The branch, master has been updated
via a7036a9... librpc/ndr Remove unused macros
via a9d9447... s4:credentials Add hooks to extract a named Kerberos
credentials cache
from da1970c... s4:lsa open trusted domain also with dns name
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit a7036a9e47382e738f6ebedf13719222950611d6
Author: Andrew Bartlett <[email protected]>
Date: Sat Feb 20 11:51:47 2010 +1100
librpc/ndr Remove unused macros
Since the change to the way we pull these OIDs from the wire, these
macros are unused.
Andrew Bartlett
commit a9d9447d5a448e13d4373c3c4b48f0edd49dc38a
Author: Andrew Bartlett <[email protected]>
Date: Sat Feb 20 11:44:41 2010 +1100
s4:credentials Add hooks to extract a named Kerberos credentials cache
This allows the integration of external tools that can't be linked
into C or python, but need to authenticate as the local machine
account.
The machineaccountccache script demonstrates this, and debugging has
been improved in cli_credentials_set_secrets() by passing back and
error string.
Andrew Bartlett
-----------------------------------------------------------------------
Summary of changes:
librpc/ndr/ndr_drsuapi.c | 16 ----
source4/auth/credentials/credentials.h | 8 ++-
source4/auth/credentials/credentials_files.c | 92 ++++++++++++-----------
source4/auth/credentials/credentials_krb5.c | 56 ++++++++++-----
source4/auth/credentials/pycredentials.c | 63 ++++++++++++++++
source4/auth/credentials/pycredentials.h | 6 ++
source4/dsdb/samdb/ldb_modules/update_keytab.c | 3 +-
source4/dsdb/samdb/samdb.c | 4 +-
source4/scripting/bin/machineaccountccache | 30 ++++++++
testprogs/blackbox/test_kinit.sh | 7 ++-
10 files changed, 203 insertions(+), 82 deletions(-)
create mode 100755 source4/scripting/bin/machineaccountccache
Changeset truncated at 500 lines:
diff --git a/librpc/ndr/ndr_drsuapi.c b/librpc/ndr/ndr_drsuapi.c
index 17f2b7e..b91d5f7 100644
--- a/librpc/ndr/ndr_drsuapi.c
+++ b/librpc/ndr/ndr_drsuapi.c
@@ -66,22 +66,6 @@ void ndr_print_drsuapi_DsReplicaObjectListItemEx(struct
ndr_print *ndr, const ch
}
}
-#define _OID_PUSH_CHECK(call) do { \
- bool _status; \
- _status = call; \
- if (_status != true) { \
- return ndr_push_error(ndr, NDR_ERR_SUBCONTEXT, "OID Conversion
Error: %s\n", __location__); \
- } \
-} while (0)
-
-#define _OID_PULL_CHECK(call) do { \
- bool _status; \
- _status = call; \
- if (_status != true) { \
- return ndr_pull_error(ndr, NDR_ERR_SUBCONTEXT, "OID Conversion
Error: %s\n", __location__); \
- } \
-} while (0)
-
_PUBLIC_ void ndr_print_drsuapi_DsReplicaOID(struct ndr_print *ndr, const char
*name, const struct drsuapi_DsReplicaOID *r)
{
ndr_print_struct(ndr, name, "drsuapi_DsReplicaOID");
diff --git a/source4/auth/credentials/credentials.h
b/source4/auth/credentials/credentials.h
index 311cdc2..21a9c61 100644
--- a/source4/auth/credentials/credentials.h
+++ b/source4/auth/credentials/credentials.h
@@ -162,6 +162,11 @@ int cli_credentials_get_ccache(struct cli_credentials
*cred,
struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,
struct ccache_container **ccc);
+int cli_credentials_get_named_ccache(struct cli_credentials *cred,
+ struct tevent_context *event_ctx,
+ struct loadparm_context *lp_ctx,
+ char *ccache_name,
+ struct ccache_container **ccc);
int cli_credentials_get_keytab(struct cli_credentials *cred,
struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,
@@ -266,7 +271,8 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials
*cred,
struct loadparm_context *lp_ctx,
struct ldb_context *ldb,
const char *base,
- const char *filter);
+ const char *filter,
+ char **error_string);
int cli_credentials_get_kvno(struct cli_credentials *cred);
#endif /* __CREDENTIALS_H__ */
diff --git a/source4/auth/credentials/credentials_files.c
b/source4/auth/credentials/credentials_files.c
index 8036e48..6ddee9e 100644
--- a/source4/auth/credentials/credentials_files.c
+++ b/source4/auth/credentials/credentials_files.c
@@ -175,15 +175,16 @@ _PUBLIC_ bool cli_credentials_parse_file(struct
cli_credentials *cred, const cha
*/
_PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
struct tevent_context *event_ctx,
- struct loadparm_context *lp_ctx,
- struct ldb_context *ldb,
- const char *base,
- const char *filter)
+ struct loadparm_context *lp_ctx,
+ struct ldb_context *ldb,
+ const char *base,
+ const char *filter,
+ char **error_string)
{
TALLOC_CTX *mem_ctx;
int ldb_ret;
- struct ldb_message **msgs;
+ struct ldb_message *msg;
const char *attrs[] = {
"secret",
"priorSecret",
@@ -224,46 +225,43 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct
cli_credentials *cred,
if (!ldb) {
/* set anonymous as the fallback, if the machine
account won't work */
cli_credentials_set_anonymous(cred);
- DEBUG(1, ("Could not open secrets.ldb\n"));
+ *error_string = talloc_strdup(cred, "Could not open
secrets.ldb");
talloc_free(mem_ctx);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
}
- /* search for the secret record */
- ldb_ret = gendb_search(ldb,
- mem_ctx, ldb_dn_new(mem_ctx, ldb, base),
- &msgs, attrs,
- "%s", filter);
- if (ldb_ret == 0) {
- DEBUG(5, ("(normal if no LDAP backend required) Could not find
entry to match filter: '%s' base: '%s'\n",
- filter, base));
- /* set anonymous as the fallback, if the machine account won't
work */
- cli_credentials_set_anonymous(cred);
- talloc_free(mem_ctx);
- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
- } else if (ldb_ret != 1) {
- DEBUG(5, ("Found more than one (%d) entry to match filter: '%s'
base: '%s'\n",
- ldb_ret, filter, base));
+ ldb_ret = dsdb_search_one(ldb, ldb, &msg,
+ ldb_dn_new(mem_ctx, ldb, base),
+ LDB_SCOPE_SUBTREE,
+ attrs, 0, "%s", filter);
+
+ if (ldb_ret != LDB_SUCCESS) {
+ *error_string = talloc_asprintf(cred, "Could not find entry to
match filter: '%s' base: '%s': %s: %s\n",
+ filter, base ? base : "",
+ ldb_strerror(ldb_ret),
ldb_errstring(ldb));
/* set anonymous as the fallback, if the machine account won't
work */
cli_credentials_set_anonymous(cred);
talloc_free(mem_ctx);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
-
- password = ldb_msg_find_attr_as_string(msgs[0], "secret", NULL);
- old_password = ldb_msg_find_attr_as_string(msgs[0], "priorSecret",
NULL);
- machine_account = ldb_msg_find_attr_as_string(msgs[0],
"samAccountName", NULL);
+ password = ldb_msg_find_attr_as_string(msg, "secret", NULL);
+ old_password = ldb_msg_find_attr_as_string(msg, "priorSecret", NULL);
+
+ machine_account = ldb_msg_find_attr_as_string(msg, "samAccountName",
NULL);
if (!machine_account) {
- machine_account = ldb_msg_find_attr_as_string(msgs[0],
"servicePrincipalName", NULL);
+ machine_account = ldb_msg_find_attr_as_string(msg,
"servicePrincipalName", NULL);
if (!machine_account) {
- const char *ldap_bind_dn =
ldb_msg_find_attr_as_string(msgs[0], "ldapBindDn", NULL);
+ const char *ldap_bind_dn =
ldb_msg_find_attr_as_string(msg, "ldapBindDn", NULL);
if (!ldap_bind_dn) {
- DEBUG(1, ("Could not find 'samAccountName',
'servicePrincipalName' or 'ldapBindDn' in secrets record: filter: '%s' base:
'%s'\n",
- filter, base));
+ *error_string = talloc_asprintf(cred,
+ "Could not find
'samAccountName', "
+
"'servicePrincipalName' or "
+ "'ldapBindDn'
in secrets record: %s",
+
ldb_dn_get_linearized(msg->dn));
/* set anonymous as the fallback, if the
machine account won't work */
cli_credentials_set_anonymous(cred);
talloc_free(mem_ctx);
@@ -275,16 +273,16 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct
cli_credentials *cred,
}
}
- salt_principal = ldb_msg_find_attr_as_string(msgs[0], "saltPrincipal",
NULL);
+ salt_principal = ldb_msg_find_attr_as_string(msg, "saltPrincipal",
NULL);
cli_credentials_set_salt_principal(cred, salt_principal);
- sct = ldb_msg_find_attr_as_int(msgs[0], "secureChannelType", 0);
+ sct = ldb_msg_find_attr_as_int(msg, "secureChannelType", 0);
if (sct) {
cli_credentials_set_secure_channel_type(cred, sct);
}
if (!password) {
- const struct ldb_val *nt_password_hash =
ldb_msg_find_ldb_val(msgs[0], "unicodePwd");
+ const struct ldb_val *nt_password_hash =
ldb_msg_find_ldb_val(msg, "unicodePwd");
struct samr_Password hash;
ZERO_STRUCT(hash);
if (nt_password_hash) {
@@ -300,12 +298,12 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct
cli_credentials *cred,
}
- domain = ldb_msg_find_attr_as_string(msgs[0], "flatname", NULL);
+ domain = ldb_msg_find_attr_as_string(msg, "flatname", NULL);
if (domain) {
cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
}
- realm = ldb_msg_find_attr_as_string(msgs[0], "realm", NULL);
+ realm = ldb_msg_find_attr_as_string(msg, "realm", NULL);
if (realm) {
cli_credentials_set_realm(cred, realm, CRED_SPECIFIED);
}
@@ -314,16 +312,16 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct
cli_credentials *cred,
cli_credentials_set_username(cred, machine_account,
CRED_SPECIFIED);
}
- cli_credentials_set_kvno(cred, ldb_msg_find_attr_as_int(msgs[0],
"msDS-KeyVersionNumber", 0));
+ cli_credentials_set_kvno(cred, ldb_msg_find_attr_as_int(msg,
"msDS-KeyVersionNumber", 0));
/* If there was an external keytab specified by reference in
* the LDB, then use this. Otherwise we will make one up
* (chewing CPU time) from the password */
- keytab = ldb_msg_find_attr_as_string(msgs[0], "krb5Keytab", NULL);
+ keytab = ldb_msg_find_attr_as_string(msg, "krb5Keytab", NULL);
if (keytab) {
cli_credentials_set_keytab_name(cred, event_ctx, lp_ctx,
keytab, CRED_SPECIFIED);
} else {
- keytab = ldb_msg_find_attr_as_string(msgs[0], "privateKeytab",
NULL);
+ keytab = ldb_msg_find_attr_as_string(msg, "privateKeytab",
NULL);
if (keytab) {
keytab = talloc_asprintf(mem_ctx, "FILE:%s",
samdb_relative_path(ldb, mem_ctx, keytab));
if (keytab) {
@@ -347,6 +345,7 @@ _PUBLIC_ NTSTATUS
cli_credentials_set_machine_account(struct cli_credentials *cr
{
NTSTATUS status;
char *filter;
+ char *error_string;
/* Bleh, nasty recursion issues: We are setting a machine
* account here, so we don't want the 'pending' flag around
* any more */
@@ -355,9 +354,10 @@ _PUBLIC_ NTSTATUS
cli_credentials_set_machine_account(struct cli_credentials *cr
cli_credentials_get_domain(cred));
status = cli_credentials_set_secrets(cred, event_context_find(cred),
lp_ctx, NULL,
SECRETS_PRIMARY_DOMAIN_DN,
- filter);
+ filter, &error_string);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Could not find machine account in secrets database:
%s", nt_errstr(status)));
+ DEBUG(1, ("Could not find machine account in secrets database:
%s: %s", nt_errstr(status), error_string));
+ talloc_free(error_string);
}
return status;
}
@@ -374,6 +374,7 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials
*cred,
{
NTSTATUS status;
char *filter;
+ char *error_string;
/* Bleh, nasty recursion issues: We are setting a machine
* account here, so we don't want the 'pending' flag around
* any more */
@@ -382,10 +383,11 @@ NTSTATUS cli_credentials_set_krbtgt(struct
cli_credentials *cred,
cli_credentials_get_realm(cred),
cli_credentials_get_domain(cred));
status = cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL,
- SECRETS_PRINCIPALS_DN,
- filter);
+ SECRETS_PRINCIPALS_DN,
+ filter, &error_string);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Could not find krbtgt (master Kerberos) account in
secrets database: %s", nt_errstr(status)));
+ DEBUG(1, ("Could not find krbtgt (master Kerberos) account in
secrets database: %s: %s", nt_errstr(status), error_string));
+ talloc_free(error_string);
}
return status;
}
@@ -403,6 +405,7 @@ _PUBLIC_ NTSTATUS
cli_credentials_set_stored_principal(struct cli_credentials *c
{
NTSTATUS status;
char *filter;
+ char *error_string;
/* Bleh, nasty recursion issues: We are setting a machine
* account here, so we don't want the 'pending' flag around
* any more */
@@ -412,9 +415,10 @@ _PUBLIC_ NTSTATUS
cli_credentials_set_stored_principal(struct cli_credentials *c
cli_credentials_get_domain(cred),
serviceprincipal);
status = cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL,
- SECRETS_PRINCIPALS_DN, filter);
+ SECRETS_PRINCIPALS_DN, filter,
+ &error_string);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Could not find %s principal in secrets database:
%s", serviceprincipal, nt_errstr(status)));
+ DEBUG(1, ("Could not find %s principal in secrets database: %s:
%s", serviceprincipal, nt_errstr(status), error_string));
}
return status;
}
diff --git a/source4/auth/credentials/credentials_krb5.c
b/source4/auth/credentials/credentials_krb5.c
index efcca3e..b722901 100644
--- a/source4/auth/credentials/credentials_krb5.c
+++ b/source4/auth/credentials/credentials_krb5.c
@@ -40,7 +40,8 @@ _PUBLIC_ int cli_credentials_get_krb5_context(struct
cli_credentials *cred,
return 0;
}
- ret = smb_krb5_init_context(cred, event_ctx, lp_ctx,
&cred->smb_krb5_context);
+ ret = smb_krb5_init_context(cred, event_ctx, lp_ctx,
+ &cred->smb_krb5_context);
if (ret) {
cred->smb_krb5_context = NULL;
return ret;
@@ -203,23 +204,16 @@ _PUBLIC_ int cli_credentials_set_ccache(struct
cli_credentials *cred,
static int cli_credentials_new_ccache(struct cli_credentials *cred,
struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,
+ char *ccache_name,
struct ccache_container **_ccc)
{
+ bool must_free_cc_name = false;
krb5_error_code ret;
struct ccache_container *ccc = talloc(cred, struct ccache_container);
- char *ccache_name;
if (!ccc) {
return ENOMEM;
}
- ccache_name = talloc_asprintf(ccc, "MEMORY:%p",
- ccc);
-
- if (!ccache_name) {
- talloc_free(ccc);
- return ENOMEM;
- }
-
ret = cli_credentials_get_krb5_context(cred, event_ctx, lp_ctx,
&ccc->smb_krb5_context);
if (ret) {
@@ -231,6 +225,17 @@ static int cli_credentials_new_ccache(struct
cli_credentials *cred,
return ENOMEM;
}
+ if (!ccache_name) {
+ must_free_cc_name = true;
+ ccache_name = talloc_asprintf(ccc, "MEMORY:%p",
+ ccc);
+
+ if (!ccache_name) {
+ talloc_free(ccc);
+ return ENOMEM;
+ }
+ }
+
ret = krb5_cc_resolve(ccc->smb_krb5_context->krb5_context, ccache_name,
&ccc->ccache);
if (ret) {
@@ -242,19 +247,26 @@ static int cli_credentials_new_ccache(struct
cli_credentials *cred,
return ret;
}
- talloc_set_destructor(ccc, free_mccache);
+ if (strncasecmp(ccache_name, "MEMORY:", 7) == 0) {
+ talloc_set_destructor(ccc, free_mccache);
+ } else {
+ talloc_set_destructor(ccc, free_dccache);
+ }
- talloc_free(ccache_name);
+ if (must_free_cc_name) {
+ talloc_free(ccache_name);
+ }
*_ccc = ccc;
return ret;
}
-_PUBLIC_ int cli_credentials_get_ccache(struct cli_credentials *cred,
- struct tevent_context *event_ctx,
- struct loadparm_context *lp_ctx,
- struct ccache_container **ccc)
+_PUBLIC_ int cli_credentials_get_named_ccache(struct cli_credentials *cred,
+ struct tevent_context *event_ctx,
+ struct loadparm_context *lp_ctx,
+ char *ccache_name,
+ struct ccache_container **ccc)
{
krb5_error_code ret;
@@ -271,7 +283,7 @@ _PUBLIC_ int cli_credentials_get_ccache(struct
cli_credentials *cred,
return EINVAL;
}
- ret = cli_credentials_new_ccache(cred, event_ctx, lp_ctx, ccc);
+ ret = cli_credentials_new_ccache(cred, event_ctx, lp_ctx, ccache_name,
ccc);
if (ret) {
return ret;
}
@@ -295,6 +307,14 @@ _PUBLIC_ int cli_credentials_get_ccache(struct
cli_credentials *cred,
return ret;
}
+_PUBLIC_ int cli_credentials_get_ccache(struct cli_credentials *cred,
+ struct tevent_context *event_ctx,
+ struct loadparm_context *lp_ctx,
+ struct ccache_container **ccc)
+{
+ return cli_credentials_get_named_ccache(cred, event_ctx, lp_ctx, NULL,
ccc);
+}
+
void cli_credentials_invalidate_client_gss_creds(struct cli_credentials *cred,
enum credentials_obtained
obtained)
{
@@ -472,7 +492,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct
cli_credentials *cred,
return ENOMEM;
}
- ret = cli_credentials_new_ccache(cred, event_ctx, lp_ctx, &ccc);
+ ret = cli_credentials_new_ccache(cred, event_ctx, lp_ctx, NULL, &ccc);
if (ret != 0) {
return ret;
}
diff --git a/source4/auth/credentials/pycredentials.c
b/source4/auth/credentials/pycredentials.c
index 3c06ae9..002ecbc 100644
--- a/source4/auth/credentials/pycredentials.c
+++ b/source4/auth/credentials/pycredentials.c
@@ -24,6 +24,7 @@
#include "librpc/gen_ndr/samr.h" /* for struct samr_Password */
#include "libcli/util/pyerrors.h"
#include "param/pyparam.h"
+#include <tevent.h>
static PyObject *PyString_FromStringOrNULL(const char *str)
{
@@ -226,6 +227,54 @@ static PyObject
*py_creds_set_machine_account(py_talloc_Object *self, PyObject *
Py_RETURN_NONE;
}
+PyObject *PyCredentialCacheContainer_from_ccache_container(struct
ccache_container *ccc)
+{
+ PyCredentialCacheContainerObject *py_ret;
+
+ if (ccc == NULL) {
+ Py_RETURN_NONE;
+ }
+
+ py_ret = (PyCredentialCacheContainerObject
*)PyCredentialCacheContainer.tp_alloc(&PyCredentialCacheContainer, 0);
+ if (py_ret == NULL) {
+ PyErr_NoMemory();
+ return NULL;
+ }
+ py_ret->mem_ctx = talloc_new(NULL);
+ py_ret->ccc = talloc_reference(py_ret->mem_ctx, ccc);
+ return (PyObject *)py_ret;
+}
+
+
+static PyObject *py_creds_get_named_ccache(py_talloc_Object *self, PyObject
*args)
+{
+ PyObject *py_lp_ctx = Py_None;
+ char *ccache_name;
+ struct loadparm_context *lp_ctx;
+ struct ccache_container *ccc;
+ struct tevent_context *event_ctx;
+ int ret;
+
+ if (!PyArg_ParseTuple(args, "|Os", &py_lp_ctx, &ccache_name))
+ return NULL;
+
+ lp_ctx = lp_from_py_object(py_lp_ctx);
+ if (lp_ctx == NULL)
+ return NULL;
+
+ event_ctx = tevent_context_init(NULL);
+
+ ret =
cli_credentials_get_named_ccache(PyCredentials_AsCliCredentials(self),
event_ctx, lp_ctx, ccache_name, &ccc);
+ if (ret == 0) {
+ talloc_steal(ccc, event_ctx);
+ return PyCredentialCacheContainer_from_ccache_container(ccc);
+ } else {
+ talloc_free(event_ctx);
+ return NULL;
+ }
+
+}
+
static PyMethodDef py_creds_methods[] = {
{ "get_username", (PyCFunction)py_creds_get_username, METH_NOARGS,
"S.get_username() -> username\nObtain username." },
@@ -282,6 +331,7 @@ static PyMethodDef py_creds_methods[] = {
NULL },
{ "guess", (PyCFunction)py_creds_guess, METH_VARARGS, NULL },
{ "set_machine_account", (PyCFunction)py_creds_set_machine_account,
METH_VARARGS, NULL },
+ { "get_named_ccache", (PyCFunction)py_creds_get_named_ccache,
METH_VARARGS, NULL },
{ NULL }
};
@@ -294,6 +344,14 @@ PyTypeObject PyCredentials = {
.tp_methods = py_creds_methods,
};
+
+PyTypeObject PyCredentialCacheContainer = {
+ .tp_name = "CredentialCacheContainer",
+ .tp_basicsize = sizeof(py_talloc_Object),
+ .tp_dealloc = py_talloc_dealloc,
+ .tp_flags = Py_TPFLAGS_DEFAULT,
+};
+
void initcredentials(void)
{
PyObject *m;
@@ -301,6 +359,9 @@ void initcredentials(void)
if (PyType_Ready(&PyCredentials) < 0)
return;
+ if (PyType_Ready(&PyCredentialCacheContainer) < 0)
+ return;
+
m = Py_InitModule3("credentials", NULL, "Credentials management.");
if (m == NULL)
return;
@@ -311,4 +372,6 @@ void initcredentials(void)
Py_INCREF(&PyCredentials);
PyModule_AddObject(m, "Credentials", (PyObject *)&PyCredentials);
+ Py_INCREF(&PyCredentialCacheContainer);
+ PyModule_AddObject(m, "CredentialCacheContainer", (PyObject
*)&PyCredentialCacheContainer);
}
diff --git a/source4/auth/credentials/pycredentials.h
b/source4/auth/credentials/pycredentials.h
index 1889248..b1040c6 100644
--
Samba Shared Repository
