[SCM] Samba Shared Repository - branch v4-15-test updated
Jule Anger
janger at samba.org
Sun Feb 27 10:32:01 UTC 2022
The branch, v4-15-test has been updated
via 4d91f6dafd1 s3:winbind: Use the canonical principal name to renew the credentials
via d0d70d9f630 s3:winbind: Store canonical principal and realm in ccache entry
via 29218c61b0a s3:libads: Return canonical principal and realm from kerberos_return_pac()
via 66568436d27 lib:krb5_wrap: Fix wrong debug message and use newer debug macro
via 696c3e46397 lib:krb5_wrap: Improve debug message and use newer debug macro
via 4aa677729cc s3:libads: Fix memory leak in kerberos_return_pac() error path
from 49779a9f86f docs-xml: Fix idmap_autorid documentation
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test
- Log -----------------------------------------------------------------
commit 4d91f6dafd164cee7118410232aef8e7a762da71
Author: Samuel Cabrero <scabrero at suse.de>
Date: Tue Feb 22 14:28:44 2022 +0100
s3:winbind: Use the canonical principal name to renew the credentials
The principal name stored in the winbindd ccache entry might be an
enterprise principal name if enterprise principals are enabled. Use
the canonical name to renew the credentials.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 8246ccc23d064147412bb3475e6431a9fffc0d27)
Autobuild-User(v4-15-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-15-test): Sun Feb 27 10:31:47 UTC 2022 on sn-devel-184
commit d0d70d9f6309c2779d6c912010ebd1a9ca571b87
Author: Samuel Cabrero <scabrero at suse.de>
Date: Tue Feb 22 13:19:02 2022 +0100
s3:winbind: Store canonical principal and realm in ccache entry
They will be used later to refresh the tickets.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 0f4f330773d272b4d28ff3ba5a41bdd4ba569c8b)
commit 29218c61b0ad240fa7c88f93a914063fb28f52e0
Author: Samuel Cabrero <scabrero at suse.de>
Date: Tue Feb 22 13:08:56 2022 +0100
s3:libads: Return canonical principal and realm from kerberos_return_pac()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 00b1f44a7e8f66976757535bcbc6bea97fb1c29f)
commit 66568436d2782c0504dffd7ab41f73ab5079a8f3
Author: Samuel Cabrero <scabrero at suse.de>
Date: Tue Feb 22 14:28:28 2022 +0100
lib:krb5_wrap: Fix wrong debug message and use newer debug macro
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 1b5b4107a5081f15ba215f3025056d509fcfcf2a)
commit 696c3e46397284e2c2397ec25435c824183700a7
Author: Samuel Cabrero <scabrero at suse.de>
Date: Tue Feb 22 13:00:05 2022 +0100
lib:krb5_wrap: Improve debug message and use newer debug macro
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit ed14513be055cc56eb39785323df2c538a813865)
commit 4aa677729cc177ef9481430b2949312e0002e3fc
Author: Samuel Cabrero <scabrero at suse.de>
Date: Tue Feb 22 12:59:44 2022 +0100
s3:libads: Fix memory leak in kerberos_return_pac() error path
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 3dbcd20de98cd28683a9c248368e5082b6388111)
-----------------------------------------------------------------------
Summary of changes:
lib/krb5_wrap/krb5_samba.c | 7 +++++--
source3/libads/authdata.c | 33 +++++++++++++++++++++++++++++----
source3/libads/kerberos_proto.h | 2 ++
source3/utils/net_ads.c | 2 ++
source3/winbindd/winbindd.h | 2 ++
source3/winbindd/winbindd_cred_cache.c | 18 ++++++++++++++++--
source3/winbindd/winbindd_pam.c | 12 ++++++++++--
source3/winbindd/winbindd_proto.h | 4 +++-
8 files changed, 69 insertions(+), 11 deletions(-)
Changeset truncated at 500 lines:
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index fff5b4e2a22..76c2dcd2126 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1079,7 +1079,7 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string,
goto done;
}
- DEBUG(10,("smb_krb5_renew_ticket: using %s as ccache\n", ccache_string));
+ DBG_DEBUG("Using %s as ccache for '%s'\n", ccache_string, client_string);
/* FIXME: we should not fall back to defaults */
ret = krb5_cc_resolve(context, discard_const_p(char, ccache_string), &ccache);
@@ -1101,7 +1101,10 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string,
ret = krb5_get_renewed_creds(context, &creds, client, ccache, discard_const_p(char, service_string));
if (ret) {
- DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret)));
+ DBG_DEBUG("krb5_get_renewed_creds using ccache '%s' "
+ "for client '%s' and service '%s' failed: %s\n",
+ ccache_string, client_string, service_string,
+ error_message(ret));
goto done;
}
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index dd21d895fc2..bf9a2335445 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -57,11 +57,16 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
time_t renewable_time,
const char *impersonate_princ_s,
const char *local_service,
+ char **_canon_principal,
+ char **_canon_realm,
struct PAC_DATA_CTR **_pac_data_ctr)
{
krb5_error_code ret;
NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
- DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1;
+ DATA_BLOB tkt = data_blob_null;
+ DATA_BLOB tkt_wrapped = data_blob_null;
+ DATA_BLOB ap_rep = data_blob_null;
+ DATA_BLOB sesskey1 = data_blob_null;
const char *auth_princ = NULL;
const char *cc = "MEMORY:kerberos_return_pac";
struct auth_session_info *session_info;
@@ -72,6 +77,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
struct auth4_context *auth_context;
struct loadparm_context *lp_ctx;
struct PAC_DATA_CTR *pac_data_ctr = NULL;
+ char *canon_principal = NULL;
+ char *canon_realm = NULL;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
@@ -81,7 +88,16 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
ZERO_STRUCT(sesskey1);
if (!name || !pass) {
- return NT_STATUS_INVALID_PARAMETER;
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto out;
+ }
+
+ if (_canon_principal != NULL) {
+ *_canon_principal = NULL;
+ }
+
+ if (_canon_realm != NULL) {
+ *_canon_realm = NULL;
}
if (cache_name) {
@@ -105,7 +121,9 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
request_pac,
add_netbios_addr,
renewable_time,
- NULL, NULL, NULL,
+ tmp_ctx,
+ &canon_principal,
+ &canon_realm,
&status);
if (ret) {
DEBUG(1,("kinit failed for '%s' with: %s (%d)\n",
@@ -131,7 +149,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
if (expire_time && renew_till_time &&
(*expire_time == 0) && (*renew_till_time == 0)) {
- return NT_STATUS_INVALID_LOGON_TYPE;
+ status = NT_STATUS_INVALID_LOGON_TYPE;
+ goto out;
}
ret = ads_krb5_cli_get_ticket(mem_ctx,
@@ -238,6 +257,12 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
}
*_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr);
+ if (_canon_principal != NULL) {
+ *_canon_principal = talloc_move(mem_ctx, &canon_principal);
+ }
+ if (_canon_realm != NULL) {
+ *_canon_realm = talloc_move(mem_ctx, &canon_realm);
+ }
out:
talloc_free(tmp_ctx);
diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
index 3d7b5bc074b..807381248c8 100644
--- a/source3/libads/kerberos_proto.h
+++ b/source3/libads/kerberos_proto.h
@@ -78,6 +78,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
time_t renewable_time,
const char *impersonate_princ_s,
const char *local_service,
+ char **_canon_principal,
+ char **_canon_realm,
struct PAC_DATA_CTR **pac_data_ctr);
/* The following definitions come from libads/krb5_setpw.c */
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 8f993f9ba4c..c41fb0afe9c 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -3273,6 +3273,8 @@ static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const ch
2592000, /* one month */
impersonate_princ_s,
local_service,
+ NULL,
+ NULL,
pac_data_ctr);
if (!NT_STATUS_IS_OK(status)) {
d_printf(_("failed to query kerberos PAC: %s\n"),
diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
index a6b2238cec1..dac4a1fa927 100644
--- a/source3/winbindd/winbindd.h
+++ b/source3/winbindd/winbindd.h
@@ -344,6 +344,8 @@ struct WINBINDD_CCACHE_ENTRY {
const char *service;
const char *username;
const char *realm;
+ const char *canon_principal;
+ const char *canon_realm;
struct WINBINDD_MEMORY_CREDS *cred_ptr;
int ref_count;
uid_t uid;
diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c
index c3077e21989..6c65db6a73f 100644
--- a/source3/winbindd/winbindd_cred_cache.c
+++ b/source3/winbindd/winbindd_cred_cache.c
@@ -209,7 +209,7 @@ rekinit:
set_effective_uid(entry->uid);
ret = smb_krb5_renew_ticket(entry->ccname,
- entry->principal_name,
+ entry->canon_principal,
entry->service,
&new_start);
#if defined(DEBUG_KRB5_TKT_RENEWAL)
@@ -501,7 +501,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
time_t create_time,
time_t ticket_end,
time_t renew_until,
- bool postponed_request)
+ bool postponed_request,
+ const char *canon_principal,
+ const char *canon_realm)
{
struct WINBINDD_CCACHE_ENTRY *entry = NULL;
struct timeval t;
@@ -617,6 +619,18 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
goto no_mem;
}
}
+ if (canon_principal != NULL) {
+ entry->canon_principal = talloc_strdup(entry, canon_principal);
+ if (entry->canon_principal == NULL) {
+ goto no_mem;
+ }
+ }
+ if (canon_realm != NULL) {
+ entry->canon_realm = talloc_strdup(entry, canon_realm);
+ if (entry->canon_realm == NULL) {
+ goto no_mem;
+ }
+ }
entry->ccname = talloc_strdup(entry, ccname);
if (!entry->ccname) {
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 7606bfb4ecd..a24cef78440 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -687,6 +687,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
const char *local_service;
uint32_t i;
struct netr_SamInfo6 *info6_copy = NULL;
+ char *canon_principal = NULL;
+ char *canon_realm = NULL;
bool ok;
*info6 = NULL;
@@ -789,6 +791,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
NULL,
local_service,
+ &canon_principal,
+ &canon_realm,
&pac_data_ctr);
if (user_ccache_file != NULL) {
gain_root_privilege();
@@ -854,7 +858,9 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
time(NULL),
ticket_lifetime,
renewal_until,
- false);
+ false,
+ canon_principal,
+ canon_realm);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
@@ -1231,7 +1237,9 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
time(NULL),
time(NULL) + lp_winbind_cache_time(),
time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
- true);
+ true,
+ principal_s,
+ realm);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("winbindd_dual_pam_auth_cached: failed "
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index c0d653a6d77..16c23f3de40 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -236,7 +236,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
time_t create_time,
time_t ticket_end,
time_t renew_until,
- bool postponed_request);
+ bool postponed_request,
+ const char *canon_principal,
+ const char *canon_realm);
NTSTATUS remove_ccache(const char *username);
struct WINBINDD_MEMORY_CREDS *find_memory_creds_by_name(const char *username);
NTSTATUS winbindd_add_memory_creds(const char *username,
--
Samba Shared Repository
More information about the samba-cvs
mailing list