The branch, v4-15-test has been updated
       via  ca5abc39c1d s3:winbind: Use the canonical realm name to renew the credentials
       via  e7ae7cba136 s3:winbind: Create service principal inside add_ccache_to_list()
       via  206c4f0094e nfs4_acls: Correctly skip chown when gid did not change
      from  fce5a61033a s3:libads: Check if we have a valid sockaddr

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test

- Log -----------------------------------------------------------------
commit ca5abc39c1d1f8d3bfa7bee79a1cf0b1944fc85d
Author: Samuel Cabrero <scabr...@samba.org>
Date:   Thu Jul 7 11:32:39 2022 +0200

    s3:winbind: Use the canonical realm name to renew the credentials

    Consider the following AD topology where all trusts are parent-child
    trusts:

    ADOM.AFOREST.AD
          |
    ACHILD.ADOM.AFOREST.AD
          |
    AGRANDCHILD.ACHILD.ADOM.AFOREST.AD    <-- Samba joined

    When logging into the Samba machine using pam_winbind with kerberos
    enabled with user ACHILD\user1, the ccache content is:

    Default principal: us...@achild.adom.aforest.ad

    Valid starting       Expires              Service principal
    07/06/2022 16:09:23  07/06/2022 16:14:23  krbtgt/achild.adom.aforest...@achild.adom.aforest.ad
            renew until 07/13/2022 16:09:23
--> 07/06/2022 16:09:23  07/06/2022 16:14:23  krbtgt/agrandchild.achild.adom.aforest...@achild.adom.aforest.ad   <-- NOTE this TGT ticket
            renew until 07/13/2022 16:09:23
    07/06/2022 16:09:23  07/06/2022 16:14:23  SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
            renew until 07/13/2022 16:09:23

    But when logging in with user ADOM\user1, the ccache content is:

    Default principal: us...@adom.aforest.ad

    Valid starting       Expires              Service principal
    07/06/2022 16:04:37  07/06/2022 16:09:37  krbtgt/adom.aforest...@adom.aforest.ad
            renew until 07/13/2022 16:04:37
    07/06/2022 16:04:37  07/06/2022 16:09:37  SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
            renew until 07/13/2022 16:04:37

    MIT does not store the intermediate TGTs when there is more than one
    hop:

    ads_krb5_cli_get_ticket: Getting ticket for service [SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD] using creds from [FILE:/tmp/krb5cc_11105] and impersonating [(null)]
    Getting credentials us...@adom.aforest.ad -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD using ccache FILE:/tmp/krb5cc_11105
    Starting with TGT for client realm: us...@adom.aforest.ad -> krbtgt/adom.aforest...@adom.aforest.ad
    Requesting TGT krbtgt/agrandchild.achild.adom.aforest...@adom.aforest.ad using TGT krbtgt/adom.aforest...@adom.aforest.ad
    Sending request to ADOM.AFOREST.AD
    Received answer from stream 192.168.101.32:88
    TGS reply is for us...@adom.aforest.ad -> krbtgt/achild.adom.aforest...@adom.aforest.ad with session key rc4-hmac/D88B
--> Received TGT for offpath realm ACHILD.ADOM.AFOREST.AD   <-- NOTE this TGT ticket is not stored
    Requesting TGT krbtgt/agrandchild.achild.adom.aforest...@achild.adom.aforest.ad using TGT krbtgt/achild.adom.aforest...@adom.aforest.ad
    Sending request (1748 bytes) to ACHILD.ADOM.AFOREST.AD
    Received answer (1628 bytes) from stream 192.168.101.33:88
    TGS reply is for us...@adom.aforest.ad -> krbtgt/agrandchild.achild.adom.aforest...@achild.adom.aforest.ad with session key rc4-hmac/D015
--> Received TGT for service realm: krbtgt/agrandchild.achild.adom.aforest...@achild.adom.aforest.ad   <-- NOTE this TGT is not stored
    Requesting tickets for SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD, referrals on
    Sending request (1721 bytes) to AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
    Received answer (1647 bytes) from stream 192.168.101.34:88
    TGS reply is for us...@adom.aforest.ad -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD with session key aes256-cts/345A
    Received creds for desired service SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
    Storing us...@adom.aforest.ad -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD in FILE:/tmp/krb5cc_11105

    In the case of ACHILD\user1:

    ads_krb5_cli_get_ticket: Getting ticket for service [SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD] using creds from [FILE:/tmp/krb5cc_2000] and impersonating [(null)]
    Getting credentials us...@achild.adom.aforest.ad -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD using ccache FILE:/tmp/krb5cc_2000
    Starting with TGT for client realm: us...@achild.adom.aforest.ad -> krbtgt/achild.adom.aforest...@achild.adom.aforest.ad
    Requesting TGT krbtgt/agrandchild.achild.adom.aforest...@achild.adom.aforest.ad using TGT krbtgt/achild.adom.aforest...@achild.adom.aforest.ad
    Sending request to ACHILD.ADOM.AFOREST.AD
    Received answer from stream 192.168.101.33:88
    TGS reply is for us...@achild.adom.aforest.ad -> krbtgt/agrandchild.achild.adom.aforest...@achild.adom.aforest.ad with session key rc4-hmac/0F60
--> Storing us...@achild.adom.aforest.ad -> krbtgt/agrandchild.achild.adom.aforest...@achild.adom.aforest.ad in FILE:/tmp/krb5cc_2000   <-- NOTE this TGT is stored
    Received TGT for service realm: krbtgt/agrandchild.achild.adom.aforest...@achild.adom.aforest.ad
    Requesting tickets for SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD, referrals on
    Sending request (1745 bytes) to AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
    Received answer (1675 bytes) from stream 192.168.101.34:88
    TGS reply is for us...@achild.adom.aforest.ad -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD with session key aes256-cts/3576
    Received creds for desired service SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD
    Storing us...@achild.adom.aforest.ad -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD in FILE:/tmp/krb5cc_2000

    The result is that winbindd can't refresh the tickets for ADOM\user1
    because the local realm is used to build the TGT service name.

    smb_krb5_renew_ticket: Using FILE:/tmp/krb5cc_11105 as ccache for client 'us...@adom.aforest.ad' and service 'krbtgt/agrandchild.achild.adom.aforest...@agrandchild.achild.adom.aforest.ad'
    Retrieving us...@adom.aforest.ad -> krbtgt/agrandchild.achild.adom.aforest...@adom.aforest.ad from FILE:/tmp/krb5cc_11105 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_11105)

    The canonical realm name must be used instead:

    smb_krb5_renew_ticket: Using FILE:/tmp/krb5cc_11105 as ccache for client 'us...@adom.aforest.ad' and service 'krbtgt/adom.aforest...@adom.aforest.ad'
    Retrieving us...@adom.aforest.ad -> krbtgt/adom.aforest...@adom.aforest.ad from FILE:/tmp/krb5cc_11105 with result: 0/Success
    Get cred via TGT krbtgt/adom.aforest...@adom.aforest.ad after requesting krbtgt/adom.aforest...@adom.aforest.ad (canonicalize off)
    Sending request to ADOM.AFOREST.AD
    Received answer from stream 192.168.101.32:88
    TGS reply is for us...@adom.aforest.ad -> krbtgt/adom.aforest...@adom.aforest.ad with session key aes256-cts/8C7B
    Storing us...@adom.aforest.ad -> krbtgt/adom.aforest...@adom.aforest.ad in FILE:/tmp/krb5cc_11105

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979

    Signed-off-by: Samuel Cabrero <scabr...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

    Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org>
    Autobuild-Date(master): Tue Jul 12 12:38:55 UTC 2022 on sn-devel-184

    (cherry picked from commit 116af0df4f74aa450cbb77c79f8cac4bfc288631)

    Autobuild-User(v4-15-test): Jule Anger <jan...@samba.org>
    Autobuild-Date(v4-15-test): Mon Jul 18 10:36:35 UTC 2022 on sn-devel-184

commit e7ae7cba1361fec80df015ccc8263b2133cd877a
Author: Samuel Cabrero <scabr...@samba.org>
Date:   Thu Jul 7 11:22:05 2022 +0200

    s3:winbind: Create service principal inside add_ccache_to_list()

    The function can build the service principal itself, there is no need
    to do it in the caller. This removes code duplication.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
    Signed-off-by: Samuel Cabrero <scabr...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

    (cherry picked from commit 8bef8e3de9fc96ff45319f80529e878977563f3a)

commit 206c4f0094e11239903bf183ebd817443608a235
Author: Christof Schmitt <c...@samba.org>
Date:   Tue Jul 12 05:12:21 2022 -0700

    nfs4_acls: Correctly skip chown when gid did not change

    Commit 86f7af84 introduced a problem that a chown is always attempted,
    even when the owning gid did not change. Then the ACL is set in the
    file system as root.

    Fix the check by correctly comparing with gid, not uid.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15120

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Volker Lendecke <v...@samba.org>

    Autobuild-User(master): Christof Schmitt <c...@samba.org>
    Autobuild-Date(master): Wed Jul 13 17:30:30 UTC 2022 on sn-devel-184

    (cherry picked from commit a6ccceb97ebd43d453ae4f835927cbacde0fdcef)

-----------------------------------------------------------------------

Summary of changes:
 source3/modules/nfs4_acls.c            |  2 +-
 source3/winbindd/winbindd_cred_cache.c | 16 +++++++++-------
 source3/winbindd/winbindd_pam.c        | 14 --------------
 source3/winbindd/winbindd_proto.h      |  1 -
 4 files changed, 10 insertions(+), 23 deletions(-)

Changeset truncated at 500 lines:

diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c index c7808037a09..ff446bb1166 100644 --- a/source3/modules/nfs4_acls.c +++ b/source3/modules/nfs4_acls.c @@ -1022,7 +1022,7 @@ NTSTATUS smb_set_nt_acl_nfs4(vfs_handle_struct *handle, files_struct *fsp, /* chown logic is a copy/paste from posix_acl.c:set_nt_acl */ uid_t old_uid = fsp->fsp_name->st.st_ex_uid; - uid_t old_gid = fsp->fsp_name->st.st_ex_uid; + gid_t old_gid = fsp->fsp_name->st.st_ex_gid; status = unpack_nt_owners(fsp->conn, &newUID, &newGID, security_info_sent, psd); if (!NT_STATUS_IS_OK(status)) { diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c index 6c65db6a73f..9d27cbe8f78 100644 
--- a/source3/winbindd/winbindd_cred_cache.c +++ b/source3/winbindd/winbindd_cred_cache.c @@ -493,7 +493,6 @@ bool ccache_entry_identical(const char *username, NTSTATUS add_ccache_to_list(const char *princ_name, const char *ccname, - const char *service, const char *username, const char *pass, const char *realm, @@ -613,12 +612,6 @@ NTSTATUS add_ccache_to_list(const char *princ_name, goto no_mem; } } - if (service) { - entry->service = talloc_strdup(entry, service); - if (!entry->service) { - goto no_mem; - } - } if (canon_principal != NULL) { entry->canon_principal = talloc_strdup(entry, canon_principal); if (entry->canon_principal == NULL) { @@ -642,6 +635,15 @@ NTSTATUS add_ccache_to_list(const char *princ_name, goto no_mem; } + entry->service = talloc_asprintf(entry, + "%s/%s@%s", + KRB5_TGS_NAME, + canon_realm, + canon_realm); + if (entry->service == NULL) { + goto no_mem; + } + entry->create_time = create_time; entry->renew_until = renew_until; entry->uid = uid; diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 5505220335f..d574834ba94 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -672,7 +672,6 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, krb5_error_code krb5_ret; const char *cc = NULL; const char *principal_s = NULL; - const char *service = NULL; char *realm = NULL; fstring name_namespace, name_domain, name_user; time_t ticket_lifetime = 0; @@ -755,11 +754,6 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - service = talloc_asprintf(mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm); - if (service == NULL) { - return NT_STATUS_NO_MEMORY; - } - local_service = talloc_asprintf(mem_ctx, "%s$@%s", lp_netbios_name(), lp_realm()); if (local_service == NULL) { @@ -848,7 +842,6 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, result = add_ccache_to_list(principal_s, cc, - service, user, pass, realm, 
@@ -1180,7 +1173,6 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, const char *cc = NULL; char *realm = NULL; const char *principal_s = NULL; - const char *service = NULL; const char *user_ccache_file; if (domain->alt_name == NULL) { @@ -1215,11 +1207,6 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, return NT_STATUS_NO_MEMORY; } - service = talloc_asprintf(state->mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm); - if (service == NULL) { - return NT_STATUS_NO_MEMORY; - } - if (user_ccache_file != NULL) { fstrcpy(state->response->data.auth.krb5ccname, @@ -1227,7 +1214,6 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, result = add_ccache_to_list(principal_s, cc, - service, state->request->data.auth.user, state->request->data.auth.pass, realm, diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h index 16c23f3de40..c685fab2606 100644 --- a/source3/winbindd/winbindd_proto.h +++ b/source3/winbindd/winbindd_proto.h @@ -228,7 +228,6 @@ void ccache_remove_all_after_fork(void); void ccache_regain_all_now(void); NTSTATUS add_ccache_to_list(const char *princ_name, const char *ccname, - const char *service, const char *username, const char *password, const char *realm, -- Samba Shared Repository
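Review bot: in the nfs4_acls.c hunk, the corrected line `+ gid_t old_gid = fsp->fsp_name->st.st_ex_gid;` fixes both the field and the type, but this class of copy/paste slip is invisible to the compiler because uid_t and gid_t are typedefs of the same unsigned integer type on the usual libcs, so nothing warned while old_gid was silently loaded from st_ex_uid and the "unchanged gid" check could never be true. Given the comment `/* chown logic is a copy/paste from posix_acl.c:set_nt_acl */` in the same hunk, please verify that the origin in posix_acl.c does not carry the same pattern, and add a regression test that sets an ACL without changing group ownership and asserts no chown is issued, since the commit message states the failure mode is a chown attempted, and the ACL then set as root, when the gid did not change.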
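Review bot: in the winbindd_cred_cache.c hunk at @@ -642, the new `entry->service = talloc_asprintf(entry, "%s/%s@%s", KRB5_TGS_NAME, canon_realm, canon_realm);` passes canon_realm to a `%s` conversion with no NULL check visible in the hunk, while the neighbouring context stores canon_principal only under `if (canon_principal != NULL)`, which suggests the canonical values can be absent. A NULL argument for `%s` is undefined behaviour in C; where the libc happens to print "(null)" the result would be a service name of the form krbtgt/(null)@(null) that can never match a cached TGT, reproducing the "Matching credential not found" renewal failure the first commit fixes in a different form. Please either reject a NULL canon_realm up front (returning NT_STATUS_INVALID_PARAMETER before the allocation) or document in the winbindd_proto.h prototype that callers must always supply it.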