[SCM] Samba Shared Repository - branch master updated

Andreas Schneider asn at samba.org
Thu Dec 9 07:43:01 UTC 2021


The branch, master has been updated
       via  102ad9ee6a0 librpc: match gensec_gssapi and call gsskrb5_set_dns_canonicalize() for Heimdal
       via  cd5a5f590ff build: Add missing dependency on addns
      from  b948aeac539 hdb: Initialise HDB structure

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 102ad9ee6a037e2aa6296d0dfbf17f3e4175a581
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Sep 26 15:10:12 2017 +1300

    librpc: match gensec_gssapi and call gsskrb5_set_dns_canonicalize() for Heimdal
    
    This is needed to ensure Heimdal does not attempt to use nss to canonicalize the name.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Thu Dec  9 07:42:38 UTC 2021 on sn-devel-184

commit cd5a5f590ff21587a45405977ab6bef9ff3c2db6
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Dec 7 16:04:08 2021 +1300

    build: Add missing dependency on addns
    
    This becomes noticeable when we upgrade Heimdal, as the correct
    gssapi headers are no longer found.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source3/librpc/crypto/gse.c | 42 ++++++++++++++++++++++++++++++++++++------
 source3/utils/wscript_build |  3 ++-
 2 files changed, 38 insertions(+), 7 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 1cf111bd974..c50a8a036df 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -31,6 +31,7 @@
 #include "auth/gensec/gensec_internal.h"
 #include "auth/credentials/credentials.h"
 #include "../librpc/gen_ndr/dcerpc.h"
+#include "param/param.h"
 
 #if defined(HAVE_KRB5)
 
@@ -248,7 +249,7 @@ err_out:
 	return status;
 }
 
-static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
+static NTSTATUS gse_init_client(struct gensec_security *gensec_security,
 				bool do_sign, bool do_seal,
 				const char *ccache_name,
 				const char *server,
@@ -271,13 +272,42 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
-	status = gse_context_init(mem_ctx, do_sign, do_seal,
+	status = gse_context_init(gensec_security, do_sign, do_seal,
 				  ccache_name, add_gss_c_flags,
 				  &gse_ctx);
 	if (!NT_STATUS_IS_OK(status)) {
 		return NT_STATUS_NO_MEMORY;
 	}
 
+#ifdef SAMBA4_USES_HEIMDAL
+	{
+		int ret;
+		bool set_dns_canon = gensec_setting_bool(
+				gensec_security->settings,
+				"krb5", "set_dns_canonicalize",
+				false);
+		const char *server_realm = lpcfg_realm(
+				gensec_security->settings->lp_ctx);
+		if (server_realm != NULL) {
+			ret = gsskrb5_set_default_realm(server_realm);
+			if (ret) {
+				DBG_ERR("gsskrb5_set_default_realm failed\n");
+				return NT_STATUS_INTERNAL_ERROR;
+			}
+		}
+
+		/*
+		 * don't do DNS lookups of any kind, it might/will
+		 * fail for a netbios name
+		 */
+		ret = gsskrb5_set_dns_canonicalize(set_dns_canon);
+		if (ret != GSS_S_COMPLETE) {
+			DBG_ERR("gsskrb5_set_dns_canonicalize failed\n");
+			return NT_STATUS_INTERNAL_ERROR;
+		}
+	}
+#endif
+
 	/* TODO: get krb5 ticket using username/password, if no valid
 	 * one already available in ccache */
 
@@ -1151,13 +1181,13 @@ static bool gensec_gse_have_feature(struct gensec_security *gensec_security,
 			return false;
 		}
 
-		status = gssapi_get_session_key(talloc_tos(), 
+		status = gssapi_get_session_key(talloc_tos(),
 						gse_ctx->gssapi_context, NULL, &keytype);
-		/* 
+		/*
 		 * We should do a proper sig on the mechListMic unless
 		 * we know we have to be backwards compatible with
-		 * earlier windows versions.  
-		 * 
+		 * earlier windows versions.
+		 *
 		 * Negotiating a non-krb5
 		 * mech for example should be regarded as having
 		 * NEW_SPNEGO
diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build
index 48ce876db27..a89a4db8b59 100644
--- a/source3/utils/wscript_build
+++ b/source3/utils/wscript_build
@@ -8,7 +8,8 @@ bld.SAMBA3_SUBSYSTEM('CONN_TDB',
                      source='conn_tdb.c')
 
 bld.SAMBA3_SUBSYSTEM('DNS_UTIL',
-                     source='net_dns.c net_ads_join_dns.c')
+                     source='net_dns.c net_ads_join_dns.c',
+                     deps='addns')
 
 bld.SAMBA3_BINARY('profiles',
                  source='profiles.c',


-- 
Samba Shared Repository


