The branch, master has been updated
       via  87698dc s4-kerberos Don't regenerate key values for each alias in 
keytab
       via  7b9a664 s4-kdc Rework 'allowed encryption types' handling in the KDC
       via  a82e3ab s4-auth Add make_server_info_pac() to include 'resource 
domain' groups
       via  6488d5b s4-auth Allocate domain SIDs under the sids array, not 
server_info
       via  a68f447 heimdal use returned server entry from HDB to compare realms
      from  d17a6f0 s3-spoolss: Strip off ", DrvConvert" and ",LocalOnly" in 
OpenPrinterEx as seen from Win7 clients.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 87698dc2a1adb52c381b35f5cc80437f91e75798
Author: Andrew Bartlett <abart...@samba.org>
Date:   Sat Oct 2 07:12:48 2010 +1000

    s4-kerberos Don't regenerate key values for each alias in keytab
    
    Instead, store the same key value under the multiple alias names.
    
    Andrew Bartlett
    
    Autobuild-User: Andrew Bartlett <abart...@samba.org>
    Autobuild-Date: Sat Oct  2 00:16:52 UTC 2010 on sn-devel-104

commit 7b9a6645b11dff64e04c2ddb0cabc9145c0f029f
Author: Andrew Bartlett <abart...@samba.org>
Date:   Sat Oct 2 05:25:26 2010 +1000

    s4-kdc Rework 'allowed encryption types' handling in the KDC
    
    All DCs and all krbtgt servers are forced to use AES, regardless
    of the msDS-SecondaryKrbTgtNumber value.
    
    Andrew Bartlett

commit a82e3abc707ecaf68ee26828f11987d621ec1bb5
Author: Andrew Bartlett <abart...@samba.org>
Date:   Sat Oct 2 05:09:42 2010 +1000

    s4-auth Add make_server_info_pac() to include 'resource domain' groups
    
    Previously, our PAC code didn't include these groups into the
    server_info from which we would eventually calculate the full
    list of tokenGroups.
    
    Andrew Bartlett

commit 6488d5bc0b585d91b185ae37315293123c4b1001
Author: Andrew Bartlett <abart...@samba.org>
Date:   Sat Oct 2 04:52:50 2010 +1000

    s4-auth Allocate domain SIDs under the sids array, not server_info
    
    Andrew Bartlett

commit a68f4476f780df4a87a99371b49c5e38b0fcb4d7
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Oct 1 13:58:36 2010 +1000

    heimdal use returned server entry from HDB to compare realms
    
    Some hdb modules (samba4) may change the case of the realm in
    a returned result.  Use that to determine if it matches the krbtgt
    realm also returned from the DB (the DB will return it in the 'right' case)
    
    Andrew Bartlett

-----------------------------------------------------------------------

Summary of changes:
 source4/auth/auth_sam_reply.c         |   39 ++++++++++++++++-
 source4/auth/kerberos/kerberos_pac.c  |    8 +--
 source4/auth/kerberos/kerberos_util.c |   78 +++++++++++++++------------------
 source4/heimdal/kdc/krb5tgs.c         |    2 +-
 source4/kdc/db-glue.c                 |   72 ++++++++++++++++++------------
 5 files changed, 121 insertions(+), 78 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/auth/auth_sam_reply.c b/source4/auth/auth_sam_reply.c
index d7792e5..0c03e78 100644
--- a/source4/auth/auth_sam_reply.c
+++ b/source4/auth/auth_sam_reply.c
@@ -208,7 +208,7 @@ NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX 
*mem_ctx,
        }
 
        for (i = 0; i < base->groups.count; i++) {
-               server_info->domain_groups[i] = dom_sid_add_rid(server_info, 
base->domain_sid, base->groups.rids[i].rid);
+               server_info->domain_groups[i] = 
dom_sid_add_rid(server_info->domain_groups, base->domain_sid, 
base->groups.rids[i].rid);
                NT_STATUS_HAVE_NO_MEMORY(server_info->domain_groups[i]);
        }
 
@@ -287,3 +287,40 @@ NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX 
*mem_ctx,
        return NT_STATUS_OK;
 }
 
+/**
+ * Make a server_info struct from the PAC_LOGON_INFO supplied in the krb5 logon
+ */
+NTSTATUS make_server_info_pac(TALLOC_CTX *mem_ctx,
+                             struct PAC_LOGON_INFO *pac_logon_info,
+                             struct auth_serversupplied_info **_server_info)
+{
+       uint32_t i;
+       NTSTATUS nt_status;
+       union netr_Validation validation;
+       struct auth_serversupplied_info *server_info;
+
+       validation.sam3 = &pac_logon_info->info3;
+
+       nt_status = make_server_info_netlogon_validation(mem_ctx, "", 3, 
&validation, &server_info);
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               return nt_status;
+       }
+
+       if (pac_logon_info->res_groups.count > 0) {
+               struct dom_sid **rgrps;
+               size_t sidcount = server_info->n_domain_groups + 
pac_logon_info->res_groups.count;
+               server_info->domain_groups = rgrps
+                       = talloc_realloc(server_info, 
server_info->domain_groups, struct dom_sid *, sidcount);
+               NT_STATUS_HAVE_NO_MEMORY(rgrps);
+
+               for (i = 0; pac_logon_info->res_group_dom_sid && i < 
pac_logon_info->res_groups.count; i++) {
+                       size_t sid_idx = server_info->n_domain_groups + i;
+                       rgrps[sid_idx]
+                               = dom_sid_add_rid(rgrps, 
pac_logon_info->res_group_dom_sid,
+                                                 
pac_logon_info->res_groups.rids[i].rid);
+                       
NT_STATUS_HAVE_NO_MEMORY(rgrps[server_info->n_domain_groups + sid_idx]);
+               }
+       }
+       *_server_info = server_info;
+       return NT_STATUS_OK;
+}
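Review bot: The out-of-memory check at the bottom of the loop indexes `rgrps[server_info->n_domain_groups + sid_idx]`, but `sid_idx` already includes `n_domain_groups`, so the check reads past the `sidcount` elements just allocated instead of testing the SID that was stored; it should be `NT_STATUS_HAVE_NO_MEMORY(rgrps[sid_idx]);`. The function also never updates `server_info->n_domain_groups` after appending the resource-domain SIDs, so anything that walks the array by that count (as the first hunk of this file does for the domain groups) still sees only the original groups and the PAC's resource-domain groups drop out of the token, which is the opposite of what the commit sets out to do. Because the array is grown before `res_group_dom_sid` is tested, the added slots are also left uninitialised when the loop does not run; moving that test into the outer `if` keeps the count and the contents consistent.
```c
	if (pac_logon_info->res_group_dom_sid && pac_logon_info->res_groups.count > 0) {
		/* … unchanged: rgrps/sidcount declarations, talloc_realloc of domain_groups, NO_MEMORY check … */

		for (i = 0; i < pac_logon_info->res_groups.count; i++) {
			size_t sid_idx = server_info->n_domain_groups + i;
			rgrps[sid_idx] = dom_sid_add_rid(rgrps, pac_logon_info->res_group_dom_sid,
							 pac_logon_info->res_groups.rids[i].rid);
			NT_STATUS_HAVE_NO_MEMORY(rgrps[sid_idx]);
		}
		/* make the appended resource-domain SIDs visible to everything that walks the array by count */
		server_info->n_domain_groups = sidcount;
	}
```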
diff --git a/source4/auth/kerberos/kerberos_pac.c 
b/source4/auth/kerberos/kerberos_pac.c
index aca807e..40f0cf7 100644
--- a/source4/auth/kerberos/kerberos_pac.c
+++ b/source4/auth/kerberos/kerberos_pac.c
@@ -684,11 +684,9 @@ krb5_error_code kerberos_pac_to_server_info(TALLOC_CTX 
*mem_ctx,
        }
 
        /* Pull this right into the normal auth sysstem structures */
-       validation.sam3 = &info.logon_info.info->info3;
-       nt_status = make_server_info_netlogon_validation(mem_ctx,
-                                                        "",
-                                                        3, &validation,
-                                                        &server_info_out);
+       nt_status = make_server_info_pac(mem_ctx,
+                                        info.logon_info.info,
+                                        &server_info_out);
        if (!NT_STATUS_IS_OK(nt_status)) {
                talloc_free(tmp_ctx);
                return EINVAL;
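Review bot: With the `validation.sam3` assignment removed, the `validation` local in kerberos_pac_to_server_info appears to have no remaining use in this function; its declaration is outside the hunk, so if nothing else assigns or reads it, drop the declaration to keep the build clean under -Wunused-variable. The function continues outside the hunk.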
diff --git a/source4/auth/kerberos/kerberos_util.c 
b/source4/auth/kerberos/kerberos_util.c
index f83fd78..27cbeb0 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -507,8 +507,7 @@ krb5_error_code smb_krb5_open_keytab(TALLOC_CTX *mem_ctx,
 }
 
 static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx,
-                                      const char *princ_string,
-                                      krb5_principal princ,
+                                      struct principal_container **principals,
                                       krb5_principal salt_princ,
                                       int kvno,
                                       const char *password_s,
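Review bot: keytab_add_keys now takes `struct principal_container **principals` and (in the @@ -536 hunk of this file) walks it with `for (p=0; principals[p]; p++)`, so the contract that the array is NULL-terminated and that every alias is written with the same key material is implicit; state it on the signature with a comment such as `/* principals: NULL-terminated list of aliases; each enctype key is derived once from salt_princ and stored under every alias */`. The signature continues in the next hunk and the body starts outside this one.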
@@ -517,13 +516,9 @@ static krb5_error_code keytab_add_keys(TALLOC_CTX 
*parent_ctx,
                                       krb5_keytab keytab,
                                       const char **error_string)
 {
-       int i;
+       unsigned int i, p;
        krb5_error_code ret;
        krb5_data password;
-       TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
-       if (!mem_ctx) {
-               return ENOMEM;
-       }
 
        password.data = discard_const_p(char *, password_s);
        password.length = strlen(password_s);
@@ -536,32 +531,33 @@ static krb5_error_code keytab_add_keys(TALLOC_CTX 
*parent_ctx,
                ret = 
create_kerberos_key_from_string(smb_krb5_context->krb5_context, 
                                                      salt_princ, &password, 
&entry.keyblock, enctypes[i]);
                if (ret != 0) {
-                       talloc_free(mem_ctx);
                        return ret;
                }
 
-                entry.principal = princ;
-                entry.vno       = kvno;
-               ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, keytab, 
&entry);
-               if (ret != 0) {
-                       *error_string = talloc_asprintf(parent_ctx, "Failed to 
add enctype %d entry for %s(kvno %d) to keytab: %s\n",
-                                                       (int)enctypes[i],
-                                                       princ_string,
-                                                       kvno,
-                                                       
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
-                                                                               
   ret, mem_ctx));
-                       talloc_free(mem_ctx);
-                       
krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
-                       return ret;
-               }
+                entry.vno = kvno;
+
+               for (p=0; principals[p]; p++) {
+                       entry.principal = principals[p]->principal;
+                       ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, 
keytab, &entry);
+                       if (ret != 0) {
+                               char *k5_error_string = 
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
+                                                                               
   ret, NULL);
+                               *error_string = talloc_asprintf(parent_ctx, 
"Failed to add enctype %d entry for %s(kvno %d) to keytab: %s\n",
+                                                               
(int)enctypes[i],
+                                                               
principals[p]->string_form,
+                                                               kvno,
+                                                               
k5_error_string);
+                               talloc_free(k5_error_string);
+                               
krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
+                               return ret;
+                       }
 
-               DEBUG(5, ("Added %s(kvno %d) to keytab (enctype %d)\n", 
-                         princ_string, kvno,
-                         (int)enctypes[i]));
-               
+                       DEBUG(5, ("Added %s(kvno %d) to keytab (enctype %d)\n", 
+                                 principals[p]->string_form, kvno,
+                                 (int)enctypes[i]));
+               }
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
&entry.keyblock);
        }
-       talloc_free(mem_ctx);
        return 0;
 }
 
@@ -573,7 +569,6 @@ static krb5_error_code create_keytab(TALLOC_CTX *parent_ctx,
                                     bool add_old,
                                     const char **error_string)
 {
-       unsigned int i;
        krb5_error_code ret;
        const char *password_s;
        const char *old_secret;
@@ -624,27 +619,24 @@ static krb5_error_code create_keytab(TALLOC_CTX 
*parent_ctx,
                return ret;
        }
 
-       /* Walk over the principals */
-       for (i=0; principals[i]; i++) {
-               ret = keytab_add_keys(mem_ctx, principals[i]->string_form, 
principals[i]->principal,
+       ret = keytab_add_keys(mem_ctx, principals,
+                             salt_princ,
+                             kvno, password_s, smb_krb5_context,
+                             enctypes, keytab, error_string);
+       if (ret) {
+               talloc_free(mem_ctx);
+               return ret;
+       }
+       
+       if (old_secret) {
+               ret = keytab_add_keys(mem_ctx, principals,
                                      salt_princ,
-                                     kvno, password_s, smb_krb5_context,
+                                     kvno - 1, old_secret, smb_krb5_context,
                                      enctypes, keytab, error_string);
                if (ret) {
                        talloc_free(mem_ctx);
                        return ret;
                }
-
-               if (old_secret) {
-                       ret = keytab_add_keys(mem_ctx, 
principals[i]->string_form, principals[i]->principal,
-                                             salt_princ,
-                                             kvno - 1, old_secret, 
smb_krb5_context,
-                                             enctypes, keytab, error_string);
-                       if (ret) {
-                               talloc_free(mem_ctx);
-                               return ret;
-                       }
-               }
        }
 
        talloc_free(mem_ctx);
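Review bot: The blank line added after the first `keytab_add_keys` error check carries trailing whitespace (the `+       ` line), which `git diff --check` flags; make it an empty line. The rest of the hunk is a straight unrolling of the old per-principal loop and reads correctly as such.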
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 3560a0d..06a535d 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -1689,7 +1689,7 @@ server_lookup:
      * backward.
      */
 
-    if (strcmp(krb5_principal_get_realm(context, sp),
+    if (strcmp(krb5_principal_get_realm(context, server->entry.principal),
               krb5_principal_get_comp_string(context,
                                              krbtgt->entry.principal,
                                              1)) != 0) {
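Review bot: The realm comparison now reads the realm from `server->entry.principal` rather than the requested `sp`, a deliberate choice that deserves a comment at the `strcmp` so the next reader does not revert it to the request principal; something like `/* compare against the HDB-returned principal, not the request: backends may canonicalise realm case */`. `strcmp` is case-sensitive, so this only holds as long as the backend returns both the server and krbtgt entries in the same case, as the commit message states. The enclosing code starts and continues outside the hunk.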
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 2f416c9..581328d 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -214,21 +214,38 @@ static krb5_error_code 
samba_kdc_message2entry_keys(krb5_context context,
        uint16_t i;
        uint16_t allocated_keys = 0;
        int rodc_krbtgt_number = 0;
+       uint32_t supported_enctypes;
 
-       /* Supported Enc for this entry */
-       uint32_t supported_enctypes = ENC_ALL_TYPES; /* by default, we support 
all enc types */
-
-       /* However, if this is a TGS-REQ, then lock it down to a
-        * reasonable guess as to what the server can decode.  The
-        * krbtgt is special - default to use what is stored for the KDC */
-       if (rid != DOMAIN_RID_KRBTGT && ent_type == SAMBA_KDC_ENT_TYPE_SERVER) {
-               /* This is the standard set for a server that has not declared 
a msDS-SupportedEncryptionTypes */
-               supported_enctypes = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
+       if (rid == DOMAIN_RID_KRBTGT || is_rodc) {
+               /* KDCs (and KDCs on RODCs) use AES, but not DES */
+               supported_enctypes = ENC_ALL_TYPES;
+               supported_enctypes &= ~(ENC_CRC32|ENC_RSA_MD5);
+       } else if (userAccountControl & 
(UF_PARTIAL_SECRETS_ACCOUNT|UF_SERVER_TRUST_ACCOUNT)) {
+               /* DCs and RODCs comptuer accounts use AES */
+               supported_enctypes = ENC_ALL_TYPES;
+       } else if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT ||
+                  (ent_type == SAMBA_KDC_ENT_TYPE_ANY)) {
+               /* for AS-REQ the client chooses the enc types it
+                * supports, and this will vary between computers a
+                * user logs in from.  However, some accounts may be
+                * banned from using DES, so allow the default to be
+                * overridden
+                *
+                * likewise for 'any' return as much as is supported,
+                * to export into a keytab */
+               supported_enctypes = ldb_msg_find_attr_as_uint(msg, 
"msDS-SupportedEncryptionTypes",
+                                                              ENC_ALL_TYPES);
+       } else {
+               /* However, if this is a TGS-REQ, then lock it down to
+                * a reasonable guess as to what the server can decode
+                * - we must use whatever is in
+                * "msDS-SupportedEncryptionTypes", or the 'old' set
+                * of keys (ie, what Windows 2000 supported) */
+               supported_enctypes = ldb_msg_find_attr_as_uint(msg, 
"msDS-SupportedEncryptionTypes",
+                                                              ENC_CRC32 | 
ENC_RSA_MD5 | ENC_RC4_HMAC_MD5);
        }
-       supported_enctypes = ldb_msg_find_attr_as_uint(msg, 
"msDS-SupportedEncryptionTypes",
-                                                       supported_enctypes);
-       /* Is this the krbtgt or a RODC */
 
+       /* Is this the krbtgt or a RODC krbtgt */
        if (is_rodc) {
                rodc_krbtgt_number = ldb_msg_find_attr_as_int(msg, 
"msDS-SecondaryKrbTgtNumber", -1);
 
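Review bot: In the `UF_PARTIAL_SECRETS_ACCOUNT|UF_SERVER_TRUST_ACCOUNT` branch the comment says these accounts "use AES", but the value assigned is `ENC_ALL_TYPES`, which, as the krbtgt branch just above shows, still contains `ENC_CRC32|ENC_RSA_MD5`; the later switch in the second hunk strips DES only for krbtgt and trust entries, so a DC's computer-account keys keep the DES types. Either mask them as the krbtgt branch does, `supported_enctypes = ENC_ALL_TYPES & ~(ENC_CRC32|ENC_RSA_MD5);`, or reword the comment to say all types. The same branch also stops consulting `msDS-SupportedEncryptionTypes` for these accounts, which appears intended but is worth stating in the comment, and "comptuer" is a typo.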
@@ -237,26 +254,25 @@ static krb5_error_code 
samba_kdc_message2entry_keys(krb5_context context,
                }
        }
 
-       if (rid == DOMAIN_RID_KRBTGT || is_rodc) {
-               /* Be double-sure never to use DES here */
-               supported_enctypes &= ~(ENC_CRC32|ENC_RSA_MD5);
-       }
-
-       switch (ent_type) {
-       case SAMBA_KDC_ENT_TYPE_KRBTGT:
-       case SAMBA_KDC_ENT_TYPE_TRUST:
-               /* Disallow krbtgt and trust tickets to be DES encrypted, it's 
just too dangerous */
-               supported_enctypes &= ~(ENC_CRC32|ENC_RSA_MD5);
-               break;
-       default:
-               break;
-               /* No further restrictions */
-       }
 
        /* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the 
newer enc types */
        if (userAccountControl & UF_USE_DES_KEY_ONLY) {
-               /* However, don't allow use of DES, if we were told not to by 
msDS-SupportedEncTypes */
+               /* However, this still won't allow use of DES, if we
+                * were told not to by msDS-SupportedEncTypes */
                supported_enctypes &= ENC_CRC32|ENC_RSA_MD5;
+       } else {
+               switch (ent_type) {
+               case SAMBA_KDC_ENT_TYPE_KRBTGT:
+               case SAMBA_KDC_ENT_TYPE_TRUST:
+                       /* Unless a very special effort it made,
+                        * disallow trust tickets to be DES encrypted,
+                        * it's just too dangerous */
+                       supported_enctypes &= ~(ENC_CRC32|ENC_RSA_MD5);
+                       break;
+               default:
+                       break;
+                       /* No further restrictions */
+               }
        }
 
        entry_ex->entry.keys.val = NULL;
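Review bot: The new `else` means a trust account with `UF_USE_DES_KEY_ONLY` set now keeps DES as its only enctype, where the old unconditional switch would have stripped it; the comment presents this as deliberate, so a DEBUG line when that path is taken for a krbtgt or trust entry would make such a downgrade visible in the KDC log. Also fix the typo `effort it made` to `effort is made`. If `supported_enctypes` ends up 0 here (a krbtgt entry already had DES removed in the first hunk), the entry presumably gets no keys at all; a comment saying whether that is the intended outcome would help. The function continues outside the hunk.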


-- 
Samba Shared Repository
