The branch, master has been updated
       via  116af0df4f7 s3:winbind: Use the canonical realm name to renew the credentials
       via  8bef8e3de9f s3:winbind: Create service principal inside add_ccache_to_list()
       via  2235a4aac4e lib:krb5_wrap: Add debug to ads_krb5_cli_get_ticket()
       via  28db1443750 s3:winbind: Improve debug message to print service in smb_krb5_renew_ticket()
       via  266d6ebc5d7 s3:winbind: Improve debug message to print the service in add_ccache_to_list()
       via  9409f1adc63 s3:winbind: Fix trailing whitespaces in winbindd_proto.h
       via  b1056442fd3 s3:winbind: Fix trailing whitespaces and spaces before tabs in winbindd_cred_cache.c
      from  2ec93ac6f34 smbd: follow-up fix for "if close fails just log it, don't crash"

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 116af0df4f74aa450cbb77c79f8cac4bfc288631
Author: Samuel Cabrero <scabr...@samba.org>
Date:   Thu Jul 7 11:32:39 2022 +0200

    s3:winbind: Use the canonical realm name to renew the credentials

    Consider the following AD topology where all trusts are parent-child
    trusts:

                  ADOM.AFOREST.AD
                         |
               ACHILD.ADOM.AFOREST.AD
                         |
        AGRANDCHILD.ACHILD.ADOM.AFOREST.AD   <-- Samba joined

    When logging into the Samba machine using pam_winbind with kerberos
    enabled with user ACHILD\user1, the ccache content is:

        Default principal: us...@achild.adom.aforest.ad

        Valid starting       Expires              Service principal
        07/06/2022 16:09:23  07/06/2022 16:14:23  krbtgt/achild.adom.aforest...@achild.adom.aforest.ad
                renew until 07/13/2022 16:09:23
    --> 07/06/2022 16:09:23  07/06/2022 16:14:23  krbtgt/agrandchild.achild.adom.aforest...@achild.adom.aforest.ad   <-- NOTE this TGT ticket
                renew until 07/13/2022 16:09:23
        07/06/2022 16:09:23  07/06/2022 16:14:23  SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
                renew until 07/13/2022 16:09:23

    But when logging in with user ADOM\user1, the ccache content is:

        Default principal: us...@adom.aforest.ad

        Valid starting       Expires              Service principal
        07/06/2022 16:04:37  07/06/2022 16:09:37  krbtgt/adom.aforest...@adom.aforest.ad
                renew until 07/13/2022 16:04:37
        07/06/2022 16:04:37  07/06/2022 16:09:37  SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
                renew until 07/13/2022 16:04:37

    MIT does not store the intermediate TGTs when there is more than one
    hop:

        ads_krb5_cli_get_ticket: Getting ticket for service [SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD] using creds from [FILE:/tmp/krb5cc_11105] and impersonating [(null)]
        Getting credentials us...@adom.aforest.ad -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD using ccache FILE:/tmp/krb5cc_11105
        Starting with TGT for client realm: us...@adom.aforest.ad -> krbtgt/adom.aforest...@adom.aforest.ad
        Requesting TGT krbtgt/agrandchild.achild.adom.aforest...@adom.aforest.ad using TGT krbtgt/adom.aforest...@adom.aforest.ad
        Sending request to ADOM.AFOREST.AD
        Received answer from stream 192.168.101.32:88
        TGS reply is for us...@adom.aforest.ad -> krbtgt/achild.adom.aforest...@adom.aforest.ad with session key rc4-hmac/D88B
    --> Received TGT for offpath realm ACHILD.ADOM.AFOREST.AD   <-- NOTE this TGT ticket is not stored
        Requesting TGT krbtgt/agrandchild.achild.adom.aforest...@achild.adom.aforest.ad using TGT krbtgt/achild.adom.aforest...@adom.aforest.ad
        Sending request (1748 bytes) to ACHILD.ADOM.AFOREST.AD
        Received answer (1628 bytes) from stream 192.168.101.33:88
        TGS reply is for us...@adom.aforest.ad -> krbtgt/agrandchild.achild.adom.aforest...@achild.adom.aforest.ad with session key rc4-hmac/D015
    --> Received TGT for service realm: krbtgt/agrandchild.achild.adom.aforest...@achild.adom.aforest.ad   <-- NOTE this TGT is not stored
        Requesting tickets for SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD, referrals on
        Sending request (1721 bytes) to AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
        Received answer (1647 bytes) from stream 192.168.101.34:88
        TGS reply is for us...@adom.aforest.ad -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD with session key aes256-cts/345A
        Received creds for desired service SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
        Storing us...@adom.aforest.ad -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD in FILE:/tmp/krb5cc_11105

    In the case of ACHILD\user1:

        ads_krb5_cli_get_ticket: Getting ticket for service [SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD] using creds from [FILE:/tmp/krb5cc_2000] and impersonating [(null)]
        Getting credentials us...@achild.adom.aforest.ad -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD using ccache FILE:/tmp/krb5cc_2000
        Starting with TGT for client realm: us...@achild.adom.aforest.ad -> krbtgt/achild.adom.aforest...@achild.adom.aforest.ad
        Requesting TGT krbtgt/agrandchild.achild.adom.aforest...@achild.adom.aforest.ad using TGT krbtgt/achild.adom.aforest...@achild.adom.aforest.ad
        Sending request to ACHILD.ADOM.AFOREST.AD
        Received answer from stream 192.168.101.33:88
        TGS reply is for us...@achild.adom.aforest.ad -> krbtgt/agrandchild.achild.adom.aforest...@achild.adom.aforest.ad with session key rc4-hmac/0F60
    --> Storing us...@achild.adom.aforest.ad -> krbtgt/agrandchild.achild.adom.aforest...@achild.adom.aforest.ad in FILE:/tmp/krb5cc_2000   <-- NOTE this TGT is stored
        Received TGT for service realm: krbtgt/agrandchild.achild.adom.aforest...@achild.adom.aforest.ad
        Requesting tickets for SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD, referrals on
        Sending request (1745 bytes) to AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
        Received answer (1675 bytes) from stream 192.168.101.34:88
        TGS reply is for us...@achild.adom.aforest.ad -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD with session key aes256-cts/3576
        Received creds for desired service SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
        Storing us...@achild.adom.aforest.ad -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD in FILE:/tmp/krb5cc_2000

    The result is that winbindd can't refresh the tickets for ADOM\user1
    because the local realm is used to build the TGT service name.

        smb_krb5_renew_ticket: Using FILE:/tmp/krb5cc_11105 as ccache for client 'us...@adom.aforest.ad' and service 'krbtgt/agrandchild.achild.adom.aforest...@agrandchild.achild.adom.aforest.ad'
        Retrieving us...@adom.aforest.ad -> krbtgt/agrandchild.achild.adom.aforest...@adom.aforest.ad from FILE:/tmp/krb5cc_11105 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_11105)

    The canonical realm name must be used instead:

        smb_krb5_renew_ticket: Using FILE:/tmp/krb5cc_11105 as ccache for client 'us...@adom.aforest.ad' and service 'krbtgt/adom.aforest...@adom.aforest.ad'
        Retrieving us...@adom.aforest.ad -> krbtgt/adom.aforest...@adom.aforest.ad from FILE:/tmp/krb5cc_11105 with result: 0/Success
        Get cred via TGT krbtgt/adom.aforest...@adom.aforest.ad after requesting krbtgt/adom.aforest...@adom.aforest.ad (canonicalize off)
        Sending request to ADOM.AFOREST.AD
        Received answer from stream 192.168.101.32:88
        TGS reply is for us...@adom.aforest.ad -> krbtgt/adom.aforest...@adom.aforest.ad with session key aes256-cts/8C7B
        Storing us...@adom.aforest.ad -> krbtgt/adom.aforest...@adom.aforest.ad in FILE:/tmp/krb5cc_11105

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979

    Signed-off-by: Samuel Cabrero <scabr...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

    Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org>
    Autobuild-Date(master): Tue Jul 12 12:38:55 UTC 2022 on sn-devel-184

commit 8bef8e3de9fc96ff45319f80529e878977563f3a
Author: Samuel Cabrero <scabr...@samba.org>
Date:   Thu Jul 7 11:22:05 2022 +0200

    s3:winbind: Create service principal inside add_ccache_to_list()

    The function can build the service principal itself; there is no need
    to do it in the caller. This removes code duplication.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979

    Signed-off-by: Samuel Cabrero <scabr...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 2235a4aac4e879c0ffe462f9eed454c7792efc85
Author: Samuel Cabrero <scabr...@samba.org>
Date:   Thu Jul 7 12:33:15 2022 +0200

    lib:krb5_wrap: Add debug to ads_krb5_cli_get_ticket()

    Signed-off-by: Samuel Cabrero <scabr...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 28db1443750b167909dbe09aaac1e28bcf95be50
Author: Samuel Cabrero <scabr...@suse.de>
Date:   Thu Jul 7 14:13:02 2022 +0200

    s3:winbind: Improve debug message to print service in smb_krb5_renew_ticket()

    Signed-off-by: Samuel Cabrero <scabr...@suse.de>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 266d6ebc5d79d91753f6ef777e0bedcbc0d7193b
Author: Samuel Cabrero <scabr...@samba.org>
Date:   Thu Jul 7 11:28:03 2022 +0200

    s3:winbind: Improve debug message to print the service in add_ccache_to_list()

    Signed-off-by: Samuel Cabrero <scabr...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 9409f1adc63b53039ca26d5a85e67f9fe759789d
Author: Samuel Cabrero <scabr...@samba.org>
Date:   Thu Jul 7 11:19:47 2022 +0200

    s3:winbind: Fix trailing whitespaces in winbindd_proto.h

    Signed-off-by: Samuel Cabrero <scabr...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit b1056442fd3044501edeb7f8f4e8698e2b5ccc7c
Author: Samuel Cabrero <scabr...@samba.org>
Date:   Thu Jul 7 11:18:42 2022 +0200

    s3:winbind: Fix trailing whitespaces and spaces before tabs in winbindd_cred_cache.c

    Signed-off-by: Samuel Cabrero <scabr...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 lib/krb5_wrap/krb5_samba.c             |  7 ++++-
 source3/winbindd/winbindd_cred_cache.c | 51 +++++++++++++++++-----------------
 source3/winbindd/winbindd_pam.c        | 15 ----------
 source3/winbindd/winbindd_proto.h      | 15 +++++-----
 4 files changed, 39 insertions(+), 49 deletions(-)


Changeset truncated at 500 lines:
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c index 57ffdc72780..2b9dc97a1bc 100644 --- a/lib/krb5_wrap/krb5_samba.c +++ b/lib/krb5_wrap/krb5_samba.c @@ -1084,7 +1084,8 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, goto done; } - DBG_DEBUG("Using %s as ccache for '%s'\n", ccache_string, client_string); + DBG_DEBUG("Using %s as ccache for client '%s' and service '%s'\n", + ccache_string, client_string, service_string); /* FIXME: we should not fall back to defaults */ ret = krb5_cc_resolve(context, discard_const_p(char, ccache_string), &ccache); @@ -3812,6 +3813,10 @@ int ads_krb5_cli_get_ticket(TALLOC_CTX *mem_ctx, ENCTYPE_NULL}; bool ok; + DBG_DEBUG("Getting ticket for service [%s] using creds from [%s] " + "and impersonating [%s]\n", + principal, ccname, impersonate_princ_s); + retval = smb_krb5_init_context_common(&context); if (retval != 0) { DBG_ERR("kerberos init context failed (%s)\n", diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c index 6c65db6a73f..bdc16041eee 100644 --- a/source3/winbindd/winbindd_cred_cache.c +++ b/source3/winbindd/winbindd_cred_cache.c @@ -127,7 +127,7 @@ static void krb5_ticket_refresh_handler(struct tevent_context *event_ctx, #ifdef HAVE_KRB5 /* Kinit again if we have the user password and we can't renew the old - * tgt anymore + * tgt anymore * NB * This happens when machine are put to sleep for a very long time. */ @@ -160,10 +160,10 @@ rekinit: * it, ignore error here */ ads_kdestroy(entry->ccname); - /* Don't break the ticket refresh chain: retry - * refreshing ticket sometime later when KDC is + /* Don't break the ticket refresh chain: retry + * refreshing ticket sometime later when KDC is * unreachable -- BoYang. More error code handling - * here? + * here? * */ if ((ret == KRB5_KDC_UNREACH) 
@@ -196,9 +196,9 @@ rekinit: #endif goto done; } else { - /* can this happen? + /* can this happen? * No cached credentials - * destroy ticket and refresh chain + * destroy ticket and refresh chain * */ ads_kdestroy(entry->ccname); TALLOC_FREE(entry->event); @@ -229,18 +229,18 @@ rekinit: /* evil rises here, we refresh ticket failed, * but the ticket might be expired. Therefore, - * When we refresh ticket failed, destory the + * When we refresh ticket failed, destory the * ticket */ ads_kdestroy(entry->ccname); /* avoid breaking the renewal chain: retry in * lp_winbind_cache_time() seconds when the KDC was not - * available right now. - * the return code can be KRB5_REALM_CANT_RESOLVE. + * available right now. + * the return code can be KRB5_REALM_CANT_RESOLVE. * More error code handling here? */ - if ((ret == KRB5_KDC_UNREACH) + if ((ret == KRB5_KDC_UNREACH) || (ret == KRB5_REALM_CANT_RESOLVE)) { #if defined(DEBUG_KRB5_TKT_RENEWAL) new_start = time(NULL) + 30; @@ -257,7 +257,7 @@ rekinit: /* This is evil, if the ticket was already expired. * renew ticket function returns KRB5KRB_AP_ERR_TKT_EXPIRED. - * But there is still a chance that we can rekinit it. + * But there is still a chance that we can rekinit it. * * This happens when user login in online mode, and then network * down or something cause winbind goes offline for a very long time, @@ -274,7 +274,7 @@ rekinit: } done: - /* in cases that ticket will be unrenewable soon, we don't try to renew ticket + /* in cases that ticket will be unrenewable soon, we don't try to renew ticket * but try to regain ticket if it is possible */ if (entry->renew_until && expire_time && (entry->renew_until <= expire_time)) { 
@@ -356,7 +356,7 @@ static void krb5_ticket_gain_handler(struct tevent_context *event_ctx, DEBUG(3,("krb5_ticket_gain_handler: " "could not kinit: %s\n", error_message(ret))); - /* evil. If we cannot do it, destroy any the __maybe__ + /* evil. If we cannot do it, destroy any the __maybe__ * __existing__ ticket */ ads_kdestroy(entry->ccname); goto retry_later; @@ -369,9 +369,9 @@ static void krb5_ticket_gain_handler(struct tevent_context *event_ctx, goto got_ticket; retry_later: - + #if defined(DEBUG_KRB5_TKT_RENEWAL) - t = timeval_set(time(NULL) + 30, 0); + t = timeval_set(time(NULL) + 30, 0); #else t = timeval_current_ofs(MAX(30, lp_winbind_cache_time()), 0); #endif @@ -493,7 +493,6 @@ bool ccache_entry_identical(const char *username, NTSTATUS add_ccache_to_list(const char *princ_name, const char *ccname, - const char *service, const char *username, const char *pass, const char *realm, @@ -613,12 +612,6 @@ NTSTATUS add_ccache_to_list(const char *princ_name, goto no_mem; } } - if (service) { - entry->service = talloc_strdup(entry, service); - if (!entry->service) { - goto no_mem; - } - } if (canon_principal != NULL) { entry->canon_principal = talloc_strdup(entry, canon_principal); if (entry->canon_principal == NULL) { @@ -642,6 +635,15 @@ NTSTATUS add_ccache_to_list(const char *princ_name, goto no_mem; } + entry->service = talloc_asprintf(entry, + "%s/%s@%s", + KRB5_TGS_NAME, + canon_realm, + canon_realm); + if (entry->service == NULL) { + goto no_mem; + } + entry->create_time = create_time; entry->renew_until = renew_until; entry->uid = uid; @@ -681,9 +683,8 @@ NTSTATUS add_ccache_to_list(const char *princ_name, DLIST_ADD(ccache_list, entry); - DEBUG(10,("add_ccache_to_list: " - "added ccache [%s] for user [%s] to the list\n", - ccname, username)); + DBG_DEBUG("Added ccache [%s] for user [%s] and service [%s]\n", + entry->ccname, entry->username, entry->service); if (entry->event) { /* 
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 07835e9a263..1963163a865 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -730,7 +730,6 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, krb5_error_code krb5_ret; const char *cc = NULL; const char *principal_s = NULL; - const char *service = NULL; char *realm = NULL; fstring name_namespace, name_domain, name_user; time_t ticket_lifetime = 0; @@ -817,11 +816,6 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - service = talloc_asprintf(mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm); - if (service == NULL) { - return NT_STATUS_NO_MEMORY; - } - local_service = talloc_asprintf(mem_ctx, "%s$@%s", lp_netbios_name(), lp_realm()); if (local_service == NULL) { @@ -912,7 +906,6 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, result = add_ccache_to_list(principal_s, cc, - service, user, pass, realm, @@ -1285,7 +1278,6 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, const char *cc = NULL; char *realm = NULL; const char *principal_s = NULL; - const char *service = NULL; const char *user_ccache_file; if (domain->alt_name == NULL) { @@ -1325,12 +1317,6 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, goto out; } - service = talloc_asprintf(tmp_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm); - if (service == NULL) { - result = NT_STATUS_NO_MEMORY; - goto out; - } - if (user_ccache_file != NULL) { if (_krb5ccname != NULL) { @@ -1340,7 +1326,6 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, result = add_ccache_to_list(principal_s, cc, - service, user, pass, realm, diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h index 7c5f7ad91bb..6073baca36f 100644 --- a/source3/winbindd/winbindd_proto.h +++ b/source3/winbindd/winbindd_proto.h 
@@ -119,15 +119,15 @@ NTSTATUS wb_cache_trusted_domains(struct winbindd_domain *domain, struct netr_DomainTrustList *trusts); NTSTATUS wcache_cached_creds_exist(struct winbindd_domain *domain, const struct dom_sid *sid); -NTSTATUS wcache_get_creds(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, +NTSTATUS wcache_get_creds(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, const struct dom_sid *sid, const uint8_t **cached_nt_pass, const uint8_t **cached_salt); -NTSTATUS wcache_save_creds(struct winbindd_domain *domain, +NTSTATUS wcache_save_creds(struct winbindd_domain *domain, const struct dom_sid *sid, const uint8_t nt_pass[NT_HASH_LEN]); -void wcache_invalidate_samlogon(struct winbindd_domain *domain, +void wcache_invalidate_samlogon(struct winbindd_domain *domain, const struct dom_sid *user_sid); bool wcache_invalidate_cache(void); bool wcache_invalidate_cache_noinit(void); @@ -146,7 +146,7 @@ void cache_name2sid_trusted(struct winbindd_domain *domain, const char *name, enum lsa_SidType type, const struct dom_sid *sid); -void cache_name2sid(struct winbindd_domain *domain, +void cache_name2sid(struct winbindd_domain *domain, const char *domain_name, const char *name, enum lsa_SidType type, const struct dom_sid *sid); NTSTATUS wcache_query_user_fullname(struct winbindd_domain *domain, @@ -230,7 +230,6 @@ void ccache_remove_all_after_fork(void); void ccache_regain_all_now(void); NTSTATUS add_ccache_to_list(const char *princ_name, const char *ccname, - const char *service, const char *username, const char *password, const char *realm, @@ -259,8 +258,8 @@ NTSTATUS winbindd_get_creds(struct winbindd_domain *domain, const uint8_t **cached_nt_pass, const uint8_t **cred_salt); NTSTATUS winbindd_store_creds(struct winbindd_domain *domain, - const char *user, - const char *pass, + const char *user, + const char *pass, struct netr_SamInfo3 *info3); NTSTATUS winbindd_update_creds_by_info3(struct winbindd_domain *domain, const char *user, -- Samba Shared Repository
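Review bot: In the ads_krb5_cli_get_ticket() hunk (lib/krb5_wrap/krb5_samba.c @@ -3812) impersonate_princ_s is passed to a %s conversion with no NULL guard, and the trace quoted in the first commit message ("impersonating [(null)]") shows it is NULL on the path being debugged. Passing a NULL pointer for %s is undefined behaviour; glibc happens to print "(null)", other libcs may crash. Suggest `impersonate_princ_s != NULL ? impersonate_princ_s : "-"` in the argument list, or only mentioning impersonation in the message when the pointer is set.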
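Review bot: In the add_ccache_to_list() hunk at source3/winbindd/winbindd_cred_cache.c @@ -642 canon_realm is handed straight to talloc_asprintf() with no NULL check, whereas the hunk just above it (@@ -613) shows the sibling parameter canon_principal guarded with `if (canon_principal != NULL)` before it is copied, so these canonical fields look optional. If a caller can pass canon_realm as NULL the new entry->service becomes "krbtgt/(null)@(null)" on glibc (undefined behaviour elsewhere) and the refresh handler will later search the ccache for a service that cannot exist. Suggest returning NT_STATUS_INVALID_PARAMETER when canon_realm is NULL, or making the parameter mandatory and saying so at the prototype.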
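Review bot: The prototype hunk for add_ccache_to_list() (source3/winbindd/winbindd_proto.h @@ -230) removes the service parameter but adds no comment saying that the TGT service principal is now built from canon_realm inside the function. A one-line comment on the prototype would tell future callers why the canonical realm, not the joined realm, must be supplied.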
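An added model (not Samba code) of the TGT lookup described in the first commit message above, showing why the local-realm service name fails for ADOM\user1 but works for ACHILD\user1: the ccache contents are constructed from the klist output in that message (realms upper-cased, user name taken as user1), and the rule that the renewal lookup replaces the realm of the requested service with the client's realm is taken from the "Retrieving ..." trace lines. Principal, LOCAL_REALM and can_renew are names chosen here.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    name: str    # "user1", "krbtgt/REALM" or "SAMBA$"
    realm: str


def parse_principal(text: str) -> Principal:
    """Split 'name@REALM' at the last '@'; service names may contain '/'."""
    name, sep, realm = text.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a principal: {text!r}")
    return Principal(name, realm)


def tgt_service(realm: str) -> str:
    """krbtgt/REALM@REALM, the service string winbindd passes for renewal."""
    return f"krbtgt/{realm}@{realm}"


def renewal_server(client: Principal, service: str) -> Principal:
    """The renewal lookup keeps the service name but uses the client's realm,
    which is what the 'Retrieving ... -> krbtgt/...@adom...' trace shows."""
    return Principal(parse_principal(service).name, client.realm)


Cred = Tuple[Principal, Principal]


def retrieve_cred(ccache: List[Cred], client: Principal, server: Principal) -> Optional[Cred]:
    """Exact-match lookup; None stands for 'Matching credential not found'."""
    for cred in ccache:
        if cred == (client, server):
            return cred
    return None


LOCAL_REALM = "AGRANDCHILD.ACHILD.ADOM.AFOREST.AD"   # realm Samba is joined to


def creds(client: str, *servers: str) -> List[Cred]:
    c = parse_principal(client)
    return [(c, parse_principal(s)) for s in servers]


# Constructed from the klist output in the commit message.
ADOM_CCACHE = creds("user1@ADOM.AFOREST.AD",
                    "krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD",
                    f"SAMBA$@{LOCAL_REALM}")
ACHILD_CCACHE = creds("user1@ACHILD.ADOM.AFOREST.AD",
                      "krbtgt/ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD",
                      f"krbtgt/{LOCAL_REALM}@ACHILD.ADOM.AFOREST.AD",  # one-hop TGT, stored
                      f"SAMBA$@{LOCAL_REALM}")


def can_renew(ccache: List[Cred], use_canonical_realm: bool) -> bool:
    """False = old code (local realm), True = the fix (realm of the default principal)."""
    client = ccache[0][0]
    realm = client.realm if use_canonical_realm else LOCAL_REALM
    server = renewal_server(client, tgt_service(realm))
    return retrieve_cred(ccache, client, server) is not None
```

Running can_renew() over both caches with use_canonical_realm=False reproduces the page's observation: ACHILD\user1 still renews because its single-hop TGT was stored, ADOM\user1 does not.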