The branch, master has been updated
via 102ad9ee6a0 librpc: match gensec_gssapi and call
gsskrb5_set_dns_canonicalize() for Heimdal
via cd5a5f590ff build: Add missing dependency on addns
from b948aeac539 hdb: Initialise HDB structure
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 102ad9ee6a037e2aa6296d0dfbf17f3e4175a581
Author: Andrew Bartlett <abart...@samba.org>
Date: Tue Sep 26 15:10:12 2017 +1300
librpc: match gensec_gssapi and call gsskrb5_set_dns_canonicalize() for
Heimdal
This is needed to ensure Heimdal does not attempt to use nss to
canonicalize the name.
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org>
Autobuild-Date(master): Thu Dec 9 07:42:38 UTC 2021 on sn-devel-184
commit cd5a5f590ff21587a45405977ab6bef9ff3c2db6
Author: Andrew Bartlett <abart...@samba.org>
Date: Tue Dec 7 16:04:08 2021 +1300
build: Add missing dependency on addns
This becomes noticed when we upgrade Heimdal as we do not find
the correct gssapi headers any more.
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
source3/librpc/crypto/gse.c | 42 ++++++++++++++++++++++++++++++++++++------
source3/utils/wscript_build | 3 ++-
2 files changed, 38 insertions(+), 7 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 1cf111bd974..c50a8a036df 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -31,6 +31,7 @@
#include "auth/gensec/gensec_internal.h"
#include "auth/credentials/credentials.h"
#include "../librpc/gen_ndr/dcerpc.h"
+#include "param/param.h"
#if defined(HAVE_KRB5)
@@ -248,7 +249,7 @@ err_out:
return status;
}
-static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
+static NTSTATUS gse_init_client(struct gensec_security *gensec_security,
bool do_sign, bool do_seal,
const char *ccache_name,
const char *server,
@@ -271,13 +272,42 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
return NT_STATUS_INVALID_PARAMETER;
}
- status = gse_context_init(mem_ctx, do_sign, do_seal,
+ status = gse_context_init(gensec_security, do_sign, do_seal,
ccache_name, add_gss_c_flags,
&gse_ctx);
if (!NT_STATUS_IS_OK(status)) {
return NT_STATUS_NO_MEMORY;
}
+#ifdef SAMBA4_USES_HEIMDAL
+ {
+ int ret;
+ bool set_dns_canon = gensec_setting_bool(
+ gensec_security->settings,
+ "krb5", "set_dns_canonicalize",
+ false);
+ const char *server_realm = lpcfg_realm(
+ gensec_security->settings->lp_ctx);
+ if (server_realm != NULL) {
+ ret = gsskrb5_set_default_realm(server_realm);
+ if (ret) {
+ DBG_ERR("gsskrb5_set_default_realm failed\n");
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ }
+
+ /*
+ * don't do DNS lookups of any kind, it might/will
+ * fail for a netbios name
+ */
+ ret = gsskrb5_set_dns_canonicalize(set_dns_canon);
+ if (ret != GSS_S_COMPLETE) {
+ DBG_ERR("gsskrb5_set_dns_canonicalize failed\n");
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ }
+#endif
+
/* TODO: get krb5 ticket using username/password, if no valid
* one already available in ccache */
@@ -1151,13 +1181,13 @@ static bool gensec_gse_have_feature(struct
gensec_security *gensec_security,
return false;
}
- status = gssapi_get_session_key(talloc_tos(),
+ status = gssapi_get_session_key(talloc_tos(),
gse_ctx->gssapi_context, NULL,
&keytype);
- /*
+ /*
* We should do a proper sig on the mechListMic unless
* we know we have to be backwards compatible with
- * earlier windows versions.
- *
+ * earlier windows versions.
+ *
* Negotiating a non-krb5
* mech for example should be regarded as having
* NEW_SPNEGO
diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build
index 48ce876db27..a89a4db8b59 100644
--- a/source3/utils/wscript_build
+++ b/source3/utils/wscript_build
@@ -8,7 +8,8 @@ bld.SAMBA3_SUBSYSTEM('CONN_TDB',
source='conn_tdb.c')
bld.SAMBA3_SUBSYSTEM('DNS_UTIL',
- source='net_dns.c net_ads_join_dns.c')
+ source='net_dns.c net_ads_join_dns.c',
+ deps='addns')
bld.SAMBA3_BINARY('profiles',
source='profiles.c',
--
Samba Shared Repository
