[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Fri Mar 20 19:04:05 MDT 2015
The branch, master has been updated
via c07a54b torture: Fix the usage of the MEMORY credential cache.
via a9bcc86 kdc-db-glue: Remove unused code.
via b21b2d5 kdc-db-glue: Do not allocate memory for the principal
via aa1431e kdc-db-glue: Fix memory cleanup to avoid crashes.
via 6ada266 kdc-db-glue: Fix function format of samba_kdc_message2entry()
via b9072d9 kdc-db-glue: Fix a NULL pointer dereference.
via 13cd1d5 s4-kdc/db_glue: bad idea to free parent mem_ctx when sub function got a failure.
via 6d6712f s4-kdc/pac_glue: only include required headers.
via c5965c4 s4-kdc/pac_glue: use ENCTYPE_ARCFOUR_HMAC just like in db_glue.
via e49802a s4-kdc/db-glue: use krb5_copy_data_contents in samba_kdc_message2entry_keys().
via 51191bd s4-kdc/pac_glue: use krb5_copy_data_contents in samba_make_krb5_pac().
via c5eb9b3 s4-kdc/db_glue: use KRB5_PW_SALT instead of hdb type.
via 683ba8a s4-kdc/db_glue: use smb_krb5_principal_get_type() to access private members
via 3ee26c4 s4-kdc/db_glue: use KRB5_KEY_TYPE to access private key members.
via 0163c94 s4-kdc/db_glue: use time_t directly instead of KerberosTime.
via 668f1e9 s4-kdc/db_glue: use krb5_principal_get_comp_string() to access members of private structs.
via 75602bf s4-kdc/db_glue: use krb5_princ_size() instead of inspecting private structs.
via 10a06fc s4-kdc/db_glue: use smb_krb5_principal_get_realm().
via 8b2cada s4:kdc/db-glue: pass a valid principal from samba_kdc_seq() to samba_kdc_message2entry()
via 463be9f s4-kdc/db_glue: use smb_krb5_principal_set_realm().
via b705ec9 s4-kdc/db_glue: use krb5_copy_principal().
via 7296f1b s4-kdc/db_glue: use smb_krb5_make_principal().
via 2b29bfe s4-kdc/db_glue: use smb_krb5_keyblock_init_contents().
via 07edd10 s4-kdc/db_glue: no need to include kdc/kdc-glue.h header here.
via 2f6cdbb s4-kdc/db_glue: no need to NULL entry_ex->entry.generation.
via b74413b s4-kdc/db_glue: remove unused hdb_entry_ex from samba_kdc_seq().
via d823885 s4-kdc/db_glue: fix Debug messages.
via 9713734 s4-kdc/pac-glue: use kerberos_free_data_contents().
via 1e9e40e s4-libnet: only build python_dckeytab when heimdal is available.
via ad0fd58 s4-rpc_server: only build backup_key rpc service when Heimdal is available.
via 2ad3dcc s4-dsdb/samdb: use abstract functions for MIT compatibility.
via d86f7b9 s3-winbind: Correct debug message for starting winbind.
via 8a5db7d dlz_bind9: Fix keytab location.
via 10a135a YouCompleteMe: Add missing path.
from 1fc1dfe s4:torture/libnetapi: remove allow_warnings=True
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit c07a54b2941c0d5dc69eb435405daddac1b994bf
Author: Andreas Schneider <asn at samba.org>
Date: Thu Feb 26 17:03:44 2015 +0100
torture: Fix the usage of the MEMORY credential cache.
Pair-Programmed-With: Guenther Deschner <gd at samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Sat Mar 21 02:03:34 CET 2015 on sn-devel-104
commit a9bcc86504971e6c30d782364f912e95eff2e93f
Author: Andreas Schneider <asn at samba.org>
Date: Wed Feb 25 11:57:23 2015 +0100
kdc-db-glue: Remove unused code.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit b21b2d596ebc0a11b3f8c19de0498cc8c0783655
Author: Andreas Schneider <asn at samba.org>
Date: Wed Feb 25 11:56:34 2015 +0100
kdc-db-glue: Do not allocate memory for the principal
The function we are calling already allocates memory.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit aa1431e53febdeb80d2c93f6e330fbaedb607ba3
Author: Andreas Schneider <asn at samba.org>
Date: Wed Feb 25 11:55:43 2015 +0100
kdc-db-glue: Fix memory cleanup to avoid crashes.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 6ada266dcf8e6e33a5f58afc0568db540b7430cc
Author: Andreas Schneider <asn at samba.org>
Date: Wed Feb 25 11:54:52 2015 +0100
kdc-db-glue: Fix function format of samba_kdc_message2entry()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit b9072d974131de613949e368ada5e5d754375007
Author: Andreas Schneider <asn at samba.org>
Date: Wed Feb 25 11:52:45 2015 +0100
kdc-db-glue: Fix a NULL pointer dereference.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 13cd1d5c58668313fd26aa00406bcfad1fccf256
Author: Günther Deschner <gd at samba.org>
Date: Tue Feb 10 14:38:22 2015 +0100
s4-kdc/db_glue: bad idea to free parent mem_ctx when sub function got a failure.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 6d6712fdde2b82d20f8c395110efa0706324ad71
Author: Günther Deschner <gd at samba.org>
Date: Thu May 8 15:49:17 2014 +0200
s4-kdc/pac_glue: only include required headers.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit c5965c41aec216fc91f6dcd412911f43b77b0a81
Author: Günther Deschner <gd at samba.org>
Date: Thu May 8 15:20:59 2014 +0200
s4-kdc/pac_glue: use ENCTYPE_ARCFOUR_HMAC just like in db_glue.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit e49802a02df6b624e4667e1ca375e5cb57df3fa9
Author: Günther Deschner <gd at samba.org>
Date: Mon May 12 17:45:26 2014 +0200
s4-kdc/db-glue: use krb5_copy_data_contents in samba_kdc_message2entry_keys().
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 51191bd9d80124bbaa9a865893bf4aa0936c2fb6
Author: Günther Deschner <gd at samba.org>
Date: Mon May 12 17:45:14 2014 +0200
s4-kdc/pac_glue: use krb5_copy_data_contents in samba_make_krb5_pac().
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit c5eb9b388ec666678afdf63dae793aa8e9c87388
Author: Günther Deschner <gd at samba.org>
Date: Thu May 8 14:32:47 2014 +0200
s4-kdc/db_glue: use KRB5_PW_SALT instead of hdb type.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 683ba8a09db46f9fa936e6c2e3323ce232ef686d
Author: Günther Deschner <gd at samba.org>
Date: Thu May 8 12:21:43 2014 +0200
s4-kdc/db_glue: use smb_krb5_principal_get_type() to access private members
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 3ee26c43b935591f77857cb5178b07fa02d21b09
Author: Günther Deschner <gd at samba.org>
Date: Thu May 8 10:50:21 2014 +0200
s4-kdc/db_glue: use KRB5_KEY_TYPE to access private key members.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 0163c9403e83fb37ef5a75921e77759ac800835a
Author: Günther Deschner <gd at samba.org>
Date: Thu May 8 10:49:00 2014 +0200
s4-kdc/db_glue: use time_t directly instead of KerberosTime.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 668f1e9ab02070217cc710b654a197f5f35f8e59
Author: Günther Deschner <gd at samba.org>
Date: Thu May 8 10:44:09 2014 +0200
s4-kdc/db_glue: use krb5_principal_get_comp_string() to access members of private structs.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 75602bf1aed68026c61260442f1095b5a8940436
Author: Günther Deschner <gd at samba.org>
Date: Thu May 8 10:25:07 2014 +0200
s4-kdc/db_glue: use krb5_princ_size() instead of inspecting private structs.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 10a06fcd55c314d87c378b561bb7b57c756428ad
Author: Günther Deschner <gd at samba.org>
Date: Thu May 8 10:10:49 2014 +0200
s4-kdc/db_glue: use smb_krb5_principal_get_realm().
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 8b2cada705644dd398b0eed73c43b53483f00f71
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 20 15:29:30 2015 +0100
s4:kdc/db-glue: pass a valid principal from samba_kdc_seq() to samba_kdc_message2entry()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 463be9f676b93c39f5fed3e3b8903bfb21d9c380
Author: Günther Deschner <gd at samba.org>
Date: Thu May 8 10:09:17 2014 +0200
s4-kdc/db_glue: use smb_krb5_principal_set_realm().
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit b705ec95d4907f3f887b36963950fe0f18807273
Author: Günther Deschner <gd at samba.org>
Date: Wed May 7 17:14:14 2014 +0200
s4-kdc/db_glue: use krb5_copy_principal().
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 7296f1b2f5a9bb9287aaee2f57469371d2bf5679
Author: Günther Deschner <gd at samba.org>
Date: Wed May 7 16:47:52 2014 +0200
s4-kdc/db_glue: use smb_krb5_make_principal().
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 2b29bfe62adbd2900646be08758c842ffa885004
Author: Günther Deschner <gd at samba.org>
Date: Wed May 7 16:46:31 2014 +0200
s4-kdc/db_glue: use smb_krb5_keyblock_init_contents().
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 07edd10ba5a3b11684da81eb910aa42fcd3d327c
Author: Günther Deschner <gd at samba.org>
Date: Wed May 7 19:58:39 2014 +0200
s4-kdc/db_glue: no need to include kdc/kdc-glue.h header here.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 2f6cdbbb90c8a8d3972734b51f2db49c0631b54c
Author: Günther Deschner <gd at samba.org>
Date: Wed May 7 16:56:06 2014 +0200
s4-kdc/db_glue: no need to NULL entry_ex->entry.generation.
The whole entry_ex->entry struct is initialized already.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit b74413b3394ac2f1ea602659c0f71e1f483a477f
Author: Günther Deschner <gd at samba.org>
Date: Wed May 7 16:37:25 2014 +0200
s4-kdc/db_glue: remove unused hdb_entry_ex from samba_kdc_seq().
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit d82388501fcf8b80686504318738d2830b9fffcf
Author: Günther Deschner <gd at samba.org>
Date: Wed May 7 16:11:51 2014 +0200
s4-kdc/db_glue: fix Debug messages.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 97137347f3d73b5dd8785a66514c24055c4f18ef
Author: Günther Deschner <gd at samba.org>
Date: Wed May 7 11:50:52 2014 +0200
s4-kdc/pac-glue: use kerberos_free_data_contents().
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 1e9e40e1d6317eb7e83a0ba6f7617aafc893ca4c
Author: Günther Deschner <gd at samba.org>
Date: Wed Apr 30 01:19:53 2014 +0200
s4-libnet: only build python_dckeytab when heimdal is available.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit ad0fd589724d5dead6a7ba4c123d37ec61ec7b84
Author: Günther Deschner <gd at samba.org>
Date: Fri Apr 25 15:21:17 2014 +0200
s4-rpc_server: only build backup_key rpc service when Heimdal is available.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 2ad3dcc7cf688de515aeeff707b16ed7066f5cb0
Author: Günther Deschner <gd at samba.org>
Date: Fri Apr 25 14:17:10 2014 +0200
s4-dsdb/samdb: use abstract functions for MIT compatibility.
This involves switching to krb5_data, smb_krb5_get_pw_salt and
smb_krb5_create_key_from_string.
Guenther
Signed-off-by: Günther Deschner <gd at samba.org>
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit d86f7b9dafc58fa663d9430e16a6e90bd7455e1d
Author: Andreas Schneider <asn at samba.org>
Date: Tue Jan 27 16:32:48 2015 +0100
s3-winbind: Correct debug message for starting winbind.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 8a5db7d2f4936b54bf0ab8d36f54804cd463f967
Author: Andreas Schneider <asn at samba.org>
Date: Thu Feb 26 18:17:18 2015 +0100
dlz_bind9: Fix keytab location.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 10a135a3d7a87778c3202e1c09a3f5e4c5882ab6
Author: Andreas Schneider <asn at samba.org>
Date: Thu Feb 26 17:10:28 2015 +0100
YouCompleteMe: Add missing path.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
-----------------------------------------------------------------------
Summary of changes:
.ycm_extra_conf.py | 1 +
source4/dns_server/dlz_bind9.c | 2 +-
source4/dsdb/samdb/ldb_modules/password_hash.c | 59 +++---
source4/kdc/db-glue.c | 247 ++++++++++++++-----------
source4/kdc/pac-glue.c | 35 ++--
source4/libnet/wscript_build | 2 +-
source4/rpc_server/wscript_build | 3 +-
source4/torture/rpc/remote_pac.c | 84 ++++++---
source4/winbind/winbindd.c | 2 +-
9 files changed, 260 insertions(+), 175 deletions(-)
Changeset truncated at 500 lines:
diff --git a/.ycm_extra_conf.py b/.ycm_extra_conf.py
index fa75e22..e581561 100644
--- a/.ycm_extra_conf.py
+++ b/.ycm_extra_conf.py
@@ -141,6 +141,7 @@ flags = [
'-Ibin/default/source3/include',
'-Ibin/default/source3/librpc/gen_ndr',
'-Ibin/default/source3/param',
+'-Ibin/default/source4',
'-Ibin/default/source4/auth',
'-Ibin/default/source4/auth/gensec',
'-Ibin/default/source4/auth/kerberos',
diff --git a/source4/dns_server/dlz_bind9.c b/source4/dns_server/dlz_bind9.c
index 8c7192f..7a76fe5 100644
--- a/source4/dns_server/dlz_bind9.c
+++ b/source4/dns_server/dlz_bind9.c
@@ -1304,7 +1304,7 @@ _PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const
cli_credentials_set_krb5_context(server_credentials, state->smb_krb5_ctx);
cli_credentials_set_conf(server_credentials, state->lp);
- keytab_name = talloc_asprintf(tmp_ctx, "file:%s/dns.keytab",
+ keytab_name = talloc_asprintf(tmp_ctx, "FILE:%s/dns.keytab",
lpcfg_private_dir(state->lp));
ret = cli_credentials_set_keytab_name(server_credentials, state->lp, keytab_name,
CRED_SPECIFIED);
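Review bot: keytab_name from talloc_asprintf() is passed straight to cli_credentials_set_keytab_name() with no NULL check between the two calls shown here. If the allocation fails, the credentials code receives a NULL keytab name; check the result and fail the match before the call. Since the only change is the case of the prefix ("file:" to "FILE:"), the commit message should also say which consumer rejects the lower-case form, because "Fix keytab location" does not explain it.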
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index d304038..e266307 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -647,7 +647,7 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io)
struct ldb_context *ldb;
krb5_error_code krb5_ret;
krb5_principal salt_principal;
- krb5_salt salt;
+ krb5_data salt;
krb5_keyblock key;
krb5_data cleartext_data;
@@ -721,7 +721,7 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io)
/*
* create salt from salt_principal
*/
- krb5_ret = krb5_get_pw_salt(io->smb_krb5_context->krb5_context,
+ krb5_ret = smb_krb5_get_pw_salt(io->smb_krb5_context->krb5_context,
salt_principal, &salt);
krb5_free_principal(io->smb_krb5_context->krb5_context, salt_principal);
if (krb5_ret) {
@@ -734,24 +734,26 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io)
}
/* create a talloc copy */
io->g.salt = talloc_strndup(io->ac,
- (char *)salt.saltvalue.data,
- salt.saltvalue.length);
- krb5_free_salt(io->smb_krb5_context->krb5_context, salt);
+ (char *)salt.data,
+ salt.length);
+ kerberos_free_data_contents(io->smb_krb5_context->krb5_context, &salt);
if (!io->g.salt) {
return ldb_oom(ldb);
}
- salt.saltvalue.data = discard_const(io->g.salt);
- salt.saltvalue.length = strlen(io->g.salt);
+ /* now use the talloced copy of the salt */
+ salt.data = discard_const(io->g.salt);
+ salt.length = strlen(io->g.salt);
/*
* create ENCTYPE_AES256_CTS_HMAC_SHA1_96 key out of
* the salt and the cleartext password
*/
- krb5_ret = krb5_string_to_key_data_salt(io->smb_krb5_context->krb5_context,
- ENCTYPE_AES256_CTS_HMAC_SHA1_96,
- cleartext_data,
- salt,
- &key);
+ krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context,
+ NULL,
+ &salt,
+ &cleartext_data,
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ &key);
if (krb5_ret) {
ldb_asprintf_errstring(ldb,
"setup_kerberos_keys: "
@@ -772,11 +774,12 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io)
* create ENCTYPE_AES128_CTS_HMAC_SHA1_96 key out of
* the salt and the cleartext password
*/
- krb5_ret = krb5_string_to_key_data_salt(io->smb_krb5_context->krb5_context,
- ENCTYPE_AES128_CTS_HMAC_SHA1_96,
- cleartext_data,
- salt,
- &key);
+ krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context,
+ NULL,
+ &salt,
+ &cleartext_data,
+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+ &key);
if (krb5_ret) {
ldb_asprintf_errstring(ldb,
"setup_kerberos_keys: "
@@ -797,11 +800,12 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io)
* create ENCTYPE_DES_CBC_MD5 key out of
* the salt and the cleartext password
*/
- krb5_ret = krb5_string_to_key_data_salt(io->smb_krb5_context->krb5_context,
- ENCTYPE_DES_CBC_MD5,
- cleartext_data,
- salt,
- &key);
+ krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context,
+ NULL,
+ &salt,
+ &cleartext_data,
+ ENCTYPE_DES_CBC_MD5,
+ &key);
if (krb5_ret) {
ldb_asprintf_errstring(ldb,
"setup_kerberos_keys: "
@@ -822,11 +826,12 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io)
* create ENCTYPE_DES_CBC_CRC key out of
* the salt and the cleartext password
*/
- krb5_ret = krb5_string_to_key_data_salt(io->smb_krb5_context->krb5_context,
- ENCTYPE_DES_CBC_CRC,
- cleartext_data,
- salt,
- &key);
+ krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context,
+ NULL,
+ &salt,
+ &cleartext_data,
+ ENCTYPE_DES_CBC_CRC,
+ &key);
if (krb5_ret) {
ldb_asprintf_errstring(ldb,
"setup_kerberos_keys: "
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index bc82482..d60b602 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -34,7 +34,6 @@
#include "auth/kerberos/kerberos.h"
#include <hdb.h>
#include "kdc/samba_kdc.h"
-#include "kdc/kdc-glue.h"
#include "kdc/db-glue.h"
#define SAMBA_KVNO_GET_KRBTGT(kvno) \
@@ -67,7 +66,7 @@ static const char *trust_attrs[] = {
};
-static KerberosTime ldb_msg_find_krb5time_ldap_time(struct ldb_message *msg, const char *attr, KerberosTime default_val)
+static time_t ldb_msg_find_krb5time_ldap_time(struct ldb_message *msg, const char *attr, time_t default_val)
{
const char *tmp;
const char *gentime;
@@ -189,9 +188,12 @@ static HDBFlags uf2HDBFlags(krb5_context context, uint32_t userAccountControl, e
static int samba_kdc_entry_destructor(struct samba_kdc_entry *p)
{
- hdb_entry_ex *entry_ex = p->entry_ex;
- free_hdb_entry(&entry_ex->entry);
- return 0;
+ if (p->entry_ex != NULL) {
+ hdb_entry_ex *entry_ex = p->entry_ex;
+ free_hdb_entry(&entry_ex->entry);
+ }
+
+ return 0;
}
static void samba_kdc_free_entry(krb5_context context, hdb_entry_ex *entry_ex)
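Review bot: the new `if (p->entry_ex != NULL)` guard in samba_kdc_entry_destructor() only helps if p->entry_ex is never left uninitialised or dangling. The first case is covered by the switch to talloc_zero() in samba_kdc_message2entry(); for the second, consider setting p->entry_ex to NULL wherever the hdb entry is freed outside the destructor. A one-line comment here stating when entry_ex is expected to be NULL would make the intent clear to the next reader.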
@@ -398,10 +400,11 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
key.mkvno = 0;
key.salt = NULL; /* No salt for this enc type */
- ret = krb5_keyblock_init(context,
- ENCTYPE_ARCFOUR_HMAC,
- hash->hash, sizeof(hash->hash),
- &key.key);
+ ret = smb_krb5_keyblock_init_contents(context,
+ ENCTYPE_ARCFOUR_HMAC,
+ hash->hash,
+ sizeof(hash->hash),
+ &key.key);
if (ret) {
goto out;
}
@@ -434,9 +437,11 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
goto out;
}
- key.salt->type = hdb_pw_salt;
+ key.salt->type = KRB5_PW_SALT;
- ret = krb5_data_copy(&key.salt->salt, salt.data, salt.length);
+ ret = krb5_copy_data_contents(&key.salt->salt,
+ salt.data,
+ salt.length);
if (ret) {
free(key.salt);
key.salt = NULL;
@@ -446,11 +451,11 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
/* TODO: maybe pass the iteration_count somehow... */
- ret = krb5_keyblock_init(context,
- pkb4->keys[i].keytype,
- pkb4->keys[i].value->data,
- pkb4->keys[i].value->length,
- &key.key);
+ ret = smb_krb5_keyblock_init_contents(context,
+ pkb4->keys[i].keytype,
+ pkb4->keys[i].value->data,
+ pkb4->keys[i].value->length,
+ &key.key);
if (ret == KRB5_PROG_ETYPE_NOSUPP) {
DEBUG(2,("Unsupported keytype ignored - type %u\n",
pkb4->keys[i].keytype));
@@ -493,9 +498,11 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
goto out;
}
- key.salt->type = hdb_pw_salt;
+ key.salt->type = KRB5_PW_SALT;
- ret = krb5_data_copy(&key.salt->salt, salt.data, salt.length);
+ ret = krb5_copy_data_contents(&key.salt->salt,
+ salt.data,
+ salt.length);
if (ret) {
free(key.salt);
key.salt = NULL;
@@ -503,11 +510,11 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
}
}
- ret = krb5_keyblock_init(context,
- pkb3->keys[i].keytype,
- pkb3->keys[i].value->data,
- pkb3->keys[i].value->length,
- &key.key);
+ ret = smb_krb5_keyblock_init_contents(context,
+ pkb3->keys[i].keytype,
+ pkb3->keys[i].value->data,
+ pkb3->keys[i].value->length,
+ &key.key);
if (ret) {
if (key.salt) {
free_Salt(key.salt);
@@ -538,7 +545,8 @@ out:
*/
static krb5_error_code samba_kdc_message2entry(krb5_context context,
struct samba_kdc_db_context *kdc_db_ctx,
- TALLOC_CTX *mem_ctx, krb5_const_principal principal,
+ TALLOC_CTX *mem_ctx,
+ krb5_const_principal principal,
enum samba_kdc_ent_type ent_type,
unsigned flags,
struct ldb_dn *realm_dn,
@@ -580,9 +588,9 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
is_computer = TRUE;
}
- memset(entry_ex, 0, sizeof(*entry_ex));
+ ZERO_STRUCTP(entry_ex);
- p = talloc(mem_ctx, struct samba_kdc_entry);
+ p = talloc_zero(mem_ctx, struct samba_kdc_entry);
if (!p) {
ret = ENOMEM;
goto out;
@@ -638,7 +646,6 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
* fixed UPPER case realm, but the as-sent username
*/
- entry_ex->entry.principal = malloc(sizeof(*(entry_ex->entry.principal)));
if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT) {
if (flags & (HDB_F_CANON)) {
/*
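Review bot: with the malloc() of entry_ex->entry.principal removed, the pointer stays NULL (entry_ex is zeroed earlier in the function) until a branch assigns it. The smb_krb5_make_principal() branches do that, but the smb_krb5_principal_set_realm(context, entry_ex->entry.principal, ...) calls further down depend on a principal copy made in lines this diff does not show. Please confirm that every path assigns the principal, and checks that assignment for failure, before the pointer is used.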
@@ -646,9 +653,9 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
* both realm values in the principal are set
* to the upper case, canonical realm
*/
- ret = krb5_make_principal(context, &entry_ex->entry.principal,
- lpcfg_realm(lp_ctx), "krbtgt",
- lpcfg_realm(lp_ctx), NULL);
+ ret = smb_krb5_make_principal(context, &entry_ex->entry.principal,
+ lpcfg_realm(lp_ctx), "krbtgt",
+ lpcfg_realm(lp_ctx), NULL);
if (ret) {
krb5_clear_error_message(context);
goto out;
@@ -664,7 +671,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
* this appears to be required regardless of
* the canonicalize flag from the client
*/
- ret = krb5_principal_set_realm(context, entry_ex->entry.principal, lpcfg_realm(lp_ctx));
+ ret = smb_krb5_principal_set_realm(context, entry_ex->entry.principal, lpcfg_realm(lp_ctx));
if (ret) {
krb5_clear_error_message(context);
goto out;
@@ -672,7 +679,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
}
} else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) {
- ret = krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
+ ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
if (ret) {
krb5_clear_error_message(context);
goto out;
@@ -683,7 +690,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
* packet, and has a different meaning between AS-REQ
* and TGS-REQ. We only change the principal in the AS-REQ case
*/
- ret = krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
+ ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
if (ret) {
krb5_clear_error_message(context);
goto out;
@@ -695,7 +702,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
goto out;
}
- if (krb5_principal_get_type(context, principal) != KRB5_NT_ENTERPRISE_PRINCIPAL) {
+ if (smb_krb5_principal_get_type(context, principal) != KRB5_NT_ENTERPRISE_PRINCIPAL) {
/* While we have copied the client principal, tests
* show that Win2k3 returns the 'corrected' realm, not
* the client-specified realm. This code attempts to
@@ -703,7 +710,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
* we determine from our records */
/* this has to be with malloc() */
- ret = krb5_principal_set_realm(context, entry_ex->entry.principal, lpcfg_realm(lp_ctx));
+ ret = smb_krb5_principal_set_realm(context, entry_ex->entry.principal, lpcfg_realm(lp_ctx));
if (ret) {
krb5_clear_error_message(context);
goto out;
@@ -746,9 +753,10 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
/* use 'whenCreated' */
entry_ex->entry.created_by.time = ldb_msg_find_krb5time_ldap_time(msg, "whenCreated", 0);
/* use 'kadmin' for now (needed by mit_samba) */
- ret = krb5_make_principal(context,
- &entry_ex->entry.created_by.principal,
- lpcfg_realm(lp_ctx), "kadmin", NULL);
+
+ ret = smb_krb5_make_principal(context,
+ &entry_ex->entry.created_by.principal,
+ lpcfg_realm(lp_ctx), "kadmin", NULL);
if (ret) {
krb5_clear_error_message(context);
goto out;
@@ -764,9 +772,9 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
/* use 'whenChanged' */
entry_ex->entry.modified_by->time = ldb_msg_find_krb5time_ldap_time(msg, "whenChanged", 0);
/* use 'kadmin' for now (needed by mit_samba) */
- ret = krb5_make_principal(context,
- &entry_ex->entry.modified_by->principal,
- lpcfg_realm(lp_ctx), "kadmin", NULL);
+ ret = smb_krb5_make_principal(context,
+ &entry_ex->entry.modified_by->principal,
+ lpcfg_realm(lp_ctx), "kadmin", NULL);
if (ret) {
krb5_clear_error_message(context);
goto out;
@@ -784,23 +792,34 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
}
if (rid == DOMAIN_RID_KRBTGT) {
+ char *realm = NULL;
+
entry_ex->entry.valid_end = NULL;
entry_ex->entry.pw_end = NULL;
entry_ex->entry.flags.invalid = 0;
entry_ex->entry.flags.server = 1;
+ realm = smb_krb5_principal_get_realm(context, principal);
+ if (realm == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
+
/* Don't mark all requests for the krbtgt/realm as
* 'change password', as otherwise we could get into
* trouble, and not enforce the password expirty.
* Instead, only do it when request is for the kpasswd service */
if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER
- && principal->name.name_string.len == 2
- && (strcmp(principal->name.name_string.val[0], "kadmin") == 0)
- && (strcmp(principal->name.name_string.val[1], "changepw") == 0)
- && lpcfg_is_my_domain_or_realm(lp_ctx, principal->realm)) {
+ && krb5_princ_size(context, principal) == 2
+ && (strcmp(krb5_principal_get_comp_string(context, principal, 0), "kadmin") == 0)
+ && (strcmp(krb5_principal_get_comp_string(context, principal, 1), "changepw") == 0)
+ && lpcfg_is_my_domain_or_realm(lp_ctx, realm)) {
entry_ex->entry.flags.change_pw = 1;
}
+
+ SAFE_FREE(realm);
+
entry_ex->entry.flags.client = 0;
entry_ex->entry.flags.forwardable = 1;
entry_ex->entry.flags.ok_as_delegate = 1;
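Review bot: smb_krb5_principal_get_realm(context, principal) is called for every entry with rid == DOMAIN_RID_KRBTGT, yet this function still carries a `principal == NULL` branch (the SAMBA_KDC_ENT_TYPE_ANY case above), so the lookup needs a guard or should move under the ent_type == SAMBA_KDC_ENT_TYPE_SERVER test, which is the only place the realm is used. That would also avoid the allocation and SAFE_FREE() on the common path. Mapping every NULL return to ENOMEM hides the real cause, and the strcmp() calls are safe only because the krb5_princ_size() check comes first in the && chain; a comment saying so would keep a later reordering from introducing a NULL dereference.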
@@ -884,8 +903,6 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
*entry_ex->entry.max_renew = kdc_db_ctx->policy.renewal_lifetime;
- entry_ex->entry.generation = NULL;
-
/* Get keys from the db */
ret = samba_kdc_message2entry_keys(context, kdc_db_ctx, p, msg,
rid, is_rodc, userAccountControl,
@@ -909,7 +926,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
goto out;
}
for (i=0; i < entry_ex->entry.etypes->len; i++) {
- entry_ex->entry.etypes->val[i] = entry_ex->entry.keys.val[i].key.keytype;
+ entry_ex->entry.etypes->val[i] = KRB5_KEY_TYPE(&entry_ex->entry.keys.val[i].key);
}
@@ -919,6 +936,7 @@ out:
if (ret != 0) {
/* This doesn't free ent itself, that is for the eventual caller to do */
hdb_free_entry(context, entry_ex);
+ ZERO_STRUCTP(entry_ex);
} else {
talloc_steal(kdc_db_ctx, entry_ex->ctx);
}
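Review bot: the ZERO_STRUCTP(entry_ex) added after hdb_free_entry() in the error path has no comment explaining why it is needed. Read together with the destructor hunk, it appears to stop a later free of the samba_kdc_entry from running free_hdb_entry() on an entry that was already released here. Please state that in a comment, since the existing one only says that the caller frees ent itself.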
@@ -1012,22 +1030,15 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
/* use 'whenCreated' */
entry_ex->entry.created_by.time = ldb_msg_find_krb5time_ldap_time(msg, "whenCreated", 0);
/* use 'kadmin' for now (needed by mit_samba) */
- ret = krb5_make_principal(context,
- &entry_ex->entry.created_by.principal,
- realm, "kadmin", NULL);
+ ret = smb_krb5_make_principal(context,
+ &entry_ex->entry.created_by.principal,
+ realm, "kadmin", NULL);
if (ret) {
krb5_clear_error_message(context);
goto out;
}
- entry_ex->entry.principal = malloc(sizeof(*(entry_ex->entry.principal)));
- if (entry_ex->entry.principal == NULL) {
- krb5_clear_error_message(context);
- ret = ENOMEM;
- goto out;
- }
-
- ret = copy_Principal(principal, entry_ex->entry.principal);
+ ret = krb5_copy_principal(context, principal, &entry_ex->entry.principal);
if (ret) {
krb5_clear_error_message(context);
goto out;
@@ -1041,7 +1052,7 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
* we determine from our records
*/
- ret = krb5_principal_set_realm(context, entry_ex->entry.principal, realm);
+ ret = smb_krb5_principal_set_realm(context, entry_ex->entry.principal, realm);
if (ret) {
krb5_clear_error_message(context);
goto out;
@@ -1213,11 +1224,11 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
if (password_hash != NULL) {
Key key = {};
- ret = krb5_keyblock_init(context,
- ENCTYPE_ARCFOUR_HMAC,
- password_hash->hash,
- sizeof(password_hash->hash),
- &key.key);
+ ret = smb_krb5_keyblock_init_contents(context,
+ ENCTYPE_ARCFOUR_HMAC,
+ password_hash->hash,
+ sizeof(password_hash->hash),
+ &key.key);
if (ret != 0) {
goto out;
}
@@ -1238,8 +1249,6 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
entry_ex->entry.max_renew = NULL;
- entry_ex->entry.generation = NULL;
-
entry_ex->entry.etypes = malloc(sizeof(*(entry_ex->entry.etypes)));
if (entry_ex->entry.etypes == NULL) {
krb5_clear_error_message(context);
@@ -1254,7 +1263,7 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
goto out;
}
for (i=0; i < entry_ex->entry.etypes->len; i++) {
- entry_ex->entry.etypes->val[i] = entry_ex->entry.keys.val[i].key.keytype;
--
Samba Shared Repository