Author: jpeach Date: 2006-10-13 23:43:27 +0000 (Fri, 13 Oct 2006) New Revision: 19270
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=19270 Log: Stop depending on internal MIT symbols. These are private on MacOS x, so we can't get at them even if we wanted to. Kerberos experts, please take a look to make sure I've done the right thing! Modified: branches/SAMBA_3_0/source/configure.in branches/SAMBA_3_0/source/include/includes.h branches/SAMBA_3_0/source/libsmb/clikrb5.c Changeset: Modified: branches/SAMBA_3_0/source/configure.in =================================================================== --- branches/SAMBA_3_0/source/configure.in 2006-10-13 13:40:47 UTC (rev 19269) +++ branches/SAMBA_3_0/source/configure.in 2006-10-13 23:43:27 UTC (rev 19270) @@ -3439,6 +3439,7 @@ AC_CHECK_FUNC_EXT(krb5_set_real_time, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_set_default_in_tkt_etypes, $KRB5_LIBS) + AC_CHECK_FUNC_EXT(krb5_set_default_tgs_enctypes, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_set_default_tgs_ktypes, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_principal2salt, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_use_enctype, $KRB5_LIBS) @@ -3450,20 +3451,18 @@ AC_CHECK_FUNC_EXT(krb5_locate_kdc, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_get_permitted_enctypes, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_get_default_in_tkt_etypes, $KRB5_LIBS) - AC_CHECK_FUNC_EXT(krb5_free_ktypes, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_free_data_contents, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_principal_get_comp_string, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_free_unparsed_name, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_free_keytab_entry_contents, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_kt_free_entry, $KRB5_LIBS) + AC_CHECK_FUNC_EXT(krb5_krbhst_init, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_krbhst_get_addrinfo, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_c_enctype_compare, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_enctypes_compatible_keys, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_crypto_init, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_crypto_destroy, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_decode_ap_req, $KRB5_LIBS) - AC_CHECK_FUNC_EXT(decode_krb5_ap_req, $KRB5_LIBS) - AC_CHECK_FUNC_EXT(krb5_free_ap_req, $KRB5_LIBS) AC_CHECK_FUNC_EXT(free_AP_REQ, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_c_verify_checksum, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_principal_compare_any_realm, $KRB5_LIBS) @@ -3473,9 +3472,34 @@ AC_CHECK_FUNC_EXT(krb5_get_renewed_creds, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_get_kdc_cred, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_free_error_contents, $KRB5_LIBS) + AC_CHECK_FUNC_EXT(initialize_krb5_error_table, $KRB5_LIBS) LIBS="$KRB5_LIBS $LIBS" + AC_CACHE_CHECK(whether krb5_ticket contains kvno and enctype, + smb_krb5_ticket_has_keyinfo, + [ + AC_TRY_COMPILE( + [ + #include <krb5.h> + ], + [ + krb5_ticket ticket; + krb5_kvno kvno; + krb5_enctype enctype; + + enctype = ticket.enc_part.enctype; + kvno = ticket.enc_part.kvno; + ], + [ smb_krb5_ticket_has_keyinfo=yes ], + [ smb_krb5_ticket_has_keyinfo=no ]) + ]) + + if test x"$smb_krb5_ticket_has_keyinfo" = x"yes" ; then + AC_DEFINE(KRB5_TICKET_HAS_KEYINFO, 1, + [Whether the krb5_ticket structure contains the kvno and enctype]) + fi + AC_CACHE_CHECK(whether krb5_verify_checksum takes 7 arguments, smb_krb5_verify_checksum, [ AC_TRY_COMPILE([ #include <krb5.h>], @@ -3832,18 +3856,23 @@ use_ads=no fi - if test x"$ac_cv_func_ext_krb5_free_ap_req" != x"yes" -a \ - x"$ac_cv_func_ext_free_AP_REQ" != x"yes" - then - AC_MSG_WARN(no KRB5_AP_REQ_FREE_FUNCTION detected) - use_ads=no - fi + if test x"$smb_krb5_ticket_has_keyinfo" != x"yes" ; then - if test x"$ac_cv_func_ext_krb5_decode_ap_req" != x"yes" -a \ - x"$ac_cv_func_ext_decode_krb5_ap_req" != x"yes" - then - AC_MSG_WARN(no KRB5_AP_REQ_DECODING_FUNCTION detected) - use_ads=no + # We only need the following functions if we can't get the enctype + # and kvno out of the ticket directly (ie. on Heimdal). + + if test x"$ac_cv_func_ext_free_AP_REQ" != x"yes" + then + AC_MSG_WARN(no KRB5_AP_REQ_FREE_FUNCTION detected) + use_ads=no + fi + + if test x"$ac_cv_func_ext_decode_krb5_ap_req" != x"yes" + then + AC_MSG_WARN(no KRB5_AP_REQ_DECODING_FUNCTION detected) + use_ads=no + fi + fi if test x"$use_ads" = x"yes"; then Modified: branches/SAMBA_3_0/source/include/includes.h =================================================================== --- branches/SAMBA_3_0/source/include/includes.h 2006-10-13 13:40:47 UTC (rev 19269) +++ branches/SAMBA_3_0/source/include/includes.h 2006-10-13 23:43:27 UTC (rev 19270) @@ -1105,6 +1105,14 @@ void krb5_free_unparsed_name(krb5_context ctx, char *val); #endif +/* Stub out initialize_krb5_error_table since it is not present in all + * Kerberos implementations. If it's not present, it's not necessary to + * call it. + */ +#ifndef HAVE_INITIALIZE_KRB5_ERROR_TABLE +#define initialize_krb5_error_table() +#endif + /* Samba wrapper function for krb5 functionality. */ void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr); int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype); @@ -1113,7 +1121,6 @@ krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt); krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters); krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes); -void free_kerberos_etypes(krb5_context context, krb5_enctype *enctypes); BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, BOOL remote); krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry); krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context, krb5_principal host_princ, int enctype); Modified: branches/SAMBA_3_0/source/libsmb/clikrb5.c =================================================================== --- branches/SAMBA_3_0/source/libsmb/clikrb5.c 2006-10-13 13:40:47 UTC (rev 19269) +++ branches/SAMBA_3_0/source/libsmb/clikrb5.c 2006-10-13 23:43:27 UTC (rev 19270) @@ -130,13 +130,35 @@ } #endif -#if defined(HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES) && !defined(HAVE_KRB5_SET_DEFAULT_TGS_KTYPES) +#if !defined(HAVE_KRB5_SET_DEFAULT_TGS_KTYPES) + +#if defined(HAVE_KRB5_SET_DEFAULT_TGS_ENCTYPES) + +/* With MIT kerberos, we should use krb5_set_default_tgs_enctypes in preference + * to krb5_set_default_tgs_ktypes. See + * http://lists.samba.org/archive/samba-technical/2006-July/048271.html + * + * If the MIT libraries are not exporting internal symbols, we will end up in + * this branch, which is correct. Otherwise we will continue to use the + * internal symbol + */ krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc) { + return krb5_set_default_tgs_enctypes(ctx, enc); +} + +#elif defined(HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES) + +/* Heimdal */ + krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc) +{ return krb5_set_default_in_tkt_etypes(ctx, enc); } -#endif +#endif /* HAVE_KRB5_SET_DEFAULT_TGS_ENCTYPES */ + +#endif /* HAVE_KRB5_SET_DEFAULT_TGS_KTYPES */ + #if defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) /* HEIMDAL */ void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr) @@ -239,18 +261,6 @@ #error UNKNOWN_GET_ENCTYPES_FUNCTIONS #endif - void free_kerberos_etypes(krb5_context context, - krb5_enctype *enctypes) -{ -#if defined(HAVE_KRB5_FREE_KTYPES) - krb5_free_ktypes(context, enctypes); - return; -#else - SAFE_FREE(enctypes); - return; -#endif -} - #if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, @@ -373,6 +383,14 @@ } #if !defined(HAVE_KRB5_LOCATE_KDC) + +/* krb5_locate_kdc is an internal MIT symbol. MIT are not yet willing to commit + * to a public interface for this functionality, so we have to be able to live + * without it if the MIT libraries are hiding their internal symbols. + */ + +#if defined(KRB5_KRBHST_INIT) +/* Heimdal */ krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters) { krb5_krbhst_handle hnd; @@ -431,8 +449,20 @@ *addr_pp = sa; return 0; } -#endif +#else /* ! defined(KRB5_KRBHST_INIT) */ + + krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, + struct sockaddr **addr_pp, int *naddrs, int get_masters) +{ + DEBUG(0, ("unable to explicitly locate the KDC on this platform\n")); + return KRB5_KDC_UNREACH; +} + +#endif /* KRB5_KRBHST_INIT */ + +#endif /* HAVE_KRB5_LOCATE_KDC */ + #if !defined(HAVE_KRB5_FREE_UNPARSED_NAME) void krb5_free_unparsed_name(krb5_context context, char *val) { @@ -906,31 +936,16 @@ return ret; } - void smb_krb5_free_ap_req(krb5_context context, - krb5_ap_req *ap_req) -{ -#ifdef HAVE_KRB5_FREE_AP_REQ /* MIT */ - krb5_free_ap_req(context, ap_req); -#elif defined(HAVE_FREE_AP_REQ) /* Heimdal */ - free_AP_REQ(ap_req); -#else -#error UNKNOWN_KRB5_AP_REQ_FREE_FUNCTION -#endif -} - /* Prototypes */ -#if defined(HAVE_DECODE_KRB5_AP_REQ) /* MIT */ -krb5_error_code decode_krb5_ap_req(const krb5_data *code, krb5_ap_req **rep); -#endif krb5_error_code smb_krb5_get_keyinfo_from_ap_req(krb5_context context, const krb5_data *inbuf, krb5_kvno *kvno, krb5_enctype *enctype) { - krb5_error_code ret; #ifdef HAVE_KRB5_DECODE_AP_REQ /* Heimdal */ { + krb5_error_code ret; krb5_ap_req ap_req; ret = krb5_decode_ap_req(context, inbuf, &ap_req); @@ -941,24 +956,13 @@ *enctype = get_enctype_from_ap_req(&ap_req); smb_krb5_free_ap_req(context, &ap_req); + free_AP_REQ(ap_req); + return 0; } -#elif defined(HAVE_DECODE_KRB5_AP_REQ) /* MIT */ - { - krb5_ap_req *ap_req = NULL; +#endif - ret = decode_krb5_ap_req(inbuf, &ap_req); - if (ret) - return ret; - - *kvno = get_kvno_from_ap_req(ap_req); - *enctype = get_enctype_from_ap_req(ap_req); - - smb_krb5_free_ap_req(context, ap_req); - } -#else -#error UNKNOWN_KRB5_AP_REQ_DECODING_FUNCTION -#endif - return ret; + /* Possibly not an appropriate error code. */ + return KRB5KDC_ERR_BADOPTION; } krb5_error_code krb5_rd_req_return_keyblock_from_keytab(krb5_context context, @@ -986,10 +990,15 @@ return ret; } +#ifdef KRB5_TICKET_HAS_KEYINFO + enctype = (*ticket)->enc_part.enctype; + kvno = (*ticket)->enc_part.kvno; +#else ret = smb_krb5_get_keyinfo_from_ap_req(context, inbuf, &kvno, &enctype); if (ret) { return ret; } +#endif ret = get_key_from_keytab(context, server,
