[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Thu Jun 11 02:50:05 UTC 2020


The branch, master has been updated
       via  6095a4f0d58 kdc: allow checksum of PA-FOR-USER to be HMAC_MD5
       via  c8080bbd708 s3-libads: use ldap_init_fd() to initialize a ldap session if possible
      from  317538154a0 smbclient: Simplify do_list()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 6095a4f0d58cad3dde6e76cadd7bcae0a240c9e6
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Mon Nov 12 12:26:25 2018 +0200

    kdc: allow checksum of PA-FOR-USER to be HMAC_MD5
    
    even if the TGT session key uses a different HMAC.
    
    Per [MS-SFU] 2.2.1 PA-FOR-USER the checksum is
    always HMAC_MD5, and that's what windows 7 client
    and MIT client send.
    
    In heimdal both the client and kdc use the checksum of
    the tgt key instead and therefore work with each other
    but windows and MIT clients fail against heimdal KDC.
    
    Windows KDC allows either checksum (HMAC_MD5 or from
    tgt) so we should do the same to support all clients.
    
    Signed-off-by: Isaac Boukris <iboukris at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Thu Jun 11 02:48:58 UTC 2020 on sn-devel-184

commit c8080bbd708eaa3212fa516861ac9e3b267989a0
Author: Björn Baumbach <bb at sernet.de>
Date:   Wed Jun 3 19:40:59 2020 +0200

    s3-libads: use ldap_init_fd() to initialize a ldap session if possible
    
    Use the known ip address of the ldap server to open the connection and
    initialize the ldap session with ldap_init_fd().
    
    This avoids unnecessary DNS lookups, which might block or prevent a
    successful connection.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13124
    
    Signed-off-by: Björn Baumbach <bb at sernet.de>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 selftest/knownfail                          |  2 --
 source3/libads/ldap.c                       | 18 +++++++++++++++++-
 source4/heimdal/kdc/krb5tgs.c               | 29 +++++++++++++++++++++++------
 source4/heimdal/lib/krb5/version-script.map |  1 +
 4 files changed, 41 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/selftest/knownfail b/selftest/knownfail
index 38e8597deda..57a4d93a37d 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -393,5 +393,3 @@
 ^samba.tests.ntlmdisabled.python\(ktest\).python2.ntlmdisabled.NtlmDisabledTests.test_samr_change_password\(ktest\)
 ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python3.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\)
 ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python2.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\)
-# Fixed upstream heimdal in PR #439
-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_hmac_md5_checksum
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index eb5fef0c7f3..d443e3ee20c 100755
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -92,7 +92,23 @@ static void gotalarm_sig(int signum)
 		return NULL;
 	}
 
-#ifdef HAVE_LDAP_INITIALIZE
+#ifdef HAVE_LDAP_INIT_FD
+	{
+		int fd = -1;
+		NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+
+		status = open_socket_out(ss, port, to, &fd);
+		if (!NT_STATUS_IS_OK(status)) {
+			return NULL;
+		}
+
+/* define LDAP_PROTO_TCP from openldap.h if required */
+#ifndef LDAP_PROTO_TCP
+#define LDAP_PROTO_TCP 1
+#endif
+		ldap_err = ldap_init_fd(fd, LDAP_PROTO_TCP, uri, &ldp);
+	}
+#elif defined(HAVE_LDAP_INITIALIZE)
 	ldap_err = ldap_initialize(&ldp, uri);
 #else
 	ldp = ldap_open(server, port);
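Review bot: The socket returned by open_socket_out() is leaked when ldap_init_fd() fails: `fd` goes out of scope at the closing brace of the new block, and the ldap_err check that presumably follows the hunk can only `return NULL` without knowing about it, so a failed session init on the new code path drops an open descriptor. Adding `if (ldap_err != LDAP_SUCCESS) { close(fd); return NULL; }` directly after the ldap_init_fd() call inside the block keeps ownership of the fd where it was acquired; once ldap_init_fd() succeeds the handle owns the fd and the existing ldap_unbind path covers it. The `NT_STATUS_UNSUCCESSFUL` initializer of `status` is overwritten on the next statement and can be dropped. The enclosing function starts and ends outside the hunk, so the placement of the existing ldap_err check is inferred, not visible.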
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index ee3ac3d8f53..53d0eaf935b 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -1946,12 +1946,29 @@ server_lookup:
 		goto out;
 	    }
 
-	    ret = krb5_verify_checksum(context,
-				       crypto,
-				       KRB5_KU_OTHER_CKSUM,
-				       datack.data,
-				       datack.length,
-				       &self.cksum);
+	    /* Allow HMAC_MD5 checksum with any key type */
+	    if (self.cksum.cksumtype == CKSUMTYPE_HMAC_MD5) {
+		unsigned char csdata[16];
+		Checksum cs;
+
+		cs.checksum.length = sizeof(csdata);
+		cs.checksum.data = &csdata;
+
+		ret = _krb5_HMAC_MD5_checksum(context, &crypto->key,
+					      datack.data, datack.length,
+					      KRB5_KU_OTHER_CKSUM, &cs);
+		if (ret == 0 &&
+		    krb5_data_ct_cmp(&cs.checksum, &self.cksum.checksum) != 0)
+		    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+	    }
+	    else {
+		ret = krb5_verify_checksum(context,
+					   crypto,
+					   KRB5_KU_OTHER_CKSUM,
+					   datack.data,
+					   datack.length,
+					   &self.cksum);
+	    }
 	    krb5_data_free(&datack);
 	    krb5_crypto_destroy(context, crypto);
 	    if (ret) {
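Review bot: `cs.checksum.data = &csdata;` takes the address of the array (type `unsigned char (*)[16]`) rather than letting it decay; it converts to `void *` silently and points at the same bytes, but `cs.checksum.data = csdata;` is what a reader expects and what the `length = sizeof(csdata)` line pairs with. `cs.cksumtype` is never set before `_krb5_HMAC_MD5_checksum()` is called, which is fine only if that helper fills it in or ignores it — please confirm, as the same `cs` is then handed to `krb5_data_ct_cmp()` (constant-time, good choice for a MAC comparison). The comment on the branch would be more useful if it recorded why an HMAC-MD5 checksum is accepted regardless of the TGT key type, e.g. `/* [MS-SFU] 2.2.1: PA-FOR-USER checksum is always HMAC_MD5 even when the TGT session key uses another enctype; accept it alongside the key-derived checksum */`. The `}` / `else {` split across two lines also differs from the surrounding Heimdal style, which uses `} else {`. The enclosing function starts and ends outside the hunk.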
diff --git a/source4/heimdal/lib/krb5/version-script.map b/source4/heimdal/lib/krb5/version-script.map
index ddae2a06764..b95ba92f4f6 100644
--- a/source4/heimdal/lib/krb5/version-script.map
+++ b/source4/heimdal/lib/krb5/version-script.map
@@ -764,6 +764,7 @@ HEIMDAL_KRB5_2.0 {
 		_krb5_principalname2krb5_principal;
 		_krb5_put_int;
 		_krb5_s4u2self_to_checksumdata;
+		_krb5_HMAC_MD5_checksum;
 
 		# kinit helper
 		krb5_get_init_creds_opt_set_pkinit_user_certs;

