[SCM] Samba Shared Repository - branch v4-16-test updated
Jule Anger
janger at samba.org
Mon Jul 18 09:41:01 UTC 2022
The branch, v4-16-test has been updated
via 89b914b3c51 s3:winbind: Use the canonical realm name to renew the credentials
via e388fe2b701 s3:winbind: Create service principal inside add_ccache_to_list()
via c5569b4f7a5 rpc_server3: Initialize mangle_fns in classic and spoolss
via 17451c5a17a third_party/heimdal: Fix build with gcc version 12.1
via 3537ef5acbb replace: Check for -Wuse-after-free
via 52ac4ce2326 nfs4_acls: Correctly skip chown when gid did not change
from a708af36656 s3:libads: Check if we have a valid sockaddr
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-test
- Log -----------------------------------------------------------------
commit 89b914b3c515f4fc91f8870031c359652ebb77a7
Author: Samuel Cabrero <scabrero at samba.org>
Date: Thu Jul 7 11:32:39 2022 +0200
s3:winbind: Use the canonical realm name to renew the credentials
Consider the following AD topology where all trusts are parent-child
trusts:
ADOM.AFOREST.AD
|
ACHILD.ADOM.AFOREST.AD
|
AGRANDCHILD.ACHILD.ADOM.AFOREST.AD <-- Samba joined
When logging into the Samba machine using pam_winbind with kerberos enabled
with user ACHILD\user1, the ccache content is:
Default principal: user1 at ACHILD.ADOM.AFOREST.AD
Valid starting Expires Service principal
07/06/2022 16:09:23 07/06/2022 16:14:23 krbtgt/ACHILD.ADOM.AFOREST.AD at ACHILD.ADOM.AFOREST.AD
renew until 07/13/2022 16:09:23
--> 07/06/2022 16:09:23 07/06/2022 16:14:23 krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD at ACHILD.ADOM.AFOREST.AD <-- NOTE this TGT ticket
renew until 07/13/2022 16:09:23
07/06/2022 16:09:23 07/06/2022 16:14:23 SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
renew until 07/13/2022 16:09:23
But when logging in with user ADOM\user1, the ccache content is:
Default principal: user1 at ADOM.AFOREST.AD
Valid starting Expires Service principal
07/06/2022 16:04:37 07/06/2022 16:09:37 krbtgt/ADOM.AFOREST.AD at ADOM.AFOREST.AD
renew until 07/13/2022 16:04:37
07/06/2022 16:04:37 07/06/2022 16:09:37 SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
renew until 07/13/2022 16:04:37
MIT does not store the intermediate TGTs when there is more than one hop:
ads_krb5_cli_get_ticket: Getting ticket for service [SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD] using creds from [FILE:/tmp/krb5cc_11105] and impersonating [(null)]
Getting credentials user1 at ADOM.AFOREST.AD -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD using ccache FILE:/tmp/krb5cc_11105
Starting with TGT for client realm: user1 at ADOM.AFOREST.AD -> krbtgt/ADOM.AFOREST.AD at ADOM.AFOREST.AD
Requesting TGT krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD at ADOM.AFOREST.AD using TGT krbtgt/ADOM.AFOREST.AD at ADOM.AFOREST.AD
Sending request to ADOM.AFOREST.AD
Received answer from stream 192.168.101.32:88
TGS reply is for user1 at ADOM.AFOREST.AD -> krbtgt/ACHILD.ADOM.AFOREST.AD at ADOM.AFOREST.AD with session key rc4-hmac/D88B
--> Received TGT for offpath realm ACHILD.ADOM.AFOREST.AD <-- NOTE this TGT ticket is not stored
Requesting TGT krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD at ACHILD.ADOM.AFOREST.AD using TGT krbtgt/ACHILD.ADOM.AFOREST.AD at ADOM.AFOREST.AD
Sending request (1748 bytes) to ACHILD.ADOM.AFOREST.AD
Received answer (1628 bytes) from stream 192.168.101.33:88
TGS reply is for user1 at ADOM.AFOREST.AD -> krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD at ACHILD.ADOM.AFOREST.AD with session key rc4-hmac/D015
--> Received TGT for service realm: krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD at ACHILD.ADOM.AFOREST.AD <-- NOTE this TGT is not stored
Requesting tickets for SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD, referrals on
Sending request (1721 bytes) to AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
Received answer (1647 bytes) from stream 192.168.101.34:88
TGS reply is for user1 at ADOM.AFOREST.AD -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD with session key aes256-cts/345A
Received creds for desired service SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
Storing user1 at ADOM.AFOREST.AD -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD in FILE:/tmp/krb5cc_11105
In the case of ACHILD\user1:
ads_krb5_cli_get_ticket: Getting ticket for service [SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD] using creds from [FILE:/tmp/krb5cc_2000] and impersonating [(null)]
Getting credentials user1 at ACHILD.ADOM.AFOREST.AD -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD using ccache FILE:/tmp/krb5cc_2000
Starting with TGT for client realm: user1 at ACHILD.ADOM.AFOREST.AD -> krbtgt/ACHILD.ADOM.AFOREST.AD at ACHILD.ADOM.AFOREST.AD
Requesting TGT krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD at ACHILD.ADOM.AFOREST.AD using TGT krbtgt/ACHILD.ADOM.AFOREST.AD at ACHILD.ADOM.AFOREST.AD
Sending request to ACHILD.ADOM.AFOREST.AD
Received answer from stream 192.168.101.33:88
TGS reply is for user1 at ACHILD.ADOM.AFOREST.AD -> krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD at ACHILD.ADOM.AFOREST.AD with session key rc4-hmac/0F60
--> Storing user1 at ACHILD.ADOM.AFOREST.AD -> krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD at ACHILD.ADOM.AFOREST.AD in FILE:/tmp/krb5cc_2000 <-- NOTE this TGT is stored
Received TGT for service realm: krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD at ACHILD.ADOM.AFOREST.AD
Requesting tickets for SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD, referrals on
Sending request (1745 bytes) to AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
Received answer (1675 bytes) from stream 192.168.101.34:88
TGS reply is for user1 at ACHILD.ADOM.AFOREST.AD -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD with session key aes256-cts/3576
Received creds for desired service SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
Storing user1 at ACHILD.ADOM.AFOREST.AD -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD in FILE:/tmp/krb5cc_2000
The result is that winbindd can't refresh the tickets for ADOM\user1
because the local realm is used to build the TGT service name.
smb_krb5_renew_ticket: Using FILE:/tmp/krb5cc_11105 as ccache for client 'user1 at ADOM.AFOREST.AD' and service 'krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD at AGRANDCHILD.ACHILD.ADOM.AFOREST.AD'
Retrieving user1 at ADOM.AFOREST.AD -> krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD at ADOM.AFOREST.AD from FILE:/tmp/krb5cc_11105 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_11105)
The canonical realm name must be used instead:
smb_krb5_renew_ticket: Using FILE:/tmp/krb5cc_11105 as ccache for client 'user1 at ADOM.AFOREST.AD' and service 'krbtgt/ADOM.AFOREST.AD at ADOM.AFOREST.AD'
Retrieving user1 at ADOM.AFOREST.AD -> krbtgt/ADOM.AFOREST.AD at ADOM.AFOREST.AD from FILE:/tmp/krb5cc_11105 with result: 0/Success
Get cred via TGT krbtgt/ADOM.AFOREST.AD at ADOM.AFOREST.AD after requesting krbtgt/ADOM.AFOREST.AD at ADOM.AFOREST.AD (canonicalize off)
Sending request to ADOM.AFOREST.AD
Received answer from stream 192.168.101.32:88
TGS reply is for user1 at ADOM.AFOREST.AD -> krbtgt/ADOM.AFOREST.AD at ADOM.AFOREST.AD with session key aes256-cts/8C7B
Storing user1 at ADOM.AFOREST.AD -> krbtgt/ADOM.AFOREST.AD at ADOM.AFOREST.AD in FILE:/tmp/krb5cc_11105
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Tue Jul 12 12:38:55 UTC 2022 on sn-devel-184
(cherry picked from commit 116af0df4f74aa450cbb77c79f8cac4bfc288631)
Autobuild-User(v4-16-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-16-test): Mon Jul 18 09:40:12 UTC 2022 on sn-devel-184
commit e388fe2b70120253be6eed5ed7e53cec9ea0b0ef
Author: Samuel Cabrero <scabrero at samba.org>
Date: Thu Jul 7 11:22:05 2022 +0200
s3:winbind: Create service principal inside add_ccache_to_list()
The function can build the service principal itself, there is no
need to do it in the caller. This removes code duplication.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 8bef8e3de9fc96ff45319f80529e878977563f3a)
commit c5569b4f7a5a93da1fdeaba50a3ac6771200de62
Author: Volker Lendecke <vl at samba.org>
Date: Fri Jul 8 14:14:22 2022 +0200
rpc_server3: Initialize mangle_fns in classic and spoolss
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15118
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky at samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky at samba.org>
Autobuild-Date(master): Tue Jul 12 13:33:14 UTC 2022 on sn-devel-184
(cherry picked from commit 11d3d2aeac599ebbedd5332c5520465970319448)
commit 17451c5a17a8867e9722666a28f14f52810d505a
Author: Samuel Cabrero <scabrero at samba.org>
Date: Thu Jun 9 10:51:54 2022 +0200
third_party/heimdal: Fix build with gcc version 12.1
Split lib/krb5/crypto to its own subsystem to be built with its own CFLAGS
and avoid the following error:
[1510/4771] Compiling third_party/heimdal/lib/krb5/crypto.c
../../third_party/heimdal/lib/krb5/crypto.c: In function ‘_krb5_internal_hmac’:
../../third_party/heimdal/lib/krb5/crypto.c:302:24: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual]
302 | iov[0].data.data = (void *) data;
| ^
../../third_party/heimdal/lib/krb5/crypto.c: In function ‘derive_key_sp800_hmac’:
../../third_party/heimdal/lib/krb5/crypto.c:2427:18: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual]
2427 | label.data = (void *)constant;
| ^
../../third_party/heimdal/lib/krb5/crypto.c: In function ‘decrypt_internal_derived’:
../../third_party/heimdal/lib/krb5/crypto.c:1280:9: error: pointer ‘p’ may be used after ‘realloc’ [-Werror=use-after-free]
1280 | free(p);
| ^~~~~~~
../../third_party/heimdal/lib/krb5/crypto.c:1278:20: note: call to ‘realloc’ here
1278 | result->data = realloc(p, l);
| ^~~~~~~~~~~~~
../../third_party/heimdal/lib/krb5/crypto.c: In function ‘decrypt_internal_enc_then_cksum’:
../../third_party/heimdal/lib/krb5/crypto.c:1365:9: error: pointer ‘p’ may be used after ‘realloc’ [-Werror=use-after-free]
1365 | free(p);
| ^~~~~~~
../../third_party/heimdal/lib/krb5/crypto.c:1363:20: note: call to ‘realloc’ here
1363 | result->data = realloc(p, l);
| ^~~~~~~~~~~~~
../../third_party/heimdal/lib/krb5/crypto.c: In function ‘decrypt_internal’:
../../third_party/heimdal/lib/krb5/crypto.c:1431:9: error: pointer ‘p’ may be used after ‘realloc’ [-Werror=use-after-free]
1431 | free(p);
| ^~~~~~~
../../third_party/heimdal/lib/krb5/crypto.c:1429:20: note: call to ‘realloc’ here
1429 | result->data = realloc(p, l);
| ^~~~~~~~~~~~~
../../third_party/heimdal/lib/krb5/crypto.c: In function ‘decrypt_internal_special’:
../../third_party/heimdal/lib/krb5/crypto.c:1478:9: error: pointer ‘p’ may be used after ‘realloc’ [-Werror=use-after-free]
1478 | free(p);
| ^~~~~~~
../../third_party/heimdal/lib/krb5/crypto.c:1476:20: note: call to ‘realloc’ here
1476 | result->data = realloc(p, sz);
| ^~~~~~~~~~~~~~
cc1: all warnings being treated as errors
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15095
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Samuel Cabrero <scabrero at samba.org>
Autobuild-Date(master): Tue Jun 14 10:16:18 UTC 2022 on sn-devel-184
(cherry picked from commit 971441ca5244b0e56f6b664d785fcefa3867ede1)
commit 3537ef5acbb887495861bb1668876afd69999e74
Author: Samuel Cabrero <scabrero at samba.org>
Date: Wed Jun 1 11:56:19 2022 +0200
replace: Check for -Wuse-after-free
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15095
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 89e0c732b1c45f6498ed0f39add77c2a52afddce)
commit 52ac4ce23268cd0975da55adb090248096b1cfc5
Author: Christof Schmitt <cs at samba.org>
Date: Tue Jul 12 05:12:21 2022 -0700
nfs4_acls: Correctly skip chown when gid did not change
Commit 86f7af84 introduced a problem that a chown is always attempted,
even when the owning gid did not change. Then the ACL is set in the file
system as root. Fix the check by correctly comparing with gid, not uid.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15120
Signed-off-by: Christof Schmitt <cs at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Christof Schmitt <cs at samba.org>
Autobuild-Date(master): Wed Jul 13 17:30:30 UTC 2022 on sn-devel-184
(cherry picked from commit a6ccceb97ebd43d453ae4f835927cbacde0fdcef)
-----------------------------------------------------------------------
Summary of changes:
lib/replace/wscript | 3 +++
source3/modules/nfs4_acls.c | 2 +-
source3/rpc_server/rpcd_classic.c | 3 +++
source3/rpc_server/rpcd_spoolss.c | 3 +++
source3/winbindd/winbindd_cred_cache.c | 16 +++++++++-------
source3/winbindd/winbindd_pam.c | 14 --------------
source3/winbindd/winbindd_proto.h | 1 -
third_party/heimdal_build/wscript_build | 17 ++++++++++++++---
8 files changed, 33 insertions(+), 26 deletions(-)
Changeset truncated at 500 lines:
diff --git a/lib/replace/wscript b/lib/replace/wscript
index e60ff15f903..e4c2d513076 100644
--- a/lib/replace/wscript
+++ b/lib/replace/wscript
@@ -128,6 +128,9 @@ def configure(conf):
if conf.CHECK_CFLAGS('-Wno-strict-overflow'):
conf.define('HAVE_WNO_STRICT_OVERFLOW', '1')
+ if conf.CHECK_CFLAGS('-Wuse-after-free=1'):
+ conf.define('HAVE_WUSE_AFTER_FREE_1', '1')
+
# Check for process set name support
conf.CHECK_CODE('''
#include <sys/prctl.h>
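Review bot: the new CHECK_CFLAGS probe in configure() tests '-Wuse-after-free=1', but the only consumer visible in this changeset (third_party/heimdal_build/wscript_build) appends '-Werror=use-after-free=1', which is a different spelling from the one probed. Either probe the exact flag that will be passed to the compiler, or add a short comment here saying that HAVE_WUSE_AFTER_FREE_1 exists for the Heimdal crypto.c build and which compiler versions are expected to accept it, so the define is not mistaken for a general-purpose hardening switch.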
diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
index c7808037a09..ff446bb1166 100644
--- a/source3/modules/nfs4_acls.c
+++ b/source3/modules/nfs4_acls.c
@@ -1022,7 +1022,7 @@ NTSTATUS smb_set_nt_acl_nfs4(vfs_handle_struct *handle, files_struct *fsp,
/* chown logic is a copy/paste from posix_acl.c:set_nt_acl */
uid_t old_uid = fsp->fsp_name->st.st_ex_uid;
- uid_t old_gid = fsp->fsp_name->st.st_ex_uid;
+ gid_t old_gid = fsp->fsp_name->st.st_ex_gid;
status = unpack_nt_owners(fsp->conn, &newUID, &newGID,
security_info_sent, psd);
if (!NT_STATUS_IS_OK(status)) {
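Review bot: the corrected old_gid line in smb_set_nt_acl_nfs4() fixes a slip the compiler accepted silently (st_ex_uid assigned to a variable named old_gid), and nothing in this change adds a test that would fail if it came back. The commit message says the effect was a chown attempt on every ACL set, with the ACL then written as root, so a regression test that sets an ACL without changing the owning group and checks that no chown is attempted would be worth adding. The comment above the declarations says this logic is a copy/paste from posix_acl.c:set_nt_acl; moving it into a shared helper would stop the two copies from drifting again.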
diff --git a/source3/rpc_server/rpcd_classic.c b/source3/rpc_server/rpcd_classic.c
index d3607d2e19c..4f6164c814c 100644
--- a/source3/rpc_server/rpcd_classic.c
+++ b/source3/rpc_server/rpcd_classic.c
@@ -33,6 +33,7 @@
#include "librpc/gen_ndr/ndr_initshutdown_scompat.h"
#include "source3/include/secrets.h"
#include "locking/share_mode_lock.h"
+#include "source3/smbd/proto.h"
static size_t classic_interfaces(
const struct ndr_interface_table ***pifaces,
@@ -81,6 +82,8 @@ static size_t classic_servers(
lp_load_with_shares(get_dyn_CONFIGFILE());
+ mangle_reset_cache();
+
*_ep_servers = ep_servers;
return ARRAY_SIZE(ep_servers);
}
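Review bot: the mangle_reset_cache() call added in classic_servers() has no comment, and its name suggests cache invalidation rather than what the commit subject says it is for, which is initializing mangle_fns. A one-line comment stating that the call is needed so mangle_fns is set up after lp_load_with_shares() would keep a later cleanup from removing it as redundant. The ordering also matters: it is placed after the configuration load, and that dependency should be stated if it is intentional.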
diff --git a/source3/rpc_server/rpcd_spoolss.c b/source3/rpc_server/rpcd_spoolss.c
index 733e70764a5..16b4667cd02 100644
--- a/source3/rpc_server/rpcd_spoolss.c
+++ b/source3/rpc_server/rpcd_spoolss.c
@@ -24,6 +24,7 @@
#include "source3/printing/queue_process.h"
#include "source3/include/messages.h"
#include "source3/include/secrets.h"
+#include "source3/smbd/proto.h"
static size_t spoolss_interfaces(
const struct ndr_interface_table ***pifaces,
@@ -68,6 +69,8 @@ static size_t spoolss_servers(
exit(1);
}
+ mangle_reset_cache();
+
*_ep_servers = ep_servers;
return ARRAY_SIZE(ep_servers);
}
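Review bot: spoolss_servers() gets the same mangle_reset_cache() call and the same source3/smbd/proto.h include as classic_servers(), so the initialization now lives in two places that have to be kept in step by hand. If both services always need it, doing the initialization once in code they share would avoid a third service missing it later; if that is not practical for the backport, a comment in each place pointing at the other (and at bug 15118) is the minimum.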
diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c
index 6c65db6a73f..9d27cbe8f78 100644
--- a/source3/winbindd/winbindd_cred_cache.c
+++ b/source3/winbindd/winbindd_cred_cache.c
@@ -493,7 +493,6 @@ bool ccache_entry_identical(const char *username,
NTSTATUS add_ccache_to_list(const char *princ_name,
const char *ccname,
- const char *service,
const char *username,
const char *pass,
const char *realm,
@@ -613,12 +612,6 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
goto no_mem;
}
}
- if (service) {
- entry->service = talloc_strdup(entry, service);
- if (!entry->service) {
- goto no_mem;
- }
- }
if (canon_principal != NULL) {
entry->canon_principal = talloc_strdup(entry, canon_principal);
if (entry->canon_principal == NULL) {
@@ -642,6 +635,15 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
goto no_mem;
}
+ entry->service = talloc_asprintf(entry,
+ "%s/%s@%s",
+ KRB5_TGS_NAME,
+ canon_realm,
+ canon_realm);
+ if (entry->service == NULL) {
+ goto no_mem;
+ }
+
entry->create_time = create_time;
entry->renew_until = renew_until;
entry->uid = uid;
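Review bot: the new talloc_asprintf() for entry->service passes canon_realm to two %s conversions without a NULL check visible in this hunk, while the earlier hunk shows canon_principal guarded by "if (canon_principal != NULL)". If canon_realm can be NULL on any path into add_ccache_to_list(), the service name will be malformed and renewal will fail in the same "Matching credential not found" way the commit message describes. Either reject a NULL canon_realm at the top of the function or fall back to realm explicitly, and add a comment that the TGT service name must use the canonical realm because intermediate cross-realm TGTs are not stored in the ccache.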
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 84c3720c19f..e600ad27e54 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -672,7 +672,6 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
krb5_error_code krb5_ret;
const char *cc = NULL;
const char *principal_s = NULL;
- const char *service = NULL;
char *realm = NULL;
fstring name_namespace, name_domain, name_user;
time_t ticket_lifetime = 0;
@@ -755,11 +754,6 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
- service = talloc_asprintf(mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
- if (service == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
local_service = talloc_asprintf(mem_ctx, "%s$@%s",
lp_netbios_name(), lp_realm());
if (local_service == NULL) {
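Review bot: the removed block in winbindd_raw_kerberos_login() built the service name from realm, while the replacement in add_ccache_to_list() builds it from canon_realm, so this is a behaviour change at this call site and not only the deduplication that the e388fe2b701 message describes. It would help reviewers of the backport to state in that commit message, or in a comment next to the add_ccache_to_list() call, that the renewal principal is now derived from the canonical realm returned by the KDC and not from the realm computed in this function.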
@@ -848,7 +842,6 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
result = add_ccache_to_list(principal_s,
cc,
- service,
user,
pass,
realm,
@@ -1180,7 +1173,6 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
const char *cc = NULL;
char *realm = NULL;
const char *principal_s = NULL;
- const char *service = NULL;
const char *user_ccache_file;
if (domain->alt_name == NULL) {
@@ -1215,11 +1207,6 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
return NT_STATUS_NO_MEMORY;
}
- service = talloc_asprintf(state->mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
- if (service == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
if (user_ccache_file != NULL) {
fstrcpy(state->response->data.auth.krb5ccname,
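Review bot: in winbindd_dual_pam_auth_cached() the service string used to be derived locally from realm, and after this removal it depends entirely on whatever canonical realm this caller hands to add_ccache_to_list(), which is not visible in the hunk. For a cached logon there may be no fresh KDC reply to take a canonical realm from, so please confirm what is passed here and that it is never NULL; if the cached path passes realm in that position, say so in a comment so the difference from the online path is deliberate and documented.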
@@ -1227,7 +1214,6 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
result = add_ccache_to_list(principal_s,
cc,
- service,
state->request->data.auth.user,
state->request->data.auth.pass,
realm,
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index 16c23f3de40..c685fab2606 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -228,7 +228,6 @@ void ccache_remove_all_after_fork(void);
void ccache_regain_all_now(void);
NTSTATUS add_ccache_to_list(const char *princ_name,
const char *ccname,
- const char *service,
const char *username,
const char *password,
const char *realm,
diff --git a/third_party/heimdal_build/wscript_build b/third_party/heimdal_build/wscript_build
index a395430c28f..fc136bc4116 100644
--- a/third_party/heimdal_build/wscript_build
+++ b/third_party/heimdal_build/wscript_build
@@ -670,6 +670,17 @@ if not bld.CONFIG_SET("USING_SYSTEM_KRB5"):
HEIMDAL_ERRTABLE('HEIMDAL_HEIM_ERR_ET', 'lib/base/heim_err.et')
+ krb5_crypto_cflags = []
+ if bld.CONFIG_SET('HAVE_WUSE_AFTER_FREE_1'):
+ krb5_crypto_cflags.append('-Werror=use-after-free=1')
+
+
+ HEIMDAL_SUBSYSTEM('KRB5_CRYPTO',
+ 'lib/krb5/crypto.c',
+ includes='../heimdal/lib/krb5 ../heimdal/include',
+ deps='wind hcrypto',
+ cflags=krb5_crypto_cflags)
+
KRB5_SOURCE = [os.path.join('lib/krb5/', x) for x in TO_LIST(
'''acache.c add_et_list.c
addr_families.c appdefault.c
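Review bot: krb5_crypto_cflags appends '-Werror=use-after-free=1', but the configure check that sets HAVE_WUSE_AFTER_FREE_1 probed '-Wuse-after-free=1', so the flag actually passed to the compiler for lib/krb5/crypto.c is not the one that was verified. The block also needs a comment explaining why crypto.c is split out: per the commit message the realloc()/free(p) pattern in the decrypt_internal* functions trips -Werror=use-after-free, and this subsystem exists to lower the level for that one file. Without that note the flag reads as added strictness when its purpose is to relax the check, and the underlying pattern in crypto.c stays unaddressed. There is also a stray second blank line after the if block.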
@@ -678,7 +689,7 @@ if not bld.CONFIG_SET("USING_SYSTEM_KRB5"):
changepw.c codec.c config_file.c
constants.c convert_creds.c
copy_host_realm.c crc.c creds.c
- crypto.c crypto-aes-sha1.c crypto-aes-sha2.c crypto-algs.c
+ crypto-aes-sha1.c crypto-aes-sha2.c crypto-algs.c
crypto-arcfour.c crypto-des3.c crypto-des.c
crypto-des-common.c crypto-evp.c
crypto-null.c crypto-pk.c crypto-rand.c
@@ -712,10 +723,10 @@ if not bld.CONFIG_SET("USING_SYSTEM_KRB5"):
HEIMDAL_LIBRARY('krb5', KRB5_SOURCE,
version_script='lib/krb5/version-script.map',
includes='../heimdal/lib/krb5 ../heimdal/lib/asn1 ../heimdal/include',
- deps='roken wind asn1 hx509 HEIMDAL_KX509_ASN1 hcrypto com_err HEIMDAL_CONFIG heimbase execinfo samba_intl HEIMDAL_IPC_CLIENT',
+ deps='roken wind asn1 hx509 HEIMDAL_KX509_ASN1 hcrypto com_err HEIMDAL_CONFIG heimbase execinfo samba_intl HEIMDAL_IPC_CLIENT KRB5_CRYPTO',
cflags=['-DLOCALSTATEDIR="/2"'] + bld.dynconfig_cflags(),
)
- KRB5_PROTO_SOURCE = KRB5_SOURCE + ['lib/krb5/expand_path.c', 'lib/krb5/plugin.c', 'lib/krb5/context.c']
+ KRB5_PROTO_SOURCE = KRB5_SOURCE + ['lib/krb5/expand_path.c', 'lib/krb5/plugin.c', 'lib/krb5/context.c', 'lib/krb5/crypto.c']
HEIMDAL_AUTOPROTO_PRIVATE('lib/krb5/krb5-private.h', KRB5_PROTO_SOURCE)
HEIMDAL_AUTOPROTO('lib/krb5/krb5-protos.h', KRB5_PROTO_SOURCE,
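Review bot: 'lib/krb5/crypto.c' is now appended by hand to KRB5_PROTO_SOURCE because it was dropped from KRB5_SOURCE, and nothing ties the two edits together. A comment on the KRB5_PROTO_SOURCE line saying that crypto.c is built in the KRB5_CRYPTO subsystem but still needs its prototypes generated would prevent someone from removing it as a leftover, or from moving another file to its own subsystem and forgetting the prototype list. The deps string on HEIMDAL_LIBRARY('krb5', ...) is also getting long enough that breaking it across lines would make the added KRB5_CRYPTO entry easier to spot in future diffs.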
--
Samba Shared Repository