[PATCH] Add back --with-fake-kaserver option to the build

Christian Ambach ambi at samba.org
Mon Jun 2 13:21:35 MDT 2014


Am 16.05.14 08:14, schrieb Volker Lendecke:
> On Fri, May 16, 2014 at 07:58:56AM +1200, Andrew Bartlett wrote:
>> Please ask Volker why the override is there, and get an explanation
>> added, or remove it.
>
> To be honest, I don't remember that aspect of the code.

It seems that Volker had the same questions in mind when he wrote
that code ten years ago. So he asked on the OpenAFS mailing list and
the answer was that the ViceId can be set to anything.
https://lists.openafs.org/pipermail/openafs-devel/2004-January/010031.html
This id is not used for access control, for that purpose the id in the 
ptserver is used. I performed some tests to verify that it really does
not matter to which value the ViceId is set.

I reworked the patchset again and replaced this chunk now
with a call to geteuid(), as this might be useful for debugging a token.
So the move of the util_sec code could be left out.

Please give it another look.

Cheers,
Christian
-------------- next part --------------
>From 696336ff8e443527e4f490d32ad11129492f9405 Mon Sep 17 00:00:00 2001
From: Christian Ambach <ambi at samba.org>
Date: Mon, 14 Apr 2014 22:11:12 +0200
Subject: [PATCH 1/7] s3:lib/afs move afs.c to common lib dir

some of the code in afs.c is needed by wbinfo that lives in the toplevel
nsswitch directory, so move the afs.c file to a new top-level lib/afs
directory. Use the name afs_funcs to avoid collisions with the afs.h
header from OpenAFS

Signed-off-by: Christian Ambach <ambi at samba.org>
---
 lib/afs/afs_funcs.c             | 309 ++++++++++++++++++++++++++++++++++++++++
 lib/afs/afs_funcs.h             |  42 ++++++
 lib/afs/wscript_build           |   6 +
 source3/include/proto.h         |   6 -
 source3/lib/afs.c               | 309 ----------------------------------------
 source3/smbd/service.c          |   1 +
 source3/utils/net_afs.c         |   1 +
 source3/winbindd/winbindd_pam.c |   1 +
 source3/wscript_build           |   4 -
 wscript_build                   |   1 +
 10 files changed, 361 insertions(+), 319 deletions(-)
 create mode 100644 lib/afs/afs_funcs.c
 create mode 100644 lib/afs/afs_funcs.h
 create mode 100644 lib/afs/wscript_build
 delete mode 100644 source3/lib/afs.c

diff --git a/lib/afs/afs_funcs.c b/lib/afs/afs_funcs.c
new file mode 100644
index 0000000..316bb1b
--- /dev/null
+++ b/lib/afs/afs_funcs.c
@@ -0,0 +1,309 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  Generate AFS tickets
+ *  Copyright (C) Volker Lendecke 2003
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "lib/afs/afs_funcs.h"
+
+#ifdef WITH_FAKE_KASERVER
+
+#define NO_ASN1_TYPEDEFS 1
+
+#include "secrets.h"
+#include "passdb.h"
+#include "auth.h"
+#include "../librpc/gen_ndr/ndr_netlogon.h"
+
+#include <afs/param.h>
+#include <afs/stds.h>
+#include <afs/auth.h>
+#include <afs/venus.h>
+#include <asm/unistd.h>
+#include <openssl/des.h>
+
+struct ClearToken {
+	uint32 AuthHandle;
+	char HandShakeKey[8];
+	uint32 ViceId;
+	uint32 BeginTimestamp;
+	uint32 EndTimestamp;
+};
+
+static char *afs_encode_token(const char *cell, const DATA_BLOB ticket,
+			      const struct ClearToken *ct)
+{
+	char *base64_ticket;
+	char *result = NULL;
+
+	DATA_BLOB key = data_blob(ct->HandShakeKey, 8);
+	char *base64_key;
+	TALLOC_CTX *mem_ctx;
+
+	mem_ctx = talloc_stackframe();
+	if (mem_ctx == NULL)
+		goto done;
+
+	base64_ticket = base64_encode_data_blob(mem_ctx, ticket);
+	if (base64_ticket == NULL)
+		goto done;
+
+	base64_key = base64_encode_data_blob(mem_ctx, key);
+	if (base64_key == NULL)
+		goto done;
+
+	asprintf(&result, "%s\n%u\n%s\n%u\n%u\n%u\n%s\n", cell,
+		 ct->AuthHandle, base64_key, ct->ViceId, ct->BeginTimestamp,
+		 ct->EndTimestamp, base64_ticket);
+
+	DEBUG(10, ("Got ticket string:\n%s\n", result));
+
+done:
+	TALLOC_FREE(mem_ctx);
+
+	return result;
+}
+
+/* Create a ClearToken and an encrypted ticket. ClearToken has not yet the
+ * ViceId set, this should be set by the caller. */
+
+static bool afs_createtoken(const char *username, const char *cell,
+			    DATA_BLOB *ticket, struct ClearToken *ct)
+{
+	fstring clear_ticket;
+	char *p = clear_ticket;
+	uint32 len;
+	uint32 now;
+
+	struct afs_key key;
+	des_key_schedule key_schedule;
+
+	if (!secrets_init())
+		return false;
+
+	if (!secrets_fetch_afs_key(cell, &key)) {
+		DEBUG(1, ("Could not fetch AFS service key\n"));
+		return false;
+	}
+
+	ct->AuthHandle = key.kvno;
+
+	/* Build the ticket. This is going to be encrypted, so in our
+	   way we fill in ct while we still have the unencrypted
+	   form. */
+
+	p = clear_ticket;
+
+	/* The byte-order */
+	*p = 1;
+	p += 1;
+
+	/* "Alice", the client username */
+	strncpy(p, username, sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
+	p += strlen(p)+1;
+	strncpy(p, "", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
+	p += strlen(p)+1;
+	strncpy(p, cell, sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
+	p += strlen(p)+1;
+
+	/* Alice's network layer address. At least Openafs-1.2.10
+	   ignores this, so we fill in a dummy value here. */
+	SIVAL(p, 0, 0);
+	p += 4;
+
+	/* We need to create a session key */
+	generate_random_buffer((uint8_t *)p, 8);
+
+	/* Our client code needs the the key in the clear, it does not
+	   know the server-key ... */
+	memcpy(ct->HandShakeKey, p, 8);
+
+	p += 8;
+
+	/* This is a kerberos 4 life time. The life time is expressed
+	 * in units of 5 minute intervals up to 38400 seconds, after
+	 * that a table is used up to lifetime 0xBF. Values between
+	 * 0xC0 and 0xFF is undefined. 0xFF is defined to be the
+	 * infinite time that never expire.
+	 *
+	 * So here we cheat and use the infinite time */
+	*p = 255;
+	p += 1;
+
+	/* Ticket creation time */
+	now = time(NULL);
+	SIVAL(p, 0, now);
+	ct->BeginTimestamp = now;
+
+	if(lp_afs_token_lifetime() == 0)
+		ct->EndTimestamp = NEVERDATE;
+	else
+		ct->EndTimestamp = now + lp_afs_token_lifetime();
+
+	if (((ct->EndTimestamp - ct->BeginTimestamp) & 1) == 1) {
+		ct->BeginTimestamp += 1; /* Lifetime must be even */
+	}
+	p += 4;
+
+	/* And here comes Bob's name and instance, in this case the
+	   AFS server. */
+	strncpy(p, "afs", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
+	p += strlen(p)+1;
+	strncpy(p, "", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
+	p += strlen(p)+1;
+
+	/* And zero-pad to a multiple of 8 bytes */
+	len = PTR_DIFF(p, clear_ticket);
+	if (len & 7) {
+		uint32 extra_space = 8-(len & 7);
+		memset(p, 0, extra_space);
+		p+=extra_space;
+	}
+	len = PTR_DIFF(p, clear_ticket);
+
+	des_key_sched((const_des_cblock *)key.key, key_schedule);
+	des_pcbc_encrypt((const unsigned char*) clear_ticket,
+			 (unsigned char*) clear_ticket,
+			 len, key_schedule, (C_Block *)key.key, 1);
+
+	ZERO_STRUCT(key);
+
+	*ticket = data_blob(clear_ticket, len);
+
+	return true;
+}
+
+char *afs_createtoken_str(const char *username, const char *cell)
+{
+	DATA_BLOB ticket;
+	struct ClearToken ct;
+	char *result;
+
+	if (!afs_createtoken(username, cell, &ticket, &ct))
+		return NULL;
+
+	result = afs_encode_token(cell, ticket, &ct);
+
+	data_blob_free(&ticket);
+
+	return result;
+}
+
+/*
+  This routine takes a radical approach completely bypassing the
+  Kerberos idea of security and using AFS simply as an intelligent
+  file backend. Samba has persuaded itself somehow that the user is
+  actually correctly identified and then we create a ticket that the
+  AFS server hopefully accepts using its KeyFile that the admin has
+  kindly stored to our secrets.tdb.
+
+  Thanks to the book "Network Security -- PRIVATE Communication in a
+  PUBLIC World" by Charlie Kaufman, Radia Perlman and Mike Speciner
+  Kerberos 4 tickets are not really hard to construct.
+
+  For the comments "Alice" is the User to be auth'ed, and "Bob" is the
+  AFS server.  */
+
+bool afs_login(connection_struct *conn)
+{
+	DATA_BLOB ticket;
+	char *afs_username = NULL;
+	char *cell = NULL;
+	bool result;
+	char *ticket_str = NULL;
+	const struct dom_sid *user_sid;
+	TALLOC_CTX *ctx = talloc_tos();
+
+	struct ClearToken ct;
+
+	afs_username = talloc_strdup(ctx,
+				lp_afs_username_map());
+	if (!afs_username) {
+		return false;
+	}
+
+	afs_username = talloc_sub_advanced(ctx,
+				lp_servicename(ctx, SNUM(conn)),
+				conn->session_info->unix_info->unix_name,
+				conn->connectpath,
+				conn->session_info->unix_token->gid,
+				conn->session_info->unix_info->sanitized_username,
+				conn->session_info->info->domain_name,
+				afs_username);
+	if (!afs_username) {
+		return false;
+	}
+
+	user_sid = &conn->session_info->security_token->sids[0];
+	afs_username = talloc_string_sub(talloc_tos(),
+					afs_username,
+					"%s",
+					sid_string_tos(user_sid));
+	if (!afs_username) {
+		return false;
+	}
+
+	/* The pts command always generates completely lower-case user
+	 * names. */
+	if (!strlower_m(afs_username)) {
+		return false;
+	}
+
+	cell = strchr(afs_username, '@');
+
+	if (cell == NULL) {
+		DEBUG(1, ("AFS username doesn't contain a @, "
+			  "could not find cell\n"));
+		return false;
+	}
+
+	*cell = '\0';
+	cell += 1;
+
+	DEBUG(10, ("Trying to log into AFS for user %s@%s\n",
+		   afs_username, cell));
+
+	if (!afs_createtoken(afs_username, cell, &ticket, &ct))
+		return false;
+
+	/* For which Unix-UID do we want to set the token? */
+	ct.ViceId = getuid();
+
+	ticket_str = afs_encode_token(cell, ticket, &ct);
+
+	result = afs_settoken_str(ticket_str);
+
+	SAFE_FREE(ticket_str);
+
+	data_blob_free(&ticket);
+
+	return result;
+}
+
+#else
+
+bool afs_login(connection_struct *conn)
+{
+	return true;
+}
+
+char *afs_createtoken_str(const char *username, const char *cell)
+{
+	return NULL;
+}
+
+#endif /* WITH_FAKE_KASERVER */
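Review bot: afs_createtoken() builds the Kerberos 4 ticket in the stack buffer `clear_ticket` without checking that `username` and `cell` fit; the code is carried over from source3/lib/afs.c, but the move makes it reachable from more callers through afs_createtoken_str(). Each `strncpy(p, ..., sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1)` writes no terminator when the source fills the remaining space, the following `p += strlen(p)+1` then walks over uninitialised bytes, and the later `SIVAL`, `generate_random_buffer` and padding `memset` writes are not bounded at all. A guard at the top of the function would close this, e.g. `if (strlen(username) + strlen(cell) + 40 > sizeof(clear_ticket)) return false;` (the fixed fields and padding add up to at most 33 bytes). Separately, afs_encode_token() ignores the asprintf() result and then prints the whole token string, including the base64 session key, at debug level 10. Checking for `-1` and logging only the cell and timestamps would keep the key out of log files and avoid passing an undefined `result` to `%s`.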
diff --git a/lib/afs/afs_funcs.h b/lib/afs/afs_funcs.h
new file mode 100644
index 0000000..95e916b
--- /dev/null
+++ b/lib/afs/afs_funcs.h
@@ -0,0 +1,42 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  Generate AFS tickets
+ *  Copyright (C) Volker Lendecke 2003
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef LIB_AFS_AFS_FUNCS_H
+#define LIB_AFS_AFS_FUNCS_H 1
+
+char *afs_createtoken_str(const char *username, const char *cell);
+
+/*
+  This routine takes a radical approach completely bypassing the
+  Kerberos idea of security and using AFS simply as an intelligent
+  file backend. Samba has persuaded itself somehow that the user is
+  actually correctly identified and then we create a ticket that the
+  AFS server hopefully accepts using its KeyFile that the admin has
+  kindly stored to our secrets.tdb.
+
+  Thanks to the book "Network Security -- PRIVATE Communication in a
+  PUBLIC World" by Charlie Kaufman, Radia Perlman and Mike Speciner
+  Kerberos 4 tickets are not really hard to construct.
+
+  For the comments "Alice" is the User to be auth'ed, and "Bob" is the
+  AFS server.  */
+
+bool afs_login(connection_struct *conn);
+
+#endif
diff --git a/lib/afs/wscript_build b/lib/afs/wscript_build
new file mode 100644
index 0000000..45d8be5
--- /dev/null
+++ b/lib/afs/wscript_build
@@ -0,0 +1,6 @@
+#!/usr/bin/env python
+
+bld.SAMBA3_SUBSYSTEM('LIBAFS',
+                    source='afs_funcs.c',
+                    deps='samba-util LIBAFS_SETTOKEN')
+
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 356bf91..942fb6a 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -35,12 +35,6 @@ bool allow_access(const char **deny_list,
 
 /* The following definitions come from lib/adt_tree.c  */
 
-
-/* The following definitions come from lib/afs.c  */
-
-char *afs_createtoken_str(const char *username, const char *cell);
-bool afs_login(connection_struct *conn);
-
 /* The following definitions come from lib/afs_settoken.c  */
 
 int afs_syscall(int subcall, const char *path, int cmd, char *cmarg, int follow);
diff --git a/source3/lib/afs.c b/source3/lib/afs.c
deleted file mode 100644
index 2d77526..0000000
--- a/source3/lib/afs.c
+++ /dev/null
@@ -1,309 +0,0 @@
-/*
- *  Unix SMB/CIFS implementation.
- *  Generate AFS tickets
- *  Copyright (C) Volker Lendecke 2003
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 3 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License
- *  along with this program; if not, see <http://www.gnu.org/licenses/>.
- */
-
-#include "includes.h"
-
-#ifdef WITH_FAKE_KASERVER
-
-#define NO_ASN1_TYPEDEFS 1
-
-#include "secrets.h"
-#include "passdb.h"
-#include "auth.h"
-#include "../librpc/gen_ndr/ndr_netlogon.h"
-
-#include <afs/param.h>
-#include <afs/stds.h>
-#include <afs/afs.h>
-#include <afs/auth.h>
-#include <afs/venus.h>
-#include <asm/unistd.h>
-#include <openssl/des.h>
-
-struct ClearToken {
-	uint32 AuthHandle;
-	char HandShakeKey[8];
-	uint32 ViceId;
-	uint32 BeginTimestamp;
-	uint32 EndTimestamp;
-};
-
-static char *afs_encode_token(const char *cell, const DATA_BLOB ticket,
-			      const struct ClearToken *ct)
-{
-	char *base64_ticket;
-	char *result = NULL;
-
-	DATA_BLOB key = data_blob(ct->HandShakeKey, 8);
-	char *base64_key;
-	TALLOC_CTX *mem_ctx;
-
-	mem_ctx = talloc_stackframe();
-	if (mem_ctx == NULL)
-		goto done;
-
-	base64_ticket = base64_encode_data_blob(mem_ctx, ticket);
-	if (base64_ticket == NULL)
-		goto done;
-
-	base64_key = base64_encode_data_blob(mem_ctx, key);
-	if (base64_key == NULL)
-		goto done;
-
-	asprintf(&result, "%s\n%u\n%s\n%u\n%u\n%u\n%s\n", cell,
-		 ct->AuthHandle, base64_key, ct->ViceId, ct->BeginTimestamp,
-		 ct->EndTimestamp, base64_ticket);
-
-	DEBUG(10, ("Got ticket string:\n%s\n", result));
-
-done:
-	TALLOC_FREE(mem_ctx);
-
-	return result;
-}
-
-/* Create a ClearToken and an encrypted ticket. ClearToken has not yet the
- * ViceId set, this should be set by the caller. */
-
-static bool afs_createtoken(const char *username, const char *cell,
-			    DATA_BLOB *ticket, struct ClearToken *ct)
-{
-	fstring clear_ticket;
-	char *p = clear_ticket;
-	uint32 len;
-	uint32 now;
-
-	struct afs_key key;
-	des_key_schedule key_schedule;
-
-	if (!secrets_init()) 
-		return false;
-
-	if (!secrets_fetch_afs_key(cell, &key)) {
-		DEBUG(1, ("Could not fetch AFS service key\n"));
-		return false;
-	}
-
-	ct->AuthHandle = key.kvno;
-
-	/* Build the ticket. This is going to be encrypted, so in our
-           way we fill in ct while we still have the unencrypted
-           form. */
-
-	p = clear_ticket;
-
-	/* The byte-order */
-	*p = 1;
-	p += 1;
-
-	/* "Alice", the client username */
-	strncpy(p, username, sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
-	p += strlen(p)+1;
-	strncpy(p, "", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
-	p += strlen(p)+1;
-	strncpy(p, cell, sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
-	p += strlen(p)+1;
-
-	/* Alice's network layer address. At least Openafs-1.2.10
-           ignores this, so we fill in a dummy value here. */
-	SIVAL(p, 0, 0);
-	p += 4;
-
-	/* We need to create a session key */
-	generate_random_buffer((uint8_t *)p, 8);
-
-	/* Our client code needs the the key in the clear, it does not
-           know the server-key ... */
-	memcpy(ct->HandShakeKey, p, 8);
-
-	p += 8;
-
-	/* This is a kerberos 4 life time. The life time is expressed
-	 * in units of 5 minute intervals up to 38400 seconds, after
-	 * that a table is used up to lifetime 0xBF. Values between
-	 * 0xC0 and 0xFF is undefined. 0xFF is defined to be the
-	 * infinite time that never expire.
-	 *
-	 * So here we cheat and use the infinite time */
-	*p = 255;
-	p += 1;
-
-	/* Ticket creation time */
-	now = time(NULL);
-	SIVAL(p, 0, now);
-	ct->BeginTimestamp = now;
-
-	if(lp_afs_token_lifetime() == 0)
-		ct->EndTimestamp = NEVERDATE;
-	else
-		ct->EndTimestamp = now + lp_afs_token_lifetime();
-
-	if (((ct->EndTimestamp - ct->BeginTimestamp) & 1) == 1) {
-		ct->BeginTimestamp += 1; /* Lifetime must be even */
-	}
-	p += 4;
-
-	/* And here comes Bob's name and instance, in this case the
-           AFS server. */
-	strncpy(p, "afs", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
-	p += strlen(p)+1;
-	strncpy(p, "", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
-	p += strlen(p)+1;
-
-	/* And zero-pad to a multiple of 8 bytes */
-	len = PTR_DIFF(p, clear_ticket);
-	if (len & 7) {
-		uint32 extra_space = 8-(len & 7);
-		memset(p, 0, extra_space);
-		p+=extra_space;
-	}
-	len = PTR_DIFF(p, clear_ticket);
-
-	des_key_sched((const_des_cblock *)key.key, key_schedule);
-	des_pcbc_encrypt((const unsigned char*) clear_ticket,
-			 (unsigned char*) clear_ticket,
-			 len, key_schedule, (C_Block *)key.key, 1);
-
-	ZERO_STRUCT(key);
-
-	*ticket = data_blob(clear_ticket, len);
-
-	return true;
-}
-
-char *afs_createtoken_str(const char *username, const char *cell)
-{
-	DATA_BLOB ticket;
-	struct ClearToken ct;
-	char *result;
-
-	if (!afs_createtoken(username, cell, &ticket, &ct))
-		return NULL;
-
-	result = afs_encode_token(cell, ticket, &ct);
-
-	data_blob_free(&ticket);
-
-	return result;
-}
-
-/*
-  This routine takes a radical approach completely bypassing the
-  Kerberos idea of security and using AFS simply as an intelligent
-  file backend. Samba has persuaded itself somehow that the user is
-  actually correctly identified and then we create a ticket that the
-  AFS server hopefully accepts using its KeyFile that the admin has
-  kindly stored to our secrets.tdb.
-
-  Thanks to the book "Network Security -- PRIVATE Communication in a
-  PUBLIC World" by Charlie Kaufman, Radia Perlman and Mike Speciner
-  Kerberos 4 tickets are not really hard to construct.
-
-  For the comments "Alice" is the User to be auth'ed, and "Bob" is the
-  AFS server.  */
-
-bool afs_login(connection_struct *conn)
-{
-	DATA_BLOB ticket;
-	char *afs_username = NULL;
-	char *cell = NULL;
-	bool result;
-	char *ticket_str = NULL;
-	const struct dom_sid *user_sid;
-	TALLOC_CTX *ctx = talloc_tos();
-
-	struct ClearToken ct;
-
-	afs_username = talloc_strdup(ctx,
-				lp_afs_username_map());
-	if (!afs_username) {
-		return false;
-	}
-
-	afs_username = talloc_sub_advanced(ctx,
-				lp_servicename(ctx, SNUM(conn)),
-				conn->session_info->unix_info->unix_name,
-				conn->connectpath,
-				conn->session_info->unix_token->gid,
-				conn->session_info->unix_info->sanitized_username,
-				conn->session_info->info->domain_name,
-				afs_username);
-	if (!afs_username) {
-		return false;
-	}
-
-	user_sid = &conn->session_info->security_token->sids[0];
-	afs_username = talloc_string_sub(talloc_tos(),
-					afs_username,
-					"%s",
-					sid_string_tos(user_sid));
-	if (!afs_username) {
-		return false;
-	}
-
-	/* The pts command always generates completely lower-case user
-	 * names. */
-	if (!strlower_m(afs_username)) {
-		return false;
-	}
-
-	cell = strchr(afs_username, '@');
-
-	if (cell == NULL) {
-		DEBUG(1, ("AFS username doesn't contain a @, "
-			  "could not find cell\n"));
-		return false;
-	}
-
-	*cell = '\0';
-	cell += 1;
-
-	DEBUG(10, ("Trying to log into AFS for user %s@%s\n",
-		   afs_username, cell));
-
-	if (!afs_createtoken(afs_username, cell, &ticket, &ct))
-		return false;
-
-	/* For which Unix-UID do we want to set the token? */
-	ct.ViceId = getuid();
-
-	ticket_str = afs_encode_token(cell, ticket, &ct);
-
-	result = afs_settoken_str(ticket_str);
-
-	SAFE_FREE(ticket_str);
-
-	data_blob_free(&ticket);
-
-	return result;
-}
-
-#else
-
-bool afs_login(connection_struct *conn)
-{
-	return true;
-}
-
-char *afs_createtoken_str(const char *username, const char *cell)
-{
-	return NULL;
-}
-
-#endif /* WITH_FAKE_KASERVER */
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index a9ad847..d3eabf8 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -30,6 +30,7 @@
 #include "auth.h"
 #include "lib/param/loadparm.h"
 #include "messages.h"
+#include "lib/afs/afs_funcs.h"
 
 static bool canonicalize_connect_path(connection_struct *conn)
 {
diff --git a/source3/utils/net_afs.c b/source3/utils/net_afs.c
index 3c7f282..44e5193 100644
--- a/source3/utils/net_afs.c
+++ b/source3/utils/net_afs.c
@@ -22,6 +22,7 @@
 #include "utils/net_afs.h"
 #include "secrets.h"
 #include "system/filesys.h"
+#include "lib/afs/afs_funcs.h"
 
 int net_afs_usage(struct net_context *c, int argc, const char **argv)
 {
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 415dc79..65f27df 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -41,6 +41,7 @@
 #include "auth/kerberos/pac_utils.h"
 #include "auth/gensec/gensec.h"
 #include "librpc/crypto/gse_krb5.h"
+#include "lib/afs/afs_funcs.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND
diff --git a/source3/wscript_build b/source3/wscript_build
index d319e5e..1f1b750 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -472,10 +472,6 @@ bld.SAMBA3_SUBSYSTEM('LIBAFS_SETTOKEN',
                     source='lib/afs_settoken.c',
                     deps='samba-util')
 
-bld.SAMBA3_SUBSYSTEM('LIBAFS',
-                    source='lib/afs.c',
-                    deps='samba-util LIBAFS_SETTOKEN')
-
 bld.SAMBA3_LIBRARY('smbconf',
                    source='''lib/smbconf/smbconf_init.c
                    lib/smbconf/smbconf_reg.c''',
diff --git a/wscript_build b/wscript_build
index 9228d15..59ba354 100644
--- a/wscript_build
+++ b/wscript_build
@@ -74,6 +74,7 @@ bld.RECURSE('lib/uid_wrapper')
 bld.RECURSE('lib/popt')
 bld.RECURSE('lib/iniparser/src')
 bld.RECURSE('source4/lib/stream')
+bld.RECURSE('lib/afs')
 bld.RECURSE('lib/util')
 bld.RECURSE('lib/tdb_wrap')
 bld.RECURSE('lib/tdr')
-- 
1.9.1


>From 00ddfeb5c56a6fcc437594981efe1c92e7d08206 Mon Sep 17 00:00:00 2001
From: Christian Ambach <ambi at samba.org>
Date: Mon, 14 Apr 2014 22:35:21 +0200
Subject: [PATCH 2/7] s3:lib/afs move afs_settoken.c to common lib dir

Signed-off-by: Christian Ambach <ambi at samba.org>
---
 lib/afs/afs_funcs.c          |   1 +
 lib/afs/afs_settoken.c       | 264 +++++++++++++++++++++++++++++++++++++++++++
 lib/afs/afs_settoken.h       |  21 ++++
 lib/afs/wscript_build        |   4 +
 nsswitch/wbinfo.c            |   1 +
 source3/include/proto.h      |   5 -
 source3/lib/afs_settoken.c   | 262 ------------------------------------------
 source3/modules/vfs_afsacl.c |   1 +
 source3/utils/net_afs.c      |   1 +
 source3/wscript_build        |   4 -
 10 files changed, 293 insertions(+), 271 deletions(-)
 create mode 100644 lib/afs/afs_settoken.c
 create mode 100644 lib/afs/afs_settoken.h
 delete mode 100644 source3/lib/afs_settoken.c

diff --git a/lib/afs/afs_funcs.c b/lib/afs/afs_funcs.c
index 316bb1b..8a3c90a 100644
--- a/lib/afs/afs_funcs.c
+++ b/lib/afs/afs_funcs.c
@@ -28,6 +28,7 @@
 #include "passdb.h"
 #include "auth.h"
 #include "../librpc/gen_ndr/ndr_netlogon.h"
+#include "lib/afs/afs_settoken.h"
 
 #include <afs/param.h>
 #include <afs/stds.h>
diff --git a/lib/afs/afs_settoken.c b/lib/afs/afs_settoken.c
new file mode 100644
index 0000000..d0ffa49
--- /dev/null
+++ b/lib/afs/afs_settoken.c
@@ -0,0 +1,264 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  Generate AFS tickets
+ *  Copyright (C) Volker Lendecke 2004
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "lib/afs/afs_settoken.h"
+
+#ifdef WITH_FAKE_KASERVER
+
+#define NO_ASN1_TYPEDEFS 1
+
+#include "system/filesys.h"
+
+#include <afs/param.h>
+#include <afs/stds.h>
+#include <afs/afs_args.h>
+#include <afs/auth.h>
+#include <afs/venus.h>
+#include <asm/unistd.h>
+#include <openssl/des.h>
+#include <sys/syscall.h>
+
+int afs_syscall(int subcall, const char *path, int cmd, char *cmarg, int follow)
+{
+/*
+	return( syscall( SYS_afs_syscall, subcall, path, cmd, cmarg, follow));
+*/
+	int errcode;
+	int proc_afs_file;
+	struct afsprocdata afs_syscall_data;
+	afs_syscall_data.syscall = subcall;
+	afs_syscall_data.param1 = (long)path;
+	afs_syscall_data.param2 = cmd;
+	afs_syscall_data.param3 = (long)cmarg;
+	afs_syscall_data.param4 = follow;
+	proc_afs_file = open(PROC_SYSCALL_FNAME, O_RDWR);
+	if (proc_afs_file < 0)
+		proc_afs_file = open(PROC_SYSCALL_ARLA_FNAME, O_RDWR);
+	if (proc_afs_file < 0)
+		return -1;
+	errcode = ioctl(proc_afs_file, VIOC_SYSCALL, &afs_syscall_data);
+	close(proc_afs_file);
+	return errcode;
+}
+
+struct ClearToken {
+	uint32 AuthHandle;
+	char HandShakeKey[8];
+	uint32 ViceId;
+	uint32 BeginTimestamp;
+	uint32 EndTimestamp;
+};
+
+static bool afs_decode_token(const char *string, char **cell,
+			     DATA_BLOB *ticket, struct ClearToken *ct)
+{
+	DATA_BLOB blob;
+	struct ClearToken result_ct;
+	char *saveptr;
+
+	char *s = SMB_STRDUP(string);
+
+	char *t;
+
+	if ((t = strtok_r(s, "\n", &saveptr)) == NULL) {
+		DEBUG(10, ("strtok_r failed\n"));
+		return false;
+	}
+
+	*cell = SMB_STRDUP(t);
+
+	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
+		DEBUG(10, ("strtok_r failed\n"));
+		return false;
+	}
+
+	if (sscanf(t, "%u", &result_ct.AuthHandle) != 1) {
+		DEBUG(10, ("sscanf AuthHandle failed\n"));
+		return false;
+	}
+
+	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
+		DEBUG(10, ("strtok_r failed\n"));
+		return false;
+	}
+
+	blob = base64_decode_data_blob(t);
+
+	if ( (blob.data == NULL) ||
+	     (blob.length != sizeof(result_ct.HandShakeKey) )) {
+		DEBUG(10, ("invalid key: %x/%lu\n", (uint8_t)*blob.data,
+			   (unsigned long) blob.length));
+		return false;
+	}
+
+	memcpy(result_ct.HandShakeKey, blob.data, blob.length);
+
+	data_blob_free(&blob);
+
+	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
+		DEBUG(10, ("strtok_r failed\n"));
+		return false;
+	}
+
+	if (sscanf(t, "%u", &result_ct.ViceId) != 1) {
+		DEBUG(10, ("sscanf ViceId failed\n"));
+		return false;
+	}
+
+	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
+		DEBUG(10, ("strtok_r failed\n"));
+		return false;
+	}
+
+	if (sscanf(t, "%u", &result_ct.BeginTimestamp) != 1) {
+		DEBUG(10, ("sscanf BeginTimestamp failed\n"));
+		return false;
+	}
+
+	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
+		DEBUG(10, ("strtok_r failed\n"));
+		return false;
+	}
+
+	if (sscanf(t, "%u", &result_ct.EndTimestamp) != 1) {
+		DEBUG(10, ("sscanf EndTimestamp failed\n"));
+		return false;
+	}
+
+	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
+		DEBUG(10, ("strtok_r failed\n"));
+		return false;
+	}
+
+	blob = base64_decode_data_blob(t);
+
+	if (blob.data == NULL) {
+		DEBUG(10, ("Could not get ticket\n"));
+		return false;
+	}
+
+	*ticket = blob;
+	*ct = result_ct;
+
+	return true;
+}
+
+/*
+  Put an AFS token into the Kernel so that it can authenticate against
+  the AFS server. This assumes correct local uid settings.
+
+  This is currently highly Linux and OpenAFS-specific. The correct API
+  call for this would be ktc_SetToken. But to do that we would have to
+  import a REALLY big bunch of libraries which I would currently like
+  to avoid.
+*/
+
+static bool afs_settoken(const char *cell,
+			 const struct ClearToken *ctok,
+			 DATA_BLOB ticket)
+{
+	int ret;
+	struct {
+		char *in, *out;
+		uint16 in_size, out_size;
+	} iob;
+
+	char buf[1024];
+	char *p = buf;
+	int tmp;
+
+	memcpy(p, &ticket.length, sizeof(uint32));
+	p += sizeof(uint32);
+	memcpy(p, ticket.data, ticket.length);
+	p += ticket.length;
+
+	tmp = sizeof(struct ClearToken);
+	memcpy(p, &tmp, sizeof(uint32));
+	p += sizeof(uint32);
+	memcpy(p, ctok, tmp);
+	p += tmp;
+
+	tmp = 0;
+
+	memcpy(p, &tmp, sizeof(uint32));
+	p += sizeof(uint32);
+
+	tmp = strlen(cell);
+	if (tmp >= MAXKTCREALMLEN) {
+		DEBUG(1, ("Realm too long\n"));
+		return false;
+	}
+
+	strncpy(p, cell, tmp);
+	p += tmp;
+	*p = 0;
+	p +=1;
+
+	iob.in = buf;
+	iob.in_size = PTR_DIFF(p,buf);
+	iob.out = buf;
+	iob.out_size = sizeof(buf);
+
+#if 0
+	file_save("/tmp/ioctlbuf", iob.in, iob.in_size);
+#endif
+
+	ret = afs_syscall(AFSCALL_PIOCTL, 0, VIOCSETTOK, (char *)&iob, 0);
+
+	DEBUG(10, ("afs VIOCSETTOK returned %d\n", ret));
+	return (ret == 0);
+}
+
+bool afs_settoken_str(const char *token_string)
+{
+	DATA_BLOB ticket;
+	struct ClearToken ct;
+	bool result;
+	char *cell;
+
+	if (!afs_decode_token(token_string, &cell, &ticket, &ct))
+		return false;
+
+	if (geteuid() != 0) {
+		ct.ViceId = geteuid();
+	}
+
+	result = afs_settoken(cell, &ct, ticket);
+
+	SAFE_FREE(cell);
+	data_blob_free(&ticket);
+
+	return result;
+}
+
+#else
+
+int afs_syscall(int subcall, const char *path, int cmd, char *cmarg, int follow)
+{
+	errno = ENOSYS;
+	return -1;
+}
+
+bool afs_settoken_str(const char *token_string)
+{
+	return false;
+}
+
+#endif
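Review bot: afs_settoken() copies `ticket.length` bytes into the 1024-byte stack array `buf` with no length check, and the ticket is the base64-decoded tail of the string passed to afs_settoken_str(), so an oversized token string overruns the stack. The only bound in the function is the `MAXKTCREALMLEN` test on `cell`, and it runs after the ticket and ClearToken have already been copied. Moving that test to the top and adding `if (ticket.length > sizeof(buf) - (3 * sizeof(uint32) + sizeof(struct ClearToken) + MAXKTCREALMLEN)) return false;` before the first memcpy would bound every write. In afs_decode_token(), the invalid-key branch evaluates `(uint8_t)*blob.data` inside DEBUG even when `blob.data == NULL` is what triggered it, which is a NULL dereference once debug level 10 is active. The same function never frees `s` on any path and leaks `*cell` and `blob` on the early `return false` exits; a single cleanup label that frees them would cover all paths.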
diff --git a/lib/afs/afs_settoken.h b/lib/afs/afs_settoken.h
new file mode 100644
index 0000000..d6cc462
--- /dev/null
+++ b/lib/afs/afs_settoken.h
@@ -0,0 +1,21 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  Generate AFS tickets
+ *  Copyright (C) Volker Lendecke 2004
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+int afs_syscall(int subcall, const char *path, int cmd, char *cmarg, int follow);
+bool afs_settoken_str(const char *token_string);
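Review bot: afs_settoken.h has no include guard, unlike lib/afs/afs_funcs.h from the previous patch, which wraps its declarations in `#ifndef LIB_AFS_AFS_FUNCS_H`. This series includes the new header from afs_funcs.c, wbinfo.c, vfs_afsacl.c and net_afs.c, so I would add `#ifndef LIB_AFS_AFS_SETTOKEN_H` and `#define LIB_AFS_AFS_SETTOKEN_H 1` after the licence block, with a closing `#endif` at the end. The header also uses `bool` without including anything that defines it, so it appears to rely on the includer having pulled in includes.h first; a one-line comment stating that requirement would help.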
diff --git a/lib/afs/wscript_build b/lib/afs/wscript_build
index 45d8be5..7337491 100644
--- a/lib/afs/wscript_build
+++ b/lib/afs/wscript_build
@@ -4,3 +4,7 @@ bld.SAMBA3_SUBSYSTEM('LIBAFS',
                     source='afs_funcs.c',
                     deps='samba-util LIBAFS_SETTOKEN')
 
+bld.SAMBA3_SUBSYSTEM('LIBAFS_SETTOKEN',
+                    source='afs_settoken.c',
+                    deps='samba-util')
+
diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
index bc25a17..a3e6451 100644
--- a/nsswitch/wbinfo.c
+++ b/nsswitch/wbinfo.c
@@ -27,6 +27,7 @@
 #include "lib/popt/popt.h"
 #include "../libcli/auth/libcli_auth.h"
 #include "lib/cmdline/popt_common.h"
+#include "lib/afs/afs_settoken.h"
 
 #ifdef DBGC_CLASS
 #undef DBGC_CLASS
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 942fb6a..347c700 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -35,11 +35,6 @@ bool allow_access(const char **deny_list,
 
 /* The following definitions come from lib/adt_tree.c  */
 
-/* The following definitions come from lib/afs_settoken.c  */
-
-int afs_syscall(int subcall, const char *path, int cmd, char *cmarg, int follow);
-bool afs_settoken_str(const char *token_string);
-
 /* The following definitions come from lib/audit.c  */
 
 const char *audit_category_str(uint32 category);
diff --git a/source3/lib/afs_settoken.c b/source3/lib/afs_settoken.c
deleted file mode 100644
index 7aff55f..0000000
--- a/source3/lib/afs_settoken.c
+++ /dev/null
@@ -1,262 +0,0 @@
-/* 
- *  Unix SMB/CIFS implementation.
- *  Generate AFS tickets
- *  Copyright (C) Volker Lendecke 2004
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 3 of the License, or
- *  (at your option) any later version.
- *  
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *  
- *  You should have received a copy of the GNU General Public License
- *  along with this program; if not, see <http://www.gnu.org/licenses/>.
- */
-
-#include "includes.h"
-
-#ifdef WITH_FAKE_KASERVER
-
-#define NO_ASN1_TYPEDEFS 1
-
-#include "system/filesys.h"
-
-#include <afs/param.h>
-#include <afs/stds.h>
-#include <afs/afs.h>
-#include <afs/auth.h>
-#include <afs/venus.h>
-#include <asm/unistd.h>
-#include <openssl/des.h>
-#include <sys/syscall.h>
-
-int afs_syscall(int subcall, const char *path, int cmd, char *cmarg, int follow)
-{
-/*
-	return( syscall( SYS_afs_syscall, subcall, path, cmd, cmarg, follow));
-*/
-	int errcode;
-	int proc_afs_file;
-	struct afsprocdata afs_syscall_data;
-	afs_syscall_data.syscall = subcall;
-	afs_syscall_data.param1 = (long)path;
-	afs_syscall_data.param2 = cmd;
-	afs_syscall_data.param3 = (long)cmarg;
-	afs_syscall_data.param4 = follow;
-	proc_afs_file = open(PROC_SYSCALL_FNAME, O_RDWR);
-	if (proc_afs_file < 0)
-		proc_afs_file = open(PROC_SYSCALL_ARLA_FNAME, O_RDWR);
-	if (proc_afs_file < 0)
-		return -1;
-	errcode = ioctl(proc_afs_file, VIOC_SYSCALL, &afs_syscall_data);
-	close(proc_afs_file);
-	return errcode;
-}
-
-struct ClearToken {
-	uint32 AuthHandle;
-	char HandShakeKey[8];
-	uint32 ViceId;
-	uint32 BeginTimestamp;
-	uint32 EndTimestamp;
-};
-
-static bool afs_decode_token(const char *string, char **cell,
-			     DATA_BLOB *ticket, struct ClearToken *ct)
-{
-	DATA_BLOB blob;
-	struct ClearToken result_ct;
-	char *saveptr;
-
-	char *s = SMB_STRDUP(string);
-
-	char *t;
-
-	if ((t = strtok_r(s, "\n", &saveptr)) == NULL) {
-		DEBUG(10, ("strtok_r failed\n"));
-		return false;
-	}
-
-	*cell = SMB_STRDUP(t);
-
-	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
-		DEBUG(10, ("strtok_r failed\n"));
-		return false;
-	}
-
-	if (sscanf(t, "%u", &result_ct.AuthHandle) != 1) {
-		DEBUG(10, ("sscanf AuthHandle failed\n"));
-		return false;
-	}
-		
-	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
-		DEBUG(10, ("strtok_r failed\n"));
-		return false;
-	}
-
-	blob = base64_decode_data_blob(t);
-
-	if ( (blob.data == NULL) ||
-	     (blob.length != sizeof(result_ct.HandShakeKey) )) {
-		DEBUG(10, ("invalid key: %x/%lu\n", (uint8_t)*blob.data,
-			   (unsigned long) blob.length));
-		return false;
-	}
-
-	memcpy(result_ct.HandShakeKey, blob.data, blob.length);
-
-	data_blob_free(&blob);
-
-	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
-		DEBUG(10, ("strtok_r failed\n"));
-		return false;
-	}
-
-	if (sscanf(t, "%u", &result_ct.ViceId) != 1) {
-		DEBUG(10, ("sscanf ViceId failed\n"));
-		return false;
-	}
-		
-	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
-		DEBUG(10, ("strtok_r failed\n"));
-		return false;
-	}
-
-	if (sscanf(t, "%u", &result_ct.BeginTimestamp) != 1) {
-		DEBUG(10, ("sscanf BeginTimestamp failed\n"));
-		return false;
-	}
-		
-	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
-		DEBUG(10, ("strtok_r failed\n"));
-		return false;
-	}
-
-	if (sscanf(t, "%u", &result_ct.EndTimestamp) != 1) {
-		DEBUG(10, ("sscanf EndTimestamp failed\n"));
-		return false;
-	}
-		
-	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
-		DEBUG(10, ("strtok_r failed\n"));
-		return false;
-	}
-
-	blob = base64_decode_data_blob(t);
-
-	if (blob.data == NULL) {
-		DEBUG(10, ("Could not get ticket\n"));
-		return false;
-	}
-
-	*ticket = blob;
-	*ct = result_ct;
-
-	return true;
-}
-
-/*
-  Put an AFS token into the Kernel so that it can authenticate against
-  the AFS server. This assumes correct local uid settings.
-
-  This is currently highly Linux and OpenAFS-specific. The correct API
-  call for this would be ktc_SetToken. But to do that we would have to
-  import a REALLY big bunch of libraries which I would currently like
-  to avoid. 
-*/
-
-static bool afs_settoken(const char *cell,
-			 const struct ClearToken *ctok,
-			 DATA_BLOB ticket)
-{
-	int ret;
-	struct {
-		char *in, *out;
-		uint16 in_size, out_size;
-	} iob;
-
-	char buf[1024];
-	char *p = buf;
-	int tmp;
-
-	memcpy(p, &ticket.length, sizeof(uint32));
-	p += sizeof(uint32);
-	memcpy(p, ticket.data, ticket.length);
-	p += ticket.length;
-
-	tmp = sizeof(struct ClearToken);
-	memcpy(p, &tmp, sizeof(uint32));
-	p += sizeof(uint32);
-	memcpy(p, ctok, tmp);
-	p += tmp;
-
-	tmp = 0;
-
-	memcpy(p, &tmp, sizeof(uint32));
-	p += sizeof(uint32);
-
-	tmp = strlen(cell);
-	if (tmp >= MAXKTCREALMLEN) {
-		DEBUG(1, ("Realm too long\n"));
-		return false;
-	}
-
-	strncpy(p, cell, tmp);
-	p += tmp;
-	*p = 0;
-	p +=1;
-
-	iob.in = buf;
-	iob.in_size = PTR_DIFF(p,buf);
-	iob.out = buf;
-	iob.out_size = sizeof(buf);
-
-#if 0
-	file_save("/tmp/ioctlbuf", iob.in, iob.in_size);
-#endif
-
-	ret = afs_syscall(AFSCALL_PIOCTL, 0, VIOCSETTOK, (char *)&iob, 0);
-
-	DEBUG(10, ("afs VIOCSETTOK returned %d\n", ret));
-	return (ret == 0);
-}
-
-bool afs_settoken_str(const char *token_string)
-{
-	DATA_BLOB ticket;
-	struct ClearToken ct;
-	bool result;
-	char *cell;
-
-	if (!afs_decode_token(token_string, &cell, &ticket, &ct))
-		return false;
-
-	if (geteuid() != sec_initial_uid())
-		ct.ViceId = getuid();
-
-	result = afs_settoken(cell, &ct, ticket);
-
-	SAFE_FREE(cell);
-	data_blob_free(&ticket);
-
-	return result;
-}
-
-#else
-
-int afs_syscall(int subcall, const char *path, int cmd, char *cmarg, int follow)
-{
-	errno = ENOSYS;
-	return -1;
-}
-
-bool afs_settoken_str(const char *token_string)
-{
-	return false;
-}
-
-#endif
diff --git a/source3/modules/vfs_afsacl.c b/source3/modules/vfs_afsacl.c
index 7300987..7a3d5bd 100644
--- a/source3/modules/vfs_afsacl.c
+++ b/source3/modules/vfs_afsacl.c
@@ -24,6 +24,7 @@
 #include "../libcli/security/security.h"
 #include "../libcli/security/dom_sid.h"
 #include "passdb.h"
+#include "lib/afs/afs_settoken.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_VFS
diff --git a/source3/utils/net_afs.c b/source3/utils/net_afs.c
index 44e5193..6049a5c 100644
--- a/source3/utils/net_afs.c
+++ b/source3/utils/net_afs.c
@@ -23,6 +23,7 @@
 #include "secrets.h"
 #include "system/filesys.h"
 #include "lib/afs/afs_funcs.h"
+#include "lib/afs/afs_settoken.h"
 
 int net_afs_usage(struct net_context *c, int argc, const char **argv)
 {
diff --git a/source3/wscript_build b/source3/wscript_build
index 1f1b750..5995003 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -468,10 +468,6 @@ bld.SAMBA3_SUBSYSTEM('LIBADS_PRINTER',
                     source='libads/ldap_printer.c',
                     deps='samba-util krb5samba')
 
-bld.SAMBA3_SUBSYSTEM('LIBAFS_SETTOKEN',
-                    source='lib/afs_settoken.c',
-                    deps='samba-util')
-
 bld.SAMBA3_LIBRARY('smbconf',
                    source='''lib/smbconf/smbconf_init.c
                    lib/smbconf/smbconf_reg.c''',
-- 
1.9.1


>From b470808f7c78fb2e8b20fa7504dbcb4c91f056cf Mon Sep 17 00:00:00 2001
From: Christian Ambach <ambi at samba.org>
Date: Wed, 16 Apr 2014 00:36:25 +0200
Subject: [PATCH 3/7] waf: add --with-fake-kaserver option

This option was not added during the transition from autoconf
to waf.
Bring it back so that the code can be used again.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=9916
Signed-off-by: Christian Ambach <ambi at samba.org>
---
 lib/afs/wscript_build |  2 +-
 source3/wscript       | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/lib/afs/wscript_build b/lib/afs/wscript_build
index 7337491..d584a17 100644
--- a/lib/afs/wscript_build
+++ b/lib/afs/wscript_build
@@ -2,7 +2,7 @@
 
 bld.SAMBA3_SUBSYSTEM('LIBAFS',
                     source='afs_funcs.c',
-                    deps='samba-util LIBAFS_SETTOKEN')
+                    deps='samba-util crypto LIBAFS_SETTOKEN')
 
 bld.SAMBA3_SUBSYSTEM('LIBAFS_SETTOKEN',
                     source='afs_settoken.c',
diff --git a/source3/wscript b/source3/wscript
index 3b38d19..7c7add7 100644
--- a/source3/wscript
+++ b/source3/wscript
@@ -49,6 +49,9 @@ def set_options(opt):
 
     opt.SAMBA3_ADD_OPTION('regedit', default=None)
 
+    opt.SAMBA3_ADD_OPTION('fake-kaserver',
+                          help=("Include AFS fake-kaserver support"), default=False)
+
     opt.add_option('--with-ctdb-dir',
                    help=("Directory under which ctdb is installed"),
                    action="store", dest='ctdb_dir', default=None)
@@ -1798,6 +1801,16 @@ main() {
         else:
             Logs.info("ncurses not available, not building regedit")
 
+    conf.CHECK_FUNCS_IN('DES_pcbc_encrypt', 'crypto')
+    if Options.options.with_fake_kaserver == True:
+        conf.CHECK_HEADERS('afs/param.h afs/stds.h', together=True)
+        conf.CHECK_HEADERS('afs/param.h afs/stds.h', together=True)
+        if (conf.CONFIG_SET('HAVE_AFS_PARAM_H') and conf.CONFIG_SET('HAVE_AFS_STDS_H') and conf.CONFIG_SET('HAVE_DES_PCBC_ENCRYPT')):
+            conf.DEFINE('WITH_FAKE_KASERVER', '1')
+        else:
+            conf.fatal('AFS headers not available, but --with-fake-kaserver was specified')
+
+
 
     default_static_modules.extend(TO_LIST('''pdb_smbpasswd pdb_tdbsam pdb_wbc_sam
                                       auth_sam auth_unix auth_winbind auth_wbc
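Review bot: The `conf.fatal` message in the added block blames missing AFS headers, but the condition also fails when `HAVE_DES_PCBC_ENCRYPT` is unset, so a host whose libcrypto lacks DES gets a misleading error. It should name both causes, e.g. `conf.fatal('AFS headers or DES_pcbc_encrypt not available, but --with-fake-kaserver was specified')`. The `conf.CHECK_HEADERS('afs/param.h afs/stds.h', together=True)` line appears twice and one copy can go, and `if Options.options.with_fake_kaserver:` reads better than the `== True` comparison. The `DES_pcbc_encrypt` probe here and the `crypto` entry added to LIBAFS's deps in lib/afs/wscript_build apply to every build, not only fake-kaserver ones; it looks like both could move under the option so default builds gain no new libcrypto requirement, but please confirm. The enclosing configure function starts and ends outside this hunk.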
-- 
1.9.1


>From a6e3fba05e25ec99e357be24964aff06ae64088c Mon Sep 17 00:00:00 2001
From: Christian Ambach <ambi at samba.org>
Date: Wed, 23 Apr 2014 17:03:47 +0200
Subject: [PATCH 4/7] waf: fixup build with fake kaserver enabled

Signed-off-by: Christian Ambach <ambi at samba.org>
---
 source3/utils/net_afs.c | 3 +++
 source3/wscript_build   | 1 +
 2 files changed, 4 insertions(+)

diff --git a/source3/utils/net_afs.c b/source3/utils/net_afs.c
index 6049a5c..3668e3c 100644
--- a/source3/utils/net_afs.c
+++ b/source3/utils/net_afs.c
@@ -25,6 +25,8 @@
 #include "lib/afs/afs_funcs.h"
 #include "lib/afs/afs_settoken.h"
 
+#ifdef WITH_FAKE_KASERVER
+
 int net_afs_usage(struct net_context *c, int argc, const char **argv)
 {
 	d_printf(_("  net afs key filename\n"
@@ -120,3 +122,4 @@ int net_afs(struct net_context *c, int argc, const char **argv)
 	return net_run_function(c, argc, argv, "net afs", func);
 }
 
+#endif /* WITH_FAKE_KASERVER */
diff --git a/source3/wscript_build b/source3/wscript_build
index 5995003..b1a25d3 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -1084,6 +1084,7 @@ bld.SAMBA3_BINARY('net',
                  utils/net_printing.c
                  utils/net_rpc_trust.c
                  utils/net_rpc_conf.c
+                 utils/net_afs.c
                  registry/reg_parse.c
                  registry/reg_format.c
                  registry/reg_import.c
-- 
1.9.1


>From a9fd54b54a41424bbe30fdac88212c88f8758531 Mon Sep 17 00:00:00 2001
From: Christian Ambach <ambi at samba.org>
Date: Wed, 23 Apr 2014 16:50:19 +0200
Subject: [PATCH 5/7] s4:heimdal fix build when a system des.h is around

heimdal's own des.h should not be included with <> as there
might be an incompatible system des.h around

Signed-off-by: Christian Ambach <ambi at samba.org>
---
 source4/heimdal/lib/hcrypto/evp-hcrypto.c | 2 +-
 source4/heimdal/lib/hcrypto/rnd_keys.c    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/source4/heimdal/lib/hcrypto/evp-hcrypto.c b/source4/heimdal/lib/hcrypto/evp-hcrypto.c
index bf37b42..be74a9c 100644
--- a/source4/heimdal/lib/hcrypto/evp-hcrypto.c
+++ b/source4/heimdal/lib/hcrypto/evp-hcrypto.c
@@ -46,7 +46,7 @@
 
 #include <krb5-types.h>
 
-#include <des.h>
+#include "des.h"
 #include "camellia.h"
 #include <aes.h>
 
diff --git a/source4/heimdal/lib/hcrypto/rnd_keys.c b/source4/heimdal/lib/hcrypto/rnd_keys.c
index 49c7634..6a3495b 100644
--- a/source4/heimdal/lib/hcrypto/rnd_keys.c
+++ b/source4/heimdal/lib/hcrypto/rnd_keys.c
@@ -41,7 +41,7 @@
 #endif
 #include <stdlib.h>
 
-#include <des.h>
+#include "des.h"
 #include <rand.h>
 
 #undef __attribute__
-- 
1.9.1


>From 6e9b81e727a4dc14d851582782f46f41e0b55eb6 Mon Sep 17 00:00:00 2001
From: Christian Ambach <ambi at samba.org>
Date: Wed, 14 May 2014 15:39:44 +0200
Subject: [PATCH 6/7] vfs_afsacl: remove unused includes

* auth.h might cause collisions with the Heimdal headers
* we should not include afs/afs.h directly, see
https://bugs.launchpad.net/ubuntu/+source/openafs/+bug/1319336
http://rt.central.org/rt/Ticket/Display.html?id=131737

Signed-off-by: Christian Ambach <ambi at samba.org>
---
 source3/modules/vfs_afsacl.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/source3/modules/vfs_afsacl.c b/source3/modules/vfs_afsacl.c
index 7a3d5bd..ecc436e 100644
--- a/source3/modules/vfs_afsacl.c
+++ b/source3/modules/vfs_afsacl.c
@@ -30,8 +30,7 @@
 #define DBGC_CLASS DBGC_VFS
 
 #include <afs/stds.h>
-#include <afs/afs.h>
-#include <afs/auth.h>
+#include <afs/afs_args.h>
 #include <afs/venus.h>
 #include <afs/prs_fs.h>
 
-- 
1.9.1


>From 87b86f671286fbaa98d655351605ee660dc2dc23 Mon Sep 17 00:00:00 2001
From: Christian Ambach <ambi at samba.org>
Date: Sun, 25 May 2014 00:35:09 +0200
Subject: [PATCH 7/7] s3:vfs_afsacl fix compiler warnings

Signed-off-by: Christian Ambach <ambi at samba.org>
---
 source3/modules/vfs_afsacl.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/source3/modules/vfs_afsacl.c b/source3/modules/vfs_afsacl.c
index ecc436e..a794e95 100644
--- a/source3/modules/vfs_afsacl.c
+++ b/source3/modules/vfs_afsacl.c
@@ -1038,7 +1038,6 @@ static NTSTATUS afsacl_get_nt_acl(struct vfs_handle_struct *handle,
 	struct afs_acl acl;
 	size_t sd_size;
 	struct smb_filename *smb_fname = NULL;
-	NTSTATUS status;
 
 	DEBUG(5, ("afsacl_get_nt_acl: %s\n", name));
 
@@ -1063,7 +1062,7 @@ static NTSTATUS afsacl_get_nt_acl(struct vfs_handle_struct *handle,
 	return (sd_size != 0) ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
 }
 
-NTSTATUS afsacl_fset_nt_acl(vfs_handle_struct *handle,
+static NTSTATUS afsacl_fset_nt_acl(vfs_handle_struct *handle,
 			 files_struct *fsp,
 			 uint32 security_info_sent,
 			 const struct security_descriptor *psd)
-- 
1.9.1


