[SCM] Samba Shared Repository - branch master updated

Uri Simchoni uri at samba.org
Mon Oct 3 09:13:03 UTC 2016


The branch, master has been updated
       via  3f1f6e0 heimdal: revert 1f90983324b9f5804dc57f87c5f7695b0e53db8d
       via  0b61d9e heimdal-lib/krb5: keep a copy of config etypes in the context
      from  780a80c bug 12293: stop group.py throwing errors if group is unknown

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 3f1f6e03cd38e241060ff10f1f153cc266dca888
Author: Uri Simchoni <uri at samba.org>
Date:   Fri Sep 23 19:28:10 2016 +0300

    heimdal: revert 1f90983324b9f5804dc57f87c5f7695b0e53db8d
    
    A different version has gone upstream, fixing the problem
    elsewhere.
    
    Signed-off-by: Uri Simchoni <uri at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Uri Simchoni <uri at samba.org>
    Autobuild-Date(master): Mon Oct  3 11:12:29 CEST 2016 on sn-devel-144

commit 0b61d9e02ea0680fbb3ef927d09a573813b4ed15
Author: Uri Simchoni <uri at samba.org>
Date:   Fri Sep 30 20:18:14 2016 +0300

    heimdal-lib/krb5: keep a copy of config etypes in the context
    
    When reading configuration file, keep an extra copy of
    the encryption types, and use this when resetting the
    encryption types to default.
    
    GSSAPI always resets the enctypes to default before obtaining
    a TGS, because the enctypes might have been altered earlier;
    this change prevents that reset from changing the etypes from
    the configured ones to the full set of supported etypes.
    
    The same patch has gone into upstream heimdal as commit
    a3bece1. It is a different solution to the problem fixed
    here by commit 1f90983, so this commit will be reverted next
    to keep compatibility with uptream.
    
    Signed-off-by: Uri Simchoni <uri at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source4/heimdal/lib/gssapi/krb5/init_sec_context.c | 11 +++++---
 source4/heimdal/lib/krb5/context.c                 | 29 ++++++++++++++++++++++
 source4/heimdal/lib/krb5/krb5_locl.h               |  1 +
 3 files changed, 37 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c
index efc4215..0a89ae1 100644
--- a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c
+++ b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c
@@ -427,12 +427,15 @@ init_auth
     /*
      * This is hideous glue for (NFS) clients that wants to limit the
      * available enctypes to what it can support (encryption in
-     * kernel).
+     * kernel). If there is no enctypes selected for this credential,
+     * reset it to the default set of enctypes.
      */
     {
-	if (cred && cred->enctypes) {
-	    krb5_set_default_in_tkt_etypes(context, cred->enctypes);
-	}
+	krb5_enctype *enctypes = NULL;
+
+	if (cred && cred->enctypes)
+	    enctypes = cred->enctypes;
+	krb5_set_default_in_tkt_etypes(context, enctypes);
     }
 
     /* canon name if needed for client + target realm */
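Review bot: The return value of krb5_set_default_in_tkt_etypes() on the new unconditional call is still discarded, and the call now runs on every pass through init_auth, so an allocation failure inside it (the function returns a krb5_error_code and copies the list, per the context.c hunk) silently leaves whatever enctype list was on the context before — the stale, possibly narrowed set this reset exists to clear. I would check it like the other krb5 calls in this function presumably are, e.g. `ret = krb5_set_default_in_tkt_etypes(context, enctypes);` followed by `if (ret) { *minor_status = ret; return GSS_S_FAILURE; }`, adjusted to this function's actual error path. A second effect is worth stating in the comment: with no cred->enctypes the context is now reset to the config defaults on every call, so any enctype list an application installed on the context programmatically is discarded here; if that is intended, `/* NB: also discards any enctype list set programmatically on the context */` makes it explicit. init_auth starts and ends outside this hunk.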
diff --git a/source4/heimdal/lib/krb5/context.c b/source4/heimdal/lib/krb5/context.c
index 4290b71..23e3879 100644
--- a/source4/heimdal/lib/krb5/context.c
+++ b/source4/heimdal/lib/krb5/context.c
@@ -48,6 +48,11 @@
         }								\
     } while(0)
 
+static krb5_error_code
+copy_enctypes(krb5_context context,
+	      const krb5_enctype *in,
+	      krb5_enctype **out);
+
 /*
  * Set the list of etypes `ret_etypes' from the configuration variable
  * `name'
@@ -123,6 +128,18 @@ init_context_from_config_file(krb5_context context)
     free(context->etypes);
     context->etypes = tmptypes;
 
+    /* The etypes member may change during the lifetime
+     * of the context. To be able to reset it to
+     * config value, we keep another copy.
+     */
+    free(context->cfg_etypes);
+    context->cfg_etypes = NULL;
+    if (tmptypes) {
+	ret = copy_enctypes(context, tmptypes, &context->cfg_etypes);
+	if (ret)
+	    return ret;
+    }
+
     ret = set_etypes (context, "default_etypes_des", &tmptypes);
     if(ret)
 	return ret;
@@ -506,6 +523,11 @@ krb5_copy_context(krb5_context context, krb5_context *out)
 	if (ret)
 	    goto out;
     }
+    if (context->cfg_etypes) {
+	ret = copy_etypes(context, context->cfg_etypes, &p->cfg_etypes);
+	if (ret)
+	    goto out;
+    }
     if (context->etypes_des) {
 	ret = copy_etypes(context, context->etypes_des, &p->etypes_des);
 	if (ret)
@@ -574,6 +596,7 @@ krb5_free_context(krb5_context context)
     if (context->default_cc_name_env)
 	free(context->default_cc_name_env);
     free(context->etypes);
+    free(context->cfg_etypes);
     free(context->etypes_des);
     krb5_free_host_realm (context, context->default_realms);
     krb5_config_file_free (context, context->cf);
@@ -944,6 +967,8 @@ default_etypes(krb5_context context, krb5_enctype **etype)
  *
  * @param context Kerberos 5 context.
  * @param etypes Encryption types, array terminated with ETYPE_NULL (0).
+ * A value of NULL resets the encryption types to the defaults set in the
+ * configuration file.
  *
  * @return Returns 0 to indicate success. Otherwise an kerberos et
  * error code is returned, see krb5_get_error_message().
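Review bot: The added doc sentence overstates the NULL case: in the krb5_set_default_in_tkt_etypes hunk below, NULL is replaced by context->cfg_etypes, and cfg_etypes is itself left NULL by init_context_from_config_file when the configuration sets no default_etypes, so NULL then takes the no-copy path rather than restoring a configured list (what the function does with the resulting NULL is outside the hunk). I would word it as `A value of NULL restores the encryption types read from the configuration file; if the configuration set none, the library's built-in defaults apply.`, with the second clause to be confirmed against the tail of the function.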
@@ -958,6 +983,10 @@ krb5_set_default_in_tkt_etypes(krb5_context context,
     krb5_error_code ret;
     krb5_enctype *p = NULL;
 
+    if(!etypes) {
+	etypes = context->cfg_etypes;
+    }
+
     if(etypes) {
 	ret = copy_enctypes(context, etypes, &p);
 	if (ret)
diff --git a/source4/heimdal/lib/krb5/krb5_locl.h b/source4/heimdal/lib/krb5/krb5_locl.h
index d0c6892..49c614d 100644
--- a/source4/heimdal/lib/krb5/krb5_locl.h
+++ b/source4/heimdal/lib/krb5/krb5_locl.h
@@ -250,6 +250,7 @@ typedef uint32_t krb5_enctype_set;
 
 typedef struct krb5_context_data {
     krb5_enctype *etypes;
+    krb5_enctype *cfg_etypes;
     krb5_enctype *etypes_des;/* deprecated */
     krb5_enctype *as_etypes;
     krb5_enctype *tgs_etypes;
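Review bot: The new cfg_etypes member has no comment, while the neighbouring etypes_des carries one, so a reader of the header cannot tell how it differs from etypes or who frees it. I would add `krb5_enctype *cfg_etypes; /* default_etypes as read from config, NULL if unset; owned by the context */`, which is what the init, copy and free paths in this commit's context.c hunks establish. The struct continues past this hunk.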

