[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Mon Feb 10 18:00:02 UTC 2020


The branch, master has been updated
       via  c90824a24a5 krb5_wrap: map KRB5_REALM_UNKNOWN to NT_STATUS_NO_SUCH_DOMAIN
       via  765b0eac63e krb5_wrap: map KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN to NT_STATUS_INVALID_COMPUTER_NAME
       via  c403fa1a7fe krb5_wrap: move source3/libads/krb5_errs.c to lib/krb5_wrap/krb5_errs.c
       via  98d2d5a4035 auth/gensec: map NT_STATUS_{INVALID_ACCOUNT_NAME,NO_SUCH_DOMAIN} to NT_STATUS_NO_SUCH_USER
       via  28d9493d232 gensec/spnego: fallback on INVALID_{ACCOUNT,COMPUTER}_NAME and NO_SUCH_DOMAIN
       via  62ee0d93cc5 winbindd_cm: fallback to anonymous for INVALID_COMPUTER_NAME and NO_SUCH_DOMAIN too
       via  d032569f2e4 smbspool: add more error codes to the auth_errors array
       via  a0c6ae24c99 smbspool: use one element per line for the auth_errors array
       via  15d2130bad3 s4:gensec_krb5: remove unused argument of gensec_krb5_common_client_creds()
       via  8ec0e3194bf s4:gensec_krb5: make use of talloc_zero() in gensec_krb5_start()
       via  a8ba35fa97b s4:gensec_krb5: make use of struct samba_sockaddr
       via  240e5cf325b s3:libads: prefer ENCTYPE_AES256_CTS_HMAC_SHA1_96 in ads_keytab_add_entry()
       via  0be55059429 lib/krb5_wrap: prefer new enctypes in ms_suptypes_to_ietf_enctypes()
       via  fd2ca9d26d5 s3:libads: make use of auth4_context_{for,get}_PAC_DATA_CTR() in kerberos_return_pac()
       via  f8e7c3d3821 auth/kerberos: add auth4_context_{for,get}_PAC_DATA_CTR() helpers
      from  0b3db29bd5f ctdb-tests: Add some tool unit tests to ensure that timeouts work

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit c90824a24a513a39dd7bbf42c81bd9e9b552fd06
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 29 08:46:21 2019 +0000

    krb5_wrap: map KRB5_REALM_UNKNOWN to NT_STATUS_NO_SUCH_DOMAIN
    
    This is much better than mapping it to NT_STATUS_UNSUCCESSFUL.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Mon Feb 10 17:59:34 UTC 2020 on sn-devel-184

commit 765b0eac63ef508c66f4e615882d8eb5bb7ae929
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Nov 14 15:38:42 2019 +0100

    krb5_wrap: map KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN to NT_STATUS_INVALID_COMPUTER_NAME
    
    KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN is already mapped to
    NT_STATUS_INVALID_ACCOUNT_NAME and we need a way to
    distinguish between client and server principal
    at the NTSTATUS layer too.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit c403fa1a7fe6725957aab7e8039877d1becad8bf
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 6 15:38:23 2019 +0100

    krb5_wrap: move source3/libads/krb5_errs.c to lib/krb5_wrap/krb5_errs.c
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 98d2d5a40358e26d34c81047d80b79876a8ddab9
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Dec 11 14:53:20 2019 +0100

    auth/gensec: map NT_STATUS_{INVALID_ACCOUNT_NAME,NO_SUCH_DOMAIN} to NT_STATUS_NO_SUCH_USER
    
    This means nt_status_squash() will map NT_STATUS_NO_SUCH_USER to
    LOGON_FAILURE later.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 28d9493d232020a65b1b4634408c9341ef1dc39c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 19 12:10:11 2019 +0100

    gensec/spnego: fallback on INVALID_{ACCOUNT,COMPUTER}_NAME and NO_SUCH_DOMAIN
    
    I think it's better to handle them in spnego.c, instead of squashing
    them already in the gssapi/gse modules. This is related to
    KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN and KRB5_REALM_UNKNOWN.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 62ee0d93cc5f809ebc5c4bcb4aa818aa4c69a9e3
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 19 12:10:11 2019 +0100

    winbindd_cm: fallback to anonymous for INVALID_COMPUTER_NAME and NO_SUCH_DOMAIN too
    
    These error codes are soon propagated in addition to
    INVALID_ACCOUNT_NAME through the gensec/spnego layers.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit d032569f2e441afd59b85a16ae7e0adcdd9f8ad2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Feb 7 13:08:43 2020 +0100

    smbspool: add more error codes to the auth_errors array
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit a0c6ae24c99c6ba6969e849fd17fdd9ebbeba0a4
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Feb 7 13:06:46 2020 +0100

    smbspool: use one element per line for the auth_errors array
    
    This makes it more obvious if we later change the array.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 15d2130bad3126e1f8f26a0309eee19d248fa120
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 12 22:01:43 2019 +0100

    s4:gensec_krb5: remove unused argument of gensec_krb5_common_client_creds()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 8ec0e3194bf3a7b1897e24ecc8294d8324a22809
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 13 11:07:31 2019 +0100

    s4:gensec_krb5: make use of talloc_zero() in gensec_krb5_start()
    
    This is simpler and safer in case the structure gets new elements.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit a8ba35fa97bedaf6161978f7b15121ad6a293643
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 12 22:16:55 2019 +0100

    s4:gensec_krb5: make use of struct samba_sockaddr
    
    This avoids some strict-aliasing warnings.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 240e5cf325b2a07fcdbd9ad37d5a499a2defc100
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 29 13:48:24 2019 +0100

    s3:libads: prefer ENCTYPE_AES256_CTS_HMAC_SHA1_96 in ads_keytab_add_entry()
    
    This is currently not critical as we only use keytabs
    as acceptor, but in future we'll also use them
    for kinit() and there we should prefer the newest type.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 0be5505942917c068c5996c02c4772c40c072dba
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 29 13:47:16 2019 +0100

    lib/krb5_wrap: prefer new enctypes in ms_suptypes_to_ietf_enctypes()
    
    This is currently not critical as we only use keytabs
    as acceptor, but in future we'll also use them
    for kinit() and there we should prefer the newest type.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit fd2ca9d26d52b9c007192baf2d91219325f3e292
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Dec 19 15:50:24 2019 +0100

    s3:libads: make use of auth4_context_{for,get}_PAC_DATA_CTR() in kerberos_return_pac()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit f8e7c3d3821c0d6389f98cc2c2044e7b8fcdbb7d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Dec 19 15:34:36 2019 +0100

    auth/kerberos: add auth4_context_{for,get}_PAC_DATA_CTR() helpers
    
    This adds a generic way to get to the raw (verified) PAC
    and will be used in multiple places in future.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/gensec/gensec.c                          | 39 +++++++++++-
 auth/gensec/spnego.c                          |  3 +
 auth/kerberos/kerberos_pac.c                  | 85 +++++++++++++++++++++++++++
 auth/kerberos/pac_utils.h                     | 10 ++++
 lib/krb5_wrap/enctype_convert.c               | 10 +++-
 {source3/libads => lib/krb5_wrap}/krb5_errs.c | 24 ++++----
 lib/krb5_wrap/krb5_samba.h                    |  3 +
 lib/krb5_wrap/wscript_build                   | 16 ++++-
 source3/client/smbspool.c                     | 24 ++++++--
 source3/libads/ads_status.c                   |  1 -
 source3/libads/authdata.c                     | 71 +---------------------
 source3/libads/kerberos.c                     |  1 -
 source3/libads/kerberos_keytab.c              |  6 +-
 source3/libads/kerberos_proto.h               |  7 +--
 source3/libads/krb5_errs.h                    | 30 ----------
 source3/libnet/libnet_dssync.c                |  1 -
 source3/libnet/libnet_dssync_keytab.c         |  1 -
 source3/libsmb/cliconnect.c                   |  1 -
 source3/passdb/machine_account_secrets.c      |  1 -
 source3/utils/net_ads.c                       |  1 +
 source3/winbindd/winbindd_cm.c                |  4 ++
 source3/winbindd/winbindd_cred_cache.c        |  1 -
 source3/winbindd/winbindd_pam.c               |  1 -
 source3/wscript_build                         |  1 -
 source4/auth/gensec/gensec_krb5.c             | 38 +++++-------
 25 files changed, 214 insertions(+), 166 deletions(-)
 rename {source3/libads => lib/krb5_wrap}/krb5_errs.c (96%)
 delete mode 100644 source3/libads/krb5_errs.h


Changeset truncated at 500 lines:

diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
index 91d8cce3f4c..becf4ce8685 100644
--- a/auth/gensec/gensec.c
+++ b/auth/gensec/gensec.c
@@ -502,8 +502,43 @@ static void gensec_update_done(struct tevent_req *subreq)
 	TALLOC_FREE(subreq);
 	state->status = status;
 	if (GENSEC_UPDATE_IS_NTERROR(status)) {
-		DBG_INFO("%s[%p]: %s%s%s\n", state->ops->name,
-			 state->gensec_security, nt_errstr(status),
+		NTSTATUS orig_status = status;
+		bool force_no_such_user = false;
+
+		/*
+		 * callers only expect NT_STATUS_NO_SUCH_USER.
+		 */
+		if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_ACCOUNT_NAME)) {
+			force_no_such_user = true;
+		} else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN)) {
+			force_no_such_user = true;
+		}
+
+		if (state->gensec_security->subcontext) {
+			/*
+			 * We should only map on the outer
+			 * gensec_update exchange, spnego
+			 * needs the raw status.
+			 */
+			force_no_such_user = false;
+		}
+
+		if (force_no_such_user) {
+			/*
+			 * nt_status_squash() may map
+			 * to NT_STATUS_LOGON_FAILURE later
+			 */
+			status = NT_STATUS_NO_SUCH_USER;
+		}
+
+		DBG_INFO("%s[%p]: %s%s%s%s%s\n",
+			 state->ops->name,
+			 state->gensec_security,
+			 NT_STATUS_EQUAL(status, orig_status) ?
+			 "" : nt_errstr(orig_status),
+			 NT_STATUS_EQUAL(status, orig_status) ?
+			 "" : " ",
+			 nt_errstr(status),
 			 debug_subreq ? " " : "",
 			 debug_subreq ? debug_subreq : "");
 		tevent_req_nterror(req, status);
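Review bot: the outer-context squash covers NT_STATUS_INVALID_ACCOUNT_NAME and NT_STATUS_NO_SUCH_DOMAIN but not NT_STATUS_INVALID_COMPUTER_NAME, which the same series starts propagating (krb5_errs.c now maps KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN to it and spnego.c lists it as a fallback trigger). If "callers only expect NT_STATUS_NO_SUCH_USER" holds, an unknown server principal on the outer gensec_update exchange will now reach those callers as a status they do not handle; either add `NT_STATUS_EQUAL(status, NT_STATUS_INVALID_COMPUTER_NAME)` to the `force_no_such_user` cases or extend the comment to say why a server-side lookup failure is deliberately left distinct. Collapsing the client-side cases to one status is also the right call for not telling a remote peer whether the account or the domain was the unknown part, so it is worth naming that reason in the comment alongside the nt_status_squash() follow-on.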
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index db8a91b6f34..87545d860e8 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -569,6 +569,9 @@ static NTSTATUS gensec_spnego_client_negTokenInit_step(
 		 * of this mech
 		 */
 		if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER) ||
+		    NT_STATUS_EQUAL(status, NT_STATUS_INVALID_ACCOUNT_NAME) ||
+		    NT_STATUS_EQUAL(status, NT_STATUS_INVALID_COMPUTER_NAME) ||
+		    NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN) ||
 		    NT_STATUS_EQUAL(status, NT_STATUS_NO_LOGON_SERVERS) ||
 		    NT_STATUS_EQUAL(status, NT_STATUS_TIME_DIFFERENCE_AT_DC) ||
 		    NT_STATUS_EQUAL(status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO))
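Review bot: three more statuses now make the client abandon the current mech and try the next one, but the comment that introduces the condition (cut off at "of this mech" in this excerpt) is not updated to say why. NT_STATUS_INVALID_ACCOUNT_NAME, NT_STATUS_INVALID_COMPUTER_NAME and NT_STATUS_NO_SUCH_DOMAIN are KDC and realm lookup failures, so with the usual Kerberos-then-NTLMSSP ordering this is a deliberate downgrade path; please state that in the comment, so a reader does not later remove them as a mismatch with the INVALID_PARAMETER / NO_LOGON_SERVERS cases, and so the trade-off (a peer that can make the SPN or realm unresolvable can steer the client to the next mech) is visible at the place where it is decided.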
diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
index 0ab0e9a4594..650c851bf13 100644
--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@@ -30,6 +30,8 @@
 #ifdef HAVE_KRB5
 
 #include "librpc/gen_ndr/ndr_krb5pac.h"
+#include "librpc/gen_ndr/auth.h"
+#include "auth/common_auth.h"
 #include "auth/kerberos/pac_utils.h"
 
 krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
@@ -466,4 +468,87 @@ NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
 	return NT_STATUS_OK;
 }
 
+static NTSTATUS auth4_context_fetch_PAC_DATA_CTR(
+				struct auth4_context *auth_ctx,
+				TALLOC_CTX *mem_ctx,
+				struct smb_krb5_context *smb_krb5_context,
+				DATA_BLOB *pac_blob,
+				const char *princ_name,
+				const struct tsocket_address *remote_address,
+				uint32_t session_info_flags,
+				struct auth_session_info **session_info)
+{
+	struct PAC_DATA_CTR *pac_data_ctr = NULL;
+	NTSTATUS status;
+
+	if (pac_blob == NULL) {
+		return NT_STATUS_NO_IMPERSONATION_TOKEN;
+	}
+
+	pac_data_ctr = talloc_zero(mem_ctx, struct PAC_DATA_CTR);
+	if (pac_data_ctr == NULL) {
+		status = NT_STATUS_NO_MEMORY;
+		goto fail;
+	}
+
+	status = kerberos_decode_pac(pac_data_ctr,
+				     *pac_blob,
+				     NULL,
+				     NULL,
+				     NULL,
+				     NULL,
+				     0,
+				     &pac_data_ctr->pac_data);
+	if (!NT_STATUS_IS_OK(status)) {
+		goto fail;
+	}
+
+	pac_data_ctr->pac_blob = data_blob_talloc(pac_data_ctr,
+						  pac_blob->data,
+						  pac_blob->length);
+	if (pac_data_ctr->pac_blob.length != pac_blob->length) {
+		status = NT_STATUS_NO_MEMORY;
+		goto fail;
+	}
+
+	*session_info = talloc_zero(mem_ctx, struct auth_session_info);
+	if (*session_info == NULL) {
+		status = NT_STATUS_NO_MEMORY;
+		goto fail;
+	}
+
+	TALLOC_FREE(auth_ctx->private_data);
+	auth_ctx->private_data = talloc_move(auth_ctx, &pac_data_ctr);
+
+	return NT_STATUS_OK;
+
+fail:
+	TALLOC_FREE(pac_data_ctr);
+
+	return status;
+}
+
+struct auth4_context *auth4_context_for_PAC_DATA_CTR(TALLOC_CTX *mem_ctx)
+{
+	struct auth4_context *auth_ctx = NULL;
+
+	auth_ctx = talloc_zero(mem_ctx, struct auth4_context);
+	if (auth_ctx == NULL) {
+		return NULL;
+	}
+	auth_ctx->generate_session_info_pac = auth4_context_fetch_PAC_DATA_CTR;
+
+	return auth_ctx;
+}
+
+struct PAC_DATA_CTR *auth4_context_get_PAC_DATA_CTR(struct auth4_context *auth_ctx,
+						    TALLOC_CTX *mem_ctx)
+{
+	struct PAC_DATA_CTR *p = NULL;
+	SMB_ASSERT(auth_ctx->generate_session_info_pac == auth4_context_fetch_PAC_DATA_CTR);
+	p = talloc_get_type_abort(auth_ctx->private_data, struct PAC_DATA_CTR);
+	auth_ctx->private_data = NULL;
+	return talloc_move(mem_ctx, &p);
+}
+
 #endif
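Review bot: auth4_context_fetch_PAC_DATA_CTR() returns NT_STATUS_NO_IMPERSONATION_TOKEN when pac_blob is NULL, whereas the kerberos_fetch_pac() it replaces in source3/libads/authdata.c returned NT_STATUS_OK with an empty session_info and no private_data in that case; that is a behaviour change (a ticket without a PAC now fails the gensec exchange instead of silently succeeding) and should be stated in the commit message. Also document ownership on the getter: auth4_context_get_PAC_DATA_CTR() moves the PAC_DATA_CTR to the caller's mem_ctx and clears private_data, so it is a one-shot transfer and a second call hits talloc_get_type_abort() on a NULL pointer; a short comment above the two public functions saying "valid once, after a successful gensec_update() exchange" would prevent misuse.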
diff --git a/auth/kerberos/pac_utils.h b/auth/kerberos/pac_utils.h
index d09e7b643d4..36fd60c3349 100644
--- a/auth/kerberos/pac_utils.h
+++ b/auth/kerberos/pac_utils.h
@@ -53,6 +53,16 @@ NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
 				 time_t tgs_authtime,
 				 struct PAC_LOGON_INFO **logon_info);
 
+struct PAC_DATA;
+struct PAC_DATA_CTR {
+	DATA_BLOB pac_blob;
+	struct PAC_DATA *pac_data;
+};
+
+struct auth4_context *auth4_context_for_PAC_DATA_CTR(TALLOC_CTX *mem_ctx);
+struct PAC_DATA_CTR *auth4_context_get_PAC_DATA_CTR(struct auth4_context *auth_ctx,
+						    TALLOC_CTX *mem_ctx);
+
 NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
 				gss_ctx_id_t gssapi_context,
 				gss_name_t gss_client_name,
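Review bot: the new prototypes take `struct auth4_context *`, but only `struct PAC_DATA;` is forward-declared here; unless pac_utils.h already has struct auth4_context in scope via an include, add `struct auth4_context;` next to it, otherwise the tag is scoped to the parameter list and compilers warn that it will not match the real type. The struct itself would also benefit from a one-line comment that `pac_blob` is a private copy owned by the PAC_DATA_CTR (as kerberos_pac.c allocates it), so callers know they may keep it after the auth4_context goes away.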
diff --git a/lib/krb5_wrap/enctype_convert.c b/lib/krb5_wrap/enctype_convert.c
index a658911190a..4a644358c17 100644
--- a/lib/krb5_wrap/enctype_convert.c
+++ b/lib/krb5_wrap/enctype_convert.c
@@ -83,13 +83,17 @@ krb5_error_code ms_suptypes_to_ietf_enctypes(TALLOC_CTX *mem_ctx,
 					     uint32_t enctype_bitmap,
 					     krb5_enctype **enctypes)
 {
-	unsigned int i, j = 0;
+	size_t max_bits = 8 * sizeof(enctype_bitmap);
+	size_t j = 0;
+	ssize_t i;
+
 	*enctypes = talloc_zero_array(mem_ctx, krb5_enctype,
-					(8 * sizeof(enctype_bitmap)) + 1);
+				      max_bits + 1);
 	if (!*enctypes) {
 		return ENOMEM;
 	}
-	for (i = 0; i < (8 * sizeof(enctype_bitmap)); i++) {
+
+	for (i = max_bits - 1; i >= 0; i--) {
 		uint32_t bit_value = (1U << i) & enctype_bitmap;
 		if (bit_value & enctype_bitmap) {
 			(*enctypes)[j] = ms_suptype_to_ietf_enctype(bit_value);
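Review bot: the reversed loop encodes an assumption that is not written down, namely that higher bits in the MS supported-enctypes bitmap are the newer (AES) types, so walking from the top bit down puts the preferred enctype first. Add a comment above the loop saying the output array is in descending preference order, since callers will rely on `(*enctypes)[0]` being the best choice. The index types can also be simplified: `ssize_t i` against `size_t max_bits` and `1U << i` mixes signed and unsigned; `for (i = max_bits; i-- > 0;)` with a size_t keeps everything unsigned and avoids the `max_bits - 1` conversion. Pre-existing but adjacent: `bit_value` is already masked with `enctype_bitmap`, so `if (bit_value & enctype_bitmap)` is just `if (bit_value)`.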
diff --git a/source3/libads/krb5_errs.c b/lib/krb5_wrap/krb5_errs.c
similarity index 96%
rename from source3/libads/krb5_errs.c
rename to lib/krb5_wrap/krb5_errs.c
index 0c2ada59966..d602b61cc7c 100644
--- a/source3/libads/krb5_errs.c
+++ b/lib/krb5_wrap/krb5_errs.c
@@ -1,26 +1,24 @@
-/* 
+/*
  *  Unix SMB/CIFS implementation.
  *  Kerberos error mapping functions
  *  Copyright (C) Guenther Deschner 2005
- *  
+ *
  *  This program is free software; you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
  *  the Free Software Foundation; either version 3 of the License, or
  *  (at your option) any later version.
- *  
+ *
  *  This program is distributed in the hope that it will be useful,
  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  *  GNU General Public License for more details.
- *  
+ *
  *  You should have received a copy of the GNU General Public License
  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
  */
 
 #include "includes.h"
-#include "smb_krb5.h"
-
-#include "krb5_errs.h"
+#include "krb5_samba.h"
 
 #ifdef HAVE_KRB5
 
@@ -43,7 +41,7 @@ static const struct {
 	{KRB5KDC_ERR_POLICY, NT_STATUS_INVALID_WORKSTATION},
 	{KRB5KDC_ERR_PREAUTH_FAILED, NT_STATUS_LOGON_FAILURE},
 	{KRB5KDC_ERR_SERVICE_REVOKED, NT_STATUS_ACCESS_DENIED},
-	{KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, NT_STATUS_INVALID_ACCOUNT_NAME},
+	{KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, NT_STATUS_INVALID_COMPUTER_NAME},
 	{KRB5KDC_ERR_SUMTYPE_NOSUPP, NT_STATUS_LOGON_FAILURE},
 	{KRB5KDC_ERR_TGT_REVOKED, NT_STATUS_ACCESS_DENIED},
 	{KRB5_KDC_UNREACH, NT_STATUS_NO_LOGON_SERVERS},
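Review bot: changing the NTSTATUS for KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN is an interface change for every caller of krb5_to_nt_status(), not only the gensec/spnego, winbindd_cm and smbspool sites this series adjusts; the commit message explains why client and server principal need distinct statuses but not which other callers were checked for a match on NT_STATUS_INVALID_ACCOUNT_NAME, so please list them. It is also worth a comment in the table that NT_STATUS_INVALID_COMPUTER_NAME is the closest available status rather than an exact one: an unknown service principal does not always mean a bad computer name (the SPN may live on a user account), which matters to anyone matching on it to decide what to tell the user.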
@@ -61,6 +59,7 @@ static const struct {
 	{KRB5_RC_MALLOC, NT_STATUS_NO_MEMORY},
 	{ENOMEM, NT_STATUS_NO_MEMORY},
 	{KRB5_REALM_CANT_RESOLVE, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND},
+	{KRB5_REALM_UNKNOWN, NT_STATUS_NO_SUCH_DOMAIN},
 
 	/* Must be last entry */
 	{KRB5KDC_ERR_NONE, NT_STATUS_OK}
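Review bot: neither new forward entry (KRB5_REALM_UNKNOWN here and KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN above) has a counterpart shown for nt_status_to_krb5_map, which nt_status_to_krb5() below walks for the reverse direction; if that table still carries NT_STATUS_INVALID_ACCOUNT_NAME only, a round trip through the two functions is no longer symmetric for the new statuses. Either add the reverse entries or note in the file that the reverse map is intentionally a subset.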
@@ -81,11 +80,11 @@ convert a KRB5 error to a NT status32 code
  NTSTATUS krb5_to_nt_status(krb5_error_code kerberos_error)
 {
 	int i;
-	
+
 	if (kerberos_error == 0) {
 		return NT_STATUS_OK;
 	}
-	
+
 	for (i=0; NT_STATUS_V(krb5_to_nt_status_map[i].ntstatus); i++) {
 		if (kerberos_error == krb5_to_nt_status_map[i].krb5_code)
 			return krb5_to_nt_status_map[i].ntstatus;
@@ -100,11 +99,11 @@ convert an NT status32 code to a KRB5 error
  krb5_error_code nt_status_to_krb5(NTSTATUS nt_status)
 {
 	int i;
-	
+
 	if NT_STATUS_IS_OK(nt_status) {
 		return 0;
 	}
-	
+
 	for (i=0; NT_STATUS_V(nt_status_to_krb5_map[i].ntstatus); i++) {
 		if (NT_STATUS_EQUAL(nt_status,nt_status_to_krb5_map[i].ntstatus))
 			return nt_status_to_krb5_map[i].krb5_code;
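Review bot: while this hunk only trims trailing whitespace, the unchanged line `if NT_STATUS_IS_OK(nt_status) {` in the same region relies on the macro expansion supplying the parentheses for the `if`; since the file is being moved and touched anyway, writing it as `if (NT_STATUS_IS_OK(nt_status)) {` would remove the dependence on that macro detail and match the `if (kerberos_error == 0)` form in krb5_to_nt_status() above.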
@@ -114,4 +113,3 @@ convert an NT status32 code to a KRB5 error
 }
 
 #endif
-
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index 64ae0275dbd..ca9a893e4f7 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -406,4 +406,7 @@ int ads_krb5_cli_get_ticket(TALLOC_CTX *mem_ctx,
 			    time_t *tgs_expire,
 			    const char *impersonate_princ_s);
 
+NTSTATUS krb5_to_nt_status(krb5_error_code kerberos_error);
+krb5_error_code nt_status_to_krb5(NTSTATUS nt_status);
+
 #endif /* _KRB5_SAMBA_H */
diff --git a/lib/krb5_wrap/wscript_build b/lib/krb5_wrap/wscript_build
index 624964452af..dd9fc08fff7 100644
--- a/lib/krb5_wrap/wscript_build
+++ b/lib/krb5_wrap/wscript_build
@@ -5,7 +5,19 @@ if bld.CONFIG_SET('SAMBA4_USES_HEIMDAL'):
     add_deps = ' asn1'
 
 bld.SAMBA_LIBRARY('krb5samba',
-                  source='krb5_samba.c gss_samba.c keytab_util.c enctype_convert.c',
-                  deps='samba-util talloc krb5 com_err gssapi' + add_deps,
+                  source='''
+                      krb5_samba.c
+                      gss_samba.c
+                      keytab_util.c
+                      enctype_convert.c
+                      krb5_errs.c
+                  ''',
+                  deps='''
+                      samba-util
+                      talloc
+                      krb5
+                      com_err
+                      gssapi
+                  ''' + add_deps,
                   private_library=True
                  )
diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
index 5e2d230ab8b..e8be739f5cd 100644
--- a/source3/client/smbspool.c
+++ b/source3/client/smbspool.c
@@ -474,12 +474,24 @@ get_exit_code(NTSTATUS nt_status)
 	 */
 	static const NTSTATUS auth_errors[] =
 	{
-		NT_STATUS_ACCESS_DENIED, NT_STATUS_ACCESS_VIOLATION,
-		NT_STATUS_SHARING_VIOLATION, NT_STATUS_PRIVILEGE_NOT_HELD,
-		NT_STATUS_INVALID_ACCOUNT_NAME, NT_STATUS_NO_SUCH_USER,
-		NT_STATUS_WRONG_PASSWORD, NT_STATUS_LOGON_FAILURE,
-		NT_STATUS_ACCOUNT_RESTRICTION, NT_STATUS_INVALID_LOGON_HOURS,
-		NT_STATUS_PASSWORD_EXPIRED, NT_STATUS_ACCOUNT_DISABLED
+		NT_STATUS_ACCESS_DENIED,
+		NT_STATUS_ACCESS_VIOLATION,
+		NT_STATUS_ACCOUNT_DISABLED,
+		NT_STATUS_ACCOUNT_LOCKED_OUT,
+		NT_STATUS_ACCOUNT_RESTRICTION,
+		NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND,
+		NT_STATUS_INVALID_ACCOUNT_NAME,
+		NT_STATUS_INVALID_COMPUTER_NAME,
+		NT_STATUS_INVALID_LOGON_HOURS,
+		NT_STATUS_INVALID_WORKSTATION,
+		NT_STATUS_LOGON_FAILURE,
+		NT_STATUS_NO_SUCH_USER,
+		NT_STATUS_NO_SUCH_DOMAIN,
+		NT_STATUS_NO_LOGON_SERVERS,
+		NT_STATUS_PASSWORD_EXPIRED,
+		NT_STATUS_PRIVILEGE_NOT_HELD,
+		NT_STATUS_SHARING_VIOLATION,
+		NT_STATUS_WRONG_PASSWORD,
 	};
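Review bot: the reordered list reads as sorted alphabetically, but NT_STATUS_NO_SUCH_USER, NT_STATUS_NO_SUCH_DOMAIN and NT_STATUS_NO_LOGON_SERVERS are out of order (NO_LOGON_SERVERS sorts before NO_SUCH_DOMAIN before NO_SUCH_USER); worth fixing now, since the point of the previous commit was to make future changes to the array obvious. More substantively, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND and NT_STATUS_NO_LOGON_SERVERS are reachability failures, not credential failures; if auth_errors is what makes get_exit_code() tell CUPS that the job needs (re)authentication, users will be asked for a password for what is really a DC outage. If that is the intended recovery path, say so in the commit message, which currently only says "add more error codes".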
 
 
diff --git a/source3/libads/ads_status.c b/source3/libads/ads_status.c
index fb3646386ca..70569949aeb 100644
--- a/source3/libads/ads_status.c
+++ b/source3/libads/ads_status.c
@@ -25,7 +25,6 @@
 #include "system/gssapi.h"
 #include "smb_ldap.h"
 #include "libads/ads_status.h"
-#include "krb5_errs.h"
 
 /*
   build a ADS_STATUS structure
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index 6e6d5b397ff..dd21d895fc2 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -32,7 +32,6 @@
 #include "auth/gensec/gensec.h"
 #include "auth/gensec/gensec_internal.h" /* TODO: remove this */
 #include "../libcli/auth/spnego.h"
-#include "krb5_errs.h"
 
 #ifdef HAVE_KRB5
 
@@ -40,70 +39,6 @@
 
 struct smb_krb5_context;
 
-/****************************************************************
-Callback to get the PAC_LOGON_INFO from the blob
-****************************************************************/
-static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
-				   TALLOC_CTX *mem_ctx,
-				   struct smb_krb5_context *smb_krb5_context,
-				   DATA_BLOB *pac_blob,
-				   const char *princ_name,
-				   const struct tsocket_address *remote_address,
-				   uint32_t session_info_flags,
-				   struct auth_session_info **session_info)
-{
-	TALLOC_CTX *tmp_ctx;
-	struct PAC_DATA *pac_data = NULL;
-	struct PAC_DATA_CTR *pac_data_ctr = NULL;
-	NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
-
-	tmp_ctx = talloc_new(mem_ctx);
-	if (!tmp_ctx) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	if (pac_blob != NULL) {
-		status = kerberos_decode_pac(tmp_ctx,
-					     *pac_blob,
-					     NULL,
-					     NULL,
-					     NULL,
-					     NULL,
-					     0,
-					     &pac_data);
-		if (!NT_STATUS_IS_OK(status)) {
-			goto done;
-		}
-
-		pac_data_ctr = talloc(mem_ctx, struct PAC_DATA_CTR);
-		if (pac_data_ctr == NULL) {
-			status = NT_STATUS_NO_MEMORY;
-			goto done;
-		}
-
-		talloc_set_name_const(pac_data_ctr, "struct PAC_DATA_CTR");
-
-		pac_data_ctr->pac_data = talloc_steal(pac_data_ctr, pac_data);
-		pac_data_ctr->pac_blob = data_blob_talloc(pac_data_ctr,
-							  pac_blob->data,
-							  pac_blob->length);
-
-		auth_ctx->private_data = talloc_steal(auth_ctx, pac_data_ctr);
-	}
-
-	*session_info = talloc_zero(mem_ctx, struct auth_session_info);
-	if (!*session_info) {
-		status = NT_STATUS_NO_MEMORY;
-		goto done;
-	}
-	status = NT_STATUS_OK;
-
-done:
-	TALLOC_FREE(tmp_ctx);
-
-	return status;
-}
-
 /*
  * Given the username/password, do a kinit, store the ticket in
  * cache_name if specified, and return the PAC_LOGON_INFO (the
@@ -226,12 +161,11 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 		goto out;
 	}
 
-	auth_context = talloc_zero(tmp_ctx, struct auth4_context);
+	auth_context = auth4_context_for_PAC_DATA_CTR(tmp_ctx);
 	if (auth_context == NULL) {
 		status = NT_STATUS_NO_MEMORY;
 		goto out;
 	}
-	auth_context->generate_session_info_pac = kerberos_fetch_pac;
 
 	lp_ctx = loadparm_init_s3(tmp_ctx, loadparm_s3_helpers());
 	if (lp_ctx == NULL) {
@@ -296,8 +230,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 		goto out;
 	}
 
-	pac_data_ctr = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
-					     struct PAC_DATA_CTR);
+	pac_data_ctr = auth4_context_get_PAC_DATA_CTR(auth_context, mem_ctx);
 	if (pac_data_ctr == NULL) {
 		DEBUG(1,("no PAC\n"));
 		status = NT_STATUS_INVALID_PARAMETER;
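Review bot: the `if (pac_data_ctr == NULL)` branch kept here is now unreachable: auth4_context_get_PAC_DATA_CTR() uses SMB_ASSERT and talloc_get_type_abort() on private_data, so a missing PAC aborts the process inside the getter instead of producing the "no PAC" message and NT_STATUS_INVALID_PARAMETER. The new fetch callback returns NT_STATUS_NO_IMPERSONATION_TOKEN when there is no PAC, so the gensec exchange should already have failed before this line, but that invariant is enforced two layers away; either have the getter return NULL when private_data is NULL so this check stays meaningful, or drop the check and rely on the abort.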
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 559ec3b7f53..5959da919b0 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -31,7 +31,6 @@
 #include "secrets.h"
 #include "../lib/tsocket/tsocket.h"
 #include "lib/util/asn1.h"


-- 
Samba Shared Repository


