[PATCH] Add kerberos tracing.

swen swen at linux.ibm.com
Mon Nov 26 14:03:05 UTC 2018


This patch set is using krb5_set_trace_callback from the kerberos API
to provide inline tracing information, if wanted.

The feature itself must be enabled at compile time by defining
HAVE_KRB5_TRACING; the default is to NOT have tracing compiled in.

If compiled in, the trace information will only be logged if logging is
set to DEBUG level.

Besides the introduction of the feature (patch 1), the inclusion for each
area is handled by tiny separate patches (patch 2 - 10).
If wanted, that could be condensed to one, but I remember that some
prefer it that way.

Please review and push if happy.

Cheers Swen
-------------- next part --------------
From 9bb790a8a38a57131ce34d0ccf9d453c92026d66 Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at vnet.ibm.com>
Date: Fri, 16 Nov 2018 16:01:02 +0100
Subject: [PATCH 01/10] Add kerberos trace callback

Define macro which provides and configures a kerberos
tracing callback. To have this feature included
HAVE_KRB5_TRACING has to be defined at compile time.
The default is to have it disabled.

At run-time, kerberos tracing will be logged if the
logging is set to DEBUG level.

Signed-off-by: Swen Schillig <swen at vnet.ibm.com>
---
 lib/krb5_wrap/krb5_samba.c | 10 ++++++++++
 lib/krb5_wrap/krb5_samba.h | 19 +++++++++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index a6ff97640ca..b66eae92b67 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -129,6 +129,16 @@ const krb5_data *krb5_princ_component(krb5_context context,
 }
 #endif
 
+#ifdef HAVE_KRB5_TRACING
+void smb_krb5_trace_cb(krb5_context ctx,
+		       const krb5_trace_info *info,
+		       void *data)
+{
+	if (info != NULL) {
+		DBG_DEBUG("%s\n", info->message);
+	}
+}
+#endif
 
 /**********************************************************
  * WRAPPING FUNCTIONS
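
Review bot: smb_krb5_trace_cb() never uses ctx or data and has no comment explaining the info != NULL check. libkrb5 calls the callback one last time with info == NULL when the callback is reset or the context is freed, so a short function comment recording that would stop someone from removing the check later. Because info->message is passed through unmodified, the same comment should say that trace text can carry principal and host names into the Samba log whenever the DEBUG level is active.
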
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index 8305c1f77af..940da3c4994 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -111,6 +111,19 @@ typedef struct {
 #error krb5_keytab_entry has no key or keyblock member
 #endif /* HAVE_KRB5_KEYTAB_ENTRY_KEY */
 
+/* krb5 tracing */
+#ifdef HAVE_KRB5_TRACING
+#define KRB5_TRACE_SET(__ctx) \
+	({int __ret =  krb5_set_trace_callback(__ctx, smb_krb5_trace_cb, NULL);\
+	 if (__ret) {\
+		 DBG_ERR("Failed to set kerberos trace callback! (%s)\n",\
+		 error_message(__ret));\
+	 } \
+	})
+#else
+#define KRB5_TRACE_SET(__ctx)
+#endif
+
 /* work around broken krb5.h on sles9 */
 #ifdef SIZEOF_LONG
 #undef SIZEOF_LONG
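
Review bot: KRB5_TRACE_SET is written as a GCC statement expression, "({ ... })", although every caller in this series uses it as a plain statement; "do { ... } while (0)" is portable and behaves the same here. In the same macro, __ret should be krb5_error_code rather than int, identifiers beginning with a double underscore are reserved for the implementation, and __ctx is not parenthesized. The callback is also installed regardless of the current log level, so libkrb5 formats every trace message even when DBG_DEBUG then discards it; checking the debug level before calling krb5_set_trace_callback would avoid that.
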
@@ -162,6 +175,12 @@ void krb5_free_unparsed_name(krb5_context ctx, char *val);
 #endif
 
 /* Samba wrapper functions for krb5 functionality. */
+#ifdef HAVE_KRB5_TRACING
+void smb_krb5_trace_cb(krb5_context ctx,
+		       const krb5_trace_info *info,
+		       void *data);
+#endif
+
 bool smb_krb5_sockaddr_to_kaddr(struct sockaddr_storage *paddr,
 				krb5_address *pkaddr);
 
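Review bot: The prototype is guarded by HAVE_KRB5_TRACING, but nothing in this patch (it touches only krb5_samba.c and krb5_samba.h) defines that symbol or tests for krb5_set_trace_callback and krb5_trace_info. A configure check that sets the define only when both are available, together with a build option to switch the feature on, would keep a hand-added -DHAVE_KRB5_TRACING from breaking the build against a Kerberos library that lacks the trace API.
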
-- 
2.17.2


From dc4e68520251b493e6f3f76b665336730554f29b Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at vnet.ibm.com>
Date: Fri, 16 Nov 2018 16:01:02 +0100
Subject: [PATCH 02/10] lib: Add kerberos tracing

Add krb5 tracing macro to samba krb5 wrapper.

Signed-off-by: Swen Schillig <swen at vnet.ibm.com>
---
 lib/krb5_wrap/krb5_samba.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index b66eae92b67..6961d5472b4 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -948,6 +948,8 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string,
 		goto done;
 	}
 
+	KRB5_TRACE_SET(context);
+
 	if (!ccache_string) {
 		ccache_string = krb5_cc_default_name(context);
 	}
@@ -2894,6 +2896,8 @@ char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
 		return NULL;
 	}
 
+	KRB5_TRACE_SET(ctx);
+
 	kerr = krb5_get_host_realm(ctx, hostname, &realm_list);
 	if (kerr == KRB5_ERR_HOST_REALM_UNKNOWN) {
 		realm_list = NULL;
@@ -3519,6 +3523,8 @@ int ads_krb5_cli_get_ticket(TALLOC_CTX *mem_ctx,
 		goto failed;
 	}
 
+	KRB5_TRACE_SET(context);
+
 	if (time_offset != 0) {
 		krb5_set_real_time(context, time(NULL) + time_offset, 0);
 	}
-- 
2.17.2


From fdc6cdeee3c74e2a90fde83800e214c5825e3a05 Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at vnet.ibm.com>
Date: Fri, 16 Nov 2018 16:01:02 +0100
Subject: [PATCH 03/10] client: Add kerberos tracing

Add krb5 tracing macro to smbspool.

Signed-off-by: Swen Schillig <swen at vnet.ibm.com>
---
 source3/client/smbspool.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
index 58ce6c56177..5c1b7db7fa0 100644
--- a/source3/client/smbspool.c
+++ b/source3/client/smbspool.c
@@ -28,6 +28,7 @@
 #include "system/kerberos.h"
 #include "libsmb/libsmb.h"
 #include "lib/param/param.h"
+#include "lib/krb5_wrap/krb5_samba.h"
 
 /*
  * Starting with CUPS 1.3, Kerberos support is provided by cupsd including
@@ -521,6 +522,8 @@ static bool kerberos_ccache_is_valid(void) {
 		return false;
 	}
 
+	KRB5_TRACE_SET(ctx);
+
 	ccache_name = krb5_cc_default_name(ctx);
 	if (ccache_name == NULL) {
 		krb5_free_context(ctx);
-- 
2.17.2


From 34133bbf7d6545b14786744763050fd089cd247c Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at vnet.ibm.com>
Date: Fri, 16 Nov 2018 16:01:02 +0100
Subject: [PATCH 04/10] libads: Add kerberos tracing

Add krb5 tracing macro.

Signed-off-by: Swen Schillig <swen at vnet.ibm.com>
---
 source3/libads/kerberos.c        | 4 ++++
 source3/libads/kerberos_keytab.c | 8 ++++++++
 source3/libads/krb5_setpw.c      | 4 ++++
 source3/libads/sasl.c            | 2 ++
 4 files changed, 18 insertions(+)

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 58f38cdc55d..e6cc2a6fee8 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -131,6 +131,8 @@ int kerberos_kinit_password_ext(const char *principal,
 	if ((code = krb5_init_context(&ctx)))
 		goto out;
 
+	KRB5_TRACE_SET(ctx);
+
 	if (time_offset != 0) {
 		krb5_set_real_time(ctx, time(NULL) + time_offset, 0);
 	}
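
Review bot: KRB5_TRACE_SET(ctx) is added by hand right after krb5_init_context(&ctx), and the same line is repeated at every other call site in patches 02 to 10. Any context created elsewhere, now or later, silently gets no tracing. Installing the callback in one shared context-initialization helper and converting the callers to it would cover all sites and shrink the series.
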
@@ -250,6 +252,8 @@ int ads_kdestroy(const char *cc_name)
 		return code;
 	}
 
+	KRB5_TRACE_SET(ctx);
+
 	if (!cc_name) {
 		if ((code = krb5_cc_default(ctx, &cc))) {
 			krb5_free_context(ctx);
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 792dc999e6c..4b813a225ca 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -267,6 +267,8 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
 		return -1;
 	}
 
+	KRB5_TRACE_SET(context);
+
 	ret = ads_keytab_open(context, &keytab);
 	if (ret != 0) {
 		goto out;
@@ -444,6 +446,8 @@ int ads_keytab_flush(ADS_STRUCT *ads)
 		return ret;
 	}
 
+	KRB5_TRACE_SET(context);
+
 	ret = ads_keytab_open(context, &keytab);
 	if (ret != 0) {
 		goto out;
@@ -578,6 +582,8 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
 		goto done;
 	}
 
+	KRB5_TRACE_SET(context);
+
 	machine_name = talloc_strdup(frame, lp_netbios_name());
 	if (!machine_name) {
 		ret = -1;
@@ -782,6 +788,8 @@ int ads_keytab_list(const char *keytab_name)
 		return ret;
 	}
 
+	KRB5_TRACE_SET(context);
+
 	if (keytab_name == NULL) {
 #ifdef HAVE_ADS
 		ret = ads_keytab_open(context, &keytab);
diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c
index 94dd8eefc92..343b0960fdd 100644
--- a/source3/libads/krb5_setpw.c
+++ b/source3/libads/krb5_setpw.c
@@ -76,6 +76,8 @@ ADS_STATUS ads_krb5_set_password(const char *kdc_host, const char *principal,
 		return ADS_ERROR_KRB5(ret);
 	}
 
+	KRB5_TRACE_SET(context);
+
 	if (principal) {
 		ret = smb_krb5_parse_name(context, principal, &princ);
 		if (ret) {
@@ -184,6 +186,8 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
 	return ADS_ERROR_KRB5(ret);
     }
 
+    KRB5_TRACE_SET(context);
+
     if ((ret = smb_krb5_parse_name(context, principal,
                                     &princ))) {
 	krb5_free_context(context);
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 7f7b790810c..7d0daaf432d 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -371,6 +371,8 @@ static ADS_STATUS ads_init_gssapi_cred(ADS_STRUCT *ads, gss_cred_id_t *cred)
 		return ADS_ERROR_KRB5(kerr);
 	}
 
+	KRB5_TRACE_SET(kctx);
+
 	kerr = krb5_cc_resolve(kctx, ads->auth.ccache_name, &kccache);
 	if (kerr) {
 		status = ADS_ERROR_KRB5(kerr);
-- 
2.17.2


From 03ef4d88bb7cf44d24fa33afc9f56da7bf7c9662 Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at vnet.ibm.com>
Date: Fri, 16 Nov 2018 16:01:02 +0100
Subject: [PATCH 05/10] libnet: Add kerberos tracing

Add krb5 tracing macro.

Signed-off-by: Swen Schillig <swen at vnet.ibm.com>
---
 source3/libnet/libnet_keytab.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/source3/libnet/libnet_keytab.c b/source3/libnet/libnet_keytab.c
index c76e7b298cf..ee91e7aaf06 100644
--- a/source3/libnet/libnet_keytab.c
+++ b/source3/libnet/libnet_keytab.c
@@ -82,6 +82,8 @@ krb5_error_code libnet_keytab_init(TALLOC_CTX *mem_ctx,
 		return ret;
 	}
 
+	KRB5_TRACE_SET(context);
+
 	ret = smb_krb5_kt_open_relative(context,
 					keytab_name,
 					true, /* write_access */
-- 
2.17.2


From 12127c59690fda94c2359f815fb42648e8a69e8d Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at vnet.ibm.com>
Date: Fri, 16 Nov 2018 16:01:02 +0100
Subject: [PATCH 06/10] librpc: Add kerberos tracing

Add krb5 tracing macro.

Signed-off-by: Swen Schillig <swen at vnet.ibm.com>
---
 source3/librpc/crypto/gse.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 2c00ea9bbcb..38015daa03e 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -216,6 +216,8 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
 		goto err_out;
 	}
 
+	KRB5_TRACE_SET(gse_ctx->k5ctx);
+
 	if (!ccache_name) {
 		ccache_name = krb5_cc_default_name(gse_ctx->k5ctx);
 	}
-- 
2.17.2


From 0a9ae2621172f167428917f69866922d02c4032f Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at vnet.ibm.com>
Date: Fri, 16 Nov 2018 16:01:02 +0100
Subject: [PATCH 07/10] passdb: Add kerberos tracing

Add krb5 tracing macro.

Signed-off-by: Swen Schillig <swen at vnet.ibm.com>
---
 source3/passdb/machine_account_secrets.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c
index d8ffcaa7fb6..c1eb28ea03f 100644
--- a/source3/passdb/machine_account_secrets.c
+++ b/source3/passdb/machine_account_secrets.c
@@ -1089,6 +1089,8 @@ static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_passwor
 		return krb5_ret;
 	}
 
+	KRB5_TRACE_SET(krb5_ctx);
+
 	krb5_ret = smb_krb5_salt_principal2data(krb5_ctx, salt_principal,
 						p, &salt_data);
 	if (krb5_ret != 0) {
-- 
2.17.2


From cf5f9fd3f8f1c9cdae8542676be40322861561b0 Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at vnet.ibm.com>
Date: Fri, 16 Nov 2018 16:01:02 +0100
Subject: [PATCH 08/10] utils: Add kerberos tracing

Add krb5 tracing macro.

Signed-off-by: Swen Schillig <swen at vnet.ibm.com>
---
 source3/utils/net_lookup.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/source3/utils/net_lookup.c b/source3/utils/net_lookup.c
index 140f9900795..02203819048 100644
--- a/source3/utils/net_lookup.c
+++ b/source3/utils/net_lookup.c
@@ -294,6 +294,8 @@ static int net_lookup_kdc(struct net_context *c, int argc, const char **argv)
 		return -1;
 	}
 
+	KRB5_TRACE_SET(ctx);
+
 	if (argc > 0) {
 		realm = argv[0];
 	} else if (lp_realm() && *lp_realm()) {
-- 
2.17.2


From c19e61373dc49aa6ab007c9f7d2b6c3b090bea92 Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at vnet.ibm.com>
Date: Fri, 16 Nov 2018 16:01:02 +0100
Subject: [PATCH 09/10] winbindd: Add kerberos tracing

Add krb5 tracing macro.

Signed-off-by: Swen Schillig <swen at vnet.ibm.com>
---
 source3/winbindd/winbindd_pam.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index a02926decb2..3cf132c5d49 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -2900,6 +2900,8 @@ static NTSTATUS extract_pac_vrfy_sigs(TALLOC_CTX *mem_ctx, DATA_BLOB pac_blob,
 		goto out;
 	}
 
+	KRB5_TRACE_SET(krbctx);
+
 	k5ret =  gse_krb5_get_server_keytab(krbctx, &keytab);
 	if (k5ret) {
 		DEBUG(1, ("Failed to get keytab: %s\n",
-- 
2.17.2


From 703b8464aa5616a7da54df8e42ca7711fd508168 Mon Sep 17 00:00:00 2001
From: Swen Schillig <swen at vnet.ibm.com>
Date: Fri, 16 Nov 2018 16:01:02 +0100
Subject: [PATCH 10/10] s4: Add kerberos tracing

Add krb5 tracing macro.

Signed-off-by: Swen Schillig <swen at vnet.ibm.com>
---
 source4/auth/kerberos/krb5_init_context.c | 2 ++
 source4/kdc/ktutil.c                      | 2 ++
 source4/kdc/sdb_to_kdb.c                  | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/source4/auth/kerberos/krb5_init_context.c b/source4/auth/kerberos/krb5_init_context.c
index 5e771a87cc5..ab5b2f550e4 100644
--- a/source4/auth/kerberos/krb5_init_context.c
+++ b/source4/auth/kerberos/krb5_init_context.c
@@ -487,6 +487,8 @@ smb_krb5_init_context_basic(TALLOC_CTX *tmp_ctx,
 		return ret;
 	}
 
+	KRB5_TRACE_SET(krb5_ctx);
+
 	/* The MIT Kerberos build relies on using the system krb5.conf file.
 	 * If you really want to use another file please set KRB5_CONFIG
 	 * accordingly. */
diff --git a/source4/kdc/ktutil.c b/source4/kdc/ktutil.c
index bc263c5b29b..ef7b354c8ed 100644
--- a/source4/kdc/ktutil.c
+++ b/source4/kdc/ktutil.c
@@ -66,6 +66,8 @@ int main (int argc, char **argv)
 		smb_krb5_err(mem_ctx, context, 1, ret, "krb5_context");
 	}
 
+	KRB5_TRACE_SET(context);
+
 	ret = smb_krb5_kt_open_relative(context, keytab_name, false, &keytab);
 	if (ret) {
 		smb_krb5_err(mem_ctx, context, 1, ret, "open keytab");
diff --git a/source4/kdc/sdb_to_kdb.c b/source4/kdc/sdb_to_kdb.c
index 74d882738f8..5b7659abe46 100644
--- a/source4/kdc/sdb_to_kdb.c
+++ b/source4/kdc/sdb_to_kdb.c
@@ -332,6 +332,8 @@ static int samba_kdc_kdb_entry_destructor(struct samba_kdc_entry *p)
 		return ret;
 	}
 
+	KRB5_TRACE_SET(context);
+
 	krb5_db_free_principal(context, entry_ex);
 	krb5_free_context(context);
 
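Review bot: In samba_kdc_kdb_entry_destructor the callback is installed on a context whose only remaining use is krb5_db_free_principal(context, entry_ex) followed by krb5_free_context(context). That adds a krb5_set_trace_callback call to every entry teardown for very little trace output; consider dropping KRB5_TRACE_SET from this destructor.
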
-- 
2.17.2


