @@ int main(int argc, char **argv, char **envp)
 						 WBFLAG_PAM_INFO3_TEXT |
 						 WBFLAG_PAM_CONTACT_TRUSTDOM;
 
-				if (!wbinfo_auth_krb5(string_arg, "FILE",
+				if (!wbinfo_auth_krb5(string_arg, opt_krb5ccname,
 						      flags)) {
 					d_fprintf(stderr,
 						"Could not authenticate user "
 						"[%s] with Kerberos "
 						"(ccache: %s)\n", string_arg,
-						"FILE");
+						opt_krb5ccname);
 					goto done;
 				}
 				break;
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index aed4741..7b67154 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -492,6 +492,29 @@ static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
 			gen_cc = talloc_asprintf(
 				mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
 		}
+		if (strequal(type, "DIR")) {
+			gen_cc = talloc_asprintf(
+				mem_ctx, "DIR:/run/user/%d/krb5cc", uid);
+		}
+
+		if (strnequal(type, "FILE:/", 6) ||
+		    strnequal(type, "WRFILE:/", 8) ||
+		    strnequal(type, "DIR:/", 5)) {
+
+			/* we allow only one "%u" substitution */
+
+			char *p;
+
+			p = strchr(type, '%');
+			if (p != NULL) {
+
+				p++;
+
+				if (p != NULL && *p == 'u' && strchr(p, '%') == NULL) {
+					gen_cc = talloc_asprintf(mem_ctx, type, uid);
+				}
+			}
+		}
 	}
 
 	*user_ccache_file = gen_cc;
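Review bot: At `talloc_asprintf(mem_ctx, type, uid)` the configured ccache string is used directly as a printf format; the preceding check does limit it to exactly one `%` followed by `u`, but building the path without a caller-supplied format removes the dependency on that check staying correct, e.g. `gen_cc = talloc_asprintf(mem_ctx, "%.*s%u%s", (int)(p - 1 - type), type, (unsigned int)uid, p + 1);`. The `p != NULL` in the inner condition is always true after `p++` and can be dropped. A custom `FILE:/`, `WRFILE:/` or `DIR:/` path containing no `%u` is silently not applied here, leaving `gen_cc` at whatever it held before the hunk; if requiring a per-user component is deliberate, a comment such as `/* custom paths must contain exactly one %u so caches stay per-user */` would make that explicit. generate_krb5_ccache begins before this hunk.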
diff --git a/source4/lib/socket/socket_unix.c b/source4/lib/socket/socket_unix.c
index 0774b12..3aa5440 100644
--- a/source4/lib/socket/socket_unix.c
+++ b/source4/lib/socket/socket_unix.c
@@ -323,7 +323,7 @@ static char *unixdom_get_peer_name(struct socket_context *sock, TALLOC_CTX *mem_
 
 static struct socket_address *unixdom_get_peer_addr(struct socket_context *sock, TALLOC_CTX *mem_ctx)
 {
-	struct sockaddr_in *peer_addr;
+	struct sockaddr_un *peer_addr;
 	socklen_t len = sizeof(*peer_addr);
 	struct socket_address *peer;
 	int ret;
@@ -334,7 +334,7 @@ static struct socket_address *unixdom_get_peer_addr(struct socket_context *sock,
 	}
 	
 	peer->family = sock->backend_name;
-	peer_addr = talloc(peer, struct sockaddr_in);
+	peer_addr = talloc(peer, struct sockaddr_un);
 	if (!peer_addr) {
 		talloc_free(peer);
 		return NULL;
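Review bot: `talloc(peer, struct sockaddr_un)` leaves the now larger buffer uninitialised, so whatever the peer-name call outside this hunk does not fill (for a short socket path, most of `sun_path`) is stale heap that the sizeof-based consumer named in the commit message would then read; `peer_addr = talloc_zero(peer, struct sockaddr_un);` makes the tail deterministic and avoids copying uninitialised bytes onward. The `len` in the first hunk is the full `sizeof(*peer_addr)`; whether it is later replaced by the length actually returned is not visible here and affects how much of the struct downstream code treats as valid. unixdom_get_peer_addr's body continues past this hunk.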


-- 
Samba Shared Repository

