[Samba] Samba server with NFSV4/kerberos
Jeremy Allison
jra at samba.org
Fri May 12 23:22:23 UTC 2017
On Wed, May 10, 2017 at 01:43:18PM -0600, Orion Poplawski via samba wrote:
> > I have some code that does this I gave to a (large) user
> > site to test. It took a forwarded ticket from the Windows
> > client and saved it in the /tmp/krb5cc_XXXXX file so that
> > the NFS client redirector on Linux could use it.
> >
> > I got it to work in testing, but never got good feedback
> > from the users so didn't finish it up.
> >
> > I can dig it out again and forward port to 4.x if you
> > like ?
> >
> > Jeremy.
>
> I would be very much interested in this if this is still around.
Here is the (horrible hack) I created. Appropriately
entitled "horrible hack". Won't apply to 4.x, and according
to Simo the correct way to do this is via gss_store_cred_into(),
so this code won't ever get upstream.
If you can make it work locally it might help you out though !
Jeremy.
-------------- next part --------------
From c31d9b45f0ccd23a7233e28a687957dec9c1e356 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn at samba.org>
Date: Wed, 23 Oct 2013 11:02:39 +0200
Subject: [PATCH 1/2] s3-smbd_shim: Add become_authenticated_pipe_user().
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 13d840ad2ff0db7320e0cbef86cd47872493292c)
---
source3/include/proto.h | 5 ++++-
source3/lib/smbd_shim.c | 18 ++++++++++++++++++
source3/lib/smbd_shim.h | 2 ++
source3/smbd/proto.h | 4 ++--
source3/smbd/server.c | 2 ++
source3/smbd/uid.c | 4 ++--
6 files changed, 30 insertions(+), 5 deletions(-)
diff --git a/source3/include/proto.h b/source3/include/proto.h
index a42faf8..b2f718b 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1623,7 +1623,7 @@ bool ea_list_has_invalid_name(struct ea_list *ea_list);
void become_root(void);
void unbecome_root(void);
-/* The following definitions come from lib/dummysmbd.c */
+/* The following definitions come from lib/smbd_shim.c */
int find_service(TALLOC_CTX *ctx, const char *service_in, char **p_service_out);
void cancel_pending_lock_requests_by_fid(files_struct *fsp,
@@ -1633,6 +1633,9 @@ void send_stat_cache_delete_message(struct messaging_context *msg_ctx,
const char *name);
NTSTATUS can_delete_directory_fsp(files_struct *fsp);
bool change_to_root_user(void);
+bool become_authenticated_pipe_user(struct auth_session_info *session_info);
+bool unbecome_authenticated_pipe_user(void);
+
void contend_level2_oplocks_begin(files_struct *fsp,
enum level2_contention_type type);
void contend_level2_oplocks_end(files_struct *fsp,
diff --git a/source3/lib/smbd_shim.c b/source3/lib/smbd_shim.c
index d5ad577..1b5b4e6 100644
--- a/source3/lib/smbd_shim.c
+++ b/source3/lib/smbd_shim.c
@@ -58,6 +58,24 @@ bool change_to_root_user(void)
return false;
}
+bool become_authenticated_pipe_user(struct auth_session_info *session_info)
+{
+ if (shim.become_authenticated_pipe_user) {
+ return shim.become_authenticated_pipe_user(session_info);
+ }
+
+ return false;
+}
+
+bool unbecome_authenticated_pipe_user(void)
+{
+ if (shim.unbecome_authenticated_pipe_user) {
+ return shim.unbecome_authenticated_pipe_user();
+ }
+
+ return false;
+}
+
/**
* The following two functions need to be called from inside the low-level BRL
* code for oplocks correctness in smbd. Since other utility binaries also
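Review bot: Both new wrappers report "no shim registered" and "the smbd implementation failed" with the same `return false`, and nothing documents that a false from become_authenticated_pipe_user() means no security context was pushed, so a caller must not follow it with unbecome_authenticated_pipe_user() — the uid.c hunk in this patch shows smbd_become_authenticated_pipe_user() returning before push_sec_ctx() has pushed anything, while smbd_unbecome_authenticated_pipe_user() unconditionally pops. I would add a comment above the first wrapper: `/* Returns false when no shim is registered (non-smbd binaries) or when the switch failed; in both cases no security context was pushed, so the caller must not call unbecome_authenticated_pipe_user(). */`. Callers that ignore the result will otherwise run as whatever euid the process already has, which is exactly the case the wrapper exists to avoid.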
diff --git a/source3/lib/smbd_shim.h b/source3/lib/smbd_shim.h
index 1645837..f3da585 100644
--- a/source3/lib/smbd_shim.h
+++ b/source3/lib/smbd_shim.h
@@ -36,6 +36,8 @@ struct smbd_shim
const char *name);
bool (*change_to_root_user)(void);
+ bool (*become_authenticated_pipe_user)(struct auth_session_info *session_info);
+ bool (*unbecome_authenticated_pipe_user)(void);
void (*contend_level2_oplocks_begin)(files_struct *fsp,
enum level2_contention_type type);
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index 1e0d06d..af1fa9b 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -1103,8 +1103,8 @@ NTSTATUS check_user_share_access(connection_struct *conn,
bool change_to_user(connection_struct *conn, uint64_t vuid);
bool change_to_root_user(void);
bool smbd_change_to_root_user(void);
-bool become_authenticated_pipe_user(struct auth_session_info *session_info);
-bool unbecome_authenticated_pipe_user(void);
+bool smbd_become_authenticated_pipe_user(struct auth_session_info *session_info);
+bool smbd_unbecome_authenticated_pipe_user(void);
void become_root(void);
void unbecome_root(void);
void smbd_become_root(void);
diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index 1f553e7..126bdbf 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -1064,6 +1064,8 @@ extern void build_options(bool screen);
.cancel_pending_lock_requests_by_fid = smbd_cancel_pending_lock_requests_by_fid,
.send_stat_cache_delete_message = smbd_send_stat_cache_delete_message,
.change_to_root_user = smbd_change_to_root_user,
+ .become_authenticated_pipe_user = smbd_become_authenticated_pipe_user,
+ .unbecome_authenticated_pipe_user = smbd_unbecome_authenticated_pipe_user,
.contend_level2_oplocks_begin = smbd_contend_level2_oplocks_begin,
.contend_level2_oplocks_end = smbd_contend_level2_oplocks_end,
diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
index a795eef..5e09e6b 100644
--- a/source3/smbd/uid.c
+++ b/source3/smbd/uid.c
@@ -436,7 +436,7 @@ bool smbd_change_to_root_user(void)
user. Doesn't modify current_user.
****************************************************************************/
-bool become_authenticated_pipe_user(struct auth_session_info *session_info)
+bool smbd_become_authenticated_pipe_user(struct auth_session_info *session_info)
{
if (!push_sec_ctx())
return False;
@@ -455,7 +455,7 @@ bool become_authenticated_pipe_user(struct auth_session_info *session_info)
current_user.
****************************************************************************/
-bool unbecome_authenticated_pipe_user(void)
+bool smbd_unbecome_authenticated_pipe_user(void)
{
return pop_sec_ctx();
}
--
1.9.1.423.g4596e3a
From a352136174a6a874c5ad4608f444fb71939ba520 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Fri, 14 Mar 2014 17:35:51 -0700
Subject: [PATCH 2/2] WARNING !!! Horrible hack for XXXXXXXXXXXXX to accept forwarded
krb5 tickets in smbd.
Signed-off-by: Jeremy Allison <jra at samba.org>
---
source3/librpc/crypto/gse.c | 71 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 71 insertions(+)
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 11a5457..2ec675d 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -1119,6 +1119,77 @@ static NTSTATUS gensec_gse_session_info(struct gensec_security *gensec_security,
return nt_status;
}
+ /* If delegated creds copy here... */
+ if (gse_ctx->gss_got_flags & GSS_C_DELEG_FLAG) {
+ krb5_context ctx = NULL;
+ krb5_error_code ret = 0;
+ krb5_ccache cc = NULL;
+ const char *ccache_name = NULL;
+ bool changed_user = false;
+
+ nt_status = NT_STATUS_OK;
+
+ DEBUG(10, ("delegated credentials supplied by client\n"));
+
+ /* JRA HORRIBLE HACK. */
+ initialize_krb5_error_table();
+ if ((ret = krb5_init_context(&ctx))) {
+ nt_status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ become_authenticated_pipe_user(session_info);
+ changed_user = true;
+
+ ccache_name = krb5_cc_default_name(ctx);
+ if (ccache_name == NULL) {
+ nt_status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ ret = krb5_cc_resolve(ctx, ccache_name, &cc);
+ if (ret) {
+ DEBUG(10, ("krb5_cc_resolve failed %s\n",
+ smb_get_krb5_error_message(ctx, ret, tmp_ctx)));
+ nt_status = krb5_to_nt_status(ret);
+ goto out;
+ }
+
+ DEBUG(10, ("Storing delegated credentials for uid %u in %s\n",
+ (unsigned int)geteuid(),
+ ccache_name));
+
+ maj_stat = gss_krb5_copy_ccache(&min_stat,
+ gse_ctx->delegated_cred_handle,
+ cc);
+ if (GSS_ERROR(maj_stat)) {
+ DEBUG(1, ("gss_krb5_copy_ccache failed: %s\n",
+ gse_errstr(tmp_ctx, maj_stat, min_stat)));
+ nt_status = krb5_to_nt_status(min_stat);
+ goto out;
+ }
+
+ out:
+
+ if (changed_user) {
+ unbecome_authenticated_pipe_user();
+ }
+ if (ctx) {
+ if (cc) {
+ krb5_cc_close(ctx, cc);
+ }
+ krb5_free_context(ctx);
+ }
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ talloc_free(tmp_ctx);
+ return nt_status;
+ }
+ /* END JRA HORRIBLE HACK. */
+ } else {
+ DEBUG(10, ("NO delegated credentials supplied by client\n"));
+ }
+
*_session_info = talloc_move(mem_ctx, &session_info);
talloc_free(tmp_ctx);
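Review bot: The return value of become_authenticated_pipe_user() at the top of the new block is discarded and changed_user is set to true regardless, so if the switch fails (patch 1's shim returns false when no implementation is registered, and smbd's implementation returns false before pushing a security context) the delegated ticket is still written to the default ccache under smbd's current euid — typically root — and the cleanup then pops a security context that was never pushed. Replace those two lines with `if (!become_authenticated_pipe_user(session_info)) { nt_status = NT_STATUS_ACCESS_DENIED; goto out; }` followed by `changed_user = true;`. Two smaller points: the krb5_init_context() failure is mapped to NT_STATUS_NO_MEMORY while the later krb5_cc_resolve() failure uses krb5_to_nt_status(ret), so `nt_status = krb5_to_nt_status(ret);` would be consistent and keep the real error, and the `out:` label has function scope, so it will clash if gensec_gse_session_info() already has one outside this hunk (the function starts and ends outside the hunk, so I cannot confirm). Also, krb5_cc_resolve() only opens the cache handle; whether gss_krb5_copy_ccache() requires krb5_cc_initialize() first, and whether krb5_cc_default_name() expands the name for the switched uid rather than the one in effect at krb5_init_context(), is worth confirming against the Kerberos library in use before relying on this path.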
--
1.9.1.423.g4596e3a