[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Mon Mar 9 05:11:03 MDT 2015


The branch, master has been updated
       via  02f6cfd torture-krb5: Add an initial test for s4u2self behaviour
       via  a1ddee8 kdc: Fix S4U2Self handling with KRB5_NT_ENTERPRISE_PRINCIPAL containing a UPN
       via  7bef5e4 talloc: version 2.1.2
       via  3929abf talloc: fix _talloc_total_limit_size prototype
      from  6b0cece lib: talloc: Test suite for the new destructor reparent logic.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 02f6cfd14c8ac15b5d8a55783bb98a87557394d5
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Mar 9 11:12:01 2015 +1300

    torture-krb5: Add an initial test for s4u2self behaviour
    
    This test only checks for S4U2Self of the same user, but shows
    that a user account is not a valid service for this purpose.
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Mon Mar  9 12:10:09 CET 2015 on sn-devel-104

commit a1ddee8d2f9e58e04f3203db9afa576354dd2079
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Mar 9 16:00:56 2015 +1300

    kdc: Fix S4U2Self handling with KRB5_NT_ENTERPRISE_PRINCIPAL containing a UPN
    
    This is now handled properly by samba_kdc_lookup_server() and this wrapper actually
    breaks things.
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 7bef5e4f0e5ff4a4187f3d63e51a1725ff32b771
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 9 09:07:24 2015 +0100

    talloc: version 2.1.2
    
    Changes:
    - Allow destructors to reparent the object
    - Allow a destructor to remove itself
    - Build improvements
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 3929abfc6b5a3ae8a27da57d4dbee9524e3585e3
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jan 27 13:07:34 2015 +0100

    talloc: fix _talloc_total_limit_size prototype
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 ...loc-util-2.0.6.sigs => pytalloc-util-2.1.2.sigs} |  0
 .../ABI/{talloc-2.1.0.sigs => talloc-2.1.2.sigs}    |  0
 lib/talloc/talloc.c                                 |  2 +-
 lib/talloc/wscript                                  |  2 +-
 source4/kdc/db-glue.c                               | 21 ---------------------
 source4/torture/krb5/kdc-canon.c                    | 18 +++++++++++++++---
 6 files changed, 17 insertions(+), 26 deletions(-)
 copy lib/talloc/ABI/{pytalloc-util-2.0.6.sigs => pytalloc-util-2.1.2.sigs} (100%)
 copy lib/talloc/ABI/{talloc-2.1.0.sigs => talloc-2.1.2.sigs} (100%)


Changeset truncated at 500 lines:

diff --git a/lib/talloc/ABI/pytalloc-util-2.0.6.sigs b/lib/talloc/ABI/pytalloc-util-2.1.2.sigs
similarity index 100%
copy from lib/talloc/ABI/pytalloc-util-2.0.6.sigs
copy to lib/talloc/ABI/pytalloc-util-2.1.2.sigs
diff --git a/lib/talloc/ABI/talloc-2.1.0.sigs b/lib/talloc/ABI/talloc-2.1.2.sigs
similarity index 100%
copy from lib/talloc/ABI/talloc-2.1.0.sigs
copy to lib/talloc/ABI/talloc-2.1.2.sigs
diff --git a/lib/talloc/talloc.c b/lib/talloc/talloc.c
index 46f10f4..c10fd53 100644
--- a/lib/talloc/talloc.c
+++ b/lib/talloc/talloc.c
@@ -1064,7 +1064,7 @@ static inline int _talloc_free_internal(void *ptr, const char *location)
 	return 0;
 }
 
-static size_t _talloc_total_limit_size(const void *ptr,
+static inline size_t _talloc_total_limit_size(const void *ptr,
 					struct talloc_memlimit *old_limit,
 					struct talloc_memlimit *new_limit);
 
diff --git a/lib/talloc/wscript b/lib/talloc/wscript
index 986492c..97c52c3 100644
--- a/lib/talloc/wscript
+++ b/lib/talloc/wscript
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 APPNAME = 'talloc'
-VERSION = '2.1.1'
+VERSION = '2.1.2'
 
 
 blddir = 'bin'
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index aa73641..0bc907e 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1839,7 +1839,6 @@ samba_kdc_check_s4u2self(krb5_context context,
 			 krb5_const_principal target_principal)
 {
 	krb5_error_code ret;
-	krb5_principal enterprise_prinicpal = NULL;
 	struct ldb_dn *realm_dn;
 	struct ldb_message *msg;
 	struct dom_sid *orig_sid;
@@ -1857,30 +1856,10 @@ samba_kdc_check_s4u2self(krb5_context context,
 		return ret;
 	}
 
-	if (target_principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
-		/* Need to reparse the enterprise principal to find the real target */
-		if (target_principal->name.name_string.len != 1) {
-			ret = KRB5_PARSE_MALFORMED;
-			krb5_set_error_message(context, ret, "samba_kdc_check_s4u2self: request for delegation to enterprise principal with wrong (%d) number of components",
-					       target_principal->name.name_string.len);
-			talloc_free(mem_ctx);
-			return ret;
-		}
-		ret = krb5_parse_name(context, target_principal->name.name_string.val[0],
-				      &enterprise_prinicpal);
-		if (ret) {
-			talloc_free(mem_ctx);
-			return ret;
-		}
-		target_principal = enterprise_prinicpal;
-	}
-
 	ret = samba_kdc_lookup_server(context, kdc_db_ctx, mem_ctx, target_principal,
 				      HDB_F_GET_CLIENT|HDB_F_GET_SERVER,
 				      delegation_check_attrs, &realm_dn, &msg);
 
-	krb5_free_principal(context, enterprise_prinicpal);
-
 	if (ret != 0) {
 		talloc_free(mem_ctx);
 		return ret;
diff --git a/source4/torture/krb5/kdc-canon.c b/source4/torture/krb5/kdc-canon.c
index 312c7b5..49c6c26 100644
--- a/source4/torture/krb5/kdc-canon.c
+++ b/source4/torture/krb5/kdc-canon.c
@@ -37,7 +37,8 @@
 #define TEST_NETBIOS_REALM    0x0000010
 #define TEST_WIN2K            0x0000020
 #define TEST_UPN              0x0000040
-#define TEST_ALL              0x000007F
+#define TEST_S4U2SELF         0x0000080
+#define TEST_ALL              0x00000FF
 
 struct test_data {
 	const char *test_name;
@@ -54,6 +55,7 @@ struct test_data {
 	bool win2k;
 	bool upn;
 	bool other_upn_suffix;
+	bool s4u2self;
 	const char *krb5_service;
 	const char *krb5_hostname;
 };	
@@ -1665,6 +1667,14 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void *
 				       opt,
 				       KRB5_GC_NO_STORE);
 
+	if (test_data->s4u2self) {
+		torture_assert_int_equal(tctx,
+					 krb5_get_creds_opt_set_impersonate(k5_context,
+									    opt,
+									    principal),
+					 0, "krb5_get_creds_opt_set_impersonate failed");
+	}
+
 	/* Confirm if we can get a ticket to our own name */
 	k5ret = krb5_get_creds(k5_context, opt, ccache, principal, &server_creds);
 
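Review bot: The new `if (test_data->s4u2self)` branch has no comment saying what the impersonation request is meant to demonstrate, and the existing `/* Confirm if we can get a ticket to our own name */` comment below it now describes only the non-S4U2Self case. The commit message says the test covers S4U2Self of the same user and shows that a user account is not a valid service for this purpose. A comment above the branch such as `/* S4U2Self: impersonate our own principal; a plain user account is not expected to be accepted as the service */` would record that intent next to the code. How the `krb5_get_creds()` result is checked for the S4U2Self case is not visible here, because torture_krb5_as_req_canon() starts and ends outside the hunk.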
@@ -2051,14 +2061,15 @@ struct torture_suite *torture_krb5_canon(TALLOC_CTX *mem_ctx)
 	suite->description = talloc_strdup(suite, "Kerberos Canonicalisation tests");
 
 	for (i = 0; i < TEST_ALL; i++) {
-		char *name = talloc_asprintf(suite, "%s.%s.%s.%s.%s.%s.%s",
+		char *name = talloc_asprintf(suite, "%s.%s.%s.%s.%s.%s.%s.%s",
 					     (i & TEST_CANONICALIZE) ? "canon" : "no-canon",
 					     (i & TEST_ENTERPRISE) ? "enterprise" : "no-enterprise",
 					     (i & TEST_UPPER_REALM) ? "uc-realm" : "lc-realm",
 					     (i & TEST_UPPER_USERNAME) ? "uc-user" : "lc-user",
 					     (i & TEST_NETBIOS_REALM) ? "netbios-realm" : "krb5-realm",
 					     (i & TEST_WIN2K) ? "win2k" : "no-win2k",
-					     (i & TEST_UPN) ? "upn" : "no-upn");
+					     (i & TEST_UPN) ? "upn" : "no-upn",
+					     (i & TEST_S4U2SELF) ? "s4u2self" : "normal");
 
 		struct test_data *test_data = talloc_zero(suite, struct test_data);
 
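Review bot: The unchanged loop line `for (i = 0; i < TEST_ALL; i++)` uses TEST_ALL as an exclusive bound, so with the mask now 0x00000FF the loop stops at 0xFE. The single combination with every flag set, TEST_S4U2SELF together with all of the older flags, is therefore never registered as a test case. If that omission is not intended, `for (i = 0; i <= TEST_ALL; i++)` would cover it; if it is intended, a one-line comment on the loop saying why would help. The same exclusive bound applied with the old 0x000007F mask, so this predates the commit, but adding a new bit is a natural point to settle it. torture_krb5_canon() starts and ends outside this hunk.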
@@ -2075,6 +2086,7 @@ struct torture_suite *torture_krb5_canon(TALLOC_CTX *mem_ctx)
 		test_data->netbios_realm = (i & TEST_NETBIOS_REALM) != 0;
 		test_data->win2k = (i & TEST_WIN2K) != 0;
 		test_data->upn = (i & TEST_UPN) != 0;
+		test_data->s4u2self = (i & TEST_S4U2SELF) != 0;
 		torture_suite_add_simple_tcase_const(suite, name, torture_krb5_as_req_canon,
 						     test_data);
 						     


-- 
Samba Shared Repository

