[SCM] Samba Shared Repository - branch master updated
Andreas Schneider
asn at samba.org
Tue Mar 14 18:16:02 UTC 2017
The branch, master has been updated
via 64b20a1 examples:clifuse: Add a stub for getattr
via 6b8e599 examples: Add '-p', '--port' to smb2mount
via 455bbf1 libsmb: Slightly simplify trustdom_cache_fetch
via d6a2893 libsmb: Use talloc in trustdom_cache_key
via 5d763eb libsmb: Simplify trustdom_cache_store
via b960651 libsmb: Make a few functions static
via 92f3742 libsmb: Remove some stale code
via 6b73f75 krb5_wrap: Fix smb_gss_krb5_import_cred() picky-developer build
via 00e22fe testprogs: Test 'net ads join' with a dedicated keytab
via 12d2689 param: Allow to specify kerberos method on the commandline
via ca2d8f3 s3:libads: Correctly handle the keytab kerberos methods
via a6a527e krb5_wrap: Print a warning for an invalid keytab name
from d05f0a7 remove historic source3/change-log
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 64b20a1d42064854faa697b9e53d695601bba42f
Author: Volker Lendecke <vl at samba.org>
Date: Mon Mar 13 19:09:27 2017 +0100
examples:clifuse: Add a stub for getattr
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Tue Mar 14 19:15:03 CET 2017 on sn-devel-144
commit 6b8e599310ae1ac72f1eacc9f3bd4749367db442
Author: Volker Lendecke <vl at samba.org>
Date: Mon Mar 13 17:48:56 2017 +0100
examples: Add '-p', '--port' to smb2mount
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 455bbf1756b402f334fb6b7e3bd01963b8fb9812
Author: Volker Lendecke <vl at samba.org>
Date: Tue Jan 24 21:42:51 2017 +0100
libsmb: Slightly simplify trustdom_cache_fetch
Also adapt to modern coding standards
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit d6a2893f45884ad8483d0ca59ba78b6afb0c9eec
Author: Volker Lendecke <vl at samba.org>
Date: Tue Jan 24 21:40:42 2017 +0100
libsmb: Use talloc in trustdom_cache_key
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 5d763eb6ea1cde7066d7e7c34ca1fae7bdb4d674
Author: Volker Lendecke <vl at samba.org>
Date: Tue Jan 24 21:35:16 2017 +0100
libsmb: Simplify trustdom_cache_store
The additional arguments were never used
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit b9606514d011929db0a9d4ebe16ccb427651deb2
Author: Volker Lendecke <vl at samba.org>
Date: Tue Jan 24 21:30:40 2017 +0100
libsmb: Make a few functions static
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 92f37420cc0f79519f35c348f678a295029f7c8a
Author: Volker Lendecke <vl at samba.org>
Date: Fri Jan 20 13:40:23 2017 +0100
libsmb: Remove some stale code
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 6b73f75540b9b2f72ae87ea0dad62824c36de769
Author: Andreas Schneider <asn at samba.org>
Date: Mon Mar 13 15:34:20 2017 +0100
krb5_wrap: Fix smb_gss_krb5_import_cred() picky-developer build
This does not build on Fedora 25 with picky-developer turned on.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 00e22fe3f63f986978d946e063e19e615cb00ab3
Author: Andreas Schneider <asn at samba.org>
Date: Mon Mar 13 16:34:05 2017 +0100
testprogs: Test 'net ads join' with a dedicated keytab
This checks that a 'net ads join' can create the keytab and makes sure we
will not regress in the future.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlet <abartlet at samba.org>
commit 12d26899a45ce5d05ac4279fa5915318daa4f2e0
Author: Andreas Schneider <asn at samba.org>
Date: Mon Mar 13 17:28:58 2017 +0100
param: Allow to specify kerberos method on the commandline
We support --option for our tools but you cannot set an option where the
value of the option includes a space.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlet <abartlet at samba.org>
commit ca2d8f3161c647c425c8c1eaaac1837c2e97faad
Author: Andreas Schneider <asn at samba.org>
Date: Mon Mar 13 16:24:52 2017 +0100
s3:libads: Correctly handle the keytab kerberos methods
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlet <abartlet at samba.org>
commit a6a527e1e83a979ef035c49a087b5e79599c10a4
Author: Andreas Schneider <asn at samba.org>
Date: Mon Mar 13 16:11:39 2017 +0100
krb5_wrap: Print a warning for an invalid keytab name
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlet <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
examples/fuse/clifuse.c | 67 +++++++++++++++++++++++
examples/fuse/smb2mount.c | 12 +++-
lib/krb5_wrap/gss_samba.c | 4 +-
lib/krb5_wrap/krb5_samba.c | 2 +
lib/param/param_table.c | 4 ++
source3/include/proto.h | 7 +--
source3/libads/kerberos_keytab.c | 69 +++++++++++++++++++----
source3/libsmb/trustdom_cache.c | 109 +++++++++++--------------------------
source3/winbindd/winbindd.c | 2 -
testprogs/blackbox/test_net_ads.sh | 9 +++
10 files changed, 183 insertions(+), 102 deletions(-)
Changeset truncated at 500 lines:
diff --git a/examples/fuse/clifuse.c b/examples/fuse/clifuse.c
index fc57ec7..da9dd4d 100644
--- a/examples/fuse/clifuse.c
+++ b/examples/fuse/clifuse.c
@@ -717,6 +717,72 @@ static void cli_ll_lookup_done(struct tevent_req *req)
TALLOC_FREE(state);
}
+struct ll_getattr_state {
+ struct mount_state *mstate;
+ fuse_req_t freq;
+ struct fuse_file_info fi;
+};
+
+static void cli_ll_getattr_done(struct tevent_req *req);
+
+static void cli_ll_getattr(fuse_req_t freq, fuse_ino_t ino,
+ struct fuse_file_info *fi)
+{
+ struct mount_state *mstate = talloc_get_type_abort(
+ fuse_req_userdata(freq), struct mount_state);
+ struct ll_getattr_state *state;
+ struct inode_state *istate;
+ struct tevent_req *req;
+
+ DBG_DEBUG("ino=%ju\n", (uintmax_t)ino);
+
+ istate = idr_find(mstate->ino_ctx, ino);
+ if (istate == NULL) {
+ fuse_reply_err(freq, ENOENT);
+ return;
+ }
+
+ state = talloc(mstate, struct ll_getattr_state);
+ if (state == NULL) {
+ fuse_reply_err(freq, ENOMEM);
+ return;
+ }
+ state->mstate = mstate;
+ state->freq = freq;
+
+ req = cli_get_unixattr_send(state, mstate->ev, mstate->cli,
+ istate->path);
+ if (req == NULL) {
+ TALLOC_FREE(state);
+ fuse_reply_err(freq, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(req, cli_ll_getattr_done, state);
+}
+
+static void cli_ll_getattr_done(struct tevent_req *req)
+{
+ struct ll_getattr_state *state = tevent_req_callback_data(
+ req, struct ll_getattr_state);
+ struct stat st;
+ NTSTATUS status;
+ int ret;
+
+ status = cli_get_unixattr_recv(req, &st);
+ TALLOC_FREE(req);
+ if (!NT_STATUS_IS_OK(status)) {
+ fuse_reply_err(state->freq, map_errno_from_nt_status(status));
+ return;
+ }
+
+ ret = fuse_reply_attr(state->freq, &st, 1);
+ if (ret != 0) {
+ DBG_NOTICE("fuse_reply_attr failed: %s\n",
+ strerror(-errno));
+ }
+}
+
+
struct ll_open_state {
struct mount_state *mstate;
fuse_req_t freq;
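Review bot: `state` is never freed in cli_ll_getattr_done: both the error return after cli_get_unixattr_recv and the successful fuse_reply_attr path leave the struct ll_getattr_state allocated as a child of mstate, so every getattr leaks one until the mount state itself goes away. cli_ll_lookup_done, visible just above the hunk, ends with `TALLOC_FREE(state);` after replying, and getattr_done should do the same on both paths. The `strerror(-errno)` in the DBG_NOTICE also looks off: fuse_reply_* functions report failure through their negative return value, so `strerror(-ret)` is presumably what was intended — confirm against the libfuse version in use. The `fi` member of ll_getattr_state is never assigned (the `fi` parameter of cli_ll_getattr is ignored); either store it or drop the member.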
@@ -1302,6 +1368,7 @@ static void cli_ll_releasedir_done(struct tevent_req *req)
static struct fuse_lowlevel_ops cli_ll_ops = {
.lookup = cli_ll_lookup,
+ .getattr = cli_ll_getattr,
.open = cli_ll_open,
.create = cli_ll_create,
.release = cli_ll_release,
diff --git a/examples/fuse/smb2mount.c b/examples/fuse/smb2mount.c
index b90e115..4ed985f 100644
--- a/examples/fuse/smb2mount.c
+++ b/examples/fuse/smb2mount.c
@@ -26,7 +26,8 @@
#include "clifuse.h"
static struct cli_state *connect_one(const struct user_auth_info *auth_info,
- const char *server, const char *share)
+ const char *server, int port,
+ const char *share)
{
struct cli_state *c = NULL;
NTSTATUS nt_status;
@@ -38,7 +39,7 @@ static struct cli_state *connect_one(const struct user_auth_info *auth_info,
}
nt_status = cli_full_connection(&c, lp_netbios_name(), server,
- NULL, 0,
+ NULL, port,
share, "?????",
get_cmdline_auth_info_username(auth_info),
lp_workgroup(),
@@ -73,6 +74,7 @@ int main(int argc, char *argv[])
TALLOC_CTX *frame = talloc_stackframe();
poptContext pc;
int opt, ret;
+ int port = 0;
char *unc, *mountpoint, *server, *share;
struct cli_state *cli;
@@ -80,6 +82,8 @@ int main(int argc, char *argv[])
POPT_AUTOHELP
POPT_COMMON_SAMBA
POPT_COMMON_CREDENTIALS
+ { "port", 'p', POPT_ARG_INT, &port, 'p', "Port to connect to",
+ "PORT" },
POPT_TABLEEND
};
@@ -96,6 +100,8 @@ int main(int argc, char *argv[])
while ((opt = poptGetNextOpt(pc)) != -1) {
switch(opt) {
+ case 'p':
+ break;
default:
fprintf(stderr, "Unknown Option: %c\n", opt);
exit(1);
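Review bot: The new `case 'p': break;` accepts any int for --port, so a negative value or one above 65535 is passed straight through connect_one() into cli_full_connection; validate it here, e.g. `case 'p': if (port < 0 || port > 65535) { fprintf(stderr, "Invalid port: %d\n", port); exit(1); } break;`. With the option absent, port stays 0, which the old code passed as a literal and cli_full_connection presumably treats as "use the default"; saying so in the option help (`"Port to connect to (0 = default)"`) would make that contract explicit. main() starts and ends outside this hunk.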
@@ -137,7 +143,7 @@ int main(int argc, char *argv[])
*share = 0;
share++;
- cli = connect_one(cmdline_auth_info, server, share);
+ cli = connect_one(cmdline_auth_info, server, port, share);
if (cli == NULL) {
return -1;
}
diff --git a/lib/krb5_wrap/gss_samba.c b/lib/krb5_wrap/gss_samba.c
index 9e5ad4a..860f444 100644
--- a/lib/krb5_wrap/gss_samba.c
+++ b/lib/krb5_wrap/gss_samba.c
@@ -193,7 +193,9 @@ uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx,
/* We are dealing with krb5 GSSAPI mech in this fallback */
mech_set.count = 1;
- mech_set.elements = gss_mech_krb5;
+ mech_set.elements =
+ discard_const_p(struct gss_OID_desc_struct,
+ gss_mech_krb5);
major_status = gss_acquire_cred(minor_status,
GSS_C_NO_NAME,
GSS_C_INDEFINITE,
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 6fa0d82..2e43f79 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1187,6 +1187,8 @@ krb5_error_code smb_krb5_kt_open(krb5_context context,
goto open_keytab;
}
+ DBG_WARNING("ERROR: Invalid keytab name: %s\n", keytab_name_req);
+
return KRB5_KT_BADNAME;
open_keytab:
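Review bot: The new message is logged at DBG_WARNING but its text starts with "ERROR:", so level-based log filtering and the wording disagree; either drop the prefix or use `DBG_ERR("Invalid keytab name: %s\n", keytab_name_req);`. The callers this commit rewrites used to pass NULL as the keytab name (see the removed `smb_krb5_kt_open(context, NULL, True, &keytab)` calls in kerberos_keytab.c); if a NULL name can still reach this point, handing it to %s is undefined behaviour, so the earlier part of smb_krb5_kt_open, which is outside the hunk, should be checked for a NULL guard on that path.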
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 95c3b8c..21cac10 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -202,9 +202,13 @@ static const struct enum_list enum_smbd_profiling_level[] = {
static const struct enum_list enum_kerberos_method[] = {
{KERBEROS_VERIFY_SECRETS, "default"},
{KERBEROS_VERIFY_SECRETS, "secrets only"},
+ {KERBEROS_VERIFY_SECRETS, "secretsonly"},
{KERBEROS_VERIFY_SYSTEM_KEYTAB, "system keytab"},
+ {KERBEROS_VERIFY_SYSTEM_KEYTAB, "systemkeytab"},
{KERBEROS_VERIFY_DEDICATED_KEYTAB, "dedicated keytab"},
+ {KERBEROS_VERIFY_DEDICATED_KEYTAB, "dedicatedkeytab"},
{KERBEROS_VERIFY_SECRETS_AND_KEYTAB, "secrets and keytab"},
+ {KERBEROS_VERIFY_SECRETS_AND_KEYTAB, "secretsandkeytab"},
{-1, NULL}
};
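Review bot: The four space-free aliases are not documented anywhere in this commit — the diffstat touches no docs-xml/ file — so readers of the smb.conf(5) entry for 'kerberos method' will not know that "dedicatedkeytab" and friends are accepted; add them to the parameter documentation, or at least a comment above the table such as `/* Space-free aliases so the value can be passed via --option=... on the command line */` explaining why the duplicates exist. Because each alias maps to the same enum value as its spaced form, enum-to-string lookups will keep printing the first (spaced) name; that is presumably intended, but worth stating in the same comment.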
diff --git a/source3/include/proto.h b/source3/include/proto.h
index e6d4284..bb40056 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -847,13 +847,8 @@ WERROR map_werror_from_unix(int error);
/* The following definitions come from libsmb/trustdom_cache.c */
-bool trustdom_cache_enable(void);
-bool trustdom_cache_shutdown(void);
-bool trustdom_cache_store(const char *name, const char *alt_name,
- const struct dom_sid *sid, time_t timeout);
+bool trustdom_cache_store(const char *name, const struct dom_sid *sid);
bool trustdom_cache_fetch(const char* name, struct dom_sid* sid);
-uint32_t trustdom_cache_fetch_timestamp( void );
-bool trustdom_cache_store_timestamp( uint32_t t, time_t timeout );
void trustdom_cache_flush(void);
void update_trustdom_cache( void );
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 3c73b08..96df10f 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -34,6 +34,57 @@
#ifdef HAVE_ADS
+/* This MAX_NAME_LEN is a constant defined in krb5.h */
+#ifndef MAX_KEYTAB_NAME_LEN
+#define MAX_KEYTAB_NAME_LEN 1100
+#endif
+
+static krb5_error_code ads_keytab_open(krb5_context context,
+ krb5_keytab *keytab)
+{
+ char keytab_str[MAX_KEYTAB_NAME_LEN] = {0};
+ const char *keytab_name = NULL;
+ krb5_error_code ret = 0;
+
+ switch (lp_kerberos_method()) {
+ case KERBEROS_VERIFY_SYSTEM_KEYTAB:
+ case KERBEROS_VERIFY_SECRETS_AND_KEYTAB:
+ ret = krb5_kt_default_name(context,
+ keytab_str,
+ sizeof(keytab_str) - 2);
+ if (ret != 0) {
+ DBG_WARNING("Failed to get default keytab name");
+ goto out;
+ }
+ keytab_name = keytab_str;
+ break;
+ case KERBEROS_VERIFY_DEDICATED_KEYTAB:
+ keytab_name = lp_dedicated_keytab_file();
+ break;
+ default:
+ DBG_ERR("Invalid kerberos method set (%d)\n",
+ lp_kerberos_method());
+ ret = KRB5_KT_BADNAME;
+ goto out;
+ }
+
+ if (keytab_name == NULL || keytab_name[0] == '\0') {
+ DBG_ERR("Invalid keytab name\n");
+ ret = KRB5_KT_BADNAME;
+ goto out;
+ }
+
+ ret = smb_krb5_kt_open(context, keytab_name, true, keytab);
+ if (ret != 0) {
+ DBG_WARNING("smb_krb5_kt_open failed (%s)\n",
+ error_message(ret));
+ goto out;
+ }
+
+out:
+ return ret;
+}
+
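Review bot: `DBG_WARNING("Failed to get default keytab name")` is missing the trailing newline every other message in ads_keytab_open has, and it discards the krb5 error code; make it `DBG_WARNING("Failed to get default keytab name: %s\n", error_message(ret));`. The default branch logs "Invalid kerberos method set" for KERBEROS_VERIFY_SECRETS, which is a valid 'kerberos method' value ("default" / "secrets only" in param_table.c) that simply has no keytab to open — wording such as "kerberos method %d does not use a keytab" would not send admins hunting for a configuration error that is not there. The `sizeof(keytab_str) - 2` passed to krb5_kt_default_name and the header comment naming MAX_NAME_LEN rather than MAX_KEYTAB_NAME_LEN each deserve a one-line explanation.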
/**********************************************************************
Adds a single service principal, i.e. 'host' to the system keytab
***********************************************************************/
@@ -75,10 +126,8 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
return -1;
}
- ret = smb_krb5_kt_open(context, NULL, True, &keytab);
- if (ret) {
- DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
- error_message(ret)));
+ ret = ads_keytab_open(context, &keytab);
+ if (ret != 0) {
goto out;
}
@@ -262,10 +311,8 @@ int ads_keytab_flush(ADS_STRUCT *ads)
return ret;
}
- ret = smb_krb5_kt_open(context, NULL, True, &keytab);
- if (ret) {
- DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
- error_message(ret)));
+ ret = ads_keytab_open(context, &keytab);
+ if (ret != 0) {
goto out;
}
@@ -447,10 +494,8 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
DEBUG(3, (__location__ ": Searching for keytab entries to preserve "
"and update.\n"));
- ret = smb_krb5_kt_open(context, NULL, True, &keytab);
- if (ret) {
- DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
- error_message(ret)));
+ ret = ads_keytab_open(context, &keytab);
+ if (ret != 0) {
goto done;
}
diff --git a/source3/libsmb/trustdom_cache.c b/source3/libsmb/trustdom_cache.c
index d78a28c..54f9591 100644
--- a/source3/libsmb/trustdom_cache.c
+++ b/source3/libsmb/trustdom_cache.c
@@ -31,6 +31,7 @@
#define TDOMKEY_FMT "TDOM/%s"
#define TDOMTSKEY "TDOMCACHE/TIMESTAMP"
+#define TRUSTDOM_UPDATE_INTERVAL 600
/**
@@ -44,34 +45,6 @@
**/
/**
- * Initialise trustdom name caching system. Call gencache
- * initialisation routine to perform necessary activities.
- *
- * @return true upon successful cache initialisation or
- * false if cache init failed
- **/
-
-bool trustdom_cache_enable(void)
-{
- return True;
-}
-
-
-/**
- * Shutdown trustdom name caching system. Calls gencache
- * shutdown function.
- *
- * @return true upon successful cache close or
- * false if it failed
- **/
-
-bool trustdom_cache_shutdown(void)
-{
- return True;
-}
-
-
-/**
* Form up trustdom name key. It is based only
* on domain name now.
*
@@ -79,12 +52,9 @@ bool trustdom_cache_shutdown(void)
* @return cache key for use in gencache mechanism
**/
-static char* trustdom_cache_key(const char* name)
+static char *trustdom_cache_key(TALLOC_CTX *mem_ctx, const char *name)
{
- char* keystr = NULL;
- asprintf_strupper_m(&keystr, TDOMKEY_FMT, name);
-
- return keystr;
+ return talloc_asprintf_strupper_m(mem_ctx, TDOMKEY_FMT, name);
}
@@ -100,37 +70,23 @@ static char* trustdom_cache_key(const char* name)
* false if store attempt failed
**/
-bool trustdom_cache_store(const char *name, const char *alt_name,
- const struct dom_sid *sid, time_t timeout)
+bool trustdom_cache_store(const char *name, const struct dom_sid *sid)
{
- char *key, *alt_key;
+ char *key;
fstring sid_string;
bool ret;
DEBUG(5, ("trustdom_store: storing SID %s of domain %s\n",
sid_string_dbg(sid), name));
- key = trustdom_cache_key(name);
- alt_key = alt_name ? trustdom_cache_key(alt_name) : NULL;
+ key = trustdom_cache_key(talloc_tos(), name);
/* Generate string representation domain SID */
sid_to_fstring(sid_string, sid);
- /*
- * try to put the names in the cache
- */
- if (alt_key) {
- ret = gencache_set(alt_key, sid_string, timeout);
- if ( ret ) {
- ret = gencache_set(key, sid_string, timeout);
- }
- SAFE_FREE(alt_key);
- SAFE_FREE(key);
- return ret;
- }
-
- ret = gencache_set(key, sid_string, timeout);
- SAFE_FREE(key);
+ ret = gencache_set(key, sid_string,
+ time(NULL) + TRUSTDOM_UPDATE_INTERVAL);
+ TALLOC_FREE(key);
return ret;
}
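Review bot: `key = trustdom_cache_key(talloc_tos(), name);` can return NULL when talloc_asprintf_strupper_m fails, and it is passed to gencache_set without a check; trustdom_cache_fetch in the next hunk of this commit checks the same call, so store should too: `if (key == NULL) { return false; }` right after the assignment. The old asprintf-based code had the same gap, so this is not a regression, but the rewrite is the moment to close it.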
@@ -150,42 +106,39 @@ bool trustdom_cache_fetch(const char* name, struct dom_sid* sid)
{
char *key = NULL, *value = NULL;
time_t timeout;
+ bool ok;
/* exit now if null pointers were passed as they're required further */
- if (!sid)
- return False;
+ if (sid == NULL) {
+ return false;
+ }
/* prepare a key and get the value */
- key = trustdom_cache_key(name);
- if (!key)
- return False;
+ key = trustdom_cache_key(talloc_tos(), name);
+ if (key == NULL) {
+ return false;
+ }
- if (!gencache_get(key, talloc_tos(), &value, &timeout)) {
+ ok = gencache_get(key, talloc_tos(), &value, &timeout);
+ TALLOC_FREE(key);
+ if (!ok) {
DEBUG(5, ("no entry for trusted domain %s found.\n", name));
- SAFE_FREE(key);
- return False;
- } else {
- SAFE_FREE(key);
- DEBUG(5, ("trusted domain %s found (%s)\n", name, value));
+ return false;
}
- /* convert sid string representation into struct dom_sid structure */
- if(! string_to_sid(sid, value)) {
- sid = NULL;
- TALLOC_FREE(value);
- return False;
- }
+ DEBUG(5, ("trusted domain %s found (%s)\n", name, value));
+ /* convert sid string representation into struct dom_sid structure */
+ ok = string_to_sid(sid, value);
TALLOC_FREE(value);
- return True;
+ return ok;
}
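Review bot: The comment "exit now if null pointers were passed as they're required further" promises a check on the arguments, but only `sid` is tested; `name` goes straight into talloc_asprintf_strupper_m's %s and the DEBUG messages, where a NULL is undefined behaviour. Either extend the guard to `if (name == NULL || sid == NULL) { return false; }` or reword the comment to say that only sid is checked and callers must pass a valid name.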
-
/*******************************************************************
fetch the timestamp from the last update
*******************************************************************/
-uint32_t trustdom_cache_fetch_timestamp( void )
+static uint32_t trustdom_cache_fetch_timestamp(void)
{
char *value = NULL;
time_t timeout;
@@ -207,7 +160,7 @@ uint32_t trustdom_cache_fetch_timestamp( void )
store the timestamp from the last update
*******************************************************************/
-bool trustdom_cache_store_timestamp( uint32_t t, time_t timeout )
+static bool trustdom_cache_store_timestamp(uint32_t t, time_t timeout)
{
fstring value;
@@ -241,11 +194,13 @@ static void flush_trustdom_name(const char* key, const char *value, time_t timeo
void trustdom_cache_flush(void)
{
+ char *key = trustdom_cache_key(talloc_tos(), "*");
/*
* iterate through each TDOM cache's entry and flush it
* by flush_trustdom_name function
*/
- gencache_iterate(flush_trustdom_name, NULL, trustdom_cache_key("*"));
+ gencache_iterate(flush_trustdom_name, NULL, key);
+ TALLOC_FREE(key);
DEBUG(5, ("Trusted domains cache flushed\n"));
}
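Review bot: `key` from `trustdom_cache_key(talloc_tos(), "*")` is handed to gencache_iterate without a NULL check, unlike the fetch path in this same commit; on allocation failure the pattern argument would be NULL, and whether gencache_iterate tolerates that is not visible here. Add `if (key == NULL) { return; }` (with a DBG_WARNING if the caller would otherwise assume the flush happened) before the call; trustdom_cache_flush is fully inside the hunk, but gencache_iterate is not.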
@@ -351,7 +306,6 @@ done: