[PATCH] Add back --with-fake-kaserver option to the build
Christian Ambach
ambi at samba.org
Wed May 14 08:32:28 MDT 2014
Hi list,
here is an updated patchset that now allows building against OpenAFS 1.6.
Please review so Bug 9916 can be closed.
Cheers,
Christian
Am 27.04.14 21:51, schrieb Christian Ambach:
> Hi list,
>
> during the transition to waf, the AFS fake kaserver configuration option
> was not migrated and so this feature got lost in 4.1 (in 4.0, it was
> still available via the autoconf-based build).
> The attached patchset brings back the option. Once it gets reviewed, I
> can backport it to 4.1 so we close this gap (that is properly the last
> piece that was missing from waf when comparing it to the autoconf build).
-------------- next part --------------
From a20282f89009cf2e711d9a9a5935e6258ed6819d Mon Sep 17 00:00:00 2001
From: Christian Ambach <ambi at samba.org>
Date: Sun, 13 Apr 2014 13:18:37 +0200
Subject: [PATCH 01/12] s3:lib/util move util_sec to common lib
we need some of the code in util_sec for wbinfo that lives in the toplevel
nsswitch directory, so move the util_sec.c file to the top-level lib directory
Signed-off-by: Christian Ambach <ambi at samba.org>
---
lib/util/util_sec.c | 553 +++++++++++++++++++++++++++++++++++++++++++++
lib/util/util_sec.h | 45 ++++
lib/util/wscript_build | 2 +-
source3/include/includes.h | 1 +
source3/include/proto.h | 24 --
source3/lib/util_sec.c | 553 ---------------------------------------------
source3/wscript | 12 +-
source3/wscript_build | 2 +-
8 files changed, 607 insertions(+), 585 deletions(-)
create mode 100644 lib/util/util_sec.c
create mode 100644 lib/util/util_sec.h
delete mode 100644 source3/lib/util_sec.c
diff --git a/lib/util/util_sec.c b/lib/util/util_sec.c
new file mode 100644
index 0000000..9ccd04e
--- /dev/null
+++ b/lib/util/util_sec.c
@@ -0,0 +1,553 @@
+/*
+ Unix SMB/CIFS implementation.
+ Copyright (C) Jeremy Allison 1998.
+ rewritten for version 2.0.6 by Tridge
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef AUTOCONF_TEST
+#include "includes.h"
+#include "system/passwd.h" /* uid_wrapper */
+#include "../lib/util/setid.h"
+
+#else
+/* we are running this code in autoconf test mode to see which type of setuid
+ function works */
+#if defined(HAVE_UNISTD_H)
+#include <unistd.h>
+#endif
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <errno.h>
+
+#ifdef HAVE_SYS_PRIV_H
+#include <sys/priv.h>
+#endif
+#ifdef HAVE_SYS_ID_H
+#include <sys/id.h>
+#endif
+
+#define DEBUG(x, y) printf y
+#define smb_panic(x) exit(1)
+#define bool int
+#endif
+
+/* are we running as non-root? This is used by the regresison test code,
+ and potentially also for sites that want non-root smbd */
+static uid_t initial_uid;
+static gid_t initial_gid;
+
+/****************************************************************************
+remember what uid we got started as - this allows us to run correctly
+as non-root while catching trapdoor systems
+****************************************************************************/
+
+void sec_init(void)
+{
+ static int initialized;
+
+ if (!initialized) {
+ initial_uid = geteuid();
+ initial_gid = getegid();
+ initialized = 1;
+ }
+}
+
+/****************************************************************************
+some code (eg. winbindd) needs to know what uid we started as
+****************************************************************************/
+uid_t sec_initial_uid(void)
+{
+ return initial_uid;
+}
+
+/****************************************************************************
+some code (eg. winbindd, profiling shm) needs to know what gid we started as
+****************************************************************************/
+gid_t sec_initial_gid(void)
+{
+ return initial_gid;
+}
+
+/**
+ * @brief Check if we are running in root mode.
+ *
+ * @return If we samba root privileges it returns true, false otehrwise.
+ */
+bool root_mode(void)
+{
+ uid_t euid;
+
+ euid = geteuid();
+
+#ifndef AUTOCONF_TEST
+ if (uid_wrapper_enabled()) {
+ return (euid == initial_uid || euid == (uid_t)0);
+ }
+#endif
+
+ return (initial_uid == euid);
+}
+
+/****************************************************************************
+are we running in non-root mode?
+****************************************************************************/
+bool non_root_mode(void)
+{
+ return (initial_uid != (uid_t)0);
+}
+
+/****************************************************************************
+abort if we haven't set the uid correctly
+****************************************************************************/
+static void assert_uid(uid_t ruid, uid_t euid)
+{
+ if ((euid != (uid_t)-1 && geteuid() != euid) ||
+ (ruid != (uid_t)-1 && getuid() != ruid)) {
+ if (!non_root_mode()) {
+ DEBUG(0,("Failed to set uid privileges to (%d,%d) now set to (%d,%d)\n",
+ (int)ruid, (int)euid,
+ (int)getuid(), (int)geteuid()));
+ smb_panic("failed to set uid\n");
+ exit(1);
+ }
+ }
+}
+
+/****************************************************************************
+abort if we haven't set the gid correctly
+****************************************************************************/
+static void assert_gid(gid_t rgid, gid_t egid)
+{
+ if ((egid != (gid_t)-1 && getegid() != egid) ||
+ (rgid != (gid_t)-1 && getgid() != rgid)) {
+ if (!non_root_mode()) {
+ DEBUG(0,("Failed to set gid privileges to (%d,%d) now set to (%d,%d) uid=(%d,%d)\n",
+ (int)rgid, (int)egid,
+ (int)getgid(), (int)getegid(),
+ (int)getuid(), (int)geteuid()));
+ smb_panic("failed to set gid\n");
+ exit(1);
+ }
+ }
+}
+
+/****************************************************************************
+ Gain root privilege before doing something.
+ We want to end up with ruid==euid==0
+****************************************************************************/
+void gain_root_privilege(void)
+{
+#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
+ samba_setresuid(0,0,0);
+#endif
+
+#if USE_SETEUID
+ samba_seteuid(0);
+#endif
+
+#if USE_SETREUID
+ samba_setreuid(0, 0);
+#endif
+
+#if USE_SETUIDX
+ samba_setuidx(ID_EFFECTIVE, 0);
+ samba_setuidx(ID_REAL, 0);
+#endif
+
+ /* this is needed on some systems */
+ samba_setuid(0);
+
+ assert_uid(0, 0);
+}
+
+
+/****************************************************************************
+ Ensure our real and effective groups are zero.
+ we want to end up with rgid==egid==0
+****************************************************************************/
+void gain_root_group_privilege(void)
+{
+#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
+ samba_setresgid(0,0,0);
+#endif
+
+#if USE_SETREUID
+ samba_setregid(0,0);
+#endif
+
+#if USE_SETEUID
+ samba_setegid(0);
+#endif
+
+#if USE_SETUIDX
+ samba_setgidx(ID_EFFECTIVE, 0);
+ samba_setgidx(ID_REAL, 0);
+#endif
+
+ samba_setgid(0);
+
+ assert_gid(0, 0);
+}
+
+
+/****************************************************************************
+ Set effective uid, and possibly the real uid too.
+ We want to end up with either:
+
+ ruid==uid and euid==uid
+
+ or
+
+ ruid==0 and euid==uid
+
+ depending on what the local OS will allow us to regain root from.
+****************************************************************************/
+void set_effective_uid(uid_t uid)
+{
+#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
+ /* Set the effective as well as the real uid. */
+ if (samba_setresuid(uid,uid,-1) == -1) {
+ if (errno == EAGAIN) {
+ DEBUG(0, ("samba_setresuid failed with EAGAIN. uid(%d) "
+ "might be over its NPROC limit\n",
+ (int)uid));
+ }
+ }
+#endif
+
+#if USE_SETREUID
+ samba_setreuid(-1,uid);
+#endif
+
+#if USE_SETEUID
+ samba_seteuid(uid);
+#endif
+
+#if USE_SETUIDX
+ samba_setuidx(ID_EFFECTIVE, uid);
+#endif
+
+ assert_uid(-1, uid);
+}
+
+/****************************************************************************
+ Set *only* the effective gid.
+ we want to end up with rgid==0 and egid==gid
+****************************************************************************/
+void set_effective_gid(gid_t gid)
+{
+#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
+ samba_setresgid(-1,gid,-1);
+#endif
+
+#if USE_SETREUID
+ samba_setregid(-1,gid);
+#endif
+
+#if USE_SETEUID
+ samba_setegid(gid);
+#endif
+
+#if USE_SETUIDX
+ samba_setgidx(ID_EFFECTIVE, gid);
+#endif
+
+ assert_gid(-1, gid);
+}
+
+static uid_t saved_euid, saved_ruid;
+static gid_t saved_egid, saved_rgid;
+
+/****************************************************************************
+ save the real and effective uid for later restoration. Used by the quotas
+ code
+****************************************************************************/
+void save_re_uid(void)
+{
+ saved_ruid = getuid();
+ saved_euid = geteuid();
+}
+
+
+/****************************************************************************
+ and restore them!
+****************************************************************************/
+
+void restore_re_uid_fromroot(void)
+{
+#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
+ samba_setresuid(saved_ruid, saved_euid, -1);
+#elif USE_SETREUID
+ samba_setreuid(saved_ruid, -1);
+ samba_setreuid(-1,saved_euid);
+#elif USE_SETUIDX
+ samba_setuidx(ID_REAL, saved_ruid);
+ samba_setuidx(ID_EFFECTIVE, saved_euid);
+#else
+ set_effective_uid(saved_euid);
+ if (getuid() != saved_ruid)
+ samba_setuid(saved_ruid);
+ set_effective_uid(saved_euid);
+#endif
+
+ assert_uid(saved_ruid, saved_euid);
+}
+
+void restore_re_uid(void)
+{
+ set_effective_uid(0);
+ restore_re_uid_fromroot();
+}
+
+/****************************************************************************
+ save the real and effective gid for later restoration. Used by the
+ getgroups code
+****************************************************************************/
+void save_re_gid(void)
+{
+ saved_rgid = getgid();
+ saved_egid = getegid();
+}
+
+/****************************************************************************
+ and restore them!
+****************************************************************************/
+void restore_re_gid(void)
+{
+#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
+ samba_setresgid(saved_rgid, saved_egid, -1);
+#elif USE_SETREUID
+ samba_setregid(saved_rgid, -1);
+ samba_setregid(-1,saved_egid);
+#elif USE_SETUIDX
+ samba_setgidx(ID_REAL, saved_rgid);
+ samba_setgidx(ID_EFFECTIVE, saved_egid);
+#else
+ set_effective_gid(saved_egid);
+ if (getgid() != saved_rgid)
+ samba_setgid(saved_rgid);
+ set_effective_gid(saved_egid);
+#endif
+
+ assert_gid(saved_rgid, saved_egid);
+}
+
+
+/****************************************************************************
+ set the real AND effective uid to the current effective uid in a way that
+ allows root to be regained.
+ This is only possible on some platforms.
+****************************************************************************/
+int set_re_uid(void)
+{
+ uid_t uid = geteuid();
+
+#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
+ samba_setresuid(uid, uid, -1);
+#endif
+
+#if USE_SETREUID
+ samba_setreuid(0, 0);
+ samba_setreuid(uid, -1);
+ samba_setreuid(-1, uid);
+#endif
+
+#if USE_SETEUID
+ /* can't be done */
+ return -1;
+#endif
+
+#if USE_SETUIDX
+ /* can't be done */
+ return -1;
+#endif
+
+ assert_uid(uid, uid);
+ return 0;
+}
+
+
+/****************************************************************************
+ Become the specified uid and gid - permanently !
+ there should be no way back if possible
+****************************************************************************/
+void become_user_permanently(uid_t uid, gid_t gid)
+{
+ /*
+ * First - gain root privilege. We do this to ensure
+ * we can lose it again.
+ */
+
+ gain_root_privilege();
+ gain_root_group_privilege();
+
+#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
+ samba_setresgid(gid,gid,gid);
+ samba_setgid(gid);
+ samba_setresuid(uid,uid,uid);
+ samba_setuid(uid);
+#endif
+
+#if USE_SETREUID
+ samba_setregid(gid,gid);
+ samba_setgid(gid);
+ samba_setreuid(uid,uid);
+ samba_setuid(uid);
+#endif
+
+#if USE_SETEUID
+ samba_setegid(gid);
+ samba_setgid(gid);
+ samba_setuid(uid);
+ samba_seteuid(uid);
+ samba_setuid(uid);
+#endif
+
+#if USE_SETUIDX
+ samba_setgidx(ID_REAL, gid);
+ samba_setgidx(ID_EFFECTIVE, gid);
+ samba_setgid(gid);
+ samba_setuidx(ID_REAL, uid);
+ samba_setuidx(ID_EFFECTIVE, uid);
+ samba_setuid(uid);
+#endif
+
+ assert_uid(uid, uid);
+ assert_gid(gid, gid);
+}
+
+/**********************************************************
+ Function to set thread specific credentials. Leave
+ saved-set uid/gid alone.Must be thread-safe code.
+**********************************************************/
+
+int set_thread_credentials(uid_t uid,
+ gid_t gid,
+ size_t setlen,
+ const gid_t *gidset)
+{
+#if defined(USE_LINUX_THREAD_CREDENTIALS)
+ /*
+ * With Linux thread-specific credentials
+ * we know we have setresuid/setresgid
+ * available.
+ */
+
+ /* Become root. */
+ /* Set ru=0, eu=0 */
+ if (samba_setresuid(0, 0, -1) != 0) {
+ return -1;
+ }
+ /* Set our primary gid. */
+ /* Set rg=gid, eg=gid */
+ if (samba_setresgid(gid, gid, -1) != 0) {
+ return -1;
+ }
+ /* Set extra groups list. */
+ if (samba_setgroups(setlen, gidset) != 0) {
+ return -1;
+ }
+ /* Become the requested user. */
+ /* Set ru=uid, eu=uid */
+ if (samba_setresuid(uid, uid, -1) != 0) {
+ return -1;
+ }
+ if (geteuid() != uid || getuid() != uid ||
+ getegid() != gid || getgid() != gid) {
+ smb_panic("set_thread_credentials failed\n");
+ return -1;
+ }
+ return 0;
+#else
+ errno = ENOSYS;
+ return -1;
+#endif
+}
+
+#ifdef AUTOCONF_TEST
+
+/****************************************************************************
+this function just checks that we don't get ENOSYS back
+****************************************************************************/
+static int have_syscall(void)
+{
+ errno = 0;
+
+#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
+ samba_setresuid(-1,-1,-1);
+#endif
+
+#if USE_SETREUID
+ samba_setreuid(-1,-1);
+#endif
+
+#if USE_SETEUID
+ samba_seteuid(-1);
+#endif
+
+#if USE_SETUIDX
+ samba_setuidx(ID_EFFECTIVE, -1);
+#endif
+
+ if (errno == ENOSYS) return -1;
+
+ return 0;
+}
+
+main()
+{
+ if (getuid() != 0) {
+#if (defined(AIX) && defined(USE_SETREUID))
+ /* setreuid is badly broken on AIX 4.1, we avoid it completely */
+ fprintf(stderr,"avoiding possibly broken setreuid\n");
+ exit(1);
+#endif
+
+ /* if not running as root then at least check to see if we get ENOSYS - this
+ handles Linux 2.0.x with glibc 2.1 */
+ fprintf(stderr,"not running as root: checking for ENOSYS\n");
+ exit(have_syscall());
+ }
+
+ gain_root_privilege();
+ gain_root_group_privilege();
+ set_effective_gid(1);
+ set_effective_uid(1);
+ save_re_uid();
+ restore_re_uid();
+ gain_root_privilege();
+ gain_root_group_privilege();
+ become_user_permanently(1, 1);
+ samba_setuid(0);
+ if (getuid() == 0) {
+ fprintf(stderr,"uid not set permanently\n");
+ exit(1);
+ }
+
+ printf("OK\n");
+
+ exit(0);
+}
+#endif
+
+/****************************************************************************
+Check if we are setuid root. Used in libsmb and smbpasswd paranoia checks.
+****************************************************************************/
+bool is_setuid_root(void)
+{
+ return (geteuid() == (uid_t)0) && (getuid() != (uid_t)0);
+}
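Review bot: become_user_permanently() never resets the supplementary group list: every #if branch sets only uid and gid values, and the closing assert_uid()/assert_gid() calls check only those, so a process that belonged to extra groups keeps them after the "permanent" switch. Now that the file is built into samba-util for callers outside source3, the contract should be stated at the function, e.g. `/* Does not change supplementary groups; the caller must set them (samba_setgroups) before calling. */`, unless callers outside this patch already guarantee it. The same comment could note that the set*id return values are ignored here and that assert_uid()/assert_gid() only panic when the process started as root (`!non_root_mode()`), so in non-root mode a failed switch goes unreported.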
diff --git a/lib/util/util_sec.h b/lib/util/util_sec.h
new file mode 100644
index 0000000..afbf9c8
--- /dev/null
+++ b/lib/util/util_sec.h
@@ -0,0 +1,45 @@
+/*
+ Unix SMB/CIFS implementation.
+ Copyright (C) Jeremy Allison 1998.
+ rewritten for version 2.0.6 by Tridge
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef LIB_UTIL_SEC_H
+#define LIB_UTIL_SEC_H 1
+
+void sec_init(void);
+uid_t sec_initial_uid(void);
+gid_t sec_initial_gid(void);
+bool root_mode(void);
+bool non_root_mode(void);
+void gain_root_privilege(void);
+void gain_root_group_privilege(void);
+void set_effective_uid(uid_t uid);
+void set_effective_gid(gid_t gid);
+void save_re_uid(void);
+void restore_re_uid_fromroot(void);
+void restore_re_uid(void);
+void save_re_gid(void);
+void restore_re_gid(void);
+int set_re_uid(void);
+void become_user_permanently(uid_t uid, gid_t gid);
+int set_thread_credentials(uid_t uid,
+ gid_t gid,
+ size_t setlen,
+ const gid_t *gidset);
+bool is_setuid_root(void);
+
+#endif
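Review bot: util_sec.h is not self-contained: the prototypes use uid_t, gid_t, size_t and bool, but the header includes nothing, so it compiles only where the includer has already pulled in those types (presumably the case at the new #include line in source3/include/includes.h). Since the stated reason for the move is use from code outside source3, consider adding `#include <sys/types.h>` and `#include <stdbool.h>` (or the tree's usual portability header) after the guard. A short comment on set_thread_credentials() would also help, saying that it returns -1 with errno set to ENOSYS when thread credentials are not compiled in, and that a failure part-way can leave the thread with the credentials set by the earlier calls, so callers must check the result.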
diff --git a/lib/util/wscript_build b/lib/util/wscript_build
index fe2c183..0e6d12e 100755
--- a/lib/util/wscript_build
+++ b/lib/util/wscript_build
@@ -8,7 +8,7 @@ bld.SAMBA_LIBRARY('samba-util',
util_strlist.c util_paths.c idtree.c debug.c fault.c base64.c
util_str.c util_str_common.c substitute.c ms_fnmatch.c
server_id.c dprintf.c parmlist.c bitmap.c pidfile.c
- tevent_debug.c util_process.c''',
+ tevent_debug.c util_process.c util_sec.c''',
deps='DYNCONFIG',
public_deps='talloc tevent execinfo pthread LIBCRYPTO charset util_setid systemd-daemon',
public_headers='debug.h attr.h byteorder.h data_blob.h memory.h safe_string.h time.h talloc_stack.h xfile.h dlinklist.h samba_util.h string_wrappers.h',
diff --git a/source3/include/includes.h b/source3/include/includes.h
index de44fd2..967c52b 100644
--- a/source3/include/includes.h
+++ b/source3/include/includes.h
@@ -398,6 +398,7 @@ typedef char fstring[FSTRING_LEN];
/* samba_setXXid functions. */
#include "../lib/util/setid.h"
+#include "../lib/util/util_sec.h"
/***** prototypes *****/
#ifndef NO_PROTO_H
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 356bf91..a59a2c2 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -506,30 +506,6 @@ NTSTATUS merge_nt_token(TALLOC_CTX *mem_ctx,
struct security_token **token_out);
bool token_sid_in_ace(const struct security_token *token, const struct security_ace *ace);
-/* The following definitions come from lib/util_sec.c */
-
-void sec_init(void);
-uid_t sec_initial_uid(void);
-gid_t sec_initial_gid(void);
-bool root_mode(void);
-bool non_root_mode(void);
-void gain_root_privilege(void);
-void gain_root_group_privilege(void);
-void set_effective_uid(uid_t uid);
-void set_effective_gid(gid_t gid);
-void save_re_uid(void);
-void restore_re_uid_fromroot(void);
-void restore_re_uid(void);
-void save_re_gid(void);
-void restore_re_gid(void);
-int set_re_uid(void);
-void become_user_permanently(uid_t uid, gid_t gid);
-int set_thread_credentials(uid_t uid,
- gid_t gid,
- size_t setlen,
- const gid_t *gidset);
-bool is_setuid_root(void) ;
-
/* The following definitions come from lib/util_sid.c */
char *sid_to_fstring(fstring sidstr_out, const struct dom_sid *sid);
diff --git a/source3/lib/util_sec.c b/source3/lib/util_sec.c
deleted file mode 100644
index 9ccd04e..0000000
--- a/source3/lib/util_sec.c
+++ /dev/null
@@ -1,553 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
- Copyright (C) Jeremy Allison 1998.
- rewritten for version 2.0.6 by Tridge
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#ifndef AUTOCONF_TEST
-#include "includes.h"
-#include "system/passwd.h" /* uid_wrapper */
-#include "../lib/util/setid.h"
-
-#else
-/* we are running this code in autoconf test mode to see which type of setuid
- function works */
-#if defined(HAVE_UNISTD_H)
-#include <unistd.h>
-#endif
-#include <stdlib.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <errno.h>
-
-#ifdef HAVE_SYS_PRIV_H
-#include <sys/priv.h>
-#endif
-#ifdef HAVE_SYS_ID_H
-#include <sys/id.h>
-#endif
-
-#define DEBUG(x, y) printf y
-#define smb_panic(x) exit(1)
-#define bool int
-#endif
-
-/* are we running as non-root? This is used by the regresison test code,
- and potentially also for sites that want non-root smbd */
-static uid_t initial_uid;
-static gid_t initial_gid;
-
-/****************************************************************************
-remember what uid we got started as - this allows us to run correctly
-as non-root while catching trapdoor systems
-****************************************************************************/
-
-void sec_init(void)
-{
- static int initialized;
-
- if (!initialized) {
- initial_uid = geteuid();
- initial_gid = getegid();
- initialized = 1;
- }
-}
-
-/****************************************************************************
-some code (eg. winbindd) needs to know what uid we started as
-****************************************************************************/
-uid_t sec_initial_uid(void)
-{
- return initial_uid;
-}
-
-/****************************************************************************
-some code (eg. winbindd, profiling shm) needs to know what gid we started as
-****************************************************************************/
-gid_t sec_initial_gid(void)
-{
- return initial_gid;
-}
-
-/**
- * @brief Check if we are running in root mode.
- *
- * @return If we samba root privileges it returns true, false otehrwise.
- */
-bool root_mode(void)
-{
- uid_t euid;
-
- euid = geteuid();
-
-#ifndef AUTOCONF_TEST
- if (uid_wrapper_enabled()) {
- return (euid == initial_uid || euid == (uid_t)0);
- }
-#endif
-
- return (initial_uid == euid);
-}
-
-/****************************************************************************
-are we running in non-root mode?
-****************************************************************************/
-bool non_root_mode(void)
-{
- return (initial_uid != (uid_t)0);
-}
-
-/****************************************************************************
-abort if we haven't set the uid correctly
-****************************************************************************/
-static void assert_uid(uid_t ruid, uid_t euid)
-{
- if ((euid != (uid_t)-1 && geteuid() != euid) ||
- (ruid != (uid_t)-1 && getuid() != ruid)) {
- if (!non_root_mode()) {
- DEBUG(0,("Failed to set uid privileges to (%d,%d) now set to (%d,%d)\n",
- (int)ruid, (int)euid,
- (int)getuid(), (int)geteuid()));
- smb_panic("failed to set uid\n");
- exit(1);
- }
- }
-}
-
-/****************************************************************************
-abort if we haven't set the gid correctly
-****************************************************************************/
-static void assert_gid(gid_t rgid, gid_t egid)
-{
- if ((egid != (gid_t)-1 && getegid() != egid) ||
- (rgid != (gid_t)-1 && getgid() != rgid)) {
- if (!non_root_mode()) {
- DEBUG(0,("Failed to set gid privileges to (%d,%d) now set to (%d,%d) uid=(%d,%d)\n",
- (int)rgid, (int)egid,
- (int)getgid(), (int)getegid(),
- (int)getuid(), (int)geteuid()));
- smb_panic("failed to set gid\n");
- exit(1);
- }
- }
-}
-
-/****************************************************************************
- Gain root privilege before doing something.
- We want to end up with ruid==euid==0
-****************************************************************************/
-void gain_root_privilege(void)
-{
-#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
- samba_setresuid(0,0,0);
-#endif
-
-#if USE_SETEUID
- samba_seteuid(0);
-#endif
-
-#if USE_SETREUID
- samba_setreuid(0, 0);
-#endif
-
-#if USE_SETUIDX
- samba_setuidx(ID_EFFECTIVE, 0);
- samba_setuidx(ID_REAL, 0);
-#endif
-
- /* this is needed on some systems */
- samba_setuid(0);
-
- assert_uid(0, 0);
-}
-
-
-/****************************************************************************
- Ensure our real and effective groups are zero.
- we want to end up with rgid==egid==0
-****************************************************************************/
-void gain_root_group_privilege(void)
-{
-#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
- samba_setresgid(0,0,0);
-#endif
-
-#if USE_SETREUID
- samba_setregid(0,0);
-#endif
-
-#if USE_SETEUID
- samba_setegid(0);
-#endif
-
-#if USE_SETUIDX
- samba_setgidx(ID_EFFECTIVE, 0);
- samba_setgidx(ID_REAL, 0);
-#endif
-
- samba_setgid(0);
-
- assert_gid(0, 0);
-}
-
-
-/****************************************************************************
- Set effective uid, and possibly the real uid too.
- We want to end up with either:
-
- ruid==uid and euid==uid
-
- or
-
- ruid==0 and euid==uid
-
- depending on what the local OS will allow us to regain root from.
-****************************************************************************/
-void set_effective_uid(uid_t uid)
-{
-#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
- /* Set the effective as well as the real uid. */
- if (samba_setresuid(uid,uid,-1) == -1) {
- if (errno == EAGAIN) {
- DEBUG(0, ("samba_setresuid failed with EAGAIN. uid(%d) "
- "might be over its NPROC limit\n",
- (int)uid));
- }
- }
-#endif
-
-#if USE_SETREUID
- samba_setreuid(-1,uid);
-#endif
-
-#if USE_SETEUID
- samba_seteuid(uid);
-#endif
-
-#if USE_SETUIDX
- samba_setuidx(ID_EFFECTIVE, uid);
-#endif
-
- assert_uid(-1, uid);
-}
-
-/****************************************************************************
- Set *only* the effective gid.
- we want to end up with rgid==0 and egid==gid
-****************************************************************************/
-void set_effective_gid(gid_t gid)
-{
-#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
- samba_setresgid(-1,gid,-1);
-#endif
-
-#if USE_SETREUID
- samba_setregid(-1,gid);
-#endif
-
-#if USE_SETEUID
- samba_setegid(gid);
-#endif
-
-#if USE_SETUIDX
- samba_setgidx(ID_EFFECTIVE, gid);
-#endif
-
- assert_gid(-1, gid);
-}
-
-static uid_t saved_euid, saved_ruid;
-static gid_t saved_egid, saved_rgid;
-
-/****************************************************************************
- save the real and effective uid for later restoration. Used by the quotas
- code
-****************************************************************************/
-void save_re_uid(void)
-{
- saved_ruid = getuid();
- saved_euid = geteuid();
-}
-
-
-/****************************************************************************
- and restore them!
-****************************************************************************/
-
-void restore_re_uid_fromroot(void)
-{
-#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
- samba_setresuid(saved_ruid, saved_euid, -1);
-#elif USE_SETREUID
- samba_setreuid(saved_ruid, -1);
- samba_setreuid(-1,saved_euid);
-#elif USE_SETUIDX
- samba_setuidx(ID_REAL, saved_ruid);
- samba_setuidx(ID_EFFECTIVE, saved_euid);
-#else
- set_effective_uid(saved_euid);
- if (getuid() != saved_ruid)
- samba_setuid(saved_ruid);
- set_effective_uid(saved_euid);
-#endif
-
- assert_uid(saved_ruid, saved_euid);
-}
-
-void restore_re_uid(void)
-{
- set_effective_uid(0);
- restore_re_uid_fromroot();
-}
-
-/****************************************************************************
- save the real and effective gid for later restoration. Used by the
- getgroups code
-****************************************************************************/
-void save_re_gid(void)
-{
- saved_rgid = getgid();
- saved_egid = getegid();
-}
-
-/****************************************************************************
- and restore them!
-****************************************************************************/
-void restore_re_gid(void)
-{
-#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
- samba_setresgid(saved_rgid, saved_egid, -1);
-#elif USE_SETREUID
- samba_setregid(saved_rgid, -1);
- samba_setregid(-1,saved_egid);
-#elif USE_SETUIDX
- samba_setgidx(ID_REAL, saved_rgid);
- samba_setgidx(ID_EFFECTIVE, saved_egid);
-#else
- set_effective_gid(saved_egid);
- if (getgid() != saved_rgid)
- samba_setgid(saved_rgid);
- set_effective_gid(saved_egid);
-#endif
-
- assert_gid(saved_rgid, saved_egid);
-}
-
-
-/****************************************************************************
- set the real AND effective uid to the current effective uid in a way that
- allows root to be regained.
- This is only possible on some platforms.
-****************************************************************************/
-int set_re_uid(void)
-{
- uid_t uid = geteuid();
-
-#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
- samba_setresuid(uid, uid, -1);
-#endif
-
-#if USE_SETREUID
- samba_setreuid(0, 0);
- samba_setreuid(uid, -1);
- samba_setreuid(-1, uid);
-#endif
-
-#if USE_SETEUID
- /* can't be done */
- return -1;
-#endif
-
-#if USE_SETUIDX
- /* can't be done */
- return -1;
-#endif
-
- assert_uid(uid, uid);
- return 0;
-}
-
-
-/****************************************************************************
- Become the specified uid and gid - permanently !
- there should be no way back if possible
-****************************************************************************/
-void become_user_permanently(uid_t uid, gid_t gid)
-{
- /*
- * First - gain root privilege. We do this to ensure
- * we can lose it again.
- */
-
- gain_root_privilege();
- gain_root_group_privilege();
-
-#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
- samba_setresgid(gid,gid,gid);
- samba_setgid(gid);
- samba_setresuid(uid,uid,uid);
- samba_setuid(uid);
-#endif
-
-#if USE_SETREUID
- samba_setregid(gid,gid);
- samba_setgid(gid);
- samba_setreuid(uid,uid);
- samba_setuid(uid);
-#endif
-
-#if USE_SETEUID
- samba_setegid(gid);
- samba_setgid(gid);
- samba_setuid(uid);
- samba_seteuid(uid);
- samba_setuid(uid);
-#endif
-
-#if USE_SETUIDX
- samba_setgidx(ID_REAL, gid);
- samba_setgidx(ID_EFFECTIVE, gid);
- samba_setgid(gid);
- samba_setuidx(ID_REAL, uid);
- samba_setuidx(ID_EFFECTIVE, uid);
- samba_setuid(uid);
-#endif
-
- assert_uid(uid, uid);
- assert_gid(gid, gid);
-}
-
-/**********************************************************
- Function to set thread specific credentials. Leave
- saved-set uid/gid alone.Must be thread-safe code.
-**********************************************************/
-
-int set_thread_credentials(uid_t uid,
- gid_t gid,
- size_t setlen,
- const gid_t *gidset)
-{
-#if defined(USE_LINUX_THREAD_CREDENTIALS)
- /*
- * With Linux thread-specific credentials
- * we know we have setresuid/setresgid
- * available.
- */
-
- /* Become root. */
- /* Set ru=0, eu=0 */
- if (samba_setresuid(0, 0, -1) != 0) {
- return -1;
- }
- /* Set our primary gid. */
- /* Set rg=gid, eg=gid */
- if (samba_setresgid(gid, gid, -1) != 0) {
- return -1;
- }
- /* Set extra groups list. */
- if (samba_setgroups(setlen, gidset) != 0) {
- return -1;
- }
- /* Become the requested user. */
- /* Set ru=uid, eu=uid */
- if (samba_setresuid(uid, uid, -1) != 0) {
- return -1;
- }
- if (geteuid() != uid || getuid() != uid ||
- getegid() != gid || getgid() != gid) {
- smb_panic("set_thread_credentials failed\n");
- return -1;
- }
- return 0;
-#else
- errno = ENOSYS;
- return -1;
-#endif
-}
-
-#ifdef AUTOCONF_TEST
-
-/****************************************************************************
-this function just checks that we don't get ENOSYS back
-****************************************************************************/
-static int have_syscall(void)
-{
- errno = 0;
-
-#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
- samba_setresuid(-1,-1,-1);
-#endif
-
-#if USE_SETREUID
- samba_setreuid(-1,-1);
-#endif
-
-#if USE_SETEUID
- samba_seteuid(-1);
-#endif
-
-#if USE_SETUIDX
- samba_setuidx(ID_EFFECTIVE, -1);
-#endif
-
- if (errno == ENOSYS) return -1;
-
- return 0;
-}
-
-main()
-{
- if (getuid() != 0) {
-#if (defined(AIX) && defined(USE_SETREUID))
- /* setreuid is badly broken on AIX 4.1, we avoid it completely */
- fprintf(stderr,"avoiding possibly broken setreuid\n");
- exit(1);
-#endif
-
- /* if not running as root then at least check to see if we get ENOSYS - this
- handles Linux 2.0.x with glibc 2.1 */
- fprintf(stderr,"not running as root: checking for ENOSYS\n");
- exit(have_syscall());
- }
-
- gain_root_privilege();
- gain_root_group_privilege();
- set_effective_gid(1);
- set_effective_uid(1);
- save_re_uid();
- restore_re_uid();
- gain_root_privilege();
- gain_root_group_privilege();
- become_user_permanently(1, 1);
- samba_setuid(0);
- if (getuid() == 0) {
- fprintf(stderr,"uid not set permanently\n");
- exit(1);
- }
-
- printf("OK\n");
-
- exit(0);
-}
-#endif
-
-/****************************************************************************
-Check if we are setuid root. Used in libsmb and smbpasswd paranoia checks.
-****************************************************************************/
-bool is_setuid_root(void)
-{
- return (geteuid() == (uid_t)0) && (getuid() != (uid_t)0);
-}
diff --git a/source3/wscript b/source3/wscript
index 2bca8fa..d945240 100644
--- a/source3/wscript
+++ b/source3/wscript
@@ -966,7 +966,7 @@ syscall(SYS_setgroups32, 0, NULL);
#define USE_LINUX_THREAD_CREDENTIALS 1
#define USE_LINUX_32BIT_SYSCALLS 1
#include "../lib/util/setid.c"
- #include "./lib/util_sec.c"
+ #include "../lib/util/util_sec.c"
''',
'USE_LINUX_THREAD_CREDENTIALS',
addmain=False,
@@ -977,7 +977,7 @@ syscall(SYS_setgroups32, 0, NULL);
#define AUTOCONF_TEST 1
#define USE_LINUX_THREAD_CREDENTIALS 1
#include "../lib/util/setid.c"
- #include "./lib/util_sec.c"
+ #include "../lib/util/util_sec.c"
''',
'USE_LINUX_THREAD_CREDENTIALS',
addmain=False,
@@ -988,7 +988,7 @@ syscall(SYS_setgroups32, 0, NULL);
#define AUTOCONF_TEST 1
#define USE_SETREUID 1
#include "../lib/util/setid.c"
- #include "./lib/util_sec.c"
+ #include "../lib/util/util_sec.c"
''',
'USE_SETREUID',
addmain=False,
@@ -999,7 +999,7 @@ syscall(SYS_setgroups32, 0, NULL);
#define AUTOCONF_TEST 1
#define USE_SETRESUID 1
#include "../lib/util/setid.c"
- #include "./lib/util_sec.c"
+ #include "../lib/util/util_sec.c"
''',
'USE_SETRESUID',
addmain=False,
@@ -1010,7 +1010,7 @@ syscall(SYS_setgroups32, 0, NULL);
#define AUTOCONF_TEST 1
#define USE_SETEUID 1
#include "../lib/util/setid.c"
- #include "./lib/util_sec.c"
+ #include "../lib/util/util_sec.c"
''',
'USE_SETEUID',
addmain=False,
@@ -1021,7 +1021,7 @@ syscall(SYS_setgroups32, 0, NULL);
#define AUTOCONF_TEST 1
#define USE_SETUIDX 1
#include "../lib/util/setid.c"
- #include "./lib/util_sec.c"
+ #include "../lib/util/util_sec.c"
''',
'USE_SETUIDX',
addmain=False,
diff --git a/source3/wscript_build b/source3/wscript_build
index f13aa63..369fa24 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -772,7 +772,7 @@ bld.SAMBA3_SUBSYSTEM('tdb-wrap3',
deps='talloc samba3-util')
bld.SAMBA3_LIBRARY('samba3-util',
- source='''lib/util_sec.c lib/util_str.c lib/adt_tree.c lib/util_malloc.c lib/memcache.c lib/namearray.c lib/file_id.c''',
+ source='''lib/util_str.c lib/adt_tree.c lib/util_malloc.c lib/memcache.c lib/namearray.c lib/file_id.c''',
deps='samba-util charset',
private_library=True)
--
1.8.3.2
From cb7872a1595a2777eea854573be509d2581626b8 Mon Sep 17 00:00:00 2001
From: Christian Ambach <ambi at samba.org>
Date: Sun, 13 Apr 2014 13:22:34 +0200
Subject: [PATCH 02/12] lib/util: whitespace cleanup
Signed-off-by: Christian Ambach <ambi at samba.org>
---
lib/util/util_sec.c | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/lib/util/util_sec.c b/lib/util/util_sec.c
index 9ccd04e..859b103 100644
--- a/lib/util/util_sec.c
+++ b/lib/util/util_sec.c
@@ -146,15 +146,15 @@ static void assert_gid(gid_t rgid, gid_t egid)
}
/****************************************************************************
- Gain root privilege before doing something.
+ Gain root privilege before doing something.
We want to end up with ruid==euid==0
****************************************************************************/
void gain_root_privilege(void)
-{
+{
#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
samba_setresuid(0,0,0);
#endif
-
+
#if USE_SETEUID
samba_seteuid(0);
#endif
@@ -207,7 +207,7 @@ void gain_root_group_privilege(void)
/****************************************************************************
Set effective uid, and possibly the real uid too.
We want to end up with either:
-
+
ruid==uid and euid==uid
or
@@ -219,7 +219,7 @@ void gain_root_group_privilege(void)
void set_effective_uid(uid_t uid)
{
#if defined(USE_SETRESUID) || defined(USE_LINUX_THREAD_CREDENTIALS)
- /* Set the effective as well as the real uid. */
+ /* Set the effective as well as the real uid. */
if (samba_setresuid(uid,uid,-1) == -1) {
if (errno == EAGAIN) {
DEBUG(0, ("samba_setresuid failed with EAGAIN. uid(%d) "
@@ -314,7 +314,7 @@ void restore_re_uid(void)
}
/****************************************************************************
- save the real and effective gid for later restoration. Used by the
+ save the real and effective gid for later restoration. Used by the
getgroups code
****************************************************************************/
void save_re_gid(void)
@@ -425,7 +425,7 @@ void become_user_permanently(uid_t uid, gid_t gid)
samba_setuidx(ID_EFFECTIVE, uid);
samba_setuid(uid);
#endif
-
+
assert_uid(uid, uid);
assert_gid(gid, gid);
}
@@ -504,22 +504,22 @@ static int have_syscall(void)
#endif
if (errno == ENOSYS) return -1;
-
+
return 0;
}
main()
{
- if (getuid() != 0) {
+ if (getuid() != 0) {
#if (defined(AIX) && defined(USE_SETREUID))
/* setreuid is badly broken on AIX 4.1, we avoid it completely */
- fprintf(stderr,"avoiding possibly broken setreuid\n");
+ fprintf(stderr,"avoiding possibly broken setreuid\n");
exit(1);
#endif
/* if not running as root then at least check to see if we get ENOSYS - this
handles Linux 2.0.x with glibc 2.1 */
- fprintf(stderr,"not running as root: checking for ENOSYS\n");
+ fprintf(stderr,"not running as root: checking for ENOSYS\n");
exit(have_syscall());
}
@@ -547,7 +547,7 @@ main()
/****************************************************************************
Check if we are setuid root. Used in libsmb and smbpasswd paranoia checks.
****************************************************************************/
-bool is_setuid_root(void)
+bool is_setuid_root(void)
{
return (geteuid() == (uid_t)0) && (getuid() != (uid_t)0);
}
--
1.8.3.2
From 9776dbd3248939f86a272c4926702bbaaae7465a Mon Sep 17 00:00:00 2001
From: Christian Ambach <ambi at samba.org>
Date: Mon, 14 Apr 2014 22:11:12 +0200
Subject: [PATCH 03/12] s3:lib/afs move afs.c to common lib dir
some of the code in afs.c is needed by wbinfo that lives in the toplevel
nsswitch directory, so move the afs.c file to a new top-level lib/afs
directory. Use the name afs_funcs to avoid collisions with the afs.h
header from OpenAFS
Signed-off-by: Christian Ambach <ambi at samba.org>
---
lib/afs/afs_funcs.c | 310 ++++++++++++++++++++++++++++++++++++++++
lib/afs/afs_funcs.h | 42 ++++++
lib/afs/wscript_build | 6 +
source3/include/proto.h | 6 -
source3/lib/afs.c | 309 ---------------------------------------
source3/utils/net_afs.c | 1 +
source3/winbindd/winbindd_pam.c | 1 +
source3/wscript_build | 4 -
wscript_build | 1 +
9 files changed, 361 insertions(+), 319 deletions(-)
create mode 100644 lib/afs/afs_funcs.c
create mode 100644 lib/afs/afs_funcs.h
create mode 100644 lib/afs/wscript_build
delete mode 100644 source3/lib/afs.c
diff --git a/lib/afs/afs_funcs.c b/lib/afs/afs_funcs.c
new file mode 100644
index 0000000..674e770
--- /dev/null
+++ b/lib/afs/afs_funcs.c
@@ -0,0 +1,310 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Generate AFS tickets
+ * Copyright (C) Volker Lendecke 2003
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "lib/afs/afs_funcs.h"
+
+#ifdef WITH_FAKE_KASERVER
+
+#define NO_ASN1_TYPEDEFS 1
+
+#include "secrets.h"
+#include "passdb.h"
+#include "auth.h"
+#include "../librpc/gen_ndr/ndr_netlogon.h"
+
+#include <afs/param.h>
+#include <afs/stds.h>
+#include <afs/afs.h>
+#include <afs/auth.h>
+#include <afs/venus.h>
+#include <asm/unistd.h>
+#include <openssl/des.h>
+
+struct ClearToken {
+ uint32 AuthHandle;
+ char HandShakeKey[8];
+ uint32 ViceId;
+ uint32 BeginTimestamp;
+ uint32 EndTimestamp;
+};
+
+static char *afs_encode_token(const char *cell, const DATA_BLOB ticket,
+ const struct ClearToken *ct)
+{
+ char *base64_ticket;
+ char *result = NULL;
+
+ DATA_BLOB key = data_blob(ct->HandShakeKey, 8);
+ char *base64_key;
+ TALLOC_CTX *mem_ctx;
+
+ mem_ctx = talloc_stackframe();
+ if (mem_ctx == NULL)
+ goto done;
+
+ base64_ticket = base64_encode_data_blob(mem_ctx, ticket);
+ if (base64_ticket == NULL)
+ goto done;
+
+ base64_key = base64_encode_data_blob(mem_ctx, key);
+ if (base64_key == NULL)
+ goto done;
+
+ asprintf(&result, "%s\n%u\n%s\n%u\n%u\n%u\n%s\n", cell,
+ ct->AuthHandle, base64_key, ct->ViceId, ct->BeginTimestamp,
+ ct->EndTimestamp, base64_ticket);
+
+ DEBUG(10, ("Got ticket string:\n%s\n", result));
+
+done:
+ TALLOC_FREE(mem_ctx);
+
+ return result;
+}
+
+/* Create a ClearToken and an encrypted ticket. ClearToken has not yet the
+ * ViceId set, this should be set by the caller. */
+
+static bool afs_createtoken(const char *username, const char *cell,
+ DATA_BLOB *ticket, struct ClearToken *ct)
+{
+ fstring clear_ticket;
+ char *p = clear_ticket;
+ uint32 len;
+ uint32 now;
+
+ struct afs_key key;
+ des_key_schedule key_schedule;
+
+ if (!secrets_init())
+ return false;
+
+ if (!secrets_fetch_afs_key(cell, &key)) {
+ DEBUG(1, ("Could not fetch AFS service key\n"));
+ return false;
+ }
+
+ ct->AuthHandle = key.kvno;
+
+ /* Build the ticket. This is going to be encrypted, so in our
+ way we fill in ct while we still have the unencrypted
+ form. */
+
+ p = clear_ticket;
+
+ /* The byte-order */
+ *p = 1;
+ p += 1;
+
+ /* "Alice", the client username */
+ strncpy(p, username, sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
+ p += strlen(p)+1;
+ strncpy(p, "", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
+ p += strlen(p)+1;
+ strncpy(p, cell, sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
+ p += strlen(p)+1;
+
+ /* Alice's network layer address. At least Openafs-1.2.10
+ ignores this, so we fill in a dummy value here. */
+ SIVAL(p, 0, 0);
+ p += 4;
+
+ /* We need to create a session key */
+ generate_random_buffer((uint8_t *)p, 8);
+
+ /* Our client code needs the the key in the clear, it does not
+ know the server-key ... */
+ memcpy(ct->HandShakeKey, p, 8);
+
+ p += 8;
+
+ /* This is a kerberos 4 life time. The life time is expressed
+ * in units of 5 minute intervals up to 38400 seconds, after
+ * that a table is used up to lifetime 0xBF. Values between
+ * 0xC0 and 0xFF is undefined. 0xFF is defined to be the
+ * infinite time that never expire.
+ *
+ * So here we cheat and use the infinite time */
+ *p = 255;
+ p += 1;
+
+ /* Ticket creation time */
+ now = time(NULL);
+ SIVAL(p, 0, now);
+ ct->BeginTimestamp = now;
+
+ if(lp_afs_token_lifetime() == 0)
+ ct->EndTimestamp = NEVERDATE;
+ else
+ ct->EndTimestamp = now + lp_afs_token_lifetime();
+
+ if (((ct->EndTimestamp - ct->BeginTimestamp) & 1) == 1) {
+ ct->BeginTimestamp += 1; /* Lifetime must be even */
+ }
+ p += 4;
+
+ /* And here comes Bob's name and instance, in this case the
+ AFS server. */
+ strncpy(p, "afs", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
+ p += strlen(p)+1;
+ strncpy(p, "", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
+ p += strlen(p)+1;
+
+ /* And zero-pad to a multiple of 8 bytes */
+ len = PTR_DIFF(p, clear_ticket);
+ if (len & 7) {
+ uint32 extra_space = 8-(len & 7);
+ memset(p, 0, extra_space);
+ p+=extra_space;
+ }
+ len = PTR_DIFF(p, clear_ticket);
+
+ des_key_sched((const_des_cblock *)key.key, key_schedule);
+ des_pcbc_encrypt((const unsigned char*) clear_ticket,
+ (unsigned char*) clear_ticket,
+ len, key_schedule, (C_Block *)key.key, 1);
+
+ ZERO_STRUCT(key);
+
+ *ticket = data_blob(clear_ticket, len);
+
+ return true;
+}
+
+char *afs_createtoken_str(const char *username, const char *cell)
+{
+ DATA_BLOB ticket;
+ struct ClearToken ct;
+ char *result;
+
+ if (!afs_createtoken(username, cell, &ticket, &ct))
+ return NULL;
+
+ result = afs_encode_token(cell, ticket, &ct);
+
+ data_blob_free(&ticket);
+
+ return result;
+}
+
+/*
+ This routine takes a radical approach completely bypassing the
+ Kerberos idea of security and using AFS simply as an intelligent
+ file backend. Samba has persuaded itself somehow that the user is
+ actually correctly identified and then we create a ticket that the
+ AFS server hopefully accepts using its KeyFile that the admin has
+ kindly stored to our secrets.tdb.
+
+ Thanks to the book "Network Security -- PRIVATE Communication in a
+ PUBLIC World" by Charlie Kaufman, Radia Perlman and Mike Speciner
+ Kerberos 4 tickets are not really hard to construct.
+
+ For the comments "Alice" is the User to be auth'ed, and "Bob" is the
+ AFS server. */
+
+bool afs_login(connection_struct *conn)
+{
+ DATA_BLOB ticket;
+ char *afs_username = NULL;
+ char *cell = NULL;
+ bool result;
+ char *ticket_str = NULL;
+ const struct dom_sid *user_sid;
+ TALLOC_CTX *ctx = talloc_tos();
+
+ struct ClearToken ct;
+
+ afs_username = talloc_strdup(ctx,
+ lp_afs_username_map());
+ if (!afs_username) {
+ return false;
+ }
+
+ afs_username = talloc_sub_advanced(ctx,
+ lp_servicename(ctx, SNUM(conn)),
+ conn->session_info->unix_info->unix_name,
+ conn->connectpath,
+ conn->session_info->unix_token->gid,
+ conn->session_info->unix_info->sanitized_username,
+ conn->session_info->info->domain_name,
+ afs_username);
+ if (!afs_username) {
+ return false;
+ }
+
+ user_sid = &conn->session_info->security_token->sids[0];
+ afs_username = talloc_string_sub(talloc_tos(),
+ afs_username,
+ "%s",
+ sid_string_tos(user_sid));
+ if (!afs_username) {
+ return false;
+ }
+
+ /* The pts command always generates completely lower-case user
+ * names. */
+ if (!strlower_m(afs_username)) {
+ return false;
+ }
+
+ cell = strchr(afs_username, '@');
+
+ if (cell == NULL) {
+ DEBUG(1, ("AFS username doesn't contain a @, "
+ "could not find cell\n"));
+ return false;
+ }
+
+ *cell = '\0';
+ cell += 1;
+
+ DEBUG(10, ("Trying to log into AFS for user %s@%s\n",
+ afs_username, cell));
+
+ if (!afs_createtoken(afs_username, cell, &ticket, &ct))
+ return false;
+
+ /* For which Unix-UID do we want to set the token? */
+ ct.ViceId = getuid();
+
+ ticket_str = afs_encode_token(cell, ticket, &ct);
+
+ result = afs_settoken_str(ticket_str);
+
+ SAFE_FREE(ticket_str);
+
+ data_blob_free(&ticket);
+
+ return result;
+}
+
+#else
+
+bool afs_login(connection_struct *conn)
+{
+ return true;
+}
+
+char *afs_createtoken_str(const char *username, const char *cell)
+{
+ return NULL;
+}
+
+#endif /* WITH_FAKE_KASERVER */
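Review bot: In afs_createtoken() the ticket is assembled in the fixed-size `clear_ticket` buffer, but only the three name copies are bounded: a truncated strncpy() leaves no terminating NUL, so the following `p += strlen(p)+1` can step past the copied data, and the later fixed-width writes (SIVAL, the 8-byte generate_random_buffer(), the lifetime byte, the timestamp, the "afs" name and the padding memset) are never checked against the end of the buffer. Since this code now sits in a common library, I would reject oversized input before anything is built, e.g. `if (strlen(username) + strlen(cell) + 33 > sizeof(clear_ticket)) return false;` (33 is my count of the fixed fields plus worst-case padding; please confirm). Separately, afs_encode_token() ignores the asprintf() return value and then prints the whole token string, including the base64 session key, at DEBUG level 10; I would check for `-1` and log only the cell name and the ticket length.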
diff --git a/lib/afs/afs_funcs.h b/lib/afs/afs_funcs.h
new file mode 100644
index 0000000..95e916b
--- /dev/null
+++ b/lib/afs/afs_funcs.h
@@ -0,0 +1,42 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Generate AFS tickets
+ * Copyright (C) Volker Lendecke 2003
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef LIB_AFS_AFS_FUNCS_H
+#define LIB_AFS_AFS_FUNCS_H 1
+
+char *afs_createtoken_str(const char *username, const char *cell);
+
+/*
+ This routine takes a radical approach completely bypassing the
+ Kerberos idea of security and using AFS simply as an intelligent
+ file backend. Samba has persuaded itself somehow that the user is
+ actually correctly identified and then we create a ticket that the
+ AFS server hopefully accepts using its KeyFile that the admin has
+ kindly stored to our secrets.tdb.
+
+ Thanks to the book "Network Security -- PRIVATE Communication in a
+ PUBLIC World" by Charlie Kaufman, Radia Perlman and Mike Speciner
+ Kerberos 4 tickets are not really hard to construct.
+
+ For the comments "Alice" is the User to be auth'ed, and "Bob" is the
+ AFS server. */
+
+bool afs_login(connection_struct *conn);
+
+#endif
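Review bot: The prototype for afs_createtoken_str() carries no comment on ownership, and in lib/afs/afs_funcs.c the string is produced by asprintf(), so it has to be released with free()/SAFE_FREE rather than a talloc call. I would add above the declaration `/* Returns a malloc'ed token string the caller must free(), or NULL on failure or when built without WITH_FAKE_KASERVER. */`. The header also uses `bool` and `connection_struct` without including anything that declares them, so it only compiles when the includer has already pulled in includes.h; a short comment saying so, or the needed include, would make that dependency explicit.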
diff --git a/lib/afs/wscript_build b/lib/afs/wscript_build
new file mode 100644
index 0000000..45d8be5
--- /dev/null
+++ b/lib/afs/wscript_build
@@ -0,0 +1,6 @@
+#!/usr/bin/env python
+
+bld.SAMBA3_SUBSYSTEM('LIBAFS',
+ source='afs_funcs.c',
+ deps='samba-util LIBAFS_SETTOKEN')
+
diff --git a/source3/include/proto.h b/source3/include/proto.h
index a59a2c2..db5b51e 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -35,12 +35,6 @@ bool allow_access(const char **deny_list,
/* The following definitions come from lib/adt_tree.c */
-
-/* The following definitions come from lib/afs.c */
-
-char *afs_createtoken_str(const char *username, const char *cell);
-bool afs_login(connection_struct *conn);
-
/* The following definitions come from lib/afs_settoken.c */
int afs_syscall(int subcall, const char *path, int cmd, char *cmarg, int follow);
diff --git a/source3/lib/afs.c b/source3/lib/afs.c
deleted file mode 100644
index 2d77526..0000000
--- a/source3/lib/afs.c
+++ /dev/null
@@ -1,309 +0,0 @@
-/*
- * Unix SMB/CIFS implementation.
- * Generate AFS tickets
- * Copyright (C) Volker Lendecke 2003
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, see <http://www.gnu.org/licenses/>.
- */
-
-#include "includes.h"
-
-#ifdef WITH_FAKE_KASERVER
-
-#define NO_ASN1_TYPEDEFS 1
-
-#include "secrets.h"
-#include "passdb.h"
-#include "auth.h"
-#include "../librpc/gen_ndr/ndr_netlogon.h"
-
-#include <afs/param.h>
-#include <afs/stds.h>
-#include <afs/afs.h>
-#include <afs/auth.h>
-#include <afs/venus.h>
-#include <asm/unistd.h>
-#include <openssl/des.h>
-
-struct ClearToken {
- uint32 AuthHandle;
- char HandShakeKey[8];
- uint32 ViceId;
- uint32 BeginTimestamp;
- uint32 EndTimestamp;
-};
-
-static char *afs_encode_token(const char *cell, const DATA_BLOB ticket,
- const struct ClearToken *ct)
-{
- char *base64_ticket;
- char *result = NULL;
-
- DATA_BLOB key = data_blob(ct->HandShakeKey, 8);
- char *base64_key;
- TALLOC_CTX *mem_ctx;
-
- mem_ctx = talloc_stackframe();
- if (mem_ctx == NULL)
- goto done;
-
- base64_ticket = base64_encode_data_blob(mem_ctx, ticket);
- if (base64_ticket == NULL)
- goto done;
-
- base64_key = base64_encode_data_blob(mem_ctx, key);
- if (base64_key == NULL)
- goto done;
-
- asprintf(&result, "%s\n%u\n%s\n%u\n%u\n%u\n%s\n", cell,
- ct->AuthHandle, base64_key, ct->ViceId, ct->BeginTimestamp,
- ct->EndTimestamp, base64_ticket);
-
- DEBUG(10, ("Got ticket string:\n%s\n", result));
-
-done:
- TALLOC_FREE(mem_ctx);
-
- return result;
-}
-
-/* Create a ClearToken and an encrypted ticket. ClearToken has not yet the
- * ViceId set, this should be set by the caller. */
-
-static bool afs_createtoken(const char *username, const char *cell,
- DATA_BLOB *ticket, struct ClearToken *ct)
-{
- fstring clear_ticket;
- char *p = clear_ticket;
- uint32 len;
- uint32 now;
-
- struct afs_key key;
- des_key_schedule key_schedule;
-
- if (!secrets_init())
- return false;
-
- if (!secrets_fetch_afs_key(cell, &key)) {
- DEBUG(1, ("Could not fetch AFS service key\n"));
- return false;
- }
-
- ct->AuthHandle = key.kvno;
-
- /* Build the ticket. This is going to be encrypted, so in our
- way we fill in ct while we still have the unencrypted
- form. */
-
- p = clear_ticket;
-
- /* The byte-order */
- *p = 1;
- p += 1;
-
- /* "Alice", the client username */
- strncpy(p, username, sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
- p += strlen(p)+1;
- strncpy(p, "", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
- p += strlen(p)+1;
- strncpy(p, cell, sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
- p += strlen(p)+1;
-
- /* Alice's network layer address. At least Openafs-1.2.10
- ignores this, so we fill in a dummy value here. */
- SIVAL(p, 0, 0);
- p += 4;
-
- /* We need to create a session key */
- generate_random_buffer((uint8_t *)p, 8);
-
- /* Our client code needs the the key in the clear, it does not
- know the server-key ... */
- memcpy(ct->HandShakeKey, p, 8);
-
- p += 8;
-
- /* This is a kerberos 4 life time. The life time is expressed
- * in units of 5 minute intervals up to 38400 seconds, after
- * that a table is used up to lifetime 0xBF. Values between
- * 0xC0 and 0xFF is undefined. 0xFF is defined to be the
- * infinite time that never expire.
- *
- * So here we cheat and use the infinite time */
- *p = 255;
- p += 1;
-
- /* Ticket creation time */
- now = time(NULL);
- SIVAL(p, 0, now);
- ct->BeginTimestamp = now;
-
- if(lp_afs_token_lifetime() == 0)
- ct->EndTimestamp = NEVERDATE;
- else
- ct->EndTimestamp = now + lp_afs_token_lifetime();
-
- if (((ct->EndTimestamp - ct->BeginTimestamp) & 1) == 1) {
- ct->BeginTimestamp += 1; /* Lifetime must be even */
- }
- p += 4;
-
- /* And here comes Bob's name and instance, in this case the
- AFS server. */
- strncpy(p, "afs", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
- p += strlen(p)+1;
- strncpy(p, "", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
- p += strlen(p)+1;
-
- /* And zero-pad to a multiple of 8 bytes */
- len = PTR_DIFF(p, clear_ticket);
- if (len & 7) {
- uint32 extra_space = 8-(len & 7);
- memset(p, 0, extra_space);
- p+=extra_space;
- }
- len = PTR_DIFF(p, clear_ticket);
-
- des_key_sched((const_des_cblock *)key.key, key_schedule);
- des_pcbc_encrypt((const unsigned char*) clear_ticket,
- (unsigned char*) clear_ticket,
- len, key_schedule, (C_Block *)key.key, 1);
-
- ZERO_STRUCT(key);
-
- *ticket = data_blob(clear_ticket, len);
-
- return true;
-}
-
-char *afs_createtoken_str(const char *username, const char *cell)
-{
- DATA_BLOB ticket;
- struct ClearToken ct;
- char *result;
-
- if (!afs_createtoken(username, cell, &ticket, &ct))
- return NULL;
-
- result = afs_encode_token(cell, ticket, &ct);
-
- data_blob_free(&ticket);
-
- return result;
-}
-
-/*
- This routine takes a radical approach completely bypassing the
- Kerberos idea of security and using AFS simply as an intelligent
- file backend. Samba has persuaded itself somehow that the user is
- actually correctly identified and then we create a ticket that the
- AFS server hopefully accepts using its KeyFile that the admin has
- kindly stored to our secrets.tdb.
-
- Thanks to the book "Network Security -- PRIVATE Communication in a
- PUBLIC World" by Charlie Kaufman, Radia Perlman and Mike Speciner
- Kerberos 4 tickets are not really hard to construct.
-
- For the comments "Alice" is the User to be auth'ed, and "Bob" is the
- AFS server. */
-
-bool afs_login(connection_struct *conn)
-{
- DATA_BLOB ticket;
- char *afs_username = NULL;
- char *cell = NULL;
- bool result;
- char *ticket_str = NULL;
- const struct dom_sid *user_sid;
- TALLOC_CTX *ctx = talloc_tos();
-
- struct ClearToken ct;
-
- afs_username = talloc_strdup(ctx,
- lp_afs_username_map());
- if (!afs_username) {
- return false;
- }
-
- afs_username = talloc_sub_advanced(ctx,
- lp_servicename(ctx, SNUM(conn)),
- conn->session_info->unix_info->unix_name,
- conn->connectpath,
- conn->session_info->unix_token->gid,
- conn->session_info->unix_info->sanitized_username,
- conn->session_info->info->domain_name,
- afs_username);
- if (!afs_username) {
- return false;
- }
-
- user_sid = &conn->session_info->security_token->sids[0];
- afs_username = talloc_string_sub(talloc_tos(),
- afs_username,
- "%s",
- sid_string_tos(user_sid));
- if (!afs_username) {
- return false;
- }
-
- /* The pts command always generates completely lower-case user
- * names. */
- if (!strlower_m(afs_username)) {
- return false;
- }
-
- cell = strchr(afs_username, '@');
-
- if (cell == NULL) {
- DEBUG(1, ("AFS username doesn't contain a @, "
- "could not find cell\n"));
- return false;
- }
-
- *cell = '\0';
- cell += 1;
-
- DEBUG(10, ("Trying to log into AFS for user %s@%s\n",
- afs_username, cell));
-
- if (!afs_createtoken(afs_username, cell, &ticket, &ct))
- return false;
-
- /* For which Unix-UID do we want to set the token? */
- ct.ViceId = getuid();
-
- ticket_str = afs_encode_token(cell, ticket, &ct);
-
- result = afs_settoken_str(ticket_str);
-
- SAFE_FREE(ticket_str);
-
- data_blob_free(&ticket);
-
- return result;
-}
-
-#else
-
-bool afs_login(connection_struct *conn)
-{
- return true;
-}
-
-char *afs_createtoken_str(const char *username, const char *cell)
-{
- return NULL;
-}
-
-#endif /* WITH_FAKE_KASERVER */
diff --git a/source3/utils/net_afs.c b/source3/utils/net_afs.c
index 3c7f282..44e5193 100644
--- a/source3/utils/net_afs.c
+++ b/source3/utils/net_afs.c
@@ -22,6 +22,7 @@
#include "utils/net_afs.h"
#include "secrets.h"
#include "system/filesys.h"
+#include "lib/afs/afs_funcs.h"
int net_afs_usage(struct net_context *c, int argc, const char **argv)
{
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 415dc79..65f27df 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -41,6 +41,7 @@
#include "auth/kerberos/pac_utils.h"
#include "auth/gensec/gensec.h"
#include "librpc/crypto/gse_krb5.h"
+#include "lib/afs/afs_funcs.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND
diff --git a/source3/wscript_build b/source3/wscript_build
index 369fa24..4ac5a6d 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -471,10 +471,6 @@ bld.SAMBA3_SUBSYSTEM('LIBAFS_SETTOKEN',
source='lib/afs_settoken.c',
deps='samba-util')
-bld.SAMBA3_SUBSYSTEM('LIBAFS',
- source='lib/afs.c',
- deps='samba-util LIBAFS_SETTOKEN')
-
bld.SAMBA3_LIBRARY('smbconf',
source='''lib/smbconf/smbconf_init.c
lib/smbconf/smbconf_reg.c''',
diff --git a/wscript_build b/wscript_build
index 9228d15..59ba354 100644
--- a/wscript_build
+++ b/wscript_build
@@ -74,6 +74,7 @@ bld.RECURSE('lib/uid_wrapper')
bld.RECURSE('lib/popt')
bld.RECURSE('lib/iniparser/src')
bld.RECURSE('source4/lib/stream')
+bld.RECURSE('lib/afs')
bld.RECURSE('lib/util')
bld.RECURSE('lib/tdb_wrap')
bld.RECURSE('lib/tdr')
--
1.8.3.2
From 72fe3dcfb115e7d0716a86c1c74a196e8450518e Mon Sep 17 00:00:00 2001
From: Christian Ambach <ambi at samba.org>
Date: Mon, 14 Apr 2014 22:35:21 +0200
Subject: [PATCH 04/12] s3:lib/afs move afs_settoken.c to common lib dir
Signed-off-by: Christian Ambach <ambi at samba.org>
---
lib/afs/afs_settoken.c | 263 +++++++++++++++++++++++++++++++++++++++++++++
lib/afs/afs_settoken.h | 21 ++++
lib/afs/wscript_build | 4 +
nsswitch/wbinfo.c | 1 +
source3/include/proto.h | 5 -
source3/lib/afs_settoken.c | 262 --------------------------------------------
source3/utils/net_afs.c | 1 +
source3/wscript_build | 4 -
8 files changed, 290 insertions(+), 271 deletions(-)
create mode 100644 lib/afs/afs_settoken.c
create mode 100644 lib/afs/afs_settoken.h
delete mode 100644 source3/lib/afs_settoken.c
diff --git a/lib/afs/afs_settoken.c b/lib/afs/afs_settoken.c
new file mode 100644
index 0000000..18ad302
--- /dev/null
+++ b/lib/afs/afs_settoken.c
@@ -0,0 +1,263 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Generate AFS tickets
+ * Copyright (C) Volker Lendecke 2004
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "lib/afs/afs_settoken.h"
+
+#ifdef WITH_FAKE_KASERVER
+
+#define NO_ASN1_TYPEDEFS 1
+
+#include "system/filesys.h"
+
+#include <afs/param.h>
+#include <afs/stds.h>
+#include <afs/afs.h>
+#include <afs/auth.h>
+#include <afs/venus.h>
+#include <asm/unistd.h>
+#include <openssl/des.h>
+#include <sys/syscall.h>
+
+int afs_syscall(int subcall, const char *path, int cmd, char *cmarg, int follow)
+{
+/*
+ return( syscall( SYS_afs_syscall, subcall, path, cmd, cmarg, follow));
+*/
+ int errcode;
+ int proc_afs_file;
+ struct afsprocdata afs_syscall_data;
+ afs_syscall_data.syscall = subcall;
+ afs_syscall_data.param1 = (long)path;
+ afs_syscall_data.param2 = cmd;
+ afs_syscall_data.param3 = (long)cmarg;
+ afs_syscall_data.param4 = follow;
+ proc_afs_file = open(PROC_SYSCALL_FNAME, O_RDWR);
+ if (proc_afs_file < 0)
+ proc_afs_file = open(PROC_SYSCALL_ARLA_FNAME, O_RDWR);
+ if (proc_afs_file < 0)
+ return -1;
+ errcode = ioctl(proc_afs_file, VIOC_SYSCALL, &afs_syscall_data);
+ close(proc_afs_file);
+ return errcode;
+}
+
+struct ClearToken {
+ uint32 AuthHandle;
+ char HandShakeKey[8];
+ uint32 ViceId;
+ uint32 BeginTimestamp;
+ uint32 EndTimestamp;
+};
+
+static bool afs_decode_token(const char *string, char **cell,
+ DATA_BLOB *ticket, struct ClearToken *ct)
+{
+ DATA_BLOB blob;
+ struct ClearToken result_ct;
+ char *saveptr;
+
+ char *s = SMB_STRDUP(string);
+
+ char *t;
+
+ if ((t = strtok_r(s, "\n", &saveptr)) == NULL) {
+ DEBUG(10, ("strtok_r failed\n"));
+ return false;
+ }
+
+ *cell = SMB_STRDUP(t);
+
+ if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
+ DEBUG(10, ("strtok_r failed\n"));
+ return false;
+ }
+
+ if (sscanf(t, "%u", &result_ct.AuthHandle) != 1) {
+ DEBUG(10, ("sscanf AuthHandle failed\n"));
+ return false;
+ }
+
+ if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
+ DEBUG(10, ("strtok_r failed\n"));
+ return false;
+ }
+
+ blob = base64_decode_data_blob(t);
+
+ if ( (blob.data == NULL) ||
+ (blob.length != sizeof(result_ct.HandShakeKey) )) {
+ DEBUG(10, ("invalid key: %x/%lu\n", (uint8_t)*blob.data,
+ (unsigned long) blob.length));
+ return false;
+ }
+
+ memcpy(result_ct.HandShakeKey, blob.data, blob.length);
+
+ data_blob_free(&blob);
+
+ if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
+ DEBUG(10, ("strtok_r failed\n"));
+ return false;
+ }
+
+ if (sscanf(t, "%u", &result_ct.ViceId) != 1) {
+ DEBUG(10, ("sscanf ViceId failed\n"));
+ return false;
+ }
+
+ if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
+ DEBUG(10, ("strtok_r failed\n"));
+ return false;
+ }
+
+ if (sscanf(t, "%u", &result_ct.BeginTimestamp) != 1) {
+ DEBUG(10, ("sscanf BeginTimestamp failed\n"));
+ return false;
+ }
+
+ if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
+ DEBUG(10, ("strtok_r failed\n"));
+ return false;
+ }
+
+ if (sscanf(t, "%u", &result_ct.EndTimestamp) != 1) {
+ DEBUG(10, ("sscanf EndTimestamp failed\n"));
+ return false;
+ }
+
+ if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
+ DEBUG(10, ("strtok_r failed\n"));
+ return false;
+ }
+
+ blob = base64_decode_data_blob(t);
+
+ if (blob.data == NULL) {
+ DEBUG(10, ("Could not get ticket\n"));
+ return false;
+ }
+
+ *ticket = blob;
+ *ct = result_ct;
+
+ return true;
+}
+
+/*
+ Put an AFS token into the Kernel so that it can authenticate against
+ the AFS server. This assumes correct local uid settings.
+
+ This is currently highly Linux and OpenAFS-specific. The correct API
+ call for this would be ktc_SetToken. But to do that we would have to
+ import a REALLY big bunch of libraries which I would currently like
+ to avoid.
+*/
+
+static bool afs_settoken(const char *cell,
+ const struct ClearToken *ctok,
+ DATA_BLOB ticket)
+{
+ int ret;
+ struct {
+ char *in, *out;
+ uint16 in_size, out_size;
+ } iob;
+
+ char buf[1024];
+ char *p = buf;
+ int tmp;
+
+ memcpy(p, &ticket.length, sizeof(uint32));
+ p += sizeof(uint32);
+ memcpy(p, ticket.data, ticket.length);
+ p += ticket.length;
+
+ tmp = sizeof(struct ClearToken);
+ memcpy(p, &tmp, sizeof(uint32));
+ p += sizeof(uint32);
+ memcpy(p, ctok, tmp);
+ p += tmp;
+
+ tmp = 0;
+
+ memcpy(p, &tmp, sizeof(uint32));
+ p += sizeof(uint32);
+
+ tmp = strlen(cell);
+ if (tmp >= MAXKTCREALMLEN) {
+ DEBUG(1, ("Realm too long\n"));
+ return false;
+ }
+
+ strncpy(p, cell, tmp);
+ p += tmp;
+ *p = 0;
+ p +=1;
+
+ iob.in = buf;
+ iob.in_size = PTR_DIFF(p,buf);
+ iob.out = buf;
+ iob.out_size = sizeof(buf);
+
+#if 0
+ file_save("/tmp/ioctlbuf", iob.in, iob.in_size);
+#endif
+
+ ret = afs_syscall(AFSCALL_PIOCTL, 0, VIOCSETTOK, (char *)&iob, 0);
+
+ DEBUG(10, ("afs VIOCSETTOK returned %d\n", ret));
+ return (ret == 0);
+}
+
+bool afs_settoken_str(const char *token_string)
+{
+ DATA_BLOB ticket;
+ struct ClearToken ct;
+ bool result;
+ char *cell;
+
+ if (!afs_decode_token(token_string, &cell, &ticket, &ct))
+ return false;
+
+ if (geteuid() != sec_initial_uid())
+ ct.ViceId = getuid();
+
+ result = afs_settoken(cell, &ct, ticket);
+
+ SAFE_FREE(cell);
+ data_blob_free(&ticket);
+
+ return result;
+}
+
+#else
+
+int afs_syscall(int subcall, const char *path, int cmd, char *cmarg, int follow)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
+bool afs_settoken_str(const char *token_string)
+{
+ return false;
+}
+
+#endif
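Review bot: afs_settoken() copies `ticket.length` bytes into the 1024-byte stack buffer `buf` with no length check, and that ticket is whatever base64_decode_data_blob() produced from the token string handed to afs_settoken_str(); only the cell name is checked, against MAXKTCREALMLEN. A guard before the first memcpy would close this, e.g. `if (ticket.length > sizeof(buf) - (3*sizeof(uint32) + sizeof(struct ClearToken) + MAXKTCREALMLEN)) return false;`. In afs_decode_token() the "invalid key" DEBUG dereferences `blob.data` on a branch that is also taken when `blob.data == NULL`, and the SMB_STRDUP'ed copy `s` (plus `*cell` and `blob` on the error returns) is never freed. These appear to be carried over from source3/lib/afs_settoken.c, but now that the header is included from nsswitch/wbinfo.c the move is a good moment to fix them.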
diff --git a/lib/afs/afs_settoken.h b/lib/afs/afs_settoken.h
new file mode 100644
index 0000000..d6cc462
--- /dev/null
+++ b/lib/afs/afs_settoken.h
@@ -0,0 +1,21 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Generate AFS tickets
+ * Copyright (C) Volker Lendecke 2004
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+int afs_syscall(int subcall, const char *path, int cmd, char *cmarg, int follow);
+bool afs_settoken_str(const char *token_string);
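Review bot: The new header has no include guard and uses `bool` without including anything that defines it, so it compiles only when the includer has already pulled in a definition; wrapping the two prototypes in a guard (constructed name: `#ifndef _LIB_AFS_AFS_SETTOKEN_H_`) and adding `#include <stdbool.h>` would make it self-contained. The prototype is now included by `nsswitch/wbinfo.c` and `source3/utils/net_afs.c`, so `afs_settoken_str()` also deserves a comment saying where `token_string` comes from and how far it is trusted. That matters because the moved implementation earlier in this patch has `afs_settoken()` copy `ticket.length` bytes of the decoded ticket into `char buf[1024]` with no bound on the length. A guard before that `memcpy` would close the gap, e.g. `if (ticket.length > sizeof(buf) - (3 * sizeof(uint32) + sizeof(struct ClearToken) + MAXKTCREALMLEN)) return false;`.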
diff --git a/lib/afs/wscript_build b/lib/afs/wscript_build
index 45d8be5..7337491 100644
--- a/lib/afs/wscript_build
+++ b/lib/afs/wscript_build
@@ -4,3 +4,7 @@ bld.SAMBA3_SUBSYSTEM('LIBAFS',
source='afs_funcs.c',
deps='samba-util LIBAFS_SETTOKEN')
+bld.SAMBA3_SUBSYSTEM('LIBAFS_SETTOKEN',
+ source='afs_settoken.c',
+ deps='samba-util')
+
diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
index bc25a17..a3e6451 100644
--- a/nsswitch/wbinfo.c
+++ b/nsswitch/wbinfo.c
@@ -27,6 +27,7 @@
#include "lib/popt/popt.h"
#include "../libcli/auth/libcli_auth.h"
#include "lib/cmdline/popt_common.h"
+#include "lib/afs/afs_settoken.h"
#ifdef DBGC_CLASS
#undef DBGC_CLASS
diff --git a/source3/include/proto.h b/source3/include/proto.h
index db5b51e..15d9f0c 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -35,11 +35,6 @@ bool allow_access(const char **deny_list,
/* The following definitions come from lib/adt_tree.c */
-/* The following definitions come from lib/afs_settoken.c */
-
-int afs_syscall(int subcall, const char *path, int cmd, char *cmarg, int follow);
-bool afs_settoken_str(const char *token_string);
-
/* The following definitions come from lib/audit.c */
const char *audit_category_str(uint32 category);
diff --git a/source3/lib/afs_settoken.c b/source3/lib/afs_settoken.c
deleted file mode 100644
index 7aff55f..0000000
--- a/source3/lib/afs_settoken.c
+++ /dev/null
@@ -1,262 +0,0 @@
-/*
- * Unix SMB/CIFS implementation.
- * Generate AFS tickets
- * Copyright (C) Volker Lendecke 2004
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, see <http://www.gnu.org/licenses/>.
- */
-
-#include "includes.h"
-
-#ifdef WITH_FAKE_KASERVER
-
-#define NO_ASN1_TYPEDEFS 1
-
-#include "system/filesys.h"
-
-#include <afs/param.h>
-#include <afs/stds.h>
-#include <afs/afs.h>
-#include <afs/auth.h>
-#include <afs/venus.h>
-#include <asm/unistd.h>
-#include <openssl/des.h>
-#include <sys/syscall.h>
-
-int afs_syscall(int subcall, const char *path, int cmd, char *cmarg, int follow)
-{
-/*
- return( syscall( SYS_afs_syscall, subcall, path, cmd, cmarg, follow));
-*/
- int errcode;
- int proc_afs_file;
- struct afsprocdata afs_syscall_data;
- afs_syscall_data.syscall = subcall;
- afs_syscall_data.param1 = (long)path;
- afs_syscall_data.param2 = cmd;
- afs_syscall_data.param3 = (long)cmarg;
- afs_syscall_data.param4 = follow;
- proc_afs_file = open(PROC_SYSCALL_FNAME, O_RDWR);
- if (proc_afs_file < 0)
- proc_afs_file = open(PROC_SYSCALL_ARLA_FNAME, O_RDWR);
- if (proc_afs_file < 0)
- return -1;
- errcode = ioctl(proc_afs_file, VIOC_SYSCALL, &afs_syscall_data);
- close(proc_afs_file);
- return errcode;
-}
-
-struct ClearToken {
- uint32 AuthHandle;
- char HandShakeKey[8];
- uint32 ViceId;
- uint32 BeginTimestamp;
- uint32 EndTimestamp;
-};
-
-static bool afs_decode_token(const char *string, char **cell,
- DATA_BLOB *ticket, struct ClearToken *ct)
-{
- DATA_BLOB blob;
- struct ClearToken result_ct;
- char *saveptr;
-
- char *s = SMB_STRDUP(string);
-
- char *t;
-
- if ((t = strtok_r(s, "\n", &saveptr)) == NULL) {
- DEBUG(10, ("strtok_r failed\n"));
- return false;
- }
-
- *cell = SMB_STRDUP(t);
-
- if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
- DEBUG(10, ("strtok_r failed\n"));
- return false;
- }
-
- if (sscanf(t, "%u", &result_ct.AuthHandle) != 1) {
- DEBUG(10, ("sscanf AuthHandle failed\n"));
- return false;
- }
-
- if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
- DEBUG(10, ("strtok_r failed\n"));
- return false;
- }
-
- blob = base64_decode_data_blob(t);
-
- if ( (blob.data == NULL) ||
- (blob.length != sizeof(result_ct.HandShakeKey) )) {
- DEBUG(10, ("invalid key: %x/%lu\n", (uint8_t)*blob.data,
- (unsigned long) blob.length));
- return false;
- }
-
- memcpy(result_ct.HandShakeKey, blob.data, blob.length);
-
- data_blob_free(&blob);
-
- if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
- DEBUG(10, ("strtok_r failed\n"));
- return false;
- }
-
- if (sscanf(t, "%u", &result_ct.ViceId) != 1) {
- DEBUG(10, ("sscanf ViceId failed\n"));
- return false;
- }
-
- if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
- DEBUG(10, ("strtok_r failed\n"));
- return false;
- }
-
- if (sscanf(t, "%u", &result_ct.BeginTimestamp) != 1) {
- DEBUG(10, ("sscanf BeginTimestamp failed\n"));
- return false;
- }
-
- if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
- DEBUG(10, ("strtok_r failed\n"));
- return false;
- }
-
- if (sscanf(t, "%u", &result_ct.EndTimestamp) != 1) {
- DEBUG(10, ("sscanf EndTimestamp failed\n"));
- return false;
- }
-
- if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
- DEBUG(10, ("strtok_r failed\n"));
- return false;
- }
-
- blob = base64_decode_data_blob(t);
-
- if (blob.data == NULL) {
- DEBUG(10, ("Could not get ticket\n"));
- return false;
- }
-
- *ticket = blob;
- *ct = result_ct;
-
- return true;
-}
-
-/*
- Put an AFS token into the Kernel so that it can authenticate against
- the AFS server. This assumes correct local uid settings.
-
- This is currently highly Linux and OpenAFS-specific. The correct API
- call for this would be ktc_SetToken. But to do that we would have to
- import a REALLY big bunch of libraries which I would currently like
- to avoid.
-*/
-
-static bool afs_settoken(const char *cell,
- const struct ClearToken *ctok,
- DATA_BLOB ticket)
-{
- int ret;
- struct {
- char *in, *out;
- uint16 in_size, out_size;
- } iob;
-
- char buf[1024];
- char *p = buf;
- int tmp;
-
- memcpy(p, &ticket.length, sizeof(uint32));
- p += sizeof(uint32);
- memcpy(p, ticket.data, ticket.length);
- p += ticket.length;
-
- tmp = sizeof(struct ClearToken);
- memcpy(p, &tmp, sizeof(uint32));
- p += sizeof(uint32);
- memcpy(p, ctok, tmp);
- p += tmp;
-
- tmp = 0;
-
- memcpy(p, &tmp, sizeof(uint32));
- p += sizeof(uint32);
-
- tmp = strlen(cell);
- if (tmp >= MAXKTCREALMLEN) {
- DEBUG(1, ("Realm too long\n"));
- return false;
- }
-
- strncpy(p, cell, tmp);
- p += tmp;
- *p = 0;
- p +=1;
-
- iob.in = buf;
- iob.in_size = PTR_DIFF(p,buf);
- iob.out = buf;
- iob.out_size = sizeof(buf);
-
-#if 0
- file_save("/tmp/ioctlbuf", iob.in, iob.in_size);
-#endif
-
- ret = afs_syscall(AFSCALL_PIOCTL, 0, VIOCSETTOK, (char *)&iob, 0);
-
- DEBUG(10, ("afs VIOCSETTOK returned %d\n", ret));
- return (ret == 0);
-}
-
-bool afs_settoken_str(const char *token_string)
-{
- DATA_BLOB ticket;
- struct ClearToken ct;
- bool result;
- char *cell;
-
- if (!afs_decode_token(token_string, &cell, &ticket, &ct))
- return false;
-
- if (geteuid() != sec_initial_uid())
- ct.ViceId = getuid();
-
- result = afs_settoken(cell, &ct, ticket);
-
- SAFE_FREE(cell);
- data_blob_free(&ticket);
-
- return result;
-}
-
-#else
-
-int afs_syscall(int subcall, const char *path, int cmd, char *cmarg, int follow)
-{
- errno = ENOSYS;
- return -1;
-}
-
-bool afs_settoken_str(const char *token_string)
-{
- return false;
-}
-
-#endif
diff --git a/source3/utils/net_afs.c b/source3/utils/net_afs.c
index 44e5193..6049a5c 100644
--- a/source3/utils/net_afs.c
+++ b/source3/utils/net_afs.c
@@ -23,6 +23,7 @@
#include "secrets.h"
#include "system/filesys.h"
#include "lib/afs/afs_funcs.h"
+#include "lib/afs/afs_settoken.h"
int net_afs_usage(struct net_context *c, int argc, const char **argv)
{
diff --git a/source3/wscript_build b/source3/wscript_build
index 4ac5a6d..34f71f9 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -467,10 +467,6 @@ bld.SAMBA3_SUBSYSTEM('LIBADS_PRINTER',
source='libads/ldap_printer.c',
deps='samba-util krb5samba')
-bld.SAMBA3_SUBSYSTEM('LIBAFS_SETTOKEN',
- source='lib/afs_settoken.c',
- deps='samba-util')
-
bld.SAMBA3_LIBRARY('smbconf',
source='''lib/smbconf/smbconf_init.c
lib/smbconf/smbconf_reg.c''',
--
1.8.3.2
From 5ccc9b6030e4e4dc0087ed2bf7329f65c460ab2d Mon Sep 17 00:00:00 2001
From: Christian Ambach <ambi at samba.org>
Date: Mon, 14 Apr 2014 22:37:26 +0200
Subject: [PATCH 05/12] lib/afs: whitespace cleanup
Signed-off-by: Christian Ambach <ambi at samba.org>
---
lib/afs/afs_settoken.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/lib/afs/afs_settoken.c b/lib/afs/afs_settoken.c
index 18ad302..9a795ff 100644
--- a/lib/afs/afs_settoken.c
+++ b/lib/afs/afs_settoken.c
@@ -1,4 +1,4 @@
-/*
+/*
* Unix SMB/CIFS implementation.
* Generate AFS tickets
* Copyright (C) Volker Lendecke 2004
@@ -7,12 +7,12 @@
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
- *
+ *
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
- *
+ *
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
@@ -93,7 +93,7 @@ static bool afs_decode_token(const char *string, char **cell,
DEBUG(10, ("sscanf AuthHandle failed\n"));
return false;
}
-
+
if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
DEBUG(10, ("strtok_r failed\n"));
return false;
@@ -121,7 +121,7 @@ static bool afs_decode_token(const char *string, char **cell,
DEBUG(10, ("sscanf ViceId failed\n"));
return false;
}
-
+
if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
DEBUG(10, ("strtok_r failed\n"));
return false;
@@ -131,7 +131,7 @@ static bool afs_decode_token(const char *string, char **cell,
DEBUG(10, ("sscanf BeginTimestamp failed\n"));
return false;
}
-
+
if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
DEBUG(10, ("strtok_r failed\n"));
return false;
@@ -141,7 +141,7 @@ static bool afs_decode_token(const char *string, char **cell,
DEBUG(10, ("sscanf EndTimestamp failed\n"));
return false;
}
-
+
if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
DEBUG(10, ("strtok_r failed\n"));
return false;
@@ -167,7 +167,7 @@ static bool afs_decode_token(const char *string, char **cell,
This is currently highly Linux and OpenAFS-specific. The correct API
call for this would be ktc_SetToken. But to do that we would have to
import a REALLY big bunch of libraries which I would currently like
- to avoid.
+ to avoid.
*/
static bool afs_settoken(const char *cell,
--
1.8.3.2
From 07ab68a3df77883f802b44366327d4579a881f6d Mon Sep 17 00:00:00 2001
From: Christian Ambach <ambi at samba.org>
Date: Wed, 16 Apr 2014 00:36:25 +0200
Subject: [PATCH 06/12] waf: add --with-fake-kaserver option
This option was not added during the transition from autoconf
to waf.
Bring it back so that the code can be used again.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=9916
Signed-off-by: Christian Ambach <ambi at samba.org>
---
lib/afs/wscript_build | 2 +-
source3/wscript | 13 +++++++++++++
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/lib/afs/wscript_build b/lib/afs/wscript_build
index 7337491..d584a17 100644
--- a/lib/afs/wscript_build
+++ b/lib/afs/wscript_build
@@ -2,7 +2,7 @@
bld.SAMBA3_SUBSYSTEM('LIBAFS',
source='afs_funcs.c',
- deps='samba-util LIBAFS_SETTOKEN')
+ deps='samba-util crypto LIBAFS_SETTOKEN')
bld.SAMBA3_SUBSYSTEM('LIBAFS_SETTOKEN',
source='afs_settoken.c',
diff --git a/source3/wscript b/source3/wscript
index d945240..90aab7f 100644
--- a/source3/wscript
+++ b/source3/wscript
@@ -49,6 +49,9 @@ def set_options(opt):
opt.SAMBA3_ADD_OPTION('regedit', default=None)
+ opt.SAMBA3_ADD_OPTION('fake-kaserver',
+ help=("Include AFS fake-kaserver support"), default=False)
+
opt.add_option('--with-ctdb-dir',
help=("Directory under which ctdb is installed"),
action="store", dest='ctdb_dir', default=None)
@@ -1827,6 +1830,16 @@ main() {
else:
Logs.info("ncurses not available, not building regedit")
+ conf.CHECK_FUNCS_IN('DES_pcbc_encrypt', 'crypto')
+ if Options.options.with_fake_kaserver == True:
+ conf.CHECK_HEADERS('afs/param.h afs/stds.h afs.h', together=True)
+ conf.CHECK_HEADERS('afs/param.h afs/stds.h afs/afs.h', together=True)
+ if (conf.CONFIG_SET('HAVE_AFS_AFS_H') or conf.CONFIG_SET('HAVE_AFS_H')) and conf.CONFIG_SET('HAVE_DES_PCBC_ENCRYPT'):
+ conf.DEFINE('WITH_FAKE_KASERVER', '1')
+ else:
+ conf.fatal('AFS headers not available, but --with-fake-kaserver was specified')
+
+
default_static_modules.extend(TO_LIST('''pdb_smbpasswd pdb_tdbsam pdb_wbc_sam
auth_sam auth_unix auth_winbind auth_wbc
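Review bot: The `conf.fatal` branch reports "AFS headers not available" even when the headers were found and `HAVE_DES_PCBC_ENCRYPT` is the part that is missing, which sends the builder looking in the wrong place; a message covering both, such as `conf.fatal('--with-fake-kaserver needs the AFS headers and DES_pcbc_encrypt in libcrypto')`, or two separate checks, would fix that. The two `CHECK_HEADERS` calls probe `afs.h` and `afs/afs.h`, while later patches in this series replace `#include <afs/afs.h>` with `afs/afs_args.h` for OpenAFS 1.6, so it is worth confirming the probe still matches what the code includes. `== True` can be dropped in favour of `if Options.options.with_fake_kaserver:`. Since the feature depends on `DES_pcbc_encrypt`, a legacy cipher, keeping `default=False` is right and the help string could say that the option enables DES-based AFS tokens. The enclosing configure function starts and ends outside this hunk.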
--
1.8.3.2
From e28a3b78b8c2a37e0acacc7da4fc9bb594278a62 Mon Sep 17 00:00:00 2001
From: Christian Ambach <ambi at samba.org>
Date: Wed, 23 Apr 2014 17:03:47 +0200
Subject: [PATCH 07/12] waf: fixup build with fake kaserver enabled
Signed-off-by: Christian Ambach <ambi at samba.org>
---
source3/utils/net_afs.c | 3 +++
source3/wscript_build | 1 +
2 files changed, 4 insertions(+)
diff --git a/source3/utils/net_afs.c b/source3/utils/net_afs.c
index 6049a5c..3668e3c 100644
--- a/source3/utils/net_afs.c
+++ b/source3/utils/net_afs.c
@@ -25,6 +25,8 @@
#include "lib/afs/afs_funcs.h"
#include "lib/afs/afs_settoken.h"
+#ifdef WITH_FAKE_KASERVER
+
int net_afs_usage(struct net_context *c, int argc, const char **argv)
{
d_printf(_(" net afs key filename\n"
@@ -120,3 +122,4 @@ int net_afs(struct net_context *c, int argc, const char **argv)
return net_run_function(c, argc, argv, "net afs", func);
}
+#endif /* WITH_FAKE_KASERVER */
diff --git a/source3/wscript_build b/source3/wscript_build
index 34f71f9..64751bb 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -1083,6 +1083,7 @@ bld.SAMBA3_BINARY('net',
utils/net_printing.c
utils/net_rpc_trust.c
utils/net_rpc_conf.c
+ utils/net_afs.c
registry/reg_parse.c
registry/reg_format.c
registry/reg_import.c
--
1.8.3.2
From b3e7d22456f0f37285b61c479dc4ae923165d332 Mon Sep 17 00:00:00 2001
From: Christian Ambach <ambi at samba.org>
Date: Wed, 23 Apr 2014 16:50:19 +0200
Subject: [PATCH 08/12] s4:heimdal fix build when a system des.h is around
heimdal's own des.h should not be included with <> as there
might be an incompatible system des.h around
Signed-off-by: Christian Ambach <ambi at samba.org>
---
source4/heimdal/lib/hcrypto/evp-hcrypto.c | 2 +-
source4/heimdal/lib/hcrypto/rnd_keys.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/source4/heimdal/lib/hcrypto/evp-hcrypto.c b/source4/heimdal/lib/hcrypto/evp-hcrypto.c
index bf37b42..be74a9c 100644
--- a/source4/heimdal/lib/hcrypto/evp-hcrypto.c
+++ b/source4/heimdal/lib/hcrypto/evp-hcrypto.c
@@ -46,7 +46,7 @@
#include <krb5-types.h>
-#include <des.h>
+#include "des.h"
#include "camellia.h"
#include <aes.h>
diff --git a/source4/heimdal/lib/hcrypto/rnd_keys.c b/source4/heimdal/lib/hcrypto/rnd_keys.c
index 49c7634..6a3495b 100644
--- a/source4/heimdal/lib/hcrypto/rnd_keys.c
+++ b/source4/heimdal/lib/hcrypto/rnd_keys.c
@@ -41,7 +41,7 @@
#endif
#include <stdlib.h>
-#include <des.h>
+#include "des.h"
#include <rand.h>
#undef __attribute__
--
1.8.3.2
From c92ba0af8fb740299f66e215b288d74fbb5c9c79 Mon Sep 17 00:00:00 2001
From: Christian Ambach <ambi at samba.org>
Date: Wed, 14 May 2014 15:39:44 +0200
Subject: [PATCH 09/12] vfs_afsacl: remove unused include
which might cause collisions with the Heimdal headers
---
source3/modules/vfs_afsacl.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/source3/modules/vfs_afsacl.c b/source3/modules/vfs_afsacl.c
index 7300987..a53cf9f 100644
--- a/source3/modules/vfs_afsacl.c
+++ b/source3/modules/vfs_afsacl.c
@@ -30,7 +30,6 @@
#include <afs/stds.h>
#include <afs/afs.h>
-#include <afs/auth.h>
#include <afs/venus.h>
#include <afs/prs_fs.h>
--
1.8.3.2
From afd8881e2241eeb619700fb1715e5e87d2169c43 Mon Sep 17 00:00:00 2001
From: Christian Ambach <ambi at samba.org>
Date: Wed, 14 May 2014 15:46:36 +0200
Subject: [PATCH 10/12] lib/afs/afs_funcs fix build with OpenAFS 1.6
we should not include afs/afs.h directly, see
https://bugs.launchpad.net/ubuntu/+source/openafs/+bug/1319336
http://rt.central.org/rt/Ticket/Display.html?id=131737
Signed-off-by: Christian Ambach <ambi at samba.org>
---
lib/afs/afs_funcs.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/lib/afs/afs_funcs.c b/lib/afs/afs_funcs.c
index 674e770..316bb1b 100644
--- a/lib/afs/afs_funcs.c
+++ b/lib/afs/afs_funcs.c
@@ -31,7 +31,6 @@
#include <afs/param.h>
#include <afs/stds.h>
-#include <afs/afs.h>
#include <afs/auth.h>
#include <afs/venus.h>
#include <asm/unistd.h>
--
1.8.3.2
From 20367ecdde0df033b49df148b964a978f9a09057 Mon Sep 17 00:00:00 2001
From: Christian Ambach <ambi at samba.org>
Date: Wed, 14 May 2014 15:47:08 +0200
Subject: [PATCH 11/12] lib/afs/afs_settoken fix build with OpenAFS 1.6
we should not include afs/afs.h directly, see
https://bugs.launchpad.net/ubuntu/+source/openafs/+bug/1319336
http://rt.central.org/rt/Ticket/Display.html?id=131737
Signed-off-by: Christian Ambach <ambi at samba.org>
---
lib/afs/afs_settoken.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/afs/afs_settoken.c b/lib/afs/afs_settoken.c
index 9a795ff..7bbede5 100644
--- a/lib/afs/afs_settoken.c
+++ b/lib/afs/afs_settoken.c
@@ -28,7 +28,7 @@
#include <afs/param.h>
#include <afs/stds.h>
-#include <afs/afs.h>
+#include <afs/afs_args.h>
#include <afs/auth.h>
#include <afs/venus.h>
#include <asm/unistd.h>
--
1.8.3.2
From 80098ee8f60c44f82f75c82b4b0bc7d7b72bd70a Mon Sep 17 00:00:00 2001
From: Christian Ambach <ambi at samba.org>
Date: Wed, 14 May 2014 15:47:51 +0200
Subject: [PATCH 12/12] vfs_afsacl fix build with OpenAFS 1.6
we should not include afs/afs.h directly, see
https://bugs.launchpad.net/ubuntu/+source/openafs/+bug/1319336
http://rt.central.org/rt/Ticket/Display.html?id=131737
Signed-off-by: Christian Ambach <ambi at samba.org>
---
source3/modules/vfs_afsacl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/modules/vfs_afsacl.c b/source3/modules/vfs_afsacl.c
index a53cf9f..7528a7e 100644
--- a/source3/modules/vfs_afsacl.c
+++ b/source3/modules/vfs_afsacl.c
@@ -29,7 +29,7 @@
#define DBGC_CLASS DBGC_VFS
#include <afs/stds.h>
-#include <afs/afs.h>
+#include <afs/afs_args.h>
#include <afs/venus.h>
#include <afs/prs_fs.h>
--
1.8.3.2