[SCM] Samba Shared Repository - branch master updated
Isaac Boukris
iboukris at samba.org
Tue Mar 10 14:47:02 UTC 2020
The branch, master has been updated
via 0982980dc6d mit-kdc: Explicitly reject S4U requests
via 8b0c796f533 selftest: Set KRB5RCACHETYPE to none for selftest
via 34347586375 Sign and verify PAC with ticket principal instead of canon principal
via 5d73cc408bd Fix uxsuccess test with new MIT krb5 library 1.18
via bebad45b29a Adapt sign_authdata in our KDB module for krb5 v1.18
from 9f9dcfb6c32 ctdb-tests: Use built-in hexdump() in system socket tests
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 0982980dc6d869cf7ee8d735bb14fc20f33a96ae
Author: Isaac Boukris <iboukris at gmail.com>
Date: Fri Jan 31 22:34:21 2020 +0100
mit-kdc: Explicitly reject S4U requests
Signed-off-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Isaac Boukris <iboukris at samba.org>
Autobuild-Date(master): Tue Mar 10 14:46:04 UTC 2020 on sn-devel-184
commit 8b0c796f5334f0b219feecc1a39c0b8fae8f7af4
Author: Andreas Schneider <asn at samba.org>
Date: Fri Mar 6 17:15:45 2020 +0100
selftest: Set KRB5RCACHETYPE to none for selftest
This is required so that our tests work with MIT KRB5 1.18.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
commit 34347586375dea9b615fb6a0218bcb5927031e4d
Author: Isaac Boukris <iboukris at gmail.com>
Date: Thu Jan 16 22:00:21 2020 +0100
Sign and verify PAC with ticket principal instead of canon principal
With MIT library 1.18 the KDC no longer sets
KRB5_KDB_FLAG_CANONICALIZE for enterprise principals, which allows
us to not canonicalize them (like Windows / Heimdal do).
However, it now breaks the PAC signature verification as it was
wrongly done using canonical client rather than ticket client name.
Signed-off-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 5d73cc408bd7d0aab7ec3d4dbc93066e07bfa72c
Author: Isaac Boukris <iboukris at gmail.com>
Date: Thu Jan 16 21:36:24 2020 +0100
Fix uxsuccess test with new MIT krb5 library 1.18
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14155
Signed-off-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit bebad45b29ad8e90828b55ddbbdb9379691f8d62
Author: Isaac Boukris <iboukris at gmail.com>
Date: Mon Sep 16 16:40:12 2019 +0300
Adapt sign_authdata in our KDB module for krb5 v1.18
Signed-off-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
-----------------------------------------------------------------------
Summary of changes:
.../kinit_mit => knownfail_mit_krb5_pre_1_18} | 0
selftest/selftest.pl | 1 +
selftest/wscript | 3 ++
source4/kdc/mit-kdb/kdb_samba.c | 2 +-
source4/kdc/mit-kdb/kdb_samba.h | 21 ++++++++++++
source4/kdc/mit-kdb/kdb_samba_policies.c | 40 +++++++++++++++++-----
testprogs/blackbox/test_kinit_mit.sh | 4 ---
wscript_configure_system_mitkrb5 | 3 ++
8 files changed, 61 insertions(+), 13 deletions(-)
rename selftest/{knownfail.d/kinit_mit => knownfail_mit_krb5_pre_1_18} (100%)
Changeset truncated at 500 lines:
diff --git a/selftest/knownfail.d/kinit_mit b/selftest/knownfail_mit_krb5_pre_1_18
similarity index 100%
rename from selftest/knownfail.d/kinit_mit
rename to selftest/knownfail_mit_krb5_pre_1_18
diff --git a/selftest/selftest.pl b/selftest/selftest.pl
index 02848f83794..be83a0bd0e6 100755
--- a/selftest/selftest.pl
+++ b/selftest/selftest.pl
@@ -426,6 +426,7 @@ my $testenv_default = "none";
if ($opt_mitkrb5 == 1) {
$ENV{MITKRB5} = $opt_mitkrb5;
+ $ENV{KRB5RCACHETYPE} = "none";
}
# After this many seconds, the server will self-terminate. All tests
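Review bot: The new `$ENV{KRB5RCACHETYPE} = "none";` line switches off the Kerberos replay cache for every MIT build of the test run, but nothing at the assignment says why, or that the setting is meant for the test harness only. A short comment above it, e.g. `# MIT krb5 1.18 needs the replay cache disabled for our tests; selftest only`, would record the reason given in the commit message and keep the line from being copied as general configuration. The `if ($opt_mitkrb5 == 1)` block is complete within the hunk.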
diff --git a/selftest/wscript b/selftest/wscript
index 4d03eb76842..501a5df5824 100644
--- a/selftest/wscript
+++ b/selftest/wscript
@@ -142,6 +142,9 @@ def cmd_testonly(opt):
'--flapping=${srcdir}/selftest/flapping '
'--flapping=${srcdir}/selftest/flapping.d')
+ if CONFIG_GET(opt, 'HAVE_MIT_KRB5_PRE_1_18'):
+ env.FILTER_XFAIL += ' --expected-failures=${srcdir}/selftest/knownfail_mit_krb5_pre_1_18'
+
if Options.options.FAIL_IMMEDIATELY:
env.FILTER_XFAIL += ' --fail-immediately'
diff --git a/source4/kdc/mit-kdb/kdb_samba.c b/source4/kdc/mit-kdb/kdb_samba.c
index c5157d6ed1b..02bbdca9f54 100644
--- a/source4/kdc/mit-kdb/kdb_samba.c
+++ b/source4/kdc/mit-kdb/kdb_samba.c
@@ -139,7 +139,7 @@ static void kdb_samba_db_free_principal_e_data(krb5_context context,
kdb_vftabl kdb_function_table = {
.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
- .min_ver = 1,
+ .min_ver = KRB5_KDB_DAL_MAJOR_VERSION == 6 ? 1 : 0,
.init_library = kdb_samba_init_library,
.fini_library = kdb_samba_fini_library,
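Review bot: The `.min_ver` ternary ties the minor version to DAL major 6 with no explanation, so the next krb5 version bump has no way to tell whether the special case still applies or should be extended. A comment above the line, e.g. `/* DAL major 6 requires min_ver 1; other DAL majors start at 0 */`, would record the intent; the reasoning is only inferred from the commit title here. The `kdb_function_table` initializer continues past the hunk.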
diff --git a/source4/kdc/mit-kdb/kdb_samba.h b/source4/kdc/mit-kdb/kdb_samba.h
index 22ef9085b6a..ad4f6e27573 100644
--- a/source4/kdc/mit-kdb/kdb_samba.h
+++ b/source4/kdc/mit-kdb/kdb_samba.h
@@ -114,6 +114,7 @@ krb5_error_code kdb_samba_dbekd_encrypt_key_data(krb5_context context,
/* from kdb_samba_policies.c */
+#if KRB5_KDB_API_VERSION < 10
krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
unsigned int flags,
krb5_const_principal client_princ,
@@ -127,6 +128,26 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
krb5_timestamp authtime,
krb5_authdata **tgt_auth_data,
krb5_authdata ***signed_auth_data);
+#else
+krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ unsigned int flags,
+ krb5_const_principal client_princ,
+ krb5_const_principal server_princ,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_db_entry *krbtgt,
+ krb5_db_entry *local_krbtgt,
+ krb5_keyblock *client_key,
+ krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key,
+ krb5_keyblock *local_krbtgt_key,
+ krb5_keyblock *session_key,
+ krb5_timestamp authtime,
+ krb5_authdata **tgt_auth_data,
+ void *authdata_info,
+ krb5_data ***auth_indicators,
+ krb5_authdata ***signed_auth_data);
+#endif
krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,
krb5_kdc_req *kdcreq,
diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
index fc80329f221..9197551ed61 100644
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
@@ -287,6 +287,7 @@ done:
return code;
}
+#if KRB5_KDB_API_VERSION < 10
krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
unsigned int flags,
krb5_const_principal client_princ,
@@ -301,18 +302,41 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
krb5_authdata **tgt_auth_data,
krb5_authdata ***signed_auth_data)
{
- krb5_const_principal ks_client_princ;
+#else
+krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ unsigned int flags,
+ krb5_const_principal client_princ,
+ krb5_const_principal server_princ,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_db_entry *krbtgt,
+ krb5_db_entry *local_krbtgt,
+ krb5_keyblock *client_key,
+ krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key,
+ krb5_keyblock *local_krbtgt_key,
+ krb5_keyblock *session_key,
+ krb5_timestamp authtime,
+ krb5_authdata **tgt_auth_data,
+ void *authdata_info,
+ krb5_data ***auth_indicators,
+ krb5_authdata ***signed_auth_data)
+{
+#endif
krb5_authdata **authdata = NULL;
krb5_boolean is_as_req;
krb5_error_code code;
krb5_pac pac = NULL;
krb5_data pac_data;
- /* Prefer canonicalised name from client entry */
- if (client != NULL) {
- ks_client_princ = client->princ;
- } else {
- ks_client_princ = client_princ;
+#if KRB5_KDB_API_VERSION >= 10
+ krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;
+ krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
+#endif
+
+ /* FIXME: We don't support S4U yet */
+ if (flags & KRB5_KDB_FLAGS_S4U) {
+ return KRB5_KDB_DBTYPE_NOSUP;
}
is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
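Review bot: The new S4U guard returns `KRB5_KDB_DBTYPE_NOSUP` without any log line, so an operator whose protocol-transition or constrained-delegation requests fail against this KDC has nothing in the Samba log to go on; a `DBG_INFO("S4U requests are not supported by this KDB module, rejecting\n");` before the `return` would give them a lead, and the file already uses the DBG_* macros. The `#if KRB5_KDB_API_VERSION >= 10` block that rewrites the `krbtgt` and `krbtgt_key` parameters from their `local_*` counterparts also deserves a one-line comment stating what the two pairs mean in the 1.18 API, since a reader of the later `ks_verify_pac` call otherwise cannot see that the arguments may have been substituted. If `ks_verify_pac` or `krb5_pac_sign` cannot cope with a NULL `krbtgt`/`krbtgt_key` when both the normal and local variants are NULL, a check after the fallback would be warranted, though that cannot be told from the hunk. The function body continues past the hunk.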
@@ -327,7 +351,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
if (!is_as_req) {
code = ks_verify_pac(context,
flags,
- ks_client_princ,
+ client_princ,
client,
server,
krbtgt,
@@ -354,7 +378,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
goto done;
}
- code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
+ code = krb5_pac_sign(context, pac, authtime, client_princ,
server_key, krbtgt_key, &pac_data);
if (code != 0) {
DBG_ERR("krb5_pac_sign failed: %d\n", code);
diff --git a/testprogs/blackbox/test_kinit_mit.sh b/testprogs/blackbox/test_kinit_mit.sh
index d28caecd603..61029a5e04c 100755
--- a/testprogs/blackbox/test_kinit_mit.sh
+++ b/testprogs/blackbox/test_kinit_mit.sh
@@ -134,10 +134,6 @@ testit "enable user with kerberos cache" $VALGRIND $PYTHON $samba_enableaccount
### Test kinit with canonicalization
###########################################################
-# This is currently not working due to an upstream bug in MIT Kerberos. The
-# test will ensure that we get notified when we can turn on canonicalization
-# in ads_krb5_chg_password().
-# https://bugzilla.samba.org/show_bug.cgi?id=14155
upperusername=$(echo $USERNAME | tr '[a-z]' '[A-Z]')
testit "kinit with canonicalize" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit -C $upperusername@$REALM -S kadmin/changepw@$REALM || failed=`expr $failed + 1`
diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5
index b14881f094c..b0bf2a8b40d 100644
--- a/wscript_configure_system_mitkrb5
+++ b/wscript_configure_system_mitkrb5
@@ -77,6 +77,9 @@ if conf.env.KRB5_CONFIG:
else:
Logs.info('MIT Kerberos %s detected, MIT krb5 build can proceed' % (krb5_version))
+ if parse_version(krb5_version) < parse_version('1.18'):
+ conf.DEFINE('HAVE_MIT_KRB5_PRE_1_18', 1)
+
conf.CHECK_CFG(args="--cflags --libs", package="com_err", uselib_store="com_err")
conf.CHECK_FUNCS_IN('_et_list', 'com_err')
conf.CHECK_HEADERS('com_err.h', lib='com_err')