The branch, v4-0-test has been updated
via c01fee80a79cd9e0f7bb295333bb03bd37328d05 (commit)
via 699e3cdb52acdf2524347d8c053730306c579dd9 (commit)
via c2cc8ef943e8c2e02edb1eb20214de245cc6914c (commit)
via afd07073b9caa4b5f7d2ad747e79afaec4203506 (commit)
from 816bb64a56a75d1eb5e879b4abf211af27243686 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test
- Log -----------------------------------------------------------------
commit c01fee80a79cd9e0f7bb295333bb03bd37328d05
Author: Stefan Metzmacher <[EMAIL PROTECTED]>
Date: Fri Aug 1 16:10:06 2008 +0200
auth/ntlmssp: don't crash when the backend give no challenge
metze
commit 699e3cdb52acdf2524347d8c053730306c579dd9
Author: Stefan Metzmacher <[EMAIL PROTECTED]>
Date: Fri Aug 1 15:53:01 2008 +0200
auth_server: fix the logic of server_get_challenge()
metze
commit c2cc8ef943e8c2e02edb1eb20214de245cc6914c
Author: Stefan Metzmacher <[EMAIL PROTECTED]>
Date: Fri Aug 1 15:19:27 2008 +0200
auth_server: fix segfault reported by Julien Kerihuel <[EMAIL PROTECTED]>
metze
commit afd07073b9caa4b5f7d2ad747e79afaec4203506
Author: Stefan Metzmacher <[EMAIL PROTECTED]>
Date: Fri Aug 1 09:20:46 2008 +0200
Revert "Start implementind domain trusts in our KDC."
This reverts commit 736ce50afd9da9b5fbc3db777fd5341dfa4b721a.
This breaks the build...
metze
-----------------------------------------------------------------------
Summary of changes:
source/auth/ntlm/auth_server.c | 10 ++++----
source/auth/ntlmssp/ntlmssp_server.c | 6 +++++
source/kdc/hdb-ldb.c | 40 ++++++----------------------------
3 files changed, 18 insertions(+), 38 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source/auth/ntlm/auth_server.c b/source/auth/ntlm/auth_server.c
index f154cf0..42606c1 100644
--- a/source/auth/ntlm/auth_server.c
+++ b/source/auth/ntlm/auth_server.c
@@ -70,7 +70,7 @@ static NTSTATUS server_get_challenge(struct
auth_method_context *ctx, TALLOC_CTX
io.in.called_name = strupper_talloc(mem_ctx, io.in.dest_host);
/* We don't want to get as far as the session setup */
- io.in.credentials = NULL;
+ io.in.credentials = cli_credentials_init_anon(mem_ctx);
io.in.service = NULL;
io.in.workgroup = ""; /* only used with SPNEGO, disabled above */
@@ -79,10 +79,10 @@ static NTSTATUS server_get_challenge(struct
auth_method_context *ctx, TALLOC_CTX
status = smb_composite_connect(&io, mem_ctx,
lp_resolve_context(ctx->auth_ctx->lp_ctx),
ctx->auth_ctx->event_ctx);
- if (!NT_STATUS_IS_OK(status)) {
- *_blob = io.out.tree->session->transport->negotiate.secblob;
- ctx->private_data = talloc_steal(ctx, io.out.tree->session);
- }
+ NT_STATUS_NOT_OK_RETURN(status);
+
+ *_blob = io.out.tree->session->transport->negotiate.secblob;
+ ctx->private_data = talloc_steal(ctx, io.out.tree->session);
return NT_STATUS_OK;
}
diff --git a/source/auth/ntlmssp/ntlmssp_server.c
b/source/auth/ntlmssp/ntlmssp_server.c
index dfc5940..838596e 100644
--- a/source/auth/ntlmssp/ntlmssp_server.c
+++ b/source/auth/ntlmssp/ntlmssp_server.c
@@ -157,6 +157,10 @@ NTSTATUS ntlmssp_server_negotiate(struct gensec_security
*gensec_security,
/* Ask our caller what challenge they would like in the packet */
cryptkey = gensec_ntlmssp_state->get_challenge(gensec_ntlmssp_state);
+ if (!cryptkey) {
+ DEBUG(1, ("ntlmssp_server_negotiate: backend doesn't give a
challenge\n"));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
/* Check if we may set the challenge */
if (!gensec_ntlmssp_state->may_set_challenge(gensec_ntlmssp_state)) {
@@ -614,6 +618,8 @@ static const uint8_t *auth_ntlmssp_get_challenge(const
struct gensec_ntlmssp_sta
status = auth_get_challenge(gensec_ntlmssp_state->auth_context, &chal);
if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("auth_ntlmssp_get_challenge: failed to get challenge:
%s\n",
+ nt_errstr(status)));
return NULL;
}
diff --git a/source/kdc/hdb-ldb.c b/source/kdc/hdb-ldb.c
index a997eb0..8f8ce30 100644
--- a/source/kdc/hdb-ldb.c
+++ b/source/kdc/hdb-ldb.c
@@ -853,8 +853,7 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context
context, HDB *db,
{
krb5_error_code ret;
struct ldb_message **msg = NULL;
- struct ldb_message **realm_ref_msg_1 = NULL;
- struct ldb_message **realm_ref_msg_2 = NULL;
+ struct ldb_message **realm_ref_msg = NULL;
struct ldb_dn *realm_dn;
krb5_principal alloc_principal = NULL;
@@ -865,18 +864,14 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context
context, HDB *db,
}
/* krbtgt case. Either us or a trusted realm */
-
if ((LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db,
- mem_ctx, principal->realm, &realm_ref_msg_1) == 0)
- && (LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db,
- mem_ctx, principal->name.name_string.val[1],
&realm_ref_msg_2) == 0)
- && (ldb_dn_cmp(realm_ref_msg_1[0]->dn, realm_ref_msg_1[0]->dn) ==
0)) {
+ mem_ctx, principal->name.name_string.val[1],
&realm_ref_msg) == 0)) {
/* us */
/* Cludge, cludge cludge. If the realm part of krbtgt/realm,
* is in our db, then direct the caller at our primary
- * krbtgt */
+ * krgtgt */
- const char *dnsdomain =
ldb_msg_find_attr_as_string(realm_ref_msg_1[0], "dnsRoot", NULL);
+ const char *dnsdomain =
ldb_msg_find_attr_as_string(realm_ref_msg[0], "dnsRoot", NULL);
char *realm_fixed = strupper_talloc(mem_ctx, dnsdomain);
if (!realm_fixed) {
krb5_set_error_string(context, "strupper_talloc: out of
memory");
@@ -896,26 +891,8 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context
context, HDB *db,
return ENOMEM;
}
principal = alloc_principal;
- realm_dn = samdb_result_dn((struct ldb_context *)db->hdb_db,
mem_ctx, realm_ref_msg_1[0], "nCName", NULL);
+ realm_dn = samdb_result_dn((struct ldb_context *)db->hdb_db,
mem_ctx, realm_ref_msg[0], "nCName", NULL);
} else {
- enum direction {
- INBOUND,
- OUTBOUND
- }
-
- struct loadparm_context *lp_ctx =
talloc_get_type(ldb_get_opaque(ldb, "loadparm"), struct loadparm_context *);
- /* Either an inbound or outbound trust */
-
- if (strcasecmp(lp_realm(lp_ctx), principal->realm) == 0) {
- /* look for inbound trust */
- }
-
- if (strcasecmp(lp_realm(lp_ctx),
principal->name.name_string.val[1]) == 0) {
- /* look for outbound trust */
- }
-
- /* Trusted domains are under CN=system */
-
/* we should lookup trusted domains */
return HDB_ERR_NOENTRY;
}
@@ -1045,13 +1022,10 @@ static krb5_error_code LDB_fetch(krb5_context context,
HDB *db,
if (ret != HDB_ERR_NOENTRY) goto done;
}
if (flags & HDB_F_GET_SERVER) {
- /* krbtgt fits into this situation for trusted realms, and for
resolving different versions of our own realm name */
- ret = LDB_fetch_krbtgt(context, db, mem_ctx, principal, flags,
entry_ex);
- if (ret != HDB_ERR_NOENTRY) goto done;
-
- /* We return 'no entry' if it does not start with krbtgt/, so
move to the common case quickly */
ret = LDB_fetch_server(context, db, mem_ctx, principal, flags,
entry_ex);
if (ret != HDB_ERR_NOENTRY) goto done;
+ ret = LDB_fetch_krbtgt(context, db, mem_ctx, principal, flags,
entry_ex);
+ if (ret != HDB_ERR_NOENTRY) goto done;
}
if (flags & HDB_F_GET_KRBTGT) {
ret = LDB_fetch_krbtgt(context, db, mem_ctx, principal, flags,
entry_ex);
--
Samba Shared Repository
