[SCM] Samba Shared Repository - branch v4-12-test updated

Karolin Seeger kseeger at samba.org
Wed Apr 15 13:21:02 UTC 2020


The branch, v4-12-test has been updated
       via  8c537c8a402 s3/librpc/crypto: Fix double free with unresolved credential cache
       via  8e3484c163c mit-kdc: Explicitly reject S4U requests
       via  8bdcac936ea selftest: Set KRB5RCACHETYPE to none for selftest
       via  95880710984 Sign and verify PAC with ticket principal instead of canon principal
       via  25fefdb75f5 Fix uxsuccess test with new MIT krb5 library 1.18
       via  6e3fd37ab24 Adapt sign_authdata in our KDB module for krb5 v1.18
      from  d0ca4d173cd testprogs: Add 'net ads join createupn' test also verifying the keytab

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-12-test


- Log -----------------------------------------------------------------
commit 8c537c8a40261c08742e76e6de9a1d08b6618ed3
Author: Noel Power <noel.power at suse.com>
Date:   Tue Apr 14 11:21:22 2020 +0100

    s3/librpc/crypto: Fix double free with unresolved credential cache
    
    We free gse_ctx->k5ctx but then free it again in the
    talloc dtor. This patch just lets the talloc dtor handle
    things and removes the extra krb5_free_context
    
    Failed to resolve credential cache 'DIR:/run/user/1000/krb5cc'! (No credentials cache found)
    ==30762== Invalid read of size 8
    ==30762==    at 0x108100F4: k5_os_free_context (in /usr/lib64/libkrb5.so.3.3)
    ==30762==    by 0x107EA661: krb5_free_context (in /usr/lib64/libkrb5.so.3.3)
    ==30762==    by 0x7945D2E: gse_context_destructor (gse.c:84)
    ==30762==    by 0x645FB49: _tc_free_internal (talloc.c:1157)
    ==30762==    by 0x645FEC5: _talloc_free_internal (talloc.c:1247)
    ==30762==    by 0x646118D: _talloc_free (talloc.c:1789)
    ==30762==    by 0x79462E4: gse_context_init (gse.c:241)
    ==30762==    by 0x794636E: gse_init_client (gse.c:268)
    ==30762==    by 0x7947602: gensec_gse_client_start (gse.c:786)
    ==30762==    by 0xBC87A3A: gensec_start_mech (gensec_start.c:743)
    ==30762==    by 0xBC87BC6: gensec_start_mech_by_ops (gensec_start.c:774)
    ==30762==    by 0xBC8167F: gensec_spnego_client_negTokenInit_step (spnego.c:633)
    ==30762==  Address 0x17259928 is 40 bytes inside a block of size 496 free'd
    ==30762==    at 0x4C2F50B: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==30762==    by 0x79462CA: gse_context_init (gse.c:238)
    ==30762==    by 0x794636E: gse_init_client (gse.c:268)
    ==30762==    by 0x7947602: gensec_gse_client_start (gse.c:786)
    ==30762==    by 0xBC87A3A: gensec_start_mech (gensec_start.c:743)
    ==30762==    by 0xBC87BC6: gensec_start_mech_by_ops (gensec_start.c:774)
    ==30762==    by 0xBC8167F: gensec_spnego_client_negTokenInit_step (spnego.c:633)
    ==30762==    by 0xBC813E2: gensec_spnego_client_negTokenInit_start (spnego.c:537)
    ==30762==    by 0xBC84084: gensec_spnego_update_pre (spnego.c:1943)
    ==30762==    by 0xBC83AE5: gensec_spnego_update_send (spnego.c:1741)
    ==30762==    by 0xBC85622: gensec_update_send (gensec.c:449)
    ==30762==    by 0x551BFD0: cli_session_setup_gensec_local_next (cliconnect.c:997)
    ==30762==  Block was alloc'd at
    ==30762==    at 0x4C306B5: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==30762==    by 0x107EA7AE: krb5_init_context_profile (in /usr/lib64/libkrb5.so.3.3)
    ==30762==    by 0xB853215: smb_krb5_init_context_common (krb5_samba.c:3597)
    ==30762==    by 0x794615B: gse_context_init (gse.c:209)
    ==30762==    by 0x794636E: gse_init_client (gse.c:268)
    ==30762==    by 0x7947602: gensec_gse_client_start (gse.c:786)
    ==30762==    by 0xBC87A3A: gensec_start_mech (gensec_start.c:743)
    ==30762==    by 0xBC87BC6: gensec_start_mech_by_ops (gensec_start.c:774)
    ==30762==    by 0xBC8167F: gensec_spnego_client_negTokenInit_step (spnego.c:633)
    ==30762==    by 0xBC813E2: gensec_spnego_client_negTokenInit_start (spnego.c:537)
    ==30762==    by 0xBC84084: gensec_spnego_update_pre (spnego.c:1943)
    ==30762==    by 0xBC83AE5: gensec_spnego_update_send (spnego.c:1741)
    ==30762==
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14344
    Signed-off-by: Noel Power <noel.power at suse.com>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    
    Autobuild-User(master): Noel Power <npower at samba.org>
    Autobuild-Date(master): Tue Apr 14 22:55:51 UTC 2020 on sn-devel-184
    
    (cherry picked from commit 34f8ab774d1484b0e60dbdec8ad2a1607ad92122)
    
    Autobuild-User(v4-12-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-12-test): Wed Apr 15 13:20:28 UTC 2020 on sn-devel-184

commit 8e3484c163c07a69425edaa5790d2e33f406c993
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Fri Jan 31 22:34:21 2020 +0100

    mit-kdc: Explicitly reject S4U requests
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14342
    
    Signed-off-by: Isaac Boukris <iboukris at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Isaac Boukris <iboukris at samba.org>
    Autobuild-Date(master): Tue Mar 10 14:46:04 UTC 2020 on sn-devel-184

commit 8bdcac936ead95295f2203eb22effb10c07591c1
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Mar 6 17:15:45 2020 +0100

    selftest: Set KRB5RCACHETYPE to none for selftest
    
    This is required so that our tests work with MIT KRB5 1.18.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14342
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Isaac Boukris <iboukris at samba.org>

commit 958807109845313c35a0c6949b33ffbc09eeba59
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Thu Jan 16 22:00:21 2020 +0100

    Sign and verify PAC with ticket principal instead of canon principal
    
    With MIT library 1.18 the KDC no longer sets
    KRB5_KDB_FLAG_CANONICALIZE for enterprise principals which allows
    us to not canonicalize them (like in Windows / Heimdal).
    
    However, it now breaks the PAC signature verification as it was
    wrongly done using canonical client rather than ticket client name.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14342
    
    Signed-off-by: Isaac Boukris <iboukris at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 25fefdb75f50716e6ad812fd900092fb56a18647
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Thu Jan 16 21:36:24 2020 +0100

    Fix uxsuccess test with new MIT krb5 library 1.18
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14155
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14342
    
    Signed-off-by: Isaac Boukris <iboukris at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 6e3fd37ab243858e6494a37b3c805bff855ff5a7
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Mon Sep 16 16:40:12 2019 +0300

    Adapt sign_authdata in our KDB module for krb5 v1.18
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14342
    
    Signed-off-by: Isaac Boukris <iboukris at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 .../kinit_mit => knownfail_mit_krb5_pre_1_18}      |  0
 selftest/selftest.pl                               |  1 +
 selftest/wscript                                   |  3 ++
 source3/librpc/crypto/gse.c                        |  4 ---
 source4/kdc/mit-kdb/kdb_samba.c                    |  2 +-
 source4/kdc/mit-kdb/kdb_samba.h                    | 21 ++++++++++++
 source4/kdc/mit-kdb/kdb_samba_policies.c           | 40 +++++++++++++++++-----
 testprogs/blackbox/test_kinit_mit.sh               |  4 ---
 wscript_configure_system_mitkrb5                   |  3 ++
 9 files changed, 61 insertions(+), 17 deletions(-)
 rename selftest/{knownfail.d/kinit_mit => knownfail_mit_krb5_pre_1_18} (100%)


Changeset truncated at 500 lines:

diff --git a/selftest/knownfail.d/kinit_mit b/selftest/knownfail_mit_krb5_pre_1_18
similarity index 100%
rename from selftest/knownfail.d/kinit_mit
rename to selftest/knownfail_mit_krb5_pre_1_18
diff --git a/selftest/selftest.pl b/selftest/selftest.pl
index b6094fef3b9..b166b28e0cb 100755
--- a/selftest/selftest.pl
+++ b/selftest/selftest.pl
@@ -451,6 +451,7 @@ my $testenv_default = "none";
 
 if ($opt_mitkrb5 == 1) {
 	$ENV{MITKRB5} = $opt_mitkrb5;
+	$ENV{KRB5RCACHETYPE} = "none";
 }
 
 # After this many seconds, the server will self-terminate.  All tests
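Review bot: The added `$ENV{KRB5RCACHETYPE} = "none";` line carries no comment, and it turns the replay cache off for every `$opt_mitkrb5` run rather than only for the library version that needs it. A one-line comment naming MIT krb5 1.18 and bug 14342 would tell the next reader why the setting exists and that it is meant for the test environment only.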
diff --git a/selftest/wscript b/selftest/wscript
index 4d03eb76842..501a5df5824 100644
--- a/selftest/wscript
+++ b/selftest/wscript
@@ -142,6 +142,9 @@ def cmd_testonly(opt):
                         '--flapping=${srcdir}/selftest/flapping '
                         '--flapping=${srcdir}/selftest/flapping.d')
 
+    if CONFIG_GET(opt, 'HAVE_MIT_KRB5_PRE_1_18'):
+        env.FILTER_XFAIL += ' --expected-failures=${srcdir}/selftest/knownfail_mit_krb5_pre_1_18'
+
     if Options.options.FAIL_IMMEDIATELY:
         env.FILTER_XFAIL += ' --fail-immediately'
 
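Review bot: In `cmd_testonly`, the expected-failure list is now passed only when `HAVE_MIT_KRB5_PRE_1_18` is defined, whereas the renamed file used to live under `selftest/knownfail.d`. Worth confirming that no build without that define still runs the tests listed in it, and adding a short comment above the `if` saying the list applies to MIT krb5 older than 1.18.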
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 6675f4dc597..1cf111bd974 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -244,10 +244,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
 	return NT_STATUS_OK;
 
 err_out:
-	if (gse_ctx->k5ctx) {
-		krb5_free_context(gse_ctx->k5ctx);
-	}
-
 	TALLOC_FREE(gse_ctx);
 	return status;
 }
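Review bot: At `err_out`, cleanup of `gse_ctx->k5ctx` now depends entirely on the talloc destructor that `TALLOC_FREE(gse_ctx)` triggers, and nothing at the label says so. A short comment there (for example, that `gse_context_destructor` frees the krb5 context) would stop someone from re-adding an explicit `krb5_free_context()`; it is also worth checking that the destructor copes with a context that failed partway through `gse_context_init`.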
diff --git a/source4/kdc/mit-kdb/kdb_samba.c b/source4/kdc/mit-kdb/kdb_samba.c
index c5157d6ed1b..02bbdca9f54 100644
--- a/source4/kdc/mit-kdb/kdb_samba.c
+++ b/source4/kdc/mit-kdb/kdb_samba.c
@@ -139,7 +139,7 @@ static void kdb_samba_db_free_principal_e_data(krb5_context context,
 
 kdb_vftabl kdb_function_table = {
 	.maj_ver                   = KRB5_KDB_DAL_MAJOR_VERSION,
-	.min_ver                   = 1,
+	.min_ver                   = KRB5_KDB_DAL_MAJOR_VERSION == 6 ? 1 : 0,
 
 	.init_library              = kdb_samba_init_library,
 	.fini_library              = kdb_samba_fini_library,
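Review bot: `.min_ver` now hinges on the literal `6` with no explanation, and every other DAL major version, older or newer, gets `0`. A comment stating which KDB DAL versions this module supports and why major version 6 needs minor version 1 would make the next krb5 bump easier to review.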
diff --git a/source4/kdc/mit-kdb/kdb_samba.h b/source4/kdc/mit-kdb/kdb_samba.h
index 22ef9085b6a..ad4f6e27573 100644
--- a/source4/kdc/mit-kdb/kdb_samba.h
+++ b/source4/kdc/mit-kdb/kdb_samba.h
@@ -114,6 +114,7 @@ krb5_error_code kdb_samba_dbekd_encrypt_key_data(krb5_context context,
 
 /* from kdb_samba_policies.c */
 
+#if KRB5_KDB_API_VERSION < 10
 krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 					    unsigned int flags,
 					    krb5_const_principal client_princ,
@@ -127,6 +128,26 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 					    krb5_timestamp authtime,
 					    krb5_authdata **tgt_auth_data,
 					    krb5_authdata ***signed_auth_data);
+#else
+krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+					    unsigned int flags,
+					    krb5_const_principal client_princ,
+					    krb5_const_principal server_princ,
+					    krb5_db_entry *client,
+					    krb5_db_entry *server,
+					    krb5_db_entry *krbtgt,
+					    krb5_db_entry *local_krbtgt,
+					    krb5_keyblock *client_key,
+					    krb5_keyblock *server_key,
+					    krb5_keyblock *krbtgt_key,
+					    krb5_keyblock *local_krbtgt_key,
+					    krb5_keyblock *session_key,
+					    krb5_timestamp authtime,
+					    krb5_authdata **tgt_auth_data,
+					    void *authdata_info,
+					    krb5_data ***auth_indicators,
+					    krb5_authdata ***signed_auth_data);
+#endif
 
 krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,
 					     krb5_kdc_req *kdcreq,
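Review bot: The `#else` prototype repeats the whole parameter list to add `local_krbtgt`, `local_krbtgt_key`, `authdata_info` and `auth_indicators`, and the threshold in `#if KRB5_KDB_API_VERSION < 10` is unexplained. A comment on the `#if` tying the check to krb5 1.18, as the commit subject does, plus a note on the new parameters would help, since this list has to stay in step with the definition in kdb_samba_policies.c.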
diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
index fc80329f221..9197551ed61 100644
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
@@ -287,6 +287,7 @@ done:
 	return code;
 }
 
+#if KRB5_KDB_API_VERSION < 10
 krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 					    unsigned int flags,
 					    krb5_const_principal client_princ,
@@ -301,18 +302,41 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 					    krb5_authdata **tgt_auth_data,
 					    krb5_authdata ***signed_auth_data)
 {
-	krb5_const_principal ks_client_princ;
+#else
+krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+					    unsigned int flags,
+					    krb5_const_principal client_princ,
+					    krb5_const_principal server_princ,
+					    krb5_db_entry *client,
+					    krb5_db_entry *server,
+					    krb5_db_entry *krbtgt,
+					    krb5_db_entry *local_krbtgt,
+					    krb5_keyblock *client_key,
+					    krb5_keyblock *server_key,
+					    krb5_keyblock *krbtgt_key,
+					    krb5_keyblock *local_krbtgt_key,
+					    krb5_keyblock *session_key,
+					    krb5_timestamp authtime,
+					    krb5_authdata **tgt_auth_data,
+					    void *authdata_info,
+					    krb5_data ***auth_indicators,
+					    krb5_authdata ***signed_auth_data)
+{
+#endif
 	krb5_authdata **authdata = NULL;
 	krb5_boolean is_as_req;
 	krb5_error_code code;
 	krb5_pac pac = NULL;
 	krb5_data pac_data;
 
-	/* Prefer canonicalised name from client entry */
-	if (client != NULL) {
-		ks_client_princ = client->princ;
-	} else {
-		ks_client_princ = client_princ;
+#if KRB5_KDB_API_VERSION >= 10
+	krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;
+	krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
+#endif
+
+	/* FIXME: We don't support S4U yet */
+	if (flags & KRB5_KDB_FLAGS_S4U) {
+		return KRB5_KDB_DBTYPE_NOSUP;
 	}
 
 	is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
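Review bot: The new `KRB5_KDB_FLAGS_S4U` check returns `KRB5_KDB_DBTYPE_NOSUP` without logging anything, so a rejected S4U request will be hard to tell apart from other failures in the KDC log. Consider a debug message before the return. The `krbtgt` and `krbtgt_key` fallback to the `local_` variants also deserves a comment, and `authdata_info` and `auth_indicators` are accepted but not used in the lines shown.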
@@ -327,7 +351,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 	if (!is_as_req) {
 		code = ks_verify_pac(context,
 				     flags,
-				     ks_client_princ,
+				     client_princ,
 				     client,
 				     server,
 				     krbtgt,
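Review bot: With the "Prefer canonicalised name from client entry" block gone, nothing at the `ks_verify_pac()` call explains why `client_princ` is passed instead of `client->princ`. A comment saying the PAC is checked against the client name from the ticket would guard against someone reintroducing the canonical name.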
@@ -354,7 +378,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 		goto done;
 	}
 
-	code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
+	code = krb5_pac_sign(context, pac, authtime, client_princ,
 			server_key, krbtgt_key, &pac_data);
 	if (code != 0) {
 		DBG_ERR("krb5_pac_sign failed: %d\n", code);
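Review bot: The switch to `client_princ` in `krb5_pac_sign()` sits outside the `KRB5_KDB_API_VERSION` conditionals, so it also changes signing for builds against krb5 older than 1.18. Please confirm that is intended, and consider a test with an enterprise principal whose ticket name differs from the database entry so that signing and verification stay matched.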
diff --git a/testprogs/blackbox/test_kinit_mit.sh b/testprogs/blackbox/test_kinit_mit.sh
index d28caecd603..61029a5e04c 100755
--- a/testprogs/blackbox/test_kinit_mit.sh
+++ b/testprogs/blackbox/test_kinit_mit.sh
@@ -134,10 +134,6 @@ testit "enable user with kerberos cache" $VALGRIND $PYTHON $samba_enableaccount
 ### Test kinit with canonicalization
 ###########################################################
 
-# This is currently not working due to an upstream bug in MIT Kerberos. The
-# test will ensure that we get notified when we can turn on canonicalization
-# in ads_krb5_chg_password().
-# https://bugzilla.samba.org/show_bug.cgi?id=14155
 upperusername=$(echo $USERNAME | tr '[a-z]' '[A-Z]')
 testit "kinit with canonicalize" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit -C $upperusername@$REALM -S kadmin/changepw@$REALM || failed=`expr $failed + 1`
 
diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5
index b05ac3f3e50..23587797119 100644
--- a/wscript_configure_system_mitkrb5
+++ b/wscript_configure_system_mitkrb5
@@ -77,6 +77,9 @@ if conf.env.KRB5_CONFIG:
     else:
         Logs.info('MIT Kerberos %s detected, MIT krb5 build can proceed' % (krb5_version))
 
+    if parse_version(krb5_version) < parse_version('1.18'):
+        conf.DEFINE('HAVE_MIT_KRB5_PRE_1_18', 1)
+
 conf.CHECK_CFG(args="--cflags --libs", package="com_err", uselib_store="com_err")
 conf.CHECK_FUNCS_IN('_et_list', 'com_err')
 conf.CHECK_HEADERS('com_err.h', lib='com_err')
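Review bot: `HAVE_MIT_KRB5_PRE_1_18` is derived from the `krb5_version` string here, while the C changes in this push key off `KRB5_KDB_API_VERSION` and `KRB5_KDB_DAL_MAJOR_VERSION`. A comment above the `if parse_version(...)` line noting that this define only selects the selftest known-failure list would keep the two detection mechanisms from being confused.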


-- 
Samba Shared Repository


