The branch, v4-23-stable has been updated
       via  cd1acdf3240 VERSION: Disable GIT_SNAPSHOT for the 4.23.0rc4 release.
       via  53f7e31eade WHATSNEW: Add release notes for Samba 4.23.0rc4.
       via  968b453b8d5 s3:net: fix "net ads group"
       via  e4581ccfe7b krb5: handle GSS-Proxy credentials lifetime
       via  48ea6b39878 VERSION: Bump version up to Samba 4.23.0rc4...
      from  7a8bcd84200 VERSION: Disable GIT_SNAPSHOT for the 4.23.0rc3 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-23-stable


- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 VERSION                             |  2 +-
 WHATSNEW.txt                        | 12 +++++++++++-
 auth/credentials/credentials_krb5.c | 36 ++++++++++++++++++++++++++----------
 lib/krb5_wrap/krb5_samba.c          | 35 +++++++++++++++++++++++++++++++++--
 source3/utils/net_ads.c             |  2 +-
 5 files changed, 72 insertions(+), 15 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 35ac38d9d15..a037177e3f0 100644
--- a/VERSION
+++ b/VERSION
@@ -89,7 +89,7 @@ SAMBA_VERSION_PRE_RELEASE=
 # e.g. SAMBA_VERSION_RC_RELEASE=1                      #
 #  ->  "3.0.0rc1"                                      #
 ########################################################
-SAMBA_VERSION_RC_RELEASE=3
+SAMBA_VERSION_RC_RELEASE=4
 
 ########################################################
 # To mark SVN snapshots this should be set to 'yes'    #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 7367f771995..73af675c1ab 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,7 +1,7 @@
 Release Announcements
 =====================
 
-This is the third release candidate release of Samba 4.23.  This is *not*
+This is the fourth release candidate release of Samba 4.23.  This is *not*
 intended for production environments and is designed for testing
 purposes only.  Please report any defects via the Samba bug reporting
 system at https://bugzilla.samba.org/.
@@ -126,6 +126,16 @@ smb.conf changes
   winbind varlink service                 New             no
 
 
+CHANGES SINCE 4.23.0rc3
+=======================
+
+o  Alexander Bokovoy <[email protected]>
+   * BUG 15902: Regression in gssproxy support in 4.23.rc1+.
+
+o  MikeLiu <[email protected]>
+   * BUG 15900: 'net ads group' failed to list domain groups.
+
+
 CHANGES SINCE 4.23.0rc2
 =======================
 
diff --git a/auth/credentials/credentials_krb5.c 
b/auth/credentials/credentials_krb5.c
index 4dc7e7be67e..8d289e26781 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -687,7 +687,14 @@ _PUBLIC_ int cli_credentials_get_named_ccache(struct 
cli_credentials *cred,
                bool kinit_required = false;
                ret = 
smb_krb5_cc_get_lifetime(cred->ccache->smb_krb5_context->krb5_context,
                                               cred->ccache->ccache, &lifetime);
-               if (ret == KRB5_CC_END || ret == ENOENT) {
+               if (ret == KRB5_PLUGIN_NO_HANDLE) {
+                       /*
+                        * KRB5_PLUGIN_NO_HANDLE is a special case of the 
encrypted
+                        * GSSProxy credential. We don't know its lifetime but 
assume it
+                        * is a valid one. Acquiring it will show the lifetime.
+                        */
+                       kinit_required = false;
+               } else if (ret == KRB5_CC_END || ret == ENOENT) {
                        kinit_required = true;
                } else if (ret == 0) {
                        if (lifetime == 0) {
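Review bot: The new `ret == KRB5_PLUGIN_NO_HANDLE` arm treats that code as the private "encrypted GSS-Proxy credential" signal from smb_krb5_cc_get_lifetime(), but that helper also forwards whatever krb5_cc_start_seq_get() returns, so a ccache backend that genuinely fails with KRB5_PLUGIN_NO_HANDLE would be mistaken for a usable credential and the kinit path skipped; I cannot tell from here whether any shipped ccache type returns that code, so the assumption should at least be written down. I would extend the comment with `/* NOTE: relies on smb_krb5_cc_get_lifetime() only returning KRB5_PLUGIN_NO_HANDLE for the X-GSSPROXY: sentinel, never as a genuine backend error */`. The `kinit_required = false;` assignment repeats the initializer a few lines above; the branch is still needed so the error code does not fall into the later arms, so keeping the explicit assignment as documentation is fine. cli_credentials_get_named_ccache() starts and ends outside this hunk.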
@@ -800,18 +807,27 @@ _PUBLIC_ bool cli_credentials_get_ccache_name_obtained(
                if (ret == KRB5_CC_END || ret == ENOENT) {
                        return false;
                }
-               if (ret != 0) {
+
+               /*
+                * KRB5_PLUGIN_NO_HANDLE is a special case of the encrypted
+                * GSSProxy credential. We don't know its lifetime but assume it
+                * is a valid one. Acquiring it will show the lifetime.
+                * */
+               if (ret != 0 && ret != KRB5_PLUGIN_NO_HANDLE) {
                        return false;
                }
-               if (lifetime == 0) {
-                       return false;
-               } else if (lifetime < 300) {
-                       if (cred->password_obtained >= cred->ccache_obtained) {
-                               /*
-                                * we have a password to re-kinit
-                                * so let the caller try that.
-                                */
+
+               if (ret == 0) {
+                       if (lifetime == 0) {
                                return false;
+                       } else if (lifetime < 300) {
+                               if (cred->password_obtained >= 
cred->ccache_obtained) {
+                                       /*
+                                       * we have a password to re-kinit
+                                       * so let the caller try that.
+                                       */
+                                       return false;
+                               }
                        }
                }
 
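Review bot: The new comment block closes with `* */`, a stray asterisk before the terminator; it should end with `*/` like the otherwise identical comment in the previous hunk and every other comment in this file. With ret == KRB5_PLUGIN_NO_HANDLE the code now skips the `ret == 0` lifetime checks and continues into the rest of the function with `lifetime` still at its initial value, which is the intended "treat as usable" outcome but is easy to misread as a missing return; a one-liner after the block, `/* KRB5_PLUGIN_NO_HANDLE: GSS-Proxy credential, fall through and report the ccache as obtained */`, would make that explicit. cli_credentials_get_ccache_name_obtained() continues past the end of this hunk.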
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index f9d91a4f0c1..dcf91348d1a 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -3025,6 +3025,8 @@ krb5_error_code smb_krb5_cc_get_lifetime(krb5_context 
context,
        krb5_creds cred;
        krb5_timestamp endtime = 0;
        krb5_timestamp now;
+       char *realm = NULL;
+       TALLOC_CTX *mem_ctx = NULL;
 
        *t = 0;
 
@@ -3038,12 +3040,37 @@ krb5_error_code smb_krb5_cc_get_lifetime(krb5_context 
context,
                return kerr;
        }
 
+       mem_ctx = talloc_stackframe();
+       if (mem_ctx == NULL) {
+               krb5_cc_end_seq_get(context, id, &cursor);
+               return ENOMEM;
+       }
+
        while ((kerr = krb5_cc_next_cred(context, id, &cursor, &cred)) == 0) {
                if (krb5_is_config_principal(context, cred.server)) {
                        krb5_free_cred_contents(context, &cred);
                        continue;
                }
 
+               realm = smb_krb5_principal_get_realm(mem_ctx, context, 
cred.server);
+               if (realm == NULL) {
+                       krb5_free_cred_contents(context, &cred);
+                       kerr = ENOMEM;
+                       break;
+               }
+
+               /*
+                * 'X-GSSPROXY:' is the realm for an encrypted credential stored
+                * by the GSSProxy. There are no other creds in such ccache and
+                * we cannot see the actual lifetime (it is set to 0),
+                * indicate to the caller they need to handle this themselves.
+                */
+               if (strcmp(realm, "X-GSSPROXY:") == 0) {
+                       krb5_free_cred_contents(context, &cred);
+                       kerr = KRB5_PLUGIN_NO_HANDLE;
+                       break;
+               }
+
 #ifndef HAVE_FLAGS_IN_KRB5_CREDS
                if (cred.ticket_flags & TKT_FLG_INITIAL) {
 #else
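Review bot: `realm` is talloc'd on `mem_ctx` on every loop iteration and is only released when the stackframe is freed after the loop, so scanning a ccache with many credentials keeps every realm string alive until the end of the function; add `TALLOC_FREE(realm);` directly after the strcmp() block so each iteration releases its own copy (the ENOMEM and KRB5_PLUGIN_NO_HANDLE breaks are unaffected, since the whole frame is freed afterwards). The exact, case-sensitive strcmp() against `"X-GSSPROXY:"` is the right comparison for a Kerberos realm, but the literal is now the only definition of the sentinel this module and the credentials code both depend on, so a `#define` next to the comment would be preferable to a bare string. The `while` loop and smb_krb5_cc_get_lifetime() itself continue outside this hunk.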
@@ -3073,13 +3100,17 @@ krb5_error_code smb_krb5_cc_get_lifetime(krb5_context 
context,
                krb5_free_cred_contents(context, &cred);
        }
 
+       krb5_cc_end_seq_get(context, id, &cursor);
+       talloc_free(mem_ctx);
+       if (kerr == ENOMEM || kerr == KRB5_PLUGIN_NO_HANDLE) {
+               return kerr;
+       }
+
        if (now < endtime) {
                *t = (time_t) (endtime - now);
                kerr = 0;
        }
 
-       krb5_cc_end_seq_get(context, id, &cursor);
-
        return kerr;
 }
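Review bot: The early return only handles ENOMEM and KRB5_PLUGIN_NO_HANDLE; any other error that krb5_cc_next_cred() may use to end the loop still falls through to `if (now < endtime)` and is overwritten with `kerr = 0` whenever an earlier credential had a future endtime, so the caller receives a lifetime computed from a partially read ccache. That masking predates this patch, but now that the function has an explicit hard-error path the cheaper form is `if (kerr != KRB5_CC_END) { return kerr; }`, which covers the two new codes as well — assuming the part of the loop body elided between the hunks does not break with some other code that is meant to be tolerated. The return value of krb5_cc_end_seq_get() is still discarded, as it was before the move. smb_krb5_cc_get_lifetime() starts outside this hunk.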
 #endif /* HAVE_KRB5_CC_GET_LIFETIME */
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index f77c2b8210a..6c11faeb091 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -1360,7 +1360,7 @@ int net_ads_group(struct net_context *c, int argc, const 
char **argv)
        char *disp_fields[2] = {NULL, NULL};
        int ret = -1;
 
-       if (argc >= 0) {
+       if (argc > 0) {
                TALLOC_FREE(tmp_ctx);
                return net_run_function(c, argc, argv, "net ads group", func);
        }
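Review bot: The corrected guard now relies on the reader knowing that `argc == 0` means "no sub-command, fall through and list the groups", and the original `>= 0` slipped in precisely because that is not obvious from the condition alone; a comment above it, `/* argc > 0: dispatch the sub-command named in argv[0]; argc == 0 lists the domain groups below */`, would keep the next edit from reintroducing the regression. net_ads_group() continues past the end of this hunk, so the listing path the comment refers to is not visible here.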


-- 
Samba Shared Repository
