The branch, master has been updated
       via  b452fb3 waf: for MIT krb5 build require kerberos version above 1.9
       via  72029d5 s3-smbldap: Add API for external callback to perform LDAP bind in smbldap
       via  838435ab3 s4/scripting: in MIT build do not install samba-tool, it is not usable yet
       via  ca2b625 s4-selftest: Demonstrate the correct behaviour between specified usernames and kerberos ccache
       via  dc3f74a auth/credentials: 'workgroup' set via command line will not drop existing ccache
      from  a95b2ba s3:smbd/msdfs: pass allow_broken_path to resolve_dfspath_wcard()

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------

commit b452fb30f79c5effa508b891bcb453de8f452286
Author: Alexander Bokovoy <a...@samba.org>
Date:   Thu May 24 16:28:31 2012 +0300

    waf: for MIT krb5 build require kerberos version above 1.9

    MIT krb5 implementation provides sufficient support for features used in
    Samba 4 starting with 1.9. Require version above when using system MIT
    krb5 build.

    Autobuild-User: Alexander Bokovoy <a...@samba.org>
    Autobuild-Date: Thu May 24 18:15:36 CEST 2012 on sn-devel-104

commit 72029d5547766787afb0a76c3959d1820388e28e
Author: Alexander Bokovoy <a...@samba.org>
Date:   Thu May 24 15:38:41 2012 +0300

    s3-smbldap: Add API for external callback to perform LDAP bind in smbldap

    In order to support other bind methods, introduce a generic bind callback.
    When smbldap_state.bind_callback is set, it means there is an alternative
    way to perform LDAP bind to ldap_simple_bind_s() so call it instead.

    The call is wrapped in become_root()/unbecome_root() to allow proper
    permissions in smbd to access needed resources in the callback, for
    example, credential caches. When run outside smbd,
    become_root()/unbecome_root() are no-op.

    The API expectation is similar to ldap_simple_bind_s(). A caller of
    smbldap API can pass additional information to the callback by setting
    smbldap_state.bind_callback_data pointer.

    Both callback and the data pointer elements of smbldap_state structure
    get cleaned up if someone sets proper credentials on smbldap_state with
    smbldap_set_creds() so if you are interested in using
    smbldap_state.bind_dn with the callback, make sure to set callback after
    credentials are set.

commit 838435ab30c03e5db7eb1e80f486528231dffdfc
Author: Alexander Bokovoy <a...@samba.org>
Date:   Thu May 24 15:24:12 2012 +0300

    s4/scripting: in MIT build do not install samba-tool, it is not usable yet

commit ca2b6259b7f0787eb372b56076e63413f530ec12
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu May 24 13:36:20 2012 +1000

    s4-selftest: Demonstrate the correct behaviour between specified usernames and kerberos ccache

    This shows that a username/password on the command line must always
    override any credentials cache in the environment.

    Andrew Bartlett

commit dc3f74a953de0fcf9b3f693efe2ba8dea7b93da9
Author: Alexander Bokovoy <a...@samba.org>
Date:   Thu May 24 15:17:40 2012 +0300

    auth/credentials: 'workgroup' set via command line will not drop existing ccache

    The root cause for existing ccache being invalidated was use of global
    loadparm with 'workgroup' value set as if from command line. However, we
    don't really need to take 'workgroup' parameter value's nature into
    account when invalidating existing ccache. When -U is used on the command
    line, one can specify a password to force ccache invalidation.

    The commit also reverts previous fix now that root cause is clear.

-----------------------------------------------------------------------

Summary of changes:
 auth/credentials/credentials.c       |  6 +++++-
 auth/credentials/credentials_krb5.c  | 14 ++------------
 source3/include/smbldap.h            |  2 ++
 source3/lib/smbldap.c                | 20 +++++++++++++++++++-
 source4/scripting/bin/wscript_build  |  4 +---
 source4/scripting/wscript_build      |  7 +++----
 testprogs/blackbox/test_kinit.sh     |  1 -
 testprogs/blackbox/test_passwords.sh |  8 ++++++++
 wscript_configure_system_mitkrb5     |  9 ++++++++-
 9 files changed, 48 insertions(+), 23 deletions(-)

Changeset truncated at 500 lines:

diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c index 3eaccde..05f0a62 100644 --- a/auth/credentials/credentials.c +++ b/auth/credentials/credentials.c
@@ -483,7 +483,11 @@ _PUBLIC_ bool cli_credentials_set_domain(struct cli_credentials *cred, * calculations */ cred->domain = strupper_talloc(cred, val); cred->domain_obtained = obtained; - cli_credentials_invalidate_ccache(cred, cred->domain_obtained); + /* setting domain does not mean we have to invalidate ccache + * because domain in not used for Kerberos operations. + * If ccache invalidation is required, one will anyway specify + * a password to kinit, and that will force invalidation of the ccache + */ return true; } diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c index 2c93a8f..2a23688 100644 --- a/auth/credentials/credentials_krb5.c +++ b/auth/credentials/credentials_krb5.c @@ -486,18 +486,8 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, } } - - if (cred->ccache_obtained == CRED_UNINITIALISED) { - /* Only attempt to re-acquire ccache if it is not already in place. - * this is important for client-side use within frameworks with already acquired tickets - * like Apache+mod_auth_kerb+Python - */ - ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx, - &ccache, error_string); - } else { - ccache = cred->ccache; - } - + ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx, + &ccache, error_string); if (ret) { if (cli_credentials_get_kerberos_state(cred) == CRED_MUST_USE_KERBEROS) { DEBUG(1, ("Failed to get kerberos credentials (kerberos required): %s\n", *error_string)); diff --git a/source3/include/smbldap.h b/source3/include/smbldap.h index df9df76..5051fcf 100644 --- a/source3/include/smbldap.h +++ b/source3/include/smbldap.h @@ -44,6 +44,8 @@ struct smbldap_state { bool anonymous; char *bind_dn; char *bind_secret; + int (*bind_callback)(LDAP *ldap_struct, struct smbldap_state *ldap_state, void *data); + void *bind_callback_data; bool paged_results; diff --git a/source3/lib/smbldap.c b/source3/lib/smbldap.c index c01d3fd..43ddaff 100644 --- a/source3/lib/smbldap.c 
+++ b/source3/lib/smbldap.c @@ -976,7 +976,20 @@ static int smbldap_connect_system(struct smbldap_state *ldap_state) #endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/ #endif - rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret); + /* When there is an alternative bind callback is set, + attempt to use it to perform the bind */ + if (ldap_state->bind_callback != NULL) { + /* We have to allow bind callback to be run under become_root/unbecome_root + to make sure within smbd the callback has proper write access to its resources, + like credential cache. This is similar to passdb case where this callback is supposed + to be used. When used outside smbd, become_root()/unbecome_root() are no-op. + */ + become_root(); + rc = ldap_state->bind_callback(ldap_struct, ldap_state, ldap_state->bind_callback_data); + unbecome_root(); + } else { + rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret); + } if (rc != LDAP_SUCCESS) { char *ld_error = NULL; @@ -1667,6 +1680,8 @@ void smbldap_free_struct(struct smbldap_state **ldap_state) SAFE_FREE((*ldap_state)->bind_dn); SAFE_FREE((*ldap_state)->bind_secret); + (*ldap_state)->bind_callback = NULL; + (*ldap_state)->bind_callback_data = NULL; TALLOC_FREE(*ldap_state); @@ -1846,6 +1861,9 @@ bool smbldap_set_creds(struct smbldap_state *ldap_state, bool anon, const char * /* free any previously set credential */ SAFE_FREE(ldap_state->bind_dn); + ldap_state->bind_callback = NULL; + ldap_state->bind_callback_data = NULL; + if (ldap_state->bind_secret) { /* make sure secrets are zeroed out of memory */ memset(ldap_state->bind_secret, '\0', strlen(ldap_state->bind_secret)); diff --git a/source4/scripting/bin/wscript_build b/source4/scripting/bin/wscript_build index 200562b..e95fd03 100644 --- a/source4/scripting/bin/wscript_build +++ b/source4/scripting/bin/wscript_build 
@@ -1,7 +1,5 @@ #!/usr/bin/env python if bld.CONFIG_SET('AD_DC_BUILD_IS_ENABLED'): - for script in ['samba_dnsupdate', 'samba_spnupdate', 'samba_kcc', 'upgradeprovision', 'samba_upgradedns']: + for script in ['samba-tool', 'samba_dnsupdate', 'samba_spnupdate', 'samba_kcc', 'upgradeprovision', 'samba_upgradedns']: bld.SAMBA_SCRIPT(script, pattern=script, installdir='.') - -bld.SAMBA_SCRIPT('samba-tool', pattern='samba-tool', installdir='.') diff --git a/source4/scripting/wscript_build b/source4/scripting/wscript_build index 221f030..2362a64 100644 --- a/source4/scripting/wscript_build +++ b/source4/scripting/wscript_build @@ -3,18 +3,17 @@ from samba_utils import MODE_755 sbin_files = None -bin_files = 'bin/samba-tool' if bld.CONFIG_SET('AD_DC_BUILD_IS_ENABLED'): sbin_files = 'bin/upgradeprovision bin/samba_dnsupdate bin/samba_spnupdate bin/samba_upgradedns' - bin_files = bin_files + ' bin/samba_kcc' if sbin_files: bld.INSTALL_FILES('${SBINDIR}', 'bin/upgradeprovision bin/samba_dnsupdate bin/samba_spnupdate bin/samba_upgradedns', chmod=MODE_755, python_fixup=True, flat=True) -bld.INSTALL_FILES('${BINDIR}', - bin_files, +if bld.CONFIG_SET('AD_DC_BUILD_IS_ENABLED'): + bld.INSTALL_FILES('${BINDIR}', + 'bin/samba-tool bin/samba_kcc', chmod=MODE_755, python_fixup=True, flat=True) bld.RECURSE('bin') diff --git a/testprogs/blackbox/test_kinit.sh b/testprogs/blackbox/test_kinit.sh index 14f1e62..981987d 100755 --- a/testprogs/blackbox/test_kinit.sh +++ b/testprogs/blackbox/test_kinit.sh 
@@ -174,7 +174,6 @@ rm -f $KRB5CCNAME testit "kinit with machineaccountccache script" $machineaccountccache $CONFIGURATION $KRB5CCNAME || failed=`expr $failed + 1` test_smbclient "Test machine account login with kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1` -rm -f $KRB5CCNAME testit "reset password policies" $VALGRIND $samba_tool domain passwordsettings $PWSETCONFIG set --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=`expr $failed + 1` rm -f $PREFIX/tmpccache tmpccfile tmppassfile tmpuserpassfile tmpuserccache tmpkpasswdscript diff --git a/testprogs/blackbox/test_passwords.sh b/testprogs/blackbox/test_passwords.sh index fe8386d..822f0fb 100755 --- a/testprogs/blackbox/test_passwords.sh +++ b/testprogs/blackbox/test_passwords.sh @@ -72,6 +72,14 @@ testit "kinit with user password" $samba4kinit --password-file=./tmpuserpassfile test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1` +# +# These tests demonstrate that a credential cache in the environment does not +# override a username/password, even an incorrect one, on the command line +# + +testit_expect_failure "Test login with user kerberos ccache, but wrong password specified" $VALGRIND $smbclient //$SERVER/tmp -c 'ls' -k yes -Unettestuser@$REALM%wrongpass && failed=`expr $failed + 1` +testit_expect_failure "Test login with user kerberos ccache, but old password specified" $VALGRIND $smbclient //$SERVER/tmp -c 'ls' -k yes -Unettestuser@$REALM%$USERPASS && failed=`expr $failed + 1` + USERPASS=$NEWUSERPASS WEAKPASS=testpass1 diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5 index 7523103..805c452 100644 --- a/wscript_configure_system_mitkrb5 +++ b/wscript_configure_system_mitkrb5 @@ -1,4 +1,4 @@ -import Logs, Options +import Logs, Options, sys # Check for kerberos have_gssapi=False 
@@ -30,6 +30,13 @@ if conf.env.KRB5_CONFIG: if conf.env.KRB5_VENDOR != 'heimdal': conf.define('USING_SYSTEM_KRB5', 1) del conf.env.HEIMDAL_KRB5_CONFIG + kversion = conf.cmd_and_log("%(path)s --version" % dict(path=conf.env.KRB5_CONFIG), dict()).strip() + kversion_split = map(int, kversion.split(" ")[-1].split(".")) + if kversion_split < [1, 9]: + Logs.error('ERROR: MIT krb5 build requires at least 1.9.0. %s is found and cannot be used' % (kversion)) + sys.exit(1) + else: + Logs.info('%s is detected, MIT krb5 build can proceed' % (kversion)) conf.check_cfg(args="--cflags --libs", package="com_err", uselib_store="com_err") conf.CHECK_FUNCS_IN('_et_list', 'com_err') -- Samba Shared Repository
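Review bot: In the credentials.c hunk (cli_credentials_set_domain), the new comment has a typo, "domain in not used for Kerberos operations" should read "domain is not used", and it leaves the invalidation contract implicit: after this change nothing in cli_credentials_set_domain touches the ccache, so the only remaining trigger for dropping an existing ccache is a password being set. Worth stating that explicitly in the comment ("callers that need a fresh ccache must set a password, see cli_credentials_set_password") so the next person does not reintroduce the invalidate call the commit message says was the original bug.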
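Review bot: In the credentials_krb5.c hunk (cli_credentials_get_client_gss_creds), the removed guard existed specifically so that a ccache already obtained (the "Apache+mod_auth_kerb+Python" case in the deleted comment) was reused instead of re-acquired; the replacement calls cli_credentials_get_ccache() unconditionally. That is only safe if cli_credentials_get_ccache() itself returns cred->ccache when ccache_obtained is already set, which this hunk does not show. Please either confirm that in the commit message or keep a comment here explaining why the CRED_UNINITIALISED check is no longer needed, and ideally cover the pre-acquired-ccache case in selftest, since the new test_passwords.sh tests only exercise the command-line-password path.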
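Review bot: In the smbldap.h hunk, the new bind_callback and bind_callback_data members are added with no comment, so the contract from the commit message (return value must be an LDAP result code as ldap_simple_bind_s() returns; the callback is invoked under become_root(); both fields are reset by smbldap_set_creds(), so set the callback after the credentials; bind_callback_data is owned by the caller and is not freed by smbldap) lives only in git history. Suggest a short block comment above the two fields, e.g. "/* Alternative bind: must return an LDAP result code (LDAP_SUCCESS on success). Cleared by smbldap_set_creds(); data is owned by the caller. */".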
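Review bot: In the first smbldap.c hunk (smbldap_connect_system), the comment "When there is an alternative bind callback is set," is ungrammatical; "When an alternative bind callback is set," reads cleanly. On substance: the callback runs between become_root() and unbecome_root() and its return value is compared directly with LDAP_SUCCESS and then handed to the existing error path that reads ld_error, so a callback that returns 0/-1 or an errno instead of an LDAP result code will either be treated as success or produce a misleading error string. Since the callback pointer is supplied by code outside this file, the header comment (or a DEBUG line here) should make the expected return value unambiguous, and it is worth keeping the root window minimal: the callback should do nothing beyond the bind and reading its credential cache, as the comment already describes.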
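Review bot: In the smbldap_free_struct hunk, setting (*ldap_state)->bind_callback and bind_callback_data to NULL immediately before TALLOC_FREE(*ldap_state) has no effect, the memory is released on the next line. If the intent is to document that bind_callback_data is never freed here (caller-owned), a one-line comment says that better than dead stores; otherwise these two lines can be dropped.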
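Review bot: In the smbldap_set_creds hunk, silently clearing bind_callback and bind_callback_data is an ordering trap that the commit message acknowledges ("make sure to set callback after credentials are set") but the code does not: a caller that installs the callback and then calls smbldap_set_creds() loses it with no diagnostic and falls back to ldap_simple_bind_s() with whatever bind_secret was set. Suggest a DEBUG(10, ...) when a non-NULL callback is being cleared, and a comment in smbldap.h next to the field repeating the ordering requirement, so the failure mode is visible rather than a quiet change of bind method.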
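Review bot: In the source4/scripting/bin/wscript_build hunk, samba-tool is now gated on AD_DC_BUILD_IS_ENABLED rather than on anything MIT-specific, while the commit message says "in MIT build do not install samba-tool". If the MIT build is exactly the configuration where AD_DC_BUILD_IS_ENABLED is off, this is correct but the message should say so; if any other configuration can disable the AD DC build, samba-tool disappears from it too, which is a larger change than described.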
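Review bot: In the source4/scripting/wscript_build hunk, bld.CONFIG_SET('AD_DC_BUILD_IS_ENABLED') is now evaluated twice, once to set sbin_files and again around the BINDIR install; the BINDIR call can move into the first block, which also lets the hard-coded 'bin/upgradeprovision bin/samba_dnsupdate bin/samba_spnupdate bin/samba_upgradedns' in the SBINDIR call be replaced by the sbin_files variable that is computed and then not used. Two copies of the same file list will drift.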
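Review bot: In the test_kinit.sh hunk, dropping "rm -f $KRB5CCNAME" after the machine-account smbclient test means the "reset password policies" samba-tool call that follows now runs with the machine account ccache still in the environment, and the final rm only removes $PREFIX/tmpccache and friends. If the point is to show samba-tool works with (or ignores) that ccache, a one-line comment would make the dependency intentional; if not, the cleanup should stay and the test that needs the ccache should be moved before it.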
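Review bot: In the test_passwords.sh hunk, the second new test ("old password specified") passes -Unettestuser@$REALM%$USERPASS and expects failure, but the hunk sits before the USERPASS=$NEWUSERPASS assignment, so it is only an "old password" if the password was already changed earlier in the script; otherwise the failure would come from somewhere else and the test would pass for the wrong reason. Suggest either asserting the change happened (a successful kinit with $NEWUSERPASS just before) or naming the variable in the comment so the ordering is explicit. The && failed=... form is the right one for testit_expect_failure, consistent with the rest of the file.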
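Review bot: In the wscript_configure_system_mitkrb5 hunk, the version parse is fragile in two ways: map(int, ...) produces a list only on Python 2 (on Python 3 it is an iterator and the "< [1, 9]" comparison raises TypeError), and int() will raise ValueError on any krb5-config output whose last token is not purely dotted digits (pre-release or vendor-suffixed versions). Suggest list(map(int, re.findall(r'\d+', kversion.split(" ")[-1])))[:3] or similar, and conf.fatal(...) instead of Logs.error + sys.exit(1), which is the waf idiom and makes the extra sys import unnecessary. The log message itself is fine, but "requires at least 1.9.0" with "< [1, 9]" also accepts 1.9.0 exactly, while the commit title says "above 1.9"; pick one and make the message and the check agree.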