The branch, master has been updated
       via  fba69f4 selftest: Run krb5.kdc test against users with a UPN
       via  52526ee torture-krb5: Check for UPN handling in krb5.kdc.canon test
       via  c1819f5 kdc: Correctly return the krbtgt/realm@REALM principal from our KDC
       via  157539c torture-krb5: Move checking of server and client names to krb5.kdc.canon
       via  9d7719b torture-krb5: Move test of krb5_get_init_creds_opt_set_win2k to krb5.kdc.canon
       via  62905cd torture-krb5: Split the expected behaviour of the RODC up
       via  89b868f torture-kdc: Skip the request-pac behaviour for now against an RODC
       via  d0751b5 torture-krb5: Add comments
       via  69fb2a7 kdc: Add TODO to remind us where we need to hook for RODC to get secrets
       via  9fc3f1e kdc: Fix Samba's KDC to only change the principal in the right cases
       via  170ee30 torture-krb5: Add tests for combinations of enterprise, canon, and different input principals
       via  03d07ed torture: Extend krb5.kdc test to confirm correct RODC proxy behaviour
       via  c128056 selftest: Add test for enterprise UPN in a different domain
       via  86021a0 kdc: Fix enterprise principal name handling
       via  891c4c6 heimdal: Ensure that HDB_ERR_NOT_FOUND_HERE, critical for the RODC, is not overwritten
       via  da4ac71 heimdal: Really bug in KDC handling of enterprise princs
       via  fe99c42 heimdal: Fix bug in KDC handling of enterprise principals
       via  a07598d torture: Extend KDC test to cover more options and modes
       via  672ade3 torture: Decode expected packets and test KDC behaviour for wrong passwords
       via  fc84d35 torture: Additionally run testsuite for krb5 and KDC behaviour against all the DC envs
       via  ff240c8 torture: Additionally run testsuite for krb5 and KDC behaviour with unprivileged accounts
       via  378bb04 torture: Run new testsuite for krb5 and KDC behaviour with machine account also
       via  9a0aa6f torture: Start a new testsuite for krb5 and KDC behaviour
      from  7afff0c s3-pam_smbpass: Correctly initialize variables.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit fba69f4a89bedaf799b3a3c78cde43f4f1d1aba3
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Jan 23 17:19:41 2015 +1300

    selftest: Run krb5.kdc test against users with a UPN
    
    This tests both a UPN in our own realm, and a UPN with a non-realm suffix.
    
    Pair-programmed-with: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Fri Jan 23 08:10:07 CET 2015 on sn-devel-104

commit 52526ee26555daff27cb11ca2f444c2534a4d8f2
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Jan 23 16:43:48 2015 +1300

    torture-krb5: Check for UPN handling in krb5.kdc.canon test
    
    This allows us to confirm correct behaviour when a UPN is in use, particularly
    with the canonicalize flag and with enterprise principal names
    
    Pair-programmed-with: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit c1819f5fd1eb690326a1fc547422544f5c834558
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Jan 23 16:41:50 2015 +1300

    kdc: Correctly return the krbtgt/realm@REALM principal from our KDC
    
    This needs to vary depending on if the client requested the canonicalize flag
    
    This was found by our new krb5.kdc test
    
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Pair-programmed-with: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit 157539c5ad9b819e43dceee6bb47d2027de1d982
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Jan 23 14:28:56 2015 +1300

    torture-krb5: Move checking of server and client names to krb5.kdc.canon
    
    This keeps this test in one place, rather than duplicated between krb5.kdc and krb5.kdc.canon
    
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Pair-programmed-with: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit 9d7719b62ba0453b7c4e4b8a4c2062dc55ac4abd
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Jan 23 14:38:51 2015 +1300

    torture-krb5: Move test of krb5_get_init_creds_opt_set_win2k to krb5.kdc.canon
    
    This allows the impact of this to be verified with the other options we are setting
    
    This also removes duplication in the kdc.c testsuite.
    
    Pair-programmed-with: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit 62905cd6d21d457a54faa2a14e9713dcf280dbe5
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Jan 23 14:28:28 2015 +1300

    torture-krb5: Split the expected behaviour of the RODC up
    
    The expectations of the cached accounts are different to those of the RODC in general.
    
    Pair-programmed-with: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit 89b868f67761fbcf1319229c2f09502bdf16086e
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Jan 23 14:09:33 2015 +1300

    torture-kdc: Skip the request-pac behaviour for now against an RODC
    
    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit d0751b576363a25ca67f485651b206677bf1d4b8
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Jan 23 14:07:41 2015 +1300

    torture-krb5: Add comments
    
    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit 69fb2a7616fe3b67312904075fdb691b7fa510bb
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Jan 23 17:39:45 2015 +1300

    kdc: Add TODO to remind us where we need to hook for RODC to get secrets
    
    Pair-programmed-with: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit 9fc3f1e3d6854f399e2b2322b8ab1a714353ba12
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Jan 22 14:11:52 2015 +1300

    kdc: Fix Samba's KDC to only change the principal in the right cases
    
    If we are set to canonicalize, we get back the fixed UPPER
    case realm, and the real username (ie matching LDAP
    samAccountName)
    
    Otherwise, if we are set to enterprise, we
    get back the whole principal as-sent
    
    Finally, if we are not set to canonicalize, we get back the
    fixed UPPER case realm, but the as-sent username
    
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Pair-programmed-with: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
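The three cases in the commit message above (canonicalize wins, then enterprise returns the name as sent, otherwise only the realm is fixed up) can be written down as a small decision function. This is an added example modelling that rule, not Samba's KDC code; the struct, the function names and the sample account "Administrator" in realm SAMBA.EXAMPLE.COM are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the rule in commit 9fc3f1e: which client principal
 * the KDC places in its reply, given the canonicalize flag, whether the
 * request carried an enterprise principal, the name as sent, and the
 * account's samAccountName.  Added example, not Samba's code.
 */

/* A principal reduced to the two parts the rule cares about. */
struct principal_parts {
	const char *name;	/* name component(s) as one string */
	const char *realm;	/* realm component */
};

/*
 * Write the reply principal as "name@realm" into out.
 * Returns true on success, false if out is too small.
 *
 * canon:            client requested canonicalization
 * enterprise:       client used an enterprise (UPN-style) principal name
 * sent:             principal exactly as the client sent it
 * sam_account_name: samAccountName of the matched account
 * kdc_realm:        the KDC's fixed, upper-case realm
 */
bool kdc_reply_client_principal(bool canon, bool enterprise,
				const struct principal_parts *sent,
				const char *sam_account_name,
				const char *kdc_realm,
				char *out, size_t outlen)
{
	const char *name;
	const char *realm;
	int n;

	if (canon) {
		/* canonicalize wins: real username, fixed upper-case realm */
		name = sam_account_name;
		realm = kdc_realm;
	} else if (enterprise) {
		/* enterprise without canonicalize: everything as sent */
		name = sent->name;
		realm = sent->realm;
	} else {
		/* plain name without canonicalize: as-sent username,
		 * fixed upper-case realm */
		name = sent->name;
		realm = kdc_realm;
	}

	n = snprintf(out, outlen, "%s@%s", name, realm);
	return n >= 0 && (size_t)n < outlen;
}

/*
 * Run one flag combination against constructed inputs and report whether
 * the reply principal equals `expected` (1) or not (0).
 */
int check_reply_principal(bool canon, bool enterprise, const char *expected)
{
	/* constructed sample: the client typed a lower-case name and realm,
	 * the directory holds "Administrator" in realm SAMBA.EXAMPLE.COM */
	const struct principal_parts sent = { "administrator", "samba.example.com" };
	char buf[128];

	if (!kdc_reply_client_principal(canon, enterprise, &sent,
					"Administrator", "SAMBA.EXAMPLE.COM",
					buf, sizeof(buf))) {
		return 0;
	}
	return strcmp(buf, expected) == 0;
}

int main(void)
{
	printf("canon:        %d\n", check_reply_principal(true, false,
		"Administrator@SAMBA.EXAMPLE.COM"));
	printf("enterprise:   %d\n", check_reply_principal(false, true,
		"administrator@samba.example.com"));
	printf("plain:        %d\n", check_reply_principal(false, false,
		"administrator@SAMBA.EXAMPLE.COM"));
	return 0;
}
```

The ordering of the branches is the point: a request that is both canonicalized and enterprise gets the samAccountName and upper-case realm, so the enterprise branch is only reached when canonicalization was not requested.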

commit 170ee3071b7b51af0b6a89b7abf944ec3b08c014
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Jan 21 17:27:09 2015 +1300

    torture-krb5: Add tests for combinations of enterprise, canon, and different input principals
    
    This combinational test confirms the interactions between a number of different
    kerberos flags and principal types.
    
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Pair-programmed-with: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>

commit 03d07ed58bb4ebad41260a35f8952a18c8cf3e6d
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Jan 21 15:57:40 2015 +1300

    torture: Extend krb5.kdc test to confirm correct RODC proxy behaviour
    
    The RODC should answer some requests locally, and others it should defer to the main DC.
    
    We can tell which KDC we talk to by the KVNO of the encrypted parts that are returned
    to the KDC.
    
    Pair-programmed-with: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
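The KVNO check the commit message relies on can be shown in a few lines. This is an added example, not Samba's torture code, and it assumes the encoding Samba and Windows use for RODC krbtgt keys: the lower 16 bits of the kvno are the ordinary key version and the upper 16 bits carry the RODC's krbtgt number, while keys of the full DC's krbtgt account have no upper bits set. The enum, the function names and the sample kvno values are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the KVNO check used to tell which KDC answered.
 * Added example, not Samba's test code.  Assumption: RODC krbtgt kvnos
 * are (rodc_krbtgt_number << 16) | key_version; the full DC's krbtgt
 * kvno fits in the lower 16 bits.
 */

enum kdc_origin {
	KDC_ORIGIN_FULL_DC,	/* kvno has no RODC number: main DC answered */
	KDC_ORIGIN_THIS_RODC,	/* kvno carries the expected RODC number */
	KDC_ORIGIN_OTHER_RODC,	/* kvno carries a different RODC number */
};

/* RODC krbtgt number stored in the upper 16 bits (0 for the full DC). */
uint16_t kvno_rodc_number(uint32_t kvno)
{
	return (uint16_t)(kvno >> 16);
}

/* Plain key version number in the lower 16 bits. */
uint16_t kvno_key_version(uint32_t kvno)
{
	return (uint16_t)(kvno & 0xffff);
}

/*
 * Classify the kvno found in the encrypted part of a KDC reply against the
 * krbtgt number of the RODC the client was configured to talk to.
 */
enum kdc_origin classify_reply_kvno(uint32_t reply_kvno, uint16_t expected_rodc)
{
	uint16_t rodc = kvno_rodc_number(reply_kvno);

	if (rodc == 0) {
		return KDC_ORIGIN_FULL_DC;
	}
	if (rodc == expected_rodc) {
		return KDC_ORIGIN_THIS_RODC;
	}
	return KDC_ORIGIN_OTHER_RODC;
}

/*
 * Decide whether the observed origin matches what a test expects: an
 * account whose password is cached on the RODC must be answered locally,
 * any other account must have been proxied to the full DC.
 */
bool reply_origin_is_expected(uint32_t reply_kvno, uint16_t expected_rodc,
			      bool account_cached_on_rodc)
{
	enum kdc_origin origin = classify_reply_kvno(reply_kvno, expected_rodc);

	if (account_cached_on_rodc) {
		return origin == KDC_ORIGIN_THIS_RODC;
	}
	return origin == KDC_ORIGIN_FULL_DC;
}

int main(void)
{
	/* constructed sample values: the RODC has krbtgt number 3 and its
	 * krbtgt key version is 2; the full DC's krbtgt is at version 5 */
	const uint16_t rodc_number = 3;
	const uint32_t from_rodc = ((uint32_t)rodc_number << 16) | 2;
	const uint32_t from_dc = 5;

	printf("cached account answered by RODC:   %s\n",
	       reply_origin_is_expected(from_rodc, rodc_number, true) ? "ok" : "FAIL");
	printf("uncached account proxied to DC:    %s\n",
	       reply_origin_is_expected(from_dc, rodc_number, false) ? "ok" : "FAIL");
	printf("uncached account answered by RODC: %s\n",
	       reply_origin_is_expected(from_rodc, rodc_number, false) ? "ok" : "FAIL");
	return 0;
}
```

The same split is useful outside the test suite: a ticket encrypted under a kvno with a non-zero upper half was issued with an RODC-specific krbtgt key, which is how a full DC (or a log reviewer) can tell RODC-issued tickets apart from those of the main KDC.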

commit c1280569a97be772549debbecb374c53a6cdf796
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Dec 18 17:23:43 2014 +1300

    selftest: Add test for enterprise UPN in a different domain
    
    Pair-programmed-with: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit 86021a081fa7973d00ac3665296ffcfc9e834fb0
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Dec 17 17:02:53 2014 +1300

    kdc: Fix enterprise principal name handling
    
    Based on a patch by Samuel Cabrero <scabr...@zentyal.com>
    
    This ensures we write the correct (implicit, samAccountName) based UPN into
    the ticket, rather than the userPrincipalName, which will have a different
    realm.
    
    Pair-programmed-with: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>

commit 891c4c6a403cc0904c37caaf500bb3a4e3a646c7
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Jan 21 11:45:45 2015 +1300

    heimdal: Ensure that HDB_ERR_NOT_FOUND_HERE, critical for the RODC, is not overwritten
    
    This change ensures that our RODC will correctly proxy when asked to provide
    a ticket for a service or user where the keys are not on this RODC.
    
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Pair-programmed-with: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit da4ac71eaba84fa6227b7d9f3adb204003ceaa70
Author: Nicolas Williams <n...@cryptonector.com>
Date:   Wed Dec 17 16:57:40 2014 +1300

    heimdal: Really bug in KDC handling of enterprise princs
    
    The value of this commit to Samba is to continue to match Heimdal's
    upstream code in this area.  Because we set HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL
    there is no runtime difference.
    
    (commit message by Andrew Bartlett)
    
    Cherry-pick of Heimdal commit 9aa7883ff2efb3e0a60016c9090c577acfd0779f
    
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Garming Sam <garm...@catalyst.net.nz>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit fe99c420b21933e0dc11a5c4193e9af4cbfc574e
Author: Nicolas Williams <n...@cryptonector.com>
Date:   Wed Dec 17 16:55:34 2014 +1300

    heimdal: Fix bug in KDC handling of enterprise principals
    
    The useful change in Samba from this commit is that we gain
    validation of the enterprise principal name.
    
    (commit message by Andrew Bartlett)
    
    Cherry-pick of Heimdal commit c76ec8ec6a507a6f34ca80c11e5297146acff83f
    
    Reviewed-by: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a07598db9cefcad4accd9e189c748a5bed630cf6
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Jan 6 13:24:04 2015 +1300

    torture: Extend KDC test to cover more options and modes
    
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Pair-programmed-with: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit 672ade3876877ad30e4367f0cd01e660b0def8cd
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Jan 5 17:48:50 2015 +1300

    torture: Decode expected packets and test KDC behaviour for wrong passwords
    
    Pair-programmed-with: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit fc84d35c4eaf50ca8139b1210201be12d89a0b3e
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Jan 5 16:48:08 2015 +1300

    torture: Additionally run testsuite for krb5 and KDC behaviour against all the DC envs
    
    Pair-programmed-with: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit ff240c84e471fb6e83f663fef6b0ec7f257832e2
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Jan 5 16:32:23 2015 +1300

    torture: Additionally run testsuite for krb5 and KDC behaviour with unprivileged accounts
    
    Pair-programmed-with: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit 378bb04835a377699a8ff254c0ec633ac63a41de
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Jan 5 16:07:42 2015 +1300

    torture: Run new testsuite for krb5 and KDC behaviour with machine account also
    
    Pair-programmed-with: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit 9a0aa6f6f7217399eaac34aa8ac82b49d953175a
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Jan 5 14:54:45 2015 +1300

    torture: Start a new testsuite for krb5 and KDC behaviour
    
    Pair-programmed-with: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 selftest/knownfail                        |   4 +
 selftest/target/Samba.pm                  |   8 +-
 selftest/target/Samba4.pm                 |  54 +++
 source4/auth/kerberos/krb5_init_context.c | 123 +++++--
 source4/auth/kerberos/krb5_init_context.h |   6 +
 source4/heimdal/kdc/misc.c                |  87 +++--
 source4/kdc/db-glue.c                     | 120 ++++---
 source4/kdc/hdb-samba4.c                  |   2 +-
 source4/selftest/tests.py                 |  22 ++
 source4/torture/krb5/kdc-canon.c          | 541 ++++++++++++++++++++++++++++++
 source4/torture/krb5/kdc.c                | 442 ++++++++++++++++++++++++
 source4/torture/krb5/wscript_build        |  11 +
 source4/torture/wscript_build             |   1 +
 testprogs/blackbox/test_kinit.sh          |  23 +-
 14 files changed, 1322 insertions(+), 122 deletions(-)
 create mode 100644 source4/torture/krb5/kdc-canon.c
 create mode 100644 source4/torture/krb5/kdc.c
 create mode 100644 source4/torture/krb5/wscript_build


Changeset truncated at 500 lines:

diff --git a/selftest/knownfail b/selftest/knownfail
index af7e7fd..5fc05a0 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -296,3 +296,7 @@
 ^samba.blackbox.wbinfo\(s3member:local\).wbinfo -G check for sane 
mapping\(s3member:local\)
 ^samba.ntlm_auth.\(dc:local\).ntlm_auth against winbindd with failed 
require-membership-of
 ^samba.ntlm_auth.\(dc:local\).ntlm_auth with NTLMSSP gss-spnego-client and 
gss-spnego server against winbind with failed require-membership-of
+#
+# Differences in our KDC compared to windows
+#
+^samba4.krb5.kdc .*.as-req-pac-request # We should reply to a request for a 
PAC over UDP with KRB5KRB_ERR_RESPONSE_TOO_BIG unconditionally
\ No newline at end of file
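Review bot: the file still ends without a trailing newline ("\ No newline at end of file"), so the next entry appended to knownfail will show this line as modified again; end the new `^samba4.krb5.kdc .*.as-req-pac-request` line with a newline. In the same pattern the dots in `samba4.krb5.kdc` and in `.*.as-req` are unescaped regex metacharacters; the entries above this hunk escape their literal characters (`\(dc:local\)`), so `\.as-req-pac-request` would be consistent and would not also match unrelated names.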
diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index ccc63f3..2b7343d 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -124,7 +124,8 @@ sub mk_krb5_conf($$)
 sub mk_realms_stanza($$$$)
 {
        my ($realm, $dnsname, $domain, $kdc_ipv4) = @_;
-
+       my $lc_domain = lc($domain);
+       
        my $realms_stanza = "
  $realm = {
   kdc = $kdc_ipv4:88
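Review bot: the line replacing the blank one after `my ($realm, $dnsname, $domain, $kdc_ipv4) = @_;` is `+       ` with trailing whitespace only; keep it as an empty line so the new `my $lc_domain = lc($domain);` does not come with whitespace noise.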
@@ -141,6 +142,11 @@ sub mk_realms_stanza($$$$)
   admin_server = $kdc_ipv4:88
   default_domain = $dnsname
  }
+ $lc_domain = {
+  kdc = $kdc_ipv4:88
+  admin_server = $kdc_ipv4:88
+  default_domain = $dnsname
+ }
 
 ";
         return $realms_stanza;
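Review bot: the new `$lc_domain = { ... }` stanza repeats the kdc, admin_server and default_domain lines of the two stanzas above it verbatim, and nothing in the hunk says which lookup needs the lower-cased NetBIOS domain to resolve as a realm. A one-line comment above the block naming that case (the commit list mentions UPN and canonicalization tests) would let a later reader know whether the stanza can be dropped, and the three blocks could be emitted from one loop over `($realm, $dnsname, $lc_domain)`.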
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 5918894..91db4f8 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -814,6 +814,49 @@ sub provision_raw_step2($$$)
                return undef;
        }
 
+       my $samba_tool_cmd = Samba::bindir_path($self, "samba-tool") 
+           . " user add --configfile=$ctx->{smb_conf} testallowed 
$ctx->{password}";
+       unless (system($samba_tool_cmd) == 0) {
+               warn("Unable to add testallowed user: \n$samba_tool_cmd\n");
+               return undef;
+       }
+
+       my $ldbmodify = Samba::bindir_path($self, "ldbmodify");
+       my $base_dn = "DC=".join(",DC=", split(/\./, $ctx->{realm}));
+       my $user_dn = "cn=testallowed,cn=users,$base_dn";
+       open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb");
+       print LDIF "dn: $user_dn
+changetype: modify
+replace: userPrincipalName
+userPrincipalName: testallowed_upn\@$ctx->{realm}
+-          
+";
+       close(LDIF);
+
+       $samba_tool_cmd = Samba::bindir_path($self, "samba-tool") 
+           . " user add --configfile=$ctx->{smb_conf} testdenied 
$ctx->{password}";
+       unless (system($samba_tool_cmd) == 0) {
+               warn("Unable to add testdenied user: \n$samba_tool_cmd\n");
+               return undef;
+       }
+
+       my $user_dn = "cn=testdenied,cn=users,$base_dn";
+       open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb");
+       print LDIF "dn: $user_dn
+changetype: modify
+replace: userPrincipalName
+userPrincipalName: testdenied_upn\@$ctx->{realm}.upn
+-          
+";
+       close(LDIF);
+
+       $samba_tool_cmd = Samba::bindir_path($self, "samba-tool") 
+           . " group addmembers --configfile=$ctx->{smb_conf} 'Allowed RODC 
Password Replication Group' testallowed";
+       unless (system($samba_tool_cmd) == 0) {
+               warn("Unable to add testallowed user to 'Allowed RODC Password 
Replication Group': \n$samba_tool_cmd\n");
+               return undef;
+       }
+
        return $ret;
 }
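Review bot: `my $user_dn` is declared twice in the same scope (once for testallowed, again for testdenied); with `use strict`/`use warnings` Perl reports `"my" variable $user_dn masks earlier declaration in same scope`, so the second should be a plain assignment `$user_dn = "cn=testdenied,cn=users,$base_dn";`. Neither `open(LDIF, "|$ldbmodify -H ...")` nor `close(LDIF)` is checked, so a failing ldbmodify leaves the user without its userPrincipalName and the failure surfaces only later as a krb5 test failure; `close(LDIF) or return undef;` (with a `warn`) after each modify would make the provisioning fail where the problem is. The LDIF terminator lines `-          ` also carry trailing spaces.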
 
@@ -1586,6 +1629,17 @@ sub provision_rodc($$$)
                return undef;
        }
 
+        # This ensures deterministic behaviour for tests that want to have the 
testallowed
+        # user password verified on the RODC
+       $cmd = "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+       $cmd .= "$samba_tool rodc preload testallowed $ret->{CONFIGURATION}";
+       $cmd .= " --server=$dcvars->{DC_SERVER}";
+
+       unless (system($cmd) == 0) {
+               warn("RODC join failed\n$cmd");
+               return undef;
+       }
+
        # we overwrite the kdc after the RODC join
        # so that use the RODC as kdc and test
        # the proxy code
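Review bot: the warning `warn("RODC join failed\n$cmd");` is wrong for this block, which runs `samba-tool rodc preload testallowed`, not the join; say "RODC preload of testallowed failed" so a selftest log points at the right step. The two new comment lines are indented with eight spaces while the statements below use a tab.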
diff --git a/source4/auth/kerberos/krb5_init_context.c 
b/source4/auth/kerberos/krb5_init_context.c
index 4404b67..e8a1a6c 100644
--- a/source4/auth/kerberos/krb5_init_context.c
+++ b/source4/auth/kerberos/krb5_init_context.c
@@ -210,46 +210,31 @@ static void smb_krb5_socket_handler(struct tevent_context 
*ev, struct tevent_fd
        }
 }
 
-krb5_error_code smb_krb5_send_and_recv_func(krb5_context context,
-                                           void *data,
-                                           krb5_krbhst_info *hi,
-                                           time_t timeout,
-                                           const krb5_data *send_buf,
-                                           krb5_data *recv_buf)
+static krb5_error_code smb_krb5_send_and_recv_func_int(krb5_context context,
+                                                      struct tevent_context 
*ev,
+                                                      krb5_krbhst_info *hi,
+                                                      struct addrinfo *ai,
+                                                      krb5_send_to_kdc_func 
func,
+                                                      void *data,
+                                                      time_t timeout,
+                                                      const krb5_data 
*send_buf,
+                                                      krb5_data *recv_buf)
 {
        krb5_error_code ret;
        NTSTATUS status;
        const char *name;
-       struct addrinfo *ai, *a;
+       struct addrinfo *a;
        struct smb_krb5_socket *smb_krb5;
 
        DATA_BLOB send_blob;
 
-       struct tevent_context *ev;
        TALLOC_CTX *tmp_ctx = talloc_new(NULL);
        if (!tmp_ctx) {
                return ENOMEM;
        }
 
-       if (!data) {
-               /* If no event context was available, then create one for this 
loop */
-               ev = samba_tevent_context_init(tmp_ctx);
-               if (!ev) {
-                       talloc_free(tmp_ctx);
-                       return ENOMEM;
-               }
-       } else {
-               ev = talloc_get_type_abort(data, struct tevent_context);
-       }
-
        send_blob = data_blob_const(send_buf->data, send_buf->length);
 
-       ret = krb5_krbhst_get_addrinfo(context, hi, &ai);
-       if (ret) {
-               talloc_free(tmp_ctx);
-               return ret;
-       }
-
        for (a = ai; a; a = a->ai_next) {
                struct socket_address *remote_addr;
                smb_krb5 = talloc(tmp_ctx, struct smb_krb5_socket);
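Review bot: the new `smb_krb5_send_and_recv_func_int` signature adds `ev`, `ai`, `func` and `data` but carries no comment on their contract: `func` may be NULL (the forced wrapper later in this file passes NULL, which the `if (func)` guard in the next hunk depends on), `data` is only meaningful together with `func`, and `ai` is borrowed from the caller and not freed here. A short comment above the function stating those three points would save the next reader from reconstructing them from both wrappers.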
@@ -359,18 +344,20 @@ krb5_error_code smb_krb5_send_and_recv_func(krb5_context 
context,
                                return EINVAL;
                        }
 
-                       /* After each and every event loop, reset the
-                        * send_to_kdc pointers to what they were when
-                        * we entered this loop.  That way, if a
-                        * nested event has invalidated them, we put
-                        * it back before we return to the heimdal
-                        * code */
-                       ret = krb5_set_send_to_kdc_func(context,
-                                                       
smb_krb5_send_and_recv_func,
-                                                       data);
-                       if (ret != 0) {
-                               talloc_free(tmp_ctx);
-                               return ret;
+                        if (func) {
+                               /* After each and every event loop, reset the
+                                * send_to_kdc pointers to what they were when
+                                * we entered this loop.  That way, if a
+                                * nested event has invalidated them, we put
+                                * it back before we return to the heimdal
+                                * code */
+                               ret = krb5_set_send_to_kdc_func(context,
+                                                               func,
+                                                               data);
+                               if (ret != 0) {
+                                       talloc_free(tmp_ctx);
+                                       return ret;
+                               }
                        }
                }
                if (NT_STATUS_EQUAL(smb_krb5->status, NT_STATUS_IO_TIMEOUT)) {
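Review bot: the new `if (func) {` line is indented with spaces while the block it opens and the surrounding code use tabs, which will show up as a whitespace error in later diffs; re-indent it with tabs.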
@@ -407,6 +394,68 @@ krb5_error_code smb_krb5_send_and_recv_func(krb5_context 
context,
        }
        return KRB5_KDC_UNREACH;
 }
+
+krb5_error_code smb_krb5_send_and_recv_func(krb5_context context,
+                                           void *data,
+                                           krb5_krbhst_info *hi,
+                                           time_t timeout,
+                                           const krb5_data *send_buf,
+                                           krb5_data *recv_buf)
+{
+       krb5_error_code ret;
+       struct addrinfo *ai;
+
+       struct tevent_context *ev;
+       TALLOC_CTX *tmp_ctx = talloc_new(NULL);
+       if (!tmp_ctx) {
+               return ENOMEM;
+       }
+
+       if (!data) {
+               /* If no event context was available, then create one for this 
loop */
+               ev = samba_tevent_context_init(tmp_ctx);
+               if (!ev) {
+                       talloc_free(tmp_ctx);
+                       return ENOMEM;
+               }
+       } else {
+               ev = talloc_get_type_abort(data, struct tevent_context);
+       }
+
+       ret = krb5_krbhst_get_addrinfo(context, hi, &ai);
+       if (ret) {
+               talloc_free(tmp_ctx);
+               return ret;
+       }
+       return smb_krb5_send_and_recv_func_int(context, ev, hi, ai, 
smb_krb5_send_and_recv_func, data, timeout, send_buf, recv_buf);
+}
+
+krb5_error_code smb_krb5_send_and_recv_func_forced(krb5_context context,
+                                                  void *data, /* struct 
addrinfo */
+                                                  krb5_krbhst_info *hi,
+                                                  time_t timeout,
+                                                  const krb5_data *send_buf,
+                                                  krb5_data *recv_buf)
+{
+       struct addrinfo *ai = data;
+
+       struct tevent_context *ev;
+       TALLOC_CTX *tmp_ctx = talloc_new(NULL);
+       if (!tmp_ctx) {
+               return ENOMEM;
+       }
+
+       /* If no event context was available, then create one for this loop */
+       ev = samba_tevent_context_init(tmp_ctx);
+       if (!ev) {
+               talloc_free(tmp_ctx);
+               return ENOMEM;
+       }
+
+       /* No need to pass in send_and_recv functions, we won't nest on this 
private event loop */
+       return smb_krb5_send_and_recv_func_int(context, ev, hi, ai, NULL, NULL,
+                                              timeout, send_buf, recv_buf);
+}
 #endif
 
 krb5_error_code
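Review bot: both new wrappers leak `tmp_ctx`. `smb_krb5_send_and_recv_func` does `TALLOC_CTX *tmp_ctx = talloc_new(NULL);`, allocates the tevent context under it on the `!data` path, and then does `return smb_krb5_send_and_recv_func_int(...)` without `talloc_free(tmp_ctx)`; `smb_krb5_send_and_recv_func_forced` has the same shape and always allocates its tevent context there. Capture the result in `ret`, `talloc_free(tmp_ctx);` and then return it, in both functions. In the forced variant `data` is documented only by `/* struct addrinfo */`, so a caller passing a tevent context as the other wrapper expects would be silently misinterpreted; a comment above the function stating that it sends to the given address list instead of resolving `hi` would help.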
diff --git a/source4/auth/kerberos/krb5_init_context.h 
b/source4/auth/kerberos/krb5_init_context.h
index 3c32069..6c997c5 100644
--- a/source4/auth/kerberos/krb5_init_context.h
+++ b/source4/auth/kerberos/krb5_init_context.h
@@ -45,6 +45,12 @@ krb5_error_code smb_krb5_send_and_recv_func(krb5_context 
context,
                                            time_t timeout,
                                            const krb5_data *send_buf,
                                            krb5_data *recv_buf);
+krb5_error_code smb_krb5_send_and_recv_func_forced(krb5_context context,
+                                                  void *data, /* struct 
addrinfo */
+                                                  krb5_krbhst_info *hi,
+                                                  time_t timeout,
+                                                  const krb5_data *send_buf,
+                                                  krb5_data *recv_buf);
 krb5_error_code smb_krb5_context_set_event_ctx(struct smb_krb5_context 
*smb_krb5_context,
                                               struct tevent_context *ev,
                                               struct tevent_context 
**previous_ev);
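Review bot: the new prototype is only annotated with `/* struct addrinfo */` on `data`; since `smb_krb5_send_and_recv_func` in the same header takes a tevent context in that slot, add a comment above `smb_krb5_send_and_recv_func_forced` saying it sends to the supplied address list rather than to the KDCs resolved from `hi`, so callers do not confuse the two `data` meanings.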
diff --git a/source4/heimdal/kdc/misc.c b/source4/heimdal/kdc/misc.c
index 1b2c440..4ef5439 100644
--- a/source4/heimdal/kdc/misc.c
+++ b/source4/heimdal/kdc/misc.c
@@ -48,41 +48,36 @@ _kdc_db_fetch(krb5_context context,
     krb5_error_code ret = HDB_ERR_NOENTRY;
     int i;
     unsigned kvno = 0;
+    krb5_principal enterprise_principal = NULL;
+    krb5_const_principal princ;
+
+    *h = NULL;
 
     if (kvno_ptr) {
            kvno = *kvno_ptr;
            flags |= HDB_F_KVNO_SPECIFIED;
     }
 
-    ent = calloc (1, sizeof (*ent));
-    if (ent == NULL) {
-       krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
-       return ENOMEM;
+    ent = calloc(1, sizeof (*ent));
+    if (ent == NULL)
+        return krb5_enomem(context);
+
+    if (principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+        if (principal->name.name_string.len != 1) {
+            ret = KRB5_PARSE_MALFORMED;
+            krb5_set_error_message(context, ret,
+                                   "malformed request: "
+                                   "enterprise name with %d name components",
+                                   principal->name.name_string.len);
+            goto out;
+        }
+        ret = krb5_parse_name(context, principal->name.name_string.val[0],
+                              &enterprise_principal);
+        if (ret)
+            goto out;
     }
 
-    for(i = 0; i < config->num_db; i++) {
-       krb5_principal enterprise_principal = NULL;
-       if (!(config->db[i]->hdb_capability_flags & 
HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL)
-           && principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
-           if (principal->name.name_string.len != 1) {
-               ret = KRB5_PARSE_MALFORMED;
-               krb5_set_error_message(context, ret,
-                                      "malformed request: "
-                                      "enterprise name with %d name 
components",
-                                      principal->name.name_string.len);
-               free(ent);
-               return ret;
-           }
-           ret = krb5_parse_name(context, principal->name.name_string.val[0],
-                                 &enterprise_principal);
-           if (ret) {
-               free(ent);
-               return ret;
-           }
-
-           principal = enterprise_principal;
-       }
-
+    for (i = 0; i < config->num_db; i++) {
        ret = config->db[i]->hdb_open(context, config->db[i], O_RDONLY, 0);
        if (ret) {
            const char *msg = krb5_get_error_message(context, ret);
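Review bot: moving the enterprise-name parse ahead of the database loop changes when it applies: `krb5_parse_name` now runs on every KRB5_NT_ENTERPRISE_PRINCIPAL request, whereas before it ran only for backends without HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL, so a malformed enterprise name is rejected with KRB5_PARSE_MALFORMED before any backend is consulted. That is the validation the commit message wants, but a comment above the new block should say so, since the capability-flag check below now only selects which principal to pass. The added lines use four-space indentation between tab-indented context lines.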
@@ -91,26 +86,48 @@ _kdc_db_fetch(krb5_context context,
            continue;
        }
 
+        princ = principal;
+        if (!(config->db[i]->hdb_capability_flags & 
HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL) && enterprise_principal)
+            princ = enterprise_principal;
+
        ret = config->db[i]->hdb_fetch_kvno(context,
                                            config->db[i],
-                                           principal,
+                                           princ,
                                            flags | HDB_F_DECRYPT,
                                            kvno,
                                            ent);
-
-       krb5_free_principal(context, enterprise_principal);
-
        config->db[i]->hdb_close(context, config->db[i]);
-       if(ret == 0) {
+
+       switch (ret) {
+       case 0:
            if (db)
                *db = config->db[i];
            *h = ent;
-           return 0;
+            ent = NULL;
+            goto out;
+
+       case HDB_ERR_NOENTRY:
+           /* Check the other databases */
+           continue;
+
+       default:
+           /* 
+            * This is really important, because errors like
+            * HDB_ERR_NOT_FOUND_HERE (used to indicate to Samba that
+            * the RODC on which this code is running does not have
+            * the key we need, and so a proxy to the KDC is required)
+            * have specific meaning, and need to be propogated up.
+            */
+           goto out;
        }
     }
+
+    if (ret == HDB_ERR_NOENTRY) {
+       krb5_set_error_message(context, ret, "no such entry found in hdb");
+    }
+out:
+    krb5_free_principal(context, enterprise_principal);
     free(ent);
-    krb5_set_error_message(context, ret,
-                          "no such entry found in hdb");
     return ret;
 }
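Review bot: the `default:` case now preserves backend errors such as HDB_ERR_NOT_FOUND_HERE instead of falling through to the "no such entry found in hdb" message, which is the fix; two small points on the same lines. The new comment spells "propogated" (should be "propagated"). And `case 0:` sets `ent = NULL` before `goto out` so that the `free(ent)` at `out:` is a no-op for the successful entry; that is correct but easy to miss next to `*h = ent;`, so a short comment like "ownership passed to *h" on the `ent = NULL;` line would help.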
 
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 37e2f9e..042abe6 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -374,6 +374,7 @@ static krb5_error_code 
samba_kdc_message2entry_keys(krb5_context context,
        if (allocated_keys == 0) {
                if (kdc_db_ctx->rodc) {
                        /* We are on an RODC, but don't have keys for this 
account.  Signal this to the caller */
+                       /* TODO:  We need to call a generalised version of 
auth_sam_trigger_repl_secret from here */
                        return HDB_ERR_NOT_FOUND_HERE;
                }
 
@@ -625,8 +626,52 @@ static krb5_error_code 
samba_kdc_message2entry(krb5_context context,
                userAccountControl |= msDS_User_Account_Control_Computed;
        }
 
+       /* 
+        * If we are set to canonicalize, we get back the fixed UPPER
+        * case realm, and the real username (ie matching LDAP
+        * samAccountName) 
+        *
+        * Otherwise, if we are set to enterprise, we
+        * get back the whole principal as-sent 
+        *
+        * Finally, if we are not set to canonicalize, we get back the
+        * fixed UPPER case realm, but the as-sent username
+        */
+
        entry_ex->entry.principal = 
malloc(sizeof(*(entry_ex->entry.principal)));
-       if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) {
+       if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT) {
+               ret = krb5_copy_principal(context, principal, 
&entry_ex->entry.principal);
+               if (ret) {
+                       return ret;
+               }
+
+               /*
+                * Windows seems to canonicalize the principal
+                * in a TGS REP even if the client did not specify
+                * the canonicalize flag.
+                */
+               if (flags & (HDB_F_CANON|HDB_F_FOR_TGS_REQ)) {
+                       /* When requested to do so, ensure that the
+                        * both realm values in the principal are set
+                        * to the upper case, canonical realm */
+                       
free(entry_ex->entry.principal->name.name_string.val[1]);
+                       entry_ex->entry.principal->name.name_string.val[1] = 
strdup(lpcfg_realm(lp_ctx));
+                       if 
(!entry_ex->entry.principal->name.name_string.val[1]) {
+                               ret = ENOMEM;
+                               krb5_set_error_message(context, ret, 
"samba_kdc_fetch: strdup() failed!");
+                               return ret;
+                       }
+               }
+               /* 
+                * this has to be with malloc(), and appears to be
+                * required regardless of the canonicalize flag from
+                * the client 
+                */
+               krb5_principal_set_realm(context, entry_ex->entry.principal, 
lpcfg_realm(lp_ctx));
+
+       } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) {
+               krb5_make_principal(context, &entry_ex->entry.principal, 
lpcfg_realm(lp_ctx), samAccountName, NULL);
+       } else if (flags & HDB_F_CANON) {
                krb5_make_principal(context, &entry_ex->entry.principal, 
lpcfg_realm(lp_ctx), samAccountName, NULL);
        } else {
                ret = copy_Principal(principal, entry_ex->entry.principal);
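Review bot: in the new SAMBA_KDC_ENT_TYPE_KRBTGT branch `entry_ex->entry.principal` has just been assigned by `malloc(sizeof(*(entry_ex->entry.principal)))` two lines above, and `krb5_copy_principal(context, principal, &entry_ex->entry.principal)` allocates a fresh principal into the same pointer, so the first allocation leaks on every krbtgt fetch; either skip the malloc for this branch or use `copy_Principal` into the existing allocation as the final `else` does. The two error paths in the branch `return ret;` while the rest of the function uses `goto out;`. `free(entry_ex->entry.principal->name.name_string.val[1])` assumes the krbtgt principal has exactly two components; that holds for krbtgt/REALM@REALM, but checking `name_string.len == 2` before touching `val[1]` costs one line and avoids an out-of-bounds access on an odd request.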
@@ -635,14 +680,16 @@ static krb5_error_code 
samba_kdc_message2entry(krb5_context context,
                        goto out;
                }
 
-               /* While we have copied the client principal, tests
-                * show that Win2k3 returns the 'corrected' realm, not
-                * the client-specified realm.  This code attempts to
-                * replace the client principal's realm with the one
-                * we determine from our records */
-
-               /* this has to be with malloc() */
-               krb5_principal_set_realm(context, entry_ex->entry.principal, 
lpcfg_realm(lp_ctx));
+               if (principal->name.name_type != KRB5_NT_ENTERPRISE_PRINCIPAL) {
+                       /* While we have copied the client principal, tests
+                        * show that Win2k3 returns the 'corrected' realm, not
+                        * the client-specified realm.  This code attempts to
+                        * replace the client principal's realm with the one
+                        * we determine from our records */
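Review bot: the comment being re-indented here still explains only the Win2k3 realm correction; since the new `if (principal->name.name_type != KRB5_NT_ENTERPRISE_PRINCIPAL)` is what exempts enterprise principals from it, add one sentence stating that enterprise names are returned as sent (the case described in commit 9fc3f1e). The remainder of this hunk is beyond the 500-line cut of this notification and is not visible here.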


-- 
Samba Shared Repository
