[Samba] Samba server with NFSV4/kerberos

Jeremy Allison jra at samba.org
Fri May 12 23:22:23 UTC 2017


On Wed, May 10, 2017 at 01:43:18PM -0600, Orion Poplawski via samba wrote:
> > I have some code that does this I gave to a (large) user
> > site to test. It took a forwarded ticket from the Windows
> > client and saved it in the /tmp/krb5cc_XXXXX file so that
> > the NFS client redirector on Linux could use it.
> >
> > I got it to work in testing, but never got good feedback
> > from the users so didn't finish it up.
> >
> > I can dig it out again and forward port to 4.x if you
> > like ?
> >
> > Jeremy.
> 
> I would be very much interested in this if this is still around.

Here is the (horrible hack) I created. Appropriately
entitled "horrible hack". Won't apply to 4.x, and according
to Simo the correct way to do this is via gss_store_cred_into(),
so this code won't ever get upstream.

If you can make it work locally it might help you out though !

Jeremy.
-------------- next part --------------
From c31d9b45f0ccd23a7233e28a687957dec9c1e356 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn at samba.org>
Date: Wed, 23 Oct 2013 11:02:39 +0200
Subject: [PATCH 1/2] s3-smbd_shim: Add become_authenticated_pipe_user().

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 13d840ad2ff0db7320e0cbef86cd47872493292c)
---
 source3/include/proto.h |  5 ++++-
 source3/lib/smbd_shim.c | 18 ++++++++++++++++++
 source3/lib/smbd_shim.h |  2 ++
 source3/smbd/proto.h    |  4 ++--
 source3/smbd/server.c   |  2 ++
 source3/smbd/uid.c      |  4 ++--
 6 files changed, 30 insertions(+), 5 deletions(-)

diff --git a/source3/include/proto.h b/source3/include/proto.h
index a42faf8..b2f718b 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1623,7 +1623,7 @@ bool ea_list_has_invalid_name(struct ea_list *ea_list);
 void become_root(void);
 void unbecome_root(void);
 
-/* The following definitions come from lib/dummysmbd.c */
+/* The following definitions come from lib/smbd_shim.c */
 
 int find_service(TALLOC_CTX *ctx, const char *service_in, char **p_service_out);
 void cancel_pending_lock_requests_by_fid(files_struct *fsp,
@@ -1633,6 +1633,9 @@ void send_stat_cache_delete_message(struct messaging_context *msg_ctx,
 				    const char *name);
 NTSTATUS can_delete_directory_fsp(files_struct *fsp);
 bool change_to_root_user(void);
+bool become_authenticated_pipe_user(struct auth_session_info *session_info);
+bool unbecome_authenticated_pipe_user(void);
+
 void contend_level2_oplocks_begin(files_struct *fsp,
 				  enum level2_contention_type type);
 void contend_level2_oplocks_end(files_struct *fsp,
diff --git a/source3/lib/smbd_shim.c b/source3/lib/smbd_shim.c
index d5ad577..1b5b4e6 100644
--- a/source3/lib/smbd_shim.c
+++ b/source3/lib/smbd_shim.c
@@ -58,6 +58,24 @@ bool change_to_root_user(void)
 	return false;
 }
 
+bool become_authenticated_pipe_user(struct auth_session_info *session_info)
+{
+	if (shim.become_authenticated_pipe_user) {
+		return shim.become_authenticated_pipe_user(session_info);
+	}
+
+	return false;
+}
+
+bool unbecome_authenticated_pipe_user(void)
+{
+	if (shim.unbecome_authenticated_pipe_user) {
+		return shim.unbecome_authenticated_pipe_user();
+	}
+
+	return false;
+}
+
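Review bot: The two new wrappers return false when no shim is registered, which for become_authenticated_pipe_user means the caller is left running as whatever identity it already had rather than as session_info's user, and nothing in the hunk or the header declaration says so. A comment above the first wrapper such as `/* With no shim registered (presumably the non-smbd utility binaries mentioned below) no security context is pushed; callers must check the result before acting on behalf of session_info. */` would make that contract explicit. This mirrors the change_to_root_user fallback visible at the top of the hunk, so the same note applies to both wrappers.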
 /**
  * The following two functions need to be called from inside the low-level BRL
  * code for oplocks correctness in smbd.  Since other utility binaries also
diff --git a/source3/lib/smbd_shim.h b/source3/lib/smbd_shim.h
index 1645837..f3da585 100644
--- a/source3/lib/smbd_shim.h
+++ b/source3/lib/smbd_shim.h
@@ -36,6 +36,8 @@ struct smbd_shim
 					       const char *name);
 
 	bool (*change_to_root_user)(void);
+	bool (*become_authenticated_pipe_user)(struct auth_session_info *session_info);
+	bool (*unbecome_authenticated_pipe_user)(void);
 
 	void (*contend_level2_oplocks_begin)(files_struct *fsp,
 					     enum level2_contention_type type);
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index 1e0d06d..af1fa9b 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -1103,8 +1103,8 @@ NTSTATUS check_user_share_access(connection_struct *conn,
 bool change_to_user(connection_struct *conn, uint64_t vuid);
 bool change_to_root_user(void);
 bool smbd_change_to_root_user(void);
-bool become_authenticated_pipe_user(struct auth_session_info *session_info);
-bool unbecome_authenticated_pipe_user(void);
+bool smbd_become_authenticated_pipe_user(struct auth_session_info *session_info);
+bool smbd_unbecome_authenticated_pipe_user(void);
 void become_root(void);
 void unbecome_root(void);
 void smbd_become_root(void);
diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index 1f553e7..126bdbf 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -1064,6 +1064,8 @@ extern void build_options(bool screen);
 		.cancel_pending_lock_requests_by_fid = smbd_cancel_pending_lock_requests_by_fid,
 		.send_stat_cache_delete_message = smbd_send_stat_cache_delete_message,
 		.change_to_root_user = smbd_change_to_root_user,
+		.become_authenticated_pipe_user = smbd_become_authenticated_pipe_user,
+		.unbecome_authenticated_pipe_user = smbd_unbecome_authenticated_pipe_user,
 
 		.contend_level2_oplocks_begin = smbd_contend_level2_oplocks_begin,
 		.contend_level2_oplocks_end = smbd_contend_level2_oplocks_end,
diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
index a795eef..5e09e6b 100644
--- a/source3/smbd/uid.c
+++ b/source3/smbd/uid.c
@@ -436,7 +436,7 @@ bool smbd_change_to_root_user(void)
  user. Doesn't modify current_user.
 ****************************************************************************/
 
-bool become_authenticated_pipe_user(struct auth_session_info *session_info)
+bool smbd_become_authenticated_pipe_user(struct auth_session_info *session_info)
 {
 	if (!push_sec_ctx())
 		return False;
@@ -455,7 +455,7 @@ bool become_authenticated_pipe_user(struct auth_session_info *session_info)
  current_user.
 ****************************************************************************/
 
-bool unbecome_authenticated_pipe_user(void)
+bool smbd_unbecome_authenticated_pipe_user(void)
 {
 	return pop_sec_ctx();
 }
-- 
1.9.1.423.g4596e3a


From a352136174a6a874c5ad4608f444fb71939ba520 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Fri, 14 Mar 2014 17:35:51 -0700
Subject: [PATCH 2/2] WARNING !!! Horrible hack for XXXXXXXXXXXXX to accept forwarded
 krb5 tickets in smbd.

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 source3/librpc/crypto/gse.c | 71 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)

diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 11a5457..2ec675d 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -1119,6 +1119,77 @@ static NTSTATUS gensec_gse_session_info(struct gensec_security *gensec_security,
 		return nt_status;
 	}
 
+	/* If delegated creds copy here... */
+	if (gse_ctx->gss_got_flags & GSS_C_DELEG_FLAG) {
+		krb5_context ctx = NULL;
+		krb5_error_code ret = 0;
+		krb5_ccache cc = NULL;
+		const char *ccache_name = NULL;
+		bool changed_user = false;
+
+		nt_status = NT_STATUS_OK;
+
+		DEBUG(10, ("delegated credentials supplied by client\n"));
+
+		/* JRA HORRIBLE HACK. */
+		initialize_krb5_error_table();
+		if ((ret = krb5_init_context(&ctx))) {
+			nt_status = NT_STATUS_NO_MEMORY;
+			goto out;
+		}
+
+		become_authenticated_pipe_user(session_info);
+		changed_user = true;
+
+		ccache_name = krb5_cc_default_name(ctx);
+		if (ccache_name == NULL) {
+			nt_status = NT_STATUS_NO_MEMORY;
+			goto out;
+		}
+
+		ret = krb5_cc_resolve(ctx, ccache_name, &cc);
+		if (ret) {
+			DEBUG(10, ("krb5_cc_resolve failed %s\n",
+				smb_get_krb5_error_message(ctx, ret, tmp_ctx)));
+			nt_status = krb5_to_nt_status(ret);
+			goto out;
+		}
+
+		DEBUG(10, ("Storing delegated credentials for uid %u in %s\n",
+			(unsigned int)geteuid(),
+			ccache_name));
+
+		maj_stat = gss_krb5_copy_ccache(&min_stat,
+					gse_ctx->delegated_cred_handle,
+					cc);
+		if (GSS_ERROR(maj_stat)) {
+			DEBUG(1, ("gss_krb5_copy_ccache failed: %s\n",
+				gse_errstr(tmp_ctx, maj_stat, min_stat)));
+			nt_status = krb5_to_nt_status(min_stat);
+			goto out;
+		}
+
+  out:
+
+		if (changed_user) {
+			unbecome_authenticated_pipe_user();
+		}
+		if (ctx) {
+			if (cc) {
+				krb5_cc_close(ctx, cc);
+			}
+			krb5_free_context(ctx);
+		}
+
+		if (!NT_STATUS_IS_OK(nt_status)) {
+			talloc_free(tmp_ctx);
+			return nt_status;
+		}
+		/* END JRA HORRIBLE HACK. */
+	} else {
+		DEBUG(10, ("NO delegated credentials supplied by client\n"));
+        }
+
 	*_session_info = talloc_move(mem_ctx, &session_info);
 	talloc_free(tmp_ctx);
 
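Review bot: The return value of `become_authenticated_pipe_user(session_info)` is ignored and `changed_user = true` follows unconditionally, so if the identity switch fails (the shim fallback returns false without pushing a security context) the ccache is still resolved and written under whatever euid smbd currently has, and `unbecome_authenticated_pipe_user()` then pops a context that was never pushed; gensec_gse_session_info starts and ends outside the hunk. Guard it with `if (!become_authenticated_pipe_user(session_info)) { nt_status = NT_STATUS_ACCESS_DENIED; goto out; }` placed before `changed_user = true;`. The `krb5_init_context` failure is reported as `NT_STATUS_NO_MEMORY`, whereas the two later krb5 failures go through `krb5_to_nt_status`; `nt_status = krb5_to_nt_status(ret);` would be consistent. The target path comes from `krb5_cc_default_name(ctx)` evaluated inside the smbd process, so it is presumably only per-user if that resolver yields a per-uid name under the switched identity — worth confirming, since otherwise sessions for different users would write to the same cache. The closing brace of the `else` branch is indented with spaces rather than the tabs used elsewhere in the hunk, and the `out:` label sits at an odd column inside the block.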
-- 
1.9.1.423.g4596e3a

