The branch, master has been updated
       via  9c8badc s3-net: add a new "net ads kerberos pac save" tool.
       via  9e01f3c s3-net: modify the current "net ads kerberos pac" command.
       via  a8c2807 s3-kerberos: let kerberos_return_pac() return a PAC 
container.
       via  1270e35 s3-kerberos: return a full PAC in kerberos_return_pac().
       via  35a1ed2 s3-net: allow to provide custom local_service in "net ads 
kerberos pac".
       via  9725a86 s3-net: change the way impersonation principals are used in 
"net ads kerberos pac".
       via  baed403 auth/kerberos: fix a typo.
       via  932490a s3-libads: pass down local_service to kerberos_return_pac().
      from  41d8d99 CVE-2013-6442: s3:smbcacls - ensure we don't lose an 
existing ACL when setting owner or group owner.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 9c8badc2a5c4d74b887cad57f98c145fbb9bfa6d
Author: Günther Deschner <[email protected]>
Date:   Tue Mar 11 18:16:40 2014 +0100

    s3-net: add a new "net ads kerberos pac save" tool.
    
    Use "filename=string" to define a file where to save the unencrypted PAC to.
    
    Guenther
    
    Signed-off-by: Günther Deschner <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>
    
    Autobuild-User(master): Günther Deschner <[email protected]>
    Autobuild-Date(master): Wed Mar 12 13:02:59 CET 2014 on sn-devel-104

commit 9e01f3cbc4752539128e5452f567ff2e73c3ec9d
Author: Günther Deschner <[email protected]>
Date:   Tue Mar 11 18:14:39 2014 +0100

    s3-net: modify the current "net ads kerberos pac" command.
    
    Rename it to "net ads kerberos pac dump" and add a "type=num" option to 
allow
    dumping of individual pac buffer types. Omitting type= or using type=0 will
    dump the whole PAC structure on stdout.
    
    Guenther
    
    Signed-off-by: Günther Deschner <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>

commit a8c2807a26d2f1ff094ed7ea5724c0394f79b888
Author: Günther Deschner <[email protected]>
Date:   Tue Mar 11 18:07:11 2014 +0100

    s3-kerberos: let kerberos_return_pac() return a PAC container.
    
    Guenther
    
    Signed-off-by: Günther Deschner <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>

commit 1270e35ba70a4e4881512d375c767023512f67bd
Author: Günther Deschner <[email protected]>
Date:   Fri Feb 21 18:56:04 2014 +0100

    s3-kerberos: return a full PAC in kerberos_return_pac().
    
    Guenther
    
    Signed-off-by: Günther Deschner <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>

commit 35a1ed22f65473fabb2f4846f6d2b50da1847f6a
Author: Günther Deschner <[email protected]>
Date:   Tue Mar 11 16:34:36 2014 +0100

    s3-net: allow to provide custom local_service in "net ads kerberos pac".
    
    Guenther
    
    Signed-off-by: Günther Deschner <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>

commit 9725a86e60bb6ef6e912621e81acc955ae2f70a8
Author: Günther Deschner <[email protected]>
Date:   Mon Mar 10 15:11:18 2014 +0100

    s3-net: change the way impersonation principals are used in "net ads 
kerberos pac".
    
    Guenther
    
    Signed-off-by: Günther Deschner <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>

commit baed403983a5bb2e728249443fdfc9167a87f526
Author: Günther Deschner <[email protected]>
Date:   Mon Mar 3 12:14:51 2014 +0100

    auth/kerberos: fix a typo.
    
    Guenther
    
    Signed-off-by: Günther Deschner <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>

commit 932490ae08578c37523e00e537017603ee00ce7c
Author: Günther Deschner <[email protected]>
Date:   Fri Jan 17 14:29:03 2014 +0100

    s3-libads: pass down local_service to kerberos_return_pac().
    
    Guenther
    
    Signed-off-by: Günther Deschner <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 auth/kerberos/kerberos_pac.c    |    2 +-
 source3/libads/authdata.c       |   47 +++++++----
 source3/libads/kerberos_proto.h |   10 ++-
 source3/utils/net_ads.c         |  183 +++++++++++++++++++++++++++++++++------
 source3/winbindd/winbindd_pam.c |   37 ++++++++-
 5 files changed, 233 insertions(+), 46 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
index 81f7f21..8f55c8f 100644
--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@@ -79,7 +79,7 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
 }
 
 /**
-* @brief Decode a blob containing a NDR envoded PAC structure
+* @brief Decode a blob containing a NDR encoded PAC structure
 *
 * @param mem_ctx         - The memory context
 * @param pac_data_blob   - The data blob containing the NDR encoded data
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index 801e551..276408d 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -52,7 +52,8 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context 
*auth_ctx,
                                   struct auth_session_info **session_info)
 {
        TALLOC_CTX *tmp_ctx;
-       struct PAC_LOGON_INFO *logon_info = NULL;
+       struct PAC_DATA *pac_data = NULL;
+       struct PAC_DATA_CTR *pac_data_ctr = NULL;
        NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
 
        tmp_ctx = talloc_new(mem_ctx);
@@ -61,16 +62,34 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context 
*auth_ctx,
        }
 
        if (pac_blob) {
-               status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
-                                                NULL, NULL, 0, &logon_info);
+               status = kerberos_decode_pac(tmp_ctx,
+                                            *pac_blob,
+                                            NULL,
+                                            NULL,
+                                            NULL,
+                                            NULL,
+                                            0,
+                                            &pac_data);
                if (!NT_STATUS_IS_OK(status)) {
                        goto done;
                }
        }
 
-       talloc_set_name_const(logon_info, "struct PAC_LOGON_INFO");
+       pac_data_ctr = talloc(mem_ctx, struct PAC_DATA_CTR);
+       if (pac_data_ctr == NULL) {
+               status = NT_STATUS_NO_MEMORY;
+               goto done;
+       }
+
+       talloc_set_name_const(pac_data_ctr, "struct PAC_DATA_CTR");
+
+       pac_data_ctr->pac_data = talloc_steal(pac_data_ctr, pac_data);
+       pac_data_ctr->pac_blob = data_blob_talloc(pac_data_ctr,
+                                                 pac_blob->data,
+                                                 pac_blob->length);
+
+       auth_ctx->private_data = talloc_steal(auth_ctx, pac_data_ctr);
 
-       auth_ctx->private_data = talloc_steal(auth_ctx, logon_info);
        *session_info = talloc_zero(mem_ctx, struct auth_session_info);
        if (!*session_info) {
                status = NT_STATUS_NO_MEMORY;
@@ -101,13 +120,13 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
                             bool add_netbios_addr,
                             time_t renewable_time,
                             const char *impersonate_princ_s,
-                            struct PAC_LOGON_INFO **_logon_info)
+                            const char *local_service,
+                            struct PAC_DATA_CTR **_pac_data_ctr)
 {
        krb5_error_code ret;
        NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
        DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1;
        const char *auth_princ = NULL;
-       const char *local_service = NULL;
        const char *cc = "MEMORY:kerberos_return_pac";
        struct auth_session_info *session_info;
        struct gensec_security *gensec_server_context;
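Review bot: The new `local_service` parameter is accepted without a NULL check, and the later hunk in this function drops the fallback that built `"%s$@%s"` from lp_netbios_name()/lp_realm(), so a caller passing NULL now forwards a NULL service name to whatever consumes it further down (outside the visible hunks). Either keep the old default for the NULL case or fail fast with `if (local_service == NULL) { return NT_STATUS_INVALID_PARAMETER; }` before `tmp_ctx` is allocated, so the error does not surface as a crash or a confusing KDC failure. Both updated callers (net_ads.c and winbindd_pam.c) now duplicate the same default-string construction, which a retained fallback would avoid. The function body continues beyond this hunk.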
@@ -116,7 +135,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
        size_t idx = 0;
        struct auth4_context *auth_context;
        struct loadparm_context *lp_ctx;
-       struct PAC_LOGON_INFO *logon_info = NULL;
+       struct PAC_DATA_CTR *pac_data_ctr = NULL;
 
        TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
        NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
@@ -141,10 +160,6 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
        }
        NT_STATUS_HAVE_NO_MEMORY(auth_princ);
 
-       local_service = talloc_asprintf(mem_ctx, "%s$@%s",
-                                       lp_netbios_name(), lp_realm());
-       NT_STATUS_HAVE_NO_MEMORY(local_service);
-
        ret = kerberos_kinit_password_ext(auth_princ,
                                          pass,
                                          time_offset,
@@ -276,15 +291,15 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
                goto out;
        }
 
-       logon_info = 
talloc_get_type_abort(gensec_server_context->auth_context->private_data,
-                                          struct PAC_LOGON_INFO);
-       if (logon_info == NULL) {
+       pac_data_ctr = 
talloc_get_type_abort(gensec_server_context->auth_context->private_data,
+                                            struct PAC_DATA_CTR);
+       if (pac_data_ctr == NULL) {
                DEBUG(1,("no PAC\n"));
                status = NT_STATUS_INVALID_PARAMETER;
                goto out;
        }
 
-       *_logon_info = talloc_move(mem_ctx, &logon_info);
+       *_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr);
 
 out:
        talloc_free(tmp_ctx);
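Review bot: The `if (pac_data_ctr == NULL)` check following `talloc_get_type_abort()` is most likely unreachable: as far as I recall, talloc_get_type_abort() aborts the process on a NULL pointer as well as on a type mismatch, so a gensec exchange that left `private_data` NULL would crash here rather than log `no PAC` and return NT_STATUS_INVALID_PARAMETER. If the soft failure is the intent, test the raw pointer first, e.g. `if (gensec_server_context->auth_context->private_data == NULL) { DEBUG(1,("no PAC\n")); status = NT_STATUS_INVALID_PARAMETER; goto out; }`, and only then perform the typed cast. The same pattern existed for `logon_info` before this change, so the commit preserves rather than introduces it, but the rename is a good moment to fix it.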
diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
index 2559634..3d0ad4b 100644
--- a/source3/libads/kerberos_proto.h
+++ b/source3/libads/kerberos_proto.h
@@ -32,7 +32,12 @@
 
 #include "system/kerberos.h"
 
-struct PAC_LOGON_INFO;
+struct PAC_DATA;
+
+struct PAC_DATA_CTR {
+       DATA_BLOB pac_blob;
+       struct PAC_DATA *pac_data;
+};
 
 #include "libads/ads_status.h"
 
@@ -77,7 +82,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
                             bool add_netbios_addr,
                             time_t renewable_time,
                             const char *impersonate_princ_s,
-                            struct PAC_LOGON_INFO **logon_info);
+                            const char *local_service,
+                            struct PAC_DATA_CTR **pac_data_ctr);
 
 /* The following definitions come from libads/krb5_setpw.c  */
 
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 89eebf3..8b8e719 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -2597,35 +2597,41 @@ static int net_ads_kerberos_renew(struct net_context 
*c, int argc, const char **
        return ret;
 }
 
-static int net_ads_kerberos_pac(struct net_context *c, int argc, const char 
**argv)
+static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const 
char **argv,
+                                      struct PAC_DATA_CTR **pac_data_ctr)
 {
-       struct PAC_LOGON_INFO *info = NULL;
-       TALLOC_CTX *mem_ctx = NULL;
        NTSTATUS status;
        int ret = -1;
        const char *impersonate_princ_s = NULL;
+       const char *local_service = NULL;
+       int i;
 
-       if (c->display_usage) {
-               d_printf(  "%s\n"
-                          "net ads kerberos pac [impersonation_principal]\n"
-                          "    %s\n",
-                        _("Usage:"),
-                        _("Dump the Kerberos PAC"));
-               return 0;
-       }
-
-       mem_ctx = talloc_init("net_ads_kerberos_pac");
-       if (!mem_ctx) {
-               goto out;
+       for (i=0; i<argc; i++) {
+               if (strnequal(argv[i], "impersonate", strlen("impersonate"))) {
+                       impersonate_princ_s = get_string_param(argv[i]);
+                       if (impersonate_princ_s == NULL) {
+                               return -1;
+                       }
+               }
+               if (strnequal(argv[i], "local_service", 
strlen("local_service"))) {
+                       local_service = get_string_param(argv[i]);
+                       if (local_service == NULL) {
+                               return -1;
+                       }
+               }
        }
 
-       if (argc > 0) {
-               impersonate_princ_s = argv[0];
+       if (local_service == NULL) {
+               local_service = talloc_asprintf(c, "%s$@%s",
+                                               lp_netbios_name(), lp_realm());
+               if (local_service == NULL) {
+                       goto out;
+               }
        }
 
        c->opt_password = net_prompt_pass(c, c->opt_user_name);
 
-       status = kerberos_return_pac(mem_ctx,
+       status = kerberos_return_pac(c,
                                     c->opt_user_name,
                                     c->opt_password,
                                     0,
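Review bot: The new option loop matches only the prefix of each argv entry (`strnequal(argv[i], "impersonate", strlen("impersonate"))`), and an entry that matches but carries no value makes the function `return -1` with no message, so `net ads kerberos pac dump impersonate` fails silently while a misspelled key is ignored and the default local_service is used without notice. Printing a diagnostic before each early return, e.g. `d_printf(_("invalid value for %s\n"), argv[i]);`, and reporting unrecognised `key=value` arguments would make both cases visible to the operator. The function's `out:` label and return are in the next hunk.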
@@ -2636,25 +2642,150 @@ static int net_ads_kerberos_pac(struct net_context *c, 
int argc, const char **ar
                                     true,
                                     2592000, /* one month */
                                     impersonate_princ_s,
-                                    &info);
+                                    local_service,
+                                    pac_data_ctr);
        if (!NT_STATUS_IS_OK(status)) {
                d_printf(_("failed to query kerberos PAC: %s\n"),
                        nt_errstr(status));
                goto out;
        }
 
-       if (info) {
-               const char *s;
-               s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
-               d_printf(_("The Pac: %s\n"), s);
-       }
-
        ret = 0;
  out:
-       TALLOC_FREE(mem_ctx);
        return ret;
 }
 
+static int net_ads_kerberos_pac_dump(struct net_context *c, int argc, const 
char **argv)
+{
+       struct PAC_DATA_CTR *pac_data_ctr = NULL;
+       int i;
+       int ret = -1;
+       enum PAC_TYPE type = 0;
+
+       if (c->display_usage) {
+               d_printf(  "%s\n"
+                          "net ads kerberos pac dump [impersonate=string] 
[local_service=string] [pac_buffer_type=int]\n"
+                          "    %s\n",
+                        _("Usage:"),
+                        _("Dump the Kerberos PAC"));
+               return -1;
+       }
+
+       for (i=0; i<argc; i++) {
+               if (strnequal(argv[i], "pac_buffer_type", 
strlen("pac_buffer_type"))) {
+                       type = get_int_param(argv[i]);
+               }
+       }
+
+       ret = net_ads_kerberos_pac_common(c, argc, argv, &pac_data_ctr);
+       if (ret) {
+               return ret;
+       }
+
+       if (type == 0) {
+
+               char *s = NULL;
+
+               s = NDR_PRINT_STRUCT_STRING(c, PAC_DATA,
+                       pac_data_ctr->pac_data);
+               if (s != NULL) {
+                       d_printf(_("The Pac: %s\n"), s);
+                       talloc_free(s);
+               }
+
+               return 0;
+       }
+
+       for (i=0; i < pac_data_ctr->pac_data->num_buffers; i++) {
+
+               char *s = NULL;
+
+               if (pac_data_ctr->pac_data->buffers[i].type != type) {
+                       continue;
+               }
+
+               s = NDR_PRINT_UNION_STRING(c, PAC_INFO, type,
+                               pac_data_ctr->pac_data->buffers[i].info);
+               if (s != NULL) {
+                       d_printf(_("The Pac: %s\n"), s);
+                       talloc_free(s);
+               }
+               break;
+       }
+
+       return 0;
+}
+
+static int net_ads_kerberos_pac_save(struct net_context *c, int argc, const 
char **argv)
+{
+       struct PAC_DATA_CTR *pac_data_ctr = NULL;
+       char *filename = NULL;
+       int ret = -1;
+       int i;
+
+       if (c->display_usage) {
+               d_printf(  "%s\n"
+                          "net ads kerberos pac save [impersonate=string] 
[local_service=string] [filename=string]\n"
+                          "    %s\n",
+                        _("Usage:"),
+                        _("Save the Kerberos PAC"));
+               return -1;
+       }
+
+       for (i=0; i<argc; i++) {
+               if (strnequal(argv[i], "filename", strlen("filename"))) {
+                       filename = get_string_param(argv[i]);
+                       if (filename == NULL) {
+                               return -1;
+                       }
+               }
+       }
+
+       ret = net_ads_kerberos_pac_common(c, argc, argv, &pac_data_ctr);
+       if (ret) {
+               return ret;
+       }
+
+       if (filename == NULL) {
+               d_printf(_("please define \"filename=<filename>\" to save the 
PAC\n"));
+               return -1;
+       }
+
+       /* save the raw format */
+       if (!file_save(filename, pac_data_ctr->pac_blob.data, 
pac_data_ctr->pac_blob.length)) {
+               d_printf(_("failed to save PAC in %s\n"), filename);
+               return -1;
+       }
+
+       return 0;
+}
+
+static int net_ads_kerberos_pac(struct net_context *c, int argc, const char 
**argv)
+{
+       struct functable func[] = {
+               {
+                       "dump",
+                       net_ads_kerberos_pac_dump,
+                       NET_TRANSPORT_ADS,
+                       N_("Dump Kerberos PAC"),
+                       N_("net ads kerberos pac dump\n"
+                          "    Dump a Kerberos PAC to stdout")
+               },
+               {
+                       "save",
+                       net_ads_kerberos_pac_save,
+                       NET_TRANSPORT_ADS,
+                       N_("Save Kerberos PAC"),
+                       N_("net ads kerberos pac save\n"
+                          "    Save a Kerberos PAC in a file")
+               },
+
+               {NULL, NULL, 0, NULL, NULL}
+       };
+
+       return net_run_function(c, argc, argv, "net ads kerberos pac", func);
+}
+
 static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char 
**argv)
 {
        TALLOC_CTX *mem_ctx = NULL;
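Review bot: In net_ads_kerberos_pac_save() the `if (filename == NULL)` check comes after the `net_ads_kerberos_pac_common()` call, so a user who forgets `filename=` is prompted for a password and a full Kerberos exchange with the KDC is performed before being told the option is required; moving that block above the common call avoids the needless round trip. In net_ads_kerberos_pac_dump(), a `pac_buffer_type` value that matches no buffer prints nothing and still returns 0, and `get_int_param()` is stored into `enum PAC_TYPE` without validation; a `d_printf(_("no PAC buffer of type %d found\n"), type);` with a non-zero return after the loop would make that visible. The commit description advertises the option as `type=num` whereas the usage text and parser use `pac_buffer_type=`, so one of the two should be aligned. The file written by `file_save()` contains the decrypted PAC (the user's SIDs and group memberships); if file_save() creates it with the process umask, a more restrictive mode or a mention in the usage text would be worth considering.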
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 3f3ec70..b41291e 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -576,6 +576,10 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX 
*mem_ctx,
        time_t time_offset = 0;
        const char *user_ccache_file;
        struct PAC_LOGON_INFO *logon_info = NULL;
+       struct PAC_DATA *pac_data = NULL;
+       struct PAC_DATA_CTR *pac_data_ctr = NULL;
+       const char *local_service;
+       int i;
 
        *info3 = NULL;
 
@@ -632,6 +636,13 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX 
*mem_ctx,
                return NT_STATUS_NO_MEMORY;
        }
 
+       local_service = talloc_asprintf(mem_ctx, "%s$@%s",
+                                       lp_netbios_name(), lp_realm());
+       if (local_service == NULL) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+
        /* if this is a user ccache, we need to act as the user to let the krb5
         * library handle the chown, etc. */
 
@@ -653,7 +664,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX 
*mem_ctx,
                                     true,
                                     WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
                                     NULL,
-                                    &logon_info);
+                                    local_service,
+                                    &pac_data_ctr);
        if (user_ccache_file != NULL) {
                gain_root_privilege();
        }
@@ -664,6 +676,29 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX 
*mem_ctx,
                goto failed;
        }
 
+       if (pac_data_ctr == NULL) {
+               goto failed;
+       }
+
+       pac_data = pac_data_ctr->pac_data;
+       if (pac_data == NULL) {
+               goto failed;
+       }
+
+       for (i=0; i < pac_data->num_buffers; i++) {
+
+               if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
+                       continue;
+               }
+
+               logon_info = pac_data->buffers[i].info->logon_info.info;
+               if (!logon_info) {
+                       return NT_STATUS_INVALID_PARAMETER;
+               }
+
+               break;
+       }
+
        *info3 = &logon_info->info3;
 
        DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of 
%s\n",
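Review bot: If the PAC contains no `PAC_TYPE_LOGON_INFO` buffer the loop completes with `logon_info` still NULL, and the unchanged `*info3 = &logon_info->info3;` just below then forms a pointer from NULL; the `if (!logon_info)` check inside the loop only covers a present buffer whose `info` is NULL. Add a check after the loop, e.g. `if (logon_info == NULL) { return NT_STATUS_INVALID_PARAMETER; }`, before `info3` is assigned. Note also that the new in-loop `return` bypasses the `failed:` path used by the surrounding error handling; if `failed:` releases resources acquired earlier in the function (its body is outside the hunk), both that return and the new check should route through it with the appropriate status instead. winbindd_raw_kerberos_login() continues beyond this hunk.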

