[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Wed Mar 18 11:57:02 MDT 2015


The branch, master has been updated
       via  8421c40 s4:kdc: fix realm for outgoing trusts in samba_kdc_trust_message2entry()
      from  9d0f7e1 selftest: the drs.delete_object is currently flakey.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 8421c403e206a8eb1b55ce512e6d2d4174bed0ac
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sun Mar 15 22:25:49 2015 +0100

    s4:kdc: fix realm for outgoing trusts in samba_kdc_trust_message2entry()
    
    This is a regression introduced in commit
    8dd37327b02eaea33915a9cd206667981b8df872.
    
    Now we change 'realm' before calling
    ret = krb5_principal_set_realm(context, entry_ex->entry.principal, realm);
    as before commit 8dd37327b02eaea33915a9cd206667981b8df872.
    
    Without this we'd set entry_ex->entry.principal to
    krbtgt/DOMA.EXAMPLE.COM@DOMA.EXAMPLE.COM instead
    of krbtgt/DOMA.EXAMPLE.COM@DOMB.EXAMPLE.COM,
    while we use krbtgt/DOMA.EXAMPLE.COM@DOMB.EXAMPLE.COM as
    salt for the keys.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Wed Mar 18 18:56:51 CET 2015 on sn-devel-104

-----------------------------------------------------------------------

Summary of changes:
 source4/kdc/db-glue.c | 53 +++++++++++++++++++++++++--------------------------
 1 file changed, 26 insertions(+), 27 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 8f2b361..bc82482 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -965,6 +965,32 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 					supported_enctypes);
 	}
 
+	trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0);
+
+	if (direction == INBOUND) {
+		password_val = ldb_msg_find_ldb_val(msg, "trustAuthIncoming");
+
+	} else { /* OUTBOUND */
+		dnsdomain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
+		/* replace realm */
+		realm = strupper_talloc(mem_ctx, dnsdomain);
+		password_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
+	}
+
+	if (!password_val || !(trust_direction_flags & direction)) {
+		krb5_clear_error_message(context);
+		ret = HDB_ERR_NOENTRY;
+		goto out;
+	}
+
+	ndr_err = ndr_pull_struct_blob(password_val, mem_ctx, &password_blob,
+				       (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
+	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+		krb5_clear_error_message(context);
+		ret = EINVAL;
+		goto out;
+	}
+
 	p = talloc(mem_ctx, struct samba_kdc_entry);
 	if (!p) {
 		ret = ENOMEM;
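Review bot: In the OUTBOUND branch the value returned by `ldb_msg_find_attr_as_string(msg, "trustPartner", NULL)` goes straight into `strupper_talloc()`, and neither `dnsdomain` nor the new `realm` is checked for NULL. According to the commit message, `realm` is later passed to `krb5_principal_set_realm()` and must match the salt used for the trust keys, so a trusted-domain object without `trustPartner`, or a failed allocation, should fail here rather than carry a NULL realm forward. I would add `if (dnsdomain == NULL) { krb5_clear_error_message(context); ret = HDB_ERR_NOENTRY; goto out; }` after the lookup and `if (realm == NULL) { ret = ENOMEM; goto out; }` after the uppercase copy. The two moved `goto out` paths now also run before `p` is allocated. The `out:` label is outside this hunk, so please confirm its cleanup tolerates an `entry_ex` that has no context attached yet.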
@@ -1023,33 +1049,6 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 
 	entry_ex->entry.valid_start = NULL;
 
-	trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0);
-
-	if (direction == INBOUND) {
-		password_val = ldb_msg_find_ldb_val(msg, "trustAuthIncoming");
-
-	} else { /* OUTBOUND */
-		dnsdomain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
-		/* replace realm */
-		realm = strupper_talloc(mem_ctx, dnsdomain);
-		password_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
-	}
-
-	if (!password_val || !(trust_direction_flags & direction)) {
-		krb5_clear_error_message(context);
-		ret = HDB_ERR_NOENTRY;
-		goto out;
-	}
-
-	ndr_err = ndr_pull_struct_blob(password_val, mem_ctx, &password_blob,
-					   (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
-	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-		krb5_clear_error_message(context);
-		ret = EINVAL;
-		goto out;
-	}
-
-
 	/* we need to work out if we are going to use the current or
 	 * the previous password hash.
 	 * We base this on the kvno the client passes in. If the kvno


-- 
Samba Shared Repository

