Integrate kerberos tracing
swen
swen at linux.ibm.com
Wed Dec 5 13:29:20 UTC 2018
Hi Metze,
On Tue, 2018-12-04 at 10:21 +0100, Stefan Metzmacher via samba-
technical wrote:
> Hi Swen,
>
> We already have something similar in smb_krb5_init_context() for
> Heimdal. Can you also add the tracing for MIT there?
>
> I'm not sure, but I think it might be nicer to then use
> smb_krb5_init_context() instead of the raw krb5_init_context()
> so that we can't forget KRB5_TRACE_SET().
> What does others think about that?
> If we decide to use krb5_init_context() + KRB5_TRACE_SET() please
> make sure it also works for Heimdal.
>
I have checked the existing code and have modified my code in the
direction you suggested.
Not 100% though.
I did integrate the MIT tracing into a common location,
smb_krb5_init_context_basic(), but couldn't move everything
to krb5_init_context.c.
That would have required an additional dependency of
libkrb5samba on authkrb5, which in turn depends on krb5samba,
i.e. a circular dependency.
Therefore, I decided to move smb_krb5_init_context_basic() along with
the callback to krb5_wrapper and that would work.
Please have a look at the attached patch-set and let me know what you
think.
Cheers Swen
-------------- next part --------------
From 4a8d04b83cc6312e001b595dd2c8623eb23b46b4 Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at linux.ibm.com>
Date: Wed, 5 Dec 2018 10:29:44 +0100
Subject: [PATCH 01/10] Add MIT kerberos tracing capability
Heimdal Kerberos already offers tracing via a logging facility
through smb_krb5_init_context().
MIT Kerberos offers to register a callback via krb5_set_trace_callback,
with which tracing information can be routed to a common logging facility.
This is now integrated into smb_krb5_init_context_basic(), offering
the same functionality for both Kerberos flavours.
Signed-off-by: Swen Schillig <swen at linux.ibm.com>
---
lib/krb5_wrap/krb5_samba.c | 86 +++++++++++++++++++++++
lib/krb5_wrap/krb5_samba.h | 3 +
source4/auth/kerberos/krb5_init_context.c | 71 -------------------
source4/auth/kerberos/krb5_init_context.h | 5 --
4 files changed, 89 insertions(+), 76 deletions(-)
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index b2425109d3a..672b1bb07bb 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -3571,6 +3571,92 @@ failed:
return retval;
}
+#ifdef SAMBA4_USES_HEIMDAL
+static void smb_krb5_debug_wrapper(const char *timestr, const char *msg, void *private_data)
+{
+ DEBUGC(DBGC_KERBEROS, 3, ("Kerberos: %s\n", msg));
+}
+#else /* MITKRB5 tracing callback */
+void smb_krb5_trace_cb(krb5_context ctx,
+ const krb5_trace_info *info,
+ void *data)
+{
+ if (info != NULL) {
+ DBGC_DEBUG(DBGC_KERBEROS, "%s\n", info->message);
+ }
+}
+#endif
+
+krb5_error_code
+smb_krb5_init_context_basic(TALLOC_CTX *tmp_ctx,
+ struct loadparm_context *lp_ctx,
+ krb5_context *_krb5_context)
+{
+ krb5_error_code ret;
+#ifdef SAMBA4_USES_HEIMDAL
+ char **config_files;
+ const char *config_file, *realm;
+#endif
+ krb5_context krb5_ctx;
+
+ initialize_krb5_error_table();
+
+ ret = krb5_init_context(&krb5_ctx);
+ if (ret) {
+ DEBUG(1,("krb5_init_context failed (%s)\n",
+ error_message(ret)));
+ return ret;
+ }
+
+ /* The MIT Kerberos build relies on using the system krb5.conf file.
+ * If you really want to use another file please set KRB5_CONFIG
+ * accordingly. */
+#ifdef SAMBA4_USES_HEIMDAL
+ config_file = lpcfg_config_path(tmp_ctx, lp_ctx, "krb5.conf");
+ if (!config_file) {
+ krb5_free_context(krb5_ctx);
+ return ENOMEM;
+ }
+
+ /* Use our local krb5.conf file by default */
+ ret = krb5_prepend_config_files_default(config_file, &config_files);
+ if (ret) {
+ DEBUG(1,("krb5_prepend_config_files_default failed (%s)\n",
+ smb_get_krb5_error_message(krb5_ctx, ret, tmp_ctx)));
+ krb5_free_context(krb5_ctx);
+ return ret;
+ }
+
+ ret = krb5_set_config_files(krb5_ctx, config_files);
+ krb5_free_config_files(config_files);
+ if (ret) {
+ DEBUG(1,("krb5_set_config_files failed (%s)\n",
+ smb_get_krb5_error_message(krb5_ctx, ret, tmp_ctx)));
+ krb5_free_context(krb5_ctx);
+ return ret;
+ }
+
+ realm = lpcfg_realm(lp_ctx);
+ if (realm != NULL) {
+ ret = krb5_set_default_realm(krb5_ctx, realm);
+ if (ret) {
+ DEBUG(1,("krb5_set_default_realm failed (%s)\n",
+ smb_get_krb5_error_message(krb5_ctx, ret, tmp_ctx)));
+ krb5_free_context(krb5_ctx);
+ return ret;
+ }
+ }
+#else /* MITKRB5 tracing */
+ ret = krb5_set_trace_callback(krb5_ctx, smb_krb5_trace_cb, NULL);
+ if (ret) {
+ DBG_ERR("Failed to set MIT kerberos trace callback! (%s)\n",
+ error_message(ret));
+ }
+#endif
+ *_krb5_context = krb5_ctx;
+ return 0;
+}
+
#else /* HAVE_KRB5 */
/* This saves a few linking headaches */
int ads_krb5_cli_get_ticket(TALLOC_CTX *mem_ctx,
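Review bot: `smb_krb5_trace_cb` is defined without `static` although the header hunk exports only `smb_krb5_init_context_basic()`; it should read `static void smb_krb5_trace_cb(krb5_context ctx, ...)` so the callback does not become a new global symbol. On the Heimdal side `smb_krb5_debug_wrapper` is static here and nothing in this hunk references it, while `smb_krb5_init_context()` stays in source4/auth/kerberos/krb5_init_context.c, where the wrapper is deleted. If that function still registers the wrapper (its body is outside the visible hunks), the Heimdal build breaks there and this copy is dead code. The MIT callback is also installed on every context regardless of log level, so libkrb5 formats each trace message even when nothing is printed; consider registering it only when `CHECK_DEBUGLVLC(DBGC_KERBEROS, DBGLVL_DEBUG)` is true. A comment should also say that trace text puts principal and KDC host names into the Samba log, so the log's access permissions matter when the kerberos debug class is raised.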
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index 4d0148fd047..f1cf78f9acb 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -142,6 +142,9 @@ krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
krb5_context context,
krb5_const_principal principal,
char **unix_name);
+krb5_error_code smb_krb5_init_context_basic(TALLOC_CTX *tmp_ctx,
+ struct loadparm_context *lp_ctx,
+ krb5_context *_krb5_context);
krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc);
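Review bot: The new prototype uses `struct loadparm_context *`, but no forward declaration of that tag is visible in this hunk, whereas the header it is moved from has `struct loadparm_context;` just above the old prototype. Unless krb5_samba.h already declares the tag earlier (outside the hunk), add `struct loadparm_context;` before the prototype; otherwise the struct is scoped to the parameter list and callers get incompatible-pointer warnings. A short doc comment stating whether `tmp_ctx` and `lp_ctx` may be NULL would also belong here, since every converted caller in this series passes NULL for both.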
diff --git a/source4/auth/kerberos/krb5_init_context.c b/source4/auth/kerberos/krb5_init_context.c
index 5e771a87cc5..8d52640b60c 100644
--- a/source4/auth/kerberos/krb5_init_context.c
+++ b/source4/auth/kerberos/krb5_init_context.c
@@ -74,13 +74,6 @@ static void smb_krb5_debug_close(void *private_data) {
}
#endif
-#ifdef SAMBA4_USES_HEIMDAL
-static void smb_krb5_debug_wrapper(const char *timestr, const char *msg, void *private_data)
-{
- DEBUGC(DBGC_KERBEROS, 3, ("Kerberos: %s\n", msg));
-}
-#endif
-
#ifdef SAMBA4_USES_HEIMDAL
/*
handle recv events on a smb_krb5 socket
@@ -466,70 +459,6 @@ krb5_error_code smb_krb5_send_and_recv_func_forced(krb5_context context,
}
#endif
-krb5_error_code
-smb_krb5_init_context_basic(TALLOC_CTX *tmp_ctx,
- struct loadparm_context *lp_ctx,
- krb5_context *_krb5_context)
-{
- krb5_error_code ret;
-#ifdef SAMBA4_USES_HEIMDAL
- char **config_files;
- const char *config_file, *realm;
-#endif
- krb5_context krb5_ctx;
-
- initialize_krb5_error_table();
-
- ret = krb5_init_context(&krb5_ctx);
- if (ret) {
- DEBUG(1,("krb5_init_context failed (%s)\n",
- error_message(ret)));
- return ret;
- }
-
- /* The MIT Kerberos build relies on using the system krb5.conf file.
- * If you really want to use another file please set KRB5_CONFIG
- * accordingly. */
-#ifdef SAMBA4_USES_HEIMDAL
- config_file = lpcfg_config_path(tmp_ctx, lp_ctx, "krb5.conf");
- if (!config_file) {
- krb5_free_context(krb5_ctx);
- return ENOMEM;
- }
-
- /* Use our local krb5.conf file by default */
- ret = krb5_prepend_config_files_default(config_file, &config_files);
- if (ret) {
- DEBUG(1,("krb5_prepend_config_files_default failed (%s)\n",
- smb_get_krb5_error_message(krb5_ctx, ret, tmp_ctx)));
- krb5_free_context(krb5_ctx);
- return ret;
- }
-
- ret = krb5_set_config_files(krb5_ctx, config_files);
- krb5_free_config_files(config_files);
- if (ret) {
- DEBUG(1,("krb5_set_config_files failed (%s)\n",
- smb_get_krb5_error_message(krb5_ctx, ret, tmp_ctx)));
- krb5_free_context(krb5_ctx);
- return ret;
- }
-
- realm = lpcfg_realm(lp_ctx);
- if (realm != NULL) {
- ret = krb5_set_default_realm(krb5_ctx, realm);
- if (ret) {
- DEBUG(1,("krb5_set_default_realm failed (%s)\n",
- smb_get_krb5_error_message(krb5_ctx, ret, tmp_ctx)));
- krb5_free_context(krb5_ctx);
- return ret;
- }
- }
-#endif
- *_krb5_context = krb5_ctx;
- return 0;
-}
-
krb5_error_code smb_krb5_init_context(void *parent_ctx,
struct loadparm_context *lp_ctx,
struct smb_krb5_context **smb_krb5_context)
diff --git a/source4/auth/kerberos/krb5_init_context.h b/source4/auth/kerberos/krb5_init_context.h
index 6c997c5fa56..7c83566a0c6 100644
--- a/source4/auth/kerberos/krb5_init_context.h
+++ b/source4/auth/kerberos/krb5_init_context.h
@@ -29,11 +29,6 @@ struct smb_krb5_context {
struct tevent_context;
struct loadparm_context;
-krb5_error_code
-smb_krb5_init_context_basic(TALLOC_CTX *tmp_ctx,
- struct loadparm_context *lp_ctx,
- krb5_context *_krb5_context);
-
krb5_error_code smb_krb5_init_context(void *parent_ctx,
struct loadparm_context *lp_ctx,
struct smb_krb5_context **smb_krb5_context);
--
2.17.2
From 196856003811ba29b9203271df85b019fba43425 Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at linux.ibm.com>
Date: Wed, 5 Dec 2018 11:03:33 +0100
Subject: [PATCH 02/10] lib: Add kerberos tracing
Add krb5 tracing to samba krb5 wrapper.
Signed-off-by: Swen Schillig <swen at linux.ibm.com>
---
lib/krb5_wrap/krb5_samba.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 672b1bb07bb..4ce3a209e2f 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -932,9 +932,10 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string,
ZERO_STRUCT(creds);
ZERO_STRUCT(creds_in);
- initialize_krb5_error_table();
- ret = krb5_init_context(&context);
+ ret = smb_krb5_init_context_basic(NULL, NULL, &context);
if (ret) {
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(ret));
goto done;
}
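Review bot: Passing `NULL, NULL` here reaches `lpcfg_config_path(tmp_ctx, lp_ctx, "krb5.conf")` and `lpcfg_realm(lp_ctx)` in the Heimdal branch of `smb_krb5_init_context_basic()`, so a Heimdal build is handed a NULL loadparm context and allocates the path and error strings on the NULL talloc parent, where nothing frees them. Whether the lpcfg helpers accept a NULL context is not visible in this series; either pass a real `lp_ctx` and memory context, or make the helper skip the config-file and realm setup with `if (lp_ctx != NULL)`. On Heimdal this also changes which krb5.conf and default realm these callers use, which the commit message does not mention. The same applies to every `smb_krb5_init_context_basic(NULL, NULL, ...)` call in patches 02 to 10. The body of smb_krb5_renew_ticket continues outside the hunk.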
@@ -2880,8 +2881,10 @@ char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
krb5_error_code kerr;
krb5_context ctx = NULL;
- initialize_krb5_error_table();
- if (krb5_init_context(&ctx)) {
+ kerr = smb_krb5_init_context_basic(NULL, NULL, &ctx);
+ if (kerr) {
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(kerr));
return NULL;
}
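Review bot: The added `DBG_ERR` repeats a failure that `smb_krb5_init_context_basic()` already reports itself with `DEBUG(1,("krb5_init_context failed (%s)\n", ...))`, so one failed context init is logged twice, once at level 1 and once at level 0. Log in one place only, either in the helper or in the callers. The same duplicate appears at every converted call site in this series. In `ads_krb5_cli_get_ticket` (previously `DBG_WARNING`) and `ads_kdestroy` (previously `DEBUG(3, ...)`) the message is also raised to error level, which the commit messages do not mention.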
@@ -3502,11 +3505,10 @@ int ads_krb5_cli_get_ticket(TALLOC_CTX *mem_ctx,
ENCTYPE_NULL};
bool ok;
- initialize_krb5_error_table();
- retval = krb5_init_context(&context);
+ retval = smb_krb5_init_context_basic(NULL, NULL, &context);
if (retval != 0) {
- DBG_WARNING("krb5_init_context failed (%s)\n",
- error_message(retval));
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(retval));
goto failed;
}
--
2.17.2
From c768a63bc98c24af130cdc75821f4d70e8493646 Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at linux.ibm.com>
Date: Wed, 5 Dec 2018 11:06:20 +0100
Subject: [PATCH 03/10] client: Add kerberos tracing
Replace kerberos context initialization from
raw krb5_init_context() to smb_krb5_init_context_basic()
which is adding common tracing as well.
Signed-off-by: Swen Schillig <swen at linux.ibm.com>
---
source3/client/smbspool.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
index 58ce6c56177..c3da0f8b8a1 100644
--- a/source3/client/smbspool.c
+++ b/source3/client/smbspool.c
@@ -516,8 +516,10 @@ static bool kerberos_ccache_is_valid(void) {
krb5_ccache ccache = NULL;
krb5_error_code code;
- code = krb5_init_context(&ctx);
+ code = smb_krb5_init_context_basic(NULL, NULL, &ctx);
if (code != 0) {
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(code));
return false;
}
--
2.17.2
From 4bc4ca42e68c32d91e878eb867487cb9ffbaf1d8 Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at linux.ibm.com>
Date: Wed, 5 Dec 2018 11:16:42 +0100
Subject: [PATCH 04/10] libads: Add kerberos tracing
Replace kerberos context initialization from
raw krb5_init_context() to smb_krb5_init_context_basic()
which is adding common tracing as well.
Signed-off-by: Swen Schillig <swen at linux.ibm.com>
---
source3/libads/kerberos.c | 17 ++++++++++-------
source3/libads/kerberos_keytab.c | 28 ++++++++++++----------------
source3/libads/krb5_setpw.c | 12 ++++++------
source3/libads/sasl.c | 4 +++-
4 files changed, 31 insertions(+), 30 deletions(-)
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 43b6a1debb4..588ac54bf96 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -128,9 +128,12 @@ int kerberos_kinit_password_ext(const char *principal,
ZERO_STRUCT(my_creds);
- initialize_krb5_error_table();
- if ((code = krb5_init_context(&ctx)))
- goto out;
+ code = smb_krb5_init_context_basic(NULL, NULL, &ctx);
+ if (code) {
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(code));
+ return code;
+ }
if (time_offset != 0) {
krb5_set_real_time(ctx, time(NULL) + time_offset, 0);
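Review bot: The failure path changes from `goto out` to `return code`, which is unrelated to tracing and not mentioned in the commit message. The `out:` label and its cleanup are outside this hunk, so it cannot be confirmed from here that bypassing it is harmless. If the change is intended, a one-line comment such as `/* nothing to clean up yet: no context was created */` would make that explicit; otherwise keep `goto out` so all exits of kerberos_kinit_password_ext stay on one path.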
@@ -244,10 +247,10 @@ int ads_kdestroy(const char *cc_name)
krb5_context ctx = NULL;
krb5_ccache cc = NULL;
- initialize_krb5_error_table();
- if ((code = krb5_init_context (&ctx))) {
- DEBUG(3, ("ads_kdestroy: kdb5_init_context failed: %s\n",
- error_message(code)));
+ code = smb_krb5_init_context_basic(NULL, NULL, &ctx);
+ if (code) {
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(code));
return code;
}
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 792dc999e6c..512d902838a 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -259,11 +259,10 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
TALLOC_CTX *tmpctx = NULL;
int i;
- initialize_krb5_error_table();
- ret = krb5_init_context(&context);
+ ret = smb_krb5_init_context_basic(NULL, NULL, &context);
if (ret) {
- DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
- error_message(ret)));
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(ret));
return -1;
}
@@ -436,11 +435,10 @@ int ads_keytab_flush(ADS_STRUCT *ads)
krb5_kvno kvno;
ADS_STATUS aderr;
- initialize_krb5_error_table();
- ret = krb5_init_context(&context);
+ ret = smb_krb5_init_context_basic(NULL, NULL, &context);
if (ret) {
- DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
- error_message(ret)));
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(ret));
return ret;
}
@@ -570,11 +568,10 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
memset(princ_s, '\0', sizeof(princ_s));
- initialize_krb5_error_table();
- ret = krb5_init_context(&context);
+ ret = smb_krb5_init_context_basic(NULL, NULL, &context);
if (ret) {
- DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
- error_message(ret)));
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(ret));
goto done;
}
@@ -774,11 +771,10 @@ int ads_keytab_list(const char *keytab_name)
ZERO_STRUCT(kt_entry);
ZERO_STRUCT(cursor);
- initialize_krb5_error_table();
- ret = krb5_init_context(&context);
+ ret = smb_krb5_init_context_basic(NULL, NULL, &context);
if (ret) {
- DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
- error_message(ret)));
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(ret));
return ret;
}
diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c
index a4a781963a3..bfd9e0a4579 100644
--- a/source3/libads/krb5_setpw.c
+++ b/source3/libads/krb5_setpw.c
@@ -69,10 +69,10 @@ ADS_STATUS ads_krb5_set_password(const char *kdc_host, const char *principal,
krb5_data result_code_string = { 0 };
krb5_data result_string = { 0 };
- initialize_krb5_error_table();
- ret = krb5_init_context(&context);
+ ret = smb_krb5_init_context_basic(NULL, NULL, &context);
if (ret) {
- DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret)));
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(ret));
return ADS_ERROR_KRB5(ret);
}
@@ -177,10 +177,10 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
krb5_data result_string = { 0 };
smb_krb5_addresses *addr = NULL;
- initialize_krb5_error_table();
- ret = krb5_init_context(&context);
+ ret = smb_krb5_init_context_basic(NULL, NULL, &context);
if (ret) {
- DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret)));
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(ret));
return ADS_ERROR_KRB5(ret);
}
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 7f7b790810c..bbbf7b04980 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -366,8 +366,10 @@ static ADS_STATUS ads_init_gssapi_cred(ADS_STRUCT *ads, gss_cred_id_t *cred)
return ADS_SUCCESS;
}
- kerr = krb5_init_context(&kctx);
+ kerr = smb_krb5_init_context_basic(NULL, NULL, &kctx);
if (kerr) {
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(kerr));
return ADS_ERROR_KRB5(kerr);
}
--
2.17.2
From da787669523136b31f19f025840e5a0c33b1431e Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at linux.ibm.com>
Date: Wed, 5 Dec 2018 11:35:42 +0100
Subject: [PATCH 05/10] libnet: Add kerberos tracing
Replace kerberos context initialization from
raw krb5_init_context() to smb_krb5_init_context_basic()
which is adding common tracing as well.
Signed-off-by: Swen Schillig <swen at linux.ibm.com>
---
source3/libnet/libnet_keytab.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/source3/libnet/libnet_keytab.c b/source3/libnet/libnet_keytab.c
index c76e7b298cf..9eb68cc6aa5 100644
--- a/source3/libnet/libnet_keytab.c
+++ b/source3/libnet/libnet_keytab.c
@@ -74,11 +74,10 @@ krb5_error_code libnet_keytab_init(TALLOC_CTX *mem_ctx,
talloc_set_destructor(r, keytab_close);
- initialize_krb5_error_table();
- ret = krb5_init_context(&context);
+ ret = smb_krb5_init_context_basic(NULL, NULL, &context);
if (ret) {
- DEBUG(1,("keytab_init: could not krb5_init_context: %s\n",
- error_message(ret)));
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(ret));
return ret;
}
--
2.17.2
From 589198e1f8eb3ffde82c8e1e4f5237760cb69d74 Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at linux.ibm.com>
Date: Wed, 5 Dec 2018 11:38:44 +0100
Subject: [PATCH 06/10] librpc: Add kerberos tracing
Replace kerberos context initialization from
raw krb5_init_context() to smb_krb5_init_context_basic()
which is adding common tracing as well.
Signed-off-by: Swen Schillig <swen at linux.ibm.com>
---
source3/librpc/crypto/gse.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 2c00ea9bbcb..5446a5a152b 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -206,12 +206,10 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
gse_ctx->gss_want_flags |= add_gss_c_flags;
/* Initialize Kerberos Context */
- initialize_krb5_error_table();
-
- k5ret = krb5_init_context(&gse_ctx->k5ctx);
+ k5ret = smb_krb5_init_context_basic(NULL, NULL, &gse_ctx->k5ctx);
if (k5ret) {
- DEBUG(0, ("Failed to initialize kerberos context! (%s)\n",
- error_message(k5ret)));
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(k5ret));
status = NT_STATUS_INTERNAL_ERROR;
goto err_out;
}
--
2.17.2
From 1e200eea1cb3f15ade0470404b077184cfebd51e Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at linux.ibm.com>
Date: Wed, 5 Dec 2018 11:41:47 +0100
Subject: [PATCH 07/10] passdb: Add kerberos tracing
Replace kerberos context initialization from
raw krb5_init_context() to smb_krb5_init_context_basic()
which is adding common tracing as well.
Signed-off-by: Swen Schillig <swen at linux.ibm.com>
---
source3/passdb/machine_account_secrets.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c
index b816b3aa7f8..21c15a531b6 100644
--- a/source3/passdb/machine_account_secrets.c
+++ b/source3/passdb/machine_account_secrets.c
@@ -1083,9 +1083,10 @@ static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_passwor
goto no_kerberos;
}
- initialize_krb5_error_table();
- krb5_ret = krb5_init_context(&krb5_ctx);
- if (krb5_ret != 0) {
+ krb5_ret = smb_krb5_init_context_basic(NULL, NULL, &krb5_ctx);
+ if (krb5_ret) {
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(krb5_ret));
TALLOC_FREE(keys);
return krb5_ret;
}
--
2.17.2
From ef4412f78d158fc87672f5d4be603944d0204783 Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at linux.ibm.com>
Date: Wed, 5 Dec 2018 11:44:24 +0100
Subject: [PATCH 08/10] utils: Add kerberos tracing
Replace kerberos context initialization from
raw krb5_init_context() to smb_krb5_init_context_basic()
which is adding common tracing as well.
Signed-off-by: Swen Schillig <swen at linux.ibm.com>
---
source3/utils/net_lookup.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/source3/utils/net_lookup.c b/source3/utils/net_lookup.c
index 140f9900795..0a2218ae21c 100644
--- a/source3/utils/net_lookup.c
+++ b/source3/utils/net_lookup.c
@@ -286,11 +286,10 @@ static int net_lookup_kdc(struct net_context *c, int argc, const char **argv)
int i;
NTSTATUS status;
- initialize_krb5_error_table();
- rc = krb5_init_context(&ctx);
+ rc = smb_krb5_init_context_basic(NULL, NULL, &ctx);
if (rc) {
- DEBUG(1,("krb5_init_context failed (%s)\n",
- error_message(rc)));
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(rc));
return -1;
}
--
2.17.2
From 33c7e58e009cc624e9b63fcfec1689091c9b82df Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at linux.ibm.com>
Date: Wed, 5 Dec 2018 11:46:46 +0100
Subject: [PATCH 09/10] winbindd: Add kerberos tracing
Replace kerberos context initialization from
raw krb5_init_context() to smb_krb5_init_context_basic()
which is adding common tracing as well.
Signed-off-by: Swen Schillig <swen at linux.ibm.com>
---
source3/winbindd/winbindd_pam.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index b7eb17556a4..80f9f864db2 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -2889,10 +2889,10 @@ static NTSTATUS extract_pac_vrfy_sigs(TALLOC_CTX *mem_ctx, DATA_BLOB pac_blob,
ZERO_STRUCT(entry);
ZERO_STRUCT(cursor);
- k5ret = krb5_init_context(&krbctx);
+ k5ret = smb_krb5_init_context_basic(NULL, NULL, &krbctx);
if (k5ret) {
- DEBUG(1, ("Failed to initialize kerberos context: %s\n",
- error_message(k5ret)));
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(k5ret));
status = krb5_to_nt_status(k5ret);
goto out;
}
--
2.17.2
From b844e9e0ab49a725ba6a02e4e6551af60809ebe3 Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at linux.ibm.com>
Date: Wed, 5 Dec 2018 11:55:09 +0100
Subject: [PATCH 10/10] s4: Add kerberos tracing
Replace kerberos context initialization from
raw krb5_init_context() to smb_krb5_init_context_basic()
which is adding common tracing as well.
Signed-off-by: Swen Schillig <swen at linux.ibm.com>
---
source4/kdc/ktutil.c | 6 +++---
source4/kdc/sdb_to_kdb.c | 4 +++-
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/source4/kdc/ktutil.c b/source4/kdc/ktutil.c
index bc263c5b29b..0127a31795b 100644
--- a/source4/kdc/ktutil.c
+++ b/source4/kdc/ktutil.c
@@ -59,10 +59,10 @@ int main (int argc, char **argv)
keytab_name = argv[1];
- initialize_krb5_error_table();
-
- ret = krb5_init_context(&context);
+ ret = smb_krb5_init_context_basic(NULL, NULL, &context);
if (ret) {
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(ret));
smb_krb5_err(mem_ctx, context, 1, ret, "krb5_context");
}
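Review bot: On failure `smb_krb5_init_context_basic()` returns before it assigns `*_krb5_context`, so the `context` handed to `smb_krb5_err()` on the next line is whatever the declaration left in it; that declaration is outside this hunk. Make sure it reads `krb5_context context = NULL;` and that `smb_krb5_err()` tolerates a NULL context, or report the error without using the context. The added `DBG_ERR` is then probably redundant, since `smb_krb5_err()` is called with the same error code immediately afterwards.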
diff --git a/source4/kdc/sdb_to_kdb.c b/source4/kdc/sdb_to_kdb.c
index 74d882738f8..649ea516eff 100644
--- a/source4/kdc/sdb_to_kdb.c
+++ b/source4/kdc/sdb_to_kdb.c
@@ -327,8 +327,10 @@ static int samba_kdc_kdb_entry_destructor(struct samba_kdc_entry *p)
entry_ex->e_data = NULL;
}
- ret = krb5_init_context(&context);
+ ret = smb_krb5_init_context_basic(NULL, NULL, &context);
if (ret) {
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(ret));
return ret;
}
--
2.17.2