Compare commits

..

No commits in common. "c8" and "imports/c9-beta/samba-4.15.3-1.el9" have entirely different histories.

15 changed files with 1468 additions and 2836 deletions

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/samba-4.19.4.tar.xz
SOURCES/samba-4.15.3.tar.xz
SOURCES/samba-pubkey_AA99442FB680B620.gpg

View File

@ -1,2 +1,2 @@
6a164128df94dd89e785ca9f42d7be5714f16bed SOURCES/samba-4.19.4.tar.xz
e778708ce1f39566d91d74dce8e9940b324d1ef1 SOURCES/samba-4.15.3.tar.xz
971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg

View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmGww0kACgkQqplEL7aA
tiCzMg/+IzBD53oeYFSSt6V9o1ZhD/7bL425n/7Ea2iLaHkOEQWN3AgKV7h1rdSb
tS/Ys3xUf9LB1ZVkXbu17oWj5pG8aWcp6Ky80uXHycZ5X0/fcHegSU5SIyUfLs0F
d3BXvFWkPIy8H9a55wFTpJte2ofRoFqWUG4MAlOq83ummnmrz0W5j6QcufVIRjWq
hGMbg8Vjk+UEtKNO7fl8iSQ0ZRyXCkBR3biDBtMbvtoluaVkixxwwSPqgDoNXgju
ox2EbVfHLSHc+7Tb30uKQq/mf3uhf6ASIrajNVrXotK1fgpCCKnMLb9qRHEftttY
DwYKQvsrHCw9vYg/xyO2NOBr82mxjE6NBLsV1Kp8pdc4vInmAqOCsQpOuZ0SgO6u
sZk4c5AkfH7pZtHeNtlefiGe8/7ApU6UC6kkXT3mnLBtWKMBte9/NR6ZgCLle7tV
aAx6Io9j/rAeueRRgIK98bzxXSufjtFyNmM+Qr7IXnFHtJNM919ib4pr5DzpGwAc
+FMG0LfmU0XiUXcbw/IZ3AOD2DBwZC58ZezO3alUS8eRqNTP13v3Uhg9F78+eyah
Wbohx05Y4MA1ywtMd8z/dZn97nw3bw+z6fLNC//1Sq1qo1fXipaoSQW1LK9IHeVO
cV7cvd2c16p7NN3Op+34QY7Nc7b1uhtTV3v3tiEQYR/uQx+tyz8=
=fu6B
-----END PGP SIGNATURE-----

File diff suppressed because it is too large Load Diff

View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmWcCFAACgkQqplEL7aA
tiDKSBAAuWA9jT6xCfFACIlme7DbEoUm/Bsbf+GM2Somd3pgajekiNxo7CsW9Xub
Vmpj0Q5OKiri81XTqA8LlqMCBliqfw/rnP48kCH0YqXzjqD6aYuwmk0Q4G3wWBTJ
2ZT/wOpbM3YooFfE9Iffz6uNgAiQ/8kpBt2m6Zzfy8n1ThfztyGAGaSmrUWxgUlq
XjRjtgTw4isZBm+RzCFSGuPxvWvxRlfD5JCe2gc221rI3kbaQE2GSxdZ6D0635Ln
iy64SLIAKkQCrrFFckudSCCLKgLNdIClEwzamhhCbmCxnWMDufzN+BQZhq3axQ+x
svPfZqltVSQztr4nPGvKdebtVLL2Zyf/LtXWQP/s66quHlHFoEAC7MuD6tEMQVar
JQUCN51Gs0Yk12iReQFm6/Uo35aPAlai1e2uOkNzS5FnagRObYt6FYeQripks4I8
ZW5VvF4cE0zqdjrlG+Ttqmpbj7i6AUJj9wSbrEOFDUhTL+QPPOfJ05yr1BHmS6nJ
vuuUs+ei/DnYEFS91P81h5NuOdpRHIBTG6LUOLz5KOoNdIgvzjD/Ugyscj4AFTBo
+NTG9nNr6gkLV/6dxDRR2/sbU6P+FZBL+JVUoDR7XQ7oHG7sFV+/8Dtu8RivEw++
1sNGqxvGkwu7JunMkJO5YZRwXi81v3nmHkWKgb0+52iYXgmdesY=
=kOPP
-----END PGP SIGNATURE-----

View File

@ -0,0 +1,30 @@
From 939aed0498269df3c1e012f3b68c314b583f25bd Mon Sep 17 00:00:00 2001
From: Martin Schwenke <martin@meltin.net>
Date: Tue, 27 Apr 2021 15:46:14 +1000
Subject: [PATCH] utils: Use Python 3
Due to the number of flake8 and pylint warnings it is unclear if the
source has Python 3 incompatibilities. These will be cleaned up in
subsequent commits.
Signed-off-by: "L.P.H. van Belle" <belle@bazuin.nl>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
---
ctdb/utils/etcd/ctdb_etcd_lock | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ctdb/utils/etcd/ctdb_etcd_lock b/ctdb/utils/etcd/ctdb_etcd_lock
index 000c6bb7208..7f5194eff0a 100755
--- a/ctdb/utils/etcd/ctdb_etcd_lock
+++ b/ctdb/utils/etcd/ctdb_etcd_lock
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/env python3
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
--
2.31.1

View File

@ -0,0 +1,64 @@
From e556b4067e0c4036e20fc26523e3b4d6d5c6be42 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 7 Oct 2021 15:55:37 +0200
Subject: [PATCH] waf: Fix resolv_wrapper with glibc 2.34
With glibc 2.34 we are not able to talk to the DNS server via socket_wrapper
anymore. The res_* symbols have been moved from libresolv to libc. We are not
able to intercept any traffic inside of libc.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
---
selftest/wscript | 2 +-
third_party/resolv_wrapper/wscript | 13 +++++++++++++
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/selftest/wscript b/selftest/wscript
index a6be06c2ae9..85d9338489a 100644
--- a/selftest/wscript
+++ b/selftest/wscript
@@ -252,7 +252,7 @@ def cmd_testonly(opt):
if os.environ.get('USE_NAMESPACES') is None:
env.OPTIONS += " --socket_wrapper_so_path=" + CONFIG_GET(opt, 'LIBSOCKET_WRAPPER_SO_PATH')
- if Utils.unversioned_sys_platform() in ('netbsd', 'openbsd', 'sunos'):
+ if not CONFIG_SET(opt, 'HAVE_RESOLV_CONF_SUPPORT'):
env.OPTIONS += " --use-dns-faking"
if CONFIG_GET(opt, 'USING_SYSTEM_KRB5') and CONFIG_GET(opt, 'MIT_KDC_PATH'):
diff --git a/third_party/resolv_wrapper/wscript b/third_party/resolv_wrapper/wscript
index a7f18389b0f..7e369bd90b5 100644
--- a/third_party/resolv_wrapper/wscript
+++ b/third_party/resolv_wrapper/wscript
@@ -1,6 +1,7 @@
#!/usr/bin/env python
import os
+from waflib import Logs
VERSION="1.1.7"
@@ -49,6 +50,18 @@ def configure(conf):
if conf.CONFIG_SET('HAVE_RES_NCLOSE'):
conf.DEFINE('HAVE_RES_NCLOSE_IN_LIBRESOLV', 1)
+ # If we find res_nquery in libc, we can't do resolv.conf redirect
+ conf.CHECK_FUNCS('res_nquery __res_nquery')
+ if (conf.CONFIG_SET('HAVE_RES_NQUERY')
+ or conf.CONFIG_SET('HAVE___RES_NQUERY')):
+ Logs.warn("Detection for resolv_wrapper: "
+ "Only dns faking will be available")
+ else:
+ if conf.CHECK_FUNCS('res_nquery', lib='resolv'):
+ conf.DEFINE('HAVE_RESOLV_CONF_SUPPORT', 1)
+ if conf.CHECK_FUNCS('__res_nquery', lib='resolv'):
+ conf.DEFINE('HAVE_RESOLV_CONF_SUPPORT', 1)
+
conf.CHECK_FUNCS_IN('res_init __res_init', 'resolv', checklibc=True)
conf.CHECK_FUNCS_IN('res_ninit __res_ninit', 'resolv', checklibc=True)
conf.CHECK_FUNCS_IN('res_close __res_close', 'resolv', checklibc=True)
--
2.33.1

697
SOURCES/samba-s4u.patch Normal file
View File

@ -0,0 +1,697 @@
From 0b196043f08ea4c025f19c4519175a3a73e1d185 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Fri, 27 Sep 2019 18:25:03 +0300
Subject: [PATCH 1/3] mit-kdc: add basic loacl realm S4U support
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
---
source4/kdc/mit-kdb/kdb_samba_policies.c | 124 +++++++++++------------
source4/kdc/mit_samba.c | 47 ++-------
source4/kdc/mit_samba.h | 6 +-
3 files changed, 71 insertions(+), 106 deletions(-)
diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
index f35210669c2..b1c7c5dcc5e 100644
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
@@ -195,13 +195,17 @@ static krb5_error_code ks_verify_pac(krb5_context context,
krb5_keyblock *krbtgt_key,
krb5_timestamp authtime,
krb5_authdata **tgt_auth_data,
- krb5_pac *pac)
+ krb5_pac *out_pac)
{
struct mit_samba_context *mit_ctx;
krb5_authdata **authdata = NULL;
- krb5_pac ipac = NULL;
- DATA_BLOB logon_data = { NULL, 0 };
+ krb5_keyblock *header_server_key = NULL;
+ krb5_key_data *impersonator_kd = NULL;
+ krb5_keyblock impersonator_key = {0};
krb5_error_code code;
+ krb5_pac pac;
+
+ *out_pac = NULL;
mit_ctx = ks_get_context(context);
if (mit_ctx == NULL) {
@@ -233,41 +237,43 @@ static krb5_error_code ks_verify_pac(krb5_context context,
code = krb5_pac_parse(context,
authdata[0]->contents,
authdata[0]->length,
- &ipac);
+ &pac);
if (code != 0) {
goto done;
}
- /* TODO: verify this is correct
- *
- * In the constrained delegation case, the PAC is from a service
- * ticket rather than a TGT; we must verify the server and KDC
- * signatures to assert that the server did not forge the PAC.
+ /*
+ * For constrained delegation in MIT version < 1.18 we aren't provided
+ * with the 2nd ticket server key to verify the PAC.
+ * We can workaround that by fetching the key from the client db entry,
+ * which is the impersonator account in that version.
+ * TODO: use the provided entry in the new 1.18 version.
*/
if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
- code = krb5_pac_verify(context,
- ipac,
- authtime,
- client_princ,
- server_key,
- krbtgt_key);
+ /* The impersonator must be local. */
+ if (client == NULL) {
+ code = KRB5KDC_ERR_BADOPTION;
+ goto done;
+ }
+ /* Fetch and decrypt 2nd ticket server's current key. */
+ code = krb5_dbe_find_enctype(context, client, -1, -1, 0,
+ &impersonator_kd);
+ if (code != 0) {
+ goto done;
+ }
+ code = krb5_dbe_decrypt_key_data(context, NULL,
+ impersonator_kd,
+ &impersonator_key, NULL);
+ if (code != 0) {
+ goto done;
+ }
+ header_server_key = &impersonator_key;
} else {
- code = krb5_pac_verify(context,
- ipac,
- authtime,
- client_princ,
- krbtgt_key,
- NULL);
- }
- if (code != 0) {
- goto done;
+ header_server_key = krbtgt_key;
}
- /* check and update PAC */
- code = krb5_pac_parse(context,
- authdata[0]->contents,
- authdata[0]->length,
- pac);
+ code = krb5_pac_verify(context, pac, authtime, client_princ,
+ header_server_key, NULL);
if (code != 0) {
goto done;
}
@@ -275,17 +281,22 @@ static krb5_error_code ks_verify_pac(krb5_context context,
code = mit_samba_reget_pac(mit_ctx,
context,
flags,
- client_princ,
client,
server,
krbtgt,
krbtgt_key,
- pac);
+ &pac);
+ if (code != 0) {
+ goto done;
+ }
+
+ *out_pac = pac;
+ pac = NULL;
done:
+ krb5_free_keyblock_contents(context, &impersonator_key);
krb5_free_authdata(context, authdata);
- krb5_pac_free(context, ipac);
- free(logon_data.data);
+ krb5_pac_free(context, pac);
return code;
}
@@ -314,6 +325,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
krb5_authdata **pac_auth_data = NULL;
krb5_authdata **authdata = NULL;
krb5_boolean is_as_req;
+ krb5_const_principal pac_client;
krb5_error_code code;
krb5_pac pac = NULL;
krb5_data pac_data;
@@ -325,11 +337,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;
krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
- /* FIXME: We don't support S4U yet */
- if (flags & KRB5_KDB_FLAGS_S4U) {
- return KRB5_KDB_DBTYPE_NOSUP;
- }
-
is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
/*
@@ -390,6 +397,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
ks_client_princ = client->princ;
}
+ /* In protocol transition, we are currently not provided with the tgt
+ * client name to verify the PAC, we could probably skip the name
+ * verification and just verify the signatures, but since we don't
+ * support cross-realm nor aliases, we can just use server->princ */
+ if (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) {
+ pac_client = server->princ;
+ } else {
+ pac_client = ks_client_princ;
+ }
+
if (client_entry == NULL) {
client_entry = client;
}
@@ -454,7 +471,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
code = ks_verify_pac(context,
flags,
- ks_client_princ,
+ pac_client,
client_entry,
server,
krbtgt,
@@ -494,7 +511,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
is_as_req ? "AS-REQ" : "TGS-REQ",
client_name);
code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
- server_key, krbtgt_key, &pac_data);
+ server_key, krbtgt_key, &pac_data);
if (code != 0) {
DBG_ERR("krb5_pac_sign failed: %d\n", code);
goto done;
@@ -520,12 +537,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
KRB5_AUTHDATA_IF_RELEVANT,
authdata,
signed_auth_data);
- if (code != 0) {
- goto done;
- }
-
- code = 0;
-
done:
if (client_entry != NULL && client_entry != client) {
ks_free_principal(context, client_entry);
@@ -551,32 +562,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
* server; -> delegating service
* proxy; -> target principal
*/
- krb5_db_entry *delegating_service = discard_const_p(krb5_db_entry, server);
-
- char *target_name = NULL;
- bool is_enterprise;
- krb5_error_code code;
mit_ctx = ks_get_context(context);
if (mit_ctx == NULL) {
return KRB5_KDB_DBNOTINITED;
}
- code = krb5_unparse_name(context, proxy, &target_name);
- if (code) {
- goto done;
- }
-
- is_enterprise = (proxy->type == KRB5_NT_ENTERPRISE_PRINCIPAL);
-
- code = mit_samba_check_s4u2proxy(mit_ctx,
- delegating_service,
- target_name,
- is_enterprise);
-
-done:
- free(target_name);
- return code;
+ return mit_samba_check_s4u2proxy(mit_ctx, server, proxy);
}
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index 4239332f0d9..acc3cba6254 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -501,7 +501,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
krb5_context context,
int flags,
- krb5_const_principal client_principal,
krb5_db_entry *client,
krb5_db_entry *server,
krb5_db_entry *krbtgt,
@@ -665,7 +664,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
context,
*pac,
server->princ,
- discard_const(client_principal),
+ client->princ,
deleg_blob);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0, ("Update delegation info failed: %s\n",
@@ -987,41 +986,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
}
int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
- krb5_db_entry *kentry,
- const char *target_name,
- bool is_nt_enterprise_name)
+ const krb5_db_entry *server,
+ krb5_const_principal target_principal)
{
-#if 1
- /*
- * This is disabled because mit_samba_update_pac_data() does not handle
- * S4U_DELEGATION_INFO
- */
-
- return KRB5KDC_ERR_BADOPTION;
-#else
- krb5_principal target_principal;
- int flags = 0;
- int ret;
-
- if (is_nt_enterprise_name) {
- flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE;
- }
-
- ret = krb5_parse_name_flags(ctx->context, target_name,
- flags, &target_principal);
- if (ret) {
- return ret;
- }
-
- ret = samba_kdc_check_s4u2proxy(ctx->context,
- ctx->db_ctx,
- skdc_entry,
- target_principal);
-
- krb5_free_principal(ctx->context, target_principal);
-
- return ret;
-#endif
+ struct samba_kdc_entry *server_skdc_entry =
+ talloc_get_type_abort(server->e_data,
+ struct samba_kdc_entry);
+
+ return samba_kdc_check_s4u2proxy(ctx->context,
+ ctx->db_ctx,
+ server_skdc_entry,
+ target_principal);
}
static krb5_error_code mit_samba_change_pwd_error(krb5_context context,
diff --git a/source4/kdc/mit_samba.h b/source4/kdc/mit_samba.h
index 636c77ec97c..9cb00c9610e 100644
--- a/source4/kdc/mit_samba.h
+++ b/source4/kdc/mit_samba.h
@@ -56,7 +56,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
krb5_context context,
int flags,
- krb5_const_principal client_principal,
krb5_db_entry *client,
krb5_db_entry *server,
krb5_db_entry *krbtgt,
@@ -73,9 +72,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
DATA_BLOB *e_data);
int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
- krb5_db_entry *kentry,
- const char *target_name,
- bool is_nt_enterprise_name);
+ const krb5_db_entry *server,
+ krb5_const_principal target_principal);
int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
char *pwd,
--
2.33.1
From 992d38fa35c01f2f0bdb39d387fa29e8eb8d3d37 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Fri, 27 Sep 2019 18:35:30 +0300
Subject: [PATCH 2/3] krb5-mit: enable S4U client support for MIT build
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
---
lib/krb5_wrap/krb5_samba.c | 185 ++++++++++++++++++++++++++
lib/krb5_wrap/krb5_samba.h | 2 -
source4/auth/kerberos/kerberos_util.c | 11 --
3 files changed, 185 insertions(+), 13 deletions(-)
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index fff5b4e2a22..791b417d5ba 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -2694,6 +2694,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
return 0;
}
+
+#else /* MIT */
+
+static bool princ_compare_no_dollar(krb5_context ctx,
+ krb5_principal a,
+ krb5_principal b)
+{
+ bool cmp;
+ krb5_principal mod = NULL;
+
+ if (a->length == 1 && b->length == 1 &&
+ a->data[0].length != 0 && b->data[0].length != 0 &&
+ a->data[0].data[a->data[0].length -1] !=
+ b->data[0].data[b->data[0].length -1]) {
+ if (a->data[0].data[a->data[0].length -1] == '$') {
+ mod = a;
+ mod->data[0].length--;
+ } else if (b->data[0].data[b->data[0].length -1] == '$') {
+ mod = b;
+ mod->data[0].length--;
+ }
+ }
+
+ cmp = krb5_principal_compare_flags(ctx, a, b,
+ KRB5_PRINCIPAL_COMPARE_CASEFOLD);
+
+ if (mod != NULL) {
+ mod->data[0].length++;
+ }
+
+ return cmp;
+}
+
+krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
+ krb5_ccache store_cc,
+ krb5_principal init_principal,
+ const char *init_password,
+ krb5_principal impersonate_principal,
+ const char *self_service,
+ const char *target_service,
+ krb5_get_init_creds_opt *krb_options,
+ time_t *expire_time,
+ time_t *kdc_time)
+{
+ krb5_error_code code;
+ krb5_principal self_princ = NULL;
+ krb5_principal target_princ = NULL;
+ krb5_creds *store_creds;
+ krb5_creds *s4u2self_creds = NULL;
+ krb5_creds *s4u2proxy_creds = NULL;
+ krb5_creds init_creds = {0};
+ krb5_creds mcreds = {0};
+ krb5_flags options = KRB5_GC_NO_STORE;
+ krb5_ccache tmp_cc;
+ bool s4u2proxy;
+
+ code = krb5_cc_new_unique(ctx, "MEMORY", NULL, &tmp_cc);
+ if (code != 0) {
+ return code;
+ }
+
+ code = krb5_get_init_creds_password(ctx, &init_creds,
+ init_principal,
+ init_password,
+ NULL, NULL,
+ 0,
+ NULL,
+ krb_options);
+ if (code != 0) {
+ goto done;
+ }
+
+ code = krb5_cc_initialize(ctx, tmp_cc, init_creds.client);
+ if (code != 0) {
+ goto done;
+ }
+
+ code = krb5_cc_store_cred(ctx, tmp_cc, &init_creds);
+ if (code != 0) {
+ goto done;
+ }
+
+ /*
+ * Check if we also need S4U2Proxy or if S4U2Self is
+ * enough in order to get a ticket for the target.
+ */
+ if (target_service == NULL) {
+ s4u2proxy = false;
+ } else if (strcmp(target_service, self_service) == 0) {
+ s4u2proxy = false;
+ } else {
+ s4u2proxy = true;
+ }
+
+ code = krb5_parse_name(ctx, self_service, &self_princ);
+ if (code != 0) {
+ goto done;
+ }
+
+ /* MIT lacks aliases support in S4U, for S4U2Self we require the tgt
+ * client and the request server to be the same principal name. */
+ if (!princ_compare_no_dollar(ctx, init_creds.client, self_princ)) {
+ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
+ goto done;
+ }
+
+ mcreds.client = impersonate_principal;
+ mcreds.server = init_creds.client;
+
+ code = krb5_get_credentials_for_user(ctx, options, tmp_cc, &mcreds,
+ NULL, &s4u2self_creds);
+ if (code != 0) {
+ goto done;
+ }
+
+ if (s4u2proxy) {
+ code = krb5_parse_name(ctx, target_service, &target_princ);
+ if (code != 0) {
+ goto done;
+ }
+
+ mcreds.client = init_creds.client;
+ mcreds.server = target_princ;
+ mcreds.second_ticket = s4u2self_creds->ticket;
+
+ code = krb5_get_credentials(ctx, options |
+ KRB5_GC_CONSTRAINED_DELEGATION,
+ tmp_cc, &mcreds, &s4u2proxy_creds);
+ if (code != 0) {
+ goto done;
+ }
+
+ /* Check KDC support of S4U2Proxy extension */
+ if (!krb5_principal_compare(ctx, s4u2self_creds->client,
+ s4u2proxy_creds->client)) {
+ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
+ goto done;
+ }
+
+ store_creds = s4u2proxy_creds;
+ } else {
+ store_creds = s4u2self_creds;;
+
+ /* We need to save the ticket with the requested server name
+ * or the caller won't be able to find it in cache. */
+ if (!krb5_principal_compare(ctx, self_princ,
+ store_creds->server)) {
+ krb5_free_principal(ctx, store_creds->server);
+ store_creds->server = NULL;
+ code = krb5_copy_principal(ctx, self_princ,
+ &store_creds->server);
+ if (code != 0) {
+ goto done;
+ }
+ }
+ }
+
+ code = krb5_cc_initialize(ctx, store_cc, store_creds->client);
+ if (code != 0) {
+ goto done;
+ }
+
+ code = krb5_cc_store_cred(ctx, store_cc, store_creds);
+ if (code != 0) {
+ goto done;
+ }
+
+ if (expire_time) {
+ *expire_time = (time_t) store_creds->times.endtime;
+ }
+
+ if (kdc_time) {
+ *kdc_time = (time_t) store_creds->times.starttime;
+ }
+
+done:
+ krb5_cc_destroy(ctx, tmp_cc);
+ krb5_free_cred_contents(ctx, &init_creds);
+ krb5_free_creds(ctx, s4u2self_creds);
+ krb5_free_creds(ctx, s4u2proxy_creds);
+ krb5_free_principal(ctx, self_princ);
+ krb5_free_principal(ctx, target_princ);
+
+ return code;
+}
#endif
#if !defined(HAVE_KRB5_MAKE_PRINCIPAL) && defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA)
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index eab67f6d969..b5385c69a33 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -252,7 +252,6 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx,
krb5_get_init_creds_opt *krb_options,
time_t *expire_time,
time_t *kdc_time);
-#ifdef SAMBA4_USES_HEIMDAL
krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
krb5_ccache store_cc,
krb5_principal init_principal,
@@ -263,7 +262,6 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
krb5_get_init_creds_opt *krb_options,
time_t *expire_time,
time_t *kdc_time);
-#endif
#if defined(HAVE_KRB5_MAKE_PRINCIPAL)
#define smb_krb5_make_principal krb5_make_principal
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index 544d9d853cc..c14d8c72d8c 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -234,9 +234,7 @@ done:
{
krb5_error_code ret;
const char *password;
-#ifdef SAMBA4_USES_HEIMDAL
const char *self_service;
-#endif
const char *target_service;
time_t kdc_time = 0;
krb5_principal princ;
@@ -268,9 +266,7 @@ done:
return ret;
}
-#ifdef SAMBA4_USES_HEIMDAL
self_service = cli_credentials_get_self_service(credentials);
-#endif
target_service = cli_credentials_get_target_service(credentials);
password = cli_credentials_get_password(credentials);
@@ -331,7 +327,6 @@ done:
#endif
if (password) {
if (impersonate_principal) {
-#ifdef SAMBA4_USES_HEIMDAL
ret = smb_krb5_kinit_s4u2_ccache(smb_krb5_context->krb5_context,
ccache,
princ,
@@ -342,12 +337,6 @@ done:
krb_options,
NULL,
&kdc_time);
-#else
- talloc_free(mem_ctx);
- (*error_string) = "INTERNAL error: s4u2 ops "
- "are not supported with MIT build yet";
- return EINVAL;
-#endif
} else {
ret = smb_krb5_kinit_password_ccache(smb_krb5_context->krb5_context,
ccache,
--
2.33.1
From f1951b501ca0fb3e613f04437c99dc1bbf204609 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Sat, 19 Sep 2020 14:16:20 +0200
Subject: [PATCH 3/3] wip: for canonicalization with new MIT kdc code
---
source4/heimdal/lib/hdb/hdb.h | 1 +
source4/kdc/db-glue.c | 8 ++++++--
source4/kdc/mit_samba.c | 3 +++
source4/kdc/sdb.h | 1 +
4 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h
index 5ef9d9565f3..dafaffc6c2d 100644
--- a/source4/heimdal/lib/hdb/hdb.h
+++ b/source4/heimdal/lib/hdb/hdb.h
@@ -63,6 +63,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
#define HDB_F_ALL_KVNOS 2048 /* we want all the keys, live or not */
#define HDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */
#define HDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */
+#define HDB_F_FORCE_CANON 16384 /* force canonicalition */
/* hdb_capability_flags */
#define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index aff74f2ee71..d16b4c3329a 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -916,17 +916,21 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
}
}
- } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) {
+ } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) { // was this supposed to be || ?
ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
if (ret) {
krb5_clear_error_message(context);
goto out;
}
- } else if ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) {
+ } else if (((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) || (flags & SDB_F_FORCE_CANON)){
/*
* SDB_F_CANON maps from the canonicalize flag in the
* packet, and has a different meaning between AS-REQ
* and TGS-REQ. We only change the principal in the AS-REQ case
+ *
+ * The SDB_F_FORCE_CANON if for the new MIT kdc code that wants
+ * the canonical name in all lookups, and takes care to canonicalize
+ * only when appropriate.
*/
ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
if (ret) {
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index acc3cba6254..f0b9df8b613 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -224,6 +224,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
sflags |= SDB_F_CANON;
}
+#if KRB5_KDB_API_VERSION >= 10
+ sflags |= SDB_F_FORCE_CANON;
+#endif
if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY |
KRB5_KDB_FLAG_INCLUDE_PAC)) {
/*
diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h
index c929acccce6..a9115ec23d7 100644
--- a/source4/kdc/sdb.h
+++ b/source4/kdc/sdb.h
@@ -116,6 +116,7 @@ struct sdb_entry_ex {
#define SDB_F_KVNO_SPECIFIED 128 /* we want a particular KVNO */
#define SDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */
#define SDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */
+#define SDB_F_FORCE_CANON 16384 /* force canonicalition */
void sdb_free_entry(struct sdb_entry_ex *e);
void free_sdb_entry(struct sdb_entry *s);
--
2.33.1

View File

@ -1,2 +0,0 @@
#Type Name ID
g printadmin -

View File

@ -1,2 +0,0 @@
#Type Name ID
g usershares -

View File

@ -1,2 +0,0 @@
#Type Name ID
g wbpriv 88

View File

@ -1,5 +0,0 @@
#################################################
# This is a grouping library without any code
#################################################
[suppress_file]
file_name_regexp=.*libdcerpc-samr\\.so.*

View File

@ -18,9 +18,6 @@
load printers = yes
cups options = raw
# Install samba-usershares package for support
include = /etc/samba/usershares.conf
[homes]
comment = Home Directories
valid users = %S, %D%w%S

View File

@ -1,3 +0,0 @@
[global]
usershare max shares = 100
usershare allow guests = yes

File diff suppressed because it is too large Load Diff