The branch, master has been updated via 87698dc s4-kerberos Don't regenerate key values for each alias in keytab via 7b9a664 s4-kdc Rework 'allowed encryption types' handling in the KDC via a82e3ab s4-auth Add make_server_info_pac() to include 'resource domain' groups via 6488d5b s4-auth Allocate domain SIDs under the sids array, not server_info via a68f447 heimdal use returned server entry from HDB to compare realms from d17a6f0 s3-spoolss: Strip off ", DrvConvert" and ",LocalOnly" in OpenPrinterEx as seen from Win7 clients.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 87698dc2a1adb52c381b35f5cc80437f91e75798 Author: Andrew Bartlett <abart...@samba.org> Date: Sat Oct 2 07:12:48 2010 +1000 s4-kerberos Don't regenerate key values for each alias in keytab Instead, store the same key value under the multiple alias names. Andrew Bartlett Autobuild-User: Andrew Bartlett <abart...@samba.org> Autobuild-Date: Sat Oct 2 00:16:52 UTC 2010 on sn-devel-104 commit 7b9a6645b11dff64e04c2ddb0cabc9145c0f029f Author: Andrew Bartlett <abart...@samba.org> Date: Sat Oct 2 05:25:26 2010 +1000 s4-kdc Rework 'allowed encryption types' handling in the KDC All DCs and all krbtgt servers are forced to use AES, regardless of the msDS-SecondaryKrbTgtNumber value. Andrew Bartlett commit a82e3abc707ecaf68ee26828f11987d621ec1bb5 Author: Andrew Bartlett <abart...@samba.org> Date: Sat Oct 2 05:09:42 2010 +1000 s4-auth Add make_server_info_pac() to include 'resource domain' groups Previously, our PAC code didn't include these groups into the server_info from which we would eventually calculate the full list of tokenGroups. Andrew Bartlett commit 6488d5bc0b585d91b185ae37315293123c4b1001 Author: Andrew Bartlett <abart...@samba.org> Date: Sat Oct 2 04:52:50 2010 +1000 s4-auth Allocate domain SIDs under the sids array, not server_info Andrew Bartlett commit a68f4476f780df4a87a99371b49c5e38b0fcb4d7 Author: Andrew Bartlett <abart...@samba.org> Date: Fri Oct 1 13:58:36 2010 +1000 heimdal use returned server entry from HDB to compare realms Some hdb modules (samba4) may change the case of the realm in a returned result. 
Use that to determine if it matches the krbtgt realm also returned from the DB (the DB will return it in the 'right' case) Andrew Bartlett
-----------------------------------------------------------------------
Summary of changes:
source4/auth/auth_sam_reply.c | 39 ++++++++++++++++-
source4/auth/kerberos/kerberos_pac.c | 8 +--
source4/auth/kerberos/kerberos_util.c | 78 +++++++++++++++------------------
source4/heimdal/kdc/krb5tgs.c | 2 +-
source4/kdc/db-glue.c | 72 ++++++++++++++++++------------
5 files changed, 121 insertions(+), 78 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/auth/auth_sam_reply.c b/source4/auth/auth_sam_reply.c
index d7792e5..0c03e78 100644
--- a/source4/auth/auth_sam_reply.c
+++ b/source4/auth/auth_sam_reply.c
@@ -208,7 +208,7 @@ NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx,
 }
 for (i = 0; i < base->groups.count; i++) {
- server_info->domain_groups[i] = dom_sid_add_rid(server_info, base->domain_sid, base->groups.rids[i].rid);
+ server_info->domain_groups[i] = dom_sid_add_rid(server_info->domain_groups, base->domain_sid, base->groups.rids[i].rid);
 NT_STATUS_HAVE_NO_MEMORY(server_info->domain_groups[i]);
 }
@@ -287,3 +287,40 @@ NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx,
 return NT_STATUS_OK;
 }
+/**
+ * Make a server_info struct from the PAC_LOGON_INFO supplied in the krb5 logon
+ */
+NTSTATUS make_server_info_pac(TALLOC_CTX *mem_ctx,
+ struct PAC_LOGON_INFO *pac_logon_info,
+ struct auth_serversupplied_info **_server_info)
+{
+ uint32_t i;
+ NTSTATUS nt_status;
+ union netr_Validation validation;
+ struct auth_serversupplied_info *server_info;
+
+ validation.sam3 = &pac_logon_info->info3;
+
+ nt_status = make_server_info_netlogon_validation(mem_ctx, "", 3, &validation, &server_info);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ if (pac_logon_info->res_groups.count > 0) {
+ struct dom_sid **rgrps;
+ size_t sidcount = server_info->n_domain_groups + pac_logon_info->res_groups.count;
+ server_info->domain_groups = rgrps
+ = talloc_realloc(server_info, server_info->domain_groups, struct dom_sid *, sidcount);
+ NT_STATUS_HAVE_NO_MEMORY(rgrps);
+
+ for (i = 0; pac_logon_info->res_group_dom_sid && i < pac_logon_info->res_groups.count; i++) {
+ size_t sid_idx = server_info->n_domain_groups + i;
+ rgrps[sid_idx]
+ = dom_sid_add_rid(rgrps, pac_logon_info->res_group_dom_sid,
+ pac_logon_info->res_groups.rids[i].rid);
+ NT_STATUS_HAVE_NO_MEMORY(rgrps[server_info->n_domain_groups + sid_idx]);
+ }
+ }
+ *_server_info = server_info;
+ return NT_STATUS_OK;
+}
diff --git a/source4/auth/kerberos/kerberos_pac.c b/source4/auth/kerberos/kerberos_pac.c
index aca807e..40f0cf7 100644
--- a/source4/auth/kerberos/kerberos_pac.c
+++ b/source4/auth/kerberos/kerberos_pac.c
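Review bot: The allocation check after `dom_sid_add_rid()` reads the wrong slot: `sid_idx` is already `server_info->n_domain_groups + i`, so `rgrps[server_info->n_domain_groups + sid_idx]` indexes beyond the `sidcount` entries just realloc'd whenever there are existing domain groups (a heap over-read, and the NULL test never looks at the SID it was meant to check); it should be `NT_STATUS_HAVE_NO_MEMORY(rgrps[sid_idx]);`. Separately, `server_info->n_domain_groups` is never raised to `sidcount` in this function, so unless a caller does it the appended resource-group SIDs sit outside the counted range and are invisible to the tokenGroups computation this commit says it is fixing; `server_info->n_domain_groups = sidcount;` after the loop would close that. The loop condition also tolerates a NULL `res_group_dom_sid` while `res_groups.count > 0`, which leaves the realloc'd tail slots uninitialized; a PAC with that shape should be rejected (e.g. with NT_STATUS_INVALID_PARAMETER) before the realloc rather than silently skipped.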
@@ -684,11 +684,9 @@ krb5_error_code kerberos_pac_to_server_info(TALLOC_CTX *mem_ctx,
 }
 /* Pull this right into the normal auth sysstem structures */
- validation.sam3 = &info.logon_info.info->info3;
- nt_status = make_server_info_netlogon_validation(mem_ctx,
- "",
- 3, &validation,
- &server_info_out);
+ nt_status = make_server_info_pac(mem_ctx,
+ info.logon_info.info,
+ &server_info_out);
 if (!NT_STATUS_IS_OK(nt_status)) {
 talloc_free(tmp_ctx);
 return EINVAL;
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index f83fd78..27cbeb0 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -507,8 +507,7 @@ krb5_error_code smb_krb5_open_keytab(TALLOC_CTX *mem_ctx,
 }
 static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx,
- const char *princ_string,
- krb5_principal princ,
+ struct principal_container **principals,
 krb5_principal salt_princ,
 int kvno,
 const char *password_s,
@@ -517,13 +516,9 @@ static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx,
 krb5_keytab keytab,
 const char **error_string)
 {
- int i;
+ unsigned int i, p;
 krb5_error_code ret;
 krb5_data password;
- TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
- if (!mem_ctx) {
- return ENOMEM;
- }
 password.data = discard_const_p(char *, password_s);
 password.length = strlen(password_s);
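Review bot: With the `validation.sam3 = ...` assignment removed, the `validation` local that kerberos_pac_to_server_info presumably still declares above this hunk is now unused and will draw an unused-variable warning; its declaration should go with this change. The function starts outside the hunk, so the declaration itself is not visible here. While touching the surrounding lines, the context comment `/* Pull this right into the normal auth sysstem structures */` could lose its `sysstem` typo.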
@@ -536,32 +531,33 @@ static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx,
 ret = create_kerberos_key_from_string(smb_krb5_context->krb5_context, salt_princ, &password, &entry.keyblock, enctypes[i]);
 if (ret != 0) {
- talloc_free(mem_ctx);
 return ret;
 }
- entry.principal = princ;
- entry.vno = kvno;
- ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, keytab, &entry);
- if (ret != 0) {
- *error_string = talloc_asprintf(parent_ctx, "Failed to add enctype %d entry for %s(kvno %d) to keytab: %s\n",
- (int)enctypes[i],
- princ_string,
- kvno,
- smb_get_krb5_error_message(smb_krb5_context->krb5_context,
- ret, mem_ctx));
- talloc_free(mem_ctx);
- krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
- return ret;
- }
+ entry.vno = kvno;
+
+ for (p=0; principals[p]; p++) {
+ entry.principal = principals[p]->principal;
+ ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, keytab, &entry);
+ if (ret != 0) {
+ char *k5_error_string = smb_get_krb5_error_message(smb_krb5_context->krb5_context,
+ ret, NULL);
+ *error_string = talloc_asprintf(parent_ctx, "Failed to add enctype %d entry for %s(kvno %d) to keytab: %s\n",
+ (int)enctypes[i],
+ principals[p]->string_form,
+ kvno,
+ k5_error_string);
+ talloc_free(k5_error_string);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
+ return ret;
+ }
- DEBUG(5, ("Added %s(kvno %d) to keytab (enctype %d)\n",
- princ_string, kvno,
- (int)enctypes[i]));
-
+ DEBUG(5, ("Added %s(kvno %d) to keytab (enctype %d)\n",
+ principals[p]->string_form, kvno,
+ (int)enctypes[i]));
+ }
 krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
 }
- talloc_free(mem_ctx);
 return 0;
 }
@@ -573,7 +569,6 @@ static krb5_error_code create_keytab(TALLOC_CTX *parent_ctx,
 bool add_old,
 const char **error_string)
 {
- unsigned int i;
 krb5_error_code ret;
 const char *password_s;
 const char *old_secret;
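Review bot: keytab_add_keys now has a non-obvious contract that nothing documents: the single `entry.keyblock` derived from `salt_princ` is written under every principal in `principals`, that array must be NULL-terminated (the `for (p=0; principals[p]; p++)` loop relies on it), and when `krb5_kt_add_entry` fails the keytab already holds the entries added for earlier principals and earlier enctypes. A header comment on the definition, whose signature is in the preceding hunk, along the lines of `/* Add one key per enctype, derived from password_s and salt_princ, under each of the NULL-terminated principals. On error the keytab may be partially populated and *error_string is allocated on parent_ctx. */` would spare the next reader from re-deriving that. One small robustness point: `smb_get_krb5_error_message()` is now called with a NULL talloc context and its result is passed straight to `%s`; if it can return NULL on allocation failure, the format call should fall back to a fixed string.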
@@ -624,27 +619,24 @@ static krb5_error_code create_keytab(TALLOC_CTX *parent_ctx,
 return ret;
 }
- /* Walk over the principals */
- for (i=0; principals[i]; i++) {
- ret = keytab_add_keys(mem_ctx, principals[i]->string_form, principals[i]->principal,
+ ret = keytab_add_keys(mem_ctx, principals,
+ salt_princ,
+ kvno, password_s, smb_krb5_context,
+ enctypes, keytab, error_string);
+ if (ret) {
+ talloc_free(mem_ctx);
+ return ret;
+ }
+
+ if (old_secret) {
+ ret = keytab_add_keys(mem_ctx, principals,
 salt_princ,
- kvno, password_s, smb_krb5_context,
+ kvno - 1, old_secret, smb_krb5_context,
 enctypes, keytab, error_string);
 if (ret) {
 talloc_free(mem_ctx);
 return ret;
 }
-
- if (old_secret) {
- ret = keytab_add_keys(mem_ctx, principals[i]->string_form, principals[i]->principal,
- salt_princ,
- kvno - 1, old_secret, smb_krb5_context,
- enctypes, keytab, error_string);
- if (ret) {
- talloc_free(mem_ctx);
- return ret;
- }
- }
 }
 talloc_free(mem_ctx);
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 3560a0d..06a535d 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -1689,7 +1689,7 @@ server_lookup:
 * backward.
 */
- if (strcmp(krb5_principal_get_realm(context, sp),
+ if (strcmp(krb5_principal_get_realm(context, server->entry.principal),
 krb5_principal_get_comp_string(context, krbtgt->entry.principal, 1)) != 0) {
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 2f416c9..581328d 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
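Review bot: This is a Samba-local change to imported Heimdal code under source4/heimdal, and nothing in the hunk marks it as such, so a future resync with upstream is likely to drop it and quietly reinstate the `sp` comparison. A comment above the `if`, e.g. `/* Samba: compare the realm the HDB returned for the server, since the backend may have normalised its case */`, records why `server->entry.principal` is used instead of `sp`. The enclosing function continues outside the hunk, so whether `server` is guaranteed non-NULL at this point cannot be confirmed from here; if the lookup above can leave it NULL, the dereference needs a guard.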
@@ -214,21 +214,38 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 uint16_t i;
 uint16_t allocated_keys = 0;
 int rodc_krbtgt_number = 0;
+ uint32_t supported_enctypes;
- /* Supported Enc for this entry */
- uint32_t supported_enctypes = ENC_ALL_TYPES; /* by default, we support all enc types */
-
- /* However, if this is a TGS-REQ, then lock it down to a
- * reasonable guess as to what the server can decode. The
- * krbtgt is special - default to use what is stored for the KDC */
- if (rid != DOMAIN_RID_KRBTGT && ent_type == SAMBA_KDC_ENT_TYPE_SERVER) {
- /* This is the standard set for a server that has not declared a msDS-SupportedEncryptionTypes */
- supported_enctypes = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
+ if (rid == DOMAIN_RID_KRBTGT || is_rodc) {
+ /* KDCs (and KDCs on RODCs) use AES, but not DES */
+ supported_enctypes = ENC_ALL_TYPES;
+ supported_enctypes &= ~(ENC_CRC32|ENC_RSA_MD5);
+ } else if (userAccountControl & (UF_PARTIAL_SECRETS_ACCOUNT|UF_SERVER_TRUST_ACCOUNT)) {
+ /* DCs and RODCs comptuer accounts use AES */
+ supported_enctypes = ENC_ALL_TYPES;
+ } else if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT ||
+ (ent_type == SAMBA_KDC_ENT_TYPE_ANY)) {
+ /* for AS-REQ the client chooses the enc types it
+ * supports, and this will vary between computers a
+ * user logs in from.
However, some accounts may be
+ * banned from using DES, so allow the default to be
+ * overridden
+ *
+ * likewise for 'any' return as much as is supported,
+ * to export into a keytab */
+ supported_enctypes = ldb_msg_find_attr_as_uint(msg, "msDS-SupportedEncryptionTypes",
+ ENC_ALL_TYPES);
+ } else {
+ /* However, if this is a TGS-REQ, then lock it down to
+ * a reasonable guess as to what the server can decode
+ * - we must use whatever is in
+ * "msDS-SupportedEncryptionTypes", or the 'old' set
+ * of keys (ie, what Windows 2000 supported) */
+ supported_enctypes = ldb_msg_find_attr_as_uint(msg, "msDS-SupportedEncryptionTypes",
+ ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5);
 }
- supported_enctypes = ldb_msg_find_attr_as_uint(msg, "msDS-SupportedEncryptionTypes",
- supported_enctypes);
- /* Is this the krbtgt or a RODC */
+ /* Is this the krbtgt or a RODC krbtgt */
 if (is_rodc) {
 rodc_krbtgt_number = ldb_msg_find_attr_as_int(msg, "msDS-SecondaryKrbTgtNumber", -1);
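Review bot: The comment `/* DCs and RODCs comptuer accounts use AES */` and the assignment under it disagree: `supported_enctypes = ENC_ALL_TYPES;` leaves ENC_CRC32 and ENC_RSA_MD5 set, so a DC or RODC computer account matched via UF_SERVER_TRUST_ACCOUNT or UF_PARTIAL_SECRETS_ACCOUNT still gets DES keys, whereas the krbtgt branch directly above clears them with `supported_enctypes &= ~(ENC_CRC32|ENC_RSA_MD5);`. Either apply the same mask in this branch or reword the comment to state that DES stays enabled for these accounts, and fix the `comptuer` typo while there. A second, smaller point: `supported_enctypes` is now declared without an initializer and relies on every arm of the if/else chain assigning it; that holds today, but a `uint32_t supported_enctypes = 0;` initializer costs nothing and keeps the `&=` operations in the next hunk well-defined if another arm is added later without an assignment.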
@@ -237,26 +254,25 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 }
 }
- if (rid == DOMAIN_RID_KRBTGT || is_rodc) {
- /* Be double-sure never to use DES here */
- supported_enctypes &= ~(ENC_CRC32|ENC_RSA_MD5);
- }
-
- switch (ent_type) {
- case SAMBA_KDC_ENT_TYPE_KRBTGT:
- case SAMBA_KDC_ENT_TYPE_TRUST:
- /* Disallow krbtgt and trust tickets to be DES encrypted, it's just too dangerous */
- supported_enctypes &= ~(ENC_CRC32|ENC_RSA_MD5);
- break;
- default:
- break;
- /* No further restrictions */
- }
 /* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */
 if (userAccountControl & UF_USE_DES_KEY_ONLY) {
- /* However, don't allow use of DES, if we were told not to by msDS-SupportedEncTypes */
+ /* However, this still won't allow use of DES, if we
+ * were told not to by msDS-SupportedEncTypes */
 supported_enctypes &= ENC_CRC32|ENC_RSA_MD5;
+ } else {
+ switch (ent_type) {
+ case SAMBA_KDC_ENT_TYPE_KRBTGT:
+ case SAMBA_KDC_ENT_TYPE_TRUST:
+ /* Unless a very special effort it made,
+ * disallow trust tickets to be DES encrypted,
+ * it's just too dangerous */
+ supported_enctypes &= ~(ENC_CRC32|ENC_RSA_MD5);
+ break;
+ default:
+ break;
+ /* No further restrictions */
+ }
 }
 entry_ex->entry.keys.val = NULL;
-- Samba Shared Repository
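Review bot: After this block `supported_enctypes` can legitimately end up 0 — for instance an account with UF_USE_DES_KEY_ONLY whose msDS-SupportedEncryptionTypes (read in the previous hunk) excludes the DES types, which is exactly the case the new comment describes — and nothing here reports or handles that. Unless the key-building loop that follows (outside the hunk) checks for an empty set, the entry is returned with no keys at all and the cause is invisible in the logs; an explicit `if (supported_enctypes == 0)` branch that logs via `DEBUG()` or returns an error would make the outcome visible. Two smaller points: the trailing `/* No further restrictions */` sits after `break;` where it reads as unreachable code and belongs above the `break;`, and the comment should read `Unless a very special effort is made`.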