The branch, master has been updated
       via  c07a54b torture: Fix the usage of the MEMORY credential cache.
       via  a9bcc86 kdc-db-glue: Remove unused code.
       via  b21b2d5 kdc-db-glue: Do not allocate memory for the principal
       via  aa1431e kdc-db-glue: Fix memory cleanup to avoid crashes.
       via  6ada266 kdc-db-glue: Fix function format of samba_kdc_message2entry()
       via  b9072d9 kdc-db-glue: Fix a NULL pointer dereference.
       via  13cd1d5 s4-kdc/db_glue: bad idea to free parent mem_ctx when sub function got a failure.
       via  6d6712f s4-kdc/pac_glue: only include required headers.
       via  c5965c4 s4-kdc/pac_glue: use ENCTYPE_ARCFOUR_HMAC just like in db_glue.
       via  e49802a s4-kdc/db-glue: use krb5_copy_data_contents in samba_kdc_message2entry_keys().
       via  51191bd s4-kdc/pac_glue: use krb5_copy_data_contents in samba_make_krb5_pac().
       via  c5eb9b3 s4-kdc/db_glue: use KRB5_PW_SALT instead of hdb type.
       via  683ba8a s4-kdc/db_glue: use smb_krb5_principal_get_type() to access private members
       via  3ee26c4 s4-kdc/db_glue: use KRB5_KEY_TYPE to access private key members.
       via  0163c94 s4-kdc/db_glue: use time_t directly instead of KerberosTime.
       via  668f1e9 s4-kdc/db_glue: use krb5_principal_get_comp_string() to access members of private structs.
       via  75602bf s4-kdc/db_glue: use krb5_princ_size() instead of inspecting private structs.
       via  10a06fc s4-kdc/db_glue: use smb_krb5_principal_get_realm().
       via  8b2cada s4:kdc/db-glue: pass a valid principal from samba_kdc_seq() to samba_kdc_message2entry()
       via  463be9f s4-kdc/db_glue: use smb_krb5_principal_set_realm().
       via  b705ec9 s4-kdc/db_glue: use krb5_copy_principal().
       via  7296f1b s4-kdc/db_glue: use smb_krb5_make_principal().
       via  2b29bfe s4-kdc/db_glue: use smb_krb5_keyblock_init_contents().
       via  07edd10 s4-kdc/db_glue: no need to include kdc/kdc-glue.h header here.
       via  2f6cdbb s4-kdc/db_glue: no need to NULL entry_ex->entry.generation.
       via  b74413b s4-kdc/db_glue: remove unused hdb_entry_ex from samba_kdc_seq().
       via  d823885 s4-kdc/db_glue: fix Debug messages.
       via  9713734 s4-kdc/pac-glue: use kerberos_free_data_contents().
       via  1e9e40e s4-libnet: only build python_dckeytab when heimdal is available.
       via  ad0fd58 s4-rpc_server: only build backup_key rpc service when Heimdal is available.
       via  2ad3dcc s4-dsdb/samdb: use abstract functions for MIT compatibility.
       via  d86f7b9 s3-winbind: Correct debug message for starting winbind.
       via  8a5db7d dlz_bind9: Fix keytab location.
       via  10a135a YouCompleteMe: Add missing path.
      from  1fc1dfe s4:torture/libnetapi: remove allow_warnings=True
https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit c07a54b2941c0d5dc69eb435405daddac1b994bf
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Feb 26 17:03:44 2015 +0100

    torture: Fix the usage of the MEMORY credential cache.

    Pair-Programmed-With: Guenther Deschner <g...@samba.org>
    Pair-Programmed-With: Stefan Metzmacher <me...@samba.org>

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Signed-off-by: Guenther Deschner <g...@samba.org>
    Signed-off-by: Stefan Metzmacher <me...@samba.org>

    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Sat Mar 21 02:03:34 CET 2015 on sn-devel-104

commit a9bcc86504971e6c30d782364f912e95eff2e93f
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Feb 25 11:57:23 2015 +0100

    kdc-db-glue: Remove unused code.

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit b21b2d596ebc0a11b3f8c19de0498cc8c0783655
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Feb 25 11:56:34 2015 +0100

    kdc-db-glue: Do not allocate memory for the principal

    The function we are calling already allocates memory.

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit aa1431e53febdeb80d2c93f6e330fbaedb607ba3
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Feb 25 11:55:43 2015 +0100

    kdc-db-glue: Fix memory cleanup to avoid crashes.

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 6ada266dcf8e6e33a5f58afc0568db540b7430cc
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Feb 25 11:54:52 2015 +0100

    kdc-db-glue: Fix function format of samba_kdc_message2entry()

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit b9072d974131de613949e368ada5e5d754375007
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Feb 25 11:52:45 2015 +0100

    kdc-db-glue: Fix a NULL pointer dereference.

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 13cd1d5c58668313fd26aa00406bcfad1fccf256
Author: Günther Deschner <g...@samba.org>
Date:   Tue Feb 10 14:38:22 2015 +0100

    s4-kdc/db_glue: bad idea to free parent mem_ctx when sub function got a failure.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 6d6712fdde2b82d20f8c395110efa0706324ad71
Author: Günther Deschner <g...@samba.org>
Date:   Thu May 8 15:49:17 2014 +0200

    s4-kdc/pac_glue: only include required headers.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit c5965c41aec216fc91f6dcd412911f43b77b0a81
Author: Günther Deschner <g...@samba.org>
Date:   Thu May 8 15:20:59 2014 +0200

    s4-kdc/pac_glue: use ENCTYPE_ARCFOUR_HMAC just like in db_glue.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit e49802a02df6b624e4667e1ca375e5cb57df3fa9
Author: Günther Deschner <g...@samba.org>
Date:   Mon May 12 17:45:26 2014 +0200

    s4-kdc/db-glue: use krb5_copy_data_contents in samba_kdc_message2entry_keys().

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 51191bd9d80124bbaa9a865893bf4aa0936c2fb6
Author: Günther Deschner <g...@samba.org>
Date:   Mon May 12 17:45:14 2014 +0200

    s4-kdc/pac_glue: use krb5_copy_data_contents in samba_make_krb5_pac().

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit c5eb9b388ec666678afdf63dae793aa8e9c87388
Author: Günther Deschner <g...@samba.org>
Date:   Thu May 8 14:32:47 2014 +0200

    s4-kdc/db_glue: use KRB5_PW_SALT instead of hdb type.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 683ba8a09db46f9fa936e6c2e3323ce232ef686d
Author: Günther Deschner <g...@samba.org>
Date:   Thu May 8 12:21:43 2014 +0200

    s4-kdc/db_glue: use smb_krb5_principal_get_type() to access private members

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 3ee26c43b935591f77857cb5178b07fa02d21b09
Author: Günther Deschner <g...@samba.org>
Date:   Thu May 8 10:50:21 2014 +0200

    s4-kdc/db_glue: use KRB5_KEY_TYPE to access private key members.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 0163c9403e83fb37ef5a75921e77759ac800835a
Author: Günther Deschner <g...@samba.org>
Date:   Thu May 8 10:49:00 2014 +0200

    s4-kdc/db_glue: use time_t directly instead of KerberosTime.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 668f1e9ab02070217cc710b654a197f5f35f8e59
Author: Günther Deschner <g...@samba.org>
Date:   Thu May 8 10:44:09 2014 +0200

    s4-kdc/db_glue: use krb5_principal_get_comp_string() to access members of private structs.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 75602bf1aed68026c61260442f1095b5a8940436
Author: Günther Deschner <g...@samba.org>
Date:   Thu May 8 10:25:07 2014 +0200

    s4-kdc/db_glue: use krb5_princ_size() instead of inspecting private structs.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 10a06fcd55c314d87c378b561bb7b57c756428ad
Author: Günther Deschner <g...@samba.org>
Date:   Thu May 8 10:10:49 2014 +0200

    s4-kdc/db_glue: use smb_krb5_principal_get_realm().

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 8b2cada705644dd398b0eed73c43b53483f00f71
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Mar 20 15:29:30 2015 +0100

    s4:kdc/db-glue: pass a valid principal from samba_kdc_seq() to samba_kdc_message2entry()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit 463be9f676b93c39f5fed3e3b8903bfb21d9c380
Author: Günther Deschner <g...@samba.org>
Date:   Thu May 8 10:09:17 2014 +0200

    s4-kdc/db_glue: use smb_krb5_principal_set_realm().

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit b705ec95d4907f3f887b36963950fe0f18807273
Author: Günther Deschner <g...@samba.org>
Date:   Wed May 7 17:14:14 2014 +0200

    s4-kdc/db_glue: use krb5_copy_principal().

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 7296f1b2f5a9bb9287aaee2f57469371d2bf5679
Author: Günther Deschner <g...@samba.org>
Date:   Wed May 7 16:47:52 2014 +0200

    s4-kdc/db_glue: use smb_krb5_make_principal().

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 2b29bfe62adbd2900646be08758c842ffa885004
Author: Günther Deschner <g...@samba.org>
Date:   Wed May 7 16:46:31 2014 +0200

    s4-kdc/db_glue: use smb_krb5_keyblock_init_contents().

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 07edd10ba5a3b11684da81eb910aa42fcd3d327c
Author: Günther Deschner <g...@samba.org>
Date:   Wed May 7 19:58:39 2014 +0200

    s4-kdc/db_glue: no need to include kdc/kdc-glue.h header here.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 2f6cdbbb90c8a8d3972734b51f2db49c0631b54c
Author: Günther Deschner <g...@samba.org>
Date:   Wed May 7 16:56:06 2014 +0200

    s4-kdc/db_glue: no need to NULL entry_ex->entry.generation.

    The whole entry_ex->entry struct is initialized already.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit b74413b3394ac2f1ea602659c0f71e1f483a477f
Author: Günther Deschner <g...@samba.org>
Date:   Wed May 7 16:37:25 2014 +0200

    s4-kdc/db_glue: remove unused hdb_entry_ex from samba_kdc_seq().

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit d82388501fcf8b80686504318738d2830b9fffcf
Author: Günther Deschner <g...@samba.org>
Date:   Wed May 7 16:11:51 2014 +0200

    s4-kdc/db_glue: fix Debug messages.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 97137347f3d73b5dd8785a66514c24055c4f18ef
Author: Günther Deschner <g...@samba.org>
Date:   Wed May 7 11:50:52 2014 +0200

    s4-kdc/pac-glue: use kerberos_free_data_contents().

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 1e9e40e1d6317eb7e83a0ba6f7617aafc893ca4c
Author: Günther Deschner <g...@samba.org>
Date:   Wed Apr 30 01:19:53 2014 +0200

    s4-libnet: only build python_dckeytab when heimdal is available.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit ad0fd589724d5dead6a7ba4c123d37ec61ec7b84
Author: Günther Deschner <g...@samba.org>
Date:   Fri Apr 25 15:21:17 2014 +0200

    s4-rpc_server: only build backup_key rpc service when Heimdal is available.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 2ad3dcc7cf688de515aeeff707b16ed7066f5cb0
Author: Günther Deschner <g...@samba.org>
Date:   Fri Apr 25 14:17:10 2014 +0200

    s4-dsdb/samdb: use abstract functions for MIT compatibility.

    This involves switching to krb5_data, smb_krb5_get_pw_salt and
    smb_krb5_create_key_from_string.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Pair-Programmed-With: Andreas Schneider <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit d86f7b9dafc58fa663d9430e16a6e90bd7455e1d
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Jan 27 16:32:48 2015 +0100

    s3-winbind: Correct debug message for starting winbind.

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 8a5db7d2f4936b54bf0ab8d36f54804cd463f967
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Feb 26 18:17:18 2015 +0100

    dlz_bind9: Fix keytab location.

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 10a135a3d7a87778c3202e1c09a3f5e4c5882ab6
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Feb 26 17:10:28 2015 +0100

    YouCompleteMe: Add missing path.
Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> ----------------------------------------------------------------------- Summary of changes: .ycm_extra_conf.py | 1 + source4/dns_server/dlz_bind9.c | 2 +- source4/dsdb/samdb/ldb_modules/password_hash.c | 59 +++--- source4/kdc/db-glue.c | 247 ++++++++++++++----------- source4/kdc/pac-glue.c | 35 ++-- source4/libnet/wscript_build | 2 +- source4/rpc_server/wscript_build | 3 +- source4/torture/rpc/remote_pac.c | 84 ++++++--- source4/winbind/winbindd.c | 2 +- 9 files changed, 260 insertions(+), 175 deletions(-) Changeset truncated at 500 lines: diff --git a/.ycm_extra_conf.py b/.ycm_extra_conf.py index fa75e22..e581561 100644 --- a/.ycm_extra_conf.py +++ b/.ycm_extra_conf.py @@ -141,6 +141,7 @@ flags = [ '-Ibin/default/source3/include', '-Ibin/default/source3/librpc/gen_ndr', '-Ibin/default/source3/param', +'-Ibin/default/source4', '-Ibin/default/source4/auth', '-Ibin/default/source4/auth/gensec', '-Ibin/default/source4/auth/kerberos', diff --git a/source4/dns_server/dlz_bind9.c b/source4/dns_server/dlz_bind9.c index 8c7192f..7a76fe5 100644 --- a/source4/dns_server/dlz_bind9.c +++ b/source4/dns_server/dlz_bind9.c @@ -1304,7 +1304,7 @@ _PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const cli_credentials_set_krb5_context(server_credentials, state->smb_krb5_ctx); cli_credentials_set_conf(server_credentials, state->lp); - keytab_name = talloc_asprintf(tmp_ctx, "file:%s/dns.keytab", + keytab_name = talloc_asprintf(tmp_ctx, "FILE:%s/dns.keytab", lpcfg_private_dir(state->lp)); ret = cli_credentials_set_keytab_name(server_credentials, state->lp, keytab_name, CRED_SPECIFIED); diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c index d304038..e266307 100644 --- a/source4/dsdb/samdb/ldb_modules/password_hash.c +++ b/source4/dsdb/samdb/ldb_modules/password_hash.c 
@@ -647,7 +647,7 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io) struct ldb_context *ldb; krb5_error_code krb5_ret; krb5_principal salt_principal; - krb5_salt salt; + krb5_data salt; krb5_keyblock key; krb5_data cleartext_data; @@ -721,7 +721,7 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io) /* * create salt from salt_principal */ - krb5_ret = krb5_get_pw_salt(io->smb_krb5_context->krb5_context, + krb5_ret = smb_krb5_get_pw_salt(io->smb_krb5_context->krb5_context, salt_principal, &salt); krb5_free_principal(io->smb_krb5_context->krb5_context, salt_principal); if (krb5_ret) { @@ -734,24 +734,26 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io) } /* create a talloc copy */ io->g.salt = talloc_strndup(io->ac, - (char *)salt.saltvalue.data, - salt.saltvalue.length); - krb5_free_salt(io->smb_krb5_context->krb5_context, salt); + (char *)salt.data, + salt.length); + kerberos_free_data_contents(io->smb_krb5_context->krb5_context, &salt); if (!io->g.salt) { return ldb_oom(ldb); } - salt.saltvalue.data = discard_const(io->g.salt); - salt.saltvalue.length = strlen(io->g.salt); + /* now use the talloced copy of the salt */ + salt.data = discard_const(io->g.salt); + salt.length = strlen(io->g.salt); /* * create ENCTYPE_AES256_CTS_HMAC_SHA1_96 key out of * the salt and the cleartext password */ - krb5_ret = krb5_string_to_key_data_salt(io->smb_krb5_context->krb5_context, - ENCTYPE_AES256_CTS_HMAC_SHA1_96, - cleartext_data, - salt, - &key); + krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context, + NULL, + &salt, + &cleartext_data, + ENCTYPE_AES256_CTS_HMAC_SHA1_96, + &key); if (krb5_ret) { ldb_asprintf_errstring(ldb, "setup_kerberos_keys: " 
@@ -772,11 +774,12 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io) * create ENCTYPE_AES128_CTS_HMAC_SHA1_96 key out of * the salt and the cleartext password */ - krb5_ret = krb5_string_to_key_data_salt(io->smb_krb5_context->krb5_context, - ENCTYPE_AES128_CTS_HMAC_SHA1_96, - cleartext_data, - salt, - &key); + krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context, + NULL, + &salt, + &cleartext_data, + ENCTYPE_AES128_CTS_HMAC_SHA1_96, + &key); if (krb5_ret) { ldb_asprintf_errstring(ldb, "setup_kerberos_keys: " @@ -797,11 +800,12 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io) * create ENCTYPE_DES_CBC_MD5 key out of * the salt and the cleartext password */ - krb5_ret = krb5_string_to_key_data_salt(io->smb_krb5_context->krb5_context, - ENCTYPE_DES_CBC_MD5, - cleartext_data, - salt, - &key); + krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context, + NULL, + &salt, + &cleartext_data, + ENCTYPE_DES_CBC_MD5, + &key); if (krb5_ret) { ldb_asprintf_errstring(ldb, "setup_kerberos_keys: " @@ -822,11 +826,12 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io) * create ENCTYPE_DES_CBC_CRC key out of * the salt and the cleartext password */ - krb5_ret = krb5_string_to_key_data_salt(io->smb_krb5_context->krb5_context, - ENCTYPE_DES_CBC_CRC, - cleartext_data, - salt, - &key); + krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context, + NULL, + &salt, + &cleartext_data, + ENCTYPE_DES_CBC_CRC, + &key); if (krb5_ret) { ldb_asprintf_errstring(ldb, "setup_kerberos_keys: " diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index bc82482..d60b602 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -34,7 +34,6 @@ #include "auth/kerberos/kerberos.h" #include <hdb.h> #include "kdc/samba_kdc.h" -#include "kdc/kdc-glue.h" #include "kdc/db-glue.h" #define SAMBA_KVNO_GET_KRBTGT(kvno) \ 
@@ -67,7 +66,7 @@ static const char *trust_attrs[] = { }; -static KerberosTime ldb_msg_find_krb5time_ldap_time(struct ldb_message *msg, const char *attr, KerberosTime default_val) +static time_t ldb_msg_find_krb5time_ldap_time(struct ldb_message *msg, const char *attr, time_t default_val) { const char *tmp; const char *gentime; @@ -189,9 +188,12 @@ static HDBFlags uf2HDBFlags(krb5_context context, uint32_t userAccountControl, e static int samba_kdc_entry_destructor(struct samba_kdc_entry *p) { - hdb_entry_ex *entry_ex = p->entry_ex; - free_hdb_entry(&entry_ex->entry); - return 0; + if (p->entry_ex != NULL) { + hdb_entry_ex *entry_ex = p->entry_ex; + free_hdb_entry(&entry_ex->entry); + } + + return 0; } static void samba_kdc_free_entry(krb5_context context, hdb_entry_ex *entry_ex) @@ -398,10 +400,11 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, key.mkvno = 0; key.salt = NULL; /* No salt for this enc type */ - ret = krb5_keyblock_init(context, - ENCTYPE_ARCFOUR_HMAC, - hash->hash, sizeof(hash->hash), - &key.key); + ret = smb_krb5_keyblock_init_contents(context, + ENCTYPE_ARCFOUR_HMAC, + hash->hash, + sizeof(hash->hash), + &key.key); if (ret) { goto out; } @@ -434,9 +437,11 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, goto out; } - key.salt->type = hdb_pw_salt; + key.salt->type = KRB5_PW_SALT; - ret = krb5_data_copy(&key.salt->salt, salt.data, salt.length); + ret = krb5_copy_data_contents(&key.salt->salt, + salt.data, + salt.length); if (ret) { free(key.salt); key.salt = NULL; 
@@ -446,11 +451,11 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, /* TODO: maybe pass the iteration_count somehow... */ - ret = krb5_keyblock_init(context, - pkb4->keys[i].keytype, - pkb4->keys[i].value->data, - pkb4->keys[i].value->length, - &key.key); + ret = smb_krb5_keyblock_init_contents(context, + pkb4->keys[i].keytype, + pkb4->keys[i].value->data, + pkb4->keys[i].value->length, + &key.key); if (ret == KRB5_PROG_ETYPE_NOSUPP) { DEBUG(2,("Unsupported keytype ignored - type %u\n", pkb4->keys[i].keytype)); @@ -493,9 +498,11 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, goto out; } - key.salt->type = hdb_pw_salt; + key.salt->type = KRB5_PW_SALT; - ret = krb5_data_copy(&key.salt->salt, salt.data, salt.length); + ret = krb5_copy_data_contents(&key.salt->salt, + salt.data, + salt.length); if (ret) { free(key.salt); key.salt = NULL; @@ -503,11 +510,11 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, } } - ret = krb5_keyblock_init(context, - pkb3->keys[i].keytype, - pkb3->keys[i].value->data, - pkb3->keys[i].value->length, - &key.key); + ret = smb_krb5_keyblock_init_contents(context, + pkb3->keys[i].keytype, + pkb3->keys[i].value->data, + pkb3->keys[i].value->length, + &key.key); if (ret) { if (key.salt) { free_Salt(key.salt); @@ -538,7 +545,8 @@ out: */ static krb5_error_code samba_kdc_message2entry(krb5_context context, struct samba_kdc_db_context *kdc_db_ctx, - TALLOC_CTX *mem_ctx, krb5_const_principal principal, + TALLOC_CTX *mem_ctx, + krb5_const_principal principal, enum samba_kdc_ent_type ent_type, unsigned flags, struct ldb_dn *realm_dn, @@ -580,9 +588,9 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, is_computer = TRUE; } - memset(entry_ex, 0, sizeof(*entry_ex)); + ZERO_STRUCTP(entry_ex); - p = talloc(mem_ctx, struct samba_kdc_entry); + p = talloc_zero(mem_ctx, struct samba_kdc_entry); if (!p) { ret = ENOMEM; goto out; 
@@ -638,7 +646,6 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, * fixed UPPER case realm, but the as-sent username */ - entry_ex->entry.principal = malloc(sizeof(*(entry_ex->entry.principal))); if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT) { if (flags & (HDB_F_CANON)) { /* @@ -646,9 +653,9 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, * both realm values in the principal are set * to the upper case, canonical realm */ - ret = krb5_make_principal(context, &entry_ex->entry.principal, - lpcfg_realm(lp_ctx), "krbtgt", - lpcfg_realm(lp_ctx), NULL); + ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, + lpcfg_realm(lp_ctx), "krbtgt", + lpcfg_realm(lp_ctx), NULL); if (ret) { krb5_clear_error_message(context); goto out; @@ -664,7 +671,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, * this appears to be required regardless of * the canonicalize flag from the client */ - ret = krb5_principal_set_realm(context, entry_ex->entry.principal, lpcfg_realm(lp_ctx)); + ret = smb_krb5_principal_set_realm(context, entry_ex->entry.principal, lpcfg_realm(lp_ctx)); if (ret) { krb5_clear_error_message(context); goto out; @@ -672,7 +679,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, } } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) { - ret = krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL); + ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL); if (ret) { krb5_clear_error_message(context); goto out; 
@@ -683,7 +690,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, * packet, and has a different meaning between AS-REQ * and TGS-REQ. We only change the principal in the AS-REQ case */ - ret = krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL); + ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL); if (ret) { krb5_clear_error_message(context); goto out; @@ -695,7 +702,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, goto out; } - if (krb5_principal_get_type(context, principal) != KRB5_NT_ENTERPRISE_PRINCIPAL) { + if (smb_krb5_principal_get_type(context, principal) != KRB5_NT_ENTERPRISE_PRINCIPAL) { /* While we have copied the client principal, tests * show that Win2k3 returns the 'corrected' realm, not * the client-specified realm. This code attempts to @@ -703,7 +710,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, * we determine from our records */ /* this has to be with malloc() */ - ret = krb5_principal_set_realm(context, entry_ex->entry.principal, lpcfg_realm(lp_ctx)); + ret = smb_krb5_principal_set_realm(context, entry_ex->entry.principal, lpcfg_realm(lp_ctx)); if (ret) { krb5_clear_error_message(context); goto out; @@ -746,9 +753,10 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, /* use 'whenCreated' */ entry_ex->entry.created_by.time = ldb_msg_find_krb5time_ldap_time(msg, "whenCreated", 0); /* use 'kadmin' for now (needed by mit_samba) */ - ret = krb5_make_principal(context, - &entry_ex->entry.created_by.principal, - lpcfg_realm(lp_ctx), "kadmin", NULL); + + ret = smb_krb5_make_principal(context, + &entry_ex->entry.created_by.principal, + lpcfg_realm(lp_ctx), "kadmin", NULL); if (ret) { krb5_clear_error_message(context); goto out; 
@@ -764,9 +772,9 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, /* use 'whenChanged' */ entry_ex->entry.modified_by->time = ldb_msg_find_krb5time_ldap_time(msg, "whenChanged", 0); /* use 'kadmin' for now (needed by mit_samba) */ - ret = krb5_make_principal(context, - &entry_ex->entry.modified_by->principal, - lpcfg_realm(lp_ctx), "kadmin", NULL); + ret = smb_krb5_make_principal(context, + &entry_ex->entry.modified_by->principal, + lpcfg_realm(lp_ctx), "kadmin", NULL); if (ret) { krb5_clear_error_message(context); goto out; @@ -784,23 +792,34 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, } if (rid == DOMAIN_RID_KRBTGT) { + char *realm = NULL; + entry_ex->entry.valid_end = NULL; entry_ex->entry.pw_end = NULL; entry_ex->entry.flags.invalid = 0; entry_ex->entry.flags.server = 1; + realm = smb_krb5_principal_get_realm(context, principal); + if (realm == NULL) { + ret = ENOMEM; + goto out; + } + /* Don't mark all requests for the krbtgt/realm as * 'change password', as otherwise we could get into * trouble, and not enforce the password expirty. * Instead, only do it when request is for the kpasswd service */ if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER - && principal->name.name_string.len == 2 - && (strcmp(principal->name.name_string.val[0], "kadmin") == 0) - && (strcmp(principal->name.name_string.val[1], "changepw") == 0) - && lpcfg_is_my_domain_or_realm(lp_ctx, principal->realm)) { + && krb5_princ_size(context, principal) == 2 + && (strcmp(krb5_principal_get_comp_string(context, principal, 0), "kadmin") == 0) + && (strcmp(krb5_principal_get_comp_string(context, principal, 1), "changepw") == 0) + && lpcfg_is_my_domain_or_realm(lp_ctx, realm)) { entry_ex->entry.flags.change_pw = 1; } + + SAFE_FREE(realm); + entry_ex->entry.flags.client = 0; entry_ex->entry.flags.forwardable = 1; entry_ex->entry.flags.ok_as_delegate = 1; 
@@ -884,8 +903,6 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, *entry_ex->entry.max_renew = kdc_db_ctx->policy.renewal_lifetime; - entry_ex->entry.generation = NULL; - /* Get keys from the db */ ret = samba_kdc_message2entry_keys(context, kdc_db_ctx, p, msg, rid, is_rodc, userAccountControl, @@ -909,7 +926,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, goto out; } for (i=0; i < entry_ex->entry.etypes->len; i++) { - entry_ex->entry.etypes->val[i] = entry_ex->entry.keys.val[i].key.keytype; + entry_ex->entry.etypes->val[i] = KRB5_KEY_TYPE(&entry_ex->entry.keys.val[i].key); } @@ -919,6 +936,7 @@ out: if (ret != 0) { /* This doesn't free ent itself, that is for the eventual caller to do */ hdb_free_entry(context, entry_ex); + ZERO_STRUCTP(entry_ex); } else { talloc_steal(kdc_db_ctx, entry_ex->ctx); } @@ -1012,22 +1030,15 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context, /* use 'whenCreated' */ entry_ex->entry.created_by.time = ldb_msg_find_krb5time_ldap_time(msg, "whenCreated", 0); /* use 'kadmin' for now (needed by mit_samba) */ - ret = krb5_make_principal(context, - &entry_ex->entry.created_by.principal, - realm, "kadmin", NULL); + ret = smb_krb5_make_principal(context, + &entry_ex->entry.created_by.principal, + realm, "kadmin", NULL); if (ret) { krb5_clear_error_message(context); goto out; } - entry_ex->entry.principal = malloc(sizeof(*(entry_ex->entry.principal))); - if (entry_ex->entry.principal == NULL) { - krb5_clear_error_message(context); - ret = ENOMEM; - goto out; - } - - ret = copy_Principal(principal, entry_ex->entry.principal); + ret = krb5_copy_principal(context, principal, &entry_ex->entry.principal); if (ret) { krb5_clear_error_message(context); goto out; 
@@ -1041,7 +1052,7 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context, * we determine from our records */ - ret = krb5_principal_set_realm(context, entry_ex->entry.principal, realm); + ret = smb_krb5_principal_set_realm(context, entry_ex->entry.principal, realm); if (ret) { krb5_clear_error_message(context); goto out; @@ -1213,11 +1224,11 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context, if (password_hash != NULL) { Key key = {}; - ret = krb5_keyblock_init(context, - ENCTYPE_ARCFOUR_HMAC, - password_hash->hash, - sizeof(password_hash->hash), - &key.key); + ret = smb_krb5_keyblock_init_contents(context, + ENCTYPE_ARCFOUR_HMAC, + password_hash->hash, + sizeof(password_hash->hash), + &key.key); if (ret != 0) { goto out; } @@ -1238,8 +1249,6 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context, entry_ex->entry.max_renew = NULL; - entry_ex->entry.generation = NULL; - entry_ex->entry.etypes = malloc(sizeof(*(entry_ex->entry.etypes))); if (entry_ex->entry.etypes == NULL) { krb5_clear_error_message(context); @@ -1254,7 +1263,7 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context, goto out; } for (i=0; i < entry_ex->entry.etypes->len; i++) { - entry_ex->entry.etypes->val[i] = entry_ex->entry.keys.val[i].key.keytype; -- Samba Shared Repository
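Review bot: The dlz_bind9.c hunk at `@@ -1304,7 +1304,7 @@ dlz_ssumatch` changes only the case of the keytab type prefix (`"file:%s/dns.keytab"` to `"FILE:%s/dns.keytab"`), not the location, so the subject "dlz_bind9: Fix keytab location" and the empty commit body do not explain why it is needed. Please say in the commit message which Kerberos library rejected the lowercase prefix (this series is about MIT compatibility, so presumably MIT's keytab resolver), otherwise the next person to touch the line may "normalise" it back to lowercase as a cosmetic change.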
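Review bot: In the password_hash.c hunk at `@@ -734,24 +734,26 @@ setup_kerberos_keys` the salt is copied with `talloc_strndup(io->ac, (char *)salt.data, salt.length)` and then rebuilt as `salt.length = strlen(io->g.salt)`, so a salt with an embedded NUL byte would be silently truncated before every key below is derived. The old `krb5_salt` code had the same assumption, but now that `salt` is a plain `krb5_data` the natural fix is `talloc_memdup` plus keeping the original `salt.length`, or at least a comment saying that smb_krb5_get_pw_salt() returns a NUL-free string. The ordering of `kerberos_free_data_contents(...)` before the `if (!io->g.salt)` OOM check is correct and leaks nothing.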
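Review bot: The four setup_kerberos_keys() hunks at `@@ -734`, `@@ -772`, `@@ -797` and `@@ -822` in password_hash.c now carry four identical `smb_krb5_create_key_from_string(ctx, NULL, &salt, &cleartext_data, ENCTYPE_..., &key)` calls that differ only in the enctype; a small enctype table iterated in a loop would remove the copy-paste and make it a one-line change to stop deriving the single-DES keys (ENCTYPE_DES_CBC_MD5 and ENCTYPE_DES_CBC_CRC), which this patch still derives on every password set. The bare `NULL` second argument is also undocumented at each call site; a short comment naming the parameter it stands for would help readers who cannot see the smb_krb5_create_key_from_string() prototype.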
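Review bot: With the `entry_ex->entry.principal = malloc(...)` line removed in the db-glue.c hunk at `@@ -638,7 +646,6 @@`, the context comment `/* this has to be with malloc() */` kept in the `@@ -703,7 +710,7 @@` hunk directly above `smb_krb5_principal_set_realm(...)` is now misleading, because allocation is hidden behind the smb_krb5_* wrappers; drop it or state what the MIT build requires there. Please also confirm that the branch between the `@@ -683` and `@@ -695` hunks (the one the comment "While we have copied the client principal" refers to, not visible in this diff) now allocates `entry_ex->entry.principal` itself via krb5_copy_principal(), as the trust path does in the `@@ -1012` hunk, since nothing else allocates it any more.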
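Review bot: The db-glue.c hunk at `@@ -784,23 +792,34 @@ samba_kdc_message2entry` introduces a NULL dereference for a case the same function still allows: the `@@ -672,7 +679,7 @@` hunk shows `else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL)`, yet the new `realm = smb_krb5_principal_get_realm(context, principal);` runs unconditionally inside `if (rid == DOMAIN_RID_KRBTGT)`, whereas the old code only touched `principal->` behind the `ent_type == SAMBA_KDC_ENT_TYPE_SERVER &&` short-circuit. Either move the realm lookup and its `SAFE_FREE(realm)` inside the SERVER branch, or take the realm from `entry_ex->entry.principal`, which every branch above has set by this point. Returning `ENOMEM` when `realm == NULL` also reports a NULL principal as an out-of-memory failure. Commit 8b2cada ("pass a valid principal from samba_kdc_seq()") fixes one caller, but the function's own guard is gone.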
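Review bot: In the db-glue.c `out:` hunk at `@@ -919,6 +936,7 @@` the error path now does `hdb_free_entry(context, entry_ex); ZERO_STRUCTP(entry_ex);` but leaves `p` (talloc_zero'd on mem_ctx in the `@@ -580,9 +588,9 @@` hunk) with `p->entry_ex` still pointing at the caller-owned hdb_entry_ex. The `if (p->entry_ex != NULL)` guard added to samba_kdc_entry_destructor() in the `@@ -189,9 +188,12 @@` hunk does not help here, because the pointer is non-NULL; if `p` is not released by the free_entry callback on this path, its destructor will later run free_hdb_entry() on memory the caller may have discarded by the time mem_ctx is freed. Set `p->entry_ex = NULL` (or talloc_free(p)) next to the ZERO_STRUCTP, and add a comment in the destructor stating which owner is expected to release `p`.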