The branch, master has been updated via e7d1d8c nsswtich: Add negative tests for authentication with wbinfo via e202883 s3:libads: Remove obsolete smb_krb5_get_ntstatus_from_init_creds() via 21fbbfd idmap_rfc2307: Clarify the documentation a bit via d8a063b idmap_rfc2307: Slightly simplify idmap_rfc2307_initialize() via 7ff3ae7 idmap_tdb: Avoid a few casts from c0e196b s3:libsmb: Only print error message if kerberos use is forced
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit e7d1d8c49322a131e7ca1993f9956f0bddcaff3c Author: Andreas Schneider <a...@samba.org> Date: Mon Mar 20 12:22:44 2017 +0100 nsswtich: Add negative tests for authentication with wbinfo BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708 Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Uri Simchoni <u...@samba.org> Autobuild-User(master): Uri Simchoni <u...@samba.org> Autobuild-Date(master): Wed Mar 22 10:58:58 CET 2017 on sn-devel-144 commit e2028837b958618a66449a77ee628e4e176e521e Author: Andreas Schneider <a...@samba.org> Date: Tue Mar 21 09:57:30 2017 +0100 s3:libads: Remove obsolete smb_krb5_get_ntstatus_from_init_creds() There is no way we can get a better error code out of this. The original function called was krb5_get_init_creds_opt_get_error() which has been deprecated in 2008. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708 Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Uri Simchoni <u...@samba.org> commit 21fbbfded1cb46edf31d39f80d0faefb896065fa Author: Volker Lendecke <v...@samba.org> Date: Tue Mar 21 16:00:27 2017 +0100 idmap_rfc2307: Clarify the documentation a bit "bind_path" is a variable name internally used inside Samba. If you look at "man ldapsearch" from OpenLDAP for example, the more common term for this parameter is "search base". Adapt the documentation accordingly. Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Uri Simchoni <u...@samba.org> commit d8a063b4e64ae4325c4fc229927aaf8319fcbad0 Author: Volker Lendecke <v...@samba.org> Date: Tue Mar 21 15:52:37 2017 +0100 idmap_rfc2307: Slightly simplify idmap_rfc2307_initialize() Replace an "else" branch with an early "goto err" 
Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Uri Simchoni <u...@samba.org> commit 7ff3ae73741c42e8081b8fc242cddc4b1b436449 Author: Volker Lendecke <v...@samba.org> Date: Sun Jan 8 13:00:39 2017 +0000 idmap_tdb: Avoid a few casts The times of attempting to be C++ compatible are gone since C compilers can do very good warnings too. Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Uri Simchoni <u...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
 docs-xml/manpages/idmap_rfc2307.8.xml | 4 +-
 nsswitch/tests/test_wbinfo.sh | 4 +
 source3/libads/kerberos.c | 169 ----------------------------------
 source3/winbindd/idmap_rfc2307.c | 26 +++---
 source3/winbindd/idmap_tdb_common.c | 12 +--
 5 files changed, 21 insertions(+), 194 deletions(-)
Changeset truncated at 500 lines:
diff --git a/docs-xml/manpages/idmap_rfc2307.8.xml b/docs-xml/manpages/idmap_rfc2307.8.xml
index 024415a..5785662 100644
--- a/docs-xml/manpages/idmap_rfc2307.8.xml
+++ b/docs-xml/manpages/idmap_rfc2307.8.xml
@@ -70,13 +70,13 @@
 </varlistentry>
 <varlistentry>
 <term>bind_path_user</term>
- <listitem><para>Specifies the bind path where
+ <listitem><para>Specifies the search base where
 user objects can be found in the LDAP server.</para></listitem>
 </varlistentry>
 <varlistentry>
 <term>bind_path_group</term>
- <listitem><para>Specifies the bind path where
+ <listitem><para>Specifies the search base where
 group objects can be found in the LDAP server.</para></listitem>
 </varlistentry>
diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh
index 69cc437..cfe582d 100755
--- a/nsswitch/tests/test_wbinfo.sh
+++ b/nsswitch/tests/test_wbinfo.sh
@@ -254,6 +254,10 @@ testit "wbinfo -K against $TARGET with domain creds" $wbinfo --krb5ccname=$KRB5C
 testit "wbinfo --separator against $TARGET" $wbinfo --separator || failed=`expr $failed + 1`
+testit_expect_failure "wbinfo -a against $TARGET with invalid password" $wbinfo -a "$DOMAIN/$USERNAME%InvalidPassword" && failed=`expr $failed + 1`
+
+testit_expect_failure "wbinfo -K against $TARGET with invalid password" $wbinfo -K "$DOMAIN/$USERNAME%InvalidPassword" && failed=`expr $failed + 1`
+
 rm -f $KRB5CCNAME_PATH
 exit $failed
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index dcb268e..13c48ca 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
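Review bot: The two new `testit_expect_failure` lines assert only a non-zero exit from wbinfo, so they also pass when the logon fails for an unrelated reason (winbindd not answering, DC unreachable, user unknown) and would not notice a regression where a wrong password is reported as some other error. If the harness lets the test see the output, also match the status wbinfo prints, e.g. pipe it through `grep -q NT_STATUS_LOGON_FAILURE` — hedged, since `testit_expect_failure` is defined outside this hunk and presumably captures the output itself. Unlike the positive `wbinfo -K` test visible in the hunk header, the negative `-K` call passes no `--krb5ccname`, so it is worth confirming that a failed attempt leaves nothing behind in the default credential cache.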
@@ -99,156 +99,6 @@ kerb_prompter(krb5_context ctx, void *data,
 return 0;
 }
-static bool unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx,
- DATA_BLOB *edata,
- DATA_BLOB *edata_out)
-{
- DATA_BLOB edata_contents;
- ASN1_DATA *data;
- int edata_type;
-
- if (!edata->length) {
- return false;
- }
-
- data = asn1_init(mem_ctx);
- if (data == NULL) {
- return false;
- }
-
- if (!asn1_load(data, *edata)) goto err;
- if (!asn1_start_tag(data, ASN1_SEQUENCE(0))) goto err;
- if (!asn1_start_tag(data, ASN1_CONTEXT(1))) goto err;
- if (!asn1_read_Integer(data, &edata_type)) goto err;
-
- if (edata_type != KRB5_PADATA_PW_SALT) {
- DEBUG(0,("edata is not of required type %d but of type %d\n",
- KRB5_PADATA_PW_SALT, edata_type));
- goto err;
- }
-
- if (!asn1_start_tag(data, ASN1_CONTEXT(2))) goto err;
- if (!asn1_read_OctetString(data, talloc_tos(), &edata_contents)) goto err;
- if (!asn1_end_tag(data)) goto err;
- if (!asn1_end_tag(data)) goto err;
- if (!asn1_end_tag(data)) goto err;
- asn1_free(data);
-
- *edata_out = data_blob_talloc(mem_ctx, edata_contents.data, edata_contents.length);
-
- data_blob_free(&edata_contents);
-
- return true;
-
- err:
-
- asn1_free(data);
- return false;
-}
-
- static bool smb_krb5_get_ntstatus_from_krb5_error(krb5_error *error,
- NTSTATUS *nt_status)
-{
- DATA_BLOB edata;
- DATA_BLOB unwrapped_edata;
- TALLOC_CTX *mem_ctx;
- struct KRB5_EDATA_NTSTATUS parsed_edata;
- enum ndr_err_code ndr_err;
-
-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
- edata = data_blob(error->e_data->data, error->e_data->length);
-#else
- edata = data_blob(error->e_data.data, error->e_data.length);
-#endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */
-
-#ifdef DEVELOPER
- dump_data(10, edata.data, edata.length);
-#endif /* DEVELOPER */
-
- mem_ctx = talloc_init("smb_krb5_get_ntstatus_from_krb5_error");
- if (mem_ctx == NULL) {
- data_blob_free(&edata);
- return False;
- }
-
- if (!unwrap_edata_ntstatus(mem_ctx, &edata, &unwrapped_edata)) {
- data_blob_free(&edata);
- TALLOC_FREE(mem_ctx);
- return False;
- }
-
- data_blob_free(&edata);
-
- ndr_err = ndr_pull_struct_blob_all(&unwrapped_edata, mem_ctx,
- &parsed_edata, (ndr_pull_flags_fn_t)ndr_pull_KRB5_EDATA_NTSTATUS);
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- data_blob_free(&unwrapped_edata);
- TALLOC_FREE(mem_ctx);
- return False;
- }
-
- data_blob_free(&unwrapped_edata);
-
- if (nt_status) {
- *nt_status = parsed_edata.ntstatus;
- }
-
- TALLOC_FREE(mem_ctx);
-
- return True;
-}
-
-static bool smb_krb5_get_ntstatus_from_init_creds(krb5_context ctx,
- krb5_principal client,
- krb5_get_init_creds_opt *opt,
- NTSTATUS *nt_status)
-{
- krb5_init_creds_context icc;
- krb5_error_code code;
-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
- /* HEIMDAL */
- krb5_error error;
-#else
- krb5_error *error = NULL;
-#endif
- bool ok;
-
- code = krb5_init_creds_init(ctx,
- client,
- NULL,
- NULL,
- 0,
- opt,
- &icc);
- if (code != 0) {
- DBG_WARNING("krb5_init_creds_init failed with: %s\n",
- error_message(code));
- return false;
- }
-
- code = krb5_init_creds_get_error(ctx,
- icc,
- &error);
- if (code != 0) {
- DBG_WARNING("krb5_init_creds_get_error failed with: %s\n",
- error_message(code));
- return false;
- }
- krb5_init_creds_free(ctx, icc);
-
-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
- ok = smb_krb5_get_ntstatus_from_krb5_error(&error, nt_status);
-
- krb5_free_error_contents(ctx, &error);
-#else
- ok = smb_krb5_get_ntstatus_from_krb5_error(error, nt_status);
-
- krb5_free_error(ctx, error);
-#endif
-
- return ok;
-}
-
 /* simulate a kinit, putting the tgt in the given cache location. If cache_name == NULL place in default cache location.
@@ -356,31 +206,12 @@ int kerberos_kinit_password_ext(const char *principal,
 }
 out:
 if (ntstatus) {
-
- NTSTATUS status;
-
 /* fast path */
 if (code == 0) {
 *ntstatus = NT_STATUS_OK;
 goto cleanup;
 }
- /* try to get ntstatus code out of krb5_error when we have it
- * inside the krb5_get_init_creds_opt - gd */
-
- if (opt != NULL) {
- bool ok;
-
- ok = smb_krb5_get_ntstatus_from_init_creds(ctx,
- me,
- opt,
- &status);
- if (ok) {
- *ntstatus = status;
- goto cleanup;
- }
- }
-
 /* fall back to self-made-mapping */
 *ntstatus = krb5_to_nt_status(code);
 }
diff --git a/source3/winbindd/idmap_rfc2307.c b/source3/winbindd/idmap_rfc2307.c
index 340757a..8ee84f7 100644
--- a/source3/winbindd/idmap_rfc2307.c
+++ b/source3/winbindd/idmap_rfc2307.c
@@ -774,29 +774,27 @@ static NTSTATUS idmap_rfc2307_initialize(struct idmap_domain *domain)
 bind_path_user = idmap_config_const_string( domain->name, "bind_path_user", NULL);
- if (bind_path_user) {
- ctx->bind_path_user = talloc_strdup(ctx, bind_path_user);
- if (ctx->bind_path_user == NULL) {
- status = NT_STATUS_NO_MEMORY;
- goto err;
- }
- } else {
+ if (bind_path_user == NULL) {
 status = NT_STATUS_INVALID_PARAMETER;
 goto err;
 }
+ ctx->bind_path_user = talloc_strdup(ctx, bind_path_user);
+ if (ctx->bind_path_user == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto err;
+ }
 bind_path_group = idmap_config_const_string( domain->name, "bind_path_group", NULL);
- if (bind_path_group) {
- ctx->bind_path_group = talloc_strdup(ctx, bind_path_group);
- if (ctx->bind_path_group == NULL) {
- status = NT_STATUS_NO_MEMORY;
- goto err;
- }
- } else {
+ if (bind_path_group == NULL) {
 status = NT_STATUS_INVALID_PARAMETER;
 goto err;
 }
+ ctx->bind_path_group = talloc_strdup(ctx, bind_path_group);
+ if (ctx->bind_path_group == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto err;
+ }
 ldap_server = idmap_config_const_string( domain->name, "ldap_server", NULL);
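Review bot: With the e-data lookup removed, the surviving `/* fall back to self-made-mapping */` comment above `*ntstatus = krb5_to_nt_status(code);` is stale: there is nothing left to fall back from, and `krb5_to_nt_status()` is now the only path that turns a failed kinit into an NTSTATUS. Replace it with `/* map the krb5 error code to an NTSTATUS; the KDC's e-data is no longer inspected */` so the next reader does not go looking for the deleted branch. `kerberos_kinit_password_ext` starts and ends outside this hunk, so whether `opt` and `me` are still needed elsewhere in the function after this removal cannot be judged here.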
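Review bot: The new early-exit branches `if (bind_path_user == NULL)` and `if (bind_path_group == NULL)` return `NT_STATUS_INVALID_PARAMETER` without saying which option is missing, which makes a misconfigured idmap domain hard to diagnose from the winbindd log. Unless the `err:` label (outside this hunk) already reports it, add `DBG_ERR("bind_path_user not set for idmap domain %s\n", domain->name);` and `DBG_ERR("bind_path_group not set for idmap domain %s\n", domain->name);` before the respective `status = NT_STATUS_INVALID_PARAMETER;` lines. `idmap_rfc2307_initialize` continues past the end of this hunk.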
diff --git a/source3/winbindd/idmap_tdb_common.c b/source3/winbindd/idmap_tdb_common.c
index 0d7e734..e873b60 100644
--- a/source3/winbindd/idmap_tdb_common.c
+++ b/source3/winbindd/idmap_tdb_common.c
@@ -51,11 +51,9 @@ static NTSTATUS idmap_tdb_common_allocate_id_action(struct db_context *db,
 void *private_data)
 {
 NTSTATUS ret;
- struct idmap_tdb_common_allocate_id_context *state;
+ struct idmap_tdb_common_allocate_id_context *state = private_data;
 uint32_t hwm;
- state = (struct idmap_tdb_common_allocate_id_context *)private_data;
-
 ret = dbwrap_fetch_uint32_bystring(db, state->hwmkey, &hwm);
 if (!NT_STATUS_IS_OK(ret)) {
 ret = NT_STATUS_INTERNAL_DB_ERROR;
@@ -180,11 +178,9 @@ static NTSTATUS idmap_tdb_common_set_mapping_action(struct db_context *db,
 {
 TDB_DATA data;
 NTSTATUS ret;
- struct idmap_tdb_common_set_mapping_context *state;
+ struct idmap_tdb_common_set_mapping_context *state = private_data;
 TALLOC_CTX *tmp_ctx = talloc_stackframe();
- state = (struct idmap_tdb_common_set_mapping_context *)private_data;
-
 DEBUG(10, ("Storing %s <-> %s map\n", state->ksidstr, state->kidstr));
 /* check whether sid mapping is already present in db */
@@ -546,12 +542,10 @@ struct idmap_tdb_common_sids_to_unixids_context {
 static NTSTATUS idmap_tdb_common_sids_to_unixids_action(struct db_context *db,
 void *private_data)
 {
- struct idmap_tdb_common_sids_to_unixids_context *state;
+ struct idmap_tdb_common_sids_to_unixids_context *state = private_data;
 int i, num_mapped = 0;
 NTSTATUS ret = NT_STATUS_OK;
- state = (struct idmap_tdb_common_sids_to_unixids_context *)private_data;
-
 DEBUG(10, ("idmap_tdb_common_sids_to_unixids: " " domain: [%s], allocate: %s\n", state->dom->name, state->allocate_unmapped ? "yes" : "no"));
-- Samba Shared Repository