The branch, master has been updated via 1ca6fb563b0 lib/replace: make sure krb5_cc_default[_name]() is no longer used directly via afcd53b8d09 auth/credentials_krb5: let cli_credentials_set_ccache() use smb_force_krb5_cc_default() via a5d46f69d12 auth/credentials_krb5: use system/{gssapi,kerberos}.h via 845a2aae6f0 smbspool: let kerberos_ccache_is_valid() use smb_force_krb5_cc_default_name() via 4514fb5f439 smbspool_krb5_wrapper: let kerberos_get_default_ccache() use smb_force_krb5_cc_default_name() via a8da9de9f4a smbspool_krb5_wrapper: remove unused includes via eb6dc35a704 krb5_wrap: let smb_krb5_renew_ticket() use smb_force_krb5_cc_default_name() via f850bcfc0b4 krb5_wrap: add smb_force_krb5_cc_default[_name]() wrappers via d49de777104 s3:libads: let kerberos_kinit_password_ext() require an explicit krb5 ccache via 70f9e3a0567 krb5_wrap: let ads_krb5_cli_get_ticket() require an explicit krb5 ccache via fc92025ecb2 s3:libads: finally remove unused ads_connect[_user_creds]() and related code via 25806314dae s3:net: finally remove net_context->opt_{user_specified,user_name,password} via a1ab1c8620c s3:net: remove unused net_context->smb_encrypt via 9620d2ecc18 s3:net: remove unused net_context->opt_kerberos via 2de585a9787 s3:include: remove unused krb5_env.h via eb9ad5cc890 s3:net_ads: remove unused use_in_memory_ccache() via e76fe56fdf6 s3:net_ads: make use of ads_connect_{cldap_only,creds}() in ads_startup_int() via d59d957caba s3:libads: let ads_krb5_set_password() require an explicit krb5 ccache to operate on via 432273dd3ec s3:libads: kerberos_set_password() don't need to kinit before ads_krb5_chg_password() via 125db2ed815 s3:libads: remove unused kdc_host and time_offset arguments to kerberos_set_password() via b641b35b028 s3:libads: remove unused kdc_host and time_offset arguments to ads_krb5_chg_password() via 3141423feb3 s3:libads: remove krb5_set_real_time() from ads_krb5_set_password() via c85c084d69e s3:libads: remove unused kdc_host argument of 
ads_krb5_set_password() via 5f32f14ef58 s3:net_ads: require kerberos if we use ads_krb5_set_password() in ads_user_add() via 1eeeb76e6c5 s3:net_ads: use ADS_SASL_SEAL by default, so that we always get encryption via 612af29cef1 s3:net_ads: use cli_credentials_get_principal() in order to call kerberos functions via 55c9a6c0e3a s3:net: remove useless net_prompt_pass() wrapper via d9082129f21 s3:net_rpc: make use of !c->explicit_credentials for NET_FLAGS_ANONYMOUS via e690666fd10 s3:net: make use of c->explicit_credentials in order to check for valid credentials via be1051f3792 s3:net: add net_context->explicit_credentials to check if credentials were passed via a9beae36f0a s3:net: correctly implement --use-ccache as legacy for --use-winbind-ccache for 'net' via 579195769d6 s3:net_offlinejoin: we don't need to call libnetapi_set_use_kerberos() as we already passed cli_credentials via f4f31236c4a s3:libnet_join: pass down cli_credentials *admin_credentials to libnet_{Join,Unjoin}Ctx() via c0edd3406b9 s3:lib/netapi: make use of ads_simple_creds/libnetapi_get_creds in NetGetJoinableOUs_l via 0470cc385d9 s3:lib/netapi: add libnetapi_get_creds() via bd53e20764b libgpo/pygpo: make use of ads_connect_{creds,machine}() via 87e7a9488a0 s3:printing: make use of ads_connect_machine() via f9496bfdf4e s3:libads: add ads_connect_machine() helper via 353abcb4d3e s3:libads: add ads_simple_creds() helper via c36b0442244 s3:libads: make use of ads_connect_simple_anon() in ldap.c where possible via 7bfbea4c3c8 s3:libads: add ads_connect_simple_anon() helper via c95a2785e20 lib/addns: rewrite signed dns update code to use gensec instead of plain gssapi via 5807689f968 s3:utils: let net_update_dns_internal() set status before goto done in all cases via 28af0829263 s3:winbindd: make use of winbindd_get_trust_credentials() in idmap_ad.c via ed75331f525 s3:winbindd: make use of winbindd_get_trust_credentials() in _winbind_LogonControl_TC_VERIFY() via 16bbb407fa5 s3:winbindd: make use of 
samba_sockaddr to avoid compiler warnings via f903d80769b s3:winbindd: use winbindd_get_trust_credentials()/ads_connect_creds() in winbindd_ads.c via 8166642e1bd s3:winbindd: make winbindd_get_trust_credentials() public via 81a6c54fddc s3:libads: add ads_set_reconnect_fn() and only reconnect if we can get creds via 31e4614ee36 s3:libads: add ads_connect_creds() helper via 76e0d348ddd s3:libads: fix compiler warning in ads_mod_ber() via bac243442a6 s3:libads: move ads->auth.time_offset to ads->config.time_offset via ea97abd545e s3:libads: we only need to gensec_expire_time()... via ce1ad21ce63 s3:libads: remove unused ads->auth.renewable via fcd47a49660 s3:winbindd: remove useless 'renewable' argument to ads_cached_connection_connect() via bb8b7be74a7 s3:libads: let ads_sasl_spnego_bind() really use spnego to negotiate krb5/ntlmssp via 1474f9c5de3 testprogs/blackbox: add better testnames in test_weak_disable_ntlmssp_ldap.sh via cff7656e665 s3:net_ads: make use of ads_connect_cldap_only() and ADS_AUTH_GENERATE_KRB5_CONFIG in net_ads_password() via f024063aec9 s3:winbindd: make use of ads_connect_cldap_only() in dcip_check_name_ads() via e8250f16240 s3:net_ads: make use of ads_connect_cldap_only() in net_ads_check_int() via fdd34b57c41 s3:libsmb: make use of ads_connect_cldap_only() via f34e64baf6c s3:libads: add ads_connect_cldap_only() helper via 36748002f01 s3:libads: also avoid ADS_AUTH_GENERATE_KRB5_CONFIG for ADS_AUTH_ANON_BIND via 9ea1ea16290 s3:libads: add ADS_AUTH_GENERATE_KRB5_CONFIG to generate a custom krb5.conf via b3110ec049b s3:libads: split out ads_connect_internal() and call it with ads_legacy_creds() via be771670eb3 s3:libads: let ads_sasl_spnego_bind() use cli_credentials_get_unparsed_name() via 4d42574c542 s3:libads: let ads_sasl_spnego_bind() reset krb5_state at the end via f7ab92ea7e0 s3:libads: let ads_sasl_spnego_bind() use cli_credentials_get_kerberos_state() via b98f9a341f4 s3:libads: split out ads_legacy_creds() via 6f33e46c19f s3:libads: 
remove unused LIBADS_CCACHE_NAME define via a70c62a78e4 s3:libads: make use of talloc_stackframe() in ads_setup_tls_wrapping() via d26e4c6e272 s3:libsmb: remove unused cli_session_creds_prepare_krb5() via ef205f6b52e s3:gse: get an explicit ccache_name from creds and kinit if required via 98ee5ca7e83 s3:gse: Pass down the mech to gse_context_init() via bc2a2399e52 s3:gse: Implement gensec_gse_security_by_oid() via 2ec3e59f58b s3:gse: Use smb_gss_mech_import_cred() in gse_init_server() via ca90f213a27 lib:krb5_wrap: Implement smb_gss_mech_import_cred() via 2fd2d28b8fe s3:libsmb: fix lpcfg_gensec_settings() no memory check in auth_generic_client_prepare() via fb7e19826af s3:libsmb: explicitly use the default krb5 ccache in cli_session_creds_init() without a password via 2dc76cc84c1 s3:ntlm_auth: explicitly include default krb5 ccache if no explicit username/password are given via 52715b461a8 tests/ntlm_auth: Do not set a client_password via a6b94a690b5 tests/ntlm_auth_krb5: don't test that a krb5ccache work with an explicit username via 3ea605d8af2 blackbox/test_kinit.sh: verify that --use-krb5-ccache= works without KRB5CCNAME via e47f9415b77 s3:libads: don't allow ads_kdestroy(NULL) anymore via 4959f932279 s3:winbindd: don't use ads_kdestroy(NULL) in winbindd_raw_kerberos_login() from 712ffbffc03 s3:libsmb: allow store_cldap_reply() to work with a ipv6 response
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 1ca6fb563b0bf25b36a2961754d94cc54d3d9292 Author: Stefan Metzmacher <me...@samba.org> Date: Sat May 11 02:38:21 2024 +0200 lib/replace: make sure krb5_cc_default[_name]() is no longer used directly Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> Autobuild-User(master): Stefan Metzmacher <me...@samba.org> Autobuild-Date(master): Tue May 14 11:22:28 UTC 2024 on atb-devel-224 commit afcd53b8d09c8cdba0e23980567920e399ff62f5 Author: Stefan Metzmacher <me...@samba.org> Date: Sat May 11 02:38:21 2024 +0200 auth/credentials_krb5: let cli_credentials_set_ccache() use smb_force_krb5_cc_default() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit a5d46f69d12dde94caac5a7472157205081f6e0e Author: Stefan Metzmacher <me...@samba.org> Date: Sat May 11 02:38:21 2024 +0200 auth/credentials_krb5: use system/{gssapi,kerberos}.h Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 845a2aae6f0d9efc1913e85e91f8f52e92e6b211 Author: Stefan Metzmacher <me...@samba.org> Date: Sat May 11 02:38:21 2024 +0200 smbspool: let kerberos_ccache_is_valid() use smb_force_krb5_cc_default_name() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 4514fb5f43988f080e55a3a9278dfce75876d475 Author: Stefan Metzmacher <me...@samba.org> Date: Sat May 11 02:38:21 2024 +0200 smbspool_krb5_wrapper: let kerberos_get_default_ccache() use smb_force_krb5_cc_default_name() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit a8da9de9f4ac37b6bb9fb95aa8b2767251188cbb Author: Stefan Metzmacher <me...@samba.org> Date: Sat May 11 02:38:21 2024 +0200 smbspool_krb5_wrapper: remove unused includes 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit eb6dc35a704dec309acd45af8781402b875feeaa Author: Stefan Metzmacher <me...@samba.org> Date: Sat May 11 02:38:21 2024 +0200 krb5_wrap: let smb_krb5_renew_ticket() use smb_force_krb5_cc_default_name() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit f850bcfc0b42302e39b35faa64ad9743b736745e Author: Stefan Metzmacher <me...@samba.org> Date: Sat May 11 02:38:21 2024 +0200 krb5_wrap: add smb_force_krb5_cc_default[_name]() wrappers If we touch the global krb5_ccache we want to make that explicit, so calling krb5_cc_default[_name] will result in an error during the next patches. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit d49de777104fb491f8cca837791dea7bed1c572b Author: Stefan Metzmacher <me...@samba.org> Date: Mon Mar 11 17:46:45 2024 +0100 s3:libads: let kerberos_kinit_password_ext() require an explicit krb5 ccache Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 70f9e3a0567af3c4f1a62eb2df56c6bcc1132599 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Mar 11 17:46:45 2024 +0100 krb5_wrap: let ads_krb5_cli_get_ticket() require an explicit krb5 ccache Reviewed-by: Andreas Schneider <a...@samba.org> Signed-off-by: Stefan Metzmacher <me...@samba.org> commit fc92025ecb2c43305bde43f0c2a9856abed654c4 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Mar 5 17:55:14 2024 +0100 s3:libads: finally remove unused ads_connect[_user_creds]() and related code That was a long way, but now we're cli_credentials/gensec only :-) 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 25806314daef8d2958b63bc429c9973c2755a865 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 7 14:56:45 2024 +0100 s3:net: finally remove net_context->opt_{user_specified,user_name,password} Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit a1ab1c8620c907a6cced8d1d1cd9686746b59717 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 7 13:50:39 2024 +0100 s3:net: remove unused net_context->smb_encrypt Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 9620d2ecc188799798fbef31b6934b861f3bbe33 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 7 13:44:53 2024 +0100 s3:net: remove unused net_context->opt_kerberos Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 2de585a97870306ec7ce4e1effabd2d47ed07ec7 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 7 13:27:06 2024 +0100 s3:include: remove unused krb5_env.h Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit eb9ad5cc8902678b399a777138f3b92c4d949874 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 7 12:08:00 2024 +0100 s3:net_ads: remove unused use_in_memory_ccache() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit e76fe56fdf649b370fb4d280ca64f66bc36b2b07 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Feb 29 14:07:05 2024 +0100 s3:net_ads: make use of ads_connect_{cldap_only,creds}() in ads_startup_int() 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit d59d957caba354d771445661fc297995880cb47a Author: Stefan Metzmacher <me...@samba.org> Date: Mon Mar 11 17:45:43 2024 +0100 s3:libads: let ads_krb5_set_password() require an explicit krb5 ccache to operate on Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 432273dd3ec94ecc695002ab51f99f38048c3902 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Mar 11 17:45:43 2024 +0100 s3:libads: kerberos_set_password() don't need to kinit before ads_krb5_chg_password() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 125db2ed8158ced630c02860a40a1199c74a0381 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Mar 11 17:45:43 2024 +0100 s3:libads: remove unused kdc_host and time_offset arguments to kerberos_set_password() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit b641b35b028e6986dbff6667fd5198393f50aef2 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Mar 11 17:45:43 2024 +0100 s3:libads: remove unused kdc_host and time_offset arguments to ads_krb5_chg_password() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 3141423feb3d027da29ba0c84c6ed90ff48db961 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Mar 11 17:45:43 2024 +0100 s3:libads: remove krb5_set_real_time() from ads_krb5_set_password() Callers typically only pass in 0 anyway. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit c85c084d69e4d5048b6d9a79d2b806bd4f022d73 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Mar 11 17:45:43 2024 +0100 s3:libads: remove unused kdc_host argument of ads_krb5_set_password() 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 5f32f14ef58df1e43df87acb952a367cbab9122d Author: Stefan Metzmacher <me...@samba.org> Date: Mon Mar 11 17:45:43 2024 +0100 s3:net_ads: require kerberos if we use ads_krb5_set_password() in ads_user_add() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 1eeeb76e6c5e76f69ed90274721de8fe94014a02 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Mar 11 17:45:43 2024 +0100 s3:net_ads: use ADS_SASL_SEAL by default, so that we always get encryption Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 612af29cef19b6b3722aa94adff34542ac519236 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 7 14:55:09 2024 +0100 s3:net_ads: use cli_credentials_get_principal() in order to call kerberos functions This is better than the value from cli_credentials_get_username()... Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 55c9a6c0e3a403ac38f018fcf3b003e39c3c79f3 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 7 14:54:18 2024 +0100 s3:net: remove useless net_prompt_pass() wrapper Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit d9082129f21e5b6f7cc5c2011336a952da84441e Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 7 13:43:13 2024 +0100 s3:net_rpc: make use of !c->explicit_credentials for NET_FLAGS_ANONYMOUS Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit e690666fd108667595caf6f062b6665fb8aa604d Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 7 14:47:06 2024 +0100 s3:net: make use of c->explicit_credentials in order to check for valid credentials 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit be1051f3792689209496c8039658b02b6ebdf53d Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 7 14:40:10 2024 +0100 s3:net: add net_context->explicit_credentials to check if credentials were passed Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit a9beae36f0a41cd912a8238f9e3563638cbadc9d Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 7 13:50:39 2024 +0100 s3:net: correctly implement --use-ccache as legacy for --use-winbind-ccache for 'net' Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 579195769d6d8a39921b6622bc76ac1be0418d46 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 7 13:41:51 2024 +0100 s3:net_offlinejoin: we don't need to call libnetapi_set_use_kerberos() as we already passed cli_credentials c->opt_kerberos is derived from c->creds... Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit f4f31236c4aac21e4e6e96fd507ea3ba1b6d3fef Author: Stefan Metzmacher <me...@samba.org> Date: Thu Apr 28 17:59:00 2022 +0200 s3:libnet_join: pass down cli_credentials *admin_credentials to libnet_{Join,Unjoin}Ctx() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit c0edd3406b9a0db65a77dd17ca9ab6ad28c09728 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Mar 5 17:40:48 2024 +0100 s3:lib/netapi: make use of ads_simple_creds/libnetapi_get_creds in NetGetJoinableOUs_l Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 0470cc385d935d6898afd6cf993fef3b9881f8ac Author: Stefan Metzmacher <me...@samba.org> Date: Tue Mar 5 17:38:25 2024 +0100 s3:lib/netapi: add libnetapi_get_creds() 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit bd53e20764bc87cc4c3681106927a3629c3dc257 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Mar 5 17:21:02 2024 +0100 libgpo/pygpo: make use of ads_connect_{creds,machine}() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 87e7a9488a0a132847b25a40ac1fa7752b248502 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Apr 28 18:58:27 2022 +0200 s3:printing: make use of ads_connect_machine() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit f9496bfdf4e62fb1707e8fc6520439757978da6e Author: Stefan Metzmacher <me...@samba.org> Date: Thu Apr 28 18:53:03 2022 +0200 s3:libads: add ads_connect_machine() helper Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 353abcb4d3eb7952997abfa6f8196c673ab7ac9b Author: Stefan Metzmacher <me...@samba.org> Date: Thu Apr 28 17:51:57 2022 +0200 s3:libads: add ads_simple_creds() helper Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit c36b044224494b0f4ea59cf146073ba42cc10767 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Apr 28 18:43:00 2022 +0200 s3:libads: make use of ads_connect_simple_anon() in ldap.c where possible Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 7bfbea4c3c8f71dceedcc017153dcf31ab223b59 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Apr 28 18:38:17 2022 +0200 s3:libads: add ads_connect_simple_anon() helper Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit c95a2785e209cbd0fcec5f6a553a95e12ff19fa1 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 7 12:03:05 2024 +0100 lib/addns: rewrite signed dns update code to use gensec instead of plain gssapi 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 5807689f96889e1ce886d253bf2e4c478c554ce2 Author: Stefan Metzmacher <me...@samba.org> Date: Sat May 11 02:38:21 2024 +0200 s3:utils: let net_update_dns_internal() set status before goto done in all cases Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 28af08292635d1eecbf6e020957b03bb5f57b199 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Feb 27 09:59:09 2024 +0100 s3:winbindd: make use of winbindd_get_trust_credentials() in idmap_ad.c Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit ed75331f525b7e7cb71bab88aa08832c2716a610 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Feb 27 09:53:04 2024 +0100 s3:winbindd: make use of winbindd_get_trust_credentials() in _winbind_LogonControl_TC_VERIFY() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 16bbb407fa512bbab7edab6b0ba4d9063996b35e Author: Stefan Metzmacher <me...@samba.org> Date: Tue Feb 27 09:44:54 2024 +0100 s3:winbindd: make use of samba_sockaddr to avoid compiler warnings Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit f903d80769be8893c08c020f24d0d63040d51027 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Feb 27 09:44:19 2024 +0100 s3:winbindd: use winbindd_get_trust_credentials()/ads_connect_creds() in winbindd_ads.c Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 8166642e1bd4c9bfdae266e9be445f605dc9fb85 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Feb 27 09:23:17 2024 +0100 s3:winbindd: make winbindd_get_trust_credentials() public We'll use it outside of winbindd_cm.c soon. 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 81a6c54fddc7b1d783d8c1c9a1b4607e5e055bff Author: Stefan Metzmacher <me...@samba.org> Date: Wed Mar 6 10:13:11 2024 +0100 s3:libads: add ads_set_reconnect_fn() and only reconnect if we can get creds This reconnect is only useful for long running connections (e.g. in winbindd) and there we'll make use of it... Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 31e4614ee3636eb5d835435dfe68379b0bee382e Author: Stefan Metzmacher <me...@samba.org> Date: Wed Apr 27 13:11:26 2022 +0200 s3:libads: add ads_connect_creds() helper In future ads_connect_creds() will be used by callers directly instead of using ads_connect(). Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 76e0d348dddd08d05a53911601c2aa499056cf34 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Feb 26 21:02:08 2024 +0100 s3:libads: fix compiler warning in ads_mod_ber() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit bac243442a6ce812a4dcce0168b7d6d9ba0a17fc Author: Stefan Metzmacher <me...@samba.org> Date: Tue Feb 27 13:49:08 2024 +0100 s3:libads: move ads->auth.time_offset to ads->config.time_offset There's no reason to pass the LDAP servers time to the kerberos libraries, as we may talk to a KDC different than the LDAP server! Also Heimdal handles AS-REQ with KRB5KRB_AP_ERR_SKEW fine and retries with the time from the krb-error. MIT records the time from the KDC_ERR_PREAUTH_REQUIRED response in order to use the KDCs time. 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit ea97abd545ec13a161b7082cae10f0012f11e8e6 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Feb 27 13:03:46 2024 +0100 s3:libads: we only need to gensec_expire_time()... The lifetime of a service ticket is never longer than the lifetime of the TGT... Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit ce1ad21ce638792d815c04819e9b479273cdb729 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Feb 27 12:52:14 2024 +0100 s3:libads: remove unused ads->auth.renewable Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit fcd47a49660de8dcfca5516c9457fdd851c85c56 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Mar 5 13:22:37 2024 +0100 s3:winbindd: remove useless 'renewable' argument to ads_cached_connection_connect() There's really no need to get a renewable ticket for an ldap connection, we currently always do a kinit for each connection anyway. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit bb8b7be74a79defbd0955ac6d73dd1e65a75389f Author: Stefan Metzmacher <me...@samba.org> Date: Thu Feb 29 14:50:31 2024 +0100 s3:libads: let ads_sasl_spnego_bind() really use spnego to negotiate krb5/ntlmssp For now we still do the ads_kinit_password() in ads_legacy_creds() for callers that rely on the global krb5ccache to be filled. E.g. the dns update code and the kpasswd code. But at least ads_connect_internal() and ads_sasl_spnego_bind() will allow to do the kinit in the gensec layer only if needed... We'll remove ads_legacy_creds() during the following commits. 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 1474f9c5de3a0ca0a91596694b73aa19832ae3eb Author: Stefan Metzmacher <me...@samba.org> Date: Wed Mar 13 16:53:44 2024 +0100 testprogs/blackbox: add better testnames in test_weak_disable_ntlmssp_ldap.sh This makes it easier to adjust the expected output when it changes in the next commits. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit cff7656e665c3e581c3f316a904d4d5bf58bac66 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Feb 29 14:08:55 2024 +0100 s3:net_ads: make use of ads_connect_cldap_only() and ADS_AUTH_GENERATE_KRB5_CONFIG in net_ads_password() We don't need a real ldap connection here. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit f024063aec9be8362c2651108c5ce0d933994ecf Author: Stefan Metzmacher <me...@samba.org> Date: Tue Mar 5 17:48:34 2024 +0100 s3:winbindd: make use of ads_connect_cldap_only() in dcip_check_name_ads() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit e8250f16240451ed584b329a3887ec6e94deced5 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Mar 5 17:47:37 2024 +0100 s3:net_ads: make use of ads_connect_cldap_only() in net_ads_check_int() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit fdd34b57c41908b5727cdd916eb4ed4fbf34470a Author: Stefan Metzmacher <me...@samba.org> Date: Tue Mar 5 17:46:10 2024 +0100 s3:libsmb: make use of ads_connect_cldap_only() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit f34e64baf6c1a496643d788d1f25aabc7fd47074 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Mar 5 17:45:35 2024 +0100 s3:libads: add ads_connect_cldap_only() helper 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 36748002f011c418ab061fb77c945f17fbe6be47 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 7 09:56:00 2024 +0100 s3:libads: also avoid ADS_AUTH_GENERATE_KRB5_CONFIG for ADS_AUTH_ANON_BIND For anonymous binds we don't need a krb5.conf. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 9ea1ea16290016a1c390c7e30f6a3a1613dac735 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 7 09:56:00 2024 +0100 s3:libads: add ADS_AUTH_GENERATE_KRB5_CONFIG to generate a custom krb5.conf That's better than using !ADS_AUTH_NO_BIND. And it allows callers to be more flexible in future. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit b3110ec049bae7c97aa0f642773fe0deb56f8e14 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Apr 27 13:11:26 2022 +0200 s3:libads: split out ads_connect_internal() and call it with ads_legacy_creds() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit be771670eb331de55cab2e51d2de98d4edac9435 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Apr 27 12:45:04 2022 +0200 s3:libads: let ads_sasl_spnego_bind() use cli_credentials_get_unparsed_name() We should only operate on the creds structure and avoid using ads->auth.{user_name,realm}. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 4d42574c54210022bec7e765739f5495b285145a Author: Stefan Metzmacher <me...@samba.org> Date: Wed Apr 27 13:39:11 2022 +0200 s3:libads: let ads_sasl_spnego_bind() reset krb5_state at the end In future we'll pass in creds from the caller, so we better restore the original krb5_state at the end of ads_sasl_spnego_bind(). 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit f7ab92ea7e01a89d7d9ede115c576fb221374d6a Author: Stefan Metzmacher <me...@samba.org> Date: Wed Apr 27 12:32:30 2022 +0200 s3:libads: let ads_sasl_spnego_bind() use cli_credentials_get_kerberos_state() We should only operate on the creds structure and avoid ads->auth.flags Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit b98f9a341f41ccfaf47c3cb8578e71eed96bb2a2 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Apr 25 18:08:33 2022 +0200 s3:libads: split out ads_legacy_creds() This is just a temporary change until the highlevel caller will pass in a cli_credentials structure and we'll get rid of ads->auth.{user_name,realm,password}. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 6f33e46c19f5d0e9513d8f7aa1d170ab57418585 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Feb 28 17:31:23 2024 +0100 s3:libads: remove unused LIBADS_CCACHE_NAME define Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit a70c62a78e4eaab5e5a7558a15f0d1acc688f196 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Apr 24 09:59:53 2024 +0200 s3:libads: make use of talloc_stackframe() in ads_setup_tls_wrapping() Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit d26e4c6e2728bd786cb4091242c8c8ebc1556f75 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Feb 29 14:27:36 2024 +0100 s3:libsmb: remove unused cli_session_creds_prepare_krb5() Kinit will be done within gensec if required. 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit ef205f6b52ea1fec13e647e15e4f3edf536fd93e Author: Stefan Metzmacher <me...@samba.org> Date: Thu Apr 14 15:23:13 2022 +0200 s3:gse: get an explicit ccache_name from creds and kinit if required This means we may call kinit multiple times for now, but we'll remove the kinit from the callers soon. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 98ee5ca7e8399b865b8e94feceaed61be703061f Author: Andreas Schneider <a...@samba.org> Date: Fri Apr 26 10:49:33 2024 +0200 s3:gse: Pass down the mech to gse_context_init() Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit bc2a2399e5202a03087500056db3c575eda69a27 Author: Andreas Schneider <a...@samba.org> Date: Thu Apr 25 15:51:40 2024 +0200 s3:gse: Implement gensec_gse_security_by_oid() Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 2ec3e59f58b768f7c0c462a0d0e51a0f8fed1962 Author: Andreas Schneider <a...@samba.org> Date: Fri Apr 26 10:54:47 2024 +0200 s3:gse: Use smb_gss_mech_import_cred() in gse_init_server() Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit ca90f213a27743b7b715146c59f9287506e2da70 Author: Andreas Schneider <a...@samba.org> Date: Fri Apr 26 10:40:13 2024 +0200 lib:krb5_wrap: Implement smb_gss_mech_import_cred() Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 2fd2d28b8fea0611bd21862a3eff29633b0c781d Author: Stefan Metzmacher <me...@samba.org> Date: Tue Mar 12 11:51:25 2024 +0100 s3:libsmb: fix lpcfg_gensec_settings() no memory check in auth_generic_client_prepare() 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit fb7e19826afab4fce33769eb7aef16a1c650b23a Author: Stefan Metzmacher <me...@samba.org> Date: Wed Mar 6 23:05:00 2024 +0100 s3:libsmb: explicitly use the default krb5 ccache in cli_session_creds_init() without a password This happened implicitly as the gse_krb5 module always used the default krb5 ccache, but that will change soon. If kerberos is requested without a fallback to ntlm AND the caller doesn't provide a password we'll use the default ccache. This will keep the following tests happy once the gse_krb5 module changes the behavior: samba3.blackbox.krbsmbspool samba3.blackbox.smbget Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 2dc76cc84c1d2edde7eea3d39412e3b41b631137 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Mar 6 21:55:24 2024 +0100 s3:ntlm_auth: explicitly include default krb5 ccache if no explicit username/password are given Before this silently happened because the gse_krb5 module just used the default ccache, but that will change soon. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 52715b461a8be25af7d24f87f9a3b78421ff1424 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Mar 13 10:49:55 2024 +0100 tests/ntlm_auth: Do not set a client_password This fixes test_ntlmssp_gss_spnego_cached_creds Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit a6b94a690b59fa7a3106f19d76eb37b8f0bab9f0 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 7 17:59:02 2024 +0100 tests/ntlm_auth_krb5: don't test that a krb5ccache work with an explicit username This test is useless and won't work anymore in the future.
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 3ea605d8af2a06b719f8d59cc73f3fb612284219 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Mar 8 12:57:06 2024 +0100 blackbox/test_kinit.sh: verify that --use-krb5-ccache= works without KRB5CCNAME Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit e47f9415b77cf9f7290379a531a4d371b6f3aeda Author: Stefan Metzmacher <me...@samba.org> Date: Sat May 11 02:38:21 2024 +0200 s3:libads: don't allow ads_kdestroy(NULL) anymore This should not happen, if we ever need that behaviour we should add an ads_kdestroy_default() helper. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 4959f932279105e1de7c0bdf11ea503e1967a341 Author: Stefan Metzmacher <me...@samba.org> Date: Tue May 14 09:02:07 2024 +0200 s3:winbindd: don't use ads_kdestroy(NULL) in winbindd_raw_kerberos_login() This fixes a problem introduced in the commit: commit e6c693b705686a590d2fa8f434ff015d8926a349 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Feb 28 17:28:43 2024 +0100 s3:winbindd: pass a NULL ccache to kerberos_return_pac() for a MEMORY ccache It means kerberos_return_pac() will use smb_krb5_cc_new_unique_memory(). ... Before that commit cc was never NULL as generate_krb5_ccache() returned "MEMORY:winbindd_pam_ccache" as fallback. So we called ads_kdestroy("MEMORY:winbindd_pam_ccache"). Now we have cc == NULL if user_ccache_file == NULL. and kerberos_return_pac() uses smb_krb5_cc_new_unique_memory() and krb5_cc_destroy() internally. It means unless user_ccache_file != NULL we should not call ads_kdestroy(cc) as cc is NULL and means we would destroy any global default krb5 ccache. Review with: git show -U25 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> ----------------------------------------------------------------------- Summary of changes: auth/credentials/credentials_krb5.c | 6 +- auth/credentials/credentials_krb5.h | 5 +- lib/addns/dns.h | 18 +- lib/addns/dnsgss.c | 240 +++++------------ lib/addns/wscript_build | 2 +- lib/krb5_wrap/gss_samba.c | 29 +- lib/krb5_wrap/gss_samba.h | 8 + lib/krb5_wrap/krb5_samba.c | 45 +++- lib/krb5_wrap/krb5_samba.h | 11 + lib/replace/system/kerberos.h | 3 + libgpo/pygpo.c | 75 +----- python/samba/tests/ntlm_auth.py | 2 +- python/samba/tests/ntlm_auth_base.py | 18 +- python/samba/tests/ntlm_auth_krb5.py | 8 +- source3/auth/auth_generic.c | 3 +- source3/client/smbspool.c | 2 +- source3/client/smbspool_krb5_wrapper.c | 7 +- source3/include/ads.h | 11 + source3/include/krb5_env.h | 26 -- source3/lib/netapi/joindomain.c | 124 ++++----- source3/lib/netapi/netapi.c | 24 +- source3/lib/netapi/netapi.h | 2 + source3/libads/ads_ldap_protos.h | 6 + source3/libads/ads_proto.h | 17 +- source3/libads/ads_struct.c | 7 + source3/libads/authdata.c | 2 +- source3/libads/kerberos.c | 46 ++-- source3/libads/kerberos_proto.h | 13 +- source3/libads/kerberos_util.c | 80 ------ source3/libads/krb5_setpw.c | 103 ++++++-- source3/libads/ldap.c | 153 ++++++++--- source3/libads/ldap_utils.c | 52 +++- source3/libads/sasl.c | 185 ++++++------- source3/libads/tls_wrapping.c | 9 +- source3/libads/util.c | 5 +- source3/libnet/libnet_join.c | 261 ++++-------------- source3/libnet/libnet_join.h | 2 +- source3/librpc/crypto/gse.c | 294 ++++++++++++++++++++- source3/librpc/crypto/gse.h | 3 +- source3/librpc/idl/ads.idl | 17 +- source3/librpc/idl/libnet_join.idl | 16 +- source3/libsmb/auth_generic.c | 4 +- source3/libsmb/cliconnect.c | 177 ++----------- source3/libsmb/namequery_dc.c | 3 +- source3/printing/nt_printing_ads.c | 80 +----- source3/rpc_server/wkssvc/srv_wkssvc_nt.c | 28 +- source3/utils/net.c | 38 +-- 
source3/utils/net.h | 8 +- source3/utils/net_ads.c | 220 ++++++--------- source3/utils/net_ads_join_dns.c | 96 +++---- source3/utils/net_dns.c | 94 ++++++- source3/utils/net_dns.h | 3 + source3/utils/net_offlinejoin.c | 4 - source3/utils/net_proto.h | 6 +- source3/utils/net_rpc.c | 17 +- source3/utils/net_util.c | 23 +- source3/utils/ntlm_auth.c | 24 +- source3/utils/py_net.c | 14 +- source3/winbindd/idmap_ad.c | 20 +- source3/winbindd/winbindd.c | 9 +- source3/winbindd/winbindd_ads.c | 194 ++++---------- source3/winbindd/winbindd_cm.c | 46 +++- source3/winbindd/winbindd_dual_srv.c | 18 +- source3/winbindd/winbindd_pam.c | 32 +-- source3/winbindd/winbindd_proto.h | 7 + source3/wscript_build | 1 - testprogs/blackbox/test_kinit.sh | 101 ++++--- .../blackbox/test_weak_disable_ntlmssp_ldap.sh | 11 +- 68 files changed, 1547 insertions(+), 1671 deletions(-) delete mode 100644 source3/include/krb5_env.h delete mode 100644 source3/libads/kerberos_util.c Changeset truncated at 500 lines:
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 49077db23b3..ce76b10361d 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -323,7 +323,11 @@ _PUBLIC_ int cli_credentials_set_ccache(struct cli_credentials *cred,
 return ret;
 }
 } else {
- ret = krb5_cc_default(ccc->smb_krb5_context->krb5_context, &ccc->ccache);
+ /*
+ * This is where the caller really wants to use
+ * the default krb5 ccache.
+ */
+ ret = smb_force_krb5_cc_default(ccc->smb_krb5_context->krb5_context, &ccc->ccache);
 if (ret) {
 (*error_string) = talloc_asprintf(cred, "failed to read default krb5 ccache: %s\n",
 smb_get_krb5_error_message(ccc->smb_krb5_context->krb5_context,
diff --git a/auth/credentials/credentials_krb5.h b/auth/credentials/credentials_krb5.h
index e454de36240..a9c049c58da 100644
--- a/auth/credentials/credentials_krb5.h
+++ b/auth/credentials/credentials_krb5.h
@@ -23,9 +23,8 @@ #ifndef __CREDENTIALS_KRB5_H__ #define __CREDENTIALS_KRB5_H__ -#include <gssapi/gssapi.h> -#include <gssapi/gssapi_krb5.h> -#include <krb5.h> +#include "system/gssapi.h" +#include "system/kerberos.h" struct gssapi_creds_container { gss_cred_id_t creds; diff --git a/lib/addns/dns.h b/lib/addns/dns.h index 2c311e72a00..abf0906fdab 100644 --- a/lib/addns/dns.h +++ b/lib/addns/dns.h @@ -347,20 +347,16 @@ const char *dns_errstr(DNS_ERROR err); /* from dnsgss.c */ -#ifdef HAVE_GSSAPI - -void display_status( const char *msg, OM_uint32 maj_stat, OM_uint32 min_stat ); -DNS_ERROR dns_negotiate_sec_ctx( const char *target_realm, - const char *servername, - const char *keyname, - gss_ctx_id_t *gss_ctx, - enum dns_ServerType srv_type ); +struct gensec_security; + +DNS_ERROR dns_negotiate_sec_ctx(const char *servername, + const char *keyname, + struct gensec_security *gensec, + enum dns_ServerType srv_type); DNS_ERROR dns_sign_update(struct dns_update_request *req, - gss_ctx_id_t gss_ctx, + struct gensec_security *gensec, const char *keyname, const char *algorithmname, time_t time_signed, uint16_t fudge); -#endif /* HAVE_GSSAPI */ - #endif /* _DNS_H */ diff --git a/lib/addns/dnsgss.c b/lib/addns/dnsgss.c index a315b804df4..8800ac24c8a 100644 --- a/lib/addns/dnsgss.c +++ b/lib/addns/dnsgss.c 
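Review bot: The new prototypes of dns_negotiate_sec_ctx() and dns_sign_update() in dns.h take a `struct gensec_security *` but say nothing about the state that context must be in, while the old code's target-name construction (`dns/<server>@<REALM>`) and the GSS flags it requested have moved out of this library entirely. A comment above dns_negotiate_sec_ctx() should spell out the precondition — presumably that the caller has already started a client gensec context targeting the DNS server with signing requested, since dns_sign_update() ends up calling gensec_sign_packet() — and that the function drives gensec_update() to completion over the TKEY exchange; for example `/* gensec: a started client context for the target DNS server with GENSEC_FEATURE_SIGN requested; on success it is ready for dns_sign_update() */`. Dropping the display_status() prototype is consistent with dnsgss.c, where its definition was already under `#if 0`.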
@@ -22,110 +22,51 @@ License along with this library; if not, see <http://www.gnu.org/licenses/>. */ -#include "dns.h" -#include <ctype.h> - - -#ifdef HAVE_GSSAPI - -/********************************************************************* -*********************************************************************/ - -#ifndef HAVE_STRUPR -static int strupr( char *szDomainName ) -{ - if ( !szDomainName ) { - return ( 0 ); - } - while ( *szDomainName != '\0' ) { - *szDomainName = toupper( *szDomainName ); - szDomainName++; - } - return ( 0 ); -} -#endif - -#if 0 -/********************************************************************* -*********************************************************************/ - -static void display_status_1( const char *m, OM_uint32 code, int type ) -{ - OM_uint32 maj_stat, min_stat; - gss_buffer_desc msg; - OM_uint32 msg_ctx; - - msg_ctx = 0; - while ( 1 ) { - maj_stat = gss_display_status( &min_stat, code, - type, GSS_C_NULL_OID, - &msg_ctx, &msg ); - fprintf( stdout, "GSS-API error %s: %s\n", m, - ( char * ) msg.value ); - ( void ) gss_release_buffer( &min_stat, &msg ); - - if ( !msg_ctx ) - break; - } -} +#include "replace.h" +#include <talloc.h> +#include "lib/util/talloc_stack.h" +#include "lib/util/data_blob.h" +#include "lib/util/time.h" +#include "lib/util/charset/charset.h" +#include "libcli/util/ntstatus.h" +#include "auth/gensec/gensec.h" -/********************************************************************* -*********************************************************************/ +#include "dns.h" -void display_status( const char *msg, OM_uint32 maj_stat, OM_uint32 min_stat ) -{ - display_status_1( msg, maj_stat, GSS_C_GSS_CODE ); - display_status_1( msg, min_stat, GSS_C_MECH_CODE ); -} -#endif - -static DNS_ERROR dns_negotiate_gss_ctx_int( TALLOC_CTX *mem_ctx, - struct dns_connection *conn, - const char *keyname, - const gss_name_t target_name, - gss_ctx_id_t *ctx, - enum dns_ServerType srv_type ) +static DNS_ERROR 
dns_negotiate_gss_ctx_int(struct dns_connection *conn, + const char *keyname, + struct gensec_security *gensec, + enum dns_ServerType srv_type) { - struct gss_buffer_desc_struct input_desc, *input_ptr, output_desc; - OM_uint32 major, minor; - OM_uint32 ret_flags; + TALLOC_CTX *frame = talloc_stackframe(); struct dns_request *req = NULL; struct dns_buffer *buf = NULL; + DATA_BLOB in = { .length = 0, }; + DATA_BLOB out = { .length = 0, }; + NTSTATUS status; DNS_ERROR err; - gss_OID_desc krb5_oid_desc = - { 9, discard_const("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") }; - - *ctx = GSS_C_NO_CONTEXT; - input_ptr = NULL; - do { - major = gss_init_sec_context( - &minor, NULL, ctx, target_name, &krb5_oid_desc, - GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | - GSS_C_CONF_FLAG | - GSS_C_INTEG_FLAG, - 0, NULL, input_ptr, NULL, &output_desc, - &ret_flags, NULL ); - - if (input_ptr != NULL) { - TALLOC_FREE(input_desc.value); + status = gensec_update(gensec, frame, in, &out); + data_blob_free(&in); + if (GENSEC_UPDATE_IS_NTERROR(status)) { + err = ERROR_DNS_GSS_ERROR; + goto error; } - if (output_desc.length != 0) { - + if (out.length != 0) { struct dns_rrec *rec; time_t t = time(NULL); - err = dns_create_query(mem_ctx, keyname, QTYPE_TKEY, + err = dns_create_query(frame, keyname, QTYPE_TKEY, DNS_CLASS_IN, &req); if (!ERR_DNS_IS_OK(err)) goto error; err = dns_create_tkey_record( req, keyname, "gss.microsoft.com", t, t + 86400, DNS_TKEY_MODE_GSSAPI, 0, - output_desc.length, (uint8_t *)output_desc.value, + out.length, out.data, &rec ); if (!ERR_DNS_IS_OK(err)) goto error; @@ -143,7 +84,7 @@ static DNS_ERROR dns_negotiate_gss_ctx_int( TALLOC_CTX *mem_ctx, if (!ERR_DNS_IS_OK(err)) goto error; - err = dns_marshall_request(mem_ctx, req, &buf); + err = dns_marshall_request(frame, req, &buf); if (!ERR_DNS_IS_OK(err)) goto error; err = dns_send(conn, buf); 
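Review bot: `data_blob_free(&in)` right after gensec_update() talloc-frees `in.data`, but the loop later builds `in` with `data_blob_const(tkey->key, tkey->key_length)`, which takes no ownership; this only works if tkey->key is itself a talloc allocation (the removed talloc_move() suggests it is), and pairing a const constructor with a freeing destructor hides that dependency. Making the ownership explicit avoids the surprise, `in = (DATA_BLOB){ .data = talloc_move(frame, &tkey->key), .length = tkey->key_length };`, or drop the data_blob_free() call altogether since every allocation now hangs off `frame` and is released at `error:`. The body of dns_negotiate_gss_ctx_int() continues past this hunk.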
@@ -151,24 +92,21 @@ static DNS_ERROR dns_negotiate_gss_ctx_int( TALLOC_CTX *mem_ctx, TALLOC_FREE(buf); TALLOC_FREE(req); - } - - gss_release_buffer(&minor, &output_desc); - if ((major != GSS_S_COMPLETE) && - (major != GSS_S_CONTINUE_NEEDED)) { - return ERROR_DNS_GSS_ERROR; + err = dns_receive(frame, conn, &buf); + if (!ERR_DNS_IS_OK(err)) goto error; } - if (major == GSS_S_CONTINUE_NEEDED) { - + if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { struct dns_request *resp; struct dns_tkey_record *tkey; struct dns_rrec *tkey_answer = NULL; uint16_t i; - err = dns_receive(mem_ctx, conn, &buf); - if (!ERR_DNS_IS_OK(err)) goto error; + if (buf == NULL) { + err = ERROR_DNS_BAD_RESPONSE; + goto error; + } err = dns_unmarshall_request(buf, buf, &resp); if (!ERR_DNS_IS_OK(err)) goto error; @@ -191,18 +129,15 @@ static DNS_ERROR dns_negotiate_gss_ctx_int( TALLOC_CTX *mem_ctx, } err = dns_unmarshall_tkey_record( - mem_ctx, resp->answers[0], &tkey); + frame, resp->answers[0], &tkey); if (!ERR_DNS_IS_OK(err)) goto error; - input_desc.length = tkey->key_length; - input_desc.value = talloc_move(mem_ctx, &tkey->key); - - input_ptr = &input_desc; + in = data_blob_const(tkey->key, tkey->key_length); TALLOC_FREE(buf); } - } while ( major == GSS_S_CONTINUE_NEEDED ); + } while (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)); /* If we arrive here, we have a valid security context */ 
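Review bot: dns_receive() now runs whenever a token was sent, so on the final round (gensec_update() returning NT_STATUS_OK together with a non-empty token) the server's TKEY reply is read into `buf` but never inspected; a server that rejects that last token would go unnoticed here and the failure would only surface when the signed update is refused. The removed code did not read that reply at all, so this is not a regression, but once the reply is consumed it should be validated — after the loop, when `buf != NULL`, unmarshall it and apply the same response checks the MORE_PROCESSING_REQUIRED branch does (those checks fall between this hunk and the next). The added `buf == NULL` guard is the right safety net for a round in which gensec produced no token to send.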
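Review bot: The comment `/* If we arrive here, we have a valid security context */` is only half the story: nothing verifies that integrity protection was actually negotiated, yet dns_sign_update() relies on gensec_sign_packet() for the TSIG MIC. The removed gss_init_sec_context() call at least requested GSS_C_INTEG_FLAG (though it never checked `ret_flags` either); with gensec the equivalent is to assert the feature right here so a context without signing is rejected before any update is sent: `if (!gensec_have_feature(gensec, GENSEC_FEATURE_SIGN)) {` / `err = ERROR_DNS_GSS_ERROR; goto error;` / `}`. The success-path assignment of `err` lies outside this hunk.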
@@ -210,94 +145,54 @@ static DNS_ERROR dns_negotiate_gss_ctx_int( TALLOC_CTX *mem_ctx, error: - TALLOC_FREE(buf); - TALLOC_FREE(req); + TALLOC_FREE(frame); return err; } -DNS_ERROR dns_negotiate_sec_ctx( const char *target_realm, - const char *servername, - const char *keyname, - gss_ctx_id_t *gss_ctx, - enum dns_ServerType srv_type ) +DNS_ERROR dns_negotiate_sec_ctx(const char *servername, + const char *keyname, + struct gensec_security *gensec, + enum dns_ServerType srv_type) { - OM_uint32 major, minor; - - char *upcaserealm, *targetname; + TALLOC_CTX *frame = talloc_stackframe(); DNS_ERROR err; + struct dns_connection *conn = NULL; - gss_buffer_desc input_name; - struct dns_connection *conn; - - gss_name_t targ_name; - - gss_OID_desc nt_host_oid_desc = - {10, discard_const("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01")}; - - TALLOC_CTX *mem_ctx; - - if (!(mem_ctx = talloc_init("dns_negotiate_sec_ctx"))) { - return ERROR_DNS_NO_MEMORY; - } - - err = dns_open_connection( servername, DNS_TCP, mem_ctx, &conn ); + err = dns_open_connection( servername, DNS_TCP, frame, &conn ); if (!ERR_DNS_IS_OK(err)) goto error; - if (!(upcaserealm = talloc_strdup(mem_ctx, target_realm))) { - err = ERROR_DNS_NO_MEMORY; - goto error; - } - - strupr(upcaserealm); - - if (!(targetname = talloc_asprintf(mem_ctx, "dns/%s@%s", - servername, upcaserealm))) { - err = ERROR_DNS_NO_MEMORY; - goto error; - } - - input_name.value = targetname; - input_name.length = strlen(targetname); - - major = gss_import_name( &minor, &input_name, - &nt_host_oid_desc, &targ_name ); - - if (major) { - err = ERROR_DNS_GSS_ERROR; - goto error; - } - - err = dns_negotiate_gss_ctx_int(mem_ctx, conn, keyname, - targ_name, gss_ctx, srv_type ); - - gss_release_name( &minor, &targ_name ); + err = dns_negotiate_gss_ctx_int(conn, keyname, + gensec, + srv_type); + if (!ERR_DNS_IS_OK(err)) goto error; error: - TALLOC_FREE(mem_ctx); + TALLOC_FREE(frame); return err; } DNS_ERROR dns_sign_update(struct dns_update_request *req, 
- gss_ctx_id_t gss_ctx, + struct gensec_security *gensec, const char *keyname, const char *algorithmname, time_t time_signed, uint16_t fudge) { + TALLOC_CTX *frame = talloc_stackframe(); struct dns_buffer *buf; DNS_ERROR err; struct dns_domain_name *key, *algorithm; - struct gss_buffer_desc_struct msg, mic; - OM_uint32 major, minor; struct dns_rrec *rec; + DATA_BLOB mic = { .length = 0, }; + NTSTATUS status; - err = dns_marshall_update_request(req, req, &buf); + err = dns_marshall_update_request(frame, req, &buf); if (!ERR_DNS_IS_OK(err)) return err; - err = dns_domain_name_from_string(buf, keyname, &key); + err = dns_domain_name_from_string(frame, keyname, &key); if (!ERR_DNS_IS_OK(err)) goto error; - err = dns_domain_name_from_string(buf, algorithmname, &algorithm); + err = dns_domain_name_from_string(frame, algorithmname, &algorithm); if (!ERR_DNS_IS_OK(err)) goto error; dns_marshall_domain_name(buf, key); @@ -313,32 +208,31 @@ DNS_ERROR dns_sign_update(struct dns_update_request *req, err = buf->error; if (!ERR_DNS_IS_OK(buf->error)) goto error; - msg.value = (void *)buf->data; - msg.length = buf->offset; - - major = gss_get_mic(&minor, gss_ctx, 0, &msg, &mic); - if (major != 0) { + status = gensec_sign_packet(gensec, + frame, + buf->data, + buf->offset, + buf->data, + buf->offset, + &mic); + if (!NT_STATUS_IS_OK(status)) { err = ERROR_DNS_GSS_ERROR; goto error; } if (mic.length > 0xffff) { - gss_release_buffer(&minor, &mic); err = ERROR_DNS_GSS_ERROR; goto error; } - err = dns_create_tsig_record(buf, keyname, algorithmname, time_signed, - fudge, mic.length, (uint8_t *)mic.value, + err = dns_create_tsig_record(frame, keyname, algorithmname, time_signed, + fudge, mic.length, mic.data, req->id, 0, &rec); - gss_release_buffer(&minor, &mic); if (!ERR_DNS_IS_OK(err)) goto error; err = dns_add_rrec(req, rec, &req->num_additionals, &req->additional); error: - TALLOC_FREE(buf); + TALLOC_FREE(frame); return err; } - -#endif /* HAVE_GSSAPI */ 
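Review bot: dns_sign_update() leaks its stackframe on the first failure path: `frame = talloc_stackframe()` is taken at the top, but `if (!ERR_DNS_IS_OK(err)) return err;` after dns_marshall_update_request() returns without TALLOC_FREE(frame), unlike every other failure in the function, which jumps to `error:`. Since the buffer now lives on `frame` as well, the fix is simply `if (!ERR_DNS_IS_OK(err)) goto error;`. Stackframes are expected to be released in LIFO order, so besides the lost memory the early return leaves a frame dangling on the talloc stack for whoever pushes next. dns_negotiate_sec_ctx() above gets this right with its goto-based cleanup.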
diff --git a/lib/addns/wscript_build b/lib/addns/wscript_build index cc72b35b437..694d71b732e 100644 --- a/lib/addns/wscript_build +++ b/lib/addns/wscript_build @@ -11,6 +11,6 @@ bld.SAMBA_LIBRARY('addns', error.c dnsquery_srv.c ''', - public_deps='samba-util gssapi ndr resolv dns_lookup', + public_deps='samba-util gensec ndr resolv dns_lookup', private_library=True, vars=locals()) diff --git a/lib/krb5_wrap/gss_samba.c b/lib/krb5_wrap/gss_samba.c index a5940561cda..608cb60f155 100644 --- a/lib/krb5_wrap/gss_samba.c +++ b/lib/krb5_wrap/gss_samba.c @@ -48,16 +48,35 @@ int smb_gss_oid_equal(const gss_OID first_oid, const gss_OID second_oid) } #endif /* !HAVE_GSS_OID_EQUAL */ - /* wrapper around gss_krb5_import_cred() that prefers to use gss_acquire_cred_from() * if this GSSAPI extension is available. gss_acquire_cred_from() is properly * interposed by GSSPROXY while gss_krb5_import_cred() is not. * * This wrapper requires a proper krb5_context to resolve ccache name. * All gss_krb5_import_cred() callers in Samba already have krb5_context available. */ -uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx, - krb5_ccache id, krb5_principal keytab_principal, - krb5_keytab keytab, gss_cred_id_t *cred) +uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, + krb5_context ctx, + krb5_ccache id, + krb5_principal keytab_principal, + krb5_keytab keytab, + gss_cred_id_t *cred) +{ + return smb_gss_mech_import_cred(minor_status, + ctx, + id, + keytab_principal, + keytab, + gss_mech_krb5, + cred); +} + +uint32_t smb_gss_mech_import_cred(OM_uint32 *minor_status, + krb5_context ctx, + krb5_ccache id, + krb5_principal keytab_principal, + krb5_keytab keytab, + const struct gss_OID_desc_struct *mech, + gss_cred_id_t *cred) { uint32_t major_status = 0; 
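Review bot: smb_gss_mech_import_cred() becomes the real entry point but inherits no documentation: the comment block above still describes only the krb5 wrapper and says nothing about `mech`, which the following hunk stores straight into `mech_set.elements` via discard_const_p() with no NULL check. Suggest a comment on the new function such as `/* Like smb_gss_krb5_import_cred(), but acquires the credential for the single mechanism 'mech' (placed into a one-element desired-mechs set); mech must not be NULL */`. The two signatures also disagree on the first parameter's type (`uint32_t *minor_status` here versus `OM_uint32 *minor_status` in the new function and in the gss_samba.h declaration); settling on one keeps the API consistent. Both function bodies continue past this hunk.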
@@ -86,7 +105,7 @@ uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx, gss_OID_set_desc mech_set = { .count = 1, .elements = discard_const_p(struct gss_OID_desc_struct, - gss_mech_krb5), + mech), }; gss_cred_usage_t cred_usage = GSS_C_INITIATE; diff --git a/lib/krb5_wrap/gss_samba.h b/lib/krb5_wrap/gss_samba.h index 89aee3479c5..9e91f21e406 100644 --- a/lib/krb5_wrap/gss_samba.h +++ b/lib/krb5_wrap/gss_samba.h @@ -45,5 +45,13 @@ uint32_t smb_gss_krb5_import_cred(OM_uint32 *minor_status, krb5_context ctx, krb5_ccache id, krb5_principal keytab_principal, krb5_keytab keytab, gss_cred_id_t *cred); -- Samba Shared Repository