[SCM] Samba Shared Repository - branch v4-6-test updated

Karolin Seeger kseeger at samba.org
Thu Mar 23 15:59:02 UTC 2017


The branch, v4-6-test has been updated
       via  32f7ba9 Changes to make the Solaris C compiler happy.
       via  36a2ee2 lib/crypto: implement samba.crypto Python module for RC4
       via  137b26f Fix for Solaris C compiler.
       via  e418059 s3:libsmb: Only print error message if kerberos use is forced
       via  177dba4 ctdb-readonly: Avoid a tight loop waiting for revoke to complete
       via  71b8b1d s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes.
       via  9c8b11b s3:vfs_expand_msdfs: Do not open the remote address as a file
       via  1fc5090 testprogs: Test 'net ads join' with a dedicated keytab
       via  a54601e param: Allow to specify kerberos method on the commandline
       via  6717c67 s3:libads: Correctly handle the keytab kerberos methods
       via  323ba48 krb5_wrap: Print a warning for an invalid keytab name
       via  0abbc39 testprogs: Correctly expand shell parameters
       via  d6c9486 auth/credentials: Always set the realm if we set the principal from the ccache
       via  906c8a3 s3-gse: move krb5 fallback to smb_gss_krb5_import_cred wrapper
       via  9bf6381 s3-gse: convert to use smb_gss_krb5_import_cred
       via  92e6351 libads: convert to use smb_gss_krb5_import_cred
       via  4b74d31 credentials_krb5: convert to use smb_gss_krb5_import_cred
       via  cb44a31 lib/krb5_wrap: add smb_gss_krb5_import_cred wrapper
       via  7f963d9 gssapi: check for gss_acquire_cred_from
      from  c47fee6 VERSION: Bump version up to 4.6.2.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-test


- Log -----------------------------------------------------------------
commit 32f7ba9dad215dd177a19b9c04d35c9e4d69f77e
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Mar 16 09:17:51 2017 -0700

    Changes to make the Solaris C compiler happy.
    
    Fix Bug 12693 dbwrap_watch.c syntax error before or at: }
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12693
    
    Signed-off-by: Tom Schulz <schulz at adi.com>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 2780a56d0bb7848e017314a033ef22ee944d8b05)
    
    Autobuild-User(v4-6-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-6-test): Thu Mar 23 16:58:20 CET 2017 on sn-devel-144

commit 36a2ee20bcbad64d61a51fd395565a4fb63075ca
Author: Alexander Bokovoy <ab at samba.org>
Date:   Fri Mar 10 16:20:06 2017 +0200

    lib/crypto: implement samba.crypto Python module for RC4
    
    Implement a small Python module that exposes arcfour_crypt_blob()
    function widely used in Samba C code.
    
    When Samba Python bindings are used to call LSA CreateTrustedDomainEx2,
    there is a need to encrypt trusted credentials with RC4 cipher.
    
    Current Samba Python code relies on the Python runtime to provide the RC4
    cipher. However, in FIPS 140-2 mode system crypto libraries do not
    provide access to the RC4 cipher at all. According to the Microsoft dochelp team,
    Windows is treating AuthenticationInformation blob encryption as 'plain
    text' in terms of FIPS 140-2, thus doing application-level encryption.
    
    Replace samba.arcfour_encrypt() implementation with a call to
    samba.crypto.arcfour_crypt_blob().
    
    Signed-off-by: Alexander Bokovoy <ab at samba.org>
    Reviewed-by: Simo Sorce <idra at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    
    Autobuild-User(master): Günther Deschner <gd at samba.org>
    Autobuild-Date(master): Wed Mar 15 01:30:24 CET 2017 on sn-devel-144
    
    (cherry picked from commit bbeef554f2c15e739f6095fcb57d9ef6646b411c)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12690
    Include samba.crypto Python module in 4.6

commit 137b26fd57fb029e3957c4048805612fb9a5e223
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Mar 16 09:10:52 2017 -0700

    Fix for Solaris C compiler.
    
    Inspired by comment 4 in bug 12559.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12559
    
    Signed-off-by: Tom Schulz <schulz at adi.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Martin Schwenke <martin at meltin.net>
    (cherry picked from commit 59229276bcf5e2b7fa0ddf3ceb6fd3adccc01f9a)

commit e418059fbd799700776a4fe80b80437123b7bc57
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Mar 20 16:08:20 2017 +0100

    s3:libsmb: Only print error message if kerberos use is forced
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12704
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Tue Mar 21 14:25:54 CET 2017 on sn-devel-144
    
    (cherry picked from commit c0e196b2238914f88015c0f8a9073beee473120b)

commit 177dba42d0625be450c0ffba6ee0be090fab615e
Author: Amitay Isaacs <amitay at gmail.com>
Date:   Tue Mar 14 16:12:55 2017 +1100

    ctdb-readonly: Avoid a tight loop waiting for revoke to complete
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12697
    
    During revoking readonly delegations, if one of the nodes disappears, then
    there is no point re-trying revoking readonly delegation.  The database
    needs to be recovered before the revoke operation can succeed.  So retry
    only after a grace period.
    
    Signed-off-by: Amitay Isaacs <amitay at gmail.com>
    Reviewed-by: Martin Schwenke <martin at meltin.net>
    
    Autobuild-User(master): Martin Schwenke <martins at samba.org>
    Autobuild-Date(master): Fri Mar 17 14:05:57 CET 2017 on sn-devel-144
    
    (cherry picked from commit ad758cb869ac83534993caa212abc9fe9905ec68)

commit 71b8b1d00cb7aa1886dcdf07d277c08437405de4
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Mar 15 13:52:05 2017 -0700

    s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes.
    
    We expect the following attributes to be present in an LDAP GPO object:
    
    displayName
    flags
    gPCFileSysPath
    name
    ntSecurityDescriptor
    versionNumber
    
    and fail if a result is returned without them. Change this
    to skip results that don't contain these attributes instead.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12695
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit 24622bab3a6f1e959c79dc9fc1850e9e64b15adc)

commit 9c8b11b42e672d5b09702b6dec397efdb7ca0d86
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Mar 14 16:12:20 2017 +0100

    s3:vfs_expand_msdfs: Do not open the remote address as a file
    
    The arguments get passed in the wrong order to read_target_host().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 1115f152de9ec25bc9e5e499874b4a7c92c888c0)

commit 1fc5090ac00eef19f95c85cb3c285df64d8b7aec
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Mar 13 16:34:05 2017 +0100

    testprogs: Test 'net ads join' with a dedicated keytab
    
    This checks that a 'net ads join' can create the keytab and makes sure we
    will not regress in the future.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 00e22fe3f63f986978d946e063e19e615cb00ab3)
    
    The last 5 patches address
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12685
    REGRESSION: net ads keytab handling is broken

commit a54601ef71045564b6c57ec496512fc6ebb52910
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Mar 13 17:28:58 2017 +0100

    param: Allow to specify kerberos method on the commandline
    
    We support --option for our tools but you cannot set an option where the
    value of the option includes a space.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 12d26899a45ce5d05ac4279fa5915318daa4f2e0)

commit 6717c674fe3d4e49de8f7b8818f9d388490dd547
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Mar 13 16:24:52 2017 +0100

    s3:libads: Correctly handle the keytab kerberos methods
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit ca2d8f3161c647c425c8c1eaaac1837c2e97faad)

commit 323ba48d98b287d05f82e23e90745e083e161068
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Mar 13 16:11:39 2017 +0100

    krb5_wrap: Print a warning for an invalid keytab name
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit a6a527e1e83a979ef035c49a087b5e79599c10a4)

commit 0abbc3907cdcffccc87757ca0893208fcfb45a72
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Mar 13 17:30:37 2017 +0100

    testprogs: Correctly expand shell parameters
    
    The old behaviour is:
    
      for var in $*
      do
        echo "$var"
      done
    
    And you get this:
    
    $ sh test.sh 1 2 '3 4'
    1
    2
    3
    4
    
    Changing it to:
    
      for var in "$@"
      do
        echo "$var"
      done
    
    will correctly expand to:
    
    $ sh test.sh 1 2 '3 4'
    1
    2
    3 4
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Wed Mar 15 05:26:17 CET 2017 on sn-devel-144
    
    (cherry picked from commit acad0adc2977ca26df44e5b22d8b8e991177af71)
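The `$*` versus `"$@"` difference described in the commit message above, in an added example that is not part of the Samba commit or its test scripts. The argument lists are constructed for the demonstration and the function names are assumptions made for this example; it also shows the same pitfall when a wrapper forwards its parameters to another command, which the commit message does not cover.

```sh
#!/bin/sh
# Added example for the $* vs "$@" change; not code from the Samba commit.
# The argument lists used below are constructed for the demonstration.

# The old loop: an unquoted $* is joined and re-split on IFS, so a single
# parameter containing a space is seen as two words (and any glob characters
# in it would be expanded against the current directory).
count_star() {
    n=0
    for var in $*; do
        n=$((n + 1))
    done
    echo "$n"
}

# The fixed loop: "$@" yields one word per original parameter, spaces intact.
count_at() {
    n=0
    for var in "$@"; do
        n=$((n + 1))
    done
    echo "$n"
}

# The same rule applies when a wrapper passes its parameters on to another
# command: only "$@" preserves the parameter boundaries across the call,
# which is what a test harness needs when a test name or path contains spaces.
forward_star() {
    count_at $*
}

forward_at() {
    count_at "$@"
}

# Print each parameter on its own line, quoted, so the boundaries are visible.
show_at() {
    for var in "$@"; do
        printf "'%s'\n" "$var"
    done
}

# Demonstration on the commit message's own input: 1 2 '3 4'
printf 'unquoted $* sees %s words, "$@" sees %s\n' \
    "$(count_star 1 2 '3 4')" "$(count_at 1 2 '3 4')"
show_at 1 2 '3 4'
```

Run it with any POSIX sh; the star variants report four words for the three parameters, the `"$@"` variants report three and keep `3 4` as one value.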

commit d6c9486eca46819dbd012097af753bff9f74e0af
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Dec 21 22:17:22 2016 +0100

    auth/credentials: Always set the realm if we set the principal from the ccache
    
    This fixes a bug in gensec_gssapi_client_start() where an invalid realm
    is used to get a Kerberos ticket.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit 30c07065300281e3a67197fe39ed928346480ff7)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611

commit 906c8a338abbeab96f8126239ec9c99e0a3a1cb8
Author: Alexander Bokovoy <ab at samba.org>
Date:   Wed Mar 8 12:38:49 2017 +0200

    s3-gse: move krb5 fallback to smb_gss_krb5_import_cred wrapper
    
    MIT krb5 1.9 version of gss_krb5_import_cred() may fail when importing
    credentials from a keytab without specifying actual principal.
    This was fixed in MIT krb5 1.9.2 (see commit
    71c3be093db577aa52f6b9a9a3a9f442ca0d8f20 in MIT krb5-1.9 branch, git
    master's version is bd18687a705a8a6cdcb7c140764d1a7c6a3381b5).
    
    Move fallback code to the smb_gss_krb5_import_cred wrapper. We only
    expect this fallback to happen with the krb5 GSSAPI mechanism, thus hard-code
    the use of the krb5 mech when calling gss_acquire_cred.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
    
    Signed-off-by: Alexander Bokovoy <ab at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Alexander Bokovoy <ab at samba.org>
    Autobuild-Date(master): Wed Mar  8 22:00:24 CET 2017 on sn-devel-144
    
    (cherry picked from commit 57286d57732d49fdb8b8e21f584787cdbc917c32)

commit 9bf63819979a3ab1452935a3e26a44a9bbeb08d0
Author: Alexander Bokovoy <ab at samba.org>
Date:   Fri Mar 3 16:58:14 2017 +0200

    s3-gse: convert to use smb_gss_krb5_import_cred
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
    
    Signed-off-by: Alexander Bokovoy <ab at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit 3d733d5791a6d82edda13ac39790bd8ba893f3d7)

commit 92e63519baa2d150c41fb4582b12a2378ef48ae6
Author: Alexander Bokovoy <ab at samba.org>
Date:   Fri Mar 3 16:57:50 2017 +0200

    libads: convert to use smb_gss_krb5_import_cred
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
    
    Signed-off-by: Alexander Bokovoy <ab at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit 520167992bd2477bc11920d2dc9ec87f2cb339c9)

commit 4b74d31f24962a2ce25177c34e267ed0d17d9f5a
Author: Alexander Bokovoy <ab at samba.org>
Date:   Fri Mar 3 16:57:13 2017 +0200

    credentials_krb5: convert to use smb_gss_krb5_import_cred
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
    
    Signed-off-by: Alexander Bokovoy <ab at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit ca8fd793930173b4e625d3f286739de214155bc1)

commit cb44a31979bcd70b607abc5804e3b7b393764bad
Author: Alexander Bokovoy <ab at samba.org>
Date:   Fri Mar 3 16:14:57 2017 +0200

    lib/krb5_wrap: add smb_gss_krb5_import_cred wrapper
    
    Wrap gss_krb5_import_cred() to allow re-implementing it with
    gss_acquire_cred_from() for newer MIT versions. gss_acquire_cred_from()
    works fine with GSSAPI interposer (GSS-proxy) while
    gss_krb5_import_cred() is not interposed yet.
    
    The wrapper has an additional parameter, a krb5_context handle, to facilitate
    credentials cache name discovery. All our callers of
    gss_krb5_import_cred() already have a krb5 context handy.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
    
    Signed-off-by: Alexander Bokovoy <ab at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit 0e6e8dd2600c699a7a02e3d11fed21b5bc49858d)

commit 7f963d9aa5cba9a3a054703c50886501ad77596c
Author: Alexander Bokovoy <ab at samba.org>
Date:   Fri Mar 3 17:08:09 2017 +0200

    gssapi: check for gss_acquire_cred_from
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
    
    Signed-off-by: Alexander Bokovoy <ab at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit d630a364f9d74443e482934f76cd7107c331e108)

-----------------------------------------------------------------------

Summary of changes:
 auth/credentials/credentials_krb5.c |  42 +++++++---
 ctdb/server/ctdb_call.c             |   8 +-
 lib/crypto/py_crypto.c              |  90 ++++++++++++++++++++
 lib/crypto/wscript_build            |   7 ++
 lib/krb5_wrap/gss_samba.c           | 161 ++++++++++++++++++++++++++++++++++++
 lib/krb5_wrap/gss_samba.h           |  13 +++
 lib/krb5_wrap/krb5_samba.c          |   2 +
 lib/param/param_table.c             |   4 +
 libgpo/gpo_ldap.c                   |  27 ++++--
 python/samba/__init__.py            |  16 +---
 source3/include/tldap.h             |   6 ++
 source3/lib/dbwrap/dbwrap_watch.c   |   2 +-
 source3/libads/kerberos_keytab.c    |  69 +++++++++++++---
 source3/libads/sasl.c               |   2 +-
 source3/librpc/crypto/gse.c         |  69 +++-------------
 source3/libsmb/cliconnect.c         |  12 ++-
 source3/modules/vfs_expand_msdfs.c  |   3 +-
 testprogs/blackbox/subunit.sh       |   4 +-
 testprogs/blackbox/test_net_ads.sh  |   9 ++
 wscript_configure_system_mitkrb5    |   1 +
 20 files changed, 434 insertions(+), 113 deletions(-)
 create mode 100644 lib/crypto/py_crypto.c


Changeset truncated at 500 lines:

diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index e974df9..1912c48 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -107,7 +107,8 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
 					   enum credentials_obtained obtained,
 					   const char **error_string)
 {
-	
+	bool ok;
+	char *realm;
 	krb5_principal princ;
 	krb5_error_code ret;
 	char *name;
@@ -134,11 +135,24 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
 		return ret;
 	}
 
-	cli_credentials_set_principal(cred, name, obtained);
-
+	ok = cli_credentials_set_principal(cred, name, obtained);
+	if (!ok) {
+		krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ);
+		return ENOMEM;
+	}
 	free(name);
 
+	realm = smb_krb5_principal_get_realm(ccache->smb_krb5_context->krb5_context,
+					     princ);
 	krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ);
+	if (realm == NULL) {
+		return ENOMEM;
+	}
+	ok = cli_credentials_set_realm(cred, realm, obtained);
+	SAFE_FREE(realm);
+	if (!ok) {
+		return ENOMEM;
+	}
 
 	/* set the ccache_obtained here, as it just got set to UNINITIALISED by the calls above */
 	cred->ccache_obtained = obtained;
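Review bot: the new `if (!ok)` branch after `cli_credentials_set_principal()` frees `princ` but returns before the `free(name)` that follows on the success path, so `name` leaks on that error path; move `free(name)` ahead of the check or add it to the branch. Returning `ENOMEM` also assumes the only way `cli_credentials_set_principal()` and `cli_credentials_set_realm()` can fail is allocation; if that holds, a short comment saying so would help the next reader.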
@@ -579,8 +593,9 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
 		return ENOMEM;
 	}
 
-	maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL, 
-					&gcc->creds);
+	maj_stat = smb_gss_krb5_import_cred(&min_stat, ccache->smb_krb5_context->krb5_context,
+					    ccache->ccache, NULL, NULL,
+					    &gcc->creds);
 	if ((maj_stat == GSS_S_FAILURE) &&
 	    (min_stat == (OM_uint32)KRB5_CC_END ||
 	     min_stat == (OM_uint32)KRB5_CC_NOTFOUND ||
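Review bot: the retry condition here (`maj_stat == GSS_S_FAILURE` combined with `min_stat` being `KRB5_CC_END` or `KRB5_CC_NOTFOUND`) was written against the error convention of `gss_krb5_import_cred()`; the new wrapper's `gss_acquire_cred_from()` path can also return krb5 error codes directly as the major status (from `krb5_cc_get_full_name()`) without setting `minor_status`, which this check would not recognise. Worth confirming the fallback still fires under both builds, or normalising the wrapper's error reporting so the callers can keep this check unchanged.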
@@ -597,8 +612,9 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
 			return ret;
 		}
 
-		maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL,
-						&gcc->creds);
+		maj_stat = smb_gss_krb5_import_cred(&min_stat, ccache->smb_krb5_context->krb5_context,
+						    ccache->ccache, NULL, NULL,
+						    &gcc->creds);
 
 	}
 
@@ -609,7 +625,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
 		} else {
 			ret = EINVAL;
 		}
-		(*error_string) = talloc_asprintf(cred, "gss_krb5_import_cred failed: %s", error_message(ret));
+		(*error_string) = talloc_asprintf(cred, "smb_gss_krb5_import_cred failed: %s", error_message(ret));
 		return ret;
 	}
 
@@ -1076,12 +1092,14 @@ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
 
 	if (ktc->password_based || obtained < CRED_SPECIFIED) {
 		/* This creates a GSSAPI cred_id_t for match-by-key with only the keytab set */
-		maj_stat = gss_krb5_import_cred(&min_stat, NULL, NULL, ktc->keytab,
-						&gcc->creds);
+		maj_stat = smb_gss_krb5_import_cred(&min_stat, smb_krb5_context->krb5_context,
+						    NULL, NULL, ktc->keytab,
+						    &gcc->creds);
 	} else {
 		/* This creates a GSSAPI cred_id_t with the principal and keytab set, matching by name */
-		maj_stat = gss_krb5_import_cred(&min_stat, NULL, princ, ktc->keytab,
-						&gcc->creds);
+		maj_stat = smb_gss_krb5_import_cred(&min_stat, smb_krb5_context->krb5_context,
+						    NULL, princ, ktc->keytab,
+						    &gcc->creds);
 	}
 	if (maj_stat) {
 		if (min_stat) {
diff --git a/ctdb/server/ctdb_call.c b/ctdb/server/ctdb_call.c
index a05ec1a..8ce3928 100644
--- a/ctdb/server/ctdb_call.c
+++ b/ctdb/server/ctdb_call.c
@@ -1600,7 +1600,6 @@ static int deferred_call_destructor(struct revokechild_deferred_call *deferred_c
 {
 	struct ctdb_context *ctdb = deferred_call->ctdb;
 	struct revokechild_requeue_handle *requeue_handle = talloc(ctdb, struct revokechild_requeue_handle);
-	struct ctdb_req_call_old *c = (struct ctdb_req_call_old *)deferred_call->hdr;
 
 	requeue_handle->ctdb = ctdb;
 	requeue_handle->hdr  = deferred_call->hdr;
@@ -1608,9 +1607,12 @@ static int deferred_call_destructor(struct revokechild_deferred_call *deferred_c
 	requeue_handle->ctx  = deferred_call->ctx;
 	talloc_steal(requeue_handle, requeue_handle->hdr);
 
-	/* when revoking, any READONLY requests have 1 second grace to let read/write finish first */
+	/* Always delay revoke requests.  Either wait for the read/write
+	 * operation to complete, or if revoking failed wait for recovery to
+	 * complete
+	 */
 	tevent_add_timer(ctdb->ev, requeue_handle,
-			 timeval_current_ofs(c->flags & CTDB_WANT_READONLY ? 1 : 0, 0),
+			 timeval_current_ofs(1, 0),
 			 deferred_call_requeue, requeue_handle);
 
 	return 0;
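Review bot: the grace period is now a bare literal in `timeval_current_ofs(1, 0)`, explained only by the comment; a named constant (or a ctdb tunable) would make the recovery wait discoverable and adjustable, and the comment should say explicitly that the delay now applies to every deferred call, not only `CTDB_WANT_READONLY` ones, since that distinction is what the hunk removes. The unchecked `talloc(ctdb, struct revokechild_requeue_handle)` dereference above the hunk is pre-existing but worth fixing while here.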
diff --git a/lib/crypto/py_crypto.c b/lib/crypto/py_crypto.c
new file mode 100644
index 0000000..bf7f9f4
--- /dev/null
+++ b/lib/crypto/py_crypto.c
@@ -0,0 +1,90 @@
+/*
+   Unix SMB/CIFS implementation.
+   Samba crypto functions
+
+   Copyright (C) Alexander Bokovoy <ab at samba.org> 2017
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <Python.h>
+#include "includes.h"
+#include "python/py3compat.h"
+#include "lib/crypto/arcfour.h"
+
+static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args, PyObject *kwargs)
+{
+	DATA_BLOB data, key;
+	PyObject *py_data, *py_key, *result;
+	TALLOC_CTX *ctx;
+
+	if (!PyArg_ParseTuple(args, "OO", &py_data, &py_key))
+		return NULL;
+
+	if (!PyBytes_Check(py_data)) {
+		PyErr_Format(PyExc_TypeError, "bytes expected");
+		return NULL;
+	}
+
+	if (!PyBytes_Check(py_key)) {
+		PyErr_Format(PyExc_TypeError, "bytes expected");
+		return NULL;
+	}
+
+	ctx = talloc_new(NULL);
+
+	data.length = PyBytes_Size(py_data);
+	data.data = talloc_memdup(ctx, PyBytes_AsString(py_data), data.length);
+	if (!data.data) {
+		talloc_free(ctx);
+		return PyErr_NoMemory();
+	}
+
+	key.data = (uint8_t *)PyBytes_AsString(py_key);
+	key.length = PyBytes_Size(py_key);
+
+	arcfour_crypt_blob(data.data, data.length, &key);
+
+	result = PyBytes_FromStringAndSize((const char*) data.data, data.length);
+	talloc_free(ctx);
+	return result;
+}
+
+
+static const char py_crypto_arcfour_crypt_blob_doc[] = "arcfour_crypt_blob(data, key)\n"
+					 "Encrypt the data with RC4 algorithm using the key";
+
+static PyMethodDef py_crypto_methods[] = {
+	{ "arcfour_crypt_blob", (PyCFunction)py_crypto_arcfour_crypt_blob, METH_VARARGS, py_crypto_arcfour_crypt_blob_doc },
+	{ NULL },
+};
+
+static struct PyModuleDef moduledef = {
+	PyModuleDef_HEAD_INIT,
+	.m_name = "crypto",
+	.m_doc = "Crypto functions required for SMB",
+	.m_size = -1,
+	.m_methods = py_crypto_methods,
+};
+
+MODULE_INIT_FUNC(crypto)
+{
+	PyObject *m;
+
+	m = PyModule_Create(&moduledef);
+	if (m == NULL)
+		return NULL;
+
+	return m;
+}
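Review bot: `PyErr_Format(PyExc_TypeError, "bytes expected")` is called with no format arguments, so `PyErr_SetString()` is the right call, and the two messages are identical, leaving the caller unable to tell whether `data` or `key` had the wrong type; name the parameter in each. `talloc_new(NULL)` is also unchecked. Given that the commit message justifies exposing RC4 only because the LSA `AuthenticationInformation` blob requires it under FIPS 140-2, the module docstring (`"Crypto functions required for SMB"`) and the function docstring should state that scope so the module is not picked up as a general-purpose cipher, and the docstring should note that the same call decrypts, since RC4 is symmetric and the Python caller will use it both ways.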
diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build
index 7f94532..d1f152e 100644
--- a/lib/crypto/wscript_build
+++ b/lib/crypto/wscript_build
@@ -25,3 +25,10 @@ bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO',
         autoproto='test_proto.h',
         deps='LIBCRYPTO'
         )
+
+for env in bld.gen_python_environments():
+	bld.SAMBA_PYTHON('python_crypto',
+		source='py_crypto.c',
+		deps='LIBCRYPTO',
+		realname='samba/crypto.so'
+		)
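Review bot: the added lines are tab-indented while the surrounding `bld.SAMBA_SUBSYSTEM(...)` block in the same file uses spaces; match the existing indentation of wscript_build.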
diff --git a/lib/krb5_wrap/gss_samba.c b/lib/krb5_wrap/gss_samba.c
index b444633..9e5ad4a 100644
--- a/lib/krb5_wrap/gss_samba.c
+++ b/lib/krb5_wrap/gss_samba.c
@@ -48,4 +48,165 @@ int smb_gss_oid_equal(const gss_OID first_oid, const gss_OID second_oid)
 }
 #endif /* !HAVE_GSS_OID_EQUAL */
 
+
+/* wrapper around gss_krb5_import_cred() that prefers to use gss_acquire_cred_from()
+ * if this GSSAPI extension is available. gss_acquire_cred_from() is properly
+ * interposed by GSSPROXY while gss_krb5_import_cred() is not.
+ *
+ * This wrapper requires a proper krb5_context to resolve ccache name.
+ * All gss_krb5_import_cred() callers in Samba already have krb5_context available. */
+uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx,
+				  krb5_ccache id, krb5_principal keytab_principal,
+				  krb5_keytab keytab, gss_cred_id_t *cred)
+{
+	uint32_t major_status = 0;
+
+#if HAVE_GSS_ACQUIRE_CRED_FROM
+	uint32_t minor = 0;
+	gss_key_value_element_desc ccache_element = {
+		.key = "ccache",
+		.value = NULL,
+	};
+
+	gss_key_value_element_desc keytab_element = {
+		.key = "keytab",
+		.value = NULL,
+	};
+
+	gss_key_value_element_desc elements[2];
+
+	gss_key_value_set_desc cred_store = {
+		.elements = &ccache_element,
+		.count = 1,
+	};
+
+	gss_OID_set mech_set = GSS_C_NO_OID_SET;
+	gss_cred_usage_t cred_usage = GSS_C_INITIATE;
+	gss_name_t name = NULL;
+	gss_buffer_desc pr_name = {
+		.value = NULL,
+		.length = 0,
+	};
+
+	if (id != NULL) {
+		major_status = krb5_cc_get_full_name(ctx,
+						     id,
+						     discard_const(&ccache_element.value));
+		if (major_status != 0) {
+			return major_status;
+		}
+	}
+
+	if (keytab != NULL) {
+		keytab_element.value = malloc(4096);
+		if (!keytab_element.value) {
+			return ENOMEM;
+		}
+		major_status = krb5_kt_get_name(ctx,
+						keytab,
+						discard_const(keytab_element.value), 4096);
+		if (major_status != 0) {
+			free(discard_const(keytab_element.value));
+			return major_status;
+		}
+		cred_usage = GSS_C_ACCEPT;
+		cred_store.elements = &keytab_element;
+
+		if (keytab_principal != NULL) {
+			major_status = krb5_unparse_name(ctx, keytab_principal, (char**)&pr_name.value);
+			if (major_status != 0) {
+				free(discard_const(keytab_element.value));
+				return major_status;
+			}
+			pr_name.length = strlen(pr_name.value);
+
+			major_status = gss_import_name(minor_status,
+						       &pr_name,
+						       discard_const(GSS_KRB5_NT_PRINCIPAL_NAME),
+						       &name);
+			if (major_status != 0) {
+				krb5_free_unparsed_name(ctx, pr_name.value);
+				free(discard_const(keytab_element.value));
+				return major_status;
+			}
+		}
+	}
+
+	if (id != NULL && keytab != NULL) {
+		elements[0] = ccache_element;
+		elements[1] = keytab_element;
+
+		cred_store.elements = elements;
+		cred_store.count = 2;
+		cred_usage = GSS_C_BOTH;
+	}
+
+	major_status = gss_acquire_cred_from(minor_status,
+					     name,
+					     0,
+					     mech_set,
+					     cred_usage,
+					     &cred_store,
+					     cred,
+					     NULL,
+					     NULL);
+
+	if (pr_name.value != NULL) {
+		(void)gss_release_name(&minor, &name);
+		krb5_free_unparsed_name(ctx, pr_name.value);
+	}
+	if (keytab_element.value != NULL) {
+		free(discard_const(keytab_element.value));
+	}
+	krb5_free_string(ctx, discard_const(ccache_element.value));
+#else
+	major_status = gss_krb5_import_cred(minor_status,
+					    id,
+					    keytab_principal,
+					    keytab, cred);
+
+	if (major_status == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) {
+		if ((keytab_principal == NULL) && (keytab != NULL)) {
+			/* No principal was specified and MIT krb5 1.9 version failed.
+			 * We have to fall back to set global acceptor identity */
+			gss_OID_set_desc mech_set;
+			char *kt_name = NULL;
+
+			kt_name = malloc(4096);
+			if (!kt_name) {
+				return ENOMEM;
+			}
+
+			major_status = krb5_kt_get_name(ctx,
+							keytab,
+							kt_name, 4096);
+			if (major_status != 0) {
+				free(kt_name);
+				return major_status;
+			}
+
+			major_status = gsskrb5_register_acceptor_identity(kt_name);
+			if (major_status) {
+				free(kt_name);
+				return major_status;
+			}
+
+			/* We are dealing with krb5 GSSAPI mech in this fallback */
+			mech_set.count = 1;
+			mech_set.elements = gss_mech_krb5;
+			major_status = gss_acquire_cred(minor_status,
+							GSS_C_NO_NAME,
+							GSS_C_INDEFINITE,
+							&mech_set,
+							GSS_C_ACCEPT,
+							cred,
+							NULL, NULL);
+			free(kt_name);
+		}
+	}
+#endif
+	return major_status;
+}
+
+
 #endif /* HAVE_GSSAPI */
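Review bot: in the `HAVE_GSS_ACQUIRE_CRED_FROM` branch `major_status` is returned carrying krb5_error_code values (from `krb5_cc_get_full_name()`, `krb5_kt_get_name()` and `krb5_unparse_name()`) and a plain `ENOMEM`, although every caller interprets the return as a GSS major status and compares it against `GSS_S_FAILURE`; set `*minor_status` to the krb5 code and return `GSS_S_FAILURE` instead. The early returns after `krb5_cc_get_full_name()` has succeeded also leak `ccache_element.value`: the `malloc` failure path and the `krb5_kt_get_name()`, `krb5_unparse_name()` and `gss_import_name()` error paths free only `keytab_element.value`. A single cleanup label that releases `name`, `pr_name.value`, `keytab_element.value` and `ccache_element.value` would cover all of them. The same `ENOMEM`-as-major-status problem exists in the `#else` fallback, and the `4096` buffer size appears twice as a literal.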
diff --git a/lib/krb5_wrap/gss_samba.h b/lib/krb5_wrap/gss_samba.h
index 5319932..89aee34 100644
--- a/lib/krb5_wrap/gss_samba.h
+++ b/lib/krb5_wrap/gss_samba.h
@@ -25,6 +25,7 @@
 #ifdef HAVE_GSSAPI
 
 #include "system/gssapi.h"
+#include "krb5_samba.h"
 
 #if defined(HAVE_GSS_OID_EQUAL)
 #define smb_gss_oid_equal gss_oid_equal
@@ -32,5 +33,17 @@
 int smb_gss_oid_equal(const gss_OID first_oid, const gss_OID second_oid);
 #endif /* HAVE_GSS_OID_EQUAL */
 
+/* wrapper around gss_krb5_import_cred() that prefers to use gss_acquire_cred_from()
+ * if this GSSAPI extension is available. gss_acquire_cred_from() is properly
+ * interposed by GSS-proxy while gss_krb5_import_cred() is not.
+ *
+ * This wrapper requires a proper krb5_context to resolve the ccache name for
+ * gss_acquire_cred_from().
+ *
+ * All gss_krb5_import_cred() callers in Samba already have krb5_context available. */
+uint32_t smb_gss_krb5_import_cred(OM_uint32 *minor_status, krb5_context ctx,
+				  krb5_ccache id, krb5_principal keytab_principal,
+				  krb5_keytab keytab, gss_cred_id_t *cred);
+
 #endif /* HAVE_GSSAPI */
 #endif /* _GSS_SAMBA_H */
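Review bot: the prototype declares `OM_uint32 *minor_status` while the definition in gss_samba.c uses `uint32_t *minor_status`; the two are the same type on the platforms Samba builds on, but declaration and definition should use one spelling (`OM_uint32`, matching the GSSAPI calls being wrapped) so that a future divergence is caught by the compiler. The explanatory comment is also duplicated nearly verbatim between the header and the .c file; keep it in one place.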
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 0b67ea5..4fbc2e0 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1187,6 +1187,8 @@ krb5_error_code smb_krb5_kt_open(krb5_context context,
 		goto open_keytab;
 	}
 
+	DBG_WARNING("ERROR: Invalid keytab name: %s\n", keytab_name_req);
+
 	return KRB5_KT_BADNAME;
 
 open_keytab:
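Review bot: the message is prefixed `ERROR:` but emitted at `DBG_WARNING` level; the prefix should match the level. Since the only outcome on this path is `KRB5_KT_BADNAME`, the message would be more useful to an administrator if it said which keytab name formats `smb_krb5_kt_open()` accepts rather than only echoing the rejected configured value.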
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 4b5234a..9a944ef 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -202,9 +202,13 @@ static const struct enum_list enum_smbd_profiling_level[] = {
 static const struct enum_list enum_kerberos_method[] = {
 	{KERBEROS_VERIFY_SECRETS, "default"},
 	{KERBEROS_VERIFY_SECRETS, "secrets only"},
+	{KERBEROS_VERIFY_SECRETS, "secretsonly"},
 	{KERBEROS_VERIFY_SYSTEM_KEYTAB, "system keytab"},
+	{KERBEROS_VERIFY_SYSTEM_KEYTAB, "systemkeytab"},
 	{KERBEROS_VERIFY_DEDICATED_KEYTAB, "dedicated keytab"},
+	{KERBEROS_VERIFY_DEDICATED_KEYTAB, "dedicatedkeytab"},
 	{KERBEROS_VERIFY_SECRETS_AND_KEYTAB, "secrets and keytab"},
+	{KERBEROS_VERIFY_SECRETS_AND_KEYTAB, "secretsandkeytab"},
 	{-1, NULL}
 };
 
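Review bot: the space-free spellings work around `--option` not accepting values with spaces (as the commit message says) rather than fixing the option parser, which is acceptable for a backport, but the aliases need to be documented in the `kerberos method` entry of the smb.conf manual page and covered by the new test, and a comment here should say why four near-duplicate entries exist so nobody later removes them as redundant.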
diff --git a/libgpo/gpo_ldap.c b/libgpo/gpo_ldap.c
index 9a95f8b..4533d61 100644
--- a/libgpo/gpo_ldap.c
+++ b/libgpo/gpo_ldap.c
@@ -424,24 +424,30 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
 	ADS_ERROR_HAVE_NO_MEMORY(gpo->ds_path);
 
 	if (!ads_pull_uint32(ads, res, "versionNumber", &gpo->version)) {
-		return ADS_ERROR(LDAP_NO_MEMORY);
+		return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
 	}
 
 	if (!ads_pull_uint32(ads, res, "flags", &gpo->options)) {
-		return ADS_ERROR(LDAP_NO_MEMORY);
+		return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
 	}
 
 	gpo->file_sys_path = ads_pull_string(ads, mem_ctx, res,
 		"gPCFileSysPath");
-	ADS_ERROR_HAVE_NO_MEMORY(gpo->file_sys_path);
+	if (gpo->file_sys_path == NULL) {
+		return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
+	}
 
 	gpo->display_name = ads_pull_string(ads, mem_ctx, res,
 		"displayName");
-	ADS_ERROR_HAVE_NO_MEMORY(gpo->display_name);
+	if (gpo->display_name == NULL) {
+		return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
+	}
 
 	gpo->name = ads_pull_string(ads, mem_ctx, res,
 		"name");
-	ADS_ERROR_HAVE_NO_MEMORY(gpo->name);
+	if (gpo->name == NULL) {
+		return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
+	}
 
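Review bot: `ads_pull_string()` returning NULL now maps unconditionally to `LDAP_NO_SUCH_ATTRIBUTE`, but it returns NULL on allocation failure too, so a genuine out-of-memory condition is reported as a missing attribute and, given the intent of this change, the GPO would be silently skipped; checking attribute presence separately from the allocation result would keep the two cases distinct. The caller-side logic that actually skips such results, which the commit message describes, is not in the visible diff, as the changeset is truncated at 500 lines.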


-- 
Samba Shared Repository


