now with patches :-)
On Thu, Jun 07, 2012 at 12:07:13PM +0200, Sumit Bose wrote:
> Hi,
> 
> this patch fixes https://fedorahosted.org/freeipa/ticket/2513 and as a
> consequence makes https://fedorahosted.org/freeipa/ticket/2516 obsolete.
> 
> This first patch is just a minor cleanup which is not related to the
> ticket. The second make create_keys() a public function so the it can be
> called by the ipasam plugin as well. Finally the third patch removes the
> kadmin.local call and calls the KEYTAB_SET_OID extented operation
> instead.
> 
> bye,
> Sumit
From adf2c4145587b5505a74beb9f3b0893781ae3119 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Tue, 20 Dec 2011 13:56:00 +0100
Subject: [PATCH] ipasam: remove unused struct elements

---
 daemons/ipa-sam/ipa_sam.c |   11 -----------
 1 Datei geändert, 11 Zeilen entfernt(-)

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 
3e88050670c5d2bc760d9de0806f9ea1a164c0d3..2627025a8f2f757ca62c58b541c002f46e7c3be1
 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -182,17 +182,6 @@ do { \
 #define HAS_KRB_TICKET_POLICY_AUX (1<<9)
 
 struct ipasam_privates {
-       NTSTATUS (*ldapsam_add_sam_account)(struct pdb_methods *,
-                                           struct samu *sampass);
-       NTSTATUS (*ldapsam_update_sam_account)(struct pdb_methods *,
-                                              struct samu *sampass);
-       NTSTATUS (*ldapsam_create_user)(struct pdb_methods *my_methods,
-                                       TALLOC_CTX *tmp_ctx, const char *name,
-                                       uint32_t acb_info, uint32_t *rid);
-       NTSTATUS (*ldapsam_create_dom_group)(struct pdb_methods *my_methods,
-                                            TALLOC_CTX *tmp_ctx,
-                                            const char *name,
-                                            uint32_t *rid);
        char *realm;
        char *base_dn;
        char *trust_dn;
-- 
1.7.10.2

From 2f2e777838c1258e45e6185f99ec9806163e5dc7 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Tue, 13 Mar 2012 10:29:00 +0100
Subject: [PATCH] Move some krb5 keys related functions from ipa-client to
 util

---
 ipa-client/ipa-getkeytab.c |  381 +-------------------------------------------
 util/ipa_krb5.c            |  362 +++++++++++++++++++++++++++++++++++++++++
 util/ipa_krb5.h            |   36 +++++
 3 Dateien geändert, 403 Zeilen hinzugefügt(+), 376 Zeilen entfernt(-)

diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c
index 
7d7b971769cccece5dfe36934f6c73e5986df877..ca6e63413d64060afb802b1e807920ffaac2bb31
 100644
--- a/ipa-client/ipa-getkeytab.c
+++ b/ipa-client/ipa-getkeytab.c
@@ -41,30 +41,6 @@
 #include "ipa_krb5.h"
 #include "ipa-client-common.h"
 
-/* Salt types */
-#define NO_SALT                        -1
-#define KRB5_KDB_SALTTYPE_NORMAL        0
-#define KRB5_KDB_SALTTYPE_V4            1
-#define KRB5_KDB_SALTTYPE_NOREALM       2
-#define KRB5_KDB_SALTTYPE_ONLYREALM     3
-#define KRB5_KDB_SALTTYPE_SPECIAL       4
-#define KRB5_KDB_SALTTYPE_AFS3          5
-
-#define KEYTAB_SET_OID "2.16.840.1.113730.3.8.10.1"
-#define KEYTAB_RET_OID "2.16.840.1.113730.3.8.10.2"
-
-struct krb_key_salt {
-    krb5_enctype enctype;
-    krb5_int32 salttype;
-    krb5_keyblock key;
-    krb5_data salt;
-};
-
-struct keys_container {
-    krb5_int32 nkeys;
-    struct krb_key_salt *ksdata;
-};
-
 static int ldap_sasl_interact(LDAP *ld, unsigned flags, void *priv_data, void 
*sit)
 {
        sasl_interact_t *in = NULL;
@@ -122,357 +98,6 @@ static int ldap_sasl_interact(LDAP *ld, unsigned flags, 
void *priv_data, void *s
        return ret;
 }
 
-static void free_keys_contents(krb5_context krbctx, struct keys_container 
*keys)
-{
-    struct krb_key_salt *ksdata;
-    int i;
-
-    ksdata = keys->ksdata;
-    for (i = 0; i < keys->nkeys; i++) {
-        krb5_free_keyblock_contents(krbctx, &ksdata[i].key);
-        krb5_free_data_contents(krbctx, &ksdata[i].salt);
-    }
-    free(ksdata);
-
-    keys->ksdata = NULL;
-    keys->nkeys = 0;
-}
-
-/* Determines Encryption and Salt types,
- * allocates key_salt data storage,
- * filters out equivalent encodings,
- * returns 0 if no enctypes available, >0 if enctypes are available */
-static int prep_ksdata(krb5_context krbctx, const char *str,
-                       struct keys_container *keys)
-{
-    struct krb_key_salt *ksdata;
-    krb5_error_code krberr;
-    int n, i, j, nkeys;
-
-    if (str == NULL) {
-        krb5_enctype *ktypes;
-
-        krberr = krb5_get_permitted_enctypes(krbctx, &ktypes);
-        if (krberr) {
-            fprintf(stderr, _("No system preferred enctypes ?!\n"));
-            return 0;
-        }
-
-        for (n = 0; ktypes[n]; n++) /* count */ ;
-
-        ksdata = calloc(n + 1, sizeof(struct krb_key_salt));
-        if (NULL == ksdata) {
-            fprintf(stderr, _("Out of memory!?\n"));
-            return 0;
-        }
-
-        for (i = 0; i < n; i++) {
-            ksdata[i].enctype = ktypes[i];
-            ksdata[i].salttype = KRB5_KDB_SALTTYPE_NORMAL;
-        }
-
-        ipa_krb5_free_ktypes(krbctx, ktypes);
-
-        nkeys = i;
-
-    } else {
-        char *tmp, *t, *p, *q;
-
-        t = tmp = strdup(str);
-        if (!tmp) {
-            fprintf(stderr, _("Out of memory\n"));
-            return 0;
-        }
-
-        /* count */
-        n = 0;
-        while ((p = strchr(t, ','))) {
-            t = p+1;
-            n++;
-        }
-        n++; /* count the last one that is 0 terminated instead */
-
-        /* at the end we will have at most n entries + 1 terminating */
-        ksdata = calloc(n + 1, sizeof(struct krb_key_salt));
-        if (!ksdata) {
-            fprintf(stderr, _("Out of memory\n"));
-            return 0;
-        }
-
-        for (i = 0, j = 0, t = tmp; i < n; i++) {
-
-            p = strchr(t, ',');
-            if (p) *p = '\0';
-
-            q = strchr(t, ':');
-            if (q) *q++ = '\0';
-
-            krberr = krb5_string_to_enctype(t, &ksdata[j].enctype);
-            if (krberr != 0) {
-                fprintf(stderr,
-                        _("Warning unrecognized encryption type: [%s]\n"), t);
-                if (p) t = p + 1;
-                continue;
-            }
-            if (p) t = p + 1;
-
-            if (!q) {
-                ksdata[j].salttype = KRB5_KDB_SALTTYPE_NORMAL;
-                j++;
-                continue;
-            }
-
-            krberr = krb5_string_to_salttype(q, &ksdata[j].salttype);
-            if (krberr != 0) {
-                fprintf(stderr,
-                        _("Warning unrecognized salt type: [%s]\n"), q);
-                continue;
-            }
-
-            j++;
-        }
-
-        nkeys = j;
-
-        free(tmp);
-    }
-
-    /* Check we don't already have a key with a similar encoding,
-     * it would just produce redundant data and this is what the
-     * MIT code do anyway */
-
-    for (i = 0, n = 0; i < nkeys; i++ ) {
-        krb5_boolean similar = 0;
-
-        for (j = 0; j < i; j++) {
-            krberr = krb5_c_enctype_compare(krbctx,
-                                            ksdata[j].enctype,
-                                            ksdata[i].enctype,
-                                            &similar);
-            if (krberr) {
-                free_keys_contents(krbctx, keys);
-                free(ksdata);
-                fprintf(stderr, _("Enctype comparison failed!\n"));
-                return 0;
-            }
-            if (similar &&
-                (ksdata[j].salttype == ksdata[i].salttype)) {
-                break;
-            }
-        }
-        if (j < i) {
-            /* redundant encoding, remove it, and shift others */
-            int x;
-            for (x = i; x < nkeys-1; x++) {
-                ksdata[x].enctype = ksdata[x+1].enctype;
-                ksdata[x].salttype = ksdata[x+1].salttype;
-            }
-            continue;
-        }
-        /* count only confirmed enc/salt tuples */
-        n++;
-    }
-
-    keys->nkeys = n;
-    keys->ksdata = ksdata;
-
-    return n;
-}
-
-static int create_keys(krb5_context krbctx,
-                       krb5_principal princ,
-                       char *password,
-                       const char *enctypes_string,
-                       struct keys_container *keys)
-{
-    struct krb_key_salt *ksdata;
-    krb5_error_code krberr;
-    krb5_data key_password;
-    krb5_data *realm = NULL;
-    int i, nkeys;
-    int ret;
-
-    ret = prep_ksdata(krbctx, enctypes_string, keys);
-    if (ret == 0) return 0;
-
-    ksdata = keys->ksdata;
-    nkeys = keys->nkeys;
-
-    if (password) {
-        key_password.data = password;
-        key_password.length = strlen(password);
-
-        realm = krb5_princ_realm(krbctx, princ);
-    }
-
-    for (i = 0; i < nkeys; i++) {
-        krb5_data *salt;
-
-        if (!password) {
-            /* cool, random keys */
-            krberr = krb5_c_make_random_key(krbctx,
-                                            ksdata[i].enctype,
-                                            &ksdata[i].key);
-            if (krberr) {
-                fprintf(stderr, _("Failed to create random key!\n"));
-                return 0;
-            }
-            /* set the salt to NO_SALT as the key was random */
-            ksdata[i].salttype = NO_SALT;
-            continue;
-        }
-
-        /* Make keys using password and required salt */
-        switch (ksdata[i].salttype) {
-        case KRB5_KDB_SALTTYPE_ONLYREALM:
-            krberr = krb5_copy_data(krbctx, realm, &salt);
-            if (krberr) {
-                fprintf(stderr, _("Failed to create key!\n"));
-                return 0;
-            }
-
-            ksdata[i].salt.length = salt->length;
-            ksdata[i].salt.data = malloc(salt->length);
-            if (!ksdata[i].salt.data) {
-                fprintf(stderr, _("Out of memory!\n"));
-                return 0;
-            }
-            memcpy(ksdata[i].salt.data, salt->data, salt->length);
-            krb5_free_data(krbctx, salt);
-            break;
-
-        case KRB5_KDB_SALTTYPE_NOREALM:
-            krberr = ipa_krb5_principal2salt_norealm(krbctx, princ, 
&ksdata[i].salt);
-            if (krberr) {
-                fprintf(stderr, _("Failed to create key!\n"));
-                return 0;
-            }
-            break;
-
-        case KRB5_KDB_SALTTYPE_NORMAL:
-            krberr = krb5_principal2salt(krbctx, princ, &ksdata[i].salt);
-            if (krberr) {
-                fprintf(stderr, _("Failed to create key!\n"));
-                return 0;
-            }
-            break;
-
-        /* no KRB5_KDB_SALTTYPE_V4, we do not support krb v4 */
-
-        case KRB5_KDB_SALTTYPE_AFS3:
-            /* Comment from MIT sources:
-             * * Why do we do this? Well, the afs_mit_string_to_key
-             * * needs to use strlen, and the realm is not NULL
-             * * terminated....
-             */
-            ksdata[i].salt.data = (char *)malloc(realm->length + 1);
-            if (NULL == ksdata[i].salt.data) {
-                fprintf(stderr, _("Out of memory!\n"));
-                return 0;
-            }
-            memcpy((char *)ksdata[i].salt.data,
-                   (char *)realm->data, realm->length);
-            ksdata[i].salt.data[realm->length] = '\0';
-            /* AFS uses a special length (UGLY) */
-            ksdata[i].salt.length = SALT_TYPE_AFS_LENGTH;
-            break;
-
-        default:
-            fprintf(stderr, _("Bad or unsupported salt type (%d)!\n"),
-                ksdata[i].salttype);
-            return 0;
-        }
-
-        krberr = krb5_c_string_to_key(krbctx,
-                                      ksdata[i].enctype,
-                                      &key_password,
-                                      &ksdata[i].salt,
-                                      &ksdata[i].key);
-        if (krberr) {
-            fprintf(stderr, _("Failed to create key!\n"));
-            return 0;
-        }
-
-        /* set back salt length to real value if AFS3 */
-        if (ksdata[i].salttype == KRB5_KDB_SALTTYPE_AFS3) {
-            ksdata[i].salt.length = realm->length;
-        }
-    }
-
-    return nkeys;
-}
-
-static struct berval *create_key_control(struct keys_container *keys,
-                                         const char *principalName)
-{
-    struct krb_key_salt *ksdata;
-    struct berval *bval;
-    BerElement *be;
-    int ret, i;
-
-    be = ber_alloc_t(LBER_USE_DER);
-    if (!be) {
-        return NULL;
-    }
-
-    ret = ber_printf(be, "{s{", principalName);
-    if (ret == -1) {
-        ber_free(be, 1);
-        return NULL;
-    }
-
-    ksdata = keys->ksdata;
-    for (i = 0; i < keys->nkeys; i++) {
-
-        /* we set only the EncryptionKey and salt, no s2kparams */
-
-        ret = ber_printf(be, "{t[{t[i]t[o]}]",
-                 (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 0),
-                 (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 0),
-                 (ber_int_t)ksdata[i].enctype,
-                 (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 1),
-                 (char *)ksdata[i].key.contents, 
(ber_len_t)ksdata[i].key.length);
-
-        if (ret == -1) {
-            ber_free(be, 1);
-            return NULL;
-        }
-
-        if (ksdata[i].salttype == NO_SALT) {
-            ret = ber_printf(be, "}");
-            continue;
-        }
-
-        /* we have to pass a salt structure */
-        ret = ber_printf(be, "t[{t[i]t[o]}]}",
-                 (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 1),
-                 (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 0),
-                 (ber_int_t)ksdata[i].salttype,
-                 (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 1),
-                 (char *)ksdata[i].salt.data, 
(ber_len_t)ksdata[i].salt.length);
-
-        if (ret == -1) {
-            ber_free(be, 1);
-            return NULL;
-        }
-    }
-
-    ret = ber_printf(be, "}}");
-    if (ret == -1) {
-        ber_free(be, 1);
-        return NULL;
-    }
-
-    ret = ber_flatten(be, &bval);
-    if (ret == -1) {
-        ber_free(be, 1);
-        return NULL;
-    }
-
-    ber_free(be, 1);
-    return bval;
-}
-
 int filter_keys(krb5_context krbctx, struct keys_container *keys,
                 ber_int_t *enctypes)
 {
@@ -854,6 +479,7 @@ int main(int argc, const char *argv[])
        krb5_keytab kt;
        int kvno;
        int i, ret;
+       char *err_msg;
 
     ret = init_gettext();
     if (ret) {
@@ -955,8 +581,11 @@ int main(int argc, const char *argv[])
        }
 
        /* create key material */
-       ret = create_keys(krbctx, sprinc, password, enctypes_string, &keys);
+       ret = create_keys(krbctx, sprinc, password, enctypes_string, &keys, 
&err_msg);
        if (!ret) {
+               if (err_msg != NULL) {
+                       fprintf(stderr, "%s", err_msg);
+               }
                fprintf(stderr, _("Failed to create key material\n"));
                exit(8);
        }
diff --git a/util/ipa_krb5.c b/util/ipa_krb5.c
index 
0e82b2380baa5a93ffab1f3eccc8b0597b4ebb83..0240c079ecd38271e5dbb36ec8c6a091001cfce7
 100644
--- a/util/ipa_krb5.c
+++ b/util/ipa_krb5.c
@@ -26,6 +26,9 @@
 #include <lber.h>
 #include <errno.h>
 
+#include <libintl.h>
+#define _(STRING) gettext(STRING)
+
 #include "ipa_krb5.h"
 
 /* Salt types */
@@ -530,3 +533,362 @@ krb5_error_code filter_key_salt_tuples(krb5_context 
context,
     return 0;
 }
 
+struct berval *create_key_control(struct keys_container *keys,
+                                  const char *principalName)
+{
+    struct krb_key_salt *ksdata;
+    struct berval *bval;
+    BerElement *be;
+    int ret, i;
+
+    be = ber_alloc_t(LBER_USE_DER);
+    if (!be) {
+        return NULL;
+    }
+
+    ret = ber_printf(be, "{s{", principalName);
+    if (ret == -1) {
+        ber_free(be, 1);
+        return NULL;
+    }
+
+    ksdata = keys->ksdata;
+    for (i = 0; i < keys->nkeys; i++) {
+
+        /* we set only the EncryptionKey and salt, no s2kparams */
+
+        ret = ber_printf(be, "{t[{t[i]t[o]}]",
+                 (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 0),
+                 (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 0),
+                 (ber_int_t)ksdata[i].enctype,
+                 (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 1),
+                 (char *)ksdata[i].key.contents, 
(ber_len_t)ksdata[i].key.length);
+
+        if (ret == -1) {
+            ber_free(be, 1);
+            return NULL;
+        }
+
+        if (ksdata[i].salttype == NO_SALT) {
+            ret = ber_printf(be, "}");
+            continue;
+        }
+
+        /* we have to pass a salt structure */
+        ret = ber_printf(be, "t[{t[i]t[o]}]}",
+                 (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 1),
+                 (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 0),
+                 (ber_int_t)ksdata[i].salttype,
+                 (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 1),
+                 (char *)ksdata[i].salt.data, 
(ber_len_t)ksdata[i].salt.length);
+
+        if (ret == -1) {
+            ber_free(be, 1);
+            return NULL;
+        }
+    }
+
+    ret = ber_printf(be, "}}");
+    if (ret == -1) {
+        ber_free(be, 1);
+        return NULL;
+    }
+
+    ret = ber_flatten(be, &bval);
+    if (ret == -1) {
+        ber_free(be, 1);
+        return NULL;
+    }
+
+    ber_free(be, 1);
+    return bval;
+}
+
+void free_keys_contents(krb5_context krbctx, struct keys_container *keys)
+{
+    struct krb_key_salt *ksdata;
+    int i;
+
+    ksdata = keys->ksdata;
+    for (i = 0; i < keys->nkeys; i++) {
+        krb5_free_keyblock_contents(krbctx, &ksdata[i].key);
+        krb5_free_data_contents(krbctx, &ksdata[i].salt);
+    }
+    free(ksdata);
+
+    keys->ksdata = NULL;
+    keys->nkeys = 0;
+}
+
+/* Determines Encryption and Salt types,
+ * allocates key_salt data storage,
+ * filters out equivalent encodings,
+ * returns 0 if no enctypes available, >0 if enctypes are available */
+static int prep_ksdata(krb5_context krbctx, const char *str,
+                       struct keys_container *keys,
+                       char **err_msg)
+{
+    struct krb_key_salt *ksdata;
+    krb5_error_code krberr;
+    int n, i, j, nkeys;
+
+    *err_msg = NULL;
+
+    if (str == NULL) {
+        krb5_enctype *ktypes;
+
+        krberr = krb5_get_permitted_enctypes(krbctx, &ktypes);
+        if (krberr) {
+            *err_msg = _("No system preferred enctypes ?!\n");
+            return 0;
+        }
+
+        for (n = 0; ktypes[n]; n++) /* count */ ;
+
+        ksdata = calloc(n + 1, sizeof(struct krb_key_salt));
+        if (NULL == ksdata) {
+            *err_msg = _("Out of memory!?\n");
+            return 0;
+        }
+
+        for (i = 0; i < n; i++) {
+            ksdata[i].enctype = ktypes[i];
+            ksdata[i].salttype = KRB5_KDB_SALTTYPE_NORMAL;
+        }
+
+        ipa_krb5_free_ktypes(krbctx, ktypes);
+
+        nkeys = i;
+
+    } else {
+        char *tmp, *t, *p, *q;
+
+        t = tmp = strdup(str);
+        if (!tmp) {
+            *err_msg = _("Out of memory\n");
+            return 0;
+        }
+
+        /* count */
+        n = 0;
+        while ((p = strchr(t, ','))) {
+            t = p+1;
+            n++;
+        }
+        n++; /* count the last one that is 0 terminated instead */
+
+        /* at the end we will have at most n entries + 1 terminating */
+        ksdata = calloc(n + 1, sizeof(struct krb_key_salt));
+        if (!ksdata) {
+            *err_msg = _("Out of memory\n");
+            return 0;
+        }
+
+        for (i = 0, j = 0, t = tmp; i < n; i++) {
+
+            p = strchr(t, ',');
+            if (p) *p = '\0';
+
+            q = strchr(t, ':');
+            if (q) *q++ = '\0';
+
+            krberr = krb5_string_to_enctype(t, &ksdata[j].enctype);
+            if (krberr != 0) {
+                *err_msg = _("Warning unrecognized encryption type.\n");
+                if (p) t = p + 1;
+                continue;
+            }
+            if (p) t = p + 1;
+
+            if (!q) {
+                ksdata[j].salttype = KRB5_KDB_SALTTYPE_NORMAL;
+                j++;
+                continue;
+            }
+
+            krberr = krb5_string_to_salttype(q, &ksdata[j].salttype);
+            if (krberr != 0) {
+                *err_msg = _("Warning unrecognized salt type.\n");
+                continue;
+            }
+
+            j++;
+        }
+
+        nkeys = j;
+
+        free(tmp);
+    }
+
+    /* Check we don't already have a key with a similar encoding,
+     * it would just produce redundant data and this is what the
+     * MIT code do anyway */
+
+    for (i = 0, n = 0; i < nkeys; i++ ) {
+        krb5_boolean similar = 0;
+
+        for (j = 0; j < i; j++) {
+            krberr = krb5_c_enctype_compare(krbctx,
+                                            ksdata[j].enctype,
+                                            ksdata[i].enctype,
+                                            &similar);
+            if (krberr) {
+                free_keys_contents(krbctx, keys);
+                free(ksdata);
+                *err_msg = _("Enctype comparison failed!\n");
+                return 0;
+            }
+            if (similar &&
+                (ksdata[j].salttype == ksdata[i].salttype)) {
+                break;
+            }
+        }
+        if (j < i) {
+            /* redundant encoding, remove it, and shift others */
+            int x;
+            for (x = i; x < nkeys-1; x++) {
+                ksdata[x].enctype = ksdata[x+1].enctype;
+                ksdata[x].salttype = ksdata[x+1].salttype;
+            }
+            continue;
+        }
+        /* count only confirmed enc/salt tuples */
+        n++;
+    }
+
+    keys->nkeys = n;
+    keys->ksdata = ksdata;
+
+    return n;
+}
+
+int create_keys(krb5_context krbctx,
+                krb5_principal princ,
+                char *password,
+                const char *enctypes_string,
+                struct keys_container *keys,
+                char **err_msg)
+{
+    struct krb_key_salt *ksdata;
+    krb5_error_code krberr;
+    krb5_data key_password;
+    krb5_data *realm = NULL;
+    int i, nkeys;
+    int ret;
+
+    *err_msg = NULL;
+
+    ret = prep_ksdata(krbctx, enctypes_string, keys, err_msg);
+    if (ret == 0) return 0;
+
+    ksdata = keys->ksdata;
+    nkeys = keys->nkeys;
+
+    if (password) {
+        key_password.data = password;
+        key_password.length = strlen(password);
+
+        realm = krb5_princ_realm(krbctx, princ);
+    }
+
+    for (i = 0; i < nkeys; i++) {
+        krb5_data *salt;
+
+        if (!password) {
+            /* cool, random keys */
+            krberr = krb5_c_make_random_key(krbctx,
+                                            ksdata[i].enctype,
+                                            &ksdata[i].key);
+            if (krberr) {
+                *err_msg = _("Failed to create random key!\n");
+                return 0;
+            }
+            /* set the salt to NO_SALT as the key was random */
+            ksdata[i].salttype = NO_SALT;
+            continue;
+        }
+
+        /* Make keys using password and required salt */
+        switch (ksdata[i].salttype) {
+        case KRB5_KDB_SALTTYPE_ONLYREALM:
+            krberr = krb5_copy_data(krbctx, realm, &salt);
+            if (krberr) {
+                *err_msg = _("Failed to create key!\n");
+                return 0;
+            }
+
+            ksdata[i].salt.length = salt->length;
+            ksdata[i].salt.data = malloc(salt->length);
+            if (!ksdata[i].salt.data) {
+                *err_msg = _("Out of memory!\n");
+                return 0;
+            }
+            memcpy(ksdata[i].salt.data, salt->data, salt->length);
+            krb5_free_data(krbctx, salt);
+            break;
+
+        case KRB5_KDB_SALTTYPE_NOREALM:
+            krberr = ipa_krb5_principal2salt_norealm(krbctx, princ,
+                                                     &ksdata[i].salt);
+            if (krberr) {
+                *err_msg = _("Failed to create key!\n");
+                return 0;
+            }
+            break;
+
+        case KRB5_KDB_SALTTYPE_NORMAL:
+            krberr = krb5_principal2salt(krbctx, princ, &ksdata[i].salt);
+            if (krberr) {
+                *err_msg = _("Failed to create key!\n");
+                return 0;
+            }
+            break;
+
+        /* no KRB5_KDB_SALTTYPE_V4, we do not support krb v4 */
+
+        case KRB5_KDB_SALTTYPE_AFS3:
+            /* Comment from MIT sources:
+             * * Why do we do this? Well, the afs_mit_string_to_key
+             * * needs to use strlen, and the realm is not NULL
+             * * terminated....
+             */
+            ksdata[i].salt.data = (char *)malloc(realm->length + 1);
+            if (NULL == ksdata[i].salt.data) {
+                *err_msg = _("Out of memory!\n");
+                return 0;
+            }
+            memcpy((char *)ksdata[i].salt.data,
+                   (char *)realm->data, realm->length);
+            ksdata[i].salt.data[realm->length] = '\0';
+            /* AFS uses a special length (UGLY) */
+            ksdata[i].salt.length = SALT_TYPE_AFS_LENGTH;
+            break;
+
+        default:
+            *err_msg = _("Bad or unsupported salt type.\n");
+/* FIXME:
+            fprintf(stderr, _("Bad or unsupported salt type (%d)!\n"),
+                ksdata[i].salttype);
+*/
+            return 0;
+        }
+
+        krberr = krb5_c_string_to_key(krbctx,
+                                      ksdata[i].enctype,
+                                      &key_password,
+                                      &ksdata[i].salt,
+                                      &ksdata[i].key);
+        if (krberr) {
+            *err_msg = _("Failed to create key!\n");
+            return 0;
+        }
+
+        /* set back salt length to real value if AFS3 */
+        if (ksdata[i].salttype == KRB5_KDB_SALTTYPE_AFS3) {
+            ksdata[i].salt.length = realm->length;
+        }
+    }
+
+    return nkeys;
+}
+
diff --git a/util/ipa_krb5.h b/util/ipa_krb5.h
index 
f0513d109d2db9233cfc9b2dc3a6ab421587167a..97ffc47b5017507cd58e130755cfe050a287b30c
 100644
--- a/util/ipa_krb5.h
+++ b/util/ipa_krb5.h
@@ -4,6 +4,30 @@
 #include <krb5/krb5.h>
 #include <kdb.h>
 
+struct krb_key_salt {
+    krb5_enctype enctype;
+    krb5_int32 salttype;
+    krb5_keyblock key;
+    krb5_data salt;
+};
+
+struct keys_container {
+    krb5_int32 nkeys;
+    struct krb_key_salt *ksdata;
+};
+
+/* Salt types */
+#define NO_SALT                        -1
+#define KRB5_KDB_SALTTYPE_NORMAL        0
+#define KRB5_KDB_SALTTYPE_V4            1
+#define KRB5_KDB_SALTTYPE_NOREALM       2
+#define KRB5_KDB_SALTTYPE_ONLYREALM     3
+#define KRB5_KDB_SALTTYPE_SPECIAL       4
+#define KRB5_KDB_SALTTYPE_AFS3          5
+
+#define KEYTAB_SET_OID "2.16.840.1.113730.3.8.10.1"
+#define KEYTAB_RET_OID "2.16.840.1.113730.3.8.10.2"
+
 void
 ipa_krb5_free_ktypes(krb5_context context, krb5_enctype *val);
 
@@ -36,4 +60,16 @@ krb5_error_code filter_key_salt_tuples(krb5_context context,
                                        krb5_key_salt_tuple *req, int n_req,
                                        krb5_key_salt_tuple *supp, int n_supp,
                                        krb5_key_salt_tuple **res, int *n_res);
+
+void free_keys_contents(krb5_context krbctx, struct keys_container *keys);
+
+struct berval *create_key_control(struct keys_container *keys,
+                                  const char *principalName);
+
+int create_keys(krb5_context krbctx,
+                krb5_principal princ,
+                char *password,
+                const char *enctypes_string,
+                struct keys_container *keys,
+                char **err_msg);
 #endif /* __IPA_KRB5_H_ */
-- 
1.7.10.2

From 73eaf78c31bf5e228ba50ce51fc8857454fb4f17 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Tue, 13 Mar 2012 14:06:02 +0100
Subject: [PATCH] Use exop instead of kadmin.local

---
 daemons/ipa-sam/Makefile.am      |    6 +++
 daemons/ipa-sam/ipa_sam.c        |  101 ++++++++++++++++++++++++++++----------
 install/updates/60-trusts.update |    4 ++
 3 Dateien geändert, 84 Zeilen hinzugefügt(+), 27 Zeilen entfernt(-)

diff --git a/daemons/ipa-sam/Makefile.am b/daemons/ipa-sam/Makefile.am
index 
b5b9b0b75b276ac14b01ce35bae63af539e596fc..275cce629385b1719544a7832a00e9ee6664b739
 100644
--- a/daemons/ipa-sam/Makefile.am
+++ b/daemons/ipa-sam/Makefile.am
@@ -7,6 +7,9 @@ SAMBA40EXTRA_LIBS = $(SAMBA40EXTRA_LIBPATH)     \
                        -lsmbconf               \
                        $(NULL)
 
+KRB5_UTIL_DIR=../../util
+KRB5_UTIL_SRCS=$(KRB5_UTIL_DIR)/ipa_krb5.c
+
 INCLUDES =                                             \
        -I.                                             \
        -I$(srcdir)                                     \
@@ -18,6 +21,7 @@ INCLUDES =                                            \
        -DDATADIR=\""$(datadir)"\"                      \
        -DLDAPIDIR=\""$(localstatedir)/run"\"           \
        -DHAVE_LDAP                                     \
+       -I $(KRB5_UTIL_DIR)                             \
        $(AM_CFLAGS)                                    \
        $(LDAP_CFLAGS)                                  \
        $(KRB5_CFLAGS)                                  \
@@ -34,6 +38,7 @@ plugin_LTLIBRARIES =          \
 
 ipasam_la_SOURCES =            \
        ipa_sam.c               \
+       $(KRB5_UTIL_SRCS)       \
        $(NULL)
 
 ipasam_la_LDFLAGS =            \
@@ -43,6 +48,7 @@ ipasam_la_LDFLAGS =           \
 
 ipasam_la_LIBADD =             \
        $(LDAP_LIBS)            \
+       $(KRB5_LIBS)            \
        $(TALLOC_LIBS)          \
        $(SAMBAUTIL_LIBS)       \
        $(NDR_LIBS)             \
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 
2627025a8f2f757ca62c58b541c002f46e7c3be1..851df8c62f0ffb159610ce0ac311463233eea497
 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -9,6 +9,7 @@
 #include <pwd.h>
 #include <errno.h>
 #include <ldap.h>
+#include <krb5/krb5.h>
 
 #include <talloc.h>
 
@@ -28,17 +29,7 @@
 
 #include <sasl/sasl.h>
 #include <krb5/krb5.h>
-#include <time.h>
-
-/* TODO: remove if smbrunsecret() is removed */
-typedef struct connection_structi {} connection_struct;
-struct current_user {
-       connection_struct *conn;
-       uint16_t vuid;
-       struct security_unix_token ut;
-       struct security_token *nt_user_token;
-};
-extern struct current_user current_user;
+#include "ipa_krb5.h"
 
 /* from drsblobs.h */
 struct AuthInfoNone {
@@ -104,7 +95,6 @@ char *sid_string_talloc(TALLOC_CTX *mem_ctx, const struct 
dom_sid *sid); /* avai
 char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so 
*/
 bool is_null_sid(const struct dom_sid *sid); /* available in libsecurity.so */
 bool strnequal(const char *s1,const char *s2,size_t n); /* available in 
libutil_str.so */
-int smbrunsecret(const char *cmd, const char *secret); /* available in 
libsmbconf.so */
 bool trim_char(char *s,char cfront,char cback); /* available in libutil_str.so 
*/
 bool sid_peek_check_rid(const struct dom_sid *exp_dom_sid, const struct 
dom_sid *sid, uint32_t *rid); /* available in libsecurity.so */
 char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in 
libsmbconf.so */
@@ -1382,6 +1372,76 @@ static bool search_krb_princ(struct ldapsam_privates 
*ldap_state,
        return true;
 }
 
+static int set_cross_realm_pw(struct ldapsam_privates *ldap_state,
+                             TALLOC_CTX *mem_ctx,
+                             const char *princ, const char *pwd,
+                             const char *base_dn)
+{
+       int ret;
+       krb5_error_code krberr;
+       krb5_context krbctx;
+       krb5_principal service_princ;
+       struct keys_container keys;
+       char *err_msg;
+       struct berval *reqdata = NULL;
+       struct berval *retdata = NULL;
+        char *retoid;
+
+       krberr = krb5_init_context(&krbctx);
+       if (krberr != 0) {
+               DEBUG(1, ("krb5_init_context failed.\n"));
+               ret = krberr;
+               goto done;
+       }
+
+       krberr = krb5_parse_name(krbctx, princ, &service_princ);
+       if (krberr != 0) {
+               DEBUG(1, ("Invalid Service Principal Name [%s]\n", princ));
+               ret = krberr;
+               goto done;
+       }
+
+       ret = create_keys(krbctx, service_princ, discard_const(pwd), NULL, 
&keys, &err_msg);
+       if (!ret) {
+               if (err_msg != NULL) {
+                       DEBUG(1, ("create_keys returned [%s]\n", err_msg));
+               }
+               goto done;
+       }
+
+       reqdata = create_key_control(&keys, princ);
+       if (reqdata == NULL) {
+               DEBUG(1, ("Failed to create reqdata!\n"));
+               ret= ENOMEM;
+               goto done;
+       }
+
+       ret = smbldap_extended_operation(ldap_state->smbldap_state,
+                                        KEYTAB_SET_OID, reqdata, NULL, NULL,
+                                        &retoid, &retdata);
+       if (ret != LDAP_SUCCESS) {
+               DEBUG(1, ("smbldap_extended_operation failed!\n"));
+               goto done;
+       }
+
+       /* So far we do not care abot the result */
+       ldap_memfree(retoid);
+       if (retdata != NULL) {
+               ber_bvfree(retdata);
+       }
+
+       ret = 0;
+done:
+       if (reqdata != NULL) {
+           ber_bvfree(reqdata);
+       }
+       free_keys_contents(krbctx, &keys);
+       krb5_free_principal(krbctx, service_princ);
+       krb5_free_context(krbctx);
+
+       return ret;
+}
+
 static bool set_krb_princ(struct ldapsam_privates *ldap_state,
                          TALLOC_CTX *mem_ctx,
                          const char *princ, const char *pwd,
@@ -1450,22 +1510,9 @@ static bool set_krb_princ(struct ldapsam_privates 
*ldap_state,
                return false;
        }
 
-       /* TODO: Call the appropriate expo if ipasam is part of the FreeIPA
-        * source tree */
-       inp = talloc_asprintf(mem_ctx, "change_password -pw %s %s", pwd, princ);
-       if (inp == NULL) {
-               return false;
-       }
-
-       uid_t save_uid = current_user.ut.uid;
-       gid_t save_gid = current_user.ut.gid;
-       current_user.ut.uid = 0;
-       current_user.ut.gid = 0;
-       ret = smbrunsecret("kadmin.local", inp);
-       current_user.ut.uid = save_uid;
-       current_user.ut.gid = save_gid;
+       ret = set_cross_realm_pw(ldap_state, mem_ctx, princ, pwd, base_dn);
        if (ret != 0) {
-               DEBUG(1, ("calling kadmin.local failed.\n"));
+               DEBUG(1, ("set_cross_realm_pw failed.\n"));
                return false;
        }
 
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
index 
cfd1ad7e5f83bd64c5934d270090754bbe9e9e36..a05f89cc83e3683b5d2deab59fdb930486a20e86
 100644
--- a/install/updates/60-trusts.update
+++ b/install/updates/60-trusts.update
@@ -60,3 +60,7 @@ add:aci: '(target = "ldap:///cn=trusts,$SUFFIX";)(targetattr = 
"ipaNTTrustType ||
 # Samba user should be able to read NT passwords to authenticate
 dn: $SUFFIX
 add:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals 
can read NT passwords"; allow (read) groupdn="ldap:///cn=adtrust 
agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
+
+# Samba user should be able to create cross domain principals
+dn: cn=trusts,$SUFFIX
+add:aci: '(target = "ldap:///cn=trusts,$SUFFIX";)(targetattr = 
"krbPrincipalName || krbLastPwdChange || krbTicketFlags || krbLoginFailedCount 
|| krbExtraData || krbPrincipalKey")(version 3.0;acl "Allow trust system user 
to create cross domain principals"; allow (read,write,add,delete) 
groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
-- 
1.7.10.2

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to