[SCM] Samba Shared Repository - branch master updated
Andreas Schneider
asn at samba.org
Wed Feb 23 16:18:01 UTC 2022
The branch, master has been updated
via 8246ccc23d0 s3:winbind: Use the canonical principal name to renew the credentials
via 0f4f330773d s3:winbind: Store canonical principal and realm in ccache entry
via 00b1f44a7e8 s3:libads: Return canonical principal and realm from kerberos_return_pac()
via 1b5b4107a50 lib:krb5_wrap: Fix wrong debug message and use newer debug macro
via ed14513be05 lib:krb5_wrap: Improve debug message and use newer debug macro
via 3dbcd20de98 s3:libads: Fix memory leak in kerberos_return_pac() error path
from a5bcbc239db autobuild: Run admem_idmap_autorid tests
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 8246ccc23d064147412bb3475e6431a9fffc0d27
Author: Samuel Cabrero <scabrero at suse.de>
Date: Tue Feb 22 14:28:44 2022 +0100
s3:winbind: Use the canonical principal name to renew the credentials
The principal name stored in the winbindd ccache entry might be an
enterprise principal name if enterprise principals are enabled. Use
the canonical name to renew the credentials.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Wed Feb 23 16:17:29 UTC 2022 on sn-devel-184
commit 0f4f330773d272b4d28ff3ba5a41bdd4ba569c8b
Author: Samuel Cabrero <scabrero at suse.de>
Date: Tue Feb 22 13:19:02 2022 +0100
s3:winbind: Store canonical principal and realm in ccache entry
They will be used later to refresh the tickets.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 00b1f44a7e8f66976757535bcbc6bea97fb1c29f
Author: Samuel Cabrero <scabrero at suse.de>
Date: Tue Feb 22 13:08:56 2022 +0100
s3:libads: Return canonical principal and realm from kerberos_return_pac()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 1b5b4107a5081f15ba215f3025056d509fcfcf2a
Author: Samuel Cabrero <scabrero at suse.de>
Date: Tue Feb 22 14:28:28 2022 +0100
lib:krb5_wrap: Fix wrong debug message and use newer debug macro
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit ed14513be055cc56eb39785323df2c538a813865
Author: Samuel Cabrero <scabrero at suse.de>
Date: Tue Feb 22 13:00:05 2022 +0100
lib:krb5_wrap: Improve debug message and use newer debug macro
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 3dbcd20de98cd28683a9c248368e5082b6388111
Author: Samuel Cabrero <scabrero at suse.de>
Date: Tue Feb 22 12:59:44 2022 +0100
s3:libads: Fix memory leak in kerberos_return_pac() error path
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
-----------------------------------------------------------------------
Summary of changes:
lib/krb5_wrap/krb5_samba.c | 7 +++++--
source3/libads/authdata.c | 33 +++++++++++++++++++++++++++++----
source3/libads/kerberos_proto.h | 2 ++
source3/utils/net_ads.c | 2 ++
source3/winbindd/winbindd.h | 2 ++
source3/winbindd/winbindd_cred_cache.c | 18 ++++++++++++++++--
source3/winbindd/winbindd_pam.c | 12 ++++++++++--
source3/winbindd/winbindd_proto.h | 4 +++-
8 files changed, 69 insertions(+), 11 deletions(-)
Changeset truncated at 500 lines:
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 61d651b4d5f..99809ffea27 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1084,7 +1084,7 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string,
goto done;
}
- DEBUG(10,("smb_krb5_renew_ticket: using %s as ccache\n", ccache_string));
+ DBG_DEBUG("Using %s as ccache for '%s'\n", ccache_string, client_string);
/* FIXME: we should not fall back to defaults */
ret = krb5_cc_resolve(context, discard_const_p(char, ccache_string), &ccache);
@@ -1106,7 +1106,10 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string,
ret = krb5_get_renewed_creds(context, &creds, client, ccache, discard_const_p(char, service_string));
if (ret) {
- DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret)));
+ DBG_DEBUG("krb5_get_renewed_creds using ccache '%s' "
+ "for client '%s' and service '%s' failed: %s\n",
+ ccache_string, client_string, service_string,
+ error_message(ret));
goto done;
}
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index dd21d895fc2..bf9a2335445 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -57,11 +57,16 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
time_t renewable_time,
const char *impersonate_princ_s,
const char *local_service,
+ char **_canon_principal,
+ char **_canon_realm,
struct PAC_DATA_CTR **_pac_data_ctr)
{
krb5_error_code ret;
NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
- DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1;
+ DATA_BLOB tkt = data_blob_null;
+ DATA_BLOB tkt_wrapped = data_blob_null;
+ DATA_BLOB ap_rep = data_blob_null;
+ DATA_BLOB sesskey1 = data_blob_null;
const char *auth_princ = NULL;
const char *cc = "MEMORY:kerberos_return_pac";
struct auth_session_info *session_info;
@@ -72,6 +77,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
struct auth4_context *auth_context;
struct loadparm_context *lp_ctx;
struct PAC_DATA_CTR *pac_data_ctr = NULL;
+ char *canon_principal = NULL;
+ char *canon_realm = NULL;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
@@ -81,7 +88,16 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
ZERO_STRUCT(sesskey1);
if (!name || !pass) {
- return NT_STATUS_INVALID_PARAMETER;
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto out;
+ }
+
+ if (_canon_principal != NULL) {
+ *_canon_principal = NULL;
+ }
+
+ if (_canon_realm != NULL) {
+ *_canon_realm = NULL;
}
if (cache_name) {
@@ -105,7 +121,9 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
request_pac,
add_netbios_addr,
renewable_time,
- NULL, NULL, NULL,
+ tmp_ctx,
+ &canon_principal,
+ &canon_realm,
&status);
if (ret) {
DEBUG(1,("kinit failed for '%s' with: %s (%d)\n",
@@ -131,7 +149,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
if (expire_time && renew_till_time &&
(*expire_time == 0) && (*renew_till_time == 0)) {
- return NT_STATUS_INVALID_LOGON_TYPE;
+ status = NT_STATUS_INVALID_LOGON_TYPE;
+ goto out;
}
ret = ads_krb5_cli_get_ticket(mem_ctx,
@@ -238,6 +257,12 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
}
*_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr);
+ if (_canon_principal != NULL) {
+ *_canon_principal = talloc_move(mem_ctx, &canon_principal);
+ }
+ if (_canon_realm != NULL) {
+ *_canon_realm = talloc_move(mem_ctx, &canon_realm);
+ }
out:
talloc_free(tmp_ctx);
diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
index 3d7b5bc074b..807381248c8 100644
--- a/source3/libads/kerberos_proto.h
+++ b/source3/libads/kerberos_proto.h
@@ -78,6 +78,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
time_t renewable_time,
const char *impersonate_princ_s,
const char *local_service,
+ char **_canon_principal,
+ char **_canon_realm,
struct PAC_DATA_CTR **pac_data_ctr);
/* The following definitions come from libads/krb5_setpw.c */
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index d1fc3289184..d666f7fc3ec 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -2976,6 +2976,8 @@ static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const ch
2592000, /* one month */
impersonate_princ_s,
local_service,
+ NULL,
+ NULL,
pac_data_ctr);
if (!NT_STATUS_IS_OK(status)) {
d_printf(_("failed to query kerberos PAC: %s\n"),
diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
index a6b2238cec1..dac4a1fa927 100644
--- a/source3/winbindd/winbindd.h
+++ b/source3/winbindd/winbindd.h
@@ -344,6 +344,8 @@ struct WINBINDD_CCACHE_ENTRY {
const char *service;
const char *username;
const char *realm;
+ const char *canon_principal;
+ const char *canon_realm;
struct WINBINDD_MEMORY_CREDS *cred_ptr;
int ref_count;
uid_t uid;
diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c
index c3077e21989..6c65db6a73f 100644
--- a/source3/winbindd/winbindd_cred_cache.c
+++ b/source3/winbindd/winbindd_cred_cache.c
@@ -209,7 +209,7 @@ rekinit:
set_effective_uid(entry->uid);
ret = smb_krb5_renew_ticket(entry->ccname,
- entry->principal_name,
+ entry->canon_principal,
entry->service,
&new_start);
#if defined(DEBUG_KRB5_TKT_RENEWAL)
@@ -501,7 +501,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
time_t create_time,
time_t ticket_end,
time_t renew_until,
- bool postponed_request)
+ bool postponed_request,
+ const char *canon_principal,
+ const char *canon_realm)
{
struct WINBINDD_CCACHE_ENTRY *entry = NULL;
struct timeval t;
@@ -617,6 +619,18 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
goto no_mem;
}
}
+ if (canon_principal != NULL) {
+ entry->canon_principal = talloc_strdup(entry, canon_principal);
+ if (entry->canon_principal == NULL) {
+ goto no_mem;
+ }
+ }
+ if (canon_realm != NULL) {
+ entry->canon_realm = talloc_strdup(entry, canon_realm);
+ if (entry->canon_realm == NULL) {
+ goto no_mem;
+ }
+ }
entry->ccname = talloc_strdup(entry, ccname);
if (!entry->ccname) {
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index dfbaf52d482..ca89d48cb49 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -687,6 +687,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
const char *local_service;
uint32_t i;
struct netr_SamInfo6 *info6_copy = NULL;
+ char *canon_principal = NULL;
+ char *canon_realm = NULL;
bool ok;
*info6 = NULL;
@@ -789,6 +791,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
NULL,
local_service,
+ &canon_principal,
+ &canon_realm,
&pac_data_ctr);
if (user_ccache_file != NULL) {
gain_root_privilege();
@@ -854,7 +858,9 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
time(NULL),
ticket_lifetime,
renewal_until,
- false);
+ false,
+ canon_principal,
+ canon_realm);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
@@ -1231,7 +1237,9 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
time(NULL),
time(NULL) + lp_winbind_cache_time(),
time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
- true);
+ true,
+ principal_s,
+ realm);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("winbindd_dual_pam_auth_cached: failed "
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index c0d653a6d77..16c23f3de40 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -236,7 +236,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
time_t create_time,
time_t ticket_end,
time_t renew_until,
- bool postponed_request);
+ bool postponed_request,
+ const char *canon_principal,
+ const char *canon_realm);
NTSTATUS remove_ccache(const char *username);
struct WINBINDD_MEMORY_CREDS *find_memory_creds_by_name(const char *username);
NTSTATUS winbindd_add_memory_creds(const char *username,
--
Samba Shared Repository
More information about the samba-cvs
mailing list