[SCM] Samba Shared Repository - branch master updated
Nadezhda Ivanova
nivanova at samba.org
Wed Sep 18 21:40:02 CEST 2013
The branch, master has been updated
via 31ca4fc OpenLDAP provisioning tweaks
via 743d4a4 Use SASL/EXTERNAL over ldapi://
via 6bf59b0 Add SASL/EXTERNAL gensec module
via b3bb304 Prepare for SASL/EXTERNAL support
from 887f4fb Free memory on error
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 31ca4fc67443e0c7a8fec61e91df39fe2535982e
Author: Howard Chu <hyc at symas.com>
Date: Tue Sep 17 15:38:42 2013 -0700
OpenLDAP provisioning tweaks
Remove BerkeleyDB-specific setup.
Streamline cn=samba partition initialization - allow any backend type for it.
Use back-mdb instead of back-ldif for cn=samba partition
Signed-off-by: Howard Chu <hyc at symas.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova at symas.com>
Autobuild-User(master): Nadezhda Ivanova <nivanova at samba.org>
Autobuild-Date(master): Wed Sep 18 21:39:51 CEST 2013 on sn-devel-104
commit 743d4a474e1d80783f658fa1001a6d077fcfbede
Author: Howard Chu <hyc at symas.com>
Date: Tue Sep 17 14:04:06 2013 -0700
Use SASL/EXTERNAL over ldapi://
The provision script will map the uid of the user running the
script to the samba-admin LDAP DN.
Signed-off-by: Howard Chu <hyc at symas.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova at symas.com>
commit 6bf59b03d72b94b71e53fc2404c11e0d237e41b2
Author: Howard Chu <hyc at symas.com>
Date: Tue Sep 17 13:09:50 2013 -0700
Add SASL/EXTERNAL gensec module
Signed-off-by: Howard Chu <hyc at symas.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova at symas.com>
commit b3bb3040364d4b8a497ced3e758fc81f24924db9
Author: Howard Chu <hyc at symas.com>
Date: Tue Sep 17 13:09:07 2013 -0700
Prepare for SASL/EXTERNAL support
Signed-off-by: Howard Chu <hyc at symas.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova at symas.com>
-----------------------------------------------------------------------
Summary of changes:
auth/credentials/credentials.c | 8 ++
auth/gensec/external.c | 82 +++++++++++++++++
auth/gensec/gensec.h | 3 +-
auth/gensec/wscript_build | 7 ++
python/samba/provision/backend.py | 67 ++++++--------
source4/dsdb/samdb/ldb_modules/samba_dsdb.c | 128 ++++++++++++++++-----------
source4/libcli/ldap/ldap_bind.c | 13 +++-
source4/setup/cn=replicator.ldif | 12 ---
source4/setup/cn=samba-admin.ldif | 12 ---
source4/setup/cn=samba.ldif | 19 +++--
source4/setup/slapd.conf | 6 +-
11 files changed, 235 insertions(+), 122 deletions(-)
create mode 100644 auth/gensec/external.c
delete mode 100644 source4/setup/cn=replicator.ldif
delete mode 100644 source4/setup/cn=samba-admin.ldif
Changeset truncated at 500 lines:
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index e98dfbd..d15cee6 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -365,6 +365,14 @@ _PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *c
return true;
}
+ /*
+ * If we forced the mech we clearly want authentication. E.g. to use
+ * SASL/EXTERNAL which has no credentials.
+ */
+ if (cred->forced_sasl_mech) {
+ return true;
+ }
+
if (cli_credentials_is_anonymous(cred)){
return false;
}
diff --git a/auth/gensec/external.c b/auth/gensec/external.c
new file mode 100644
index 0000000..a26e435
--- /dev/null
+++ b/auth/gensec/external.c
@@ -0,0 +1,82 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ SASL/EXTERNAL authentication.
+
+ Copyright (C) Howard Chu <hyc at symas.com> 2013
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "auth/credentials/credentials.h"
+#include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h"
+#include "auth/gensec/gensec_proto.h"
+#include "auth/gensec/gensec_toplevel_proto.h"
+
+/* SASL/EXTERNAL is essentially a no-op; it is only usable when the transport
+ * layer is already mutually authenticated.
+ */
+
+NTSTATUS gensec_external_init(void);
+
+static NTSTATUS gensec_external_start(struct gensec_security *gensec_security)
+{
+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN)
+ return NT_STATUS_INVALID_PARAMETER;
+ if (gensec_security->want_features & GENSEC_FEATURE_SEAL)
+ return NT_STATUS_INVALID_PARAMETER;
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS gensec_external_update(struct gensec_security *gensec_security,
+ TALLOC_CTX *out_mem_ctx,
+ struct tevent_context *ev,
+ const DATA_BLOB in, DATA_BLOB *out)
+{
+ *out = data_blob_talloc(out_mem_ctx, "", 0);
+ return NT_STATUS_OK;
+}
+
+/* We have no features */
+static bool gensec_external_have_feature(struct gensec_security *gensec_security,
+ uint32_t feature)
+{
+ return false;
+}
+
+static const struct gensec_security_ops gensec_external_ops = {
+ .name = "sasl-EXTERNAL",
+ .sasl_name = "EXTERNAL",
+ .client_start = gensec_external_start,
+ .update = gensec_external_update,
+ .have_feature = gensec_external_have_feature,
+ .enabled = true,
+ .priority = GENSEC_EXTERNAL
+};
+
+
+NTSTATUS gensec_external_init(void)
+{
+ NTSTATUS ret;
+
+ ret = gensec_register(&gensec_external_ops);
+ if (!NT_STATUS_IS_OK(ret)) {
+ DEBUG(0,("Failed to register '%s' gensec backend!\n",
+ gensec_external_ops.name));
+ }
+ return ret;
+}
diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
index ac1fadf..6974f87 100644
--- a/auth/gensec/gensec.h
+++ b/auth/gensec/gensec.h
@@ -41,7 +41,8 @@ enum gensec_priority {
GENSEC_SCHANNEL = 60,
GENSEC_NTLMSSP = 50,
GENSEC_SASL = 20,
- GENSEC_OTHER = 0
+ GENSEC_OTHER = 10,
+ GENSEC_EXTERNAL = 0
};
struct gensec_security;
diff --git a/auth/gensec/wscript_build b/auth/gensec/wscript_build
index fcd74a3..71222f7 100755
--- a/auth/gensec/wscript_build
+++ b/auth/gensec/wscript_build
@@ -16,3 +16,10 @@ bld.SAMBA_MODULE('gensec_spnego',
init_function='gensec_spnego_init',
deps='asn1util samba-credentials SPNEGO_PARSE'
)
+
+bld.SAMBA_MODULE('gensec_external',
+ source='external.c',
+ autoproto='external_proto.h',
+ subsystem='gensec',
+ init_function='gensec_external_init'
+ )
diff --git a/python/samba/provision/backend.py b/python/samba/provision/backend.py
index 24d8675..af7f07f 100644
--- a/python/samba/provision/backend.py
+++ b/python/samba/provision/backend.py
@@ -255,7 +255,7 @@ class LDAPBackend(ProvisionBackend):
# Kerberos to an ldapi:// backend makes no sense
self.credentials.set_kerberos_state(DONT_USE_KERBEROS)
self.credentials.set_password(self.ldapadminpass)
- self.credentials.set_forced_sasl_mech("DIGEST-MD5")
+ self.credentials.set_forced_sasl_mech("EXTERNAL")
self.secrets_credentials = Credentials()
self.secrets_credentials.guess(self.lp)
@@ -263,7 +263,7 @@ class LDAPBackend(ProvisionBackend):
self.secrets_credentials.set_kerberos_state(DONT_USE_KERBEROS)
self.secrets_credentials.set_username("samba-admin")
self.secrets_credentials.set_password(self.ldapadminpass)
- self.secrets_credentials.set_forced_sasl_mech("DIGEST-MD5")
+ self.secrets_credentials.set_forced_sasl_mech("EXTERNAL")
self.provision()
@@ -361,19 +361,13 @@ class OpenLDAPBackend(LDAPBackend):
schemadn=self.names.schemadn, files=[
setup_path("schema_samba4.ldif")])
- def setup_db_config(self, dbdir):
- """Setup a Berkeley database.
+ def setup_db_dir(self, dbdir):
+ """Create a database directory.
:param dbdir: Database directory.
"""
- from samba.provision import setup_path
- if not os.path.isdir(os.path.join(dbdir, "bdb-logs")):
- os.makedirs(os.path.join(dbdir, "bdb-logs"), 0700)
- if not os.path.isdir(os.path.join(dbdir, "tmp")):
- os.makedirs(os.path.join(dbdir, "tmp"), 0700)
-
- setup_file(setup_path("DB_CONFIG"),
- os.path.join(dbdir, "DB_CONFIG"), {"LDAPDBDIR": dbdir})
+ if not os.path.exists(dbdir):
+ os.makedirs(dbdir, 0700)
def provision(self):
from samba.provision import ProvisioningError, setup_path
@@ -420,6 +414,7 @@ class OpenLDAPBackend(LDAPBackend):
mmr_syncrepl_domaindns_config = ""
mmr_syncrepl_forestdns_config = ""
mmr_syncrepl_user_config = ""
+ mmr_pass = ""
if self.ol_mmr_urls is not None:
# For now, make these equal
@@ -533,33 +528,26 @@ class OpenLDAPBackend(LDAPBackend):
"OLC_MMR_CONFIG": olc_mmr_config,
"REFINT_CONFIG": refint_config,
"INDEX_CONFIG": index_config,
- "NOSYNC": nosync_config})
-
- self.setup_db_config(os.path.join(self.ldapdir, "db", "forestdns"))
- self.setup_db_config(os.path.join(self.ldapdir, "db", "domaindns"))
- self.setup_db_config(os.path.join(self.ldapdir, "db", "user"))
- self.setup_db_config(os.path.join(self.ldapdir, "db", "config"))
- self.setup_db_config(os.path.join(self.ldapdir, "db", "schema"))
-
- if not os.path.exists(os.path.join(self.ldapdir, "db", "samba", "cn=samba")):
- os.makedirs(os.path.join(self.ldapdir, "db", "samba", "cn=samba"), 0700)
-
- setup_file(setup_path("cn=samba.ldif"),
- os.path.join(self.ldapdir, "db", "samba", "cn=samba.ldif"),
- { "UUID": str(uuid.uuid4()),
- "LDAPTIME": timestring(int(time.time()))} )
- setup_file(setup_path("cn=samba-admin.ldif"),
- os.path.join(self.ldapdir, "db", "samba", "cn=samba", "cn=samba-admin.ldif"),
- {"LDAPADMINPASS_B64": b64encode(self.ldapadminpass),
- "UUID": str(uuid.uuid4()),
- "LDAPTIME": timestring(int(time.time()))} )
+ "ADMIN_UID": str(os.getuid()),
+ "NOSYNC": nosync_config,})
+
+ self.setup_db_dir(os.path.join(self.ldapdir, "db", "forestdns"))
+ self.setup_db_dir(os.path.join(self.ldapdir, "db", "domaindns"))
+ self.setup_db_dir(os.path.join(self.ldapdir, "db", "user"))
+ self.setup_db_dir(os.path.join(self.ldapdir, "db", "config"))
+ self.setup_db_dir(os.path.join(self.ldapdir, "db", "schema"))
+ self.setup_db_dir(os.path.join(self.ldapdir, "db", "samba"))
if self.ol_mmr_urls is not None:
- setup_file(setup_path("cn=replicator.ldif"),
- os.path.join(self.ldapdir, "db", "samba", "cn=samba", "cn=replicator.ldif"),
- {"MMR_PASSWORD_B64": b64encode(mmr_pass),
- "UUID": str(uuid.uuid4()),
- "LDAPTIME": timestring(int(time.time()))} )
+ mmr = ""
+ else:
+ mmr = "#"
+
+ cn_samba = read_and_sub_file(
+ setup_path("cn=samba.ldif"),
+ { "LDAPADMINPASS": self.ldapadminpass,
+ "MMR_PASSWORD": mmr_pass,
+ "MMR": mmr })
mapping = "schema-map-openldap-2.3"
backend_schema = "backend-schema.schema"
@@ -635,6 +623,11 @@ class OpenLDAPBackend(LDAPBackend):
# Don't confuse the admin by leaving the slapd.conf around
os.remove(self.slapdconf)
+ cn_samba_cmd = [self.slapd_path, "-Tadd", "-b", "cn=samba", "-F", self.olcdir]
+ p = subprocess.Popen(cn_samba_cmd, stdin=subprocess.PIPE, shell=False)
+ p.stdin.write(cn_samba)
+ p.communicate()
+
class FDSBackend(LDAPBackend):
diff --git a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c
index 060a9d7..bc8e71b 100644
--- a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c
+++ b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c
@@ -138,7 +138,7 @@ static int prepare_modules_line(struct ldb_context *ldb,
* ldapi socket to an LDAP backend
*/
-static int set_ldap_credentials(struct ldb_context *ldb)
+static int set_ldap_credentials(struct ldb_context *ldb, bool use_external)
{
const char *secrets_ldb_path, *sam_ldb_path;
char *private_dir, *p, *error_string;
@@ -157,56 +157,60 @@ static int set_ldap_credentials(struct ldb_context *ldb)
return ldb_oom(ldb);
}
cli_credentials_set_anonymous(cred);
- cli_credentials_set_forced_sasl_mech(cred, "DIGEST-MD5");
-
- /*
- * We don't want to use krb5 to talk to our samdb - recursion
- * here would be bad, and this account isn't in the KDC
- * anyway
- */
- cli_credentials_set_kerberos_state(cred, CRED_DONT_USE_KERBEROS);
-
- /*
- * Work out where *our* secrets.ldb is. It must be in
- * the same directory as sam.ldb
- */
- sam_ldb_path = (const char *)ldb_get_opaque(ldb, "ldb_url");
- if (!sam_ldb_path) {
- talloc_free(tmp_ctx);
- return ldb_operr(ldb);
- }
- if (strncmp("tdb://", sam_ldb_path, 6) == 0) {
- sam_ldb_path += 6;
- }
- private_dir = talloc_strdup(tmp_ctx, sam_ldb_path);
- p = strrchr(private_dir, '/');
- if (p) {
- *p = '\0';
+ if (use_external) {
+ cli_credentials_set_forced_sasl_mech(cred, "EXTERNAL");
} else {
- private_dir = talloc_strdup(tmp_ctx, ".");
- }
+ cli_credentials_set_forced_sasl_mech(cred, "DIGEST-MD5");
+
+ /*
+ * We don't want to use krb5 to talk to our samdb - recursion
+ * here would be bad, and this account isn't in the KDC
+ * anyway
+ */
+ cli_credentials_set_kerberos_state(cred, CRED_DONT_USE_KERBEROS);
+
+ /*
+ * Work out where *our* secrets.ldb is. It must be in
+ * the same directory as sam.ldb
+ */
+ sam_ldb_path = (const char *)ldb_get_opaque(ldb, "ldb_url");
+ if (!sam_ldb_path) {
+ talloc_free(tmp_ctx);
+ return ldb_operr(ldb);
+ }
+ if (strncmp("tdb://", sam_ldb_path, 6) == 0) {
+ sam_ldb_path += 6;
+ }
+ private_dir = talloc_strdup(tmp_ctx, sam_ldb_path);
+ p = strrchr(private_dir, '/');
+ if (p) {
+ *p = '\0';
+ } else {
+ private_dir = talloc_strdup(tmp_ctx, ".");
+ }
- secrets_ldb_path = talloc_asprintf(private_dir, "tdb://%s/secrets.ldb",
- private_dir);
+ secrets_ldb_path = talloc_asprintf(private_dir, "tdb://%s/secrets.ldb",
+ private_dir);
- if (!secrets_ldb_path) {
- talloc_free(tmp_ctx);
- return ldb_oom(ldb);
- }
-
- /*
- * Now that we have found the location, connect to
- * secrets.ldb so we can read the SamDB Credentials
- * record
- */
- secrets_ldb = ldb_wrap_connect(tmp_ctx, NULL, lp_ctx, secrets_ldb_path,
- NULL, NULL, 0);
+ if (!secrets_ldb_path) {
+ talloc_free(tmp_ctx);
+ return ldb_oom(ldb);
+ }
- if (!NT_STATUS_IS_OK(cli_credentials_set_secrets(cred, NULL, secrets_ldb, NULL,
- SECRETS_LDAP_FILTER, &error_string))) {
- ldb_asprintf_errstring(ldb, "Failed to read LDAP backend password from %s", secrets_ldb_path);
- talloc_free(tmp_ctx);
- return LDB_ERR_STRONG_AUTH_REQUIRED;
+ /*
+ * Now that we have found the location, connect to
+ * secrets.ldb so we can read the SamDB Credentials
+ * record
+ */
+ secrets_ldb = ldb_wrap_connect(tmp_ctx, NULL, lp_ctx, secrets_ldb_path,
+ NULL, NULL, 0);
+
+ if (!NT_STATUS_IS_OK(cli_credentials_set_secrets(cred, NULL, secrets_ldb, NULL,
+ SECRETS_LDAP_FILTER, &error_string))) {
+ ldb_asprintf_errstring(ldb, "Failed to read LDAP backend password from %s", secrets_ldb_path);
+ talloc_free(tmp_ctx);
+ return LDB_ERR_STRONG_AUTH_REQUIRED;
+ }
}
/*
@@ -229,7 +233,7 @@ static int samba_dsdb_init(struct ldb_module *module)
TALLOC_CTX *tmp_ctx = talloc_new(module);
struct ldb_result *res;
struct ldb_message *rootdse_msg, *partition_msg;
- struct ldb_dn *samba_dsdb_dn;
+ struct ldb_dn *samba_dsdb_dn, *partition_dn;
struct ldb_module *backend_module, *module_chain;
const char **final_module_list, **reverse_module_list;
/*
@@ -308,7 +312,9 @@ static int samba_dsdb_init(struct ldb_module *module)
"entryuuid", "paged_searches", "simple_dn", NULL };
static const char *samba_dsdb_attrs[] = { "backendType", NULL };
- const char *backendType;
+ static const char *partition_attrs[] = { "ldapBackend", NULL };
+ const char *backendType, *backendUrl;
+ bool use_sasl_external = false;
if (!tmp_ctx) {
return ldb_oom(ldb);
@@ -326,6 +332,12 @@ static int samba_dsdb_init(struct ldb_module *module)
return ldb_oom(ldb);
}
+ partition_dn = ldb_dn_new(tmp_ctx, ldb, DSDB_PARTITION_DN);
+ if (!partition_dn) {
+ talloc_free(tmp_ctx);
+ return ldb_oom(ldb);
+ }
+
#define CHECK_LDB_RET(check_ret) \
do { \
if (check_ret != LDB_SUCCESS) { \
@@ -351,6 +363,19 @@ static int samba_dsdb_init(struct ldb_module *module)
link_modules = tdb_modules_list;
} else {
struct cli_credentials *cred;
+ bool is_ldapi = false;
+
+ ret = dsdb_module_search_dn(module, tmp_ctx, &res, partition_dn,
+ partition_attrs, DSDB_FLAG_NEXT_MODULE, NULL);
+ if (ret == LDB_SUCCESS) {
+ backendUrl = ldb_msg_find_attr_as_string(res->msgs[0], "ldapBackend", "ldapi://");
+ if (!strncasecmp(backendUrl, "ldapi://", sizeof("ldapi://")-1)) {
+ is_ldapi = true;
+ }
+ } else if (ret != LDB_ERR_NO_SUCH_OBJECT) {
+ talloc_free(tmp_ctx);
+ return ret;
+ }
if (strcasecmp(backendType, "fedora-ds") == 0) {
link_modules = fedora_ds_modules;
backend_modules = fedora_ds_backend_modules;
@@ -360,6 +385,9 @@ static int samba_dsdb_init(struct ldb_module *module)
backend_modules = openldap_backend_modules;
extended_dn_module = extended_dn_module_openldap;
extended_dn_in_module = "extended_dn_in_openldap";
+ if (is_ldapi) {
+ use_sasl_external = true;
+ }
} else {
return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR, "invalid backend type");
}
@@ -370,7 +398,7 @@ static int samba_dsdb_init(struct ldb_module *module)
cred = ldb_get_opaque(ldb, "credentials");
if (!cred || !cli_credentials_authentication_requested(cred)) {
- ret = set_ldap_credentials(ldb);
+ ret = set_ldap_credentials(ldb, use_sasl_external);
if (ret != LDB_SUCCESS) {
return ret;
}
diff --git a/source4/libcli/ldap/ldap_bind.c b/source4/libcli/ldap/ldap_bind.c
index f0a498b..d82b7a1 100644
--- a/source4/libcli/ldap/ldap_bind.c
+++ b/source4/libcli/ldap/ldap_bind.c
@@ -215,6 +215,7 @@ _PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn,
struct ldap_message **sasl_mechs_msgs;
struct ldap_SearchResEntry *search;
int count, i;
+ bool first = true;
const char **sasl_names;
uint32_t old_gensec_features;
@@ -337,7 +338,13 @@ try_logon_again:
* avoid mutal authentication requirements.
*
* Likewise, you must not feed GENSEC too much (after the OK),
- * it doesn't like that either
+ * it doesn't like that either.
+ *
+ * For SASL/EXTERNAL, there is no data to send, but we still
+ * must send the actual Bind request the first time around.
+ * Otherwise, a result of NT_STATUS_OK with 0 output means the
+ * end of a multi-step authentication, and no message must be
+ * sent.
*/
gensec_status = status;
@@ -347,8 +354,10 @@ try_logon_again:
break;
}
if (NT_STATUS_IS_OK(status) && output.length == 0) {
- break;
+ if (!first)
+ break;
}
+ first = false;
/* Perhaps we should make gensec_start_mech_by_sasl_list() return the name we got? */
msg = new_ldap_sasl_bind_msg(tmp_ctx, conn->gensec->ops->sasl_name, (output.data?&output:NULL));
diff --git a/source4/setup/cn=replicator.ldif b/source4/setup/cn=replicator.ldif
deleted file mode 100644
index 6001456..0000000
--- a/source4/setup/cn=replicator.ldif
+++ /dev/null
@@ -1,12 +0,0 @@
-dn: cn=replicator
-objectClass: top
-objectClass: person
-cn: replicator
-userPassword:: ${MMR_PASSWORD_B64}
-structuralObjectClass: person
-entryUUID: ${UUID}
-creatorsName:
-createTimestamp: ${LDAPTIME}
--
Samba Shared Repository
More information about the samba-cvs
mailing list