[SCM] Samba Shared Repository - branch master updated

Douglas Bagnall dbagnall at samba.org
Thu Jun 27 05:34:01 UTC 2024


The branch, master has been updated
       via  3c1691aff55 Extended the documentation for the "tls certfile" parameter in the smb.conf.
       via  f9215b37544 third_party/heimdal: Import lorikeet-heimdal-202406270253 (commit cbd2c0b8ec604686dc7b363d1dcec69bf5f7a7ec)
       via  fe90576871b third_party/heimdal: Import lorikeet-heimdal-202406240121 (commit 4315286377278234be2f3b6d52225a17b6116d54)
       via  c5ee0b60b20 tests/krb5: Add tests for errors produced when logging in with unusable accounts
       via  6dc6168719c tests/krb5: Allow creation of disabled accounts for testing
      from  415f9f07456 ctdb-failover: Split statd_callout add-client/del-client

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 3c1691aff55518b8f361e43d2c80f40d896df1d7
Author: Oliver Mihatsch <om-git at q4k.de>
Date:   Thu Jun 13 12:16:05 2024 +0200

    Extended the documentation for the "tls certfile" parameter in the smb.conf.
    
    Signed-off-by: Oliver Mihatsch <om-git at q4k.de>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Douglas Bagnall <dbagnall at samba.org>
    Autobuild-Date(master): Thu Jun 27 05:33:17 UTC 2024 on atb-devel-224

commit f9215b37544610d68eb070fd85225c4b615c8687
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Thu Jun 27 14:59:43 2024 +1200

    third_party/heimdal: Import lorikeet-heimdal-202406270253 (commit cbd2c0b8ec604686dc7b363d1dcec69bf5f7a7ec)
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit fe90576871b5d644b9e888fd7a0b0351feaba750
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Wed Jun 12 14:42:38 2024 +1200

    third_party/heimdal: Import lorikeet-heimdal-202406240121 (commit 4315286377278234be2f3b6d52225a17b6116d54)
    
    This lets us match the Windows FAST reply when the password is expired.
    
    Windows clients were upset by the NTSTATUS field in the edata,
    apparently interpreting it to mean “insufficient resource”.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit c5ee0b60b20011aeaa60c2f549c2a78269c97c8f
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Thu Jun 27 12:29:52 2024 +1200

    tests/krb5: Add tests for errors produced when logging in with unusable accounts
    
    Heimdal matches Windows in the no‐FAST case, but produces NTSTATUS codes
    when it shouldn’t in the FAST case.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit 6dc6168719cf232ac2c1d747f10aad9b13300c02
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Tue Jun 25 12:51:48 2024 +1200

    tests/krb5: Allow creation of disabled accounts for testing
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/smbdotconf/security/tlscertfile.xml       |   3 +-
 python/samba/tests/krb5/kdc_base_test.py           |   9 +-
 python/samba/tests/krb5/lockout_tests.py           | 210 ++++++++++++++++++++-
 selftest/knownfail_mit_kdc                         |   5 +
 third_party/heimdal/ChangeLog.2005                 |   2 +-
 third_party/heimdal/ChangeLog.2006                 |   4 +-
 third_party/heimdal/ChangeLog.2007                 |   2 +-
 third_party/heimdal/appl/dceutils/dfspag.exp       |   2 +-
 third_party/heimdal/appl/dceutils/dpagaix.c        |   2 +-
 third_party/heimdal/cf/largefile.m4                |   2 +-
 third_party/heimdal/doc/setup.texi                 |   4 +-
 third_party/heimdal/kadmin/ext.c                   |   4 +-
 third_party/heimdal/kdc/default_config.c           |  21 +--
 third_party/heimdal/kdc/fast.c                     |  13 +-
 third_party/heimdal/kdc/kerberos5.c                |   3 +
 third_party/heimdal/kdc/process.c                  |   4 +-
 third_party/heimdal/lib/asn1/ChangeLog             |   2 +-
 third_party/heimdal/lib/base/heimbase.h            |   4 +-
 third_party/heimdal/lib/gssapi/krb5/display_name.c |   8 +-
 .../lib/gssapi/mech/gss_accept_sec_context.c       |   6 +-
 .../heimdal/lib/gssapi/mech/gss_compare_name.c     |   2 +-
 third_party/heimdal/lib/gssapi/oid.txt             |   2 +-
 .../heimdal/lib/hcrypto/libtommath/doc/bn.tex      |   4 +-
 third_party/heimdal/lib/hx509/ChangeLog            |   2 +-
 third_party/heimdal/lib/kadm5/ChangeLog            |   2 +-
 third_party/heimdal/lib/kafs/ChangeLog             |   4 +-
 third_party/heimdal/lib/kdfs/k5dfspag.c            |   2 +-
 third_party/heimdal/lib/krb5/acache.c              |   2 +-
 third_party/heimdal/lib/krb5/addr_families.c       |   4 +-
 third_party/heimdal/lib/krb5/context.c             |  12 +-
 third_party/heimdal/lib/krb5/dcache.c              |   2 +-
 third_party/heimdal/lib/krb5/doxygen.c             |   6 +-
 third_party/heimdal/lib/krb5/fcache.c              |   2 +-
 third_party/heimdal/lib/krb5/get_cred.c            |   2 +-
 third_party/heimdal/lib/krb5/get_for_creds.c       |   2 +-
 third_party/heimdal/lib/krb5/kcm.c                 |   2 +-
 third_party/heimdal/lib/krb5/krbhst.c              |   2 +-
 third_party/heimdal/lib/krb5/mcache.c              |   2 +-
 third_party/heimdal/lib/krb5/scache.c              |   2 +-
 third_party/heimdal/lib/krb5/store.c               |   2 +-
 third_party/heimdal/lib/roken/dlfcn_w32.c          |   2 +-
 third_party/heimdal/lib/roken/rkpty.c              |   2 +
 third_party/heimdal/lib/sl/sl.c                    |   8 +-
 third_party/heimdal/lib/wind/ChangeLog             |   2 +-
 44 files changed, 309 insertions(+), 75 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/security/tlscertfile.xml b/docs-xml/smbdotconf/security/tlscertfile.xml
index cf7095475f3..fe140bb3755 100644
--- a/docs-xml/smbdotconf/security/tlscertfile.xml
+++ b/docs-xml/smbdotconf/security/tlscertfile.xml
@@ -5,7 +5,8 @@
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
  <description>
 	 <para>This option can be set to a file (PEM format)
-		 containing the RSA certificate. </para>
+		 containing the RSA certificate to be used as TLS server certificate.
+		 If required it can also contain additional intermediate certificates to be send along during the TLS handshake.</para>
 	 <para>This path is relative to <smbconfoption name="private dir"/> if the path
 	 does not start with a /.</para>
 </description>
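Review bot: the second `+` line has a grammar slip: "to be send along" should be "to be sent along", and "used as TLS server certificate" reads better as "used as the TLS server certificate". Suggested wording: `containing the RSA certificate to be used as the TLS server certificate.` followed by `If required it can also contain additional intermediate certificates to be sent along during the TLS handshake.` Since the sentence now says the file may hold a chain, consider also stating the expected order of certificates in the file (server certificate first or not), which is what an administrator building the PEM file will want to know.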
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index eb3497c554e..df5e22be4ae 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -79,6 +79,7 @@ from samba.dsdb import (
     GTYPE_SECURITY_DOMAIN_LOCAL_GROUP,
     GTYPE_SECURITY_GLOBAL_GROUP,
     GTYPE_SECURITY_UNIVERSAL_GROUP,
+    UF_ACCOUNTDISABLE,
     UF_NO_AUTH_DATA_REQUIRED,
     UF_NORMAL_ACCOUNT,
     UF_NOT_DELEGATED,
@@ -2016,7 +2017,8 @@ class KDCBaseTest(TestCaseInTempDir, RawKerberosTest):
             'assigned_policy': None,
             'assigned_silo': None,
             'logon_hours': None,
-            'smartcard_required': False
+            'smartcard_required': False,
+            'enabled': True,
         }
 
         account_opts = {
@@ -2074,7 +2076,8 @@ class KDCBaseTest(TestCaseInTempDir, RawKerberosTest):
                             assigned_policy,
                             assigned_silo,
                             logon_hours,
-                            smartcard_required):
+                            smartcard_required,
+                            enabled):
         if account_type is self.AccountType.USER:
             self.assertIsNone(delegation_to_spn)
             self.assertIsNone(delegation_from_dn)
@@ -2100,6 +2103,8 @@ class KDCBaseTest(TestCaseInTempDir, RawKerberosTest):
             user_account_control |= UF_NO_AUTH_DATA_REQUIRED
         if smartcard_required:
             user_account_control |= UF_SMARTCARD_REQUIRED
+        if not enabled:
+            user_account_control |= UF_ACCOUNTDISABLE
 
         if additional_details:
             details = {k: v for k, v in additional_details}
diff --git a/python/samba/tests/krb5/lockout_tests.py b/python/samba/tests/krb5/lockout_tests.py
index 81002964a54..e33d9acb4a8 100755
--- a/python/samba/tests/krb5/lockout_tests.py
+++ b/python/samba/tests/krb5/lockout_tests.py
@@ -58,11 +58,12 @@ from samba.tests import connect_samdb, env_get_var_value, env_loadparm
 
 from samba.tests.krb5.as_req_tests import AsReqBaseTest
 from samba.tests.krb5 import kcrypto
-from samba.tests.krb5.kdc_base_test import KDCBaseTest
+from samba.tests.krb5.kdc_tgs_tests import KdcTgsBaseTests
 from samba.tests.krb5.raw_testcase import KerberosCredentials
 import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
 from samba.tests.krb5.rfc4120_constants import (
     KDC_ERR_CLIENT_REVOKED,
+    KDC_ERR_KEY_EXPIRED,
     KDC_ERR_PREAUTH_FAILED,
     KRB_AS_REP,
     KRB_ERROR,
@@ -518,7 +519,7 @@ def ldap_pwd_change(pipe,
         return ConnectionResult.SUCCESS
 
 
-class LockoutTests(KDCBaseTest):
+class LockoutTests(KdcTgsBaseTests):
 
     def setUp(self):
         super().setUp()
@@ -603,6 +604,211 @@ class LockoutTests(KDCBaseTest):
     def test_lockout_transaction_kdc_ntstatus(self):
         self.do_lockout_transaction(partial(connect_kdc, expect_status=True))
 
+    # Test that performing AS‐REQs with accounts in various states of
+    # unusability results in appropriate NTSTATUS and Kerberos error codes.
+
+    def test_lockout_status_disabled(self):
+        self._run_lockout_status(
+            self._get_creds_disabled(),
+            expected_status=ntstatus.NT_STATUS_ACCOUNT_DISABLED,
+            expected_error=KDC_ERR_CLIENT_REVOKED,
+        )
+
+    def test_lockout_status_locked_out(self):
+        self._run_lockout_status(
+            self._get_creds_locked_out(),
+            expected_status=ntstatus.NT_STATUS_ACCOUNT_LOCKED_OUT,
+            expected_error=KDC_ERR_CLIENT_REVOKED,
+        )
+
+    def test_lockout_status_expired(self):
+        self._run_lockout_status(
+            self._get_creds_expired(),
+            expected_status=ntstatus.NT_STATUS_ACCOUNT_EXPIRED,
+            expected_error=KDC_ERR_CLIENT_REVOKED,
+        )
+
+    def test_lockout_status_must_change(self):
+        self._run_lockout_status(
+            self._get_creds_must_change(),
+            expected_status=ntstatus.NT_STATUS_PASSWORD_MUST_CHANGE,
+            expected_error=KDC_ERR_KEY_EXPIRED,
+        )
+
+    def test_lockout_status_password_expired(self):
+        self._run_lockout_status(
+            self._get_creds_password_expired(),
+            expected_status=ntstatus.NT_STATUS_PASSWORD_EXPIRED,
+            expected_error=KDC_ERR_KEY_EXPIRED,
+        )
+
+    # Test that performing the same AS‐REQs, this time with FAST, does not
+    # result in NTSTATUS codes.
+
+    def test_lockout_status_disabled_fast(self):
+        self._run_lockout_status_fast(
+            self._get_creds_disabled(), expected_error=KDC_ERR_CLIENT_REVOKED
+        )
+
+    def test_lockout_status_locked_out_fast(self):
+        self._run_lockout_status_fast(
+            self._get_creds_locked_out(), expected_error=KDC_ERR_CLIENT_REVOKED
+        )
+
+    def test_lockout_status_expired_fast(self):
+        self._run_lockout_status_fast(
+            self._get_creds_expired(), expected_error=KDC_ERR_CLIENT_REVOKED
+        )
+
+    def test_lockout_status_must_change_fast(self):
+        self._run_lockout_status_fast(
+            self._get_creds_must_change(), expected_error=KDC_ERR_KEY_EXPIRED
+        )
+
+    def test_lockout_status_password_expired_fast(self):
+        self._run_lockout_status_fast(
+            self._get_creds_password_expired(), expected_error=KDC_ERR_KEY_EXPIRED
+        )
+
+    def _get_creds_disabled(self):
+        return self.get_cached_creds(
+            account_type=self.AccountType.USER, opts={"enabled": False}
+        )
+
+    def _get_creds_locked_out(self) -> KerberosCredentials:
+        samdb = self.get_samdb()
+
+        user_creds = self.get_cached_creds(
+            account_type=self.AccountType.USER, use_cache=False
+        )
+        user_dn = user_creds.get_dn()
+
+        # Lock out the account.
+
+        old_utf16pw = '"Secret007"'.encode("utf-16le")  # invalid pwd
+        new_utf16pw = '"Secret008"'.encode("utf-16le")
+
+        msg = ldb.Message(user_dn)
+        msg["0"] = ldb.MessageElement(old_utf16pw, ldb.FLAG_MOD_DELETE, "unicodePwd")
+        msg["1"] = ldb.MessageElement(new_utf16pw, ldb.FLAG_MOD_ADD, "unicodePwd")
+
+        for _ in range(self.lockout_threshold):
+            try:
+                samdb.modify(msg)
+            except ldb.LdbError as err:
+                num, _ = err.args
+
+                # We get an error, but the bad password count should
+                # still be updated.
+                self.assertEqual(num, ldb.ERR_CONSTRAINT_VIOLATION)
+            else:
+                self.fail("pwd change should have failed")
+
+        # Ensure the account is locked out.
+
+        res = samdb.search(
+            user_dn, scope=ldb.SCOPE_BASE, attrs=["msDS-User-Account-Control-Computed"]
+        )
+        self.assertEqual(1, len(res))
+
+        uac = int(res[0].get("msDS-User-Account-Control-Computed", idx=0))
+        self.assertTrue(uac & dsdb.UF_LOCKOUT)
+
+        return user_creds
+
+    def _get_creds_expired(self) -> KerberosCredentials:
+        return self.get_cached_creds(
+            account_type=self.AccountType.USER,
+            opts={"additional_details": self.freeze({"accountExpires": "1"})},
+        )
+
+    def _get_creds_must_change(self) -> KerberosCredentials:
+        return self.get_cached_creds(
+            account_type=self.AccountType.USER,
+            opts={"additional_details": self.freeze({"pwdLastSet": "0"})},
+        )
+
+    def _get_creds_password_expired(self) -> KerberosCredentials:
+        samdb = self.get_samdb()
+        self.addCleanup(samdb.set_maxPwdAge, samdb.get_maxPwdAge())
+        low_pwd_age = -2
+        samdb.set_maxPwdAge(low_pwd_age)
+
+        return self.get_cached_creds(account_type=self.AccountType.USER)
+
+    def _run_lockout_status(
+        self,
+        user_creds: KerberosCredentials,
+        *,
+        expected_status: int,
+        expected_error: int,
+    ) -> None:
+        user_name = user_creds.get_username()
+        cname = self.PrincipalName_create(
+            name_type=NT_PRINCIPAL, names=user_name.split("/")
+        )
+
+        krbtgt_creds = self.get_krbtgt_creds()
+        realm = krbtgt_creds.get_realm()
+
+        sname = self.get_krbtgt_sname()
+
+        preauth_key = self.PasswordKey_from_creds(user_creds, kcrypto.Enctype.AES256)
+
+        ts_enc_padata = self.get_enc_timestamp_pa_data_from_key(preauth_key)
+        padata = [ts_enc_padata]
+
+        def _generate_padata_copy(_kdc_exchange_dict, _callback_dict, req_body):
+            return padata, req_body
+
+        kdc_exchange_dict = self.as_exchange_dict(
+            creds=user_creds,
+            expected_crealm=realm,
+            expected_cname=cname,
+            expected_srealm=realm,
+            expected_sname=sname,
+            expected_account_name=user_name,
+            expected_supported_etypes=krbtgt_creds.tgs_supported_enctypes,
+            expect_edata=True,
+            expect_status=True,
+            expected_status=expected_status,
+            ticket_decryption_key=self.TicketDecryptionKey_from_creds(krbtgt_creds),
+            generate_padata_fn=_generate_padata_copy,
+            check_error_fn=self.generic_check_kdc_error,
+            check_rep_fn=None,
+            check_kdc_private_fn=self.generic_check_kdc_private,
+            expected_error_mode=expected_error,
+            expected_salt=user_creds.get_salt(),
+            preauth_key=preauth_key,
+            kdc_options=str(krb5_asn1.KDCOptions("postdated")),
+            pac_request=True,
+        )
+
+        # Try making a Kerberos AS-REQ to the KDC. This might fail, either due
+        # to the user's account being locked out or due to using the wrong
+        # password.
+        self._generic_kdc_exchange(
+            kdc_exchange_dict,
+            cname=cname,
+            realm=realm,
+            sname=sname,
+            till_time=self.get_KerberosTime(offset=36000),
+            etypes=self.get_default_enctypes(user_creds),
+        )
+
+    def _run_lockout_status_fast(
+        self, user_creds: KerberosCredentials, *, expected_error: int
+    ) -> None:
+        self._armored_as_req(
+            user_creds,
+            self.get_krbtgt_creds(),
+            self.get_tgt(self.get_mach_creds()),
+            expected_error=expected_error,
+            expect_edata=self.expect_padata_outer,
+            # FAST‐armored responses never contain an NTSTATUS code.
+            expect_status=False,
+        )
+
     def test_lockout_transaction_ntlm(self):
         self.do_lockout_transaction(connect_ntlm)
 
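Review bot: the comment above `self._generic_kdc_exchange(...)` in `_run_lockout_status` is misleading: these tests always supply the correct password via `preauth_key`, and the exchange is expected to fail only because of the account state set up by the `_get_creds_*` helpers (disabled, locked out, expired, must-change, password expired), which is what `expected_status` and `expected_error_mode` check. Suggest rewording it to say the AS-REQ is expected to fail with the given NTSTATUS and Kerberos error because of the account's state, not because of a wrong password. Two smaller points: `_get_creds_disabled` lacks the `-> KerberosCredentials` annotation its siblings carry, and `_get_creds_locked_out` references `ldb` and `dsdb.UF_LOCKOUT`, so both modules must be imported at the top of the file (the visible import hunk does not add them).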
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 725dc5fef77..0f7aec347a2 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -533,6 +533,11 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_transaction_kdc_ntstatus.ad_dc:local
 ^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_transaction_rename_kdc.ad_dc:local
 ^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_transaction_rename_kdc_ntstatus.ad_dc:local
+^samba\.tests\.krb5\.lockout_tests\.samba\.tests\.krb5\.lockout_tests\.LockoutTests\.test_lockout_status_disabled\(ad_dc:local\)$
+^samba\.tests\.krb5\.lockout_tests\.samba\.tests\.krb5\.lockout_tests\.LockoutTests\.test_lockout_status_expired\(ad_dc:local\)$
+^samba\.tests\.krb5\.lockout_tests\.samba\.tests\.krb5\.lockout_tests\.LockoutTests\.test_lockout_status_locked_out\(ad_dc:local\)$
+^samba\.tests\.krb5\.lockout_tests\.samba\.tests\.krb5\.lockout_tests\.LockoutTests\.test_lockout_status_must_change\(ad_dc:local\)$
+^samba\.tests\.krb5\.lockout_tests\.samba\.tests\.krb5\.lockout_tests\.LockoutTests\.test_lockout_status_password_expired\(ad_dc:local\)$
 #
 # Encryption type tests
 #
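Review bot: the five new knownfail entries use a different regex style from the surrounding lines (escaped dots and an anchored `\(ad_dc:local\)$` suffix, versus the loose `.ad_dc:local` used on the three lines just above). Both forms match, but mixing styles within one block makes the file harder to maintain; pick one. A one-line comment saying why the MIT KDC is expected to fail these non-FAST tests, and why the `_fast` variants are not listed, would also help the next reader.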
diff --git a/third_party/heimdal/ChangeLog.2005 b/third_party/heimdal/ChangeLog.2005
index a594d092404..b92ee39bb4c 100644
--- a/third_party/heimdal/ChangeLog.2005
+++ b/third_party/heimdal/ChangeLog.2005
@@ -1323,7 +1323,7 @@
 2005-05-07  Love Hörnquist Åstrand  <lha at it.su.se>
 
 	* lib/krb5/addr_families.c (krb5_print_address): catch when the
-	unknown adress don't fit. From Björn Sandell <biorn at dce.chalmers.se>
+	unknown address don't fit. From Björn Sandell <biorn at dce.chalmers.se>
 
 2005-05-05  Dave Love  <d.love at dl.ac.uk>
 
diff --git a/third_party/heimdal/ChangeLog.2006 b/third_party/heimdal/ChangeLog.2006
index d48ea8aba65..f9176a763a4 100644
--- a/third_party/heimdal/ChangeLog.2006
+++ b/third_party/heimdal/ChangeLog.2006
@@ -366,7 +366,7 @@
 
 	* lib/krb5/pac.c: Almost enough code to do PAC parsing and
 	verification, missing in the unix2NTTIME and ucs2 corner. The
-	later will be adressed by finally adding libwind.
+	later will be addressed by finally adding libwind.
 
 	* lib/krb5/krb5_init_context.3: document krb5_[gs]et_max_time_skew
 
@@ -2016,7 +2016,7 @@
 	* lib/krb5/n-fold-test.c: main is not a KRB5_LIB_FUNCTION
 
 	* lib/krb5/mk_priv.c (krb5_mk_priv): abort if ASN1_MALLOC_ENCODE
-	failes to produce the matching lenghts.
+	failes to produce the matching lengths.
 	
 2006-01-27  Love Hörnquist Åstrand  <lha at it.su.se>
 
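Review bot: the second hunk fixes `lenghts` but leaves `failes` on the same line; if typo fixes in historical ChangeLogs are in scope, `failes to produce the matching lengths` should become `fails to produce the matching lengths`.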
diff --git a/third_party/heimdal/ChangeLog.2007 b/third_party/heimdal/ChangeLog.2007
index 60c95459fb1..1ac528f53f5 100644
--- a/third_party/heimdal/ChangeLog.2007
+++ b/third_party/heimdal/ChangeLog.2007
@@ -423,7 +423,7 @@
 	
 2007-06-28  Love Hörnquist Åstrand  <lha at it.su.se>
 
-	* kdc/digest.c: On success, print username, not ip-adress.
+	* kdc/digest.c: On success, print username, not ip-address.
 
 2007-06-26  Love Hörnquist Åstrand  <lha at it.su.se>
 
diff --git a/third_party/heimdal/appl/dceutils/dfspag.exp b/third_party/heimdal/appl/dceutils/dfspag.exp
index ed39788d5ed..c30c98b4895 100644
--- a/third_party/heimdal/appl/dceutils/dfspag.exp
+++ b/third_party/heimdal/appl/dceutils/dfspag.exp
@@ -1,3 +1,3 @@
 #!/unix
-* kernel extentions used to get the pag
+* kernel extensions used to get the pag
 kafs_syscall syscall
diff --git a/third_party/heimdal/appl/dceutils/dpagaix.c b/third_party/heimdal/appl/dceutils/dpagaix.c
index 304a9a230ee..7694c5445de 100644
--- a/third_party/heimdal/appl/dceutils/dpagaix.c
+++ b/third_party/heimdal/appl/dceutils/dpagaix.c
@@ -1,6 +1,6 @@
 /*
  * dpagaix.c
- * On AIX we need to get the kernel extentions
+ * On AIX we need to get the kernel extensions
  * with the DFS kafs_syscall in it.
  * We might be running on a system
  * where DFS is not active.
diff --git a/third_party/heimdal/cf/largefile.m4 b/third_party/heimdal/cf/largefile.m4
index 5c54897be48..cdbbc554314 100644
--- a/third_party/heimdal/cf/largefile.m4
+++ b/third_party/heimdal/cf/largefile.m4
@@ -10,7 +10,7 @@ dnl with generated code, such as lex
 if test "$enable_largefile" != no -a "$ac_cv_sys_large_files" != no; then
 	CPPFLAGS="$CPPFLAGS -D_LARGE_FILES=$ac_cv_sys_large_files"
 fi
-if test "$enable_largefile" != no -a "$ac_cv_sys_file_offset_bits" != no; then
+if test "$enable_largefile" != no -a "$ac_cv_sys_file_offset_bits" != no && test -n "$ac_cv_sys_file_offset_bits"; then
 	CPPFLAGS="$CPPFLAGS -D_FILE_OFFSET_BITS=$ac_cv_sys_file_offset_bits"
 fi
 ])
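Review bot: the added `&& test -n "$ac_cv_sys_file_offset_bits"` guard correctly stops `-D_FILE_OFFSET_BITS=` being emitted with an empty value when the cache variable is unset, but the `-D_LARGE_FILES=$ac_cv_sys_large_files` block three lines above has the same exposure and is left without a guard; apply the same check there for consistency, or add a comment explaining why only one needs it. Mixing `-a` inside `test` with a shell `&&` in a single condition also reads awkwardly; `test "$enable_largefile" != no && test "$ac_cv_sys_file_offset_bits" != no && test -n "$ac_cv_sys_file_offset_bits"` would be clearer.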
diff --git a/third_party/heimdal/doc/setup.texi b/third_party/heimdal/doc/setup.texi
index 1df24d12c65..8177b7a7134 100644
--- a/third_party/heimdal/doc/setup.texi
+++ b/third_party/heimdal/doc/setup.texi
@@ -1468,8 +1468,8 @@ id-pkkdcekuoid (1.3.6.1.5.2.3.5) set. Second, there must be a
 subjectAltName otherName using OID id-pkinit-san (1.3.6.1.5.2.2) in
 the type field and a DER encoded KRB5PrincipalName that matches the
 name of the TGS of the target realm.  Also, if the certificate has a
-nameConstraints extension with a Generalname with dNSName or iPAdress,
-it must match the hostname or adress of the KDC.
+nameConstraints extension with a Generalname with dNSName or iPAddress,
+it must match the hostname or address of the KDC.
 
 The client is not required by the standard to check the server
 certificate for this information if the client has external
diff --git a/third_party/heimdal/kadmin/ext.c b/third_party/heimdal/kadmin/ext.c
index 04d4d79a17b..5a8281a0976 100644
--- a/third_party/heimdal/kadmin/ext.c
+++ b/third_party/heimdal/kadmin/ext.c
@@ -92,7 +92,7 @@ do_ext_keytab(krb5_principal principal, void *data)
             krb5_warnx(context, "some keys for %s are corrupted in the HDB",
                        unparsed);
         }
-	keys = calloc(sizeof(*keys), princ.n_key_data);
+	keys = calloc(princ.n_key_data, sizeof(*keys));
 	if (keys == NULL) {
 	    ret = krb5_enomem(context);
 	    goto out;
@@ -118,7 +118,7 @@ do_ext_keytab(krb5_principal principal, void *data)
 	if (ret)
 	    goto out;
 
-	keys = calloc(sizeof(*keys), n_k);
+	keys = calloc(n_k, sizeof(*keys));
 	if (keys == NULL) {
 	    ret = krb5_enomem(context);
 	    goto out;
diff --git a/third_party/heimdal/kdc/default_config.c b/third_party/heimdal/kdc/default_config.c
index 8301b90f902..55eae26ae48 100644
--- a/third_party/heimdal/kdc/default_config.c
+++ b/third_party/heimdal/kdc/default_config.c
@@ -430,21 +430,18 @@ KDC_LIB_FUNCTION krb5_error_code KDC_LIB_CALL
 krb5_kdc_pkinit_config(krb5_context context, krb5_kdc_configuration *config)
 {
 #ifdef PKINIT
+    if (config->enable_pkinit) {
 #ifdef __APPLE__
-    config->enable_pkinit = 1;
-
-    if (config->pkinit_kdc_identity == NULL) {
-	if (config->pkinit_kdc_friendly_name == NULL)
-	    config->pkinit_kdc_friendly_name =
-		strdup("O=System Identity,CN=com.apple.kerberos.kdc");
-	config->pkinit_kdc_identity = strdup("KEYCHAIN:");
-    }
-    if (config->pkinit_kdc_anchors == NULL)
-	config->pkinit_kdc_anchors = strdup("KEYCHAIN:");
-
+	if (config->pkinit_kdc_identity == NULL) {
+	    if (config->pkinit_kdc_friendly_name == NULL)
+		config->pkinit_kdc_friendly_name =
+		    strdup("O=System Identity,CN=com.apple.kerberos.kdc");
+	    config->pkinit_kdc_identity = strdup("KEYCHAIN:");
+	}
+	if (config->pkinit_kdc_anchors == NULL)
+	    config->pkinit_kdc_anchors = strdup("KEYCHAIN:");
 #endif /* __APPLE__ */
 
-    if (config->enable_pkinit) {
 	if (config->pkinit_kdc_identity == NULL)
 	    krb5_errx(context, 1, "pkinit enabled but no identity");
 
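Review bot: this restructuring changes behaviour on `__APPLE__` without saying so: the removed line `config->enable_pkinit = 1;` forced PKINIT on, whereas now the keychain defaults for `pkinit_kdc_identity` and `pkinit_kdc_anchors` are applied only when PKINIT was already enabled elsewhere. That may well be intended, but the commit message (an import of lorikeet-heimdal) does not mention it; a sentence in the message or a comment at the top of the `if (config->enable_pkinit)` block would help Apple-platform packagers. Also check that nothing in the truncated remainder of the function still relies on the old unconditional default.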
diff --git a/third_party/heimdal/kdc/fast.c b/third_party/heimdal/kdc/fast.c
index bc77f74664c..d6b6ab2bbb3 100644
--- a/third_party/heimdal/kdc/fast.c
+++ b/third_party/heimdal/kdc/fast.c
@@ -482,7 +482,18 @@ _kdc_fast_mk_error(astgs_request_t r,
 
     heim_assert(r != NULL, "invalid request in _kdc_fast_mk_error");
 
-    if (r->e_data.length) {
+    if (!armor_crypto && r->e_data.length) {
+	/*
+	 * If we’re not armoring the response with FAST, r->e_data
+	 * takes precedence over the e‐data that would normally be
+	 * generated. r->e_data typically contains a
+	 * Microsoft‐specific NTSTATUS code.
+	 *
+	 * But if FAST is in use, Windows Server suppresses the
+	 * NTSTATUS code in favour of an armored response
+	 * encapsulating an ordinary KRB‐ERROR. So we ignore r->e_data
+	 * in that case.
+	 */
 	e_data = &r->e_data;
     } else {
 	ret = _kdc_fast_mk_e_data(r,
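Review bot: the new condition `!armor_crypto && r->e_data.length` makes the NTSTATUS suppression depend on `armor_crypto` being non-NULL exactly when the reply is FAST-armored; that assumption is not stated in the otherwise thorough comment, so add a sentence saying `armor_crypto` is the FAST armor key and is NULL for unarmored replies. It is also worth confirming that the `else` branch, `_kdc_fast_mk_e_data`, produces the ordinary KRB-ERROR e-data the comment promises, so a FAST client still receives a usable error rather than an empty one when `r->e_data` is ignored.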
diff --git a/third_party/heimdal/kdc/kerberos5.c b/third_party/heimdal/kdc/kerberos5.c
index 3d3243787f3..3bcf00c984b 100644
--- a/third_party/heimdal/kdc/kerberos5.c
+++ b/third_party/heimdal/kdc/kerberos5.c
@@ -1204,6 +1204,9 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
 	goto out;
     }
     free_EncryptedData(&enc_data);
+    if (ret) {
+	goto out;
+    }
     ret = decode_PA_ENC_TS_ENC(ts_data.data,
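Review bot: the added `if (ret) { goto out; }` after `free_EncryptedData(&enc_data)` only helps if `ret` still holds the result of the decryption that preceded the free; the hunk (and the changeset, which is truncated at 500 lines here) does not show that assignment, so verify `ret` is not reset between the decrypt call and this check. The surrounding code uses `goto out;` without braces for single statements (see the first line of the hunk), so the braces could be dropped for consistency.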


-- 
Samba Shared Repository
