Love Hörnquist Åstrand a écrit :
26 maj 2008 kl. 08.27 skrev Guillaume Rousse:
Hello list(s).
I'm having a crash as soon as I attempt to change my password when
smbk5pwd is activating. strace shows an unresolved symbol in
smbk5pwd.so: _kadm5_free_keys
Heimdal source code shows this function is defined in libkadm5srv.so
(/usr/lib/libkadm5srv.so.8.0.1) for heimdal 1.1. But this seems to be
a private symbol, as objdump -T doesn't list it. Looking at heimdal
Makefile.am, it seems a special configuration file is used
(lib/krb5/version-script.map) to filter exported symbols, if linker
support the use of -Wl,--version-script option. I couldn't find any
description of this option.
Is this possible smbk5pwd author would have by mistake used a private
function, only working because he build heimdal on a host whose linker
doesn't support --version-script option ?
I'm using heimdal 1.1 and openldap 2.4.8 on mandriva linux.
I unexported the function since there was no function that returned key
set-data.
Same goes for _kadm5_set_keys() that also is an internal function.
Since 1.0 you can use hdb_generate_key_set_password and hdb_free_keys to
generate the key data.
I tried this approach (patch attached).
Converting _kadm5_free_keys to hdb_free_keys is trivial, as the former
is just a wrapper over the second.
However, converting _kadm5_set_keys to hdb_generate_key_set_password is
much more difficult. I first tried to inline all code from
_kadm5_set_keys in smbk5pwd.c. However, gcc complains about "request for
member ‘context’ in something not a structure or union" because it
doesn't have any clue about the nature of kadm_context, which is a void
ponter for smbk5pwd. Trying to cast it as a kadm5_server_context pointer
fails, as this seems also to be a private heimdal structure...
Given my lack of C knowledge, I'm a bit stuck there.
--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
--- smbk5pwd.c~ 2008-02-12 00:34:15.000000000 +0100
+++ smbk5pwd.c 2008-05-27 10:59:32.000000000 +0200
@@ -368,6 +368,8 @@
struct berval *keys;
int kvno, i;
Attribute *a;
+ Key *local_keys;
+ size_t local_num_keys;
if ( !SMBK5PWD_DO_KRB5( pi ) ) break;
@@ -396,7 +398,27 @@
op->o_log_prefix, e->e_name.bv_val, 0 );
}
- ret = _kadm5_set_keys(kadm_context, &ent, qpw->rs_new.bv_val);
+ /* _kadm5_set_keys is a private function, inline its code here
*/
+ ret = hdb_generate_key_set_password(kadm_context->context,
+ ent.principal, qpw->rs_new.bv_val,
+ &local_keys, &local_num_keys);
+ if (ret != 0)
+ break;
+
+ hdb_free_keys(kadm_context->context, ent.keys.len,
ent.keys.val);
+ ent.keys.val = local_keys;
+ ent.keys.len = local_num_keys;
+
+ hdb_entry_set_pw_change_time(kadm_context->context, &ent, 0);
+
+ if (krb5_config_get_bool_default(kadm_context->context, NULL,
FALSE,
+ "kadmin", "save-password", NULL)) {
+ ret = hdb_entry_set_password(kadm_context->context,
+ kadm_context->db, &ent, qpw->rs_new.bv_val);
+ if (ret != 0)
+ break;
+ }
+
hdb_seal_keys(context, db, &ent);
krb5_free_principal( context, ent.principal );
@@ -415,7 +437,7 @@
}
BER_BVZERO( &keys[i] );
- _kadm5_free_keys(kadm_context, ent.keys.len, ent.keys.val);
+ hdb_free_keys(kadm_context, ent.keys.len, ent.keys.val);
if ( i != ent.keys.len ) {
ber_bvarray_free( keys );
