[SCM] Samba Shared Repository - branch master updated

Andreas Schneider asn at samba.org
Thu Aug 26 07:06:01 UTC 2021


The branch, master has been updated
       via  9b9fd2a0d9c mit-kdc: Remove build time support for KDB_API < 10
       via  554bdfa8a04 build: Move minimum MIT krb5 version to 1.19 to align with what is tested
       via  ff267c3c790 autobuild.py: Do not build MIT builds by default (eg sn-devel)
       via  649b0741e17 gitlab-ci: Move MIT builds to current Fedora so we can test against a current MIT KDC
       via  6145c388d20 gitlab-ci/autobuild: Add new build confirming behaviour on older MIT Kerberos
       via  167ad96136b autobuild.py: Explain why each job is removed from the default set
      from  a41425ebd0f s4: ntvfs: Missed comma in 24c09f913d82528ada14013e3d673d277cf04a93, string would be concatenated.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 9b9fd2a0d9ca81aa16ddfe2f7e219b94e2ac158b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 16 14:46:31 2021 +1200

    mit-kdc: Remove build time support for KDB_API < 10
    
    The previous commits restricted to MIT KDC build to MIT 1.19 and this removes the
     #ifdef in the code of what will become untested code.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Thu Aug 26 07:05:44 UTC 2021 on sn-devel-184

commit 554bdfa8a04fd95c710b486890277dd92f685f2f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 16 14:25:54 2021 +1200

    build: Move minimum MIT krb5 version to 1.19 to align with what is tested
    
    This avoid shipping untested code and aligns with the version
    used in GitLab CI for all the MIT builds.
    
    The "bronze bit" (CVE-2020-17049) security fixes will need
    a new MIT KDB version in any case, this prepares the ground
    by removing the older version support.
    
    (knownfail_mit_kdc updates taken from a patch by
    Andreas Schneider <asn at samba.org> that did this optionally)
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit ff267c3c790c0ae9f276225f67fb543d6371cb53
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 16 13:53:58 2021 +1200

    autobuild.py: Do not build MIT builds by default (eg sn-devel)
    
    This avoids the need for MIT KDC tests and the MIT KDC glue code to
    operate against the older MIT 1.16 found on Ubuntu 18.04, which
    is our current build environment.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 649b0741e17909afce762a5b84c1231600eec5f0
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 16 13:52:04 2021 +1200

    gitlab-ci: Move MIT builds to current Fedora so we can test against a current MIT KDC
    
    Fedora packages current MIT builds pretty fast so we base our
    MIT KDC tests there, as this avoids backporting and tests against
    the most current code.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 6145c388d201d817444322dee67ca1ec1989ecd1
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Aug 18 14:59:47 2021 +1200

    gitlab-ci/autobuild: Add new build confirming behaviour on older MIT Kerberos
    
    Because the MIT KDC builds are moving to current MIT and out of the default autobuild
    this ensures that on our default host, which is closer to what most of our
    users operate, Samba still works with Kerberos.
    
    This uses the ktest environment that does not require the KDC to exist
    and instead uses a static ccache and keytab.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 167ad96136b42b5cb601decc0fc68c9603c8b172
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Aug 16 13:40:39 2021 +1200

    autobuild.py: Explain why each job is removed from the default set
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 .gitlab-ci-main.yml                        | 13 +++++++++
 script/autobuild.py                        | 47 ++++++++++++++++++++++++++++--
 selftest/knownfail_mit_kdc                 | 20 -------------
 selftest/knownfail_mit_krb5_pre_1_18       |  1 -
 selftest/wscript                           |  3 --
 source4/kdc/mit-kdb/kdb_samba.h            | 32 --------------------
 source4/kdc/mit-kdb/kdb_samba_policies.c   | 38 ------------------------
 source4/kdc/mit-kdb/kdb_samba_principals.c |  7 -----
 wscript_configure_system_mitkrb5           |  4 +--
 9 files changed, 59 insertions(+), 106 deletions(-)
 delete mode 100644 selftest/knownfail_mit_krb5_pre_1_18


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index 657b28e274f..ce80561ba0f 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -234,10 +234,14 @@ samba-def-build:
 
 samba-mit-build:
   extends: .shared_template_build_only
+  variables:
+    SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora34}
   stage: build_first
 
 .needs_samba-mit-build:
   extends: .shared_template_test_only
+  variables:
+    SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora34}
   needs:
     - job: samba-mit-build
       artifacts: true
@@ -274,6 +278,8 @@ samba:
 
 samba-mitkrb5:
   extends: .shared_template
+  variables:
+    SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora34}
 
 samba-minimal-smbd:
   extends: .shared_template
@@ -383,6 +389,13 @@ samba-fips:
 samba-fileserver:
   extends: .needs_samba-h5l-build-private
 
+# This is a full build without the AD DC so we test the build with MIT
+# Kerberos from the default system (Ubuntu 18.04 at this stage).
+# Runtime behaviour checked via the ktest (static ccache and keytab)
+# environment
+samba-ktest-mit:
+ extends: .shared_template
+
 samba-ad-dc-1:
   extends: .needs_samba-def-build-private
 
diff --git a/script/autobuild.py b/script/autobuild.py
index efecaf41d74..6a15722b263 100755
--- a/script/autobuild.py
+++ b/script/autobuild.py
@@ -430,8 +430,28 @@ tasks = {
             "fileserver_smb1",
             "fileserver_smb1_done",
             "maptoguest",
-            "ktest", # ktest is also tested in samba and samba-mitkrb5
-                     # but is tested here against a system Heimdal
+            "ktest", # ktest is also tested in samba-ktest-mit samba
+                     # and samba-mitkrb5 but is tested here against
+                     # a system Heimdal
+            ])),
+            ("lcov", LCOV_CMD),
+            ("check-clean-tree", CLEAN_SOURCE_TREE_CMD),
+        ],
+    },
+
+    # This is a full build without the AD DC so we test the build with
+    # MIT Kerberos from the current system.  Runtime behaviour is
+    # confirmed via the ktest (static ccache and keytab) environment
+
+    "samba-ktest-mit": {
+        "sequence": [
+            ("random-sleep", random_sleep(300, 900)),
+            ("configure", "./configure.developer --without-ad-dc --with-system-mitkrb5 " + samba_configure_params),
+            ("make", "make -j"),
+            ("test", make_test(include_envs=[
+            "ktest", # ktest is also tested in fileserver, samba and
+                     # samba-mitkrb5 but is tested here against a
+                     # system MIT krb5
             ])),
             ("lcov", LCOV_CMD),
             ("check-clean-tree", CLEAN_SOURCE_TREE_CMD),
@@ -1006,14 +1026,37 @@ defaulttasks = list(tasks.keys())
 
 defaulttasks.remove("pass")
 defaulttasks.remove("fail")
+
+# The build tasks will be brought in by the test tasks as needed
 defaulttasks.remove("samba-def-build")
 defaulttasks.remove("samba-nt4-build")
 defaulttasks.remove("samba-mit-build")
 defaulttasks.remove("samba-h5l-build")
 defaulttasks.remove("samba-no-opath-build")
+
+# This is not a normal test, but a task to support manually running
+# one test under autobuild
 defaulttasks.remove("samba-test-only")
+
+# Only built on GitLab CI and not in the default autobuild because it
+# uses too much space (4GB of semi-static binaries)
 defaulttasks.remove("samba-fuzz")
+
+# The FIPS build runs only in GitLab CI on a current Fedora Docker
+# container where a simulated FIPS mode is possible.
 defaulttasks.remove("samba-fips")
+
+# The MIT build runs on a current Fedora where an up to date MIT KDC
+# is already packaged.  This avoids needing to backport a current MIT
+# to the default Ubuntu 18.04, particularly during development, and
+# the need to install on the shared sn-devel-184.
+
+defaulttasks.remove("samba-mitkrb5")
+defaulttasks.remove("samba-admem-mit")
+defaulttasks.remove("samba-addc-mit-1")
+defaulttasks.remove("samba-addc-mit-4a")
+defaulttasks.remove("samba-addc-mit-4b")
+
 if os.environ.get("AUTOBUILD_SKIP_SAMBA_O3", "0") == "1":
     defaulttasks.remove("samba-o3")
 
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 0e302343111..8b3015f254a 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -146,14 +146,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName_NetbiosRealm\(
 samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName_NetbiosRealm_UPN\(
 samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName_UPN\(
-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm\(
-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN\(
-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName\(
-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN\(
-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm\(
-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UPN\(
-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName\(
-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName_UPN\(
 samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_RemoveDollar\(
 samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_UPN_RemoveDollar\(
 samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_RemoveDollar\(
@@ -170,10 +162,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar\(
 samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_RemoveDollar\(
 samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_UPN_RemoveDollar\(
-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_RemoveDollar\(
-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN_RemoveDollar\(
-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_RemoveDollar\(
-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar\(
 ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_AsReqSelf\(
 ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_AsReqSelf\(
 ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_AsReqSelf\(
@@ -239,14 +227,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_RemoveDollar_AsReqSelf\(
 ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_UPN_AsReqSelf\(
 ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_UPN_RemoveDollar_AsReqSelf\(
-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_AsReqSelf\(
-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_RemoveDollar_AsReqSelf\(
-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN_AsReqSelf\(
-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN_RemoveDollar_AsReqSelf\(
-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_AsReqSelf\(
-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_RemoveDollar_AsReqSelf\(
-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN_AsReqSelf\(
-^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar_AsReqSelf\(
 ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_AsReqSelf\(
 ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_RemoveDollar_AsReqSelf\(
 ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_UPN_AsReqSelf\(
diff --git a/selftest/knownfail_mit_krb5_pre_1_18 b/selftest/knownfail_mit_krb5_pre_1_18
deleted file mode 100644
index ef1a3d5aa91..00000000000
--- a/selftest/knownfail_mit_krb5_pre_1_18
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.blackbox.kinit.kinit.with.canonicalize
diff --git a/selftest/wscript b/selftest/wscript
index afb1fa936cd..a6be06c2ae9 100644
--- a/selftest/wscript
+++ b/selftest/wscript
@@ -142,9 +142,6 @@ def cmd_testonly(opt):
                         '--flapping=${srcdir}/selftest/flapping '
                         '--flapping=${srcdir}/selftest/flapping.d')
 
-    if CONFIG_GET(opt, 'HAVE_MIT_KRB5_PRE_1_18'):
-        env.FILTER_XFAIL += ' --expected-failures=${srcdir}/selftest/knownfail_mit_krb5_pre_1_18'
-
     if Options.options.FAIL_IMMEDIATELY:
         env.FILTER_XFAIL += ' --fail-immediately'
 
diff --git a/source4/kdc/mit-kdb/kdb_samba.h b/source4/kdc/mit-kdb/kdb_samba.h
index ad4f6e27573..8a29334bcea 100644
--- a/source4/kdc/mit-kdb/kdb_samba.h
+++ b/source4/kdc/mit-kdb/kdb_samba.h
@@ -71,18 +71,11 @@ krb5_error_code kdb_samba_db_put_principal(krb5_context context,
 krb5_error_code kdb_samba_db_delete_principal(krb5_context context,
 					      krb5_const_principal princ);
 
-#if KRB5_KDB_API_VERSION >= 8
 krb5_error_code kdb_samba_db_iterate(krb5_context context,
 				     char *match_entry,
 				     int (*func)(krb5_pointer, krb5_db_entry *),
 				     krb5_pointer func_arg,
 				     krb5_flags iterflags);
-#else
-krb5_error_code kdb_samba_db_iterate(krb5_context context,
-				     char *match_entry,
-				     int (*func)(krb5_pointer, krb5_db_entry *),
-				     krb5_pointer func_arg);
-#endif
 
 /* from kdb_samba_masterkey.c */
 
@@ -114,21 +107,6 @@ krb5_error_code kdb_samba_dbekd_encrypt_key_data(krb5_context context,
 
 /* from kdb_samba_policies.c */
 
-#if KRB5_KDB_API_VERSION < 10
-krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
-					    unsigned int flags,
-					    krb5_const_principal client_princ,
-					    krb5_db_entry *client,
-					    krb5_db_entry *server,
-					    krb5_db_entry *krbtgt,
-					    krb5_keyblock *client_key,
-					    krb5_keyblock *server_key,
-					    krb5_keyblock *krbtgt_key,
-					    krb5_keyblock *session_key,
-					    krb5_timestamp authtime,
-					    krb5_authdata **tgt_auth_data,
-					    krb5_authdata ***signed_auth_data);
-#else
 krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 					    unsigned int flags,
 					    krb5_const_principal client_princ,
@@ -147,7 +125,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 					    void *authdata_info,
 					    krb5_data ***auth_indicators,
 					    krb5_authdata ***signed_auth_data);
-#endif
 
 krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,
 					     krb5_kdc_req *kdcreq,
@@ -162,7 +139,6 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
 						       const krb5_db_entry *server,
 						       krb5_const_principal proxy);
 
-#if KRB5_KDB_API_VERSION >= 9
 void kdb_samba_db_audit_as_req(krb5_context kcontext,
 			       krb5_kdc_req *request,
 			       const krb5_address *local_addr,
@@ -171,14 +147,6 @@ void kdb_samba_db_audit_as_req(krb5_context kcontext,
 			       krb5_db_entry *server,
 			       krb5_timestamp authtime,
 			       krb5_error_code error_code);
-#else
-void kdb_samba_db_audit_as_req(krb5_context kcontext,
-			       krb5_kdc_req *request,
-			       krb5_db_entry *client,
-			       krb5_db_entry *server,
-			       krb5_timestamp authtime,
-			       krb5_error_code error_code);
-#endif
 
 /* from kdb_samba_change_pwd.c */
 
diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
index c431567a7f4..ac9865aac60 100644
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
@@ -290,21 +290,6 @@ done:
 	return code;
 }
 
-#if KRB5_KDB_API_VERSION < 10
-krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
-					    unsigned int flags,
-					    krb5_const_principal client_princ,
-					    krb5_db_entry *client,
-					    krb5_db_entry *server,
-					    krb5_db_entry *krbtgt,
-					    krb5_keyblock *client_key,
-					    krb5_keyblock *server_key,
-					    krb5_keyblock *krbtgt_key,
-					    krb5_keyblock *session_key,
-					    krb5_timestamp authtime,
-					    krb5_authdata **tgt_auth_data,
-					    krb5_authdata ***signed_auth_data)
-#else
 krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 					    unsigned int flags,
 					    krb5_const_principal client_princ,
@@ -323,7 +308,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 					    void *authdata_info,
 					    krb5_data ***auth_indicators,
 					    krb5_authdata ***signed_auth_data)
-#endif
 {
 	krb5_authdata **authdata = NULL;
 	krb5_boolean is_as_req;
@@ -331,10 +315,8 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 	krb5_pac pac = NULL;
 	krb5_data pac_data;
 
-#if KRB5_KDB_API_VERSION >= 10
 	krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;
 	krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
-#endif
 
 	/* FIXME: We don't support S4U yet */
 	if (flags & KRB5_KDB_FLAGS_S4U) {
@@ -477,7 +459,6 @@ static void samba_bad_password_count(krb5_db_entry *client,
 	}
 }
 
-#if KRB5_KDB_API_VERSION >= 9
 void kdb_samba_db_audit_as_req(krb5_context context,
 			       krb5_kdc_req *request,
 			       const krb5_address *local_addr,
@@ -499,22 +480,3 @@ void kdb_samba_db_audit_as_req(krb5_context context,
 
 	/* TODO: perform proper audit logging for addresses */
 }
-#else
-void kdb_samba_db_audit_as_req(krb5_context context,
-			       krb5_kdc_req *request,
-			       krb5_db_entry *client,
-			       krb5_db_entry *server,
-			       krb5_timestamp authtime,
-			       krb5_error_code error_code)
-{
-	/*
-	 * FIXME: This segfaulted with a FAST test
-	 * FIND_FAST: <unknown client> for <unknown server>, Unknown FAST armor type 0
-	 */
-	if (client == NULL) {
-		return;
-	}
-
-	samba_bad_password_count(client, error_code);
-}
-#endif
diff --git a/source4/kdc/mit-kdb/kdb_samba_principals.c b/source4/kdc/mit-kdb/kdb_samba_principals.c
index c17fe8b0a14..a8c99b025c9 100644
--- a/source4/kdc/mit-kdb/kdb_samba_principals.c
+++ b/source4/kdc/mit-kdb/kdb_samba_principals.c
@@ -311,18 +311,11 @@ krb5_error_code kdb_samba_db_delete_principal(krb5_context context,
 	return KRB5_KDB_DB_INUSE;
 }
 
-#if KRB5_KDB_API_VERSION >= 8
 krb5_error_code kdb_samba_db_iterate(krb5_context context,
 				     char *match_entry,
 				     int (*func)(krb5_pointer, krb5_db_entry *),
 				     krb5_pointer func_arg,
 				     krb5_flags iterflags)
-#else
-krb5_error_code kdb_samba_db_iterate(krb5_context context,
-				     char *match_entry,
-				     int (*func)(krb5_pointer, krb5_db_entry *),
-				     krb5_pointer func_arg)
-#endif
 {
 	struct mit_samba_context *mit_ctx;
 	krb5_db_entry *kentry = NULL;
diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5
index f971194c2cd..6f7bbd4ed13 100644
--- a/wscript_configure_system_mitkrb5
+++ b/wscript_configure_system_mitkrb5
@@ -9,7 +9,7 @@ krb5_min_required_version = "1.9"
 # Requried versions
 krb5_required_version = krb5_min_required_version
 if conf.CONFIG_SET('AD_DC_BUILD_IS_ENABLED'):
-    krb5_required_version = "1.15.1"
+    krb5_required_version = "1.19"
 
 def parse_version(v):
     return tuple(map(int, (v.split("."))))
@@ -77,8 +77,6 @@ if conf.env.KRB5_CONFIG:
     else:
         Logs.info('MIT Kerberos %s detected, MIT krb5 build can proceed' % (krb5_version))
 
-    if parse_version(krb5_version) < parse_version('1.18'):
-        conf.DEFINE('HAVE_MIT_KRB5_PRE_1_18', 1)
     conf.define('USING_SYSTEM_MITKRB5', '"%s"' % krb5_version)
 
 conf.CHECK_CFG(args="--cflags --libs", package="com_err", uselib_store="com_err")


-- 
Samba Shared Repository



More information about the samba-cvs mailing list