Integrate kerberos tracing
swen
swen at linux.ibm.com
Tue Dec 4 08:42:19 UTC 2018
Hi Ralph,
On Tue, 2018-12-04 at 09:36 +0100, Ralph Böhme wrote:
> Hi Swen,
>
> On Tue, Dec 04, 2018 at 09:26:59AM +0100, swen via samba-technical
> wrote:
> > This is actually a resend from Nov. 26th with one small but
> > important
> > addition.
> >
> > It now includes an option for 'configure' with which the feature
> > can be
> > selected.
> >
> > This patch set is using krb5_set_trace_callback from the kerberos
> > API
> > to provide inline tracing information.
> >
> > The feature itself must be enabled at compile time by defining
> > HAVE_KRB5_TRACING, the default is to NOT have tracing compiled in.
> > > As mentioned above, this can be done/enabled now by specifying the
> > configuration option --with-krb5-tracing.
> >
> > If compiled in, the trace information will only be logged if
> > logging is
> > set to DEBUG level.
> >
> > Beside the introduction of the feature (patch 1) the inclusion for
> > each
> > > area is handled by tiny separate patches (patch 2 - 10).
> > If wanted, that could be condensed to one, but I remember that some
> > prefer it that way.
> > The last patch (patch 11) contains now the changes to the wscript,
> > offering the configuration switch.
> >
> > > The entire patch set passed the GitLab test suite and a merge
> > request is
> > created as well.
> >
> > https://gitlab.com/samba-team/samba/merge_requests/123
> >
> > Please review, comment and maybe push if happy.
>
> ENOPATCH. :)
I thought it would be easier to review on GitLab, but yeah you're right,
should have added the patchset here as well (see attachment).
Cheers Swen
-------------- next part --------------
From 82fb1199f5a3d8399a1776ef56f1bd049bb11cc3 Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at vnet.ibm.com>
Date: Fri, 16 Nov 2018 16:01:02 +0100
Subject: [PATCH 01/11] Add kerberos trace callback
Define macro which provides and configures a kerberos
tracing callback. To have this feature included
HAVE_KRB5_TRACING has to be defined at compile time.
The default is to have it disabled.
At run-time, kerberos tracing is logged if the
log-level is set to DEBUG.
Signed-off-by: Swen Schillig <swen at linux.com>
---
lib/krb5_wrap/krb5_samba.c | 10 ++++++++++
lib/krb5_wrap/krb5_samba.h | 19 +++++++++++++++++++
2 files changed, 29 insertions(+)
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index b2425109d3a..2069b932f33 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -129,6 +129,16 @@ const krb5_data *krb5_princ_component(krb5_context context,
}
#endif
+#ifdef HAVE_KRB5_TRACING
+void smb_krb5_trace_cb(krb5_context ctx,
+ const krb5_trace_info *info,
+ void *data)
+{
+ if (info != NULL) {
+ DBG_DEBUG("%s\n", info->message);
+ }
+}
+#endif
/**********************************************************
* WRAPPING FUNCTIONS
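Review bot: `smb_krb5_trace_cb` writes `info->message` verbatim into the Samba debug log, and nothing in the added function documents what that text can contain or that `ctx` and `data` are intentionally unused. libkrb5 trace lines typically name principals, realms and the hosts being contacted (general library behaviour, not something this hunk shows), so DEBUG-level logs from a tracing build should be handled as sensitive. I would add a comment above the function such as `/* Trace text may name principals and KDC hosts; treat DEBUG logs from tracing builds as sensitive. info is NULL when the callback is being removed. */`. The message pointer is also passed to `%s` unchecked; `if (info != NULL && info->message != NULL) {` is the safer guard.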
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index 4d0148fd047..2f5b1ba1f9f 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -111,6 +111,19 @@ typedef struct {
#error krb5_keytab_entry has no key or keyblock member
#endif /* HAVE_KRB5_KEYTAB_ENTRY_KEY */
+/* krb5 tracing */
+#ifdef HAVE_KRB5_TRACING
+#define KRB5_TRACE_SET(__ctx) \
+ ({int __ret = krb5_set_trace_callback(__ctx, smb_krb5_trace_cb, NULL);\
+ if (__ret) {\
+ DBG_ERR("Failed to set kerberos trace callback! (%s)\n",\
+ error_message(__ret));\
+ } \
+ })
+#else
+#define KRB5_TRACE_SET(__ctx)
+#endif
+
/* work around broken krb5.h on sles9 */
#ifdef SIZEOF_LONG
#undef SIZEOF_LONG
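Review bot: `KRB5_TRACE_SET` is written as a GNU statement expression `({ ... })` and declares `__ret` and `__ctx`, names with a double underscore that are reserved for the implementation. The macro yields no value, so a `do { ... } while (0)` body with a `krb5_error_code` result and a parenthesised argument does the same job portably. It also installs the callback regardless of the current log level, so libkrb5 will presumably format every trace event even when nothing ends up logged; a one-line comment at the macro saying so would help whoever enables the option. The surrounding header continues outside the hunk.

```c
#ifdef HAVE_KRB5_TRACING
#define KRB5_TRACE_SET(ctx) \
	do { \
		krb5_error_code _trace_ret = \
			krb5_set_trace_callback((ctx), smb_krb5_trace_cb, NULL); \
		if (_trace_ret != 0) { \
			DBG_ERR("Failed to set kerberos trace callback! (%s)\n", \
				error_message(_trace_ret)); \
		} \
	} while (0)
#else
#define KRB5_TRACE_SET(ctx) do { } while (0)
#endif
```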
@@ -162,6 +175,12 @@ void krb5_free_unparsed_name(krb5_context ctx, char *val);
#endif
/* Samba wrapper functions for krb5 functionality. */
+#ifdef HAVE_KRB5_TRACING
+void smb_krb5_trace_cb(krb5_context ctx,
+ const krb5_trace_info *info,
+ void *data);
+#endif
+
bool smb_krb5_sockaddr_to_kaddr(struct sockaddr_storage *paddr,
krb5_address *pkaddr);
--
2.17.2
From 20ee4e361a485ab5ac98fd893fafaa0b325bae53 Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at vnet.ibm.com>
Date: Fri, 16 Nov 2018 16:01:02 +0100
Subject: [PATCH 02/11] lib: Add kerberos tracing
Add krb5 tracing macro to samba krb5 wrapper.
Signed-off-by: Swen Schillig <swen at linux.ibm.com>
---
lib/krb5_wrap/krb5_samba.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 2069b932f33..8869ed7c456 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -948,6 +948,8 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string,
goto done;
}
+ KRB5_TRACE_SET(context);
+
if (!ccache_string) {
ccache_string = krb5_cc_default_name(context);
}
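Review bot: `KRB5_TRACE_SET(context)` has to be repeated by hand after each context initialisation, here, in the other two hunks of this file and in every hunk of patches 03 to 10, so a context created at a site that gets missed will silently stay untraced. Installing the callback inside one shared helper that wraps context creation would keep tracing coverage complete by construction. If the per-site form is kept, a comment at the macro definition such as `/* call once on every freshly initialised krb5_context */` would at least document the rule. The enclosing function starts and ends outside the hunk.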
@@ -2895,6 +2897,8 @@ char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
return NULL;
}
+ KRB5_TRACE_SET(ctx);
+
kerr = krb5_get_host_realm(ctx, hostname, &realm_list);
if (kerr == KRB5_ERR_HOST_REALM_UNKNOWN) {
realm_list = NULL;
@@ -3520,6 +3524,8 @@ int ads_krb5_cli_get_ticket(TALLOC_CTX *mem_ctx,
goto failed;
}
+ KRB5_TRACE_SET(context);
+
if (time_offset != 0) {
krb5_set_real_time(context, time(NULL) + time_offset, 0);
}
--
2.17.2
From 745b7123eb6f1f9514c7e2ff9eaf0d60b6c0300b Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at vnet.ibm.com>
Date: Fri, 16 Nov 2018 16:01:02 +0100
Subject: [PATCH 03/11] client: Add kerberos tracing
Add krb5 tracing macro to smbspool.
Signed-off-by: Swen Schillig <swen at linux.ibm.com>
---
source3/client/smbspool.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
index 58ce6c56177..5c1b7db7fa0 100644
--- a/source3/client/smbspool.c
+++ b/source3/client/smbspool.c
@@ -28,6 +28,7 @@
#include "system/kerberos.h"
#include "libsmb/libsmb.h"
#include "lib/param/param.h"
+#include "lib/krb5_wrap/krb5_samba.h"
/*
* Starting with CUPS 1.3, Kerberos support is provided by cupsd including
@@ -521,6 +522,8 @@ static bool kerberos_ccache_is_valid(void) {
return false;
}
+ KRB5_TRACE_SET(ctx);
+
ccache_name = krb5_cc_default_name(ctx);
if (ccache_name == NULL) {
krb5_free_context(ctx);
--
2.17.2
From 8b0b9aea4c007509232727b747a467f2339a371b Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at vnet.ibm.com>
Date: Fri, 16 Nov 2018 16:01:02 +0100
Subject: [PATCH 04/11] libads: Add kerberos tracing
Add krb5 tracing macro.
Signed-off-by: Swen Schillig <swen at linux.ibm.com>
---
source3/libads/kerberos.c | 4 ++++
source3/libads/kerberos_keytab.c | 8 ++++++++
source3/libads/krb5_setpw.c | 4 ++++
source3/libads/sasl.c | 2 ++
4 files changed, 18 insertions(+)
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 43b6a1debb4..0fb4e6796a0 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -132,6 +132,8 @@ int kerberos_kinit_password_ext(const char *principal,
if ((code = krb5_init_context(&ctx)))
goto out;
+ KRB5_TRACE_SET(ctx);
+
if (time_offset != 0) {
krb5_set_real_time(ctx, time(NULL) + time_offset, 0);
}
@@ -251,6 +253,8 @@ int ads_kdestroy(const char *cc_name)
return code;
}
+ KRB5_TRACE_SET(ctx);
+
if (!cc_name) {
if ((code = krb5_cc_default(ctx, &cc))) {
krb5_free_context(ctx);
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 792dc999e6c..4b813a225ca 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -267,6 +267,8 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
return -1;
}
+ KRB5_TRACE_SET(context);
+
ret = ads_keytab_open(context, &keytab);
if (ret != 0) {
goto out;
@@ -444,6 +446,8 @@ int ads_keytab_flush(ADS_STRUCT *ads)
return ret;
}
+ KRB5_TRACE_SET(context);
+
ret = ads_keytab_open(context, &keytab);
if (ret != 0) {
goto out;
@@ -578,6 +582,8 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
goto done;
}
+ KRB5_TRACE_SET(context);
+
machine_name = talloc_strdup(frame, lp_netbios_name());
if (!machine_name) {
ret = -1;
@@ -782,6 +788,8 @@ int ads_keytab_list(const char *keytab_name)
return ret;
}
+ KRB5_TRACE_SET(context);
+
if (keytab_name == NULL) {
#ifdef HAVE_ADS
ret = ads_keytab_open(context, &keytab);
diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c
index a4a781963a3..74ee96445a3 100644
--- a/source3/libads/krb5_setpw.c
+++ b/source3/libads/krb5_setpw.c
@@ -76,6 +76,8 @@ ADS_STATUS ads_krb5_set_password(const char *kdc_host, const char *principal,
return ADS_ERROR_KRB5(ret);
}
+ KRB5_TRACE_SET(context);
+
if (principal) {
ret = smb_krb5_parse_name(context, principal, &princ);
if (ret) {
@@ -184,6 +186,8 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
return ADS_ERROR_KRB5(ret);
}
+ KRB5_TRACE_SET(context);
+
if ((ret = smb_krb5_parse_name(context, principal,
&princ))) {
krb5_free_context(context);
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 7f7b790810c..7d0daaf432d 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -371,6 +371,8 @@ static ADS_STATUS ads_init_gssapi_cred(ADS_STRUCT *ads, gss_cred_id_t *cred)
return ADS_ERROR_KRB5(kerr);
}
+ KRB5_TRACE_SET(kctx);
+
kerr = krb5_cc_resolve(kctx, ads->auth.ccache_name, &kccache);
if (kerr) {
status = ADS_ERROR_KRB5(kerr);
--
2.17.2
From 4950e6b6475a2dc29e0aec289103360aa7458aa3 Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at vnet.ibm.com>
Date: Fri, 16 Nov 2018 16:01:02 +0100
Subject: [PATCH 05/11] libnet: Add kerberos tracing
Add krb5 tracing macro.
Signed-off-by: Swen Schillig <swen at linux.ibm.com>
---
source3/libnet/libnet_keytab.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/source3/libnet/libnet_keytab.c b/source3/libnet/libnet_keytab.c
index c76e7b298cf..ee91e7aaf06 100644
--- a/source3/libnet/libnet_keytab.c
+++ b/source3/libnet/libnet_keytab.c
@@ -82,6 +82,8 @@ krb5_error_code libnet_keytab_init(TALLOC_CTX *mem_ctx,
return ret;
}
+ KRB5_TRACE_SET(context);
+
ret = smb_krb5_kt_open_relative(context,
keytab_name,
true, /* write_access */
--
2.17.2
From 8dc2dc3d0e927316c1d5a0160e44b1f7d42b21df Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at vnet.ibm.com>
Date: Fri, 16 Nov 2018 16:01:02 +0100
Subject: [PATCH 06/11] librpc: Add kerberos tracing
Add krb5 tracing macro.
Signed-off-by: Swen Schillig <swen at linux.ibm.com>
---
source3/librpc/crypto/gse.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 2c00ea9bbcb..38015daa03e 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -216,6 +216,8 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
goto err_out;
}
+ KRB5_TRACE_SET(gse_ctx->k5ctx);
+
if (!ccache_name) {
ccache_name = krb5_cc_default_name(gse_ctx->k5ctx);
}
--
2.17.2
From 73223163c13fdf32fb9dbacc414d3e5d985058e0 Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at vnet.ibm.com>
Date: Fri, 16 Nov 2018 16:01:02 +0100
Subject: [PATCH 07/11] passdb: Add kerberos tracing
Add krb5 tracing macro.
Signed-off-by: Swen Schillig <swen at linux.ibm.com>
---
source3/passdb/machine_account_secrets.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c
index b816b3aa7f8..d4817fed7de 100644
--- a/source3/passdb/machine_account_secrets.c
+++ b/source3/passdb/machine_account_secrets.c
@@ -1090,6 +1090,8 @@ static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_passwor
return krb5_ret;
}
+ KRB5_TRACE_SET(krb5_ctx);
+
krb5_ret = smb_krb5_salt_principal2data(krb5_ctx, salt_principal,
p, &salt_data);
if (krb5_ret != 0) {
--
2.17.2
From d509a46b12eaf63bf778e28767b1a3c3abaa5be7 Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at vnet.ibm.com>
Date: Fri, 16 Nov 2018 16:01:02 +0100
Subject: [PATCH 08/11] utils: Add kerberos tracing
Add krb5 tracing macro.
Signed-off-by: Swen Schillig <swen at linux.ibm.com>
---
source3/utils/net_lookup.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/source3/utils/net_lookup.c b/source3/utils/net_lookup.c
index 140f9900795..02203819048 100644
--- a/source3/utils/net_lookup.c
+++ b/source3/utils/net_lookup.c
@@ -294,6 +294,8 @@ static int net_lookup_kdc(struct net_context *c, int argc, const char **argv)
return -1;
}
+ KRB5_TRACE_SET(ctx);
+
if (argc > 0) {
realm = argv[0];
} else if (lp_realm() && *lp_realm()) {
--
2.17.2
From 698b1005caeeb211dd1baf0449ea89e0fe1137d1 Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at vnet.ibm.com>
Date: Fri, 16 Nov 2018 16:01:02 +0100
Subject: [PATCH 09/11] winbindd: Add kerberos tracing
Add krb5 tracing macro.
Signed-off-by: Swen Schillig <swen at linux.ibm.com>
---
source3/winbindd/winbindd_pam.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index b7eb17556a4..4c732423710 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -2897,6 +2897,8 @@ static NTSTATUS extract_pac_vrfy_sigs(TALLOC_CTX *mem_ctx, DATA_BLOB pac_blob,
goto out;
}
+ KRB5_TRACE_SET(krbctx);
+
k5ret = gse_krb5_get_server_keytab(krbctx, &keytab);
if (k5ret) {
DEBUG(1, ("Failed to get keytab: %s\n",
--
2.17.2
From 6d19bfb546772dfbb82fc0b0e38d7fd4cd8125d5 Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at vnet.ibm.com>
Date: Fri, 16 Nov 2018 16:01:02 +0100
Subject: [PATCH 10/11] s4: Add kerberos tracing
Add krb5 tracing macro.
Signed-off-by: Swen Schillig <swen at linux.ibm.com>
---
source4/auth/kerberos/krb5_init_context.c | 2 ++
source4/kdc/ktutil.c | 2 ++
source4/kdc/sdb_to_kdb.c | 2 ++
3 files changed, 6 insertions(+)
diff --git a/source4/auth/kerberos/krb5_init_context.c b/source4/auth/kerberos/krb5_init_context.c
index 5e771a87cc5..ab5b2f550e4 100644
--- a/source4/auth/kerberos/krb5_init_context.c
+++ b/source4/auth/kerberos/krb5_init_context.c
@@ -487,6 +487,8 @@ smb_krb5_init_context_basic(TALLOC_CTX *tmp_ctx,
return ret;
}
+ KRB5_TRACE_SET(krb5_ctx);
+
/* The MIT Kerberos build relies on using the system krb5.conf file.
* If you really want to use another file please set KRB5_CONFIG
* accordingly. */
diff --git a/source4/kdc/ktutil.c b/source4/kdc/ktutil.c
index bc263c5b29b..ef7b354c8ed 100644
--- a/source4/kdc/ktutil.c
+++ b/source4/kdc/ktutil.c
@@ -66,6 +66,8 @@ int main (int argc, char **argv)
smb_krb5_err(mem_ctx, context, 1, ret, "krb5_context");
}
+ KRB5_TRACE_SET(context);
+
ret = smb_krb5_kt_open_relative(context, keytab_name, false, &keytab);
if (ret) {
smb_krb5_err(mem_ctx, context, 1, ret, "open keytab");
diff --git a/source4/kdc/sdb_to_kdb.c b/source4/kdc/sdb_to_kdb.c
index 74d882738f8..5b7659abe46 100644
--- a/source4/kdc/sdb_to_kdb.c
+++ b/source4/kdc/sdb_to_kdb.c
@@ -332,6 +332,8 @@ static int samba_kdc_kdb_entry_destructor(struct samba_kdc_entry *p)
return ret;
}
+ KRB5_TRACE_SET(context);
+
krb5_db_free_principal(context, entry_ex);
krb5_free_context(context);
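Review bot: In `samba_kdc_kdb_entry_destructor` the callback is installed on a context that the next two lines use only for `krb5_db_free_principal` and `krb5_free_context`, so the call mainly adds a setup step and an extra error-log path to a destructor. I would drop `KRB5_TRACE_SET(context);` here, or add a comment explaining why teardown of the entry should be traced. The function starts outside the hunk.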
--
2.17.2
From 09cab0b19aefbfc71f6041ff0632eec01c422e55 Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at linux.ibm.com>
Date: Tue, 27 Nov 2018 08:50:41 +0100
Subject: [PATCH 11/11] waf: Add configuration option for kerberos tracing
Add --with-krb5-tracing as a configuration option.
The default is False and the inclusion requires the --with-system-mitkrb5 option set.
Setting this option defines HAVE_KRB5_TRACING as a CFLAG and will therefore
include the code paths of the kerberos tracing.
Signed-off-by: Swen Schillig <swen at linux.ibm.com>
---
wscript | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/wscript b/wscript
index c06a2e38a87..eac7c33c9a9 100644
--- a/wscript
+++ b/wscript
@@ -63,6 +63,14 @@ def options(opt):
dest='with_experimental_mit_ad_dc',
default=False)
+ opt.add_option('--with-krb5-tracing',
+ help=('build Samba with kerberos tracing. ' +
+ 'Tracing will be logged if log-level is set to DEBUG. ' +
+ 'Requires --with-system-mitkrb5'),
+ action='store_true',
+ dest='with_krb5_tracing',
+ default=False)
+
opt.add_option('--with-system-mitkdc',
help=('Specify the path to the krb5kdc binary from MIT Kerberos'),
type="string",
@@ -125,6 +133,9 @@ def configure(conf):
conf.DEFINE('_SAMBA_BUILD_', version.MAJOR, add_to_cflags=True)
conf.DEFINE('HAVE_CONFIG_H', 1, add_to_cflags=True)
+ if Options.options.with_krb5_tracing:
+ conf.ADD_CFLAGS('-DHAVE_KRB5_TRACING')
+
if Options.options.developer:
conf.ADD_CFLAGS('-DDEVELOPER -DDEBUG_PASSWORD')
conf.env.DEVELOPER = True
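Review bot: `-DHAVE_KRB5_TRACING` is added to the CFLAGS here before the dependency check in the later hunk has run, and nothing visible verifies that the Kerberos library in use actually provides `krb5_set_trace_callback`. The two lines above use `conf.DEFINE(..., add_to_cflags=True)`; `conf.DEFINE('HAVE_KRB5_TRACING', 1, add_to_cflags=True)` would match them. Moving this block after the requirement check and gating it on a configure-time function check would turn a late compile failure into a clear configure error. `configure` continues outside the hunk.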
@@ -232,6 +243,11 @@ def configure(conf):
conf.PROCESS_SEPARATE_RULE('system_mitkrb5')
+ if Options.options.with_krb5_tracing:
+ if not (Options.options.with_system_mitkrb5 or Options.options.with_system_heimdalkrb5):
+ raise Errors.WafError('--with-krb5-tracing requires ' +
+ '--with-system-mitkrb5')
+
if not (Options.options.without_ad_dc or Options.options.with_system_mitkrb5):
conf.DEFINE('AD_DC_BUILD_IS_ENABLED', 1)
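Review bot: The guard accepts `with_system_heimdalkrb5`, but the error text, the option help and the commit message all say the feature requires `--with-system-mitkrb5`. The macro in patch 01 relies on `krb5_set_trace_callback` and `krb5_trace_info`, which as far as I know are MIT interfaces, so a system-Heimdal build would pass this check and then likely fail to compile. I would tighten the condition to `if not Options.options.with_system_mitkrb5:` so it matches the message. `Errors` must also be imported in this file, which cannot be confirmed from the hunk.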
--
2.17.2