Author: metze Date: 2005-08-26 12:38:17 +0000 (Fri, 26 Aug 2005) New Revision: 9650
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9650 Log: [EMAIL PROTECTED] (orig r9643): tridge | 2005-08-26 13:36:28 +0200 fixed samsync code for the new dn explode semantics [EMAIL PROTECTED] (orig r9644): tridge | 2005-08-26 13:37:09 +0200 add LOCAL-PAC to the list of 'make test' tests [EMAIL PROTECTED] (orig r9645): tridge | 2005-08-26 13:37:52 +0200 fixed the ejs GetOptions() call to look at the first option passed (this is what broke --help) [EMAIL PROTECTED] (orig r9646): tridge | 2005-08-26 13:38:07 +0200 fixed error message [EMAIL PROTECTED] (orig r9647): tridge | 2005-08-26 13:42:21 +0200 saved_pac is binary data, so prevent any possible portability problems with signed chars [EMAIL PROTECTED] (orig r9648): tridge | 2005-08-26 13:52:35 +0200 this fixes the krb5 based login with the pac. The key to this whole saga was that the logon_time field in the pac must match the authtime field in the ticket we gave the client in the AS-REP (and thus also the authtime field in the ticket we get back in the TGS-REQ). Many thanks to Andrew Bartlett for his patience in showing me the basic ropes of all this code! This was a joint effort. [EMAIL PROTECTED] (orig r9649): tridge | 2005-08-26 14:02:47 +0200 missed a spot ..... 
Modified: branches/SOC/SAMBA_4_0/ branches/SOC/SAMBA_4_0/source/auth/kerberos/kerberos.h branches/SOC/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c branches/SOC/SAMBA_4_0/source/heimdal/kdc/kerberos5.c branches/SOC/SAMBA_4_0/source/kdc/pac-glue.c branches/SOC/SAMBA_4_0/source/kdc/pac-glue.h branches/SOC/SAMBA_4_0/source/libnet/libnet_samsync_ldb.c branches/SOC/SAMBA_4_0/source/script/tests/test_local.sh branches/SOC/SAMBA_4_0/source/scripting/ejs/smbcalls_options.c branches/SOC/SAMBA_4_0/source/setup/provision branches/SOC/SAMBA_4_0/source/torture/auth/pac.c Changeset: Property changes on: branches/SOC/SAMBA_4_0 ___________________________________________________________________ Name: svk:merge
- 0c0555d6-39d7-0310-84fc-f1cc0bd64818:/branches/SAMBA_4_0:9638 d349723c-e9fc-0310-b8a8-fdedf1c27407:/local/SAMBA_4_0:5616 d349723c-e9fc-0310-b8a8-fdedf1c27407:/local/samba-SAMBA_4_0:5609
+ 0c0555d6-39d7-0310-84fc-f1cc0bd64818:/branches/SAMBA_4_0:9649 d349723c-e9fc-0310-b8a8-fdedf1c27407:/local/SAMBA_4_0:5616 d349723c-e9fc-0310-b8a8-fdedf1c27407:/local/samba-SAMBA_4_0:5609
Modified: branches/SOC/SAMBA_4_0/source/auth/kerberos/kerberos.h
===================================================================
--- branches/SOC/SAMBA_4_0/source/auth/kerberos/kerberos.h 2005-08-26 12:02:47 UTC (rev 9649)
+++ branches/SOC/SAMBA_4_0/source/auth/kerberos/kerberos.h 2005-08-26 12:38:17 UTC (rev 9650)
@@ -143,6 +143,7 @@
krb5_context context,
krb5_keyblock *krbtgt_keyblock,
krb5_keyblock *server_keyblock,
+ time_t tgs_authtime,
DATA_BLOB *pac);
krb5_error_code kerberos_encode_pac(TALLOC_CTX *mem_ctx,
Modified: branches/SOC/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c
===================================================================
--- branches/SOC/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c 2005-08-26 12:02:47 UTC (rev 9649)
+++ branches/SOC/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c 2005-08-26 12:38:17 UTC (rev 9650)
@@ -385,6 +385,7 @@
krb5_context context,
krb5_keyblock *krbtgt_keyblock,
krb5_keyblock *service_keyblock,
+ time_t tgs_authtime,
DATA_BLOB *pac)
{
NTSTATUS nt_status;
@@ -478,8 +479,13 @@
LOGON_INFO->info3.base.last_logon = timeval_to_nttime(&tv);
LOGON_NAME->account_name = server_info->account_name;
- LOGON_NAME->logon_time = timeval_to_nttime(&tv);
+ /*
+ this logon_time field is absolutely critical. This is what
+ caused all our pac troubles :-)
+ */
+ unix_to_nt_time(&LOGON_NAME->logon_time, tgs_authtime);
+ ret = kerberos_encode_pac(mem_ctx, pac_data, context,
Modified: branches/SOC/SAMBA_4_0/source/heimdal/kdc/kerberos5.c
===================================================================
--- branches/SOC/SAMBA_4_0/source/heimdal/kdc/kerberos5.c 2005-08-26 12:02:47 UTC (rev 9649)
+++ branches/SOC/SAMBA_4_0/source/heimdal/kdc/kerberos5.c 2005-08-26 12:38:17 UTC (rev 9650)
@@ -1597,6 +1597,7 @@
EncTicketPart *tgt,
EncTicketPart *adtkt,
AuthorizationData *auth_data,
+ krb5_ticket *tgs_ticket,
hdb_entry *server,
hdb_entry *client,
krb5_principal client_principal,
@@ -1774,6 +1775,7 @@
client->principal,
tgtkey,
ekey,
+ tgs_ticket->ticket.authtime,
&pac);
if (ret) {
free_AuthorizationData(if_relevant);
@@ -2357,6 +2359,7 @@
tgt,
b->kdc_options.enc_tkt_in_skey ? &adtkt : NULL,
auth_data,
+ ticket,
server,
client,
cp,
Modified: branches/SOC/SAMBA_4_0/source/kdc/pac-glue.c
===================================================================
--- branches/SOC/SAMBA_4_0/source/kdc/pac-glue.c 2005-08-26 12:02:47 UTC (rev 9649)
+++ branches/SOC/SAMBA_4_0/source/kdc/pac-glue.c 2005-08-26 12:38:17 UTC (rev 9650)
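Review bot: The comment added above `unix_to_nt_time(&LOGON_NAME->logon_time, tgs_authtime);` in the @@ -478 hunk says the field is critical but not what the constraint actually is, so the next person to touch it cannot check the value they pass. The commit log carries the rationale: logon_time must equal the authtime of the ticket issued in the AS-REP, which the KDC sees again as the TGT's authtime in the TGS-REQ, and using the current time (the removed `timeval_to_nttime(&tv)`) was what broke the PAC-based login. I'd replace the comment with `/* logon_time must equal the authtime of the TGT presented in the TGS-REQ (i.e. the AS-REP authtime); a value derived from the current time breaks PAC-based logon */`. The same one-line explanation belongs on the new `tgs_authtime` parameter in the kerberos.h prototype (hunk on L3) and the pac-glue.h / pac-glue.c prototypes (hunks on L5). The enclosing function starts and ends outside this hunk.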
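Review bot: `tgs_ticket->ticket.authtime` is dereferenced unconditionally in the @@ -1774 hunk of kerberos5.c, and the only call site visible (the @@ -2357 hunk) passes `ticket`; if that pointer can be NULL on any path into this function (its body begins and ends outside the hunks, so I cannot tell from here), this is a KDC null dereference reachable from a TGS-REQ. Either state the non-NULL precondition on the new `krb5_ticket *tgs_ticket` parameter, e.g. `/* tgs_ticket: the decrypted TGT from the TGS-REQ, never NULL; its authtime seeds the PAC logon_time */`, or check it before the call and fail the request through the same path the surrounding `if (ret)` block uses. Taking the authtime from the decrypted TGT rather than from anything the client supplies in the clear is the right source, since that field is under the krbtgt key; a comment saying so would stop a later refactor from substituting the request's own timestamp.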
@@ -26,11 +26,12 @@
#include "kdc/pac-glue.h"
/* Ensure we don't get this prototype wrong, as that could be painful */
krb5_error_code samba_get_pac(krb5_context context,
- struct krb5_kdc_configuration *config,
- krb5_principal client,
- krb5_keyblock *krbtgt_keyblock,
- krb5_keyblock *server_keyblock,
- krb5_data *pac)
+ struct krb5_kdc_configuration *config,
+ krb5_principal client,
+ krb5_keyblock *krbtgt_keyblock,
+ krb5_keyblock *server_keyblock,
+ time_t tgs_authtime,
+ krb5_data *pac)
{
krb5_error_code ret;
NTSTATUS nt_status;
@@ -74,6 +75,7 @@
context,
krbtgt_keyblock,
server_keyblock,
+ tgs_authtime,
&tmp_blob);
if (ret) {
Modified: branches/SOC/SAMBA_4_0/source/kdc/pac-glue.h
===================================================================
--- branches/SOC/SAMBA_4_0/source/kdc/pac-glue.h 2005-08-26 12:02:47 UTC (rev 9649)
+++ branches/SOC/SAMBA_4_0/source/kdc/pac-glue.h 2005-08-26 12:38:17 UTC (rev 9650)
@@ -1,7 +1,8 @@
krb5_error_code samba_get_pac(krb5_context context,
- struct krb5_kdc_configuration *config,
- krb5_principal client,
- krb5_keyblock *krbtgt_keyblock,
- krb5_keyblock *server_keyblock,
+ struct krb5_kdc_configuration *config,
+ krb5_principal client,
+ krb5_keyblock *krbtgt_keyblock,
+ krb5_keyblock *server_keyblock,
+ time_t tgs_authtime,
krb5_data *pac);
Modified: branches/SOC/SAMBA_4_0/source/libnet/libnet_samsync_ldb.c
===================================================================
--- branches/SOC/SAMBA_4_0/source/libnet/libnet_samsync_ldb.c 2005-08-26 12:02:47 UTC (rev 9649)
+++ branches/SOC/SAMBA_4_0/source/libnet/libnet_samsync_ldb.c 2005-08-26 12:38:17 UTC (rev 9650)
@@ -119,6 +119,8 @@
const char *domain_attrs[] = {"nETBIOSName", "nCName", NULL};
struct ldb_message **msgs_domain;
int ret_domain;
+ char *base_dn;
+ ret_domain = gendb_search(state->sam_ldb, mem_ctx, NULL, &msgs_domain, domain_attrs, "(&(&(nETBIOSName=%s)(objectclass=crossRef))(ncName=*))", domain_name);
@@ -130,24 +132,20 @@
return NT_STATUS_NO_SUCH_DOMAIN;
}
- state->base_dn[database]
- = talloc_steal(state, samdb_result_string(msgs_domain[0],
- "nCName", NULL));
-
- state->dom_sid[database]
- = talloc_steal(state,
- samdb_search_dom_sid(state->sam_ldb, state,
- state->base_dn[database], "objectSid", "dn=%s",
- ldb_dn_linearize(mem_ctx, state->base_dn[database])));
+ state->base_dn[database] = samdb_result_dn(state, msgs_domain[0], "nCName", NULL);
+
+ base_dn = ldb_dn_linearize(mem_ctx, state->base_dn[database]);
+
+ state->dom_sid[database] = samdb_search_dom_sid(state->sam_ldb, state,
+ state->base_dn[database],
+ "objectSid", "dn=%s", base_dn);
} else if (database == SAM_DATABASE_BUILTIN) {
- /* work out the builtin_dn - useful for so many calls its worth
- fetching here */
- state->base_dn[database]
- = talloc_steal(state,
- samdb_search_string(state->sam_ldb, mem_ctx, NULL,
- "dn", "objectClass=builtinDomain"));
- state->dom_sid[database]
- = dom_sid_parse_talloc(state, SID_BUILTIN);
+ /* work out the builtin_dn - useful for so many calls its worth
+ fetching here */
+ const char *dnstring = samdb_search_string(state->sam_ldb, mem_ctx, NULL,
+ "dn", "objectClass=builtinDomain");
+ state->base_dn[database] = ldb_dn_explode(state, dnstring);
+ state->dom_sid[database] = dom_sid_parse_talloc(state, SID_BUILTIN);
} else {
/* PRIVs DB */
return NT_STATUS_INVALID_PARAMETER;
Modified: branches/SOC/SAMBA_4_0/source/script/tests/test_local.sh
===================================================================
--- branches/SOC/SAMBA_4_0/source/script/tests/test_local.sh 2005-08-26 12:02:47 UTC (rev 9649)
+++ branches/SOC/SAMBA_4_0/source/script/tests/test_local.sh 2005-08-26 12:38:17 UTC (rev 9650)
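Review bot: Neither `samdb_result_dn(state, msgs_domain[0], "nCName", NULL)` nor `ldb_dn_explode(state, dnstring)` has its result checked, and `dnstring` comes from `samdb_search_string`, which presumably returns NULL when no builtinDomain object is found; a NULL `state->base_dn[database]` is then handed to `ldb_dn_linearize`, formatted into the `"dn=%s"` search (a NULL argument for `%s` is undefined behaviour, not a failed lookup), and stored for every later call on this database. The pre-change code had the same gap, but the rewrite is the moment to close it: add `if (state->base_dn[database] == NULL) return NT_STATUS_NO_SUCH_DOMAIN;` after the `samdb_result_dn` assignment, the equivalent check after `ldb_dn_explode` (returning `NT_STATUS_INTERNAL_DB_CORRUPTION`, since the BUILTIN container is expected to exist), and a NULL check on `base_dn` before the `samdb_search_dom_sid` call. Since the DN text originates in the replicated directory rather than in this process, treating a missing or malformed value as a hard error rather than trusting it is the safer default. The enclosing function starts before and ends after this hunk.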
@@ -1,6 +1,6 @@
#!/bin/sh
-local_tests="LOCAL-NTLMSSP LOCAL-TALLOC LOCAL-MESSAGING LOCAL-IRPC LOCAL-BINDING LOCAL-IDTREE LOCAL-SOCKET"
+local_tests="LOCAL-NTLMSSP LOCAL-TALLOC LOCAL-MESSAGING LOCAL-IRPC LOCAL-BINDING LOCAL-IDTREE LOCAL-SOCKET LOCAL-PAC"
if [ $# -lt 0 ]; then cat <<EOF
Modified: branches/SOC/SAMBA_4_0/source/scripting/ejs/smbcalls_options.c
===================================================================
--- branches/SOC/SAMBA_4_0/source/scripting/ejs/smbcalls_options.c 2005-08-26 12:02:47 UTC (rev 9649)
+++ branches/SOC/SAMBA_4_0/source/scripting/ejs/smbcalls_options.c 2005-08-26 12:38:17 UTC (rev 9650)
@@ -82,7 +82,7 @@
}
/* create the long_options array */
- for (i=2;i<argc;i++) {
+ for (i=1;i<argc;i++) {
const char *optstr = mprToString(argv[i]);
int t, opt_type = POPT_ARG_NONE;
const char *s;
Modified: branches/SOC/SAMBA_4_0/source/setup/provision
===================================================================
--- branches/SOC/SAMBA_4_0/source/setup/provision 2005-08-26 12:02:47 UTC (rev 9649)
+++ branches/SOC/SAMBA_4_0/source/setup/provision 2005-08-26 12:38:17 UTC (rev 9650)
@@ -30,7 +30,7 @@
'blank');
if (options == undefined) {
- println("Failed to parse options: ", options.ERROR);
+ println("Failed to parse options");
return -1;
}
Modified: branches/SOC/SAMBA_4_0/source/torture/auth/pac.c
===================================================================
--- branches/SOC/SAMBA_4_0/source/torture/auth/pac.c 2005-08-26 12:02:47 UTC (rev 9649)
+++ branches/SOC/SAMBA_4_0/source/torture/auth/pac.c 2005-08-26 12:38:17 UTC (rev 9650)
@@ -105,6 +105,7 @@
smb_krb5_context->krb5_context,
&krbtgt_keyblock,
&server_keyblock,
+ time(NULL),
&tmp_blob);
if (ret) {
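Review bot: The loop bound in `for (i=1;i<argc;i++) {` in smbcalls_options.c is a bare index that the commit log shows has already been wrong once (it was 2 and skipped the first option spec), yet nothing on the line tells a reader why 1 is right. If, as the log implies, argv[0] holds the argument list and the option specs start at argv[1], I'd put `/* argv[0] is the argument list to parse; the option specs start at argv[1] */` above the loop — the meaning of that slot should be confirmed against the head of this function, which is outside the hunk.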
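Review bot: Passing `time(NULL)` as the new `tgs_authtime` in torture/auth/pac.c makes the PAC built by the test carry the wall-clock second of the run, so a failure cannot be reproduced byte-for-byte and, if the encoded blob is ever compared against a stored expectation (the `saved_pac` array later in the file is a candidate; I cannot see the comparison from this hunk), it will never match. A fixed named value would be better, e.g. `static const time_t test_authtime = 0x12345678; /* constructed sample, any fixed value works */` passed in place of `time(NULL)`, and it would let the test assert that logon_time in the decoded PAC equals the authtime it passed in, which is exactly the invariant this commit establishes. The enclosing test function starts and ends outside this hunk.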
@@ -196,7 +197,7 @@
-- abartlet 2005-07-04 */
-static const char saved_pac[] = {
+static const uint8_t saved_pac[] = {
0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xd8, 0x01, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00,
