[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Sun Feb 8 02:38:03 MST 2015
The branch, master has been updated
via bfccf0a torture-krb5: Provide a generic handler to catch and print unexpected KRB_ERROR packets
via bdde51b auth/kerberos: Use talloc_stackframe to avoid memory and FD leak of event context
via 3c89b25 torture-krb5: Add test for TGS-REQ with type KRB5_NT_PRINCIPAL, KRB5_NT_SRV_INST, KRB5_NT_SRV_HST
via 52b74a4 torture-krb5: Add test in for normal TGS-REQ
via 0a4da2f torture-krb5: Split out TEST_AS_REQ_SELF recv testing routine
via 60c7913 torture-krb5: Add additional assertions for non-canon TGS-REP
via e05ad35 torture-krb5: Further test improvements to cover KRB5_GC_CANONICALIZE on krbtgt/
via 32e2b75 selftest: Run krb5.kdc with an account that has a UPN and an SPN
via 5fe76cc torture-krb5: Add tests for AS-REQ to our own name
via 4bafb45 torture-krb5: Improve the assertions in our KDC tests to be more explicit
via 11871c8 torture-krb5: Reformat and re-work test to be easier to follow
via 0a4374a torture-krb5: Add tests for the canonicalise TGS-REQ case
via bcd33c0 torture-krb5: add TGS-REQ testing to krb5.kdc.canon testsuite
via f32564d kdc: make Samba KDC pass new TGS-REQ and AS-REQ (to self) testing
via 01c6991 kdc: fixup KDC to use functions portable to MIT krb5
via d775275 torture-krb5: Do not do post-recv checks if the packet recv failed
from 0e89d58 ctdb-tests: Add new "ctdb setreclock" test
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit bfccf0abf8a11788b59edab1983d14114906c7f4
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sat Feb 7 19:45:24 2015 +1300
torture-krb5: Provide a generic handler to catch and print unexpected KRB_ERROR packets
This may aid debugging in the future.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-By: Jelmer Vernooij <jelmer at samba.org>
Reviewed-by: Kamen Mazdrashki <kamenim at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Sun Feb 8 10:37:23 CET 2015 on sn-devel-104
commit bdde51b26f4f5bcd6b0dcb5557fee40d7bc40207
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Feb 6 08:53:21 2015 +1300
auth/kerberos: Use talloc_stackframe to avoid memory and FD leak of event context
The smb_krb5_send_and_recv_func_forced and smb_krb5_send_and_recv_func
functions could leak an event context including an epoll FD and some
memory. This may explain a flapping test in krb5.kdc
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-By: Jelmer Vernooij <jelmer at samba.org>
Reviewed-by: Kamen Mazdrashki <kamenim at samba.org>
commit 3c89b25e4fbc86981ec2cfaebbd5e119a5fc965d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Feb 5 16:44:23 2015 +1300
torture-krb5: Add test for TGS-REQ with type KRB5_NT_PRINCIPAL, KRB5_NT_SRV_INST, KRB5_NT_SRV_HST
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
commit 52b74a4eaf82b892bddabcd70a3bc38c4fdc8410
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Feb 5 15:49:40 2015 +1300
torture-krb5: Add test in for normal TGS-REQ
For example, host/server
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
commit 0a4da2fc97de2ce81c168820f2f5a792388d5bc5
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Feb 5 10:11:42 2015 +1300
torture-krb5: Split out TEST_AS_REQ_SELF recv testing routine
This duplicates more code, but re-using the callbacks makes it much, much harder to debug
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
commit 60c791339122b8b3f9be5bc085badd14e2ca6058
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Feb 3 15:51:41 2015 +1300
torture-krb5: Add additional assertions for non-canon TGS-REP
This confirms that the KDC does not modify the returned principal in a TGS-REP unconditionally.
Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit e05ad3500fb501f87c1eb77a1c13c5c237f02b3d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Feb 3 15:22:52 2015 +1300
torture-krb5: Further test improvements to cover KRB5_GC_CANONICALIZE on krbtgt/
This covers more of the protocol, and confirms which tests actually send network
packets (and so actually run the assertions in the send_and_recv handlers.
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 32e2b75a96b45d64d6059240ef2e8da924c6c84e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Feb 3 11:36:49 2015 +1300
selftest: Run krb5.kdc with an account that has a UPN and an SPN
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
commit 5fe76cc02a1f09213b4b4a65dc53ad4d2ce97c86
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Feb 2 15:01:40 2015 +1300
torture-krb5: Add tests for AS-REQ to our own name
This allows us to probe the behaviour of AS-REQ requests against a principal other than krbtgt/
This alos allows verification of behaviour of principals of type KRB5_NT_ENTERPRISE_PRINCIPAL
Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit 4bafb45b096e7246d8186f379a4663b755fb0d37
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Feb 2 13:55:25 2015 +1300
torture-krb5: Improve the assertions in our KDC tests to be more explicit
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
commit 11871c853a911b85ebb3f9ff5671ce1f9024188f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Feb 2 12:18:23 2015 +1300
torture-krb5: Reformat and re-work test to be easier to follow
The behaviour is the same as in the previous commit, but it is much easier to follow
as the main test code now indicates to the send_and_recv callbacks what stage of the
test we are at, and resets the packet counter between stages.
This also re-orders the code so that the send and recv callbacks for each stage
are next to each other, and uses a case statement in the main send_and_recv driver
for clarity.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
commit 0a4374a93aced30245c0719e6a279f1dd7ea78f1
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Jan 30 18:17:16 2015 +1300
torture-krb5: Add tests for the canonicalise TGS-REQ case
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Pair-programmed-with: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
commit bcd33c0dce793427b2c408ad592801c881770d4d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Jan 30 12:31:10 2015 +1300
torture-krb5: add TGS-REQ testing to krb5.kdc.canon testsuite
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit f32564d643a76b2618395096d26d99654b33dd98
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Jan 30 12:31:29 2015 +1300
kdc: make Samba KDC pass new TGS-REQ and AS-REQ (to self) testing
This also reverts 51b94ab3fd4d13ee38813eb7d20db11edaa667a8 as our
testing shows Windows 2012R2 does not have this behaviour.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit 01c6991d362d26c71604649ad7a2dd4e6b695918
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Feb 2 12:38:07 2015 +1300
kdc: fixup KDC to use functions portable to MIT krb5
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
commit d7752757c29d69547b361ed094f04ae4db4c9f8a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Sat Feb 7 20:58:42 2015 +1300
torture-krb5: Do not do post-recv checks if the packet recv failed
This may be the cause of the flapping tests in this code previously,
as the recv_buf would be 0 length.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-By: Jelmer Vernooij <jelmer at samba.org>
Reviewed-by: Kamen Mazdrashki <kamenim at samba.org>
-----------------------------------------------------------------------
Summary of changes:
selftest/target/Samba4.pm | 2 +
source4/auth/kerberos/krb5_init_context.c | 60 +-
source4/kdc/db-glue.c | 208 +++-
source4/selftest/tests.py | 8 +-
source4/torture/krb5/kdc-canon.c | 1762 +++++++++++++++++++++++++++--
source4/torture/krb5/kdc.c | 4 +-
6 files changed, 1845 insertions(+), 199 deletions(-)
Changeset truncated at 500 lines:
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index c85b4a7..1cc74b7 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -829,6 +829,8 @@ sub provision_raw_step2($$$)
changetype: modify
replace: userPrincipalName
userPrincipalName: testallowed_upn\@$ctx->{realm}
+replace: servicePrincipalName
+servicePrincipalName: host/testallowed
-
";
close(LDIF);
diff --git a/source4/auth/kerberos/krb5_init_context.c b/source4/auth/kerberos/krb5_init_context.c
index e8a1a6c..7fcc8a6 100644
--- a/source4/auth/kerberos/krb5_init_context.c
+++ b/source4/auth/kerberos/krb5_init_context.c
@@ -228,8 +228,8 @@ static krb5_error_code smb_krb5_send_and_recv_func_int(krb5_context context,
DATA_BLOB send_blob;
- TALLOC_CTX *tmp_ctx = talloc_new(NULL);
- if (!tmp_ctx) {
+ TALLOC_CTX *frame = talloc_stackframe();
+ if (frame == NULL) {
return ENOMEM;
}
@@ -237,9 +237,9 @@ static krb5_error_code smb_krb5_send_and_recv_func_int(krb5_context context,
for (a = ai; a; a = a->ai_next) {
struct socket_address *remote_addr;
- smb_krb5 = talloc(tmp_ctx, struct smb_krb5_socket);
+ smb_krb5 = talloc(frame, struct smb_krb5_socket);
if (!smb_krb5) {
- talloc_free(tmp_ctx);
+ TALLOC_FREE(frame);
return ENOMEM;
}
smb_krb5->hi = hi;
@@ -254,7 +254,7 @@ static krb5_error_code smb_krb5_send_and_recv_func_int(krb5_context context,
break;
#endif
default:
- talloc_free(tmp_ctx);
+ TALLOC_FREE(frame);
return EINVAL;
}
@@ -267,7 +267,7 @@ static krb5_error_code smb_krb5_send_and_recv_func_int(krb5_context context,
status = socket_create(name, SOCKET_TYPE_STREAM, &smb_krb5->sock, 0);
break;
case KRB5_KRBHST_HTTP:
- talloc_free(tmp_ctx);
+ TALLOC_FREE(frame);
return EINVAL;
}
if (!NT_STATUS_IS_OK(status)) {
@@ -335,12 +335,12 @@ static krb5_error_code smb_krb5_send_and_recv_func_int(krb5_context context,
packet_send(smb_krb5->packet, smb_krb5->request);
break;
case KRB5_KRBHST_HTTP:
- talloc_free(tmp_ctx);
+ TALLOC_FREE(frame);
return EINVAL;
}
while ((NT_STATUS_IS_OK(smb_krb5->status)) && !smb_krb5->reply.length) {
if (tevent_loop_once(ev) != 0) {
- talloc_free(tmp_ctx);
+ TALLOC_FREE(frame);
return EINVAL;
}
@@ -355,7 +355,7 @@ static krb5_error_code smb_krb5_send_and_recv_func_int(krb5_context context,
func,
data);
if (ret != 0) {
- talloc_free(tmp_ctx);
+ TALLOC_FREE(frame);
return ret;
}
}
@@ -381,14 +381,14 @@ static krb5_error_code smb_krb5_send_and_recv_func_int(krb5_context context,
ret = krb5_data_copy(recv_buf, smb_krb5->reply.data, smb_krb5->reply.length);
if (ret) {
- talloc_free(tmp_ctx);
+ TALLOC_FREE(frame);
return ret;
}
talloc_free(smb_krb5);
break;
}
- talloc_free(tmp_ctx);
+ TALLOC_FREE(frame);
if (a) {
return 0;
}
@@ -406,16 +406,16 @@ krb5_error_code smb_krb5_send_and_recv_func(krb5_context context,
struct addrinfo *ai;
struct tevent_context *ev;
- TALLOC_CTX *tmp_ctx = talloc_new(NULL);
- if (!tmp_ctx) {
+ TALLOC_CTX *frame = talloc_stackframe();
+ if (frame == NULL) {
return ENOMEM;
}
- if (!data) {
+ if (data == NULL) {
/* If no event context was available, then create one for this loop */
- ev = samba_tevent_context_init(tmp_ctx);
- if (!ev) {
- talloc_free(tmp_ctx);
+ ev = samba_tevent_context_init(frame);
+ if (ev == NULL) {
+ TALLOC_FREE(frame);
return ENOMEM;
}
} else {
@@ -424,10 +424,13 @@ krb5_error_code smb_krb5_send_and_recv_func(krb5_context context,
ret = krb5_krbhst_get_addrinfo(context, hi, &ai);
if (ret) {
- talloc_free(tmp_ctx);
+ TALLOC_FREE(frame);
return ret;
}
- return smb_krb5_send_and_recv_func_int(context, ev, hi, ai, smb_krb5_send_and_recv_func, data, timeout, send_buf, recv_buf);
+
+ ret = smb_krb5_send_and_recv_func_int(context, ev, hi, ai, smb_krb5_send_and_recv_func, data, timeout, send_buf, recv_buf);
+ TALLOC_FREE(frame);
+ return ret;
}
krb5_error_code smb_krb5_send_and_recv_func_forced(krb5_context context,
@@ -437,24 +440,27 @@ krb5_error_code smb_krb5_send_and_recv_func_forced(krb5_context context,
const krb5_data *send_buf,
krb5_data *recv_buf)
{
+ krb5_error_code k5ret;
struct addrinfo *ai = data;
struct tevent_context *ev;
- TALLOC_CTX *tmp_ctx = talloc_new(NULL);
- if (!tmp_ctx) {
+ TALLOC_CTX *frame = talloc_stackframe();
+ if (frame == NULL) {
return ENOMEM;
}
- /* If no event context was available, then create one for this loop */
- ev = samba_tevent_context_init(tmp_ctx);
- if (!ev) {
- talloc_free(tmp_ctx);
+ /* no event context is passed in, create one for this loop */
+ ev = samba_tevent_context_init(frame);
+ if (ev == NULL) {
+ TALLOC_FREE(frame);
return ENOMEM;
}
/* No need to pass in send_and_recv functions, we won't nest on this private event loop */
- return smb_krb5_send_and_recv_func_int(context, ev, hi, ai, NULL, NULL,
- timeout, send_buf, recv_buf);
+ k5ret = smb_krb5_send_and_recv_func_int(context, ev, hi, ai, NULL, NULL,
+ timeout, send_buf, recv_buf);
+ TALLOC_FREE(frame);
+ return k5ret;
}
#endif
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 042abe6..aa73641 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -640,47 +640,62 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
entry_ex->entry.principal = malloc(sizeof(*(entry_ex->entry.principal)));
if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT) {
- ret = krb5_copy_principal(context, principal, &entry_ex->entry.principal);
- if (ret) {
- return ret;
- }
-
- /*
- * Windows seems to canonicalize the principal
- * in a TGS REP even if the client did not specify
- * the canonicalize flag.
- */
- if (flags & (HDB_F_CANON|HDB_F_FOR_TGS_REQ)) {
- /* When requested to do so, ensure that the
+ if (flags & (HDB_F_CANON)) {
+ /*
+ * When requested to do so, ensure that the
* both realm values in the principal are set
- * to the upper case, canonical realm */
- free(entry_ex->entry.principal->name.name_string.val[1]);
- entry_ex->entry.principal->name.name_string.val[1] = strdup(lpcfg_realm(lp_ctx));
- if (!entry_ex->entry.principal->name.name_string.val[1]) {
- ret = ENOMEM;
- krb5_set_error_message(context, ret, "samba_kdc_fetch: strdup() failed!");
- return ret;
+ * to the upper case, canonical realm
+ */
+ ret = krb5_make_principal(context, &entry_ex->entry.principal,
+ lpcfg_realm(lp_ctx), "krbtgt",
+ lpcfg_realm(lp_ctx), NULL);
+ if (ret) {
+ krb5_clear_error_message(context);
+ goto out;
+ }
+ krb5_principal_set_type(context, entry_ex->entry.principal, KRB5_NT_SRV_INST);
+ } else {
+ ret = krb5_copy_principal(context, principal, &entry_ex->entry.principal);
+ if (ret) {
+ krb5_clear_error_message(context);
+ goto out;
+ }
+ /*
+ * this appears to be required regardless of
+ * the canonicalize flag from the client
+ */
+ ret = krb5_principal_set_realm(context, entry_ex->entry.principal, lpcfg_realm(lp_ctx));
+ if (ret) {
+ krb5_clear_error_message(context);
+ goto out;
}
}
- /*
- * this has to be with malloc(), and appears to be
- * required regardless of the canonicalize flag from
- * the client
- */
- krb5_principal_set_realm(context, entry_ex->entry.principal, lpcfg_realm(lp_ctx));
} else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) {
- krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
- } else if (flags & HDB_F_CANON) {
- krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
+ ret = krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
+ if (ret) {
+ krb5_clear_error_message(context);
+ goto out;
+ }
+ } else if (flags & HDB_F_CANON && flags & HDB_F_FOR_AS_REQ) {
+ /*
+ * HDB_F_CANON maps from the canonicalize flag in the
+ * packet, and has a different meaning between AS-REQ
+ * and TGS-REQ. We only change the principal in the AS-REQ case
+ */
+ ret = krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
+ if (ret) {
+ krb5_clear_error_message(context);
+ goto out;
+ }
} else {
- ret = copy_Principal(principal, entry_ex->entry.principal);
+ ret = krb5_copy_principal(context, principal, &entry_ex->entry.principal);
if (ret) {
krb5_clear_error_message(context);
goto out;
}
- if (principal->name.name_type != KRB5_NT_ENTERPRISE_PRINCIPAL) {
+ if (krb5_principal_get_type(context, principal) != KRB5_NT_ENTERPRISE_PRINCIPAL) {
/* While we have copied the client principal, tests
* show that Win2k3 returns the 'corrected' realm, not
* the client-specified realm. This code attempts to
@@ -688,7 +703,11 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
* we determine from our records */
/* this has to be with malloc() */
- krb5_principal_set_realm(context, entry_ex->entry.principal, lpcfg_realm(lp_ctx));
+ ret = krb5_principal_set_realm(context, entry_ex->entry.principal, lpcfg_realm(lp_ctx));
+ if (ret) {
+ krb5_clear_error_message(context);
+ goto out;
+ }
}
}
@@ -706,7 +725,18 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
entry_ex->entry.flags.server = 0;
}
}
-
+ /*
+ * To give the correct type of error to the client, we must
+ * not just return the entry without .server set, we must
+ * pretend the principal does not exist. Otherwise we may
+ * return ERR_POLICY instead of
+ * KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
+ */
+ if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER && entry_ex->entry.flags.server == 0) {
+ ret = HDB_ERR_NOENTRY;
+ krb5_set_error_message(context, ret, "samba_kdc_message2entry: no servicePrincipalName present for this server, refusing with no-such-entry");
+ goto out;
+ }
if (flags & HDB_F_ADMIN_DATA) {
/* These (created_by, modified_by) parts of the entry are not relevant for Samba4's use
* of the Heimdal KDC. They are stored in a the traditional
@@ -716,9 +746,13 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
/* use 'whenCreated' */
entry_ex->entry.created_by.time = ldb_msg_find_krb5time_ldap_time(msg, "whenCreated", 0);
/* use 'kadmin' for now (needed by mit_samba) */
- krb5_make_principal(context,
- &entry_ex->entry.created_by.principal,
- lpcfg_realm(lp_ctx), "kadmin", NULL);
+ ret = krb5_make_principal(context,
+ &entry_ex->entry.created_by.principal,
+ lpcfg_realm(lp_ctx), "kadmin", NULL);
+ if (ret) {
+ krb5_clear_error_message(context);
+ goto out;
+ }
entry_ex->entry.modified_by = (Event *) malloc(sizeof(Event));
if (entry_ex->entry.modified_by == NULL) {
@@ -730,9 +764,13 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
/* use 'whenChanged' */
entry_ex->entry.modified_by->time = ldb_msg_find_krb5time_ldap_time(msg, "whenChanged", 0);
/* use 'kadmin' for now (needed by mit_samba) */
- krb5_make_principal(context,
- &entry_ex->entry.modified_by->principal,
- lpcfg_realm(lp_ctx), "kadmin", NULL);
+ ret = krb5_make_principal(context,
+ &entry_ex->entry.modified_by->principal,
+ lpcfg_realm(lp_ctx), "kadmin", NULL);
+ if (ret) {
+ krb5_clear_error_message(context);
+ goto out;
+ }
}
@@ -948,9 +986,13 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
/* use 'whenCreated' */
entry_ex->entry.created_by.time = ldb_msg_find_krb5time_ldap_time(msg, "whenCreated", 0);
/* use 'kadmin' for now (needed by mit_samba) */
- krb5_make_principal(context,
+ ret = krb5_make_principal(context,
&entry_ex->entry.created_by.principal,
realm, "kadmin", NULL);
+ if (ret) {
+ krb5_clear_error_message(context);
+ goto out;
+ }
entry_ex->entry.principal = malloc(sizeof(*(entry_ex->entry.principal)));
if (entry_ex->entry.principal == NULL) {
@@ -973,7 +1015,11 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
* we determine from our records
*/
- krb5_principal_set_realm(context, entry_ex->entry.principal, realm);
+ ret = krb5_principal_set_realm(context, entry_ex->entry.principal, realm);
+ if (ret) {
+ krb5_clear_error_message(context);
+ goto out;
+ }
entry_ex->entry.valid_start = NULL;
@@ -1264,7 +1310,7 @@ static krb5_error_code samba_kdc_lookup_client(krb5_context context,
NTSTATUS nt_status;
char *principal_string;
- if (principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+ if (krb5_principal_get_type(context, principal) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
principal_string = smb_krb5_principal_get_comp_string(mem_ctx, context,
principal, 0);
if (principal_string == NULL) {
@@ -1308,8 +1354,8 @@ static krb5_error_code samba_kdc_fetch_client(krb5_context context,
struct ldb_message *msg = NULL;
ret = samba_kdc_lookup_client(context, kdc_db_ctx,
- mem_ctx, principal, user_attrs,
- &realm_dn, &msg);
+ mem_ctx, principal, user_attrs,
+ &realm_dn, &msg);
if (ret != 0) {
return ret;
}
@@ -1460,15 +1506,17 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
}
static krb5_error_code samba_kdc_lookup_server(krb5_context context,
- struct samba_kdc_db_context *kdc_db_ctx,
- TALLOC_CTX *mem_ctx,
- krb5_const_principal principal,
- const char **attrs,
- struct ldb_dn **realm_dn,
- struct ldb_message **msg)
+ struct samba_kdc_db_context *kdc_db_ctx,
+ TALLOC_CTX *mem_ctx,
+ krb5_const_principal principal,
+ unsigned flags,
+ const char **attrs,
+ struct ldb_dn **realm_dn,
+ struct ldb_message **msg)
{
krb5_error_code ret;
- if (principal->name.name_string.len >= 2) {
+ if ((smb_krb5_principal_get_type(context, principal) != KRB5_NT_ENTERPRISE_PRINCIPAL)
+ && krb5_princ_size(context, principal) >= 2) {
/* 'normal server' case */
int ldb_ret;
NTSTATUS nt_status;
@@ -1503,14 +1551,53 @@ static krb5_error_code samba_kdc_lookup_server(krb5_context context,
if (ldb_ret != LDB_SUCCESS) {
return HDB_ERR_NOENTRY;
}
-
+ return 0;
+ } else if (!(flags & HDB_F_FOR_AS_REQ)
+ && smb_krb5_principal_get_type(context, principal) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+ /*
+ * The behaviour of accepting an
+ * KRB5_NT_ENTERPRISE_PRINCIPAL server principal
+ * containing a UPN only applies to TGS-REQ packets,
+ * not AS-REQ packets.
+ */
+ return samba_kdc_lookup_client(context, kdc_db_ctx,
+ mem_ctx, principal, attrs,
+ realm_dn, msg);
} else {
+ /*
+ * This case is for:
+ * - the AS-REQ, where we only accept
+ * samAccountName based lookups for the server, no
+ * matter if the name is an
+ * KRB5_NT_ENTERPRISE_PRINCIPAL or not
+ * - for the TGS-REQ when we are not given an
+ * KRB5_NT_ENTERPRISE_PRINCIPAL, which also must
+ * only lookup samAccountName based names.
+ */
int lret;
char *short_princ;
- /* const char *realm; */
+ krb5_principal enterprise_prinicpal = NULL;
+
+ if (smb_krb5_principal_get_type(context, principal) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+ /* Need to reparse the enterprise principal to find the real target */
+ if (principal->name.name_string.len != 1) {
+ ret = KRB5_PARSE_MALFORMED;
+ krb5_set_error_message(context, ret, "samba_kdc_lookup_server: request for an "
+ "enterprise principal with wrong (%d) number of components",
+ principal->name.name_string.len);
+ return ret;
+ }
+ ret = krb5_parse_name(context, principal->name.name_string.val[0],
+ &enterprise_prinicpal);
+ if (ret) {
+ talloc_free(mem_ctx);
+ return ret;
+ }
+ principal = enterprise_prinicpal;
+ }
+
/* server as client principal case, but we must not lookup userPrincipalNames */
*realm_dn = ldb_get_default_basedn(kdc_db_ctx->samdb);
- /* realm = krb5_principal_get_realm(context, principal); */
/* TODO: Check if it is our realm, otherwise give referral */
@@ -1540,11 +1627,13 @@ static krb5_error_code samba_kdc_lookup_server(krb5_context context,
return HDB_ERR_NOENTRY;
}
free(short_princ);
+ return 0;
}
-
- return 0;
+ return HDB_ERR_NOENTRY;
}
+
+
static krb5_error_code samba_kdc_fetch_server(krb5_context context,
struct samba_kdc_db_context *kdc_db_ctx,
TALLOC_CTX *mem_ctx,
@@ -1557,7 +1646,7 @@ static krb5_error_code samba_kdc_fetch_server(krb5_context context,
struct ldb_message *msg;
ret = samba_kdc_lookup_server(context, kdc_db_ctx, mem_ctx, principal,
- server_attrs, &realm_dn, &msg);
+ flags, server_attrs, &realm_dn, &msg);
if (ret != 0) {
return ret;
}
@@ -1787,7 +1876,8 @@ samba_kdc_check_s4u2self(krb5_context context,
}
ret = samba_kdc_lookup_server(context, kdc_db_ctx, mem_ctx, target_principal,
- delegation_check_attrs, &realm_dn, &msg);
+ HDB_F_GET_CLIENT|HDB_F_GET_SERVER,
+ delegation_check_attrs, &realm_dn, &msg);
--
Samba Shared Repository
More information about the samba-cvs
mailing list