The branch, master has been updated
       via  9adfe82 pam_winbind: update documentation for "DIR" krb5ccname pragma.
       via  7ad3a36 s3-winbindd: support the DIR pragma for raw kerberos user pam authentication.
       via  73e6fef wbinfo: allow defining a custom krb5ccname for kerberized pam auth.
       via  e9ae36e s4-lib/socket: Allocate the larger sockaddr_un and not just a sockaddr_in in unixdom_get_peer_addr()
      from  fe06e1b smbd: Fix CID 1035536 Uninitialized pointer read
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------

commit 9adfe82a1785aa6a7baefb435072a0a81dfb13cb
Author: Günther Deschner <g...@samba.org>
Date:   Thu Jul 18 19:09:14 2013 +0200

    pam_winbind: update documentation for "DIR" krb5ccname pragma.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

    Autobuild-User(master): Jeremy Allison <j...@samba.org>
    Autobuild-Date(master): Wed Jul 24 02:43:10 CEST 2013 on sn-devel-104

commit 7ad3a367d52b1f123c318946d654e95639202130
Author: Günther Deschner <g...@samba.org>
Date:   Thu Jul 18 19:05:51 2013 +0200

    s3-winbindd: support the DIR pragma for raw kerberos user pam authentication.

    It is currently only available in MIT.

    In addition, allow defining custom filepaths for FILE, WRFILE and DIR
    pragmas and substitute one occurrence of the %u pattern.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Pair-Programmed-With: Andreas Schneider <a...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 73e6feff9b3f30e70d84fe256aff239fafdfdb95
Author: Günther Deschner <g...@samba.org>
Date:   Thu Jul 18 19:04:29 2013 +0200

    wbinfo: allow defining a custom krb5ccname for kerberized pam auth.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit e9ae36e9683372b86f1efbd29904722a33fea083
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Jul 24 10:19:26 2013 +1200

    s4-lib/socket: Allocate the larger sockaddr_un and not just a sockaddr_in in unixdom_get_peer_addr()

    This caused crashes in _tsocket_address_bsd_from_sockaddr() when we
    read past the end of the allocation.

    Andrew Bartlett
Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> ----------------------------------------------------------------------- Summary of changes: docs-xml/manpages/pam_winbind.conf.5.xml | 39 ++++++++++++++++++++++------- examples/pam_winbind/pam_winbind.conf | 3 +- nsswitch/wbinfo.c | 6 +++- source3/winbindd/winbindd_pam.c | 23 +++++++++++++++++ source4/lib/socket/socket_unix.c | 4 +- 5 files changed, 60 insertions(+), 15 deletions(-) Changeset truncated at 500 lines: diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml index 8c36719..020cb67 100644 --- a/docs-xml/manpages/pam_winbind.conf.5.xml +++ b/docs-xml/manpages/pam_winbind.conf.5.xml 
@@ -106,16 +106,35 @@ <term>krb5_ccache_type = [type]</term> <listitem><para> - When pam_winbind is configured to try kerberos authentication - by enabling the <parameter>krb5_auth</parameter> option, it can - store the retrieved Ticket Granting Ticket (TGT) in a - credential cache. The type of credential cache can be set with - this option. Currently the only supported value is: - <parameter>FILE</parameter>. In that case a credential cache in - the form of /tmp/krb5cc_UID will be created, where UID is - replaced with the numeric user id. Leave empty to just do - kerberos authentication without having a ticket cache after the - logon has succeeded. This setting is empty by default. + When pam_winbind is configured to try kerberos authentication by + enabling the <parameter>krb5_auth</parameter> option, it can + store the retrieved Ticket Granting Ticket (TGT) in a credential + cache. The type of credential cache can be controlled with this + option. The supported values are: <parameter>FILE</parameter> + and <parameter>DIR</parameter> (when the DIR type is supported + by the system's Kerberos library). In case of FILE a credential + cache in the form of /tmp/krb5cc_UID will be created - in case + of DIR it will be located under the /run/user/UID/krb5cc + directory. UID is replaced with the numeric user id.</para> + + <para>It is also possible to define custom filepaths and use the "%u" + pattern in order to substitue the numeric user id. 
+ Examples:</para> + + <variablelist> + <varlistentry> + <term>krb5_ccache_type = DIR:/run/user/%u/krb5cc</term> + <listitem><para>This will create a credential cache file in the specified directory.</para></listitem> + </varlistentry> + <varlistentry> + <term>krb5_ccache_type = FILE:/tmp/krb5cc_%u</term> + <listitem><para>This will create a credential cache file.</para></listitem> + </varlistentry> + </variablelist> + + <para> Leave empty to just do kerberos authentication without + having a ticket cache after the logon has succeeded. + This setting is empty by default. </para></listitem> </varlistentry> diff --git a/examples/pam_winbind/pam_winbind.conf b/examples/pam_winbind/pam_winbind.conf index dd0b112..87bc388 100644 --- a/examples/pam_winbind/pam_winbind.conf +++ b/examples/pam_winbind/pam_winbind.conf @@ -3,6 +3,7 @@ # # /etc/security/pam_winbind.conf # +# For more details see man pam_winbind.conf(5) [global] @@ -19,7 +20,7 @@ # authenticate using kerberos ;krb5_auth = no -# when using kerberos, request a "FILE" krb5 credential cache type +# when using kerberos, request a "FILE" or "DIR" krb5 credential cache type # (leave empty to just do krb5 authentication but not have a ticket # afterwards) ;krb5_ccache_type = diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c index a1ca7fc..cba469e 100644 --- a/nsswitch/wbinfo.c +++ b/nsswitch/wbinfo.c @@ -2097,6 +2097,7 @@ int main(int argc, char **argv, char **envp) bool use_lanman = false; char *logoff_user = getenv("USER"); int logoff_uid = geteuid(); + const char *opt_krb5ccname = "FILE"; struct poptOption long_options[] = { POPT_AUTOHELP 
@@ -2178,6 +2179,7 @@ int main(int argc, char **argv, char **envp) { "krb5auth", 'K', POPT_ARG_STRING, &string_arg, 'K', "authenticate user using Kerberos", "user%password" }, /* destroys wbinfo --help output */ /* "user%password,DOM\\user%password,u...@example.com,EXAMPLE.COM\\user%password" }, */ + { "krb5ccname", 0, POPT_ARG_STRING, &opt_krb5ccname, '0', "authenticate user using Kerberos and specific credential cache type", "krb5ccname" }, #endif { "separator", 0, POPT_ARG_NONE, 0, OPT_SEPARATOR, "Get the active winbind separator", NULL }, { "verbose", 0, POPT_ARG_NONE, 0, OPT_VERBOSE, "Print additional information per command", NULL }, @@ -2547,13 +2549,13 @@ int main(int argc, char **argv, char **envp) WBFLAG_PAM_INFO3_TEXT | WBFLAG_PAM_CONTACT_TRUSTDOM; - if (!wbinfo_auth_krb5(string_arg, "FILE", + if (!wbinfo_auth_krb5(string_arg, opt_krb5ccname, flags)) { d_fprintf(stderr, "Could not authenticate user " "[%s] with Kerberos " "(ccache: %s)\n", string_arg, - "FILE"); + opt_krb5ccname); goto done; } break; diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index aed4741..7b67154 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -492,6 +492,29 @@ static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx, gen_cc = talloc_asprintf( mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid); } + if (strequal(type, "DIR")) { + gen_cc = talloc_asprintf( + mem_ctx, "DIR:/run/user/%d/krb5cc", uid); + } + + if (strnequal(type, "FILE:/", 6) || + strnequal(type, "WRFILE:/", 8) || + strnequal(type, "DIR:/", 5)) { + + /* we allow only one "%u" substitution */ + + char *p; + + p = strchr(type, '%'); + if (p != NULL) { + + p++; + + if (p != NULL && *p == 'u' && strchr(p, '%') == NULL) { + gen_cc = talloc_asprintf(mem_ctx, type, uid); + } + } + } } *user_ccache_file = gen_cc; diff --git a/source4/lib/socket/socket_unix.c b/source4/lib/socket/socket_unix.c index 0774b12..3aa5440 100644 --- a/source4/lib/socket/socket_unix.c 
+++ b/source4/lib/socket/socket_unix.c @@ -323,7 +323,7 @@ static char *unixdom_get_peer_name(struct socket_context *sock, TALLOC_CTX *mem_ static struct socket_address *unixdom_get_peer_addr(struct socket_context *sock, TALLOC_CTX *mem_ctx) { - struct sockaddr_in *peer_addr; + struct sockaddr_un *peer_addr; socklen_t len = sizeof(*peer_addr); struct socket_address *peer; int ret; @@ -334,7 +334,7 @@ static struct socket_address *unixdom_get_peer_addr(struct socket_context *sock, } peer->family = sock->backend_name; - peer_addr = talloc(peer, struct sockaddr_in); + peer_addr = talloc(peer, struct sockaddr_un); if (!peer_addr) { talloc_free(peer); return NULL; -- Samba Shared Repository
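Review bot: Typo in the second added paragraph of the krb5_ccache_type entry in docs-xml/manpages/pam_winbind.conf.5.xml: "substitue" should be "substitute". The two example descriptions are also nearly identical ("This will create a credential cache file in the specified directory" versus "This will create a credential cache file"), which hides the only difference that matters to an administrator: with DIR the configured path names a directory that holds the cache collection, while with FILE it names the single cache file itself. Spelling that out, and stating that the file or directory is created with the authenticating user's UID as owner, would make the entry self-explanatory.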
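Review bot: In nsswitch/wbinfo.c the new "krb5ccname" popt entry sits inside the conditional block that ends at the visible #endif, but opt_krb5ccname from the first hunk is declared unconditionally, so a build without the Kerberos option will report an unused variable; move the declaration under the same conditional or guard it. The help string "authenticate user using Kerberos and specific credential cache type" is also misleading, because the option by itself authenticates nothing, it only selects the cache passed to --krb5auth; something like "credential cache type or path to use with --krb5auth (default FILE)" describes what it does. Since the value is passed straight through to winbindd, the man page examples (DIR:/run/user/%u/krb5cc, FILE:/tmp/krb5cc_%u) are what users will type here, and the help text could point at pam_winbind.conf(5) for the accepted forms.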
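Review bot: The custom-path branch in source3/winbindd/winbindd_pam.c passes a configuration-supplied string as the printf format in `gen_cc = talloc_asprintf(mem_ctx, type, uid);`. The preceding scan (exactly one '%', immediately followed by 'u') is the only thing standing between this call and a format-string bug, and it will still trip -Wformat-nonliteral/-Wformat-security; it also feeds a uid_t to %u while the fixed FILE/WRFILE/DIR branches just above use %d. Prefer locating the "%u" and building the result with a literal format, e.g. `gen_cc = talloc_asprintf(mem_ctx, "%.*s%u%s", (int)(p - 1 - type), type, (unsigned int)uid, p + 1);` (with p pointing at the 'u' as in the current code), so no non-literal format ever reaches talloc_asprintf. Two smaller points in the same block: a custom path with no "%u" at all (which the new man page text "It is also possible to define custom filepaths" invites) passes the strnequal test but sets nothing, so gen_cc keeps whatever it held before the block and the user silently ends up without the requested cache; either copy the path through with talloc_strdup or reject it with a DEBUG message. And `p != NULL` after `p++` is always true and can be dropped.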