[PATCHSET] Samba AD with MIT Kerberos

Jeremy Allison jra at samba.org
Wed Apr 26 16:56:29 UTC 2017


On Wed, Apr 26, 2017 at 12:14:42PM +0200, Andreas Schneider wrote:
> On Wednesday, 26 April 2017 11:08:47 CEST Andrew Bartlett wrote:
> > On Wed, 2017-04-26 at 08:21 +0200, Andreas Schneider via samba-technical wrote:
> > > On Tuesday, 25 April 2017 22:39:39 CEST Jeremy Allison wrote:
> > > > >     Your autobuild on sn-devel-144 has succeeded after 244.0
> > > > > minutes.
> > > > > 
> > > > > Please review.
> > > > 
> > > > Just a few minor nits I've found so far.
> > > 
> > > Thank you very much, updated patchset which addresses these things
> > > attached.
> > 
> > Thanks for all your patience on this.
> > 
> > Can we please get defaults into the smb.conf manpage for the new
> > parameters in the same way as we do for "lock directory"?
> > 
> > (I did ask for this previously).
> 
> Updated patchset attached.

Last few comments before I will push (honest :-).

patch 11 - MIT KRB5 based irpc service
PATCH 32 - s4-kdc: Add MIT Kerberos specific kpasswd code:

Both need reformatting to < 80 columns (I can do this for
you if you like, I was planning to for the push then
I came across the comment below :-).

In [PATCH 48/51] s4-kdc: Implement mit_samba_get_repac():

+       krbtgt_skdc_entry =
+               talloc_get_type_abort(krbtgt->e_data,
+                                     struct samba_kdc_entry);
+
+       tmp_ctx = talloc_named(ctx, 0, "mit_samba_reget_pac context");
+       if (!tmp_ctx) {
+               return ENOMEM;
+       }
+
+       code = samba_krbtgt_is_in_db(krbtgt_skdc_entry,
+                                    &is_in_db,
+                                    &is_untrusted);
+       if (code != 0) {
+               goto done;
+       }
+
+       if (is_untrusted) {
+               if (client == NULL) {
+                       return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+               }
+
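Review bot: the early `return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;` in the `is_untrusted` branch leaks `tmp_ctx`, which `talloc_named()` allocated a few lines earlier; it should follow the `samba_krbtgt_is_in_db()` failure path in the same hunk and set `code` then `goto done` so the context is released in one place. The value itself is also from a different error space: `ENOMEM` on the allocation path is an errno, while `KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN` is a Kerberos protocol error code, so a caller that interprets the return as errno will misread it; either map it to an errno or document that this function returns krb5 error codes.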

All other returns are POSIX errno values. What does
KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN map to here?

Also, you've allocated tmp_ctx by this point, so
this error return should be a:

code = XXXX
goto done;

I would have fixed and pushed for you, but I realized
I don't know what the mapping for KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN -> errno
value should be.

In [PATCH 51/51] mit_samba: Fix principal lookup for cross domain referral

You delete the comment:

       case SDB_ERR_WRONG_REALM:
-               /*
-                * If we have a wrong realm e.g. if we try get a cross forest
-                * ticket, we return a ticket with the correct realm. The KDC
-                * will detect this an return the appropriate return code.
-                */
-               ret = 0;
-               break;
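Review bot: deleting this block removes the only explanation of why a `SDB_ERR_WRONG_REALM` result was treated as success (a cross-forest request being answered with an entry for the correct realm, leaving the KDC to produce the error code). Whatever replaces `ret = 0; break;` should carry an equivalent comment stating which realm the returned entry belongs to and which error the caller is expected to emit for the referral, otherwise that behaviour becomes undocumented.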

and then add lots of logic below. Can you add some comments
to the new logic, as I don't understand what it is doing
there, sorry (EREVIEWERTOOSTUPID :-).

Cheers,

	Jeremy.
