[SCM] Samba Shared Repository - branch master updated

Andreas Schneider asn at samba.org
Fri Jan 19 00:37:04 UTC 2018


The branch, master has been updated
       via  7c1c8c6 mit-kdb: support MIT Kerberos 1.16 KDB API changes
      from  3be1e68 winbind: Fix CID 1427626 Uninitialized scalar variable

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7c1c8c68174ed484fe86a0d9e429daad3a47a57d
Author: Alexander Bokovoy <ab at samba.org>
Date:   Tue Oct 24 12:01:39 2017 +0300

    mit-kdb: support MIT Kerberos 1.16 KDB API changes
    
    MIT Kerberos 1.16 adds the ability to audit local and remote addresses
    during AS_REQ processing. As a result, the audit_as_req callback signature
    was changed to include the addresses and the KDB API version was increased.
    
    Change mit-kdb code to properly expose audit_as_req signature KDC
    expects in 1.16 version. Also update #ifdefs to account for the new
    KDB API version.
    
    This commit does not add actual audit of the local and remote IP
    addresses, it only makes it possible to compile against MIT Kerberos
    1.16.
    
    Signed-off-by: Alexander Bokovoy <ab at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Fri Jan 19 01:36:22 CET 2018 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
 source4/kdc/mit-kdb/kdb_samba.h            | 13 ++++++++-
 source4/kdc/mit-kdb/kdb_samba_policies.c   | 42 +++++++++++++++++++++---------
 source4/kdc/mit-kdb/kdb_samba_principals.c |  2 +-
 3 files changed, 42 insertions(+), 15 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/kdc/mit-kdb/kdb_samba.h b/source4/kdc/mit-kdb/kdb_samba.h
index abca2c1..b9c571f 100644
--- a/source4/kdc/mit-kdb/kdb_samba.h
+++ b/source4/kdc/mit-kdb/kdb_samba.h
@@ -78,7 +78,7 @@ krb5_error_code kdb_samba_db_put_principal(krb5_context context,
 krb5_error_code kdb_samba_db_delete_principal(krb5_context context,
 					      krb5_const_principal princ);
 
-#if KRB5_KDB_API_VERSION == 8
+#if KRB5_KDB_API_VERSION >= 8
 krb5_error_code kdb_samba_db_iterate(krb5_context context,
 				     char *match_entry,
 				     int (*func)(krb5_pointer, krb5_db_entry *),
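Review bot: Relaxing the guard from `== 8` to `>= 8` makes this prototype apply to every later KDB API version, although that number is bumped when the API changes incompatibly, as the audit_as_req change in this same commit shows. If a later bump alters kdb_samba_db_iterate or another callback, the module would build against a stale signature, and a mismatched function pointer is often only a warning in C. Consider capping the supported range once in this header, e.g. `#if KRB5_KDB_API_VERSION > 9` / `#error "unreviewed KDB API version"` / `#endif`. The same open-ended guard is introduced in kdb_samba_principals.c, and the prototype continues past the end of this hunk.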
@@ -148,12 +148,23 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
 						       const krb5_db_entry *server,
 						       krb5_const_principal proxy);
 
+#if KRB5_KDB_API_VERSION >= 9
 void kdb_samba_db_audit_as_req(krb5_context kcontext,
 			       krb5_kdc_req *request,
+			       const krb5_address *local_addr,
+			       const krb5_address *remote_addr,
 			       krb5_db_entry *client,
 			       krb5_db_entry *server,
 			       krb5_timestamp authtime,
 			       krb5_error_code error_code);
+#else
+void kdb_samba_db_audit_as_req(krb5_context kcontext,
+			       krb5_kdc_req *request,
+			       krb5_db_entry *client,
+			       krb5_db_entry *server,
+			       krb5_timestamp authtime,
+			       krb5_error_code error_code);
+#endif
 
 /* from kdb_samba_change_pwd.c */
 
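Review bot: The two prototypes under `#if KRB5_KDB_API_VERSION >= 9` / `#else` differ only in the two `const krb5_address *` parameters, so the rest of the declaration is duplicated and has to be kept in sync by hand. Guarding just those two parameter lines inside a single declaration would remove the duplication. A short comment above the guard, such as `/* KDB API 9 (MIT krb5 1.16) added local_addr and remote_addr */`, would also tell readers why the branch exists. The definitions in kdb_samba_policies.c are duplicated the same way.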
diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
index 81140ab..de5813b 100644
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
@@ -432,20 +432,10 @@ done:
 	return code;
 }
 
-void kdb_samba_db_audit_as_req(krb5_context context,
-			       krb5_kdc_req *request,
-			       krb5_db_entry *client,
-			       krb5_db_entry *server,
-			       krb5_timestamp authtime,
-			       krb5_error_code error_code)
-{
-	struct mit_samba_context *mit_ctx;
-
-	mit_ctx = ks_get_context(context);
-	if (mit_ctx == NULL) {
-		return;
-	}
 
+static void samba_bad_password_count(krb5_db_entry *client,
+				     krb5_error_code error_code)
+{
 	switch (error_code) {
 	case 0:
 		mit_samba_zero_bad_password_count(client);
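Review bot: The new helper samba_bad_password_count() hands `client` straight to `mit_samba_zero_bad_password_count()` with no guard, while the old body at least returned early when `ks_get_context(context)` yielded NULL. Whether the KDC can invoke the audit callback without a resolved client entry is not visible here, but if it can, this is a NULL dereference inside the KDC process. A cheap guard at the top of the helper would cover it: `if (client == NULL) { return; }`. The helper's switch continues past the end of this hunk, so the other cases should be checked for the same assumption.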
@@ -456,3 +446,29 @@ void kdb_samba_db_audit_as_req(krb5_context context,
 		break;
 	}
 }
+
+#if KRB5_KDB_API_VERSION >= 9
+void kdb_samba_db_audit_as_req(krb5_context context,
+			       krb5_kdc_req *request,
+			       const krb5_address *local_addr,
+			       const krb5_address *remote_addr,
+			       krb5_db_entry *client,
+			       krb5_db_entry *server,
+			       krb5_timestamp authtime,
+			       krb5_error_code error_code)
+{
+	samba_bad_password_count(client, error_code);
+
+	/* TODO: perform proper audit logging for addresses */
+}
+#else
+void kdb_samba_db_audit_as_req(krb5_context context,
+			       krb5_kdc_req *request,
+			       krb5_db_entry *client,
+			       krb5_db_entry *server,
+			       krb5_timestamp authtime,
+			       krb5_error_code error_code)
+{
+	samba_bad_password_count(client, error_code);
+}
+#endif
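Review bot: The TODO in the API 9 variant does not say what is to be logged, and `local_addr`/`remote_addr` are dropped without comment. This callback is where the bad-password counter is maintained, so the remote address is what would let an operator tie repeated failed AS-REQs to a source. I would spell that out, e.g. `/* TODO: log local_addr/remote_addr with error_code so failed AS-REQs can be attributed to a source */`. Both variants also leave `context`, `request`, `server` and `authtime` unused, which a one-line comment could mark as intentional.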
diff --git a/source4/kdc/mit-kdb/kdb_samba_principals.c b/source4/kdc/mit-kdb/kdb_samba_principals.c
index 1dbb69b..8b67436 100644
--- a/source4/kdc/mit-kdb/kdb_samba_principals.c
+++ b/source4/kdc/mit-kdb/kdb_samba_principals.c
@@ -308,7 +308,7 @@ krb5_error_code kdb_samba_db_delete_principal(krb5_context context,
 	return KRB5_KDB_DB_INUSE;
 }
 
-#if KRB5_KDB_API_VERSION == 8
+#if KRB5_KDB_API_VERSION >= 8
 krb5_error_code kdb_samba_db_iterate(krb5_context context,
 				     char *match_entry,
 				     int (*func)(krb5_pointer, krb5_db_entry *),


-- 
Samba Shared Repository


