The branch, master has been updated via 102ad9ee6a0 librpc: match gensec_gssapi and call gsskrb5_set_dns_canonicalize() for Heimdal via cd5a5f590ff build: Add missing dependency on addns from b948aeac539 hdb: Initialise HDB structure
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 102ad9ee6a037e2aa6296d0dfbf17f3e4175a581 Author: Andrew Bartlett <abart...@samba.org> Date: Tue Sep 26 15:10:12 2017 +1300 librpc: match gensec_gssapi and call gsskrb5_set_dns_canonicalize() for Heimdal This is needed to ensure Heimdal does not attempt to use nss to canonicalize the name. Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org> Autobuild-Date(master): Thu Dec 9 07:42:38 UTC 2021 on sn-devel-184 commit cd5a5f590ff21587a45405977ab6bef9ff3c2db6 Author: Andrew Bartlett <abart...@samba.org> Date: Tue Dec 7 16:04:08 2021 +1300 build: Add missing dependency on addns This becomes noticed when we upgrade Heimdal as we do not find the correct gssapi headers any more. Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> ----------------------------------------------------------------------- Summary of changes: source3/librpc/crypto/gse.c | 42 ++++++++++++++++++++++++++++++++++++------ source3/utils/wscript_build | 3 ++- 2 files changed, 38 insertions(+), 7 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c index 1cf111bd974..c50a8a036df 100644 --- a/source3/librpc/crypto/gse.c +++ b/source3/librpc/crypto/gse.c @@ -31,6 +31,7 @@ #include "auth/gensec/gensec_internal.h" #include "auth/credentials/credentials.h" #include "../librpc/gen_ndr/dcerpc.h" +#include "param/param.h" #if defined(HAVE_KRB5) @@ -248,7 +249,7 @@ err_out: return status; } -static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx, +static NTSTATUS gse_init_client(struct gensec_security *gensec_security, bool do_sign, bool do_seal, const char *ccache_name, const char *server, 
@@ -271,13 +272,42 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_PARAMETER; } - status = gse_context_init(mem_ctx, do_sign, do_seal, + status = gse_context_init(gensec_security, do_sign, do_seal, ccache_name, add_gss_c_flags, &gse_ctx); if (!NT_STATUS_IS_OK(status)) { return NT_STATUS_NO_MEMORY; } +#ifdef SAMBA4_USES_HEIMDAL + { + int ret; + bool set_dns_canon = gensec_setting_bool( + gensec_security->settings, + "krb5", "set_dns_canonicalize", + false); + const char *server_realm = lpcfg_realm( + gensec_security->settings->lp_ctx); + if (server_realm != NULL) { + ret = gsskrb5_set_default_realm(server_realm); + if (ret) { + DBG_ERR("gsskrb5_set_default_realm failed\n"); + return NT_STATUS_INTERNAL_ERROR; + } + } + + /* + * don't do DNS lookups of any kind, it might/will + * fail for a netbios name + */ + ret = gsskrb5_set_dns_canonicalize(set_dns_canon); + if (ret != GSS_S_COMPLETE) { + DBG_ERR("gsskrb5_set_dns_canonicalize failed\n"); + return NT_STATUS_INTERNAL_ERROR; + } + } +#endif + /* TODO: get krb5 ticket using username/password, if no valid * one already available in ccache */ @@ -1151,13 +1181,13 @@ static bool gensec_gse_have_feature(struct gensec_security *gensec_security, return false; } - status = gssapi_get_session_key(talloc_tos(), + status = gssapi_get_session_key(talloc_tos(), gse_ctx->gssapi_context, NULL, &keytype); - /* + /* * We should do a proper sig on the mechListMic unless * we know we have to be backwards compatible with - * earlier windows versions. - * + * earlier windows versions. + * * Negotiating a non-krb5 * mech for example should be regarded as having * NEW_SPNEGO diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build index 48ce876db27..a89a4db8b59 100644 --- a/source3/utils/wscript_build +++ b/source3/utils/wscript_build 
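Review bot: The two new `return NT_STATUS_INTERNAL_ERROR;` paths inside the `SAMBA4_USES_HEIMDAL` block run after `gse_context_init()` has succeeded, so `gse_ctx` stays allocated under `gensec_security` until that parent is freed. Add `TALLOC_FREE(gse_ctx);` before each return, or jump to the function's cleanup label if it has one; the rest of `gse_init_client` is outside this hunk. The comment "don't do DNS lookups of any kind" no longer matches the call beneath it, which passes the configurable `krb5:set_dns_canonicalize` value, so I would reword it to `/* Default (false): do not canonicalize the target name through the resolver; it fails for NetBIOS names and makes the service principal depend on DNS answers. */`. Both `DBG_ERR` messages would be easier to triage with the returned code, e.g. `DBG_ERR("gsskrb5_set_dns_canonicalize failed: %d\n", ret);`. The two checks should also use the same test, `ret != GSS_S_COMPLETE`, rather than `if (ret)` in one and the explicit comparison in the other.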
@@ -8,7 +8,8 @@ bld.SAMBA3_SUBSYSTEM('CONN_TDB', source='conn_tdb.c') bld.SAMBA3_SUBSYSTEM('DNS_UTIL', - source='net_dns.c net_ads_join_dns.c') + source='net_dns.c net_ads_join_dns.c', + deps='addns') bld.SAMBA3_BINARY('profiles', source='profiles.c', -- Samba Shared Repository