[SCM] Samba Shared Repository - branch v4-16-test updated

Jule Anger janger at samba.org
Fri Feb 25 18:09:01 UTC 2022


The branch, v4-16-test has been updated
       via  4346dac73a4 s3:winbind: Use the canonical principal name to renew the credentials
       via  e3efe2d0de2 s3:winbind: Store canonical principal and realm in ccache entry
       via  85fdd88e3ca s3:libads: Return canonical principal and realm from kerberos_return_pac()
       via  a4b9a9ce8ef lib:krb5_wrap: Fix wrong debug message and use newer debug macro
       via  7db685f8422 lib:krb5_wrap: Improve debug message and use newer debug macro
       via  3fef25f2e62 s3:libads: Fix memory leak in kerberos_return_pac() error path
      from  48929ba6634 docs-xml: Fix idmap_autorid documentation

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-test


- Log -----------------------------------------------------------------
commit 4346dac73a4e74b1e286346f1e6d867a8369f5fd
Author: Samuel Cabrero <scabrero at suse.de>
Date:   Tue Feb 22 14:28:44 2022 +0100

    s3:winbind: Use the canonical principal name to renew the credentials
    
    The principal name stored in the winbindd ccache entry might be an
    enterprise principal name if enterprise principals are enabled. Use
    the canonical name to renew the credentials.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
    
    Signed-off-by: Samuel Cabrero <scabrero at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 8246ccc23d064147412bb3475e6431a9fffc0d27)
    
    Autobuild-User(v4-16-test): Jule Anger <janger at samba.org>
    Autobuild-Date(v4-16-test): Fri Feb 25 18:08:19 UTC 2022 on sn-devel-184

commit e3efe2d0de20216ea7ecbc8e41ae8c6968507d29
Author: Samuel Cabrero <scabrero at suse.de>
Date:   Tue Feb 22 13:19:02 2022 +0100

    s3:winbind: Store canonical principal and realm in ccache entry
    
    They will be used later to refresh the tickets.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
    
    Signed-off-by: Samuel Cabrero <scabrero at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 0f4f330773d272b4d28ff3ba5a41bdd4ba569c8b)

commit 85fdd88e3cabbd405ddfda32b0b2b4e7eeee673e
Author: Samuel Cabrero <scabrero at suse.de>
Date:   Tue Feb 22 13:08:56 2022 +0100

    s3:libads: Return canonical principal and realm from kerberos_return_pac()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
    
    Signed-off-by: Samuel Cabrero <scabrero at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 00b1f44a7e8f66976757535bcbc6bea97fb1c29f)

commit a4b9a9ce8ef9c8947a7cd45044033a2aa3d7e40f
Author: Samuel Cabrero <scabrero at suse.de>
Date:   Tue Feb 22 14:28:28 2022 +0100

    lib:krb5_wrap: Fix wrong debug message and use newer debug macro
    
    Signed-off-by: Samuel Cabrero <scabrero at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 1b5b4107a5081f15ba215f3025056d509fcfcf2a)

commit 7db685f8422a0000f2e77ad3dda743ea606537c6
Author: Samuel Cabrero <scabrero at suse.de>
Date:   Tue Feb 22 13:00:05 2022 +0100

    lib:krb5_wrap: Improve debug message and use newer debug macro
    
    Signed-off-by: Samuel Cabrero <scabrero at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit ed14513be055cc56eb39785323df2c538a813865)

commit 3fef25f2e62ac2e835abb97b9b1d6f63d8ac0edc
Author: Samuel Cabrero <scabrero at suse.de>
Date:   Tue Feb 22 12:59:44 2022 +0100

    s3:libads: Fix memory leak in kerberos_return_pac() error path
    
    Signed-off-by: Samuel Cabrero <scabrero at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 3dbcd20de98cd28683a9c248368e5082b6388111)

-----------------------------------------------------------------------

Summary of changes:
 lib/krb5_wrap/krb5_samba.c             |  7 +++++--
 source3/libads/authdata.c              | 33 +++++++++++++++++++++++++++++----
 source3/libads/kerberos_proto.h        |  2 ++
 source3/utils/net_ads.c                |  2 ++
 source3/winbindd/winbindd.h            |  2 ++
 source3/winbindd/winbindd_cred_cache.c | 18 ++++++++++++++++--
 source3/winbindd/winbindd_pam.c        | 12 ++++++++++--
 source3/winbindd/winbindd_proto.h      |  4 +++-
 8 files changed, 69 insertions(+), 11 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 61d651b4d5f..99809ffea27 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1084,7 +1084,7 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string,
 		goto done;
 	}
 
-	DEBUG(10,("smb_krb5_renew_ticket: using %s as ccache\n", ccache_string));
+	DBG_DEBUG("Using %s as ccache for '%s'\n", ccache_string, client_string);
 
 	/* FIXME: we should not fall back to defaults */
 	ret = krb5_cc_resolve(context, discard_const_p(char, ccache_string), &ccache);
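Review bot: The new `Using %s as ccache for '%s'` message feeds `client_string` to a `%s` conversion with no NULL guard, where the old message printed only `ccache_string`. Only the first parameter of smb_krb5_renew_ticket is visible in the hunk header, but if `client_string` is an optional argument that is resolved later from the ccache when absent, a NULL pointer now reaches `%s`, which is undefined behaviour even where the libc happens to print `(null)`. Guard the argument, e.g. `client_string != NULL ? client_string : "<principal from ccache>"`, or log the client only after it has been parsed. The function starts before this hunk.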
@@ -1106,7 +1106,10 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string,
 
 	ret = krb5_get_renewed_creds(context, &creds, client, ccache, discard_const_p(char, service_string));
 	if (ret) {
-		DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret)));
+		DBG_DEBUG("krb5_get_renewed_creds using ccache '%s' "
+			  "for client '%s' and service '%s' failed: %s\n",
+			  ccache_string, client_string, service_string,
+			  error_message(ret));
 		goto done;
 	}
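Review bot: The failure message formats `service_string` through `%s`, but the call immediately above hands the same pointer to krb5_get_renewed_creds as `in_tkt_service`, an argument the library documents as accepting NULL; a caller relying on that now gets a NULL dereference in the debug path instead of a clean error return. `client_string` in the same message has the same exposure. Suggest `service_string != NULL ? service_string : "<default TGS>"` (and the equivalent for `client_string`) in the argument list, or print the resolved `client` principal instead of the raw string.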
 
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index dd21d895fc2..bf9a2335445 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -57,11 +57,16 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 			     time_t renewable_time,
 			     const char *impersonate_princ_s,
 			     const char *local_service,
+			     char **_canon_principal,
+			     char **_canon_realm,
 			     struct PAC_DATA_CTR **_pac_data_ctr)
 {
 	krb5_error_code ret;
 	NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
-	DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1;
+	DATA_BLOB tkt = data_blob_null;
+	DATA_BLOB tkt_wrapped = data_blob_null;
+	DATA_BLOB ap_rep = data_blob_null;
+	DATA_BLOB sesskey1 = data_blob_null;
 	const char *auth_princ = NULL;
 	const char *cc = "MEMORY:kerberos_return_pac";
 	struct auth_session_info *session_info;
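Review bot: The four DATA_BLOBs are now initialised to `data_blob_null` at declaration, which is what makes the shared `out:` cleanup safe for the early exits added later in this function, but the `ZERO_STRUCT(...)` calls that follow the declarations (the `ZERO_STRUCT(sesskey1)` survives as context in the next hunk) are now redundant and should go. The two new out-parameters also warrant a sentence in the function's header comment: both are optional, and on success they receive talloc children of `mem_ctx` that the caller owns. The function body continues beyond this hunk.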
@@ -72,6 +77,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 	struct auth4_context *auth_context;
 	struct loadparm_context *lp_ctx;
 	struct PAC_DATA_CTR *pac_data_ctr = NULL;
+	char *canon_principal = NULL;
+	char *canon_realm = NULL;
 
 	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
 	NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
@@ -81,7 +88,16 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 	ZERO_STRUCT(sesskey1);
 
 	if (!name || !pass) {
-		return NT_STATUS_INVALID_PARAMETER;
+		status = NT_STATUS_INVALID_PARAMETER;
+		goto out;
+	}
+
+	if (_canon_principal != NULL) {
+		*_canon_principal = NULL;
+	}
+
+	if (_canon_realm != NULL) {
+		*_canon_realm = NULL;
 	}
 
 	if (cache_name) {
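Review bot: `*_canon_principal` and `*_canon_realm` are cleared only after the `!name || !pass` check, so the `NT_STATUS_INVALID_PARAMETER` exit above them leaves both out-parameters untouched; a caller that does not pre-initialise its pointers and then forwards them (as winbindd does to add_ccache_to_list) would pass uninitialised memory. Move the two NULL-assignments above the parameter check, where they have no failure mode of their own. The `goto out` itself is correct and is what frees `tmp_ctx` on this path.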
@@ -105,7 +121,9 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 					  request_pac,
 					  add_netbios_addr,
 					  renewable_time,
-					  NULL, NULL, NULL,
+					  tmp_ctx,
+					  &canon_principal,
+					  &canon_realm,
 					  &status);
 	if (ret) {
 		DEBUG(1,("kinit failed for '%s' with: %s (%d)\n",
@@ -131,7 +149,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 
 	if (expire_time && renew_till_time &&
 	    (*expire_time == 0) && (*renew_till_time == 0)) {
-		return NT_STATUS_INVALID_LOGON_TYPE;
+		status = NT_STATUS_INVALID_LOGON_TYPE;
+		goto out;
 	}
 
 	ret = ads_krb5_cli_get_ticket(mem_ctx,
@@ -238,6 +257,12 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 	}
 
 	*_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr);
+	if (_canon_principal != NULL) {
+		*_canon_principal = talloc_move(mem_ctx, &canon_principal);
+	}
+	if (_canon_realm != NULL) {
+		*_canon_realm = talloc_move(mem_ctx, &canon_realm);
+	}
 
 out:
 	talloc_free(tmp_ctx);
diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
index 3d7b5bc074b..807381248c8 100644
--- a/source3/libads/kerberos_proto.h
+++ b/source3/libads/kerberos_proto.h
@@ -78,6 +78,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 			     time_t renewable_time,
 			     const char *impersonate_princ_s,
 			     const char *local_service,
+			     char **_canon_principal,
+			     char **_canon_realm,
 			     struct PAC_DATA_CTR **pac_data_ctr);
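Review bot: The prototype gains two out-parameters with no comment describing their contract, and the callers in this series differ in how they use them (net_ads.c passes NULL for both, winbindd_pam.c stores the results in a long-lived cache entry), so optionality and ownership matter here. Suggest a comment above the declaration: `/* _canon_principal/_canon_realm are optional; on success they receive the canonical client principal and realm reported by the kinit, allocated on mem_ctx. */`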
 
 /* The following definitions come from libads/krb5_setpw.c  */
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index d1fc3289184..d666f7fc3ec 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -2976,6 +2976,8 @@ static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const ch
 				     2592000, /* one month */
 				     impersonate_princ_s,
 				     local_service,
+				     NULL,
+				     NULL,
 				     pac_data_ctr);
 	if (!NT_STATUS_IS_OK(status)) {
 		d_printf(_("failed to query kerberos PAC: %s\n"),
diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
index a6b2238cec1..dac4a1fa927 100644
--- a/source3/winbindd/winbindd.h
+++ b/source3/winbindd/winbindd.h
@@ -344,6 +344,8 @@ struct WINBINDD_CCACHE_ENTRY {
 	const char *service;
 	const char *username;
 	const char *realm;
+	const char *canon_principal;
+	const char *canon_realm;
 	struct WINBINDD_MEMORY_CREDS *cred_ptr;
 	int ref_count;
 	uid_t uid;
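Review bot: `canon_principal` can legitimately be NULL, because add_ccache_to_list copies it only when the caller supplied one, yet the renewal path now passes it straight to smb_krb5_renew_ticket; that nullability should be stated where the field is declared so later readers do not assume it mirrors `principal_name`. Suggest `/* canonical names from the kinit; NULL when the entry was added without them, see add_ccache_to_list() */` above the two new members. `canon_realm` has no reader in this series, so the comment could also say it is reserved for the ticket refresh mentioned in the commit message.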
diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c
index c3077e21989..6c65db6a73f 100644
--- a/source3/winbindd/winbindd_cred_cache.c
+++ b/source3/winbindd/winbindd_cred_cache.c
@@ -209,7 +209,7 @@ rekinit:
 	set_effective_uid(entry->uid);
 
 	ret = smb_krb5_renew_ticket(entry->ccname,
-				    entry->principal_name,
+				    entry->canon_principal,
 				    entry->service,
 				    &new_start);
 #if defined(DEBUG_KRB5_TKT_RENEWAL)
@@ -501,7 +501,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
 			    time_t create_time,
 			    time_t ticket_end,
 			    time_t renew_until,
-			    bool postponed_request)
+			    bool postponed_request,
+			    const char *canon_principal,
+			    const char *canon_realm)
 {
 	struct WINBINDD_CCACHE_ENTRY *entry = NULL;
 	struct timeval t;
@@ -617,6 +619,18 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
 			goto no_mem;
 		}
 	}
+	if (canon_principal != NULL) {
+		entry->canon_principal = talloc_strdup(entry, canon_principal);
+		if (entry->canon_principal == NULL) {
+			goto no_mem;
+		}
+	}
+	if (canon_realm != NULL) {
+		entry->canon_realm = talloc_strdup(entry, canon_realm);
+		if (entry->canon_realm == NULL) {
+			goto no_mem;
+		}
+	}
 
 	entry->ccname = talloc_strdup(entry, ccname);
 	if (!entry->ccname) {
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index dfbaf52d482..ca89d48cb49 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -687,6 +687,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 	const char *local_service;
 	uint32_t i;
 	struct netr_SamInfo6 *info6_copy = NULL;
+	char *canon_principal = NULL;
+	char *canon_realm = NULL;
 	bool ok;
 
 	*info6 = NULL;
@@ -789,6 +791,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 				     WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
 				     NULL,
 				     local_service,
+				     &canon_principal,
+				     &canon_realm,
 				     &pac_data_ctr);
 	if (user_ccache_file != NULL) {
 		gain_root_privilege();
@@ -854,7 +858,9 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 					    time(NULL),
 					    ticket_lifetime,
 					    renewal_until,
-					    false);
+					    false,
+					    canon_principal,
+					    canon_realm);
 
 		if (!NT_STATUS_IS_OK(result)) {
 			DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
@@ -1231,7 +1237,9 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
 							    time(NULL),
 							    time(NULL) + lp_winbind_cache_time(),
 							    time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
-							    true);
+							    true,
+							    principal_s,
+							    realm);
 
 				if (!NT_STATUS_IS_OK(result)) {
 					DEBUG(10,("winbindd_dual_pam_auth_cached: failed "
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index c0d653a6d77..16c23f3de40 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -236,7 +236,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
 			    time_t create_time,
 			    time_t ticket_end,
 			    time_t renew_until,
-			    bool postponed_request);
+			    bool postponed_request,
+			    const char *canon_principal,
+			    const char *canon_realm);
 NTSTATUS remove_ccache(const char *username);
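Review bot: The two new add_ccache_to_list parameters are undocumented in the header, and the implementation copies them only when non-NULL, so callers need to know NULL is accepted and that the strings are duplicated onto the entry. Suggest a comment above the prototype: `/* canon_principal/canon_realm: optional canonical names from the kinit; copied, may be NULL. */`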
 struct WINBINDD_MEMORY_CREDS *find_memory_creds_by_name(const char *username);
 NTSTATUS winbindd_add_memory_creds(const char *username,

