Re: [Freeipa-devel] [PATCH] 19-21 Use exop instead of kadmin.local

2012-06-11 Thread Alexander Bokovoy

On Fri, 08 Jun 2012, Sumit Bose wrote:

On Thu, Jun 07, 2012 at 12:09:32PM +0200, Sumit Bose wrote:

now with patches :-)
On Thu, Jun 07, 2012 at 12:07:13PM +0200, Sumit Bose wrote:
 Hi,

 this patch fixes https://fedorahosted.org/freeipa/ticket/2513 and as a
 consequence makes https://fedorahosted.org/freeipa/ticket/2516 obsolete.

 This first patch is just a minor cleanup which is not related to the
 ticket. The second makes create_keys() a public function so that it can be
 called by the ipasam plugin as well. Finally the third patch removes the
 kadmin.local call and calls the KEYTAB_SET_OID extended operation
 instead.

 bye,
 Sumit


Alexander asked to merge the ACI into the existing ACI for the adtrust
agents. New version attached.

ACK.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] 19-21 Use exop instead of kadmin.local

2012-06-08 Thread Sumit Bose
On Thu, Jun 07, 2012 at 12:09:32PM +0200, Sumit Bose wrote:
 now with patches :-)
 On Thu, Jun 07, 2012 at 12:07:13PM +0200, Sumit Bose wrote:
  Hi,
  
  this patch fixes https://fedorahosted.org/freeipa/ticket/2513 and as a
  consequence makes https://fedorahosted.org/freeipa/ticket/2516 obsolete.
  
  This first patch is just a minor cleanup which is not related to the
  ticket. The second makes create_keys() a public function so that it can be
  called by the ipasam plugin as well. Finally the third patch removes the
  kadmin.local call and calls the KEYTAB_SET_OID extended operation
  instead.
  
  bye,
  Sumit

Alexander asked to merge the ACI into the existing ACI for the adtrust
agents. New version attached.

bye,
Sumit
From 21fb092ec76e3241e2aeb5aeffa065bcc39c63ea Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Tue, 13 Mar 2012 14:06:02 +0100
Subject: [PATCH] Use exop instead of kadmin.local

---
 daemons/ipa-sam/Makefile.am  |6 +++
 daemons/ipa-sam/ipa_sam.c|  101 --
 install/updates/60-trusts.update |2 +-
 3 Dateien geändert, 81 Zeilen hinzugefügt(+), 28 Zeilen entfernt(-)

diff --git a/daemons/ipa-sam/Makefile.am b/daemons/ipa-sam/Makefile.am
index 
b5b9b0b75b276ac14b01ce35bae63af539e596fc..275cce629385b1719544a7832a00e9ee6664b739
 100644
--- a/daemons/ipa-sam/Makefile.am
+++ b/daemons/ipa-sam/Makefile.am
@@ -7,6 +7,9 @@ SAMBA40EXTRA_LIBS = $(SAMBA40EXTRA_LIBPATH) \
-lsmbconf   \
$(NULL)
 
+KRB5_UTIL_DIR=../../util
+KRB5_UTIL_SRCS=$(KRB5_UTIL_DIR)/ipa_krb5.c
+
 INCLUDES = \
-I. \
-I$(srcdir) \
@@ -18,6 +21,7 @@ INCLUDES =\
-DDATADIR=\$(datadir)\  \
-DLDAPIDIR=\$(localstatedir)/run\   \
-DHAVE_LDAP \
+   -I $(KRB5_UTIL_DIR) \
$(AM_CFLAGS)\
$(LDAP_CFLAGS)  \
$(KRB5_CFLAGS)  \
@@ -34,6 +38,7 @@ plugin_LTLIBRARIES =  \
 
 ipasam_la_SOURCES =\
ipa_sam.c   \
+   $(KRB5_UTIL_SRCS)   \
$(NULL)
 
 ipasam_la_LDFLAGS =\
@@ -43,6 +48,7 @@ ipasam_la_LDFLAGS =   \
 
 ipasam_la_LIBADD = \
$(LDAP_LIBS)\
+   $(KRB5_LIBS)\
$(TALLOC_LIBS)  \
$(SAMBAUTIL_LIBS)   \
$(NDR_LIBS) \
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 
2627025a8f2f757ca62c58b541c002f46e7c3be1..851df8c62f0ffb159610ce0ac311463233eea497
 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -9,6 +9,7 @@
 #include pwd.h
 #include errno.h
 #include ldap.h
+#include krb5/krb5.h
 
 #include talloc.h
 
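Review bot: The `#include <krb5/krb5.h>` added after `ldap.h` here duplicates the one that the `@@ -28,17 +29,7 @@` hunk keeps as an unchanged context line a few lines further down, so ipa_sam.c now pulls the header in twice. The include guard makes this harmless, but one of the two should go; since the new `#include "ipa_krb5.h"` in that later hunk already sits directly after the surviving `krb5/krb5.h`, dropping the line added in this hunk is the smaller change. The same later hunk also removes `#include <time.h>` together with the smbrunsecret() scaffolding; if any remaining code in the file still uses `<time.h>` declarations it would now depend on a transitive include, which is worth a quick grep before merging (cannot be confirmed from the hunks shown).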
@@ -28,17 +29,7 @@
 
 #include sasl/sasl.h
 #include krb5/krb5.h
-#include time.h
-
-/* TODO: remove if smbrunsecret() is removed */
-typedef struct connection_structi {} connection_struct;
-struct current_user {
-   connection_struct *conn;
-   uint16_t vuid;
-   struct security_unix_token ut;
-   struct security_token *nt_user_token;
-};
-extern struct current_user current_user;
+#include ipa_krb5.h
 
 /* from drsblobs.h */
 struct AuthInfoNone {
@@ -104,7 +95,6 @@ char *sid_string_talloc(TALLOC_CTX *mem_ctx, const struct 
dom_sid *sid); /* avai
 char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so 
*/
 bool is_null_sid(const struct dom_sid *sid); /* available in libsecurity.so */
 bool strnequal(const char *s1,const char *s2,size_t n); /* available in 
libutil_str.so */
-int smbrunsecret(const char *cmd, const char *secret); /* available in 
libsmbconf.so */
 bool trim_char(char *s,char cfront,char cback); /* available in libutil_str.so 
*/
 bool sid_peek_check_rid(const struct dom_sid *exp_dom_sid, const struct 
dom_sid *sid, uint32_t *rid); /* available in libsecurity.so */
 char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in 
libsmbconf.so */
@@ -1382,6 +1372,76 @@ static bool search_krb_princ(struct ldapsam_privates 
*ldap_state,
return true;
 }
 
+static int set_cross_realm_pw(struct ldapsam_privates *ldap_state,
+ TALLOC_CTX *mem_ctx,
+ const char *princ, const char *pwd,
+ const char *base_dn)
+{
+   int ret;
+   krb5_error_code krberr;
+   krb5_context krbctx;
+   krb5_principal service_princ;
+   struct keys_container keys;
+   char *err_msg;
+   struct berval *reqdata = NULL;
+   struct berval *retdata = NULL;
+char *retoid;
+
+   krberr = krb5_init_context(krbctx);
+