[PATCHSET] Samba AD with MIT Kerberos
Jeremy Allison
jra at samba.org
Wed Apr 26 16:56:29 UTC 2017
On Wed, Apr 26, 2017 at 12:14:42PM +0200, Andreas Schneider wrote:
> On Wednesday, 26 April 2017 11:08:47 CEST Andrew Bartlett wrote:
> > On Wed, 2017-04-26 at 08:21 +0200, Andreas Schneider via samba-technical wrote:
> > > On Tuesday, 25 April 2017 22:39:39 CEST Jeremy Allison wrote:
> > > > > Your autobuild on sn-devel-144 has succeeded after 244.0
> > > > > minutes.
> > > > >
> > > > > Please review.
> > > >
> > > > Just a few minor nits I've found so far.
> > >
> > > Thank you very much, updated patchset which addresses these things
> > > attached.
> >
> > Thanks for all your patience on this.
> >
> > Can we please get defaults into the smb.conf manpage for the new
> > parameters in the same way as we do for "lock directory"?
> >
> > (I did ask for this previously).
>
> Updated patchset attached.

Last few comments before I will push (honest :-).

patch 11 - MIT KRB5 based irpc service
PATCH 32 - s4-kdc: Add MIT Kerberos specific kpasswd code:

Both need reformat to < 80 columns (I can do this for
you if you like, I was planning to for the push then
I came across the comment below :-).

In [PATCH 48/51] s4-kdc: Implement mit_samba_get_repac():

+ krbtgt_skdc_entry =
+ talloc_get_type_abort(krbtgt->e_data,
+ struct samba_kdc_entry);
+
+ tmp_ctx = talloc_named(ctx, 0, "mit_samba_reget_pac context");
+ if (!tmp_ctx) {
+ return ENOMEM;
+ }
+
+ code = samba_krbtgt_is_in_db(krbtgt_skdc_entry,
+ &is_in_db,
+ &is_untrusted);
+ if (code != 0) {
+ goto done;
+ }
+
+ if (is_untrusted) {
+ if (client == NULL) {
+ return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+ }
+
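
Review bot: the "return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;" inside "if (client == NULL)" leaves the function directly, after tmp_ctx has been allocated with talloc_named(), while the samba_krbtgt_is_in_db() failure path just above it goes through "goto done". Set code and use "goto done" here as well so both error paths share one exit. The visible returns also mix ENOMEM with a KRB5KDC_ERR_* value; a short comment at the top of the function stating which error domain callers should expect would make that explicit.
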
All other returns are POSIX errno values. What does
KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN map to here?

Also, you've allocated tmp_ctx by this point, so
this error return should be a:

	code = XXXX
	goto done;

I would have fixed and pushed for you, but I realized
I don't know what the mapping for KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN -> errno
value should be.

In [PATCH 51/51] mit_samba: Fix principal lookup for cross domain referral

You delete the comment:

case SDB_ERR_WRONG_REALM:
- /*
- * If we have a wrong realm e.g. if we try get a cross forest
- * ticket, we return a ticket with the correct realm. The KDC
- * will detect this an return the appropriate return code.
- */
- ret = 0;
- break;
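
Review bot: under "case SDB_ERR_WRONG_REALM:" the removed lines take away both the "ret = 0; break;" handling and the only comment explaining why a wrong realm was treated as success. Whatever replaces this case should carry its own comment saying what value ret ends up with for a cross-forest request and which component is expected to produce the final return code, since that was the one thing the old comment recorded.
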
and then add lots of logic below. Can you add some comments
to the new logic, as I don't understand what it is doing
there, sorry (EREVIEWERTOOSTUPID :-).
Cheers,
Jeremy.