[SCM] Samba Shared Repository - branch v4-8-test updated

Karolin Seeger kseeger at samba.org
Mon Jun 25 15:31:02 UTC 2018


The branch, v4-8-test has been updated
       via  be00b89 heimdal: lib/krb5: do not fail set_config_files due to parse error
       via  0196569 krb5_plugin: Add winbind localauth plugin for MIT Kerberos
       via  228e5d4 krb5_wrap: fix keep_old_entries logic for older kerberos libraries
       via  df16008 bla
      from  7f32430 python: Fix talloc frame use in make_simple_acl().

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-8-test


- Log -----------------------------------------------------------------
commit be00b892e9183e1980b8445a071003fc56f439e5
Author: Jeffrey Altman <jaltman at secure-endpoints.com>
Date:   Thu Jun 16 16:25:41 2016 -0400

    heimdal: lib/krb5: do not fail set_config_files due to parse error
    
    Follow Apple's lead and do not fail krb5_set_config_files() simply
    because one of the files in the profile list fails to parse correctly.
    Doing so can lead to hard-to-find failures and could lead to an end
    user shooting themselves in the foot and no longer being able to log in
    to their system to fix it.
    
    Parse as many of the files as we can.  Only fail krb5_set_config_files()
    if init_context_from_config_file() fails.
    
    Change-Id: I122664c6d707a5f926643808ba414bf4f681f8b8
    
    Cherry-pick of Heimdal commit b7cf5e7caf9b270f4d4151d2690177b11a7a1bdf
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11573
    
    Signed-off-by: Björn Baumbach <bb at sernet.de>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    (cherry picked from commit f05a1554b770c6a2c905170347bfb41157f4aa78)
    
    Autobuild-User(v4-8-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-8-test): Mon Jun 25 17:30:14 CEST 2018 on sn-devel-144

commit 0196569dbe834a9d3de075fd279f6fdcb1774874
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Jun 15 14:59:00 2018 +0200

    krb5_plugin: Add winbind localauth plugin for MIT Kerberos
    
    Applications (like OpenSSH) don't know about users and
    their relationship to Kerberos principals. This plugin allows
    Kerberos principals to be validated against local user accounts.
    
    Administrator at WURST.WORLD -> WURST\Administrator
    
    https://web.mit.edu/kerberos/krb5-latest/doc/plugindev/localauth.html
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13480
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    (cherry picked from commit 5e89a23ffaceccdc83d70a4ab2798ae25c10d580)
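
    Enabling the plugin on a client, as an added example that is not part of
    this commit or of the Samba documentation: MIT Kerberos loads localauth
    modules from the [plugins] section of krb5.conf, and the module name in
    front of the colon must match the exported localauth_winbind_initvt
    symbol, so it is "winbind". The build rule in this push installs the
    object as winbind-krb5-localauth.so; the directory below is an assumption
    and depends on the distribution.

```ini
# Added example, not from the commit: krb5.conf fragment that loads the
# winbind localauth module. The module name "winbind" is fixed by the
# localauth_winbind_initvt symbol; the install path is an assumption.
[plugins]
    localauth = {
        module = winbind:/usr/lib64/samba/krb5/winbind-krb5-localauth.so
    }
```

    With this in place krb5_kuserok() and krb5_aname_to_localname(), which
    sshd's GSSAPI path relies on, consult winbind first. Per the plugin code
    in this push, an unreachable winbind yields KRB5_PLUGIN_NO_HANDLE /
    KRB5_LNAME_NOTRANS rather than a denial, so the built-in modules (the
    default realm rule and .k5login) still decide in that case; do not add
    enable_only = winbind unless that fallback is unwanted.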

commit 228e5d4f75bd8e02ea06fe2ebb1ae41038c369d9
Author: Christof Schmitt <cs at samba.org>
Date:   Tue Jun 19 15:09:41 2018 -0700

    krb5_wrap: fix keep_old_entries logic for older kerberos libraries
    
    MIT kerberos 1.13 and older only stores 8 bits of the KVNO. The change
    from commit 35b2fb4ff32 resulted in breakage for these kerberos
    versions: 'net ads keytab create' reads a large KVNO from AD, and only
    the lower 8 bits are stored. The next check then removed the entry again
    as the 8 bit value did not match the currently valid KVNO.
    
    Fix this by limiting the check to only 8 bits.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13478
    
    Signed-off-by: Christof Schmitt <cs at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    
    Autobuild-User(master): Christof Schmitt <cs at samba.org>
    Autobuild-Date(master): Sat Jun 23 00:57:47 CEST 2018 on sn-devel-144
    
    (cherry picked from commit 97eaeea6a130871cfac5be42459380c0c4e0fae6)
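
    The failure mode described in this commit message, as an added example
    that is not Samba code: a small C model of the keep/delete decision in
    smb_krb5_kt_seek_and_delete_old_entries(), run over a constructed keytab
    whose KVNO field has been truncated to 8 bits the way MIT 1.13 and older
    store it. The keytab entries, the store_vno_8bit() helper and the two
    scenario functions are constructed for this illustration; the enctype
    numbers are the standard RFC 3961/3962 values. It also shows the cost of
    the fix on a keytab that keeps the full KVNO: with the mask, 0x100 and
    0x200 compare equal.

```c
/*
 * Added example, not Samba code: models the keep/delete decision that
 * smb_krb5_kt_seek_and_delete_old_entries() makes for each keytab entry
 * when the keytab stores only the low 8 bits of the KVNO (MIT krb5 <= 1.13).
 * All keytab entries below are constructed sample data.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Standard enctype numbers (RFC 3961/3962); values only, no libkrb5 needed. */
#define ENCTYPE_AES256_CTS_HMAC_SHA1_96 18
#define ENCTYPE_AES128_CTS_HMAC_SHA1_96 17
#define ENCTYPE_ARCFOUR_HMAC            23

struct kt_entry {
    uint32_t vno;      /* KVNO as read back from the keytab */
    int      enctype;
};

/* Hypothetical helper: emulate a keytab that persists only 8 bits of the KVNO. */
static uint32_t store_vno_8bit(uint32_t kvno)
{
    return kvno & 0xff;
}

/*
 * Decision for one entry during the "delete old entries" scan, mirroring the
 * condition in the patched hunk: an entry with a different enctype is kept
 * only if its KVNO matches the current one.
 *   mask8 == false : pre-patch comparison   (vno == kvno)
 *   mask8 == true  : patched comparison     ((vno & 0xff) == (kvno & 0xff))
 * Returns true if the entry survives.
 */
static bool keep_entry(const struct kt_entry *e, uint32_t kvno, int enctype,
                       bool flush, bool mask8)
{
    bool vno_match = mask8 ? ((e->vno & 0xff) == (kvno & 0xff))
                           : (e->vno == kvno);

    if (!flush && vno_match && e->enctype != enctype) {
        return true;   /* same KVNO, other enctype: keep it */
    }
    return false;      /* old KVNO, or same enctype about to be rewritten: drop */
}

/* Count how many entries of a constructed keytab survive the scan. */
static int count_kept(const struct kt_entry *kt, size_t n, uint32_t kvno,
                      int enctype, bool mask8)
{
    int kept = 0;
    for (size_t i = 0; i < n; i++) {
        if (keep_entry(&kt[i], kvno, enctype, false, mask8)) {
            kept++;
        }
    }
    return kept;
}

/*
 * Scenario from the commit: AD reports a large KVNO, the keytab stored only
 * its low byte, and 'net ads keytab create' is about to (re)write the RC4
 * key. The two AES entries have the current KVNO and must survive.
 * Returns the number of surviving entries (0 pre-patch, 2 patched).
 */
int scenario_truncated_keytab(bool mask8)
{
    uint32_t ad_kvno = 0x1234;                 /* constructed: 4660, as AD might report */
    struct kt_entry kt[2] = {
        { store_vno_8bit(ad_kvno), ENCTYPE_AES256_CTS_HMAC_SHA1_96 },
        { store_vno_8bit(ad_kvno), ENCTYPE_AES128_CTS_HMAC_SHA1_96 },
    };
    return count_kept(kt, 2, ad_kvno, ENCTYPE_ARCFOUR_HMAC, mask8);
}

/*
 * Caveat of the fix: on a keytab that keeps the full KVNO, an entry with
 * KVNO 0x100 is now treated as current when the real KVNO is 0x200.
 * Returns 0 pre-patch (stale entry dropped) and 1 patched (stale entry kept).
 */
int scenario_collision(bool mask8)
{
    struct kt_entry kt[1] = { { 0x100, ENCTYPE_AES256_CTS_HMAC_SHA1_96 } };
    return count_kept(kt, 1, 0x200, ENCTYPE_ARCFOUR_HMAC, mask8);
}
```

    The first scenario is the bug the commit fixes; the second is the price
    of masking both sides unconditionally, which is why a version- or
    width-dependent mask would be the safer form of the change.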

commit df16008c2368387c524cab4ff8660c9538a5060a
Author: Karolin Seeger <kseeger at samba.org>
Date:   Mon Jun 25 12:45:35 2018 +0200

    bla

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                                  |  55 +++++-
 lib/krb5_wrap/krb5_samba.c                    |   2 +-
 nsswitch/krb5_plugin/winbind_krb5_localauth.c | 267 ++++++++++++++++++++++++++
 nsswitch/wscript_build                        |   6 +
 source4/heimdal/lib/krb5/config_file.c        |   4 +-
 source4/heimdal/lib/krb5/context.c            |   3 +-
 wscript_configure_system_mitkrb5              |   1 +
 7 files changed, 332 insertions(+), 6 deletions(-)
 create mode 100644 nsswitch/krb5_plugin/winbind_krb5_localauth.c


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 6aa0f91..c9f3554 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,42 @@
                    =============================
+                   Release Notes for Samba 4.8.3
+                            June 26, 2018
+                   =============================
+
+
+This is the latest stable release of the Samba 4.8 release series.
+
+
+Changes since 4.8.2:
+--------------------
+
+o  Jeremy Allison <jra at samba.org>
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+                   =============================
                    Release Notes for Samba 4.8.2
                             May 16, 2018
                    =============================
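Review bot: the "Changes since 4.8.2" list in the new 4.8.3 section is empty apart from the "o  Jeremy Allison" heading; none of the three fixes in this push (bugs 11573, 13480 and 13478) or their authors is itemised, and the heading has no entries under it. Fill in the per-author bullet list before the release is cut, or drop the placeholder heading so the notes do not ship with an author credited for nothing.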
@@ -86,8 +124,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    =============================
                    Release Notes for Samba 4.8.1
@@ -450,6 +488,19 @@ This new module integrates with Sophos, F-Secure and ClamAV anti-virus
 software to provide scanning and filtering of files on a Samba share.
 
 
+Local authorization plugin for MIT Kerberos
+-------------------------------------------
+
+This plugin controls the relationship between Kerberos principals and AD
+accounts through winbind. The module receives the Kerberos principal and the
+local account name as inputs and can then check if they match. This can resolve
+issues with canonicalized names returned by Kerberos within AD. If the user
+tries to log in as 'alice', but the samAccountName is set to ALICE (uppercase),
+Kerberos would return ALICE as the username. Kerberos would not be able to map
+'alice' to 'ALICE' in this case and auth would fail.  With this plugin account
+names can be correctly mapped. This only applies to GSSAPI authentication,
+not for the geting the initial ticket granting ticket.
+
 REMOVED FEATURES
 ================
 
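Review bot: typo and doubled article in the last line of the added paragraph, "not for the geting the initial ticket granting ticket"; suggest "not for obtaining the initial ticket-granting ticket". The paragraph also never says how to turn the feature on: name the installed object (nsswitch/wscript_build in this push installs it as winbind-krb5-localauth.so) and the krb5.conf [plugins] localauth stanza that loads it, otherwise the plugin is undiscoverable from the release notes.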
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 7c461e5..0ba8aae 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1549,7 +1549,7 @@ krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context,
 		}
 
 		if (!flush &&
-		    (kt_entry.vno == kvno) &&
+		    ((kt_entry.vno & 0xff) == (kvno & 0xff)) &&
 		    (kt_entry_enctype != enctype))
 		{
 			DEBUG(5, (__location__ ": Saving entry with kvno [%d] "
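Review bot: the 8-bit mask is applied to both sides unconditionally, so on libraries that store the full KVNO two entries whose numbers differ only above bit 7 (0x100 and 0x200, for instance) now compare equal and a stale entry with a different enctype is kept instead of deleted. If the truncation is specific to MIT 1.13 and older, consider masking only when kt_entry.vno itself fits in 8 bits (kt_entry.vno <= 0xff) or under a build-time check, and have the DEBUG(5) message below say when the match was made on the low byte only.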
diff --git a/nsswitch/krb5_plugin/winbind_krb5_localauth.c b/nsswitch/krb5_plugin/winbind_krb5_localauth.c
new file mode 100644
index 0000000..7c77609
--- /dev/null
+++ b/nsswitch/krb5_plugin/winbind_krb5_localauth.c
@@ -0,0 +1,267 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   A localauth plugin for MIT Kerberos
+
+   Copyright (C) 2018      Andreas Schneider <asn at samba.org>
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "replace.h"
+#include <krb5/localauth_plugin.h>
+#include <wbclient.h>
+#if HAVE_COM_ERR_H
+#include <com_err.h>
+#endif
+
+struct krb5_localauth_moddata_st {
+	struct wbcContext *wbc_ctx;
+};
+
+/*
+ * Initialize the module data.
+ *
+ * This creates the wbclient context.
+ */
+static krb5_error_code winbind_init(krb5_context context,
+				    krb5_localauth_moddata *data)
+{
+	krb5_localauth_moddata d;
+
+	*data = NULL;
+	d = malloc(sizeof(struct krb5_localauth_moddata_st));
+	if (d == NULL) {
+		return ENOMEM;
+	}
+
+	d->wbc_ctx = wbcCtxCreate();
+	if (d->wbc_ctx == NULL) {
+		free(d);
+		return ENOMEM;
+	}
+
+	*data = d;
+
+	return 0;
+}
+
+/*
+ * Release resources used by module data.
+ */
+static void winbind_fini(krb5_context context, krb5_localauth_moddata data)
+{
+	wbcCtxFree(data->wbc_ctx);
+	free(data);
+	data = NULL;
+}
+
+/*
+ * Determine whether aname is authorized to log in as the local account lname.
+ *
+ * Return 0 if aname is authorized, EPERM if aname is authoritatively not
+ * authorized, KRB5_PLUGIN_NO_HANDLE if the module cannot determine whether
+ * aname is authorized, and any other error code for a serious failure to
+ * process the request.  aname will be considered authorized if at least one
+ * module returns 0 and all other modules return KRB5_PLUGIN_NO_HANDLE.
+ */
+static krb5_error_code winbind_userok(krb5_context context,
+				      krb5_localauth_moddata data,
+				      krb5_const_principal aname,
+				      const char *lname)
+{
+	krb5_error_code code = 0;
+	char *princ_str = NULL;
+	struct passwd *pwd = NULL;
+	uid_t princ_uid;
+	uid_t lname_uid;
+	wbcErr wbc_status;
+	int cmp;
+
+	code = krb5_unparse_name(context, aname, &princ_str);
+	if (code != 0) {
+		return code;
+	}
+
+	cmp = strcasecmp(princ_str, lname);
+	if (cmp == 0) {
+		krb5_free_unparsed_name(context, princ_str);
+		return 0;
+	}
+
+	wbc_status = wbcCtxGetpwnam(data->wbc_ctx,
+				    princ_str,
+				    &pwd);
+	krb5_free_unparsed_name(context, princ_str);
+	switch (wbc_status) {
+	case WBC_ERR_SUCCESS:
+		princ_uid = pwd->pw_uid;
+		code = 0;
+		break;
+	case WBC_ERR_UNKNOWN_USER:
+	/* match other insane libwbclient return codes */
+	case WBC_ERR_WINBIND_NOT_AVAILABLE:
+	case WBC_ERR_DOMAIN_NOT_FOUND:
+		code = KRB5_PLUGIN_NO_HANDLE;
+		break;
+	default:
+		code = EIO;
+		break;
+	}
+	wbcFreeMemory(pwd);
+	if (code != 0) {
+		return code;
+	}
+
+	wbc_status = wbcCtxGetpwnam(data->wbc_ctx,
+				    lname,
+				    &pwd);
+	switch (wbc_status) {
+	case WBC_ERR_SUCCESS:
+		lname_uid = pwd->pw_uid;
+		break;
+	case WBC_ERR_UNKNOWN_USER:
+	/* match other insane libwbclient return codes */
+	case WBC_ERR_WINBIND_NOT_AVAILABLE:
+	case WBC_ERR_DOMAIN_NOT_FOUND:
+		code = KRB5_PLUGIN_NO_HANDLE;
+		break;
+	default:
+		code = EIO;
+		break;
+	}
+	wbcFreeMemory(pwd);
+	if (code != 0) {
+		return code;
+	}
+
+	if (princ_uid != lname_uid) {
+		code = EPERM;
+	}
+
+	return code;
+}
+
+/*
+ * Determine the local account name corresponding to aname.
+ *
+ * Return 0 and set *lname_out if a mapping can be determined; the contents of
+ * *lname_out will later be released with a call to the module's free_string
+ * method.  Return KRB5_LNAME_NOTRANS if no mapping can be determined.  Return
+ * any other error code for a serious failure to process the request; this will
+ * halt the krb5_aname_to_localname operation.
+ *
+ * If the module's an2ln_types field is set, this method will only be invoked
+ * when a profile "auth_to_local" value references one of the module's types.
+ * type and residual will be set to the type and residual of the auth_to_local
+ * value.
+ *
+ * If the module's an2ln_types field is not set but the an2ln method is
+ * implemented, this method will be invoked independently of the profile's
+ * auth_to_local settings, with type and residual set to NULL.  If multiple
+ * modules are registered with an2ln methods but no an2ln_types field, the
+ * order of invocation is not defined, but all such modules will be consulted
+ * before the built-in mechanisms are tried.
+ */
+static krb5_error_code winbind_an2ln(krb5_context context,
+				     krb5_localauth_moddata data,
+				     const char *type,
+				     const char *residual,
+				     krb5_const_principal aname,
+				     char **lname_out)
+{
+	krb5_error_code code = 0;
+	char *princ_str = NULL;
+	char *name = NULL;
+	struct passwd *pwd = NULL;
+	wbcErr wbc_status;
+
+	code = krb5_unparse_name(context, aname, &princ_str);
+	if (code != 0) {
+		return code;
+	}
+
+	wbc_status = wbcCtxGetpwnam(data->wbc_ctx,
+				    princ_str,
+				    &pwd);
+	krb5_free_unparsed_name(context, princ_str);
+	switch (wbc_status) {
+	case WBC_ERR_SUCCESS:
+		name = strdup(pwd->pw_name);
+		code = 0;
+		break;
+	case WBC_ERR_UNKNOWN_USER:
+	/* match other insane libwbclient return codes */
+	case WBC_ERR_WINBIND_NOT_AVAILABLE:
+	case WBC_ERR_DOMAIN_NOT_FOUND:
+		code = KRB5_LNAME_NOTRANS;
+		break;
+	default:
+		code = EIO;
+		break;
+	}
+	wbcFreeMemory(pwd);
+	if (code != 0) {
+		return code;
+	}
+
+	if (name == NULL) {
+		return ENOMEM;
+	}
+
+	*lname_out = name;
+
+	return code;
+}
+
+/*
+ * Release the memory returned by an invocation of an2ln.
+ */
+static void winbind_free_string(krb5_context context,
+				krb5_localauth_moddata data,
+				char *str)
+{
+	free(str);
+}
+
+krb5_error_code
+localauth_winbind_initvt(krb5_context context,
+			 int maj_ver,
+			 int min_ver,
+			 krb5_plugin_vtable vtable);
+
+krb5_error_code
+localauth_winbind_initvt(krb5_context context,
+			 int maj_ver,
+			 int min_ver,
+			 krb5_plugin_vtable vtable)
+{
+	krb5_localauth_vtable vt = (krb5_localauth_vtable)vtable;
+
+	if (maj_ver != 1) {
+		com_err("winbind_localauth",
+			EINVAL,
+			"Failed to load, plugin API changed.");
+		return KRB5_PLUGIN_VER_NOTSUPP;
+	}
+
+	vt->init = winbind_init;
+	vt->fini = winbind_fini;
+	vt->name = "winbind";
+	vt->an2ln = winbind_an2ln;
+	vt->userok = winbind_userok;
+	vt->free_string = winbind_free_string;
+
+	return 0;
+}
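Review bot: com_err() in localauth_winbind_initvt is called unconditionally while <com_err.h> is only included under #if HAVE_COM_ERR_H, so a build without that header compiles an implicit declaration; make the include unconditional (wscript_build already lists com_err as a dependency of this target) or guard the call. Two minor points: in winbind_fini the trailing `data = NULL;` assigns to a by-value parameter and has no effect, and in winbind_userok the early `strcasecmp(princ_str, lname)` compares the full unparsed principal (user@REALM) against the local name before winbind is asked, which is harmless but only ever matches when lname is itself written as a principal and deserves a comment saying so.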
diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build
index ab8f8ea..15e93db 100644
--- a/nsswitch/wscript_build
+++ b/nsswitch/wscript_build
@@ -110,6 +110,12 @@ if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
 		deps='wbclient krb5 com_err',
 		realname='winbind_krb5_locator.so')
 
+if bld.CONFIG_SET('HAVE_KRB5_LOCALAUTH_PLUGIN_H'):
+    bld.SAMBA_LIBRARY('winbind_krb5_localauth',
+                      source='krb5_plugin/winbind_krb5_localauth.c',
+                      deps='wbclient krb5 com_err',
+                      realname='winbind-krb5-localauth.so')
+
 bld.SAMBA_SUBSYSTEM('WB_REQTRANS',
 	source='wb_reqtrans.c',
 	deps='talloc tevent LIBASYNC_REQ'
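Review bot: the new target's realname 'winbind-krb5-localauth.so' uses hyphens while the sibling locator above is installed as 'winbind_krb5_locator.so'; pick one convention, since administrators type this path into krb5.conf. The added block is also indented with spaces where the neighbouring rules use tabs.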
diff --git a/source4/heimdal/lib/krb5/config_file.c b/source4/heimdal/lib/krb5/config_file.c
index 4ac25ae..f5ddcc9 100644
--- a/source4/heimdal/lib/krb5/config_file.c
+++ b/source4/heimdal/lib/krb5/config_file.c
@@ -370,11 +370,11 @@ krb5_config_parse_debug (struct fileptr *f,
 	    b = NULL;
 	} else if (*p == '}') {
 	    *err_message = "unmatched }";
-	    return EINVAL;	/* XXX */
+	    return KRB5_CONFIG_BADFORMAT;
 	} else if(*p != '\0') {
 	    if (s == NULL) {
 		*err_message = "binding before section";
-		return EINVAL;
+		return KRB5_CONFIG_BADFORMAT;
 	    }
 	    ret = parse_binding(f, lineno, p, &b, &s->u.list, err_message);
 	    if (ret)
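Review bot: only the two inline error returns are switched to KRB5_CONFIG_BADFORMAT; the `ret = parse_binding(...)` just below the hunk, and any other parse helper, is passed through unchanged, so if those paths still return EINVAL the new tolerance in krb5_set_config_files() does not cover them and a malformed binding still aborts the whole profile. Check that every syntax-error path in this parser returns KRB5_CONFIG_BADFORMAT, or the fix is partial.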
diff --git a/source4/heimdal/lib/krb5/context.c b/source4/heimdal/lib/krb5/context.c
index 23e3879..770f012 100644
--- a/source4/heimdal/lib/krb5/context.c
+++ b/source4/heimdal/lib/krb5/context.c
@@ -646,7 +646,8 @@ krb5_set_config_files(krb5_context context, char **filenames)
     krb5_config_binding *tmp = NULL;
     while(filenames != NULL && *filenames != NULL && **filenames != '\0') {
 	ret = krb5_config_parse_file_multi(context, *filenames, &tmp);
-	if(ret != 0 && ret != ENOENT && ret != EACCES && ret != EPERM) {
+	if (ret != 0 && ret != ENOENT && ret != EACCES && ret != EPERM
+	    && ret != KRB5_CONFIG_BADFORMAT) {
 	    krb5_config_file_free(context, tmp);
 	    return ret;
 	}
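Review bot: a file that fails with KRB5_CONFIG_BADFORMAT is now skipped silently, and the bindings already appended to tmp from the part of that file parsed before the error are retained (the non-tolerated path frees tmp precisely because it can hold such partial results). A krb5.conf truncated or tampered mid-section therefore yields a context with half of its [libdefaults] or [realms] applied and no diagnostic, which is the same class of hard-to-diagnose failure the commit message is trying to avoid. At minimum log a warning carrying the parser's err_message, and consider discarding the partial bindings of the failed file while keeping those of the files that parsed cleanly.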
diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5
index 803dad7..facf415 100644
--- a/wscript_configure_system_mitkrb5
+++ b/wscript_configure_system_mitkrb5
@@ -80,6 +80,7 @@ conf.CHECK_HEADERS('com_err.h', lib='com_err')
 conf.CHECK_HEADERS('kdb.h', lib='kdb5')
 
 conf.CHECK_HEADERS('krb5.h krb5/locate_plugin.h', lib='krb5')
+conf.CHECK_HEADERS('krb5.h krb5/localauth_plugin.h', lib='krb5')
 possible_gssapi_headers="gssapi.h gssapi/gssapi_generic.h gssapi/gssapi.h gssapi/gssapi_ext.h gssapi/gssapi_krb5.h gssapi/gssapi_oid.h"
 conf.CHECK_HEADERS(possible_gssapi_headers, lib='gssapi')
 


-- 
Samba Shared Repository
