[PATCH] Add back --with-fake-kaserver option to the build

Christian Ambach ambi at samba.org
Sun Apr 27 13:51:32 MDT 2014


Hi list,

during the transition to waf, the AFS fake kaserver configuration option
was not migrated and so this feature got lost in 4.1 (in 4.0, it was
still available via the autoconf-based build).
The attached patchset brings back the option. Once it gets reviewed, I
can backport it to 4.1 so we close this gap (that is probably the last
piece that was missing from waf when comparing it to the autoconf build).

Cheers,
Christian
-------------- next part --------------
>From 7fc8f246f2000077b297c1a53f88f3617d26138d Mon Sep 17 00:00:00 2001
From: Christian Ambach <ambi at samba.org>
Date: Sun, 13 Apr 2014 13:18:37 +0200
Subject: [PATCH 1/8] s3:lib/util move util_sec to common lib

we need some of the code in util_sec for wbinfo that lives in the toplevel
nsswitch directory, so move the util_sec.c file to the top-level lib directory

Signed-off-by: Christian Ambach <ambi at samba.org>
---
 lib/util/util_sec.c        | 553 +++++++++++++++++++++++++++++++++++++++++++++
 lib/util/util_sec.h        |  45 ++++
 lib/util/wscript_build     |   2 +-
 source3/include/includes.h |   1 +
 source3/include/proto.h    |  24 --
 source3/lib/util_sec.c     | 553 ---------------------------------------------
 source3/wscript            |  12 +-
 source3/wscript_build      |   2 +-
 8 files changed, 607 insertions(+), 585 deletions(-)
 create mode 100644 lib/util/util_sec.c
 create mode 100644 lib/util/util_sec.h
 delete mode 100644 source3/lib/util_sec.c

diff --git a/lib/util/util_sec.c b/lib/util/util_sec.c
new file mode 100644
index 0000000..9ccd04e
--- /dev/null
+++ b/lib/util/util_sec.c
@@ -0,0 +1,553 @@
+/*
+   Unix SMB/CIFS implementation.
+   Copyright (C) Jeremy Allison 1998.
+   rewritten for version 2.0.6 by Tridge
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef AUTOCONF_TEST
+#include "includes.h"
+#include "system/passwd.h" /* uid_wrapper */
+#include "../lib/util/setid.h"
+
+#else
+/* we are running this code in autoconf test mode to see which type of setuid
+   function works */
+#if defined(HAVE_UNISTD_H)
+#include <unistd.h>
+#endif
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <errno.h>
+
+#ifdef HAVE_SYS_PRIV_H
+#include <sys/priv.h>
+#endif
+#ifdef HAVE_SYS_ID_H
+#include <sys/id.h>
+#endif
+
+#define DEBUG(x, y) printf y
+#define smb_panic(x) exit(1)
+#define bool int
+#endif
+
+/* are we running as non-root? This is used by the regresison test code,
+   and potentially also for sites that want non-root smbd */
+static uid_t initial_uid;
+static gid_t initial_gid;
+
+/****************************************************************************
+remember what uid we got started as - this allows us to run correctly
+as non-root while catching trapdoor systems
+****************************************************************************/
+
+void sec_init(void)
+{
+	static int initialized;
+
+	if (!initialized) {
+		initial_uid = geteuid();
+		initial_gid = getegid();
+		initialized = 1;
+	}
+}
+
+/****************************************************************************
+some code (eg. winbindd) needs to know what uid we started as
+****************************************************************************/
+uid_t sec_initial_uid(void)
+{
+	return initial_uid;
+}
+
+/****************************************************************************
+some code (eg. winbindd, profiling shm) needs to know what gid we started as
+****************************************************************************/
+gid_t sec_initial_gid(void)
+{
+	return initial_gid;
+}
+
+/**
+ * @brief Check if we are running in root mode.
+ *
+ * @return If we samba root privileges it returns true, false otehrwise.
+ */
+bool root_mode(void)
+{
+	uid_t euid;
+
+	euid = geteuid();
+
+#ifndef AUTOCONF_TEST
+	if (uid_wrapper_enabled()) {
+		return (euid == initial_uid || euid == (uid_t)0);
+	}
+#endif
+
+	return (initial_uid == euid);
+}
+
+/****************************************************************************
+are we running in non-root mode?
+****************************************************************************/
+bool non_root_mode(void)
+{
+	return (initial_uid != (uid_t)0);
+}
+
+/****************************************************************************
+abort if we haven't set the uid correctly
+****************************************************************************/
+static void assert_uid(uid_t ruid, uid_t euid)
+{
+	if ((euid != (uid_t)-1 && geteuid() != euid) ||
+	    (ruid != (uid_t)-1 && getuid() != ruid)) {
+		if (!non_root_mode()) {
+			DEBUG(0,("Failed to set uid privileges to (%d,%d) now set to (%d,%d)\n",
+				 (int)ruid, (int)euid,
+				 (int)getuid(), (int)geteuid()));
+			smb_panic("failed to set uid\n");
+			exit(1);
+		}
+	}
+}
+
+/****************************************************************************
+abort if we haven't set the gid correctly
+****************************************************************************/
+static void assert_gid(gid_t rgid, gid_t egid)
+{
+	if ((egid != (gid_t)-1 && getegid() != egid) ||
+	    (rgid != (gid_t)-1 && getgid() != rgid)) {
+		if (!non_root_mode()) {
+			DEBUG(0,("Failed to set gid privileges to (%d,%d) now set to (%d,%d) uid=(%d,%d)\n",
+				 (int)rgid, (int)egid,
+				 (int)getgid(), (int)getegid(),
+				 (int)getuid(), (int)geteuid()));
+			smb_panic("failed to set gid\n");
+			exit(1);
+		}
+	}
+}
+
+/****************************************************************************
+ Gain root privilege before doing something. 
+ We want to end up with ruid==euid==0
+****************************************************************************/
+void gain_root_privilege(void)
+{	
+#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
+	samba_setresuid(0,0,0);
+#endif
+    
+#if USE_SETEUID
+	samba_seteuid(0);
+#endif
+
+#if USE_SETREUID
+	samba_setreuid(0, 0);
+#endif
+
+#if USE_SETUIDX
+	samba_setuidx(ID_EFFECTIVE, 0);
+	samba_setuidx(ID_REAL, 0);
+#endif
+
+	/* this is needed on some systems */
+	samba_setuid(0);
+
+	assert_uid(0, 0);
+}
+
+
+/****************************************************************************
+ Ensure our real and effective groups are zero.
+ we want to end up with rgid==egid==0
+****************************************************************************/
+void gain_root_group_privilege(void)
+{
+#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
+	samba_setresgid(0,0,0);
+#endif
+
+#if USE_SETREUID
+	samba_setregid(0,0);
+#endif
+
+#if USE_SETEUID
+	samba_setegid(0);
+#endif
+
+#if USE_SETUIDX
+	samba_setgidx(ID_EFFECTIVE, 0);
+	samba_setgidx(ID_REAL, 0);
+#endif
+
+	samba_setgid(0);
+
+	assert_gid(0, 0);
+}
+
+
+/****************************************************************************
+ Set effective uid, and possibly the real uid too.
+ We want to end up with either:
+  
+   ruid==uid and euid==uid
+
+ or
+
+   ruid==0 and euid==uid
+
+ depending on what the local OS will allow us to regain root from.
+****************************************************************************/
+void set_effective_uid(uid_t uid)
+{
+#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
+        /* Set the effective as well as the real uid. */
+	if (samba_setresuid(uid,uid,-1) == -1) {
+		if (errno == EAGAIN) {
+			DEBUG(0, ("samba_setresuid failed with EAGAIN. uid(%d) "
+				  "might be over its NPROC limit\n",
+				  (int)uid));
+		}
+	}
+#endif
+
+#if USE_SETREUID
+	samba_setreuid(-1,uid);
+#endif
+
+#if USE_SETEUID
+	samba_seteuid(uid);
+#endif
+
+#if USE_SETUIDX
+	samba_setuidx(ID_EFFECTIVE, uid);
+#endif
+
+	assert_uid(-1, uid);
+}
+
+/****************************************************************************
+ Set *only* the effective gid.
+ we want to end up with rgid==0 and egid==gid
+****************************************************************************/
+void set_effective_gid(gid_t gid)
+{
+#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
+	samba_setresgid(-1,gid,-1);
+#endif
+
+#if USE_SETREUID
+	samba_setregid(-1,gid);
+#endif
+
+#if USE_SETEUID
+	samba_setegid(gid);
+#endif
+
+#if USE_SETUIDX
+	samba_setgidx(ID_EFFECTIVE, gid);
+#endif
+
+	assert_gid(-1, gid);
+}
+
+static uid_t saved_euid, saved_ruid;
+static gid_t saved_egid, saved_rgid;
+
+/****************************************************************************
+ save the real and effective uid for later restoration. Used by the quotas
+ code
+****************************************************************************/
+void save_re_uid(void)
+{
+	saved_ruid = getuid();
+	saved_euid = geteuid();
+}
+
+
+/****************************************************************************
+ and restore them!
+****************************************************************************/
+
+void restore_re_uid_fromroot(void)
+{
+#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
+	samba_setresuid(saved_ruid, saved_euid, -1);
+#elif USE_SETREUID
+	samba_setreuid(saved_ruid, -1);
+	samba_setreuid(-1,saved_euid);
+#elif USE_SETUIDX
+	samba_setuidx(ID_REAL, saved_ruid);
+	samba_setuidx(ID_EFFECTIVE, saved_euid);
+#else
+	set_effective_uid(saved_euid);
+	if (getuid() != saved_ruid)
+		samba_setuid(saved_ruid);
+	set_effective_uid(saved_euid);
+#endif
+
+	assert_uid(saved_ruid, saved_euid);
+}
+
+void restore_re_uid(void)
+{
+	set_effective_uid(0);
+	restore_re_uid_fromroot();
+}
+
+/****************************************************************************
+ save the real and effective gid for later restoration. Used by the 
+ getgroups code
+****************************************************************************/
+void save_re_gid(void)
+{
+	saved_rgid = getgid();
+	saved_egid = getegid();
+}
+
+/****************************************************************************
+ and restore them!
+****************************************************************************/
+void restore_re_gid(void)
+{
+#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
+	samba_setresgid(saved_rgid, saved_egid, -1);
+#elif USE_SETREUID
+	samba_setregid(saved_rgid, -1);
+	samba_setregid(-1,saved_egid);
+#elif USE_SETUIDX
+	samba_setgidx(ID_REAL, saved_rgid);
+	samba_setgidx(ID_EFFECTIVE, saved_egid);
+#else
+	set_effective_gid(saved_egid);
+	if (getgid() != saved_rgid)
+		samba_setgid(saved_rgid);
+	set_effective_gid(saved_egid);
+#endif
+
+	assert_gid(saved_rgid, saved_egid);
+}
+
+
+/****************************************************************************
+ set the real AND effective uid to the current effective uid in a way that
+ allows root to be regained.
+ This is only possible on some platforms.
+****************************************************************************/
+int set_re_uid(void)
+{
+	uid_t uid = geteuid();
+
+#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
+	samba_setresuid(uid, uid, -1);
+#endif
+
+#if USE_SETREUID
+	samba_setreuid(0, 0);
+	samba_setreuid(uid, -1);
+	samba_setreuid(-1, uid);
+#endif
+
+#if USE_SETEUID
+	/* can't be done */
+	return -1;
+#endif
+
+#if USE_SETUIDX
+	/* can't be done */
+	return -1;
+#endif
+
+	assert_uid(uid, uid);
+	return 0;
+}
+
+
+/****************************************************************************
+ Become the specified uid and gid - permanently !
+ there should be no way back if possible
+****************************************************************************/
+void become_user_permanently(uid_t uid, gid_t gid)
+{
+	/*
+	 * First - gain root privilege. We do this to ensure
+	 * we can lose it again.
+	 */
+
+	gain_root_privilege();
+	gain_root_group_privilege();
+
+#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
+	samba_setresgid(gid,gid,gid);
+	samba_setgid(gid);
+	samba_setresuid(uid,uid,uid);
+	samba_setuid(uid);
+#endif
+
+#if USE_SETREUID
+	samba_setregid(gid,gid);
+	samba_setgid(gid);
+	samba_setreuid(uid,uid);
+	samba_setuid(uid);
+#endif
+
+#if USE_SETEUID
+	samba_setegid(gid);
+	samba_setgid(gid);
+	samba_setuid(uid);
+	samba_seteuid(uid);
+	samba_setuid(uid);
+#endif
+
+#if USE_SETUIDX
+	samba_setgidx(ID_REAL, gid);
+	samba_setgidx(ID_EFFECTIVE, gid);
+	samba_setgid(gid);
+	samba_setuidx(ID_REAL, uid);
+	samba_setuidx(ID_EFFECTIVE, uid);
+	samba_setuid(uid);
+#endif
+	
+	assert_uid(uid, uid);
+	assert_gid(gid, gid);
+}
+
+/**********************************************************
+ Function to set thread specific credentials. Leave
+ saved-set uid/gid alone.Must be thread-safe code.
+**********************************************************/
+
+int set_thread_credentials(uid_t uid,
+			gid_t gid,
+			size_t setlen,
+			const gid_t *gidset)
+{
+#if defined(USE_LINUX_THREAD_CREDENTIALS)
+	/*
+	 * With Linux thread-specific credentials
+	 * we know we have setresuid/setresgid
+	 * available.
+	 */
+
+	/* Become root. */
+	/* Set ru=0, eu=0 */
+	if (samba_setresuid(0, 0, -1) != 0) {
+		return -1;
+	}
+	/* Set our primary gid. */
+	/* Set rg=gid, eg=gid */
+	if (samba_setresgid(gid, gid, -1) != 0) {
+		return -1;
+	}
+	/* Set extra groups list. */
+	if (samba_setgroups(setlen, gidset) != 0) {
+		return -1;
+	}
+	/* Become the requested user. */
+	/* Set ru=uid, eu=uid */
+	if (samba_setresuid(uid, uid, -1) != 0) {
+		return -1;
+	}
+	if (geteuid() != uid || getuid() != uid ||
+			getegid() != gid || getgid() != gid) {
+		smb_panic("set_thread_credentials failed\n");
+		return -1;
+	}
+	return 0;
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+
+#ifdef AUTOCONF_TEST
+
+/****************************************************************************
+this function just checks that we don't get ENOSYS back
+****************************************************************************/
+static int have_syscall(void)
+{
+	errno = 0;
+
+#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
+	samba_setresuid(-1,-1,-1);
+#endif
+
+#if USE_SETREUID
+	samba_setreuid(-1,-1);
+#endif
+
+#if USE_SETEUID
+	samba_seteuid(-1);
+#endif
+
+#if USE_SETUIDX
+	samba_setuidx(ID_EFFECTIVE, -1);
+#endif
+
+	if (errno == ENOSYS) return -1;
+	
+	return 0;
+}
+
+main()
+{
+        if (getuid() != 0) {
+#if (defined(AIX) && defined(USE_SETREUID))
+		/* setreuid is badly broken on AIX 4.1, we avoid it completely */
+                fprintf(stderr,"avoiding possibly broken setreuid\n");
+		exit(1);
+#endif
+
+		/* if not running as root then at least check to see if we get ENOSYS - this 
+		   handles Linux 2.0.x with glibc 2.1 */
+                fprintf(stderr,"not running as root: checking for ENOSYS\n");
+		exit(have_syscall());
+	}
+
+	gain_root_privilege();
+	gain_root_group_privilege();
+	set_effective_gid(1);
+	set_effective_uid(1);
+	save_re_uid();
+	restore_re_uid();
+	gain_root_privilege();
+	gain_root_group_privilege();
+	become_user_permanently(1, 1);
+	samba_setuid(0);
+	if (getuid() == 0) {
+		fprintf(stderr,"uid not set permanently\n");
+		exit(1);
+	}
+
+	printf("OK\n");
+
+	exit(0);
+}
+#endif
+
+/****************************************************************************
+Check if we are setuid root.  Used in libsmb and smbpasswd paranoia checks.
+****************************************************************************/
+bool is_setuid_root(void) 
+{
+	return (geteuid() == (uid_t)0) && (getuid() != (uid_t)0);
+}
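Review bot: `become_user_permanently()` sets the real, effective and saved uid/gid but never resets the supplementary group list, and its closing `assert_uid(uid, uid)` / `assert_gid(gid, gid)` do not check groups either, so groups held while root survive the "permanent" drop unless every caller clears them first (no caller is visible in this patch). Since the file now goes into the shared samba-util library and the commit message names wbinfo as a new consumer, it would be safer to do this inside the function, right after `gain_root_group_privilege()`: `if (samba_setgroups(1, &gid) != 0 && !non_root_mode()) smb_panic("failed to set groups\n");`, assuming `samba_setgroups()` is available in every build variant. At minimum the function's header comment should say that the caller owns the group list. The `samba_set*id()` return values in this function are also discarded, and `assert_uid()`/`assert_gid()` do nothing when `non_root_mode()` is true, so a failed drop is silent in that mode.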
diff --git a/lib/util/util_sec.h b/lib/util/util_sec.h
new file mode 100644
index 0000000..afbf9c8
--- /dev/null
+++ b/lib/util/util_sec.h
@@ -0,0 +1,45 @@
+/*
+   Unix SMB/CIFS implementation.
+   Copyright (C) Jeremy Allison 1998.
+   rewritten for version 2.0.6 by Tridge
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef LIB_UTIL_SEC_H
+#define LIB_UTIL_SEC_H 1
+
+void sec_init(void);
+uid_t sec_initial_uid(void);
+gid_t sec_initial_gid(void);
+bool root_mode(void);
+bool non_root_mode(void);
+void gain_root_privilege(void);
+void gain_root_group_privilege(void);
+void set_effective_uid(uid_t uid);
+void set_effective_gid(gid_t gid);
+void save_re_uid(void);
+void restore_re_uid_fromroot(void);
+void restore_re_uid(void);
+void save_re_gid(void);
+void restore_re_gid(void);
+int set_re_uid(void);
+void become_user_permanently(uid_t uid, gid_t gid);
+int set_thread_credentials(uid_t uid,
+			   gid_t gid,
+			   size_t setlen,
+			   const gid_t *gidset);
+bool is_setuid_root(void);
+
+#endif
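Review bot: The new header uses `uid_t`, `gid_t`, `size_t` and `bool` in its prototypes but includes nothing, so it compiles only when the includer has already pulled in the right system headers. That held while these prototypes sat in source3's proto.h behind includes.h, but the stated goal is to call them from the top-level nsswitch code. Make the header self-contained by adding `#include <sys/types.h>` and `#include <stdbool.h>` after the include guard, or the project's portability header if that is the convention in lib/util. A one-line comment above the prototypes, such as `/* Process credential switching helpers; call sec_init() once at startup before using them. */`, would also help new callers, since `root_mode()` and `non_root_mode()` read `initial_uid`, which only `sec_init()` sets.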
diff --git a/lib/util/wscript_build b/lib/util/wscript_build
index fe2c183..0e6d12e 100755
--- a/lib/util/wscript_build
+++ b/lib/util/wscript_build
@@ -8,7 +8,7 @@ bld.SAMBA_LIBRARY('samba-util',
                     util_strlist.c util_paths.c idtree.c debug.c fault.c base64.c
                     util_str.c util_str_common.c substitute.c ms_fnmatch.c
                     server_id.c dprintf.c parmlist.c bitmap.c pidfile.c
-                    tevent_debug.c util_process.c''',
+                    tevent_debug.c util_process.c util_sec.c''',
                   deps='DYNCONFIG',
                   public_deps='talloc tevent execinfo pthread LIBCRYPTO charset util_setid systemd-daemon',
                   public_headers='debug.h attr.h byteorder.h data_blob.h memory.h safe_string.h time.h talloc_stack.h xfile.h dlinklist.h samba_util.h string_wrappers.h',
diff --git a/source3/include/includes.h b/source3/include/includes.h
index de44fd2..967c52b 100644
--- a/source3/include/includes.h
+++ b/source3/include/includes.h
@@ -398,6 +398,7 @@ typedef char fstring[FSTRING_LEN];
 
 /* samba_setXXid functions. */
 #include "../lib/util/setid.h"
+#include "../lib/util/util_sec.h"
 
 /***** prototypes *****/
 #ifndef NO_PROTO_H
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 0a4db86..46d12a4 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -506,30 +506,6 @@ NTSTATUS merge_nt_token(TALLOC_CTX *mem_ctx,
 			struct security_token **token_out);
 bool token_sid_in_ace(const struct security_token *token, const struct security_ace *ace);
 
-/* The following definitions come from lib/util_sec.c  */
-
-void sec_init(void);
-uid_t sec_initial_uid(void);
-gid_t sec_initial_gid(void);
-bool root_mode(void);
-bool non_root_mode(void);
-void gain_root_privilege(void);
-void gain_root_group_privilege(void);
-void set_effective_uid(uid_t uid);
-void set_effective_gid(gid_t gid);
-void save_re_uid(void);
-void restore_re_uid_fromroot(void);
-void restore_re_uid(void);
-void save_re_gid(void);
-void restore_re_gid(void);
-int set_re_uid(void);
-void become_user_permanently(uid_t uid, gid_t gid);
-int set_thread_credentials(uid_t uid,
-			gid_t gid,
-			size_t setlen,
-			const gid_t *gidset);
-bool is_setuid_root(void) ;
-
 /* The following definitions come from lib/util_sid.c  */
 
 char *sid_to_fstring(fstring sidstr_out, const struct dom_sid *sid);
diff --git a/source3/lib/util_sec.c b/source3/lib/util_sec.c
deleted file mode 100644
index 9ccd04e..0000000
--- a/source3/lib/util_sec.c
+++ /dev/null
@@ -1,553 +0,0 @@
-/*
-   Unix SMB/CIFS implementation.
-   Copyright (C) Jeremy Allison 1998.
-   rewritten for version 2.0.6 by Tridge
-
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 3 of the License, or
-   (at your option) any later version.
-
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-
-   You should have received a copy of the GNU General Public License
-   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#ifndef AUTOCONF_TEST
-#include "includes.h"
-#include "system/passwd.h" /* uid_wrapper */
-#include "../lib/util/setid.h"
-
-#else
-/* we are running this code in autoconf test mode to see which type of setuid
-   function works */
-#if defined(HAVE_UNISTD_H)
-#include <unistd.h>
-#endif
-#include <stdlib.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <errno.h>
-
-#ifdef HAVE_SYS_PRIV_H
-#include <sys/priv.h>
-#endif
-#ifdef HAVE_SYS_ID_H
-#include <sys/id.h>
-#endif
-
-#define DEBUG(x, y) printf y
-#define smb_panic(x) exit(1)
-#define bool int
-#endif
-
-/* are we running as non-root? This is used by the regresison test code,
-   and potentially also for sites that want non-root smbd */
-static uid_t initial_uid;
-static gid_t initial_gid;
-
-/****************************************************************************
-remember what uid we got started as - this allows us to run correctly
-as non-root while catching trapdoor systems
-****************************************************************************/
-
-void sec_init(void)
-{
-	static int initialized;
-
-	if (!initialized) {
-		initial_uid = geteuid();
-		initial_gid = getegid();
-		initialized = 1;
-	}
-}
-
-/****************************************************************************
-some code (eg. winbindd) needs to know what uid we started as
-****************************************************************************/
-uid_t sec_initial_uid(void)
-{
-	return initial_uid;
-}
-
-/****************************************************************************
-some code (eg. winbindd, profiling shm) needs to know what gid we started as
-****************************************************************************/
-gid_t sec_initial_gid(void)
-{
-	return initial_gid;
-}
-
-/**
- * @brief Check if we are running in root mode.
- *
- * @return If we samba root privileges it returns true, false otehrwise.
- */
-bool root_mode(void)
-{
-	uid_t euid;
-
-	euid = geteuid();
-
-#ifndef AUTOCONF_TEST
-	if (uid_wrapper_enabled()) {
-		return (euid == initial_uid || euid == (uid_t)0);
-	}
-#endif
-
-	return (initial_uid == euid);
-}
-
-/****************************************************************************
-are we running in non-root mode?
-****************************************************************************/
-bool non_root_mode(void)
-{
-	return (initial_uid != (uid_t)0);
-}
-
-/****************************************************************************
-abort if we haven't set the uid correctly
-****************************************************************************/
-static void assert_uid(uid_t ruid, uid_t euid)
-{
-	if ((euid != (uid_t)-1 && geteuid() != euid) ||
-	    (ruid != (uid_t)-1 && getuid() != ruid)) {
-		if (!non_root_mode()) {
-			DEBUG(0,("Failed to set uid privileges to (%d,%d) now set to (%d,%d)\n",
-				 (int)ruid, (int)euid,
-				 (int)getuid(), (int)geteuid()));
-			smb_panic("failed to set uid\n");
-			exit(1);
-		}
-	}
-}
-
-/****************************************************************************
-abort if we haven't set the gid correctly
-****************************************************************************/
-static void assert_gid(gid_t rgid, gid_t egid)
-{
-	if ((egid != (gid_t)-1 && getegid() != egid) ||
-	    (rgid != (gid_t)-1 && getgid() != rgid)) {
-		if (!non_root_mode()) {
-			DEBUG(0,("Failed to set gid privileges to (%d,%d) now set to (%d,%d) uid=(%d,%d)\n",
-				 (int)rgid, (int)egid,
-				 (int)getgid(), (int)getegid(),
-				 (int)getuid(), (int)geteuid()));
-			smb_panic("failed to set gid\n");
-			exit(1);
-		}
-	}
-}
-
-/****************************************************************************
- Gain root privilege before doing something. 
- We want to end up with ruid==euid==0
-****************************************************************************/
-void gain_root_privilege(void)
-{	
-#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
-	samba_setresuid(0,0,0);
-#endif
-    
-#if USE_SETEUID
-	samba_seteuid(0);
-#endif
-
-#if USE_SETREUID
-	samba_setreuid(0, 0);
-#endif
-
-#if USE_SETUIDX
-	samba_setuidx(ID_EFFECTIVE, 0);
-	samba_setuidx(ID_REAL, 0);
-#endif
-
-	/* this is needed on some systems */
-	samba_setuid(0);
-
-	assert_uid(0, 0);
-}
-
-
-/****************************************************************************
- Ensure our real and effective groups are zero.
- we want to end up with rgid==egid==0
-****************************************************************************/
-void gain_root_group_privilege(void)
-{
-#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
-	samba_setresgid(0,0,0);
-#endif
-
-#if USE_SETREUID
-	samba_setregid(0,0);
-#endif
-
-#if USE_SETEUID
-	samba_setegid(0);
-#endif
-
-#if USE_SETUIDX
-	samba_setgidx(ID_EFFECTIVE, 0);
-	samba_setgidx(ID_REAL, 0);
-#endif
-
-	samba_setgid(0);
-
-	assert_gid(0, 0);
-}
-
-
-/****************************************************************************
- Set effective uid, and possibly the real uid too.
- We want to end up with either:
-  
-   ruid==uid and euid==uid
-
- or
-
-   ruid==0 and euid==uid
-
- depending on what the local OS will allow us to regain root from.
-****************************************************************************/
-void set_effective_uid(uid_t uid)
-{
-#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
-        /* Set the effective as well as the real uid. */
-	if (samba_setresuid(uid,uid,-1) == -1) {
-		if (errno == EAGAIN) {
-			DEBUG(0, ("samba_setresuid failed with EAGAIN. uid(%d) "
-				  "might be over its NPROC limit\n",
-				  (int)uid));
-		}
-	}
-#endif
-
-#if USE_SETREUID
-	samba_setreuid(-1,uid);
-#endif
-
-#if USE_SETEUID
-	samba_seteuid(uid);
-#endif
-
-#if USE_SETUIDX
-	samba_setuidx(ID_EFFECTIVE, uid);
-#endif
-
-	assert_uid(-1, uid);
-}
-
-/****************************************************************************
- Set *only* the effective gid.
- we want to end up with rgid==0 and egid==gid
-****************************************************************************/
-void set_effective_gid(gid_t gid)
-{
-#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
-	samba_setresgid(-1,gid,-1);
-#endif
-
-#if USE_SETREUID
-	samba_setregid(-1,gid);
-#endif
-
-#if USE_SETEUID
-	samba_setegid(gid);
-#endif
-
-#if USE_SETUIDX
-	samba_setgidx(ID_EFFECTIVE, gid);
-#endif
-
-	assert_gid(-1, gid);
-}
-
-static uid_t saved_euid, saved_ruid;
-static gid_t saved_egid, saved_rgid;
-
-/****************************************************************************
- save the real and effective uid for later restoration. Used by the quotas
- code
-****************************************************************************/
-void save_re_uid(void)
-{
-	saved_ruid = getuid();
-	saved_euid = geteuid();
-}
-
-
-/****************************************************************************
- and restore them!
-****************************************************************************/
-
-void restore_re_uid_fromroot(void)
-{
-#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
-	samba_setresuid(saved_ruid, saved_euid, -1);
-#elif USE_SETREUID
-	samba_setreuid(saved_ruid, -1);
-	samba_setreuid(-1,saved_euid);
-#elif USE_SETUIDX
-	samba_setuidx(ID_REAL, saved_ruid);
-	samba_setuidx(ID_EFFECTIVE, saved_euid);
-#else
-	set_effective_uid(saved_euid);
-	if (getuid() != saved_ruid)
-		samba_setuid(saved_ruid);
-	set_effective_uid(saved_euid);
-#endif
-
-	assert_uid(saved_ruid, saved_euid);
-}
-
-void restore_re_uid(void)
-{
-	set_effective_uid(0);
-	restore_re_uid_fromroot();
-}
-
-/****************************************************************************
- save the real and effective gid for later restoration. Used by the 
- getgroups code
-****************************************************************************/
-void save_re_gid(void)
-{
-	saved_rgid = getgid();
-	saved_egid = getegid();
-}
-
-/****************************************************************************
- and restore them!
-****************************************************************************/
-void restore_re_gid(void)
-{
-#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
-	samba_setresgid(saved_rgid, saved_egid, -1);
-#elif USE_SETREUID
-	samba_setregid(saved_rgid, -1);
-	samba_setregid(-1,saved_egid);
-#elif USE_SETUIDX
-	samba_setgidx(ID_REAL, saved_rgid);
-	samba_setgidx(ID_EFFECTIVE, saved_egid);
-#else
-	set_effective_gid(saved_egid);
-	if (getgid() != saved_rgid)
-		samba_setgid(saved_rgid);
-	set_effective_gid(saved_egid);
-#endif
-
-	assert_gid(saved_rgid, saved_egid);
-}
-
-
-/****************************************************************************
- set the real AND effective uid to the current effective uid in a way that
- allows root to be regained.
- This is only possible on some platforms.
-****************************************************************************/
-int set_re_uid(void)
-{
-	uid_t uid = geteuid();
-
-#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
-	samba_setresuid(uid, uid, -1);
-#endif
-
-#if USE_SETREUID
-	samba_setreuid(0, 0);
-	samba_setreuid(uid, -1);
-	samba_setreuid(-1, uid);
-#endif
-
-#if USE_SETEUID
-	/* can't be done */
-	return -1;
-#endif
-
-#if USE_SETUIDX
-	/* can't be done */
-	return -1;
-#endif
-
-	assert_uid(uid, uid);
-	return 0;
-}
-
-
-/****************************************************************************
- Become the specified uid and gid - permanently !
- there should be no way back if possible
-****************************************************************************/
-void become_user_permanently(uid_t uid, gid_t gid)
-{
-	/*
-	 * First - gain root privilege. We do this to ensure
-	 * we can lose it again.
-	 */
-
-	gain_root_privilege();
-	gain_root_group_privilege();
-
-#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
-	samba_setresgid(gid,gid,gid);
-	samba_setgid(gid);
-	samba_setresuid(uid,uid,uid);
-	samba_setuid(uid);
-#endif
-
-#if USE_SETREUID
-	samba_setregid(gid,gid);
-	samba_setgid(gid);
-	samba_setreuid(uid,uid);
-	samba_setuid(uid);
-#endif
-
-#if USE_SETEUID
-	samba_setegid(gid);
-	samba_setgid(gid);
-	samba_setuid(uid);
-	samba_seteuid(uid);
-	samba_setuid(uid);
-#endif
-
-#if USE_SETUIDX
-	samba_setgidx(ID_REAL, gid);
-	samba_setgidx(ID_EFFECTIVE, gid);
-	samba_setgid(gid);
-	samba_setuidx(ID_REAL, uid);
-	samba_setuidx(ID_EFFECTIVE, uid);
-	samba_setuid(uid);
-#endif
-	
-	assert_uid(uid, uid);
-	assert_gid(gid, gid);
-}
-
-/**********************************************************
- Function to set thread specific credentials. Leave
- saved-set uid/gid alone.Must be thread-safe code.
-**********************************************************/
-
-int set_thread_credentials(uid_t uid,
-			gid_t gid,
-			size_t setlen,
-			const gid_t *gidset)
-{
-#if defined(USE_LINUX_THREAD_CREDENTIALS)
-	/*
-	 * With Linux thread-specific credentials
-	 * we know we have setresuid/setresgid
-	 * available.
-	 */
-
-	/* Become root. */
-	/* Set ru=0, eu=0 */
-	if (samba_setresuid(0, 0, -1) != 0) {
-		return -1;
-	}
-	/* Set our primary gid. */
-	/* Set rg=gid, eg=gid */
-	if (samba_setresgid(gid, gid, -1) != 0) {
-		return -1;
-	}
-	/* Set extra groups list. */
-	if (samba_setgroups(setlen, gidset) != 0) {
-		return -1;
-	}
-	/* Become the requested user. */
-	/* Set ru=uid, eu=uid */
-	if (samba_setresuid(uid, uid, -1) != 0) {
-		return -1;
-	}
-	if (geteuid() != uid || getuid() != uid ||
-			getegid() != gid || getgid() != gid) {
-		smb_panic("set_thread_credentials failed\n");
-		return -1;
-	}
-	return 0;
-#else
-	errno = ENOSYS;
-	return -1;
-#endif
-}
-
-#ifdef AUTOCONF_TEST
-
-/****************************************************************************
-this function just checks that we don't get ENOSYS back
-****************************************************************************/
-static int have_syscall(void)
-{
-	errno = 0;
-
-#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
-	samba_setresuid(-1,-1,-1);
-#endif
-
-#if USE_SETREUID
-	samba_setreuid(-1,-1);
-#endif
-
-#if USE_SETEUID
-	samba_seteuid(-1);
-#endif
-
-#if USE_SETUIDX
-	samba_setuidx(ID_EFFECTIVE, -1);
-#endif
-
-	if (errno == ENOSYS) return -1;
-	
-	return 0;
-}
-
-main()
-{
-        if (getuid() != 0) {
-#if (defined(AIX) && defined(USE_SETREUID))
-		/* setreuid is badly broken on AIX 4.1, we avoid it completely */
-                fprintf(stderr,"avoiding possibly broken setreuid\n");
-		exit(1);
-#endif
-
-		/* if not running as root then at least check to see if we get ENOSYS - this 
-		   handles Linux 2.0.x with glibc 2.1 */
-                fprintf(stderr,"not running as root: checking for ENOSYS\n");
-		exit(have_syscall());
-	}
-
-	gain_root_privilege();
-	gain_root_group_privilege();
-	set_effective_gid(1);
-	set_effective_uid(1);
-	save_re_uid();
-	restore_re_uid();
-	gain_root_privilege();
-	gain_root_group_privilege();
-	become_user_permanently(1, 1);
-	samba_setuid(0);
-	if (getuid() == 0) {
-		fprintf(stderr,"uid not set permanently\n");
-		exit(1);
-	}
-
-	printf("OK\n");
-
-	exit(0);
-}
-#endif
-
-/****************************************************************************
-Check if we are setuid root.  Used in libsmb and smbpasswd paranoia checks.
-****************************************************************************/
-bool is_setuid_root(void) 
-{
-	return (geteuid() == (uid_t)0) && (getuid() != (uid_t)0);
-}
diff --git a/source3/wscript b/source3/wscript
index 4fe49fa..91f976a 100644
--- a/source3/wscript
+++ b/source3/wscript
@@ -964,7 +964,7 @@ syscall(SYS_setgroups32, 0, NULL);
                                 #define USE_LINUX_THREAD_CREDENTIALS 1
                                 #define USE_LINUX_32BIT_SYSCALLS 1
                                 #include "../lib/util/setid.c"
-                                #include "./lib/util_sec.c"
+                                #include "../lib/util/util_sec.c"
                                 ''',
                                 'USE_LINUX_THREAD_CREDENTIALS',
                                 addmain=False,
@@ -975,7 +975,7 @@ syscall(SYS_setgroups32, 0, NULL);
                                 #define AUTOCONF_TEST 1
                                 #define USE_LINUX_THREAD_CREDENTIALS 1
                                 #include "../lib/util/setid.c"
-                                #include "./lib/util_sec.c"
+                                #include "../lib/util/util_sec.c"
                                 ''',
                                 'USE_LINUX_THREAD_CREDENTIALS',
                                 addmain=False,
@@ -986,7 +986,7 @@ syscall(SYS_setgroups32, 0, NULL);
                                 #define AUTOCONF_TEST 1
                                 #define USE_SETREUID 1
                                 #include "../lib/util/setid.c"
-                                #include "./lib/util_sec.c"
+                                #include "../lib/util/util_sec.c"
                                 ''',
                                 'USE_SETREUID',
                                 addmain=False,
@@ -997,7 +997,7 @@ syscall(SYS_setgroups32, 0, NULL);
                                 #define AUTOCONF_TEST 1
                                 #define USE_SETRESUID 1
                                 #include "../lib/util/setid.c"
-                                #include "./lib/util_sec.c"
+                                #include "../lib/util/util_sec.c"
                                 ''',
                                 'USE_SETRESUID',
                                 addmain=False,
@@ -1008,7 +1008,7 @@ syscall(SYS_setgroups32, 0, NULL);
                                 #define AUTOCONF_TEST 1
                                 #define USE_SETEUID 1
                                 #include "../lib/util/setid.c"
-                                #include "./lib/util_sec.c"
+                                #include "../lib/util/util_sec.c"
                                 ''',
                                 'USE_SETEUID',
                                 addmain=False,
@@ -1019,7 +1019,7 @@ syscall(SYS_setgroups32, 0, NULL);
                                 #define AUTOCONF_TEST 1
                                 #define USE_SETUIDX 1
                                 #include "../lib/util/setid.c"
-                                #include "./lib/util_sec.c"
+                                #include "../lib/util/util_sec.c"
                                 ''',
                                 'USE_SETUIDX',
                                 addmain=False,
diff --git a/source3/wscript_build b/source3/wscript_build
index e9c2f91..a074148 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -772,7 +772,7 @@ bld.SAMBA3_SUBSYSTEM('tdb-wrap3',
                     deps='talloc samba3-util')
 
 bld.SAMBA3_LIBRARY('samba3-util',
-                   source='''lib/util_sec.c lib/util_str.c lib/adt_tree.c lib/util_malloc.c lib/memcache.c lib/namearray.c lib/file_id.c''',
+                   source='''lib/util_str.c lib/adt_tree.c lib/util_malloc.c lib/memcache.c lib/namearray.c lib/file_id.c''',
                    deps='samba-util charset',
                    private_library=True)
 
-- 
1.8.3.2


>From 3ae9f79f92c9b4bd91e113c754086a2148f44014 Mon Sep 17 00:00:00 2001
From: Christian Ambach <ambi at samba.org>
Date: Sun, 13 Apr 2014 13:22:34 +0200
Subject: [PATCH 2/8] lib/util: whitespace cleanup

Signed-off-by: Christian Ambach <ambi at samba.org>
---
 lib/util/util_sec.c | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/lib/util/util_sec.c b/lib/util/util_sec.c
index 9ccd04e..859b103 100644
--- a/lib/util/util_sec.c
+++ b/lib/util/util_sec.c
@@ -146,15 +146,15 @@ static void assert_gid(gid_t rgid, gid_t egid)
 }
 
 /****************************************************************************
- Gain root privilege before doing something. 
+ Gain root privilege before doing something.
  We want to end up with ruid==euid==0
 ****************************************************************************/
 void gain_root_privilege(void)
-{	
+{
 #if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
 	samba_setresuid(0,0,0);
 #endif
-    
+
 #if USE_SETEUID
 	samba_seteuid(0);
 #endif
@@ -207,7 +207,7 @@ void gain_root_group_privilege(void)
 /****************************************************************************
  Set effective uid, and possibly the real uid too.
  We want to end up with either:
-  
+
    ruid==uid and euid==uid
 
  or
@@ -219,7 +219,7 @@ void gain_root_group_privilege(void)
 void set_effective_uid(uid_t uid)
 {
 #if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
-        /* Set the effective as well as the real uid. */
+	/* Set the effective as well as the real uid. */
 	if (samba_setresuid(uid,uid,-1) == -1) {
 		if (errno == EAGAIN) {
 			DEBUG(0, ("samba_setresuid failed with EAGAIN. uid(%d) "
@@ -314,7 +314,7 @@ void restore_re_uid(void)
 }
 
 /****************************************************************************
- save the real and effective gid for later restoration. Used by the 
+ save the real and effective gid for later restoration. Used by the
  getgroups code
 ****************************************************************************/
 void save_re_gid(void)
@@ -425,7 +425,7 @@ void become_user_permanently(uid_t uid, gid_t gid)
 	samba_setuidx(ID_EFFECTIVE, uid);
 	samba_setuid(uid);
 #endif
-	
+
 	assert_uid(uid, uid);
 	assert_gid(gid, gid);
 }
@@ -504,22 +504,22 @@ static int have_syscall(void)
 #endif
 
 	if (errno == ENOSYS) return -1;
-	
+
 	return 0;
 }
 
 main()
 {
-        if (getuid() != 0) {
+	if (getuid() != 0) {
 #if (defined(AIX) && defined(USE_SETREUID))
 		/* setreuid is badly broken on AIX 4.1, we avoid it completely */
-                fprintf(stderr,"avoiding possibly broken setreuid\n");
+		fprintf(stderr,"avoiding possibly broken setreuid\n");
 		exit(1);
 #endif
 
 		/* if not running as root then at least check to see if we get ENOSYS - this 
 		   handles Linux 2.0.x with glibc 2.1 */
-                fprintf(stderr,"not running as root: checking for ENOSYS\n");
+		fprintf(stderr,"not running as root: checking for ENOSYS\n");
 		exit(have_syscall());
 	}
 
@@ -547,7 +547,7 @@ main()
 /****************************************************************************
 Check if we are setuid root.  Used in libsmb and smbpasswd paranoia checks.
 ****************************************************************************/
-bool is_setuid_root(void) 
+bool is_setuid_root(void)
 {
 	return (geteuid() == (uid_t)0) && (getuid() != (uid_t)0);
 }
-- 
1.8.3.2


>From fcdf4e8b32664a97b6dc4f13040af5c068b5c8c9 Mon Sep 17 00:00:00 2001
From: Christian Ambach <ambi at samba.org>
Date: Mon, 14 Apr 2014 22:11:12 +0200
Subject: [PATCH 3/8] s3:lib/afs move afs.c to common lib dir

some of the code in afs.c is needed by wbinfo that lives in the toplevel
nsswitch directory, so move the afs.c file to a new top-level lib/afs
directory

Signed-off-by: Christian Ambach <ambi at samba.org>
---
 lib/afs/afs.c                   | 310 ++++++++++++++++++++++++++++++++++++++++
 lib/afs/afs.h                   |  42 ++++++
 lib/afs/wscript_build           |   6 +
 source3/include/proto.h         |   6 -
 source3/lib/afs.c               | 309 ---------------------------------------
 source3/utils/net_afs.c         |   1 +
 source3/winbindd/winbindd_pam.c |   1 +
 source3/wscript_build           |   4 -
 wscript_build                   |   1 +
 9 files changed, 361 insertions(+), 319 deletions(-)
 create mode 100644 lib/afs/afs.c
 create mode 100644 lib/afs/afs.h
 create mode 100644 lib/afs/wscript_build
 delete mode 100644 source3/lib/afs.c

diff --git a/lib/afs/afs.c b/lib/afs/afs.c
new file mode 100644
index 0000000..5ad462b
--- /dev/null
+++ b/lib/afs/afs.c
@@ -0,0 +1,310 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  Generate AFS tickets
+ *  Copyright (C) Volker Lendecke 2003
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "lib/afs/afs.h"
+
+#ifdef WITH_FAKE_KASERVER
+
+#define NO_ASN1_TYPEDEFS 1
+
+#include "secrets.h"
+#include "passdb.h"
+#include "auth.h"
+#include "../librpc/gen_ndr/ndr_netlogon.h"
+
+#include <afs/param.h>
+#include <afs/stds.h>
+#include <afs/afs.h>
+#include <afs/auth.h>
+#include <afs/venus.h>
+#include <asm/unistd.h>
+#include <openssl/des.h>
+
+struct ClearToken {
+	uint32 AuthHandle;
+	char HandShakeKey[8];
+	uint32 ViceId;
+	uint32 BeginTimestamp;
+	uint32 EndTimestamp;
+};
+
+static char *afs_encode_token(const char *cell, const DATA_BLOB ticket,
+			      const struct ClearToken *ct)
+{
+	char *base64_ticket;
+	char *result = NULL;
+
+	DATA_BLOB key = data_blob(ct->HandShakeKey, 8);
+	char *base64_key;
+	TALLOC_CTX *mem_ctx;
+
+	mem_ctx = talloc_stackframe();
+	if (mem_ctx == NULL)
+		goto done;
+
+	base64_ticket = base64_encode_data_blob(mem_ctx, ticket);
+	if (base64_ticket == NULL)
+		goto done;
+
+	base64_key = base64_encode_data_blob(mem_ctx, key);
+	if (base64_key == NULL)
+		goto done;
+
+	asprintf(&result, "%s\n%u\n%s\n%u\n%u\n%u\n%s\n", cell,
+		 ct->AuthHandle, base64_key, ct->ViceId, ct->BeginTimestamp,
+		 ct->EndTimestamp, base64_ticket);
+
+	DEBUG(10, ("Got ticket string:\n%s\n", result));
+
+done:
+	TALLOC_FREE(mem_ctx);
+
+	return result;
+}
+
+/* Create a ClearToken and an encrypted ticket. ClearToken has not yet the
+ * ViceId set, this should be set by the caller. */
+
+static bool afs_createtoken(const char *username, const char *cell,
+			    DATA_BLOB *ticket, struct ClearToken *ct)
+{
+	fstring clear_ticket;
+	char *p = clear_ticket;
+	uint32 len;
+	uint32 now;
+
+	struct afs_key key;
+	des_key_schedule key_schedule;
+
+	if (!secrets_init())
+		return false;
+
+	if (!secrets_fetch_afs_key(cell, &key)) {
+		DEBUG(1, ("Could not fetch AFS service key\n"));
+		return false;
+	}
+
+	ct->AuthHandle = key.kvno;
+
+	/* Build the ticket. This is going to be encrypted, so in our
+	   way we fill in ct while we still have the unencrypted
+	   form. */
+
+	p = clear_ticket;
+
+	/* The byte-order */
+	*p = 1;
+	p += 1;
+
+	/* "Alice", the client username */
+	strncpy(p, username, sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
+	p += strlen(p)+1;
+	strncpy(p, "", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
+	p += strlen(p)+1;
+	strncpy(p, cell, sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
+	p += strlen(p)+1;
+
+	/* Alice's network layer address. At least Openafs-1.2.10
+	   ignores this, so we fill in a dummy value here. */
+	SIVAL(p, 0, 0);
+	p += 4;
+
+	/* We need to create a session key */
+	generate_random_buffer((uint8_t *)p, 8);
+
+	/* Our client code needs the the key in the clear, it does not
+	   know the server-key ... */
+	memcpy(ct->HandShakeKey, p, 8);
+
+	p += 8;
+
+	/* This is a kerberos 4 life time. The life time is expressed
+	 * in units of 5 minute intervals up to 38400 seconds, after
+	 * that a table is used up to lifetime 0xBF. Values between
+	 * 0xC0 and 0xFF is undefined. 0xFF is defined to be the
+	 * infinite time that never expire.
+	 *
+	 * So here we cheat and use the infinite time */
+	*p = 255;
+	p += 1;
+
+	/* Ticket creation time */
+	now = time(NULL);
+	SIVAL(p, 0, now);
+	ct->BeginTimestamp = now;
+
+	if(lp_afs_token_lifetime() == 0)
+		ct->EndTimestamp = NEVERDATE;
+	else
+		ct->EndTimestamp = now + lp_afs_token_lifetime();
+
+	if (((ct->EndTimestamp - ct->BeginTimestamp) & 1) == 1) {
+		ct->BeginTimestamp += 1; /* Lifetime must be even */
+	}
+	p += 4;
+
+	/* And here comes Bob's name and instance, in this case the
+	   AFS server. */
+	strncpy(p, "afs", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
+	p += strlen(p)+1;
+	strncpy(p, "", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
+	p += strlen(p)+1;
+
+	/* And zero-pad to a multiple of 8 bytes */
+	len = PTR_DIFF(p, clear_ticket);
+	if (len & 7) {
+		uint32 extra_space = 8-(len & 7);
+		memset(p, 0, extra_space);
+		p+=extra_space;
+	}
+	len = PTR_DIFF(p, clear_ticket);
+
+	des_key_sched((const_des_cblock *)key.key, key_schedule);
+	des_pcbc_encrypt((const unsigned char*) clear_ticket,
+			 (unsigned char*) clear_ticket,
+			 len, key_schedule, (C_Block *)key.key, 1);
+
+	ZERO_STRUCT(key);
+
+	*ticket = data_blob(clear_ticket, len);
+
+	return true;
+}
+
+char *afs_createtoken_str(const char *username, const char *cell)
+{
+	DATA_BLOB ticket;
+	struct ClearToken ct;
+	char *result;
+
+	if (!afs_createtoken(username, cell, &ticket, &ct))
+		return NULL;
+
+	result = afs_encode_token(cell, ticket, &ct);
+
+	data_blob_free(&ticket);
+
+	return result;
+}
+
+/*
+  This routine takes a radical approach completely bypassing the
+  Kerberos idea of security and using AFS simply as an intelligent
+  file backend. Samba has persuaded itself somehow that the user is
+  actually correctly identified and then we create a ticket that the
+  AFS server hopefully accepts using its KeyFile that the admin has
+  kindly stored to our secrets.tdb.
+
+  Thanks to the book "Network Security -- PRIVATE Communication in a
+  PUBLIC World" by Charlie Kaufman, Radia Perlman and Mike Speciner
+  Kerberos 4 tickets are not really hard to construct.
+
+  For the comments "Alice" is the User to be auth'ed, and "Bob" is the
+  AFS server.  */
+
+bool afs_login(connection_struct *conn)
+{
+	DATA_BLOB ticket;
+	char *afs_username = NULL;
+	char *cell = NULL;
+	bool result;
+	char *ticket_str = NULL;
+	const struct dom_sid *user_sid;
+	TALLOC_CTX *ctx = talloc_tos();
+
+	struct ClearToken ct;
+
+	afs_username = talloc_strdup(ctx,
+				lp_afs_username_map());
+	if (!afs_username) {
+		return false;
+	}
+
+	afs_username = talloc_sub_advanced(ctx,
+				lp_servicename(ctx, SNUM(conn)),
+				conn->session_info->unix_info->unix_name,
+				conn->connectpath,
+				conn->session_info->unix_token->gid,
+				conn->session_info->unix_info->sanitized_username,
+				conn->session_info->info->domain_name,
+				afs_username);
+	if (!afs_username) {
+		return false;
+	}
+
+	user_sid = &conn->session_info->security_token->sids[0];
+	afs_username = talloc_string_sub(talloc_tos(),
+					afs_username,
+					"%s",
+					sid_string_tos(user_sid));
+	if (!afs_username) {
+		return false;
+	}
+
+	/* The pts command always generates completely lower-case user
+	 * names. */
+	if (!strlower_m(afs_username)) {
+		return false;
+	}
+
+	cell = strchr(afs_username, '@');
+
+	if (cell == NULL) {
+		DEBUG(1, ("AFS username doesn't contain a @, "
+			  "could not find cell\n"));
+		return false;
+	}
+
+	*cell = '\0';
+	cell += 1;
+
+	DEBUG(10, ("Trying to log into AFS for user %s@%s\n",
+		   afs_username, cell));
+
+	if (!afs_createtoken(afs_username, cell, &ticket, &ct))
+		return false;
+
+	/* For which Unix-UID do we want to set the token? */
+	ct.ViceId = getuid();
+
+	ticket_str = afs_encode_token(cell, ticket, &ct);
+
+	result = afs_settoken_str(ticket_str);
+
+	SAFE_FREE(ticket_str);
+
+	data_blob_free(&ticket);
+
+	return result;
+}
+
+#else
+
+bool afs_login(connection_struct *conn)
+{
+	return true;
+}
+
+char *afs_createtoken_str(const char *username, const char *cell)
+{
+	return NULL;
+}
+
+#endif /* WITH_FAKE_KASERVER */
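Review bot: afs_createtoken() assembles the ticket in the fixed-size `fstring clear_ticket` without ever checking that username and cell fit. Each `strncpy(p, ..., sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1)` leaves its field unterminated when it truncates, so the following `p += strlen(p)+1` reads uninitialised stack, and the later SIVAL, generate_random_buffer, "afs" and padding writes are not bounded at all. The username is built from the session's user and domain names in afs_login() and handed in by callers of afs_createtoken_str(), so its length is not controlled here. Rejecting over-long input before the service key is fetched keeps every later write inside the buffer; besides the two strings the ticket needs 26 bytes of fixed fields and up to 7 bytes of padding. Separately, afs_encode_token() ignores the asprintf() result, logs the complete token (session key included) at debug level 10, and never frees its `data_blob(ct->HandShakeKey, 8)` copy.

```c
static bool afs_createtoken(const char *username, const char *cell,
			    DATA_BLOB *ticket, struct ClearToken *ct)
{
	/* ... unchanged: local declarations ... */
	/* byte-order, two string terminators, two empty instances,
	 * address, session key, lifetime, timestamp and "afs": 26 bytes;
	 * padding to a multiple of 8 adds at most 7 more */
	const size_t fixed_len = 26 + 7;

	if (strlen(username) + strlen(cell) + fixed_len > sizeof(clear_ticket)) {
		DEBUG(1, ("AFS username and cell do not fit into a ticket\n"));
		return false;
	}

	if (!secrets_init())
		return false;
	/* ... unchanged: key fetch, ticket assembly, encryption ... */
```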
diff --git a/lib/afs/afs.h b/lib/afs/afs.h
new file mode 100644
index 0000000..d905503
--- /dev/null
+++ b/lib/afs/afs.h
@@ -0,0 +1,42 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  Generate AFS tickets
+ *  Copyright (C) Volker Lendecke 2003
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef LIB_AFS_AFS_H
+#define LIB_AFS_AFS_H 1
+
+char *afs_createtoken_str(const char *username, const char *cell);
+
+/*
+  This routine takes a radical approach completely bypassing the
+  Kerberos idea of security and using AFS simply as an intelligent
+  file backend. Samba has persuaded itself somehow that the user is
+  actually correctly identified and then we create a ticket that the
+  AFS server hopefully accepts using its KeyFile that the admin has
+  kindly stored to our secrets.tdb.
+
+  Thanks to the book "Network Security -- PRIVATE Communication in a
+  PUBLIC World" by Charlie Kaufman, Radia Perlman and Mike Speciner
+  Kerberos 4 tickets are not really hard to construct.
+
+  For the comments "Alice" is the User to be auth'ed, and "Bob" is the
+  AFS server.  */
+
+bool afs_login(connection_struct *conn);
+
+#endif
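Review bot: afs_createtoken_str() is declared without any comment on who owns the returned string. In lib/afs/afs.c the string is produced by asprintf() and afs_login() releases it with SAFE_FREE, while the stub built without WITH_FAKE_KASERVER returns NULL, so callers outside source3 need both facts stated. A comment above the prototype such as `/* Returns a malloc'ed token string that the caller must free, or NULL on failure or when built without WITH_FAKE_KASERVER. */` would cover it. The header also uses `bool` and `connection_struct` without including or forward-declaring anything, so it presumably only compiles when includes.h has been included first.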
diff --git a/lib/afs/wscript_build b/lib/afs/wscript_build
new file mode 100644
index 0000000..6ea9fd3
--- /dev/null
+++ b/lib/afs/wscript_build
@@ -0,0 +1,6 @@
+#!/usr/bin/env python
+
+bld.SAMBA3_SUBSYSTEM('LIBAFS',
+                    source='afs.c',
+                    deps='samba-util LIBAFS_SETTOKEN')
+
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 46d12a4..e494615 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -35,12 +35,6 @@ bool allow_access(const char **deny_list,
 
 /* The following definitions come from lib/adt_tree.c  */
 
-
-/* The following definitions come from lib/afs.c  */
-
-char *afs_createtoken_str(const char *username, const char *cell);
-bool afs_login(connection_struct *conn);
-
 /* The following definitions come from lib/afs_settoken.c  */
 
 int afs_syscall(int subcall, const char *path, int cmd, char *cmarg, int follow);
diff --git a/source3/lib/afs.c b/source3/lib/afs.c
deleted file mode 100644
index 2d77526..0000000
--- a/source3/lib/afs.c
+++ /dev/null
@@ -1,309 +0,0 @@
-/*
- *  Unix SMB/CIFS implementation.
- *  Generate AFS tickets
- *  Copyright (C) Volker Lendecke 2003
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 3 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License
- *  along with this program; if not, see <http://www.gnu.org/licenses/>.
- */
-
-#include "includes.h"
-
-#ifdef WITH_FAKE_KASERVER
-
-#define NO_ASN1_TYPEDEFS 1
-
-#include "secrets.h"
-#include "passdb.h"
-#include "auth.h"
-#include "../librpc/gen_ndr/ndr_netlogon.h"
-
-#include <afs/param.h>
-#include <afs/stds.h>
-#include <afs/afs.h>
-#include <afs/auth.h>
-#include <afs/venus.h>
-#include <asm/unistd.h>
-#include <openssl/des.h>
-
-struct ClearToken {
-	uint32 AuthHandle;
-	char HandShakeKey[8];
-	uint32 ViceId;
-	uint32 BeginTimestamp;
-	uint32 EndTimestamp;
-};
-
-static char *afs_encode_token(const char *cell, const DATA_BLOB ticket,
-			      const struct ClearToken *ct)
-{
-	char *base64_ticket;
-	char *result = NULL;
-
-	DATA_BLOB key = data_blob(ct->HandShakeKey, 8);
-	char *base64_key;
-	TALLOC_CTX *mem_ctx;
-
-	mem_ctx = talloc_stackframe();
-	if (mem_ctx == NULL)
-		goto done;
-
-	base64_ticket = base64_encode_data_blob(mem_ctx, ticket);
-	if (base64_ticket == NULL)
-		goto done;
-
-	base64_key = base64_encode_data_blob(mem_ctx, key);
-	if (base64_key == NULL)
-		goto done;
-
-	asprintf(&result, "%s\n%u\n%s\n%u\n%u\n%u\n%s\n", cell,
-		 ct->AuthHandle, base64_key, ct->ViceId, ct->BeginTimestamp,
-		 ct->EndTimestamp, base64_ticket);
-
-	DEBUG(10, ("Got ticket string:\n%s\n", result));
-
-done:
-	TALLOC_FREE(mem_ctx);
-
-	return result;
-}
-
-/* Create a ClearToken and an encrypted ticket. ClearToken has not yet the
- * ViceId set, this should be set by the caller. */
-
-static bool afs_createtoken(const char *username, const char *cell,
-			    DATA_BLOB *ticket, struct ClearToken *ct)
-{
-	fstring clear_ticket;
-	char *p = clear_ticket;
-	uint32 len;
-	uint32 now;
-
-	struct afs_key key;
-	des_key_schedule key_schedule;
-
-	if (!secrets_init()) 
-		return false;
-
-	if (!secrets_fetch_afs_key(cell, &key)) {
-		DEBUG(1, ("Could not fetch AFS service key\n"));
-		return false;
-	}
-
-	ct->AuthHandle = key.kvno;
-
-	/* Build the ticket. This is going to be encrypted, so in our
-           way we fill in ct while we still have the unencrypted
-           form. */
-
-	p = clear_ticket;
-
-	/* The byte-order */
-	*p = 1;
-	p += 1;
-
-	/* "Alice", the client username */
-	strncpy(p, username, sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
-	p += strlen(p)+1;
-	strncpy(p, "", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
-	p += strlen(p)+1;
-	strncpy(p, cell, sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
-	p += strlen(p)+1;
-
-	/* Alice's network layer address. At least Openafs-1.2.10
-           ignores this, so we fill in a dummy value here. */
-	SIVAL(p, 0, 0);
-	p += 4;
-
-	/* We need to create a session key */
-	generate_random_buffer((uint8_t *)p, 8);
-
-	/* Our client code needs the the key in the clear, it does not
-           know the server-key ... */
-	memcpy(ct->HandShakeKey, p, 8);
-
-	p += 8;
-
-	/* This is a kerberos 4 life time. The life time is expressed
-	 * in units of 5 minute intervals up to 38400 seconds, after
-	 * that a table is used up to lifetime 0xBF. Values between
-	 * 0xC0 and 0xFF is undefined. 0xFF is defined to be the
-	 * infinite time that never expire.
-	 *
-	 * So here we cheat and use the infinite time */
-	*p = 255;
-	p += 1;
-
-	/* Ticket creation time */
-	now = time(NULL);
-	SIVAL(p, 0, now);
-	ct->BeginTimestamp = now;
-
-	if(lp_afs_token_lifetime() == 0)
-		ct->EndTimestamp = NEVERDATE;
-	else
-		ct->EndTimestamp = now + lp_afs_token_lifetime();
-
-	if (((ct->EndTimestamp - ct->BeginTimestamp) & 1) == 1) {
-		ct->BeginTimestamp += 1; /* Lifetime must be even */
-	}
-	p += 4;
-
-	/* And here comes Bob's name and instance, in this case the
-           AFS server. */
-	strncpy(p, "afs", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
-	p += strlen(p)+1;
-	strncpy(p, "", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
-	p += strlen(p)+1;
-
-	/* And zero-pad to a multiple of 8 bytes */
-	len = PTR_DIFF(p, clear_ticket);
-	if (len & 7) {
-		uint32 extra_space = 8-(len & 7);
-		memset(p, 0, extra_space);
-		p+=extra_space;
-	}
-	len = PTR_DIFF(p, clear_ticket);
-
-	des_key_sched((const_des_cblock *)key.key, key_schedule);
-	des_pcbc_encrypt((const unsigned char*) clear_ticket,
-			 (unsigned char*) clear_ticket,
-			 len, key_schedule, (C_Block *)key.key, 1);
-
-	ZERO_STRUCT(key);
-
-	*ticket = data_blob(clear_ticket, len);
-
-	return true;
-}
-
-char *afs_createtoken_str(const char *username, const char *cell)
-{
-	DATA_BLOB ticket;
-	struct ClearToken ct;
-	char *result;
-
-	if (!afs_createtoken(username, cell, &ticket, &ct))
-		return NULL;
-
-	result = afs_encode_token(cell, ticket, &ct);
-
-	data_blob_free(&ticket);
-
-	return result;
-}
-
-/*
-  This routine takes a radical approach completely bypassing the
-  Kerberos idea of security and using AFS simply as an intelligent
-  file backend. Samba has persuaded itself somehow that the user is
-  actually correctly identified and then we create a ticket that the
-  AFS server hopefully accepts using its KeyFile that the admin has
-  kindly stored to our secrets.tdb.
-
-  Thanks to the book "Network Security -- PRIVATE Communication in a
-  PUBLIC World" by Charlie Kaufman, Radia Perlman and Mike Speciner
-  Kerberos 4 tickets are not really hard to construct.
-
-  For the comments "Alice" is the User to be auth'ed, and "Bob" is the
-  AFS server.  */
-
-bool afs_login(connection_struct *conn)
-{
-	DATA_BLOB ticket;
-	char *afs_username = NULL;
-	char *cell = NULL;
-	bool result;
-	char *ticket_str = NULL;
-	const struct dom_sid *user_sid;
-	TALLOC_CTX *ctx = talloc_tos();
-
-	struct ClearToken ct;
-
-	afs_username = talloc_strdup(ctx,
-				lp_afs_username_map());
-	if (!afs_username) {
-		return false;
-	}
-
-	afs_username = talloc_sub_advanced(ctx,
-				lp_servicename(ctx, SNUM(conn)),
-				conn->session_info->unix_info->unix_name,
-				conn->connectpath,
-				conn->session_info->unix_token->gid,
-				conn->session_info->unix_info->sanitized_username,
-				conn->session_info->info->domain_name,
-				afs_username);
-	if (!afs_username) {
-		return false;
-	}
-
-	user_sid = &conn->session_info->security_token->sids[0];
-	afs_username = talloc_string_sub(talloc_tos(),
-					afs_username,
-					"%s",
-					sid_string_tos(user_sid));
-	if (!afs_username) {
-		return false;
-	}
-
-	/* The pts command always generates completely lower-case user
-	 * names. */
-	if (!strlower_m(afs_username)) {
-		return false;
-	}
-
-	cell = strchr(afs_username, '@');
-
-	if (cell == NULL) {
-		DEBUG(1, ("AFS username doesn't contain a @, "
-			  "could not find cell\n"));
-		return false;
-	}
-
-	*cell = '\0';
-	cell += 1;
-
-	DEBUG(10, ("Trying to log into AFS for user %s@%s\n",
-		   afs_username, cell));
-
-	if (!afs_createtoken(afs_username, cell, &ticket, &ct))
-		return false;
-
-	/* For which Unix-UID do we want to set the token? */
-	ct.ViceId = getuid();
-
-	ticket_str = afs_encode_token(cell, ticket, &ct);
-
-	result = afs_settoken_str(ticket_str);
-
-	SAFE_FREE(ticket_str);
-
-	data_blob_free(&ticket);
-
-	return result;
-}
-
-#else
-
-bool afs_login(connection_struct *conn)
-{
-	return true;
-}
-
-char *afs_createtoken_str(const char *username, const char *cell)
-{
-	return NULL;
-}
-
-#endif /* WITH_FAKE_KASERVER */
diff --git a/source3/utils/net_afs.c b/source3/utils/net_afs.c
index 3c7f282..b0a22b8 100644
--- a/source3/utils/net_afs.c
+++ b/source3/utils/net_afs.c
@@ -22,6 +22,7 @@
 #include "utils/net_afs.h"
 #include "secrets.h"
 #include "system/filesys.h"
+#include "lib/afs/afs.h"
 
 int net_afs_usage(struct net_context *c, int argc, const char **argv)
 {
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 415dc79..1fd3e8a 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -41,6 +41,7 @@
 #include "auth/kerberos/pac_utils.h"
 #include "auth/gensec/gensec.h"
 #include "librpc/crypto/gse_krb5.h"
+#include "lib/afs/afs.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND
diff --git a/source3/wscript_build b/source3/wscript_build
index a074148..211b069 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -471,10 +471,6 @@ bld.SAMBA3_SUBSYSTEM('LIBAFS_SETTOKEN',
                     source='lib/afs_settoken.c',
                     deps='samba-util')
 
-bld.SAMBA3_SUBSYSTEM('LIBAFS',
-                    source='lib/afs.c',
-                    deps='samba-util LIBAFS_SETTOKEN')
-
 bld.SAMBA3_LIBRARY('smbconf',
                    source='''lib/smbconf/smbconf_init.c
                    lib/smbconf/smbconf_reg.c''',
diff --git a/wscript_build b/wscript_build
index 9228d15..59ba354 100644
--- a/wscript_build
+++ b/wscript_build
@@ -74,6 +74,7 @@ bld.RECURSE('lib/uid_wrapper')
 bld.RECURSE('lib/popt')
 bld.RECURSE('lib/iniparser/src')
 bld.RECURSE('source4/lib/stream')
+bld.RECURSE('lib/afs')
 bld.RECURSE('lib/util')
 bld.RECURSE('lib/tdb_wrap')
 bld.RECURSE('lib/tdr')
-- 
1.8.3.2


>From f953dc84855de1e0585d48cf69abd6d5ea4e97c1 Mon Sep 17 00:00:00 2001
From: Christian Ambach <ambi at samba.org>
Date: Mon, 14 Apr 2014 22:35:21 +0200
Subject: [PATCH 4/8] s3:lib/afs move afs_settoken.c to common lib dir

Signed-off-by: Christian Ambach <ambi at samba.org>
---
 lib/afs/afs_settoken.c     | 263 +++++++++++++++++++++++++++++++++++++++++++++
 lib/afs/afs_settoken.h     |  21 ++++
 lib/afs/wscript_build      |   4 +
 nsswitch/wbinfo.c          |   1 +
 source3/include/proto.h    |   5 -
 source3/lib/afs_settoken.c | 262 --------------------------------------------
 source3/utils/net_afs.c    |   1 +
 source3/wscript_build      |   4 -
 8 files changed, 290 insertions(+), 271 deletions(-)
 create mode 100644 lib/afs/afs_settoken.c
 create mode 100644 lib/afs/afs_settoken.h
 delete mode 100644 source3/lib/afs_settoken.c

diff --git a/lib/afs/afs_settoken.c b/lib/afs/afs_settoken.c
new file mode 100644
index 0000000..18ad302
--- /dev/null
+++ b/lib/afs/afs_settoken.c
@@ -0,0 +1,263 @@
+/* 
+ *  Unix SMB/CIFS implementation.
+ *  Generate AFS tickets
+ *  Copyright (C) Volker Lendecke 2004
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *  
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *  
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "lib/afs/afs_settoken.h"
+
+#ifdef WITH_FAKE_KASERVER
+
+#define NO_ASN1_TYPEDEFS 1
+
+#include "system/filesys.h"
+
+#include <afs/param.h>
+#include <afs/stds.h>
+#include <afs/afs.h>
+#include <afs/auth.h>
+#include <afs/venus.h>
+#include <asm/unistd.h>
+#include <openssl/des.h>
+#include <sys/syscall.h>
+
+int afs_syscall(int subcall, const char *path, int cmd, char *cmarg, int follow)
+{
+/*
+	return( syscall( SYS_afs_syscall, subcall, path, cmd, cmarg, follow));
+*/
+	int errcode;
+	int proc_afs_file;
+	struct afsprocdata afs_syscall_data;
+	afs_syscall_data.syscall = subcall;
+	afs_syscall_data.param1 = (long)path;
+	afs_syscall_data.param2 = cmd;
+	afs_syscall_data.param3 = (long)cmarg;
+	afs_syscall_data.param4 = follow;
+	proc_afs_file = open(PROC_SYSCALL_FNAME, O_RDWR);
+	if (proc_afs_file < 0)
+		proc_afs_file = open(PROC_SYSCALL_ARLA_FNAME, O_RDWR);
+	if (proc_afs_file < 0)
+		return -1;
+	errcode = ioctl(proc_afs_file, VIOC_SYSCALL, &afs_syscall_data);
+	close(proc_afs_file);
+	return errcode;
+}
+
+struct ClearToken {
+	uint32 AuthHandle;
+	char HandShakeKey[8];
+	uint32 ViceId;
+	uint32 BeginTimestamp;
+	uint32 EndTimestamp;
+};
+
+static bool afs_decode_token(const char *string, char **cell,
+			     DATA_BLOB *ticket, struct ClearToken *ct)
+{
+	DATA_BLOB blob;
+	struct ClearToken result_ct;
+	char *saveptr;
+
+	char *s = SMB_STRDUP(string);
+
+	char *t;
+
+	if ((t = strtok_r(s, "\n", &saveptr)) == NULL) {
+		DEBUG(10, ("strtok_r failed\n"));
+		return false;
+	}
+
+	*cell = SMB_STRDUP(t);
+
+	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
+		DEBUG(10, ("strtok_r failed\n"));
+		return false;
+	}
+
+	if (sscanf(t, "%u", &result_ct.AuthHandle) != 1) {
+		DEBUG(10, ("sscanf AuthHandle failed\n"));
+		return false;
+	}
+		
+	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
+		DEBUG(10, ("strtok_r failed\n"));
+		return false;
+	}
+
+	blob = base64_decode_data_blob(t);
+
+	if ( (blob.data == NULL) ||
+	     (blob.length != sizeof(result_ct.HandShakeKey) )) {
+		DEBUG(10, ("invalid key: %x/%lu\n", (uint8_t)*blob.data,
+			   (unsigned long) blob.length));
+		return false;
+	}
+
+	memcpy(result_ct.HandShakeKey, blob.data, blob.length);
+
+	data_blob_free(&blob);
+
+	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
+		DEBUG(10, ("strtok_r failed\n"));
+		return false;
+	}
+
+	if (sscanf(t, "%u", &result_ct.ViceId) != 1) {
+		DEBUG(10, ("sscanf ViceId failed\n"));
+		return false;
+	}
+		
+	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
+		DEBUG(10, ("strtok_r failed\n"));
+		return false;
+	}
+
+	if (sscanf(t, "%u", &result_ct.BeginTimestamp) != 1) {
+		DEBUG(10, ("sscanf BeginTimestamp failed\n"));
+		return false;
+	}
+		
+	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
+		DEBUG(10, ("strtok_r failed\n"));
+		return false;
+	}
+
+	if (sscanf(t, "%u", &result_ct.EndTimestamp) != 1) {
+		DEBUG(10, ("sscanf EndTimestamp failed\n"));
+		return false;
+	}
+		
+	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
+		DEBUG(10, ("strtok_r failed\n"));
+		return false;
+	}
+
+	blob = base64_decode_data_blob(t);
+
+	if (blob.data == NULL) {
+		DEBUG(10, ("Could not get ticket\n"));
+		return false;
+	}
+
+	*ticket = blob;
+	*ct = result_ct;
+
+	return true;
+}
+
+/*
+  Put an AFS token into the Kernel so that it can authenticate against
+  the AFS server. This assumes correct local uid settings.
+
+  This is currently highly Linux and OpenAFS-specific. The correct API
+  call for this would be ktc_SetToken. But to do that we would have to
+  import a REALLY big bunch of libraries which I would currently like
+  to avoid. 
+*/
+
+static bool afs_settoken(const char *cell,
+			 const struct ClearToken *ctok,
+			 DATA_BLOB ticket)
+{
+	int ret;
+	struct {
+		char *in, *out;
+		uint16 in_size, out_size;
+	} iob;
+
+	char buf[1024];
+	char *p = buf;
+	int tmp;
+
+	memcpy(p, &ticket.length, sizeof(uint32));
+	p += sizeof(uint32);
+	memcpy(p, ticket.data, ticket.length);
+	p += ticket.length;
+
+	tmp = sizeof(struct ClearToken);
+	memcpy(p, &tmp, sizeof(uint32));
+	p += sizeof(uint32);
+	memcpy(p, ctok, tmp);
+	p += tmp;
+
+	tmp = 0;
+
+	memcpy(p, &tmp, sizeof(uint32));
+	p += sizeof(uint32);
+
+	tmp = strlen(cell);
+	if (tmp >= MAXKTCREALMLEN) {
+		DEBUG(1, ("Realm too long\n"));
+		return false;
+	}
+
+	strncpy(p, cell, tmp);
+	p += tmp;
+	*p = 0;
+	p +=1;
+
+	iob.in = buf;
+	iob.in_size = PTR_DIFF(p,buf);
+	iob.out = buf;
+	iob.out_size = sizeof(buf);
+
+#if 0
+	file_save("/tmp/ioctlbuf", iob.in, iob.in_size);
+#endif
+
+	ret = afs_syscall(AFSCALL_PIOCTL, 0, VIOCSETTOK, (char *)&iob, 0);
+
+	DEBUG(10, ("afs VIOCSETTOK returned %d\n", ret));
+	return (ret == 0);
+}
+
+bool afs_settoken_str(const char *token_string)
+{
+	DATA_BLOB ticket;
+	struct ClearToken ct;
+	bool result;
+	char *cell;
+
+	if (!afs_decode_token(token_string, &cell, &ticket, &ct))
+		return false;
+
+	if (geteuid() != sec_initial_uid())
+		ct.ViceId = getuid();
+
+	result = afs_settoken(cell, &ct, ticket);
+
+	SAFE_FREE(cell);
+	data_blob_free(&ticket);
+
+	return result;
+}
+
+#else
+
+int afs_syscall(int subcall, const char *path, int cmd, char *cmarg, int follow)
+{
+	errno = ENOSYS;
+	return -1;
+}
+
+bool afs_settoken_str(const char *token_string)
+{
+	return false;
+}
+
+#endif
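Review bot: In afs_settoken the decoded ticket is copied into the 1024-byte stack buffer `buf` with `memcpy(p, ticket.data, ticket.length)` and nothing bounds `ticket.length`, so an oversized ticket in the token string writes past the end of `buf`; the realm length check only runs after those writes. The total encoded size should be validated before the first memcpy, with the function returning false when it does not fit, as sketched below. The length prefix is also copied straight from `&ticket.length`, which is a size_t, so on a big-endian 64-bit host the four bytes copied are not the length; copying from a uint32 local avoids that. Separately, the `invalid key` DEBUG in afs_decode_token dereferences `blob.data` on the branch where it may be NULL, and `s`, `*cell` and `blob` are not released on the error returns.

```c
	/* in afs_settoken(), after the existing local declarations */
	size_t cell_len = strlen(cell);
	size_t fixed_len = 3 * sizeof(uint32) + sizeof(struct ClearToken)
			   + cell_len + 1;
	uint32 ticket_len;

	if (cell_len >= MAXKTCREALMLEN) {
		DEBUG(1, ("Realm too long\n"));
		return false;
	}

	/* Reject anything that would not fit in buf before writing to it. */
	if (fixed_len > sizeof(buf) ||
	    ticket.length > sizeof(buf) - fixed_len) {
		DEBUG(1, ("Ticket too long\n"));
		return false;
	}

	ticket_len = (uint32)ticket.length;
	memcpy(p, &ticket_len, sizeof(uint32));
	p += sizeof(uint32);
	/* ... unchanged: ticket data, ClearToken and zero-word copies ... */

	memcpy(p, cell, cell_len);
	p += cell_len;
	*p = 0;
	p += 1;
	/* ... unchanged: iob setup and VIOCSETTOK call ... */
```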
diff --git a/lib/afs/afs_settoken.h b/lib/afs/afs_settoken.h
new file mode 100644
index 0000000..d6cc462
--- /dev/null
+++ b/lib/afs/afs_settoken.h
@@ -0,0 +1,21 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  Generate AFS tickets
+ *  Copyright (C) Volker Lendecke 2004
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+int afs_syscall(int subcall, const char *path, int cmd, char *cmarg, int follow);
+bool afs_settoken_str(const char *token_string);
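Review bot: The new header has no include guard and is not self-contained: it uses `bool` but includes nothing, so it compiles only when the includer has already pulled in a definition (wbinfo.c and net_afs.c both add it after their other includes). Wrapping the two prototypes in `#ifndef LIB_AFS_AFS_SETTOKEN_H` / `#define LIB_AFS_AFS_SETTOKEN_H` / `#endif` and including `<stdbool.h>`, or whichever project header defines `bool`, would fix both. A short comment on each prototype would also help callers: per afs_settoken.c, in a build without WITH_FAKE_KASERVER `afs_syscall` returns -1 with errno set to ENOSYS and `afs_settoken_str` always returns false.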
diff --git a/lib/afs/wscript_build b/lib/afs/wscript_build
index 6ea9fd3..a1bb5bc 100644
--- a/lib/afs/wscript_build
+++ b/lib/afs/wscript_build
@@ -4,3 +4,7 @@ bld.SAMBA3_SUBSYSTEM('LIBAFS',
                     source='afs.c',
                     deps='samba-util LIBAFS_SETTOKEN')
 
+bld.SAMBA3_SUBSYSTEM('LIBAFS_SETTOKEN',
+                    source='afs_settoken.c',
+                    deps='samba-util')
+
diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
index bc25a17..a3e6451 100644
--- a/nsswitch/wbinfo.c
+++ b/nsswitch/wbinfo.c
@@ -27,6 +27,7 @@
 #include "lib/popt/popt.h"
 #include "../libcli/auth/libcli_auth.h"
 #include "lib/cmdline/popt_common.h"
+#include "lib/afs/afs_settoken.h"
 
 #ifdef DBGC_CLASS
 #undef DBGC_CLASS
diff --git a/source3/include/proto.h b/source3/include/proto.h
index e494615..3127dfb 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -35,11 +35,6 @@ bool allow_access(const char **deny_list,
 
 /* The following definitions come from lib/adt_tree.c  */
 
-/* The following definitions come from lib/afs_settoken.c  */
-
-int afs_syscall(int subcall, const char *path, int cmd, char *cmarg, int follow);
-bool afs_settoken_str(const char *token_string);
-
 /* The following definitions come from lib/audit.c  */
 
 const char *audit_category_str(uint32 category);
diff --git a/source3/lib/afs_settoken.c b/source3/lib/afs_settoken.c
deleted file mode 100644
index 7aff55f..0000000
--- a/source3/lib/afs_settoken.c
+++ /dev/null
@@ -1,262 +0,0 @@
-/* 
- *  Unix SMB/CIFS implementation.
- *  Generate AFS tickets
- *  Copyright (C) Volker Lendecke 2004
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 3 of the License, or
- *  (at your option) any later version.
- *  
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *  
- *  You should have received a copy of the GNU General Public License
- *  along with this program; if not, see <http://www.gnu.org/licenses/>.
- */
-
-#include "includes.h"
-
-#ifdef WITH_FAKE_KASERVER
-
-#define NO_ASN1_TYPEDEFS 1
-
-#include "system/filesys.h"
-
-#include <afs/param.h>
-#include <afs/stds.h>
-#include <afs/afs.h>
-#include <afs/auth.h>
-#include <afs/venus.h>
-#include <asm/unistd.h>
-#include <openssl/des.h>
-#include <sys/syscall.h>
-
-int afs_syscall(int subcall, const char *path, int cmd, char *cmarg, int follow)
-{
-/*
-	return( syscall( SYS_afs_syscall, subcall, path, cmd, cmarg, follow));
-*/
-	int errcode;
-	int proc_afs_file;
-	struct afsprocdata afs_syscall_data;
-	afs_syscall_data.syscall = subcall;
-	afs_syscall_data.param1 = (long)path;
-	afs_syscall_data.param2 = cmd;
-	afs_syscall_data.param3 = (long)cmarg;
-	afs_syscall_data.param4 = follow;
-	proc_afs_file = open(PROC_SYSCALL_FNAME, O_RDWR);
-	if (proc_afs_file < 0)
-		proc_afs_file = open(PROC_SYSCALL_ARLA_FNAME, O_RDWR);
-	if (proc_afs_file < 0)
-		return -1;
-	errcode = ioctl(proc_afs_file, VIOC_SYSCALL, &afs_syscall_data);
-	close(proc_afs_file);
-	return errcode;
-}
-
-struct ClearToken {
-	uint32 AuthHandle;
-	char HandShakeKey[8];
-	uint32 ViceId;
-	uint32 BeginTimestamp;
-	uint32 EndTimestamp;
-};
-
-static bool afs_decode_token(const char *string, char **cell,
-			     DATA_BLOB *ticket, struct ClearToken *ct)
-{
-	DATA_BLOB blob;
-	struct ClearToken result_ct;
-	char *saveptr;
-
-	char *s = SMB_STRDUP(string);
-
-	char *t;
-
-	if ((t = strtok_r(s, "\n", &saveptr)) == NULL) {
-		DEBUG(10, ("strtok_r failed\n"));
-		return false;
-	}
-
-	*cell = SMB_STRDUP(t);
-
-	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
-		DEBUG(10, ("strtok_r failed\n"));
-		return false;
-	}
-
-	if (sscanf(t, "%u", &result_ct.AuthHandle) != 1) {
-		DEBUG(10, ("sscanf AuthHandle failed\n"));
-		return false;
-	}
-		
-	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
-		DEBUG(10, ("strtok_r failed\n"));
-		return false;
-	}
-
-	blob = base64_decode_data_blob(t);
-
-	if ( (blob.data == NULL) ||
-	     (blob.length != sizeof(result_ct.HandShakeKey) )) {
-		DEBUG(10, ("invalid key: %x/%lu\n", (uint8_t)*blob.data,
-			   (unsigned long) blob.length));
-		return false;
-	}
-
-	memcpy(result_ct.HandShakeKey, blob.data, blob.length);
-
-	data_blob_free(&blob);
-
-	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
-		DEBUG(10, ("strtok_r failed\n"));
-		return false;
-	}
-
-	if (sscanf(t, "%u", &result_ct.ViceId) != 1) {
-		DEBUG(10, ("sscanf ViceId failed\n"));
-		return false;
-	}
-		
-	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
-		DEBUG(10, ("strtok_r failed\n"));
-		return false;
-	}
-
-	if (sscanf(t, "%u", &result_ct.BeginTimestamp) != 1) {
-		DEBUG(10, ("sscanf BeginTimestamp failed\n"));
-		return false;
-	}
-		
-	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
-		DEBUG(10, ("strtok_r failed\n"));
-		return false;
-	}
-
-	if (sscanf(t, "%u", &result_ct.EndTimestamp) != 1) {
-		DEBUG(10, ("sscanf EndTimestamp failed\n"));
-		return false;
-	}
-		
-	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
-		DEBUG(10, ("strtok_r failed\n"));
-		return false;
-	}
-
-	blob = base64_decode_data_blob(t);
-
-	if (blob.data == NULL) {
-		DEBUG(10, ("Could not get ticket\n"));
-		return false;
-	}
-
-	*ticket = blob;
-	*ct = result_ct;
-
-	return true;
-}
-
-/*
-  Put an AFS token into the Kernel so that it can authenticate against
-  the AFS server. This assumes correct local uid settings.
-
-  This is currently highly Linux and OpenAFS-specific. The correct API
-  call for this would be ktc_SetToken. But to do that we would have to
-  import a REALLY big bunch of libraries which I would currently like
-  to avoid. 
-*/
-
-static bool afs_settoken(const char *cell,
-			 const struct ClearToken *ctok,
-			 DATA_BLOB ticket)
-{
-	int ret;
-	struct {
-		char *in, *out;
-		uint16 in_size, out_size;
-	} iob;
-
-	char buf[1024];
-	char *p = buf;
-	int tmp;
-
-	memcpy(p, &ticket.length, sizeof(uint32));
-	p += sizeof(uint32);
-	memcpy(p, ticket.data, ticket.length);
-	p += ticket.length;
-
-	tmp = sizeof(struct ClearToken);
-	memcpy(p, &tmp, sizeof(uint32));
-	p += sizeof(uint32);
-	memcpy(p, ctok, tmp);
-	p += tmp;
-
-	tmp = 0;
-
-	memcpy(p, &tmp, sizeof(uint32));
-	p += sizeof(uint32);
-
-	tmp = strlen(cell);
-	if (tmp >= MAXKTCREALMLEN) {
-		DEBUG(1, ("Realm too long\n"));
-		return false;
-	}
-
-	strncpy(p, cell, tmp);
-	p += tmp;
-	*p = 0;
-	p +=1;
-
-	iob.in = buf;
-	iob.in_size = PTR_DIFF(p,buf);
-	iob.out = buf;
-	iob.out_size = sizeof(buf);
-
-#if 0
-	file_save("/tmp/ioctlbuf", iob.in, iob.in_size);
-#endif
-
-	ret = afs_syscall(AFSCALL_PIOCTL, 0, VIOCSETTOK, (char *)&iob, 0);
-
-	DEBUG(10, ("afs VIOCSETTOK returned %d\n", ret));
-	return (ret == 0);
-}
-
-bool afs_settoken_str(const char *token_string)
-{
-	DATA_BLOB ticket;
-	struct ClearToken ct;
-	bool result;
-	char *cell;
-
-	if (!afs_decode_token(token_string, &cell, &ticket, &ct))
-		return false;
-
-	if (geteuid() != sec_initial_uid())
-		ct.ViceId = getuid();
-
-	result = afs_settoken(cell, &ct, ticket);
-
-	SAFE_FREE(cell);
-	data_blob_free(&ticket);
-
-	return result;
-}
-
-#else
-
-int afs_syscall(int subcall, const char *path, int cmd, char *cmarg, int follow)
-{
-	errno = ENOSYS;
-	return -1;
-}
-
-bool afs_settoken_str(const char *token_string)
-{
-	return false;
-}
-
-#endif
diff --git a/source3/utils/net_afs.c b/source3/utils/net_afs.c
index b0a22b8..f1098f2 100644
--- a/source3/utils/net_afs.c
+++ b/source3/utils/net_afs.c
@@ -23,6 +23,7 @@
 #include "secrets.h"
 #include "system/filesys.h"
 #include "lib/afs/afs.h"
+#include "lib/afs/afs_settoken.h"
 
 int net_afs_usage(struct net_context *c, int argc, const char **argv)
 {
diff --git a/source3/wscript_build b/source3/wscript_build
index 211b069..f7ebfc9 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -467,10 +467,6 @@ bld.SAMBA3_SUBSYSTEM('LIBADS_PRINTER',
                     source='libads/ldap_printer.c',
                     deps='samba-util krb5samba')
 
-bld.SAMBA3_SUBSYSTEM('LIBAFS_SETTOKEN',
-                    source='lib/afs_settoken.c',
-                    deps='samba-util')
-
 bld.SAMBA3_LIBRARY('smbconf',
                    source='''lib/smbconf/smbconf_init.c
                    lib/smbconf/smbconf_reg.c''',
-- 
1.8.3.2


>From 27a09e2fe1c3588fb21c572ca698b78e5827f881 Mon Sep 17 00:00:00 2001
From: Christian Ambach <ambi at samba.org>
Date: Mon, 14 Apr 2014 22:37:26 +0200
Subject: [PATCH 5/8] lib/afs: whitespace cleanup

Signed-off-by: Christian Ambach <ambi at samba.org>
---
 lib/afs/afs_settoken.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/lib/afs/afs_settoken.c b/lib/afs/afs_settoken.c
index 18ad302..9a795ff 100644
--- a/lib/afs/afs_settoken.c
+++ b/lib/afs/afs_settoken.c
@@ -1,4 +1,4 @@
-/* 
+/*
  *  Unix SMB/CIFS implementation.
  *  Generate AFS tickets
  *  Copyright (C) Volker Lendecke 2004
@@ -7,12 +7,12 @@
  *  it under the terms of the GNU General Public License as published by
  *  the Free Software Foundation; either version 3 of the License, or
  *  (at your option) any later version.
- *  
+ *
  *  This program is distributed in the hope that it will be useful,
  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  *  GNU General Public License for more details.
- *  
+ *
  *  You should have received a copy of the GNU General Public License
  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
  */
@@ -93,7 +93,7 @@ static bool afs_decode_token(const char *string, char **cell,
 		DEBUG(10, ("sscanf AuthHandle failed\n"));
 		return false;
 	}
-		
+
 	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
 		DEBUG(10, ("strtok_r failed\n"));
 		return false;
@@ -121,7 +121,7 @@ static bool afs_decode_token(const char *string, char **cell,
 		DEBUG(10, ("sscanf ViceId failed\n"));
 		return false;
 	}
-		
+
 	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
 		DEBUG(10, ("strtok_r failed\n"));
 		return false;
@@ -131,7 +131,7 @@ static bool afs_decode_token(const char *string, char **cell,
 		DEBUG(10, ("sscanf BeginTimestamp failed\n"));
 		return false;
 	}
-		
+
 	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
 		DEBUG(10, ("strtok_r failed\n"));
 		return false;
@@ -141,7 +141,7 @@ static bool afs_decode_token(const char *string, char **cell,
 		DEBUG(10, ("sscanf EndTimestamp failed\n"));
 		return false;
 	}
-		
+
 	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
 		DEBUG(10, ("strtok_r failed\n"));
 		return false;
@@ -167,7 +167,7 @@ static bool afs_decode_token(const char *string, char **cell,
   This is currently highly Linux and OpenAFS-specific. The correct API
   call for this would be ktc_SetToken. But to do that we would have to
   import a REALLY big bunch of libraries which I would currently like
-  to avoid. 
+  to avoid.
 */
 
 static bool afs_settoken(const char *cell,
-- 
1.8.3.2


>From fb045e996c0ec0bbca9980b816c1f66c7a783ca0 Mon Sep 17 00:00:00 2001
From: Christian Ambach <ambi at samba.org>
Date: Wed, 16 Apr 2014 00:36:25 +0200
Subject: [PATCH 6/8] waf: add --with-fake-kaserver option

This option was not added during the transition from autoconf
to waf.
Bring it back so that the code can be used again.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=9916
Signed-off-by: Christian Ambach <ambi at samba.org>
---
 lib/afs/wscript_build |  2 +-
 source3/wscript       | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/lib/afs/wscript_build b/lib/afs/wscript_build
index a1bb5bc..1fa3b14 100644
--- a/lib/afs/wscript_build
+++ b/lib/afs/wscript_build
@@ -2,7 +2,7 @@
 
 bld.SAMBA3_SUBSYSTEM('LIBAFS',
                     source='afs.c',
-                    deps='samba-util LIBAFS_SETTOKEN')
+                    deps='samba-util crypto LIBAFS_SETTOKEN')
 
 bld.SAMBA3_SUBSYSTEM('LIBAFS_SETTOKEN',
                     source='afs_settoken.c',
diff --git a/source3/wscript b/source3/wscript
index 91f976a..33e2453 100644
--- a/source3/wscript
+++ b/source3/wscript
@@ -49,6 +49,9 @@ def set_options(opt):
 
     opt.SAMBA3_ADD_OPTION('regedit', default=None)
 
+    opt.SAMBA3_ADD_OPTION('fake-kaserver',
+                          help=("Include AFS fake-kaserver support"), default=False)
+
     opt.add_option('--with-ctdb-dir',
                    help=("Directory under which ctdb is installed"),
                    action="store", dest='ctdb_dir', default=None)
@@ -1825,6 +1828,16 @@ main() {
         else:
             Logs.info("ncurses not available, not building regedit")
 
+    conf.CHECK_FUNCS_IN('DES_pcbc_encrypt', 'crypto')
+    if Options.options.with_fake_kaserver == True:
+        conf.CHECK_HEADERS('afs/param.h afs/stds.h afs.h', together=True)
+        conf.CHECK_HEADERS('afs/param.h afs/stds.h afs/afs.h', together=True)
+        if (conf.CONFIG_SET('HAVE_AFS_AFS_H') or conf.CONFIG_SET('HAVE_AFS_H')) and conf.CONFIG_SET('HAVE_DES_PCBC_ENCRYPT'):
+            conf.DEFINE('WITH_FAKE_KASERVER', '1')
+        else:
+            conf.fatal('AFS headers not available, but --with-fake-kaserver was specified')
+
+
 
     default_static_modules.extend(TO_LIST('''pdb_smbpasswd pdb_tdbsam pdb_wbc_sam
                                       auth_sam auth_unix auth_winbind auth_wbc
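Review bot: The `conf.fatal` text in the added configure block says the AFS headers are missing even when the branch was taken because `HAVE_DES_PCBC_ENCRYPT` is unset, which points the builder at the wrong package; a message such as `conf.fatal('--with-fake-kaserver requires the AFS headers and DES_pcbc_encrypt from libcrypto')` covers both causes. The condition also accepts `HAVE_AFS_H` alone, while lib/afs/afs_settoken.c in this series includes `<afs/afs.h>`, `<afs/auth.h>` and `<afs/venus.h>` unconditionally under WITH_FAKE_KASERVER, so configure can succeed and the compile may still fail. `if Options.options.with_fake_kaserver:` reads better than the comparison with `== True`. The enclosing configure function starts and ends outside this hunk.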
-- 
1.8.3.2


>From 692bc3c54c54da78030289984295cab076245522 Mon Sep 17 00:00:00 2001
From: Christian Ambach <ambi at samba.org>
Date: Wed, 23 Apr 2014 17:03:47 +0200
Subject: [PATCH 7/8] waf: fixup build with fake kaserver enabled

Signed-off-by: Christian Ambach <ambi at samba.org>
---
 source3/utils/net_afs.c | 3 +++
 source3/wscript_build   | 1 +
 2 files changed, 4 insertions(+)

diff --git a/source3/utils/net_afs.c b/source3/utils/net_afs.c
index f1098f2..8cf2ff2 100644
--- a/source3/utils/net_afs.c
+++ b/source3/utils/net_afs.c
@@ -25,6 +25,8 @@
 #include "lib/afs/afs.h"
 #include "lib/afs/afs_settoken.h"
 
+#ifdef WITH_FAKE_KASERVER
+
 int net_afs_usage(struct net_context *c, int argc, const char **argv)
 {
 	d_printf(_("  net afs key filename\n"
@@ -120,3 +122,4 @@ int net_afs(struct net_context *c, int argc, const char **argv)
 	return net_run_function(c, argc, argv, "net afs", func);
 }
 
+#endif /* WITH_FAKE_KASERVER */
diff --git a/source3/wscript_build b/source3/wscript_build
index f7ebfc9..4b621ab 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -1083,6 +1083,7 @@ bld.SAMBA3_BINARY('net',
                  utils/net_printing.c
                  utils/net_rpc_trust.c
                  utils/net_rpc_conf.c
+                 utils/net_afs.c
                  registry/reg_parse.c
                  registry/reg_format.c
                  registry/reg_import.c
-- 
1.8.3.2


>From b5ba9ffe7902d7f24263cd90d28b40475ade62de Mon Sep 17 00:00:00 2001
From: Christian Ambach <ambi at samba.org>
Date: Wed, 23 Apr 2014 16:50:19 +0200
Subject: [PATCH 8/8] s4:heimdal fix build when a system des.h is around

heimdal's own des.h should not be included with <> as there
might be an incompatible system des.h around

Signed-off-by: Christian Ambach <ambi at samba.org>
---
 source4/heimdal/lib/hcrypto/evp-hcrypto.c | 2 +-
 source4/heimdal/lib/hcrypto/rnd_keys.c    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/source4/heimdal/lib/hcrypto/evp-hcrypto.c b/source4/heimdal/lib/hcrypto/evp-hcrypto.c
index bf37b42..be74a9c 100644
--- a/source4/heimdal/lib/hcrypto/evp-hcrypto.c
+++ b/source4/heimdal/lib/hcrypto/evp-hcrypto.c
@@ -46,7 +46,7 @@
 
 #include <krb5-types.h>
 
-#include <des.h>
+#include "des.h"
 #include "camellia.h"
 #include <aes.h>
 
diff --git a/source4/heimdal/lib/hcrypto/rnd_keys.c b/source4/heimdal/lib/hcrypto/rnd_keys.c
index 49c7634..6a3495b 100644
--- a/source4/heimdal/lib/hcrypto/rnd_keys.c
+++ b/source4/heimdal/lib/hcrypto/rnd_keys.c
@@ -41,7 +41,7 @@
 #endif
 #include <stdlib.h>
 
-#include <des.h>
+#include "des.h"
 #include <rand.h>
 
 #undef __attribute__
-- 
1.8.3.2


