[SCM] Samba Shared Repository - branch master updated

Uri Simchoni uri at samba.org
Wed Mar 22 09:59:02 UTC 2017


The branch, master has been updated
       via  e7d1d8c nsswtich: Add negative tests for authentication with wbinfo
       via  e202883 s3:libads: Remove obsolete smb_krb5_get_ntstatus_from_init_creds()
       via  21fbbfd idmap_rfc2307: Clarify the documentation a bit
       via  d8a063b idmap_rfc2307: Slightly simplify idmap_rfc2307_initialize()
       via  7ff3ae7 idmap_tdb: Avoid a few casts
      from  c0e196b s3:libsmb: Only print error message if kerberos use is forced

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit e7d1d8c49322a131e7ca1993f9956f0bddcaff3c
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Mar 20 12:22:44 2017 +0100

    nsswtich: Add negative tests for authentication with wbinfo
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>
    
    Autobuild-User(master): Uri Simchoni <uri at samba.org>
    Autobuild-Date(master): Wed Mar 22 10:58:58 CET 2017 on sn-devel-144

commit e2028837b958618a66449a77ee628e4e176e521e
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Mar 21 09:57:30 2017 +0100

    s3:libads: Remove obsolete smb_krb5_get_ntstatus_from_init_creds()
    
    There is no way we can get a better error code out of this. The original
    function called was krb5_get_init_creds_opt_get_error() which has been
    deprecated in 2008.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>

commit 21fbbfded1cb46edf31d39f80d0faefb896065fa
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Mar 21 16:00:27 2017 +0100

    idmap_rfc2307: Clarify the documentation a bit
    
    "bind_path" is a variable name internally used inside Samba. If you
    look at "man ldapsearch" from OpenLDAP for example, the more common
    term for this parameter is "search base". Adapt the documentation
    accordingly.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>

commit d8a063b4e64ae4325c4fc229927aaf8319fcbad0
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Mar 21 15:52:37 2017 +0100

    idmap_rfc2307: Slightly simplify idmap_rfc2307_initialize()
    
    Replace an "else" branch with an early "goto err"
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>

commit 7ff3ae73741c42e8081b8fc242cddc4b1b436449
Author: Volker Lendecke <vl at samba.org>
Date:   Sun Jan 8 13:00:39 2017 +0000

    idmap_tdb: Avoid a few casts
    
    The times of attempting to be C++ compatible are gone since C compilers
    can do very good warnings too.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Uri Simchoni <uri at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/manpages/idmap_rfc2307.8.xml |   4 +-
 nsswitch/tests/test_wbinfo.sh         |   4 +
 source3/libads/kerberos.c             | 169 ----------------------------------
 source3/winbindd/idmap_rfc2307.c      |  26 +++---
 source3/winbindd/idmap_tdb_common.c   |  12 +--
 5 files changed, 21 insertions(+), 194 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/idmap_rfc2307.8.xml b/docs-xml/manpages/idmap_rfc2307.8.xml
index 024415a..5785662 100644
--- a/docs-xml/manpages/idmap_rfc2307.8.xml
+++ b/docs-xml/manpages/idmap_rfc2307.8.xml
@@ -70,13 +70,13 @@
 		</varlistentry>
 		<varlistentry>
 			<term>bind_path_user</term>
-			<listitem><para>Specifies the bind path where
+			<listitem><para>Specifies the search base where
 			user objects can be found in the LDAP
 			server.</para></listitem>
 		</varlistentry>
 		<varlistentry>
 			<term>bind_path_group</term>
-			<listitem><para>Specifies the bind path where
+			<listitem><para>Specifies the search base where
 			group objects can be found in the LDAP
 			server.</para></listitem>
 		</varlistentry>
diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh
index 69cc437..cfe582d 100755
--- a/nsswitch/tests/test_wbinfo.sh
+++ b/nsswitch/tests/test_wbinfo.sh
@@ -254,6 +254,10 @@ testit "wbinfo -K against $TARGET with domain creds" $wbinfo --krb5ccname=$KRB5C
 
 testit "wbinfo --separator against $TARGET" $wbinfo --separator || failed=`expr $failed + 1`
 
+testit_expect_failure "wbinfo -a against $TARGET with invalid password" $wbinfo -a "$DOMAIN/$USERNAME%InvalidPassword" && failed=`expr $failed + 1`
+
+testit_expect_failure "wbinfo -K against $TARGET with invalid password" $wbinfo -K "$DOMAIN/$USERNAME%InvalidPassword" && failed=`expr $failed + 1`
+
 rm -f $KRB5CCNAME_PATH
 
 exit $failed
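Review bot: The two expected-failure tests added before `rm -f $KRB5CCNAME_PATH` only assert that wbinfo exits non-zero, so they would also pass if winbindd were down or the DC unreachable, not only when the wrong password is rejected; they are meaningful only because the positive `-a`/`-K` checks earlier in this file (the `wbinfo -K ... with domain creds` line in the hunk header) have already proven the path works. That ordering dependency is worth stating in a comment, e.g. `# Negative tests: must run after the positive -a/-K tests above, so a non-zero exit here means the bad password was rejected rather than winbindd being unavailable`. The `&& failed=...` inversion relative to the surrounding `|| failed=...` lines looks intentional, assuming testit_expect_failure returns the command's own exit status as the other helpers do; the helper itself is not visible here.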
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index dcb268e..13c48ca 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -99,156 +99,6 @@ kerb_prompter(krb5_context ctx, void *data,
 	return 0;
 }
 
-static bool unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx,
-				  DATA_BLOB *edata,
-				  DATA_BLOB *edata_out)
-{
-	DATA_BLOB edata_contents;
-	ASN1_DATA *data;
-	int edata_type;
-
-	if (!edata->length) {
-		return false;
-	}
-
-	data = asn1_init(mem_ctx);
-	if (data == NULL) {
-		return false;
-	}
-
-	if (!asn1_load(data, *edata)) goto err;
-	if (!asn1_start_tag(data, ASN1_SEQUENCE(0))) goto err;
-	if (!asn1_start_tag(data, ASN1_CONTEXT(1))) goto err;
-	if (!asn1_read_Integer(data, &edata_type)) goto err;
-
-	if (edata_type != KRB5_PADATA_PW_SALT) {
-		DEBUG(0,("edata is not of required type %d but of type %d\n",
-			KRB5_PADATA_PW_SALT, edata_type));
-		goto err;
-	}
-
-	if (!asn1_start_tag(data, ASN1_CONTEXT(2))) goto err;
-	if (!asn1_read_OctetString(data, talloc_tos(), &edata_contents)) goto err;
-	if (!asn1_end_tag(data)) goto err;
-	if (!asn1_end_tag(data)) goto err;
-	if (!asn1_end_tag(data)) goto err;
-	asn1_free(data);
-
-	*edata_out = data_blob_talloc(mem_ctx, edata_contents.data, edata_contents.length);
-
-	data_blob_free(&edata_contents);
-
-	return true;
-
-  err:
-
-	asn1_free(data);
-	return false;
-}
-
- static bool smb_krb5_get_ntstatus_from_krb5_error(krb5_error *error,
-						   NTSTATUS *nt_status)
-{
-	DATA_BLOB edata;
-	DATA_BLOB unwrapped_edata;
-	TALLOC_CTX *mem_ctx;
-	struct KRB5_EDATA_NTSTATUS parsed_edata;
-	enum ndr_err_code ndr_err;
-
-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
-	edata = data_blob(error->e_data->data, error->e_data->length);
-#else
-	edata = data_blob(error->e_data.data, error->e_data.length);
-#endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */
-
-#ifdef DEVELOPER
-	dump_data(10, edata.data, edata.length);
-#endif /* DEVELOPER */
-
-	mem_ctx = talloc_init("smb_krb5_get_ntstatus_from_krb5_error");
-	if (mem_ctx == NULL) {
-		data_blob_free(&edata);
-		return False;
-	}
-
-	if (!unwrap_edata_ntstatus(mem_ctx, &edata, &unwrapped_edata)) {
-		data_blob_free(&edata);
-		TALLOC_FREE(mem_ctx);
-		return False;
-	}
-
-	data_blob_free(&edata);
-
-	ndr_err = ndr_pull_struct_blob_all(&unwrapped_edata, mem_ctx, 
-		&parsed_edata, (ndr_pull_flags_fn_t)ndr_pull_KRB5_EDATA_NTSTATUS);
-	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-		data_blob_free(&unwrapped_edata);
-		TALLOC_FREE(mem_ctx);
-		return False;
-	}
-
-	data_blob_free(&unwrapped_edata);
-
-	if (nt_status) {
-		*nt_status = parsed_edata.ntstatus;
-	}
-
-	TALLOC_FREE(mem_ctx);
-
-	return True;
-}
-
-static bool smb_krb5_get_ntstatus_from_init_creds(krb5_context ctx,
-						  krb5_principal client,
-						  krb5_get_init_creds_opt *opt,
-						  NTSTATUS *nt_status)
-{
-	krb5_init_creds_context icc;
-	krb5_error_code code;
-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
-	/* HEIMDAL */
-	krb5_error error;
-#else
-	krb5_error *error = NULL;
-#endif
-	bool ok;
-
-	code = krb5_init_creds_init(ctx,
-				    client,
-				    NULL,
-				    NULL,
-				    0,
-				    opt,
-				    &icc);
-	if (code != 0) {
-		DBG_WARNING("krb5_init_creds_init failed with: %s\n",
-			    error_message(code));
-		return false;
-	}
-
-	code = krb5_init_creds_get_error(ctx,
-					 icc,
-					 &error);
-	if (code != 0) {
-		DBG_WARNING("krb5_init_creds_get_error failed with: %s\n",
-			    error_message(code));
-		return false;
-	}
-	krb5_init_creds_free(ctx, icc);
-
-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
-	ok = smb_krb5_get_ntstatus_from_krb5_error(&error, nt_status);
-
-	krb5_free_error_contents(ctx, &error);
-#else
-	ok = smb_krb5_get_ntstatus_from_krb5_error(error, nt_status);
-
-	krb5_free_error(ctx, error);
-#endif
-
-	return ok;
-}
-
 /*
   simulate a kinit, putting the tgt in the given cache location. If cache_name == NULL
   place in default cache location.
@@ -356,31 +206,12 @@ int kerberos_kinit_password_ext(const char *principal,
 	}
  out:
 	if (ntstatus) {
-
-		NTSTATUS status;
-
 		/* fast path */
 		if (code == 0) {
 			*ntstatus = NT_STATUS_OK;
 			goto cleanup;
 		}
 
-		/* try to get ntstatus code out of krb5_error when we have it
-		 * inside the krb5_get_init_creds_opt - gd */
-
-		if (opt != NULL) {
-			bool ok;
-
-			ok = smb_krb5_get_ntstatus_from_init_creds(ctx,
-								   me,
-								   opt,
-								   &status);
-			if (ok) {
-				*ntstatus = status;
-				goto cleanup;
-			}
-		}
-
 		/* fall back to self-made-mapping */
 		*ntstatus = krb5_to_nt_status(code);
 	}
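Review bot: The comment `/* fall back to self-made-mapping */` above `*ntstatus = krb5_to_nt_status(code);` is now misleading: with the e-data lookup removed there is nothing left to fall back from, and this mapping is the only path that produces a non-OK status. Suggest replacing it with `/* map the krb5 error code to an NTSTATUS; the KDC's e-data is not consulted */`. For callers it is worth noting that any NTSTATUS distinction that could previously only have come from the KDC's KRB5_EDATA_NTSTATUS (lockout, password expiry vs. a plain bad password) now rests entirely on krb5_to_nt_status()'s mapping of the krb5 code; if the removed path never yielded a status in practice, as the commit message indicates, this is not a behavioral change. kerberos_kinit_password_ext begins and ends outside the hunk.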
diff --git a/source3/winbindd/idmap_rfc2307.c b/source3/winbindd/idmap_rfc2307.c
index 340757a..8ee84f7 100644
--- a/source3/winbindd/idmap_rfc2307.c
+++ b/source3/winbindd/idmap_rfc2307.c
@@ -774,29 +774,27 @@ static NTSTATUS idmap_rfc2307_initialize(struct idmap_domain *domain)
 
 	bind_path_user = idmap_config_const_string(
 		domain->name, "bind_path_user", NULL);
-	if (bind_path_user) {
-		ctx->bind_path_user = talloc_strdup(ctx, bind_path_user);
-		if (ctx->bind_path_user == NULL) {
-			status = NT_STATUS_NO_MEMORY;
-			goto err;
-		}
-	} else {
+	if (bind_path_user == NULL) {
 		status = NT_STATUS_INVALID_PARAMETER;
 		goto err;
 	}
+	ctx->bind_path_user = talloc_strdup(ctx, bind_path_user);
+	if (ctx->bind_path_user == NULL) {
+		status = NT_STATUS_NO_MEMORY;
+		goto err;
+	}
 
 	bind_path_group = idmap_config_const_string(
 		domain->name, "bind_path_group", NULL);
-	if (bind_path_group) {
-		ctx->bind_path_group = talloc_strdup(ctx, bind_path_group);
-		if (ctx->bind_path_group == NULL) {
-			status = NT_STATUS_NO_MEMORY;
-			goto err;
-		}
-	} else {
+	if (bind_path_group == NULL) {
 		status = NT_STATUS_INVALID_PARAMETER;
 		goto err;
 	}
+	ctx->bind_path_group = talloc_strdup(ctx, bind_path_group);
+	if (ctx->bind_path_group == NULL) {
+		status = NT_STATUS_NO_MEMORY;
+		goto err;
+	}
 
 	ldap_server = idmap_config_const_string(
 		domain->name, "ldap_server", NULL);
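Review bot: When `bind_path_user` or `bind_path_group` is unset, the new early exits return NT_STATUS_INVALID_PARAMETER without logging which parameter is missing, leaving the administrator with an opaque idmap initialization failure for what is a configuration error. Consider `DBG_ERR("bind_path_user not set for domain %s\n", domain->name);` before the first `goto err` and the matching line for `bind_path_group`, unless the `err` label already reports this — it lies outside the hunk. idmap_rfc2307_initialize begins and ends outside the hunk.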
diff --git a/source3/winbindd/idmap_tdb_common.c b/source3/winbindd/idmap_tdb_common.c
index 0d7e734..e873b60 100644
--- a/source3/winbindd/idmap_tdb_common.c
+++ b/source3/winbindd/idmap_tdb_common.c
@@ -51,11 +51,9 @@ static NTSTATUS idmap_tdb_common_allocate_id_action(struct db_context *db,
 						    void *private_data)
 {
 	NTSTATUS ret;
-	struct idmap_tdb_common_allocate_id_context *state;
+	struct idmap_tdb_common_allocate_id_context *state = private_data;
 	uint32_t hwm;
 
-	state = (struct idmap_tdb_common_allocate_id_context *)private_data;
-
 	ret = dbwrap_fetch_uint32_bystring(db, state->hwmkey, &hwm);
 	if (!NT_STATUS_IS_OK(ret)) {
 		ret = NT_STATUS_INTERNAL_DB_ERROR;
@@ -180,11 +178,9 @@ static NTSTATUS idmap_tdb_common_set_mapping_action(struct db_context *db,
 {
 	TDB_DATA data;
 	NTSTATUS ret;
-	struct idmap_tdb_common_set_mapping_context *state;
+	struct idmap_tdb_common_set_mapping_context *state = private_data;
 	TALLOC_CTX *tmp_ctx = talloc_stackframe();
 
-	state = (struct idmap_tdb_common_set_mapping_context *)private_data;
-
 	DEBUG(10, ("Storing %s <-> %s map\n", state->ksidstr, state->kidstr));
 
 	/* check whether sid mapping is already present in db */
@@ -546,12 +542,10 @@ struct idmap_tdb_common_sids_to_unixids_context {
 static NTSTATUS idmap_tdb_common_sids_to_unixids_action(struct db_context *db,
 							void *private_data)
 {
-	struct idmap_tdb_common_sids_to_unixids_context *state;
+	struct idmap_tdb_common_sids_to_unixids_context *state = private_data;
 	int i, num_mapped = 0;
 	NTSTATUS ret = NT_STATUS_OK;
 
-	state = (struct idmap_tdb_common_sids_to_unixids_context *)private_data;
-
 	DEBUG(10, ("idmap_tdb_common_sids_to_unixids: "
 		   " domain: [%s], allocate: %s\n",
 		   state->dom->name, state->allocate_unmapped ? "yes" : "no"));

