The branch, master has been updated
via 116af0df4f7 s3:winbind: Use the canonical realm name to renew the
credentials
via 8bef8e3de9f s3:winbind: Create service principal inside
add_ccache_to_list()
via 2235a4aac4e lib:krb5_wrap: Add debug to ads_krb5_cli_get_ticket()
via 28db1443750 s3:winbind: Improve debug message to print service in
smb_krb5_renew_ticket()
via 266d6ebc5d7 s3:winbind: Improve debug message to print the service
in add_ccache_to_list()
via 9409f1adc63 s3:winbind: Fix trailing whitespaces in winbindd_proto.h
via b1056442fd3 s3:winbind: Fix trailing whitespaces and spaces before
tabs in winbindd_cred_cache.c
from 2ec93ac6f34 smbd: follow-up fix for "if close fails just log it,
don't crash"
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 116af0df4f74aa450cbb77c79f8cac4bfc288631
Author: Samuel Cabrero <scabr...@samba.org>
Date: Thu Jul 7 11:32:39 2022 +0200
s3:winbind: Use the canonical realm name to renew the credentials
Consider the following AD topology where all trusts are parent-child
trusts:
ADOM.AFOREST.AD
|
ACHILD.ADOM.AFOREST.AD
|
AGRANDCHILD.ACHILD.ADOM.AFOREST.AD <-- Samba joined
When logging into the Samba machine using pam_winbind with kerberos enabled
with user ACHILD\user1, the ccache content is:
Default principal: us...@achild.adom.aforest.ad
Valid starting Expires Service principal
07/06/2022 16:09:23 07/06/2022 16:14:23
krbtgt/achild.adom.aforest...@achild.adom.aforest.ad
renew until 07/13/2022 16:09:23
--> 07/06/2022 16:09:23 07/06/2022 16:14:23
krbtgt/agrandchild.achild.adom.aforest...@achild.adom.aforest.ad <-- NOTE this
TGT ticket
renew until 07/13/2022 16:09:23
07/06/2022 16:09:23 07/06/2022 16:14:23
SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
renew until 07/13/2022 16:09:23
But when logging in with user ADOM\user1, the ccache content is:
Default principal: us...@adom.aforest.ad
Valid starting Expires Service principal
07/06/2022 16:04:37 07/06/2022 16:09:37
krbtgt/adom.aforest...@adom.aforest.ad
renew until 07/13/2022 16:04:37
07/06/2022 16:04:37 07/06/2022 16:09:37
SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
renew until 07/13/2022 16:04:37
MIT does not store the intermediate TGTs when there is more than one hop:
ads_krb5_cli_get_ticket: Getting ticket for service
[SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD] using creds from
[FILE:/tmp/krb5cc_11105] and impersonating [(null)]
Getting credentials us...@adom.aforest.ad ->
SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD using ccache FILE:/tmp/krb5cc_11105
Starting with TGT for client realm: us...@adom.aforest.ad ->
krbtgt/adom.aforest...@adom.aforest.ad
Requesting TGT
krbtgt/agrandchild.achild.adom.aforest...@adom.aforest.ad using TGT
krbtgt/adom.aforest...@adom.aforest.ad
Sending request to ADOM.AFOREST.AD
Received answer from stream 192.168.101.32:88
TGS reply is for us...@adom.aforest.ad ->
krbtgt/achild.adom.aforest...@adom.aforest.ad with session key rc4-hmac/D88B
--> Received TGT for offpath realm ACHILD.ADOM.AFOREST.AD <-- NOTE this TGT
ticket is not stored
Requesting TGT
krbtgt/agrandchild.achild.adom.aforest...@achild.adom.aforest.ad using TGT
krbtgt/achild.adom.aforest...@adom.aforest.ad
Sending request (1748 bytes) to ACHILD.ADOM.AFOREST.AD
Received answer (1628 bytes) from stream 192.168.101.33:88
TGS reply is for us...@adom.aforest.ad ->
krbtgt/agrandchild.achild.adom.aforest...@achild.adom.aforest.ad with session
key rc4-hmac/D015
--> Received TGT for service realm:
krbtgt/agrandchild.achild.adom.aforest...@achild.adom.aforest.ad <-- NOTE this
TGT is not stored
Requesting tickets for SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD,
referrals on
Sending request (1721 bytes) to AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
Received answer (1647 bytes) from stream 192.168.101.34:88
TGS reply is for us...@adom.aforest.ad ->
SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD with session key aes256-cts/345A
Received creds for desired service
SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
Storing us...@adom.aforest.ad ->
SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD in FILE:/tmp/krb5cc_11105
In the case of ACHILD\user1:
ads_krb5_cli_get_ticket: Getting ticket for service
[SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD] using creds from
[FILE:/tmp/krb5cc_2000] and impersonating [(null)]
Getting credentials us...@achild.adom.aforest.ad ->
SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD using ccache FILE:/tmp/krb5cc_2000
Starting with TGT for client realm: us...@achild.adom.aforest.ad ->
krbtgt/achild.adom.aforest...@achild.adom.aforest.ad
Requesting TGT
krbtgt/agrandchild.achild.adom.aforest...@achild.adom.aforest.ad using TGT
krbtgt/achild.adom.aforest...@achild.adom.aforest.ad
Sending request to ACHILD.ADOM.AFOREST.AD
Received answer from stream 192.168.101.33:88
TGS reply is for us...@achild.adom.aforest.ad ->
krbtgt/agrandchild.achild.adom.aforest...@achild.adom.aforest.ad with session
key rc4-hmac/0F60
--> Storing us...@achild.adom.aforest.ad ->
krbtgt/agrandchild.achild.adom.aforest...@achild.adom.aforest.ad in
FILE:/tmp/krb5cc_2000 <-- NOTE this TGT is stored
Received TGT for service realm:
krbtgt/agrandchild.achild.adom.aforest...@achild.adom.aforest.ad
Requesting tickets for SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD,
referrals on
Sending request (1745 bytes) to AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
Received answer (1675 bytes) from stream 192.168.101.34:88
TGS reply is for us...@achild.adom.aforest.ad ->
SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD with session key aes256-cts/3576
Received creds for desired service
SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
Storing us...@achild.adom.aforest.ad ->
SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD in FILE:/tmp/krb5cc_2000
The result is that winbindd can't refresh the tickets for ADOM\user1
because the local realm is used to build the TGT service name.
smb_krb5_renew_ticket: Using FILE:/tmp/krb5cc_11105 as ccache for
client 'us...@adom.aforest.ad' and service
'krbtgt/agrandchild.achild.adom.aforest...@agrandchild.achild.adom.aforest.ad'
Retrieving us...@adom.aforest.ad ->
krbtgt/agrandchild.achild.adom.aforest...@adom.aforest.ad from
FILE:/tmp/krb5cc_11105 with result: -1765328243/Matching credential not found
(filename: /tmp/krb5cc_11105)
The canonical realm name must be used instead:
smb_krb5_renew_ticket: Using FILE:/tmp/krb5cc_11105 as ccache for
client 'us...@adom.aforest.ad' and service
'krbtgt/adom.aforest...@adom.aforest.ad'
Retrieving us...@adom.aforest.ad ->
krbtgt/adom.aforest...@adom.aforest.ad from FILE:/tmp/krb5cc_11105 with result:
0/Success
Get cred via TGT krbtgt/adom.aforest...@adom.aforest.ad after
requesting krbtgt/adom.aforest...@adom.aforest.ad (canonicalize off)
Sending request to ADOM.AFOREST.AD
Received answer from stream 192.168.101.32:88
TGS reply is for us...@adom.aforest.ad ->
krbtgt/adom.aforest...@adom.aforest.ad with session key aes256-cts/8C7B
Storing us...@adom.aforest.ad -> krbtgt/adom.aforest...@adom.aforest.ad
in FILE:/tmp/krb5cc_11105
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
Signed-off-by: Samuel Cabrero <scabr...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org>
Autobuild-Date(master): Tue Jul 12 12:38:55 UTC 2022 on sn-devel-184
commit 8bef8e3de9fc96ff45319f80529e878977563f3a
Author: Samuel Cabrero <scabr...@samba.org>
Date: Thu Jul 7 11:22:05 2022 +0200
s3:winbind: Create service principal inside add_ccache_to_list()
The function can build the service principal itself, there is no
need to do it in the caller. This removes code duplication.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
Signed-off-by: Samuel Cabrero <scabr...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
commit 2235a4aac4e879c0ffe462f9eed454c7792efc85
Author: Samuel Cabrero <scabr...@samba.org>
Date: Thu Jul 7 12:33:15 2022 +0200
lib:krb5_wrap: Add debug to ads_krb5_cli_get_ticket()
Signed-off-by: Samuel Cabrero <scabr...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
commit 28db1443750b167909dbe09aaac1e28bcf95be50
Author: Samuel Cabrero <scabr...@suse.de>
Date: Thu Jul 7 14:13:02 2022 +0200
s3:winbind: Improve debug message to print service in
smb_krb5_renew_ticket()
Signed-off-by: Samuel Cabrero <scabr...@suse.de>
Reviewed-by: Andreas Schneider <a...@samba.org>
commit 266d6ebc5d79d91753f6ef777e0bedcbc0d7193b
Author: Samuel Cabrero <scabr...@samba.org>
Date: Thu Jul 7 11:28:03 2022 +0200
s3:winbind: Improve debug message to print the service in
add_ccache_to_list()
Signed-off-by: Samuel Cabrero <scabr...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
commit 9409f1adc63b53039ca26d5a85e67f9fe759789d
Author: Samuel Cabrero <scabr...@samba.org>
Date: Thu Jul 7 11:19:47 2022 +0200
s3:winbind: Fix trailing whitespaces in winbindd_proto.h
Signed-off-by: Samuel Cabrero <scabr...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
commit b1056442fd3044501edeb7f8f4e8698e2b5ccc7c
Author: Samuel Cabrero <scabr...@samba.org>
Date: Thu Jul 7 11:18:42 2022 +0200
s3:winbind: Fix trailing whitespaces and spaces before tabs in
winbindd_cred_cache.c
Signed-off-by: Samuel Cabrero <scabr...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
lib/krb5_wrap/krb5_samba.c | 7 ++++-
source3/winbindd/winbindd_cred_cache.c | 51 +++++++++++++++++-----------------
source3/winbindd/winbindd_pam.c | 15 ----------
source3/winbindd/winbindd_proto.h | 15 +++++-----
4 files changed, 39 insertions(+), 49 deletions(-)
Changeset truncated at 500 lines:
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 57ffdc72780..2b9dc97a1bc 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1084,7 +1084,8 @@ krb5_error_code smb_krb5_renew_ticket(const char
*ccache_string,
goto done;
}
- DBG_DEBUG("Using %s as ccache for '%s'\n", ccache_string,
client_string);
+ DBG_DEBUG("Using %s as ccache for client '%s' and service '%s'\n",
+ ccache_string, client_string, service_string);
/* FIXME: we should not fall back to defaults */
ret = krb5_cc_resolve(context, discard_const_p(char, ccache_string),
&ccache);
@@ -3812,6 +3813,10 @@ int ads_krb5_cli_get_ticket(TALLOC_CTX *mem_ctx,
ENCTYPE_NULL};
bool ok;
+ DBG_DEBUG("Getting ticket for service [%s] using creds from [%s] "
+ "and impersonating [%s]\n",
+ principal, ccname, impersonate_princ_s);
+
retval = smb_krb5_init_context_common(&context);
if (retval != 0) {
DBG_ERR("kerberos init context failed (%s)\n",
diff --git a/source3/winbindd/winbindd_cred_cache.c
b/source3/winbindd/winbindd_cred_cache.c
index 6c65db6a73f..bdc16041eee 100644
--- a/source3/winbindd/winbindd_cred_cache.c
+++ b/source3/winbindd/winbindd_cred_cache.c
@@ -127,7 +127,7 @@ static void krb5_ticket_refresh_handler(struct
tevent_context *event_ctx,
#ifdef HAVE_KRB5
/* Kinit again if we have the user password and we can't renew the old
- * tgt anymore
+ * tgt anymore
* NB
* This happens when machine are put to sleep for a very long time. */
@@ -160,10 +160,10 @@ rekinit:
* it, ignore error here */
ads_kdestroy(entry->ccname);
- /* Don't break the ticket refresh chain: retry
- * refreshing ticket sometime later when KDC is
+ /* Don't break the ticket refresh chain: retry
+ * refreshing ticket sometime later when KDC is
* unreachable -- BoYang. More error code
handling
- * here?
+ * here?
* */
if ((ret == KRB5_KDC_UNREACH)
@@ -196,9 +196,9 @@ rekinit:
#endif
goto done;
} else {
- /* can this happen?
+ /* can this happen?
* No cached credentials
- * destroy ticket and refresh chain
+ * destroy ticket and refresh chain
* */
ads_kdestroy(entry->ccname);
TALLOC_FREE(entry->event);
@@ -229,18 +229,18 @@ rekinit:
/* evil rises here, we refresh ticket failed,
* but the ticket might be expired. Therefore,
- * When we refresh ticket failed, destory the
+ * When we refresh ticket failed, destory the
* ticket */
ads_kdestroy(entry->ccname);
/* avoid breaking the renewal chain: retry in
* lp_winbind_cache_time() seconds when the KDC was not
- * available right now.
- * the return code can be KRB5_REALM_CANT_RESOLVE.
+ * available right now.
+ * the return code can be KRB5_REALM_CANT_RESOLVE.
* More error code handling here? */
- if ((ret == KRB5_KDC_UNREACH)
+ if ((ret == KRB5_KDC_UNREACH)
|| (ret == KRB5_REALM_CANT_RESOLVE)) {
#if defined(DEBUG_KRB5_TKT_RENEWAL)
new_start = time(NULL) + 30;
@@ -257,7 +257,7 @@ rekinit:
/* This is evil, if the ticket was already expired.
* renew ticket function returns KRB5KRB_AP_ERR_TKT_EXPIRED.
- * But there is still a chance that we can rekinit it.
+ * But there is still a chance that we can rekinit it.
*
* This happens when user login in online mode, and then network
* down or something cause winbind goes offline for a very long
time,
@@ -274,7 +274,7 @@ rekinit:
}
done:
- /* in cases that ticket will be unrenewable soon, we don't try to renew
ticket
+ /* in cases that ticket will be unrenewable soon, we don't try to renew
ticket
* but try to regain ticket if it is possible */
if (entry->renew_until && expire_time
&& (entry->renew_until <= expire_time)) {
@@ -356,7 +356,7 @@ static void krb5_ticket_gain_handler(struct tevent_context
*event_ctx,
DEBUG(3,("krb5_ticket_gain_handler: "
"could not kinit: %s\n",
error_message(ret)));
- /* evil. If we cannot do it, destroy any the __maybe__
+ /* evil. If we cannot do it, destroy any the __maybe__
* __existing__ ticket */
ads_kdestroy(entry->ccname);
goto retry_later;
@@ -369,9 +369,9 @@ static void krb5_ticket_gain_handler(struct tevent_context
*event_ctx,
goto got_ticket;
retry_later:
-
+
#if defined(DEBUG_KRB5_TKT_RENEWAL)
- t = timeval_set(time(NULL) + 30, 0);
+ t = timeval_set(time(NULL) + 30, 0);
#else
t = timeval_current_ofs(MAX(30, lp_winbind_cache_time()), 0);
#endif
@@ -493,7 +493,6 @@ bool ccache_entry_identical(const char *username,
NTSTATUS add_ccache_to_list(const char *princ_name,
const char *ccname,
- const char *service,
const char *username,
const char *pass,
const char *realm,
@@ -613,12 +612,6 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
goto no_mem;
}
}
- if (service) {
- entry->service = talloc_strdup(entry, service);
- if (!entry->service) {
- goto no_mem;
- }
- }
if (canon_principal != NULL) {
entry->canon_principal = talloc_strdup(entry, canon_principal);
if (entry->canon_principal == NULL) {
@@ -642,6 +635,15 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
goto no_mem;
}
+ entry->service = talloc_asprintf(entry,
+ "%s/%s@%s",
+ KRB5_TGS_NAME,
+ canon_realm,
+ canon_realm);
+ if (entry->service == NULL) {
+ goto no_mem;
+ }
+
entry->create_time = create_time;
entry->renew_until = renew_until;
entry->uid = uid;
@@ -681,9 +683,8 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
DLIST_ADD(ccache_list, entry);
- DEBUG(10,("add_ccache_to_list: "
- "added ccache [%s] for user [%s] to the list\n",
- ccname, username));
+ DBG_DEBUG("Added ccache [%s] for user [%s] and service [%s]\n",
+ entry->ccname, entry->username, entry->service);
if (entry->event) {
/*
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 07835e9a263..1963163a865 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -730,7 +730,6 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX
*mem_ctx,
krb5_error_code krb5_ret;
const char *cc = NULL;
const char *principal_s = NULL;
- const char *service = NULL;
char *realm = NULL;
fstring name_namespace, name_domain, name_user;
time_t ticket_lifetime = 0;
@@ -817,11 +816,6 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX
*mem_ctx,
return NT_STATUS_NO_MEMORY;
}
- service = talloc_asprintf(mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm,
realm);
- if (service == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
local_service = talloc_asprintf(mem_ctx, "%s$@%s",
lp_netbios_name(), lp_realm());
if (local_service == NULL) {
@@ -912,7 +906,6 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX
*mem_ctx,
result = add_ccache_to_list(principal_s,
cc,
- service,
user,
pass,
realm,
@@ -1285,7 +1278,6 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct
winbindd_domain *domain,
const char *cc = NULL;
char *realm = NULL;
const char *principal_s = NULL;
- const char *service = NULL;
const char *user_ccache_file;
if (domain->alt_name == NULL) {
@@ -1325,12 +1317,6 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct
winbindd_domain *domain,
goto out;
}
- service = talloc_asprintf(tmp_ctx, "%s/%s@%s",
KRB5_TGS_NAME, realm, realm);
- if (service == NULL) {
- result = NT_STATUS_NO_MEMORY;
- goto out;
- }
-
if (user_ccache_file != NULL) {
if (_krb5ccname != NULL) {
@@ -1340,7 +1326,6 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct
winbindd_domain *domain,
result = add_ccache_to_list(principal_s,
cc,
- service,
user,
pass,
realm,
diff --git a/source3/winbindd/winbindd_proto.h
b/source3/winbindd/winbindd_proto.h
index 7c5f7ad91bb..6073baca36f 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -119,15 +119,15 @@ NTSTATUS wb_cache_trusted_domains(struct winbindd_domain
*domain,
struct netr_DomainTrustList *trusts);
NTSTATUS wcache_cached_creds_exist(struct winbindd_domain *domain, const
struct dom_sid *sid);
-NTSTATUS wcache_get_creds(struct winbindd_domain *domain,
- TALLOC_CTX *mem_ctx,
+NTSTATUS wcache_get_creds(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
const struct dom_sid *sid,
const uint8_t **cached_nt_pass,
const uint8_t **cached_salt);
-NTSTATUS wcache_save_creds(struct winbindd_domain *domain,
+NTSTATUS wcache_save_creds(struct winbindd_domain *domain,
const struct dom_sid *sid,
const uint8_t nt_pass[NT_HASH_LEN]);
-void wcache_invalidate_samlogon(struct winbindd_domain *domain,
+void wcache_invalidate_samlogon(struct winbindd_domain *domain,
const struct dom_sid *user_sid);
bool wcache_invalidate_cache(void);
bool wcache_invalidate_cache_noinit(void);
@@ -146,7 +146,7 @@ void cache_name2sid_trusted(struct winbindd_domain *domain,
const char *name,
enum lsa_SidType type,
const struct dom_sid *sid);
-void cache_name2sid(struct winbindd_domain *domain,
+void cache_name2sid(struct winbindd_domain *domain,
const char *domain_name, const char *name,
enum lsa_SidType type, const struct dom_sid *sid);
NTSTATUS wcache_query_user_fullname(struct winbindd_domain *domain,
@@ -230,7 +230,6 @@ void ccache_remove_all_after_fork(void);
void ccache_regain_all_now(void);
NTSTATUS add_ccache_to_list(const char *princ_name,
const char *ccname,
- const char *service,
const char *username,
const char *password,
const char *realm,
@@ -259,8 +258,8 @@ NTSTATUS winbindd_get_creds(struct winbindd_domain *domain,
const uint8_t **cached_nt_pass,
const uint8_t **cred_salt);
NTSTATUS winbindd_store_creds(struct winbindd_domain *domain,
- const char *user,
- const char *pass,
+ const char *user,
+ const char *pass,
struct netr_SamInfo3 *info3);
NTSTATUS winbindd_update_creds_by_info3(struct winbindd_domain *domain,
const char *user,
--
Samba Shared Repository
