[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Tue Aug 30 13:25:03 UTC 2016


The branch, master has been updated
       via  faa3bef gensec_krb5: Use get_krb5_smb_session_key() in gensec_krb5_session_key()
       via  7f9a075 gensec_krb5: Use implementation independent krb5_mk_req_extended()
       via  739a7ad gensec_krb5: Use kerberos_free_data_contents() to free krb5 data
       via  8268501 gensec_krb5: Only set the event context with Heimdal
       via  7ea7b60 gensec_krb5: Use krb5_wrap setup_kaddr() to convert address
       via  ab8628a gensec_krb5: Rename smb_rd_req_return_stuff()
       via  de224d7 gensec_krb5: Rename gensec_krb5_util to gensec_krb5_heimdal
       via  1fe94a6 s4-kdc: pac-glue: Add support for MIT pkinit
       via  4f51484 mit_samba: Add missing copyright
       via  5ac9de3 mit_samba: Add missing argument passed to authsam_make_user_info_dc()
      from  dd5439e tests/samba-tool/user.py: replace deprecated 'add' subcommand with 'create'

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit faa3bef690a72a7b3f546e04494a8a3baebafc52
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Aug 11 15:18:14 2016 +0200

    gensec_krb5: Use get_krb5_smb_session_key() in gensec_krb5_session_key()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Tue Aug 30 15:24:02 CEST 2016 on sn-devel-144

commit 7f9a075d9c8d777fd04c1dcec6693e1e27efc3ae
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Aug 11 15:04:42 2016 +0200

    gensec_krb5: Use implementation independent krb5_mk_req_extended()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 739a7adaef29d24611ee2d709e01e1cb7ffb31be
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Aug 11 15:10:33 2016 +0200

    gensec_krb5: Use kerberos_free_data_contents() to free krb5 data
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 8268501972994ce8240a27b68e85f9208b617094
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Aug 11 11:22:41 2016 +0200

    gensec_krb5: Only set the event context with Heimdal
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7ea7b60649dbc8312963a18119184b51ec2345fc
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Aug 11 11:20:42 2016 +0200

    gensec_krb5: Use krb5_wrap setup_kaddr() to convert address
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ab8628ac7a206d5b35022b6161f1ed9963ad0f97
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Aug 12 14:41:05 2016 +0200

    gensec_krb5: Rename smb_rd_req_return_stuff()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit de224d70062695d50668d1b3084a80ac81d6d79b
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Aug 12 14:37:51 2016 +0200

    gensec_krb5: Rename gensec_krb5_util to gensec_krb5_heimdal
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1fe94a659e8fdeb9ddb07c9f5a3126f1cdaa459c
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Aug 10 15:57:05 2016 +0200

    s4-kdc: pac-glue: Add support for MIT pkinit
    
    This only makes sure the code compiles again. I'm not able to test this
    yet.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 4f51484b4071d54183fbca0db4cfb21960016214
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Jun 9 16:02:23 2016 +0200

    mit_samba: Add missing copyright
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 5ac9de30f0bc184fae14daca80a476de8161ea6d
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Jun 30 16:25:41 2016 +0200

    mit_samba: Add missing argument passed to authsam_make_user_info_dc()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source4/auth/gensec/gensec_krb5.c                  | 116 ++++++++++++++-------
 .../gensec/{gensec_krb5_util.h => gensec_krb5.h}   |   8 +-
 .../{gensec_krb5_util.c => gensec_krb5_heimdal.c}  |  61 ++++++-----
 source4/auth/gensec/wscript_build                  |   2 +-
 source4/kdc/mit_samba.c                            |   3 +
 source4/kdc/pac-glue.c                             | 101 ++++++++++++++++++
 6 files changed, 216 insertions(+), 75 deletions(-)
 rename source4/auth/gensec/{gensec_krb5_util.h => gensec_krb5.h} (56%)
 rename source4/auth/gensec/{gensec_krb5_util.c => gensec_krb5_heimdal.c} (81%)


Changeset truncated at 500 lines:

diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 2af6b14..8dbec15 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -41,7 +41,7 @@
 #include "lib/util/util_net.h"
 #include "../lib/util/asn1.h"
 #include "auth/kerberos/pac_utils.h"
-#include "gensec_krb5_util.h"
+#include "gensec_krb5.h"
 
 _PUBLIC_ NTSTATUS gensec_krb5_init(void);
 
@@ -150,6 +150,7 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security, bool
 	if (tlocal_addr) {
 		ssize_t socklen;
 		struct sockaddr_storage ss;
+		bool ok;
 
 		socklen = tsocket_address_bsd_sockaddr(tlocal_addr,
 				(struct sockaddr *) &ss,
@@ -158,12 +159,9 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security, bool
 			talloc_free(gensec_krb5_state);
 			return NT_STATUS_INTERNAL_ERROR;
 		}
-		ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context,
-				(const struct sockaddr *) &ss, &my_krb5_addr);
-		if (ret) {
-			DEBUG(1,("gensec_krb5_start: krb5_sockaddr2address (local) failed (%s)\n", 
-				 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
-							    ret, gensec_krb5_state)));
+		ok = setup_kaddr(&my_krb5_addr, &ss);
+		if (!ok) {
+			DBG_WARNING("setup_kaddr (local) failed\n");
 			talloc_free(gensec_krb5_state);
 			return NT_STATUS_INTERNAL_ERROR;
 		}
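Review bot: The replacement warning on the new `DBG_WARNING("setup_kaddr (local) failed\n")` line drops every detail the old krb5_sockaddr2address() message carried, and since setup_kaddr() only returns a bool the one fact still at hand is the address family it rejected. Logging it costs nothing and is what an operator needs to see that, say, an unsupported family came out of tsocket_address_bsd_sockaddr(): `DBG_WARNING("setup_kaddr (local) failed for address family %d\n", (int)ss.ss_family);`. The same applies to the remote branch in the hunk at @@ -181,12 +180,9 @@. gensec_krb5_start() begins and ends outside these hunks.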
@@ -173,6 +171,7 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security, bool
 	if (tremote_addr) {
 		ssize_t socklen;
 		struct sockaddr_storage ss;
+		bool ok;
 
 		socklen = tsocket_address_bsd_sockaddr(tremote_addr,
 				(struct sockaddr *) &ss,
@@ -181,12 +180,9 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security, bool
 			talloc_free(gensec_krb5_state);
 			return NT_STATUS_INTERNAL_ERROR;
 		}
-		ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context,
-				(const struct sockaddr *) &ss, &peer_krb5_addr);
-		if (ret) {
-			DEBUG(1,("gensec_krb5_start: krb5_sockaddr2address (local) failed (%s)\n", 
-				 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
-							    ret, gensec_krb5_state)));
+		ok = setup_kaddr(&peer_krb5_addr, &ss);
+		if (!ok) {
+			DBG_WARNING("setup_kaddr (remote) failed\n");
 			talloc_free(gensec_krb5_state);
 			return NT_STATUS_INTERNAL_ERROR;
 		}
@@ -287,7 +283,9 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s
 	const char *hostname;
 	krb5_data in_data = { .length = 0 };
 	krb5_data *in_data_p = NULL;
+#ifdef SAMBA4_USES_HEIMDAL
 	struct tevent_context *previous_ev;
+#endif
 
 	if (lpcfg_parm_bool(gensec_security->settings->lp_ctx,
 			    NULL, "gensec_krb5", "send_authenticator_checksum", true)) {
@@ -320,23 +318,58 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s
 		return NT_STATUS_UNSUCCESSFUL;
 	}
 	
+#ifdef SAMBA4_USES_HEIMDAL
 	/* Do this every time, in case we have weird recursive issues here */
 	ret = smb_krb5_context_set_event_ctx(gensec_krb5_state->smb_krb5_context, ev, &previous_ev);
 	if (ret != 0) {
 		DEBUG(1, ("gensec_krb5_start: Setting event context failed\n"));
 		return NT_STATUS_NO_MEMORY;
 	}
+#endif
 	if (principal) {
 		krb5_principal target_principal;
 		ret = krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal,
 				      &target_principal);
 		if (ret == 0) {
-			ret = krb5_mk_req_exact(gensec_krb5_state->smb_krb5_context->krb5_context, 
-						&gensec_krb5_state->auth_context,
-						gensec_krb5_state->ap_req_options, 
-						target_principal,
-						in_data_p, ccache_container->ccache, 
-						&gensec_krb5_state->enc_ticket);
+			krb5_creds this_cred;
+			krb5_creds *cred;
+
+			ZERO_STRUCT(this_cred);
+			ret = krb5_cc_get_principal(gensec_krb5_state->smb_krb5_context->krb5_context,
+						    ccache_container->ccache,
+						    &this_cred.client);
+			if (ret != 0) {
+				return NT_STATUS_UNSUCCESSFUL;
+			}
+
+			ret = krb5_copy_principal(gensec_krb5_state->smb_krb5_context->krb5_context,
+						  target_principal,
+						  &this_cred.server);
+			if (ret != 0) {
+				krb5_free_cred_contents(gensec_krb5_state->smb_krb5_context->krb5_context,
+							&this_cred);
+				return NT_STATUS_UNSUCCESSFUL;
+			}
+			this_cred.times.endtime = 0;
+
+			ret = krb5_get_credentials(gensec_krb5_state->smb_krb5_context->krb5_context,
+						   0,
+						   ccache_container->ccache,
+						   &this_cred,
+						   &cred);
+			krb5_free_cred_contents(gensec_krb5_state->smb_krb5_context->krb5_context,
+						&this_cred);
+			if (ret != 0) {
+				return NT_STATUS_UNSUCCESSFUL;
+			}
+
+			ret = krb5_mk_req_extended(gensec_krb5_state->smb_krb5_context->krb5_context,
+						   &gensec_krb5_state->auth_context,
+						   gensec_krb5_state->ap_req_options,
+						   in_data_p,
+						   cred,
+						   &gensec_krb5_state->enc_ticket);
+
 			krb5_free_principal(gensec_krb5_state->smb_krb5_context->krb5_context, 
 					    target_principal);
 		}
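Review bot: The `cred` returned by krb5_get_credentials() is never released after krb5_mk_req_extended(), so every client AP-REQ built through this path leaks a krb5_creds (both Heimdal and MIT provide krb5_free_creds() for it). In addition, the three new `return NT_STATUS_UNSUCCESSFUL;` statements inside the `if (ret == 0)` block bypass the krb5_free_principal() of target_principal below them and, on Heimdal, the smb_krb5_context_remove_event_ctx() call in the following hunk, so the krb5 context is left pointing at this request's event context after a failure. The old code let `ret` fall through to the common `switch (ret)`; keeping that shape fixes all three problems at once, assuming the switch's default arm maps unexpected codes to a failure status as it did for krb5_mk_req_exact(). gensec_krb5_common_client_creds() continues outside the hunk.
```c
		if (ret == 0) {
			krb5_creds this_cred;
			krb5_creds *cred = NULL;

			ZERO_STRUCT(this_cred);
			ret = krb5_cc_get_principal(gensec_krb5_state->smb_krb5_context->krb5_context,
						    ccache_container->ccache,
						    &this_cred.client);
			if (ret == 0) {
				ret = krb5_copy_principal(gensec_krb5_state->smb_krb5_context->krb5_context,
							  target_principal,
							  &this_cred.server);
			}
			if (ret == 0) {
				this_cred.times.endtime = 0;
				ret = krb5_get_credentials(gensec_krb5_state->smb_krb5_context->krb5_context,
							   0,
							   ccache_container->ccache,
							   &this_cred,
							   &cred);
			}
			/* Safe on a zeroed or partially filled struct in both implementations. */
			krb5_free_cred_contents(gensec_krb5_state->smb_krb5_context->krb5_context,
						&this_cred);
			if (ret == 0) {
				ret = krb5_mk_req_extended(gensec_krb5_state->smb_krb5_context->krb5_context,
							   &gensec_krb5_state->auth_context,
							   gensec_krb5_state->ap_req_options,
							   in_data_p,
							   cred,
							   &gensec_krb5_state->enc_ticket);
				/* enc_ticket is a copy; the fetched credential is no longer needed. */
				krb5_free_creds(gensec_krb5_state->smb_krb5_context->krb5_context, cred);
			}
			/* Any non-zero ret now reaches the common switch (ret) below. */
			krb5_free_principal(gensec_krb5_state->smb_krb5_context->krb5_context,
					    target_principal);
		}
```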
@@ -350,7 +383,9 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s
 				  &gensec_krb5_state->enc_ticket);
 	}
 
+#ifdef SAMBA4_USES_HEIMDAL
 	smb_krb5_context_remove_event_ctx(gensec_krb5_state->smb_krb5_context, previous_ev, ev);
+#endif
 
 	switch (ret) {
 	case 0:
@@ -618,11 +653,13 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
 			inbuf.length = in.length;
 		}
 
-		ret = smb_rd_req_return_stuff(gensec_krb5_state->smb_krb5_context->krb5_context,
-					      &gensec_krb5_state->auth_context, 
-					      &inbuf, keytab->keytab, server_in_keytab,  
-					      &outbuf, 
-					      &gensec_krb5_state->ticket, 
+		ret = smb_krb5_rd_req_decoded(gensec_krb5_state->smb_krb5_context->krb5_context,
+					      &gensec_krb5_state->auth_context,
+					      &inbuf,
+					      keytab->keytab,
+					      server_in_keytab,
+					      &outbuf,
+					      &gensec_krb5_state->ticket,
 					      &gensec_krb5_state->keyblock);
 
 		if (ret) {
@@ -637,7 +674,8 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
 		} else {
 			*out = data_blob_talloc(out_mem_ctx, outbuf.data, outbuf.length);
 		}
-		krb5_data_free(&outbuf);
+		kerberos_free_data_contents(gensec_krb5_state->smb_krb5_context->krb5_context,
+					    &outbuf);
 		return NT_STATUS_OK;
 	}
 
@@ -655,8 +693,9 @@ static NTSTATUS gensec_krb5_session_key(struct gensec_security *gensec_security,
 	struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
 	krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
 	krb5_auth_context auth_context = gensec_krb5_state->auth_context;
-	krb5_keyblock *skey;
 	krb5_error_code err = -1;
+	bool remote = false;
+	bool ok;
 
 	if (gensec_krb5_state->state_position != GENSEC_KRB5_DONE) {
 		return NT_STATUS_NO_USER_SESSION_KEY;
@@ -664,25 +703,24 @@ static NTSTATUS gensec_krb5_session_key(struct gensec_security *gensec_security,
 
 	switch (gensec_security->gensec_role) {
 	case GENSEC_CLIENT:
-		err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey);
+		remote = false;
 		break;
 	case GENSEC_SERVER:
-		err = krb5_auth_con_getremotesubkey(context, auth_context, &skey);
+		remote = true;
 		break;
 	}
-	if (err == 0 && skey != NULL) {
-		DEBUG(10, ("Got KRB5 session key of length %d\n",  
-			   (int)KRB5_KEY_LENGTH(skey)));
-		*session_key = data_blob_talloc(mem_ctx,
-					       KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
-		dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
 
-		krb5_free_keyblock(context, skey);
-		return NT_STATUS_OK;
-	} else {
+	ok = get_krb5_smb_session_key(mem_ctx,
+				      context,
+				      auth_context,
+				      session_key,
+				      remote);
+	if (!ok) {
 		DEBUG(10, ("KRB5 error getting session key %d\n", err));
 		return NT_STATUS_NO_USER_SESSION_KEY;
 	}
+
+	return NT_STATUS_OK;
 }
 
 static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security,
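Review bot: The kept `DEBUG(10, ("KRB5 error getting session key %d\n", err));` now always prints -1, because the two assignments to `err` were removed in this hunk while its declaration (`krb5_error_code err = -1;` in the preceding hunk) stayed; the message will mislead anyone debugging a missing session key. Since get_krb5_smb_session_key() returns only a bool, drop `err` and log without a code: `DEBUG(10, ("KRB5 error getting session key\n"));`. Also worth noting that the switch has no `default:` arm, so a role other than GENSEC_CLIENT/GENSEC_SERVER now proceeds with `remote = false` and can return a key, whereas the old code fell through with `err == -1` and returned NT_STATUS_NO_USER_SESSION_KEY; a `default: return NT_STATUS_NO_USER_SESSION_KEY;` preserves the old behaviour. gensec_krb5_session_key() begins outside the hunk.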
@@ -816,7 +854,7 @@ static NTSTATUS gensec_krb5_wrap(struct gensec_security *gensec_security,
 		}
 		*out = data_blob_talloc(mem_ctx, output.data, output.length);
 		
-		krb5_data_free(&output);
+		kerberos_free_data_contents(context, &output);
 	} else {
 		return NT_STATUS_ACCESS_DENIED;
 	}
@@ -847,7 +885,7 @@ static NTSTATUS gensec_krb5_unwrap(struct gensec_security *gensec_security,
 		}
 		*out = data_blob_talloc(mem_ctx, output.data, output.length);
 		
-		krb5_data_free(&output);
+		kerberos_free_data_contents(context, &output);
 	} else {
 		return NT_STATUS_ACCESS_DENIED;
 	}
diff --git a/source4/auth/gensec/gensec_krb5_util.h b/source4/auth/gensec/gensec_krb5.h
similarity index 56%
rename from source4/auth/gensec/gensec_krb5_util.h
rename to source4/auth/gensec/gensec_krb5.h
index 09be3ff..ee684be 100644
--- a/source4/auth/gensec/gensec_krb5_util.h
+++ b/source4/auth/gensec/gensec_krb5.h
@@ -1,10 +1,10 @@
 /* See gensec_krb5_util.c for the license */
 
-krb5_error_code smb_rd_req_return_stuff(krb5_context context, 
+krb5_error_code smb_krb5_rd_req_decoded(krb5_context context,
 					krb5_auth_context *auth_context,
 					const krb5_data *inbuf,
-					krb5_keytab keytab, 
+					krb5_keytab keytab,
 					krb5_principal acceptor_principal,
-					krb5_data *outbuf, 
-					krb5_ticket **ticket, 
+					krb5_data *outbuf,
+					krb5_ticket **ticket,
 					krb5_keyblock **keyblock);
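Review bot: The unchanged first line of this header still says `/* See gensec_krb5_util.c for the license */`, but this series renames that file to gensec_krb5_heimdal.c, so the pointer to the license text is now dangling. Update it to `/* See gensec_krb5_heimdal.c for the license */`. A short comment on the prototype would also help now that the name is implementation-neutral, e.g. that smb_krb5_rd_req_decoded() decodes an AP-REQ against the given keytab and returns the ticket and session keyblock to the caller, which owns both.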
diff --git a/source4/auth/gensec/gensec_krb5_util.c b/source4/auth/gensec/gensec_krb5_heimdal.c
similarity index 81%
rename from source4/auth/gensec/gensec_krb5_util.c
rename to source4/auth/gensec/gensec_krb5_heimdal.c
index 1e72293..7e9cb5a 100644
--- a/source4/auth/gensec/gensec_krb5_util.c
+++ b/source4/auth/gensec/gensec_krb5_heimdal.c
@@ -1,34 +1,34 @@
 /*
  * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
 /* This file for code taken from the Heimdal code, to preserve licence */
@@ -37,16 +37,16 @@
 #include "includes.h"
 #include "system/kerberos.h"
 #include "auth/kerberos/kerberos.h"
-#include "gensec_krb5_util.h"
+#include "gensec_krb5.h"
 
 /* Taken from  accept_sec_context.c,v 1.65 */
-krb5_error_code smb_rd_req_return_stuff(krb5_context context, 
+krb5_error_code smb_krb5_rd_req_decoded(krb5_context context,
 					krb5_auth_context *auth_context,
 					const krb5_data *inbuf,
-					krb5_keytab keytab, 
+					krb5_keytab keytab,
 					krb5_principal acceptor_principal,
-					krb5_data *outbuf, 
-					krb5_ticket **ticket, 
+					krb5_data *outbuf,
+					krb5_ticket **ticket,
 					krb5_keyblock **keyblock)
 {
 	krb5_rd_req_in_ctx in = NULL;
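Review bot: This translation unit still uses the Heimdal-only krb5_rd_req_in_ctx type on its first body line, and no `#ifdef SAMBA4_USES_HEIMDAL` guard is visible in the hunk, while the wscript_build change in this series lists gensec_krb5_heimdal.c unconditionally in the gensec_krb5 module sources. If no guard exists above line 37, a build against MIT Kerberos will fail to compile this file even though the rest of the series is adding MIT code paths; either guard the body or select the source file per implementation in wscript_build. This is inferred from the visible lines only and may already be handled outside the hunk. smb_krb5_rd_req_decoded() continues outside the hunk.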
@@ -80,7 +80,7 @@ krb5_error_code smb_rd_req_return_stuff(krb5_context context,
 	/*
 	 * We need to remember some data on the context_handle.
 	 */
-	kret = krb5_rd_req_out_get_ticket(context, out, 
+	kret = krb5_rd_req_out_get_ticket(context, out,
 					  ticket);
 	if (kret == 0) {
 	    kret = krb5_rd_req_out_get_keyblock(context, out,
@@ -100,4 +100,3 @@ krb5_error_code smb_rd_req_return_stuff(krb5_context context,
 
 	return kret;
 }
-    
diff --git a/source4/auth/gensec/wscript_build b/source4/auth/gensec/wscript_build
index 3c7cc2e..c4e6918 100755
--- a/source4/auth/gensec/wscript_build
+++ b/source4/auth/gensec/wscript_build
@@ -6,7 +6,7 @@ bld.SAMBA_SUBSYSTEM('gensec_util',
                     autoproto='gensec_proto.h')
 
 bld.SAMBA_MODULE('gensec_krb5',
-	source='gensec_krb5.c gensec_krb5_util.c',
+	source='gensec_krb5.c gensec_krb5_heimdal.c',
 	subsystem='gensec',
 	init_function='gensec_krb5_init',
 	deps='samba-credentials authkrb5 com_err gensec_util',
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index 69cddac..f501584 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -2,6 +2,8 @@
    MIT-Samba4 library
 
    Copyright (c) 2010, Simo Sorce <idra at samba.org>
+   Copyright (c) 2014-2015 Guenther Deschner <gd at samba.org>
+   Copyright (c) 2014-2016 Andreas Schneider <asn at samba.org>
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -644,6 +646,7 @@ int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
 					   ctx->db_ctx->samdb,
 					   lpcfg_netbios_name(ctx->db_ctx->lp_ctx),
 					   lpcfg_sam_name(ctx->db_ctx->lp_ctx),
+					   lpcfg_sam_dnsname(ctx->db_ctx->lp_ctx),
 					   p->realm_dn,
 					   p->msg,
 					   data_blob(NULL, 0),
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index ff3f62a..ad72e2e 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -234,6 +234,7 @@ NTSTATUS samba_get_cred_info_ndr_blob(TALLOC_CTX *mem_ctx,
 	return NT_STATUS_OK;
 }
 
+#ifdef SAMBA4_USES_HEIMDAL
 krb5_error_code samba_kdc_encrypt_pac_credentials(krb5_context context,
 						  const krb5_keyblock *pkreplykey,
 						  const DATA_BLOB *cred_ndr_blob,
@@ -309,6 +310,106 @@ krb5_error_code samba_kdc_encrypt_pac_credentials(krb5_context context,
 
 	return 0;
 }
+#else /* SAMBA4_USES_HEIMDAL */
+krb5_error_code samba_kdc_encrypt_pac_credentials(krb5_context context,
+						  const krb5_keyblock *pkreplykey,
+						  const DATA_BLOB *cred_ndr_blob,
+						  TALLOC_CTX *mem_ctx,
+						  DATA_BLOB *cred_info_blob)
+{
+	krb5_key cred_key;
+	krb5_enctype cred_enctype;
+	struct PAC_CREDENTIAL_INFO pac_cred_info = { .version = 0, };
+	krb5_error_code code;
+	const char *krb5err;
+	enum ndr_err_code ndr_err;
+	NTSTATUS nt_status;
+	krb5_data cred_ndr_data;
+	krb5_enc_data cred_ndr_crypt;
+	size_t enc_len = 0;
+
+	*cred_info_blob = data_blob_null;
+
+	code = krb5_k_create_key(context,
+				 pkreplykey,
+				 &cred_key);
+	if (code != 0) {
+		krb5err = krb5_get_error_message(context, code);
+		DEBUG(1, ("Failed initializing cred data crypto: %s\n", krb5err));
+		krb5_free_error_message(context, krb5err);
+		return code;
+	}
+
+	cred_enctype = krb5_k_key_enctype(context, cred_key);
+
+	DEBUG(10, ("Plain cred_ndr_blob (len %zu)\n",
+		  cred_ndr_blob->length));
+	dump_data_pw("PAC_CREDENTIAL_DATA_NDR",
+		     cred_ndr_blob->data, cred_ndr_blob->length);
+
+	pac_cred_info.encryption_type = cred_enctype;
+
+	cred_ndr_data.magic = 0;
+	cred_ndr_data.data = (char *)cred_ndr_blob->data;
+	cred_ndr_data.length = cred_ndr_blob->length;
+
+	code = krb5_c_encrypt_length(context,
+				     cred_enctype,
+				     cred_ndr_data.length,
+				     &enc_len);
+	if (code != 0) {
+		krb5err = krb5_get_error_message(context, code);
+		DEBUG(1, ("Failed initializing cred data crypto: %s\n", krb5err));
+		krb5_free_error_message(context, krb5err);
+		return code;
+	}
+
+	pac_cred_info.encrypted_data = data_blob_talloc_zero(mem_ctx, enc_len);
+	if (pac_cred_info.encrypted_data.data == NULL) {
+		DBG_ERR("Out of memory\n");
+		return ENOMEM;
+	}
+
+	cred_ndr_crypt.ciphertext.length = enc_len;
+	cred_ndr_crypt.ciphertext.data = (char *)pac_cred_info.encrypted_data.data;
+
+	code = krb5_k_encrypt(context,
+			      cred_key,
+			      KRB5_KU_OTHER_ENCRYPTED,
+			      NULL,
+			      &cred_ndr_data,
+			      &cred_ndr_crypt);
+	krb5_k_free_key(context, cred_key);
+	if (code != 0) {
+		krb5err = krb5_get_error_message(context, code);
+		DEBUG(1, ("Failed crypt of cred data: %s\n", krb5err));
+		krb5_free_error_message(context, krb5err);
+		return code;
+	}
+
+	if (DEBUGLVL(10)) {
+		NDR_PRINT_DEBUG(PAC_CREDENTIAL_INFO, &pac_cred_info);
+	}
+
+	ndr_err = ndr_push_struct_blob(cred_info_blob, mem_ctx, &pac_cred_info,
+			(ndr_push_flags_fn_t)ndr_push_PAC_CREDENTIAL_INFO);
+	TALLOC_FREE(pac_cred_info.encrypted_data.data);
+	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+		nt_status = ndr_map_error2ntstatus(ndr_err);


-- 
Samba Shared Repository


