summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2010-10-11 16:53:08 +1100
committerAndrew Bartlett <abartlet@samba.org>2010-10-11 13:02:16 +0000
commit42127cdbb040a260c2c745e9114b600f2186794a (patch)
tree348783a93d8fd3efe162470678ae1cc128edb6f6
parent5cd9495fb3f74d8e896c81e5c060a1643722870e (diff)
downloadsamba-42127cdbb040a260c2c745e9114b600f2186794a.tar.gz
samba-42127cdbb040a260c2c745e9114b600f2186794a.tar.bz2
samba-42127cdbb040a260c2c745e9114b600f2186794a.zip
s4-credentials Add explicit event context handling to Kerberos calls (only)
By setting the event context to use for this operation (only) onto the krb5_context just before we call that operation, we can try and emulate the specification of an event context to the actual send_to_kdc() This eliminates the specification of an event context to many other cli_credentials calls, and the last use of event_context_find() Special care is taken to restore the event context in the event of nesting in the send_to_kdc function. Andrew Bartlett
-rw-r--r--source4/auth/credentials/credentials.c2
-rw-r--r--source4/auth/credentials/credentials.h7
-rw-r--r--source4/auth/credentials/credentials_krb5.c41
-rw-r--r--source4/auth/credentials/credentials_krb5.h1
-rw-r--r--source4/auth/credentials/credentials_secrets.c15
-rw-r--r--source4/auth/gensec/gensec_gssapi.c36
-rw-r--r--source4/auth/gensec/gensec_krb5.c12
-rw-r--r--source4/auth/kerberos/kerberos_credentials.h11
-rw-r--r--source4/auth/kerberos/kerberos_util.c13
-rw-r--r--source4/auth/kerberos/krb5_init_context.c125
-rw-r--r--source4/auth/kerberos/krb5_init_context.h1
-rw-r--r--source4/dsdb/samdb/samdb.c7
-rw-r--r--source4/kdc/kpasswdd.c2
-rw-r--r--source4/smbd/service_named_pipe.c1
14 files changed, 187 insertions, 87 deletions
diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c
index 2bd041450c..21ee987852 100644
--- a/source4/auth/credentials/credentials.c
+++ b/source4/auth/credentials/credentials.c
@@ -727,7 +727,7 @@ _PUBLIC_ void cli_credentials_guess(struct cli_credentials *cred,
}
if (cli_credentials_get_kerberos_state(cred) != CRED_DONT_USE_KERBEROS) {
- cli_credentials_set_ccache(cred, event_context_find(cred), lp_ctx, NULL, CRED_GUESS_FILE,
+ cli_credentials_set_ccache(cred, lp_ctx, NULL, CRED_GUESS_FILE,
&error_string);
}
}
diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h
index a468624b1f..0b0de59752 100644
--- a/source4/auth/credentials/credentials.h
+++ b/source4/auth/credentials/credentials.h
@@ -168,7 +168,6 @@ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_
const char *cli_credentials_get_realm(struct cli_credentials *cred);
const char *cli_credentials_get_username(struct cli_credentials *cred);
int cli_credentials_get_krb5_context(struct cli_credentials *cred,
- struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,
struct smb_krb5_context **smb_krb5_context);
int cli_credentials_get_ccache(struct cli_credentials *cred,
@@ -182,7 +181,6 @@ int cli_credentials_get_named_ccache(struct cli_credentials *cred,
char *ccache_name,
struct ccache_container **ccc, const char **error_string);
int cli_credentials_get_keytab(struct cli_credentials *cred,
- struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,
struct keytab_container **_ktc);
const char *cli_credentials_get_domain(struct cli_credentials *cred);
@@ -193,7 +191,6 @@ void cli_credentials_set_conf(struct cli_credentials *cred,
struct loadparm_context *lp_ctx);
const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx);
int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
- struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,
struct gssapi_creds_container **_gcc);
int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
@@ -238,7 +235,6 @@ void cli_credentials_set_netlogon_creds(struct cli_credentials *cred,
NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred,
struct smb_krb5_context *smb_krb5_context);
NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
- struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,
const char *serviceprincipal);
NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred,
@@ -265,14 +261,12 @@ bool cli_credentials_set_ntlm_response(struct cli_credentials *cred,
const DATA_BLOB *nt_response,
enum credentials_obtained obtained);
int cli_credentials_set_keytab_name(struct cli_credentials *cred,
- struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,
const char *keytab_name,
enum credentials_obtained obtained);
void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features);
uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds);
int cli_credentials_set_ccache(struct cli_credentials *cred,
- struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,
const char *name,
enum credentials_obtained obtained,
@@ -291,7 +285,6 @@ const char *cli_credentials_get_target_service(struct cli_credentials *cred);
enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds);
enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(struct cli_credentials *creds);
NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
- struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,
struct ldb_context *ldb,
const char *base,
diff --git a/source4/auth/credentials/credentials_krb5.c b/source4/auth/credentials/credentials_krb5.c
index c678b80f87..fb4b440281 100644
--- a/source4/auth/credentials/credentials_krb5.c
+++ b/source4/auth/credentials/credentials_krb5.c
@@ -32,7 +32,6 @@
#include "param/param.h"
_PUBLIC_ int cli_credentials_get_krb5_context(struct cli_credentials *cred,
- struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,
struct smb_krb5_context **smb_krb5_context)
{
@@ -42,7 +41,7 @@ _PUBLIC_ int cli_credentials_get_krb5_context(struct cli_credentials *cred,
return 0;
}
- ret = smb_krb5_init_context(cred, event_ctx, lp_ctx,
+ ret = smb_krb5_init_context(cred, NULL, lp_ctx,
&cred->smb_krb5_context);
if (ret) {
cred->smb_krb5_context = NULL;
@@ -126,7 +125,6 @@ static int free_dccache(struct ccache_container *ccc) {
}
_PUBLIC_ int cli_credentials_set_ccache(struct cli_credentials *cred,
- struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,
const char *name,
enum credentials_obtained obtained,
@@ -145,7 +143,7 @@ _PUBLIC_ int cli_credentials_set_ccache(struct cli_credentials *cred,
return ENOMEM;
}
- ret = cli_credentials_get_krb5_context(cred, event_ctx, lp_ctx,
+ ret = cli_credentials_get_krb5_context(cred, lp_ctx,
&ccc->smb_krb5_context);
if (ret) {
(*error_string) = error_message(ret);
@@ -204,7 +202,6 @@ _PUBLIC_ int cli_credentials_set_ccache(struct cli_credentials *cred,
static int cli_credentials_new_ccache(struct cli_credentials *cred,
- struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,
char *ccache_name,
struct ccache_container **_ccc,
@@ -217,7 +214,7 @@ static int cli_credentials_new_ccache(struct cli_credentials *cred,
return ENOMEM;
}
- ret = cli_credentials_get_krb5_context(cred, event_ctx, lp_ctx,
+ ret = cli_credentials_get_krb5_context(cred, lp_ctx,
&ccc->smb_krb5_context);
if (ret) {
talloc_free(ccc);
@@ -294,12 +291,12 @@ _PUBLIC_ int cli_credentials_get_named_ccache(struct cli_credentials *cred,
return EINVAL;
}
- ret = cli_credentials_new_ccache(cred, event_ctx, lp_ctx, ccache_name, ccc, error_string);
+ ret = cli_credentials_new_ccache(cred, lp_ctx, ccache_name, ccc, error_string);
if (ret) {
return ret;
}
- ret = kinit_to_ccache(cred, cred, (*ccc)->smb_krb5_context, (*ccc)->ccache, &obtained, error_string);
+ ret = kinit_to_ccache(cred, cred, (*ccc)->smb_krb5_context, event_ctx, (*ccc)->ccache, &obtained, error_string);
if (ret) {
return ret;
}
@@ -529,7 +526,6 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
*/
int cli_credentials_set_client_gss_creds(struct cli_credentials *cred,
- struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,
gss_cred_id_t gssapi_cred,
enum credentials_obtained obtained,
@@ -549,7 +545,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
return ENOMEM;
}
- ret = cli_credentials_new_ccache(cred, event_ctx, lp_ctx, NULL, &ccc, error_string);
+ ret = cli_credentials_new_ccache(cred, lp_ctx, NULL, &ccc, error_string);
if (ret != 0) {
return ret;
}
@@ -589,9 +585,8 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
* it will be generated from the password.
*/
_PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
- struct tevent_context *event_ctx,
- struct loadparm_context *lp_ctx,
- struct keytab_container **_ktc)
+ struct loadparm_context *lp_ctx,
+ struct keytab_container **_ktc)
{
krb5_error_code ret;
struct keytab_container *ktc;
@@ -608,7 +603,7 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
return EINVAL;
}
- ret = cli_credentials_get_krb5_context(cred, event_ctx, lp_ctx,
+ ret = cli_credentials_get_krb5_context(cred, lp_ctx,
&smb_krb5_context);
if (ret) {
return ret;
@@ -640,10 +635,9 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
* FILE:/etc/krb5.keytab), open it and attach it */
_PUBLIC_ int cli_credentials_set_keytab_name(struct cli_credentials *cred,
- struct tevent_context *event_ctx,
- struct loadparm_context *lp_ctx,
- const char *keytab_name,
- enum credentials_obtained obtained)
+ struct loadparm_context *lp_ctx,
+ const char *keytab_name,
+ enum credentials_obtained obtained)
{
krb5_error_code ret;
struct keytab_container *ktc;
@@ -654,7 +648,7 @@ _PUBLIC_ int cli_credentials_set_keytab_name(struct cli_credentials *cred,
return 0;
}
- ret = cli_credentials_get_krb5_context(cred, event_ctx, lp_ctx, &smb_krb5_context);
+ ret = cli_credentials_get_krb5_context(cred, lp_ctx, &smb_krb5_context);
if (ret) {
return ret;
}
@@ -682,9 +676,8 @@ _PUBLIC_ int cli_credentials_set_keytab_name(struct cli_credentials *cred,
/* Get server gss credentials (in gsskrb5, this means the keytab) */
_PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
- struct tevent_context *event_ctx,
- struct loadparm_context *lp_ctx,
- struct gssapi_creds_container **_gcc)
+ struct loadparm_context *lp_ctx,
+ struct gssapi_creds_container **_gcc)
{
int ret = 0;
OM_uint32 maj_stat, min_stat;
@@ -701,7 +694,7 @@ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
return ENOMEM;
}
- ret = cli_credentials_get_krb5_context(cred, event_ctx, lp_ctx, &smb_krb5_context);
+ ret = cli_credentials_get_krb5_context(cred, lp_ctx, &smb_krb5_context);
if (ret) {
return ret;
}
@@ -720,7 +713,7 @@ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
return 0;
}
- ret = cli_credentials_get_keytab(cred, event_ctx, lp_ctx, &ktc);
+ ret = cli_credentials_get_keytab(cred, lp_ctx, &ktc);
if (ret) {
DEBUG(1, ("Failed to get keytab for GSSAPI server: %s\n", error_message(ret)));
return ret;
diff --git a/source4/auth/credentials/credentials_krb5.h b/source4/auth/credentials/credentials_krb5.h
index 1630b210db..36bf03d5eb 100644
--- a/source4/auth/credentials/credentials_krb5.h
+++ b/source4/auth/credentials/credentials_krb5.h
@@ -33,7 +33,6 @@ struct gssapi_creds_container {
/* Manually prototyped here to avoid needing gss headers in most callers */
int cli_credentials_set_client_gss_creds(struct cli_credentials *cred,
- struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,
gss_cred_id_t gssapi_cred,
enum credentials_obtained obtained,
diff --git a/source4/auth/credentials/credentials_secrets.c b/source4/auth/credentials/credentials_secrets.c
index 9ffc39c0c3..0f30dc5e1b 100644
--- a/source4/auth/credentials/credentials_secrets.c
+++ b/source4/auth/credentials/credentials_secrets.c
@@ -42,7 +42,6 @@
* @retval NTSTATUS error detailing any failure
*/
_PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
- struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,
struct ldb_context *ldb,
const char *base,
@@ -180,7 +179,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
* (chewing CPU time) from the password */
keytab = keytab_name_from_msg(cred, ldb, msg);
if (keytab) {
- cli_credentials_set_keytab_name(cred, event_ctx, lp_ctx, keytab, CRED_SPECIFIED);
+ cli_credentials_set_keytab_name(cred, lp_ctx, keytab, CRED_SPECIFIED);
talloc_free(keytab);
}
talloc_free(mem_ctx);
@@ -205,9 +204,9 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
* any more */
cred->machine_account_pending = false;
filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER,
- cli_credentials_get_domain(cred));
- status = cli_credentials_set_secrets(cred, event_context_find(cred), lp_ctx, NULL,
- SECRETS_PRIMARY_DOMAIN_DN,
+ cli_credentials_get_domain(cred));
+ status = cli_credentials_set_secrets(cred, lp_ctx, NULL,
+ SECRETS_PRIMARY_DOMAIN_DN,
filter, &error_string);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Could not find machine account in secrets database: %s: %s", nt_errstr(status), error_string));
@@ -223,7 +222,6 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
* @retval NTSTATUS error detailing any failure
*/
NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred,
- struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx)
{
NTSTATUS status;
@@ -236,7 +234,7 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred,
filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH,
cli_credentials_get_realm(cred),
cli_credentials_get_domain(cred));
- status = cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL,
+ status = cli_credentials_set_secrets(cred, lp_ctx, NULL,
SECRETS_PRINCIPALS_DN,
filter, &error_string);
if (!NT_STATUS_IS_OK(status)) {
@@ -253,7 +251,6 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred,
* @retval NTSTATUS error detailing any failure
*/
_PUBLIC_ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
- struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,
const char *serviceprincipal)
{
@@ -268,7 +265,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *c
cli_credentials_get_realm(cred),
cli_credentials_get_domain(cred),
serviceprincipal);
- status = cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL,
+ status = cli_credentials_set_secrets(cred, lp_ctx, NULL,
SECRETS_PRINCIPALS_DN, filter,
&error_string);
if (!NT_STATUS_IS_OK(status)) {
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 51d59d9f21..4729ed6062 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -147,7 +147,6 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
{
struct gensec_gssapi_state *gensec_gssapi_state;
krb5_error_code ret;
- struct gsskrb5_send_to_kdc send_to_kdc;
const char *realm;
gensec_gssapi_state = talloc(gensec_security, struct gensec_gssapi_state);
@@ -209,7 +208,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
gensec_gssapi_state->pac = data_blob(NULL, 0);
ret = smb_krb5_init_context(gensec_gssapi_state,
- gensec_security->event_ctx,
+ NULL,
gensec_security->settings->lp_ctx,
&gensec_gssapi_state->smb_krb5_context);
if (ret) {
@@ -237,16 +236,6 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
talloc_set_destructor(gensec_gssapi_state, gensec_gssapi_destructor);
- send_to_kdc.func = smb_krb5_send_and_recv_func;
- send_to_kdc.ptr = gensec_security->event_ctx;
-
- ret = gsskrb5_set_send_to_kdc(&send_to_kdc);
- if (ret) {
- DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n"));
- talloc_free(gensec_gssapi_state);
- return NT_STATUS_INTERNAL_ERROR;
- }
-
realm = lpcfg_realm(gensec_security->settings->lp_ctx);
if (realm != NULL) {
ret = gsskrb5_set_default_realm(realm);
@@ -290,7 +279,6 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
} else {
ret = cli_credentials_get_server_gss_creds(machine_account,
- gensec_security->event_ctx,
gensec_security->settings->lp_ctx, &gcc);
if (ret) {
DEBUG(1, ("Aquiring acceptor credentials failed: %s\n",
@@ -469,6 +457,17 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
switch (gensec_security->gensec_role) {
case GENSEC_CLIENT:
{
+ struct gsskrb5_send_to_kdc send_to_kdc;
+ krb5_error_code ret;
+ send_to_kdc.func = smb_krb5_send_and_recv_func;
+ send_to_kdc.ptr = gensec_security->event_ctx;
+
+ min_stat = gsskrb5_set_send_to_kdc(&send_to_kdc);
+ if (min_stat) {
+ DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n"));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
maj_stat = gss_init_sec_context(&min_stat,
gensec_gssapi_state->client_cred->creds,
&gensec_gssapi_state->gssapi_context,
@@ -485,6 +484,16 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
if (gss_oid_p) {
gensec_gssapi_state->gss_oid = gss_oid_p;
}
+
+ send_to_kdc.func = smb_krb5_send_and_recv_func;
+ send_to_kdc.ptr = NULL;
+
+ ret = gsskrb5_set_send_to_kdc(&send_to_kdc);
+ if (ret) {
+ DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n"));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
break;
}
case GENSEC_SERVER:
@@ -1369,7 +1378,6 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
cli_credentials_set_anonymous(session_info->credentials);
ret = cli_credentials_set_client_gss_creds(session_info->credentials,
- gensec_security->event_ctx,
gensec_security->settings->lp_ctx,
gensec_gssapi_state->delegated_cred_handle,
CRED_SPECIFIED, &error_string);
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index a0d880f5b2..345ef361ed 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -119,7 +119,6 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security, bool
talloc_set_destructor(gensec_krb5_state, gensec_krb5_destroy);
if (cli_credentials_get_krb5_context(creds,
- gensec_security->event_ctx,
gensec_security->settings->lp_ctx, &gensec_krb5_state->smb_krb5_context)) {
talloc_free(gensec_krb5_state);
return NT_STATUS_INTERNAL_ERROR;
@@ -240,6 +239,7 @@ static NTSTATUS gensec_krb5_common_client_start(struct gensec_security *gensec_s
const char *error_string;
const char *principal;
krb5_data in_data;
+ struct tevent_context *previous_ev;
hostname = gensec_get_target_hostname(gensec_security);
if (!hostname) {
@@ -299,6 +299,12 @@ static NTSTATUS gensec_krb5_common_client_start(struct gensec_security *gensec_s
}
in_data.length = 0;
+ /* Do this every time, in case we have weird recursive issues here */
+ ret = smb_krb5_context_set_event_ctx(gensec_krb5_state->smb_krb5_context, gensec_security->event_ctx, &previous_ev);
+ if (ret != 0) {
+ DEBUG(1, ("gensec_krb5_start: Setting event context failed\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
if (principal) {
krb5_principal target_principal;
ret = krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal,
@@ -322,6 +328,9 @@ static NTSTATUS gensec_krb5_common_client_start(struct gensec_security *gensec_s
&in_data, ccache_container->ccache,
&gensec_krb5_state->enc_ticket);
}
+
+ smb_krb5_context_remove_event_ctx(gensec_krb5_state->smb_krb5_context, previous_ev, gensec_security->event_ctx);
+
switch (ret) {
case 0:
return NT_STATUS_OK;
@@ -488,7 +497,6 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
/* Grab the keytab, however generated */
ret = cli_credentials_get_keytab(gensec_get_credentials(gensec_security),
- gensec_security->event_ctx,
gensec_security->settings->lp_ctx, &keytab);
if (ret) {
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
diff --git a/source4/auth/kerberos/kerberos_credentials.h b/source4/auth/kerberos/kerberos_credentials.h
index 55227752e3..e94b88e005 100644
--- a/source4/auth/kerberos/kerberos_credentials.h
+++ b/source4/auth/kerberos/kerberos_credentials.h
@@ -21,8 +21,9 @@
*/
krb5_error_code kinit_to_ccache(TALLOC_CTX *parent_ctx,
- struct cli_credentials *credentials,
- struct smb_krb5_context *smb_krb5_context,
- krb5_ccache ccache,
- enum credentials_obtained *obtained,
- const char **error_string);
+ struct cli_credentials *credentials,
+ struct smb_krb5_context *smb_krb5_context,
+ struct tevent_context *event_ctx,
+ krb5_ccache ccache,
+ enum credentials_obtained *obtained,
+ const char **error_string);
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index 3020e978bd..c5079123ef 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -332,6 +332,7 @@ krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx,
krb5_error_code kinit_to_ccache(TALLOC_CTX *parent_ctx,
struct cli_credentials *credentials,
struct smb_krb5_context *smb_krb5_context,
+ struct tevent_context *event_ctx,
krb5_ccache ccache,
enum credentials_obtained *obtained,
const char **error_string)
@@ -392,6 +393,13 @@ krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx,
tries = 2;
while (tries--) {
+ struct tevent_context *previous_ev;
+ /* Do this every time, in case we have weird recursive issues here */
+ ret = smb_krb5_context_set_event_ctx(smb_krb5_context, event_ctx, &previous_ev);
+ if (ret) {
+ talloc_free(mem_ctx);
+ return ret;
+ }
if (password) {
ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, ccache,
princ, password,
@@ -399,6 +407,7 @@ krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx,
krb_options,
NULL, &kdc_time);
} else if (impersonate_principal) {
+ talloc_free(mem_ctx);
(*error_string) = "INTERNAL error: Cannot impersonate principal with just a keyblock. A password must be specified in the credentials";
return EINVAL;
} else {
@@ -411,6 +420,7 @@ krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx,
talloc_free(mem_ctx);
(*error_string) = "kinit_to_ccache: No password available for kinit\n";
krb5_get_init_creds_opt_free(smb_krb5_context->krb5_context, krb_options);
+ smb_krb5_context_remove_event_ctx(smb_krb5_context, previous_ev, event_ctx);
return EINVAL;
}
ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
@@ -427,6 +437,8 @@ krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx,
}
}
+ smb_krb5_context_remove_event_ctx(smb_krb5_context, previous_ev, event_ctx);
+
if (ret == KRB5KRB_AP_ERR_SKEW || ret == KRB5_KDCREP_SKEW) {
/* Perhaps we have been given an invalid skew, so try again without it */
time_t t = time(NULL);
@@ -460,6 +472,7 @@ krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx,
ret = kinit_to_ccache(parent_ctx,
credentials,
smb_krb5_context,
+ event_ctx,
ccache, obtained,
error_string);
}
diff --git a/source4/auth/kerberos/krb5_init_context.c b/source4/auth/kerberos/krb5_init_context.c
index aebc79e767..54f27b0860 100644
--- a/source4/auth/kerberos/krb5_init_context.c
+++ b/source4/auth/kerberos/krb5_init_context.c
@@ -211,18 +211,37 @@ krb5_error_code smb_krb5_send_and_recv_func(krb5_context context,
struct addrinfo *ai, *a;
struct smb_krb5_socket *smb_krb5;
- struct tevent_context *ev = talloc_get_type(data, struct tevent_context);
+ DATA_BLOB send_blob;
- DATA_BLOB send_blob = data_blob_const(send_buf->data, send_buf->length);
+ struct tevent_context *ev;
+ TALLOC_CTX *tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) {
+ return ENOMEM;
+ }
+
+ if (!data) {
+ /* If no event context was available, then create one for this loop */
+ ev = tevent_context_init(tmp_ctx);
+ if (!ev) {
+ talloc_free(tmp_ctx);
+ return ENOMEM;
+ }
+ } else {
+ ev = talloc_get_type_abort(data, struct tevent_context);
+ }
+
+ send_blob = data_blob_const(send_buf->data, send_buf->length);
ret = krb5_krbhst_get_addrinfo(context, hi, &ai);
if (ret) {
+ talloc_free(tmp_ctx);
return ret;
}
for (a = ai; a; a = ai->ai_next) {
- smb_krb5 = talloc(NULL, struct smb_krb5_socket);
+ smb_krb5 = talloc(tmp_ctx, struct smb_krb5_socket);
if (!smb_krb5) {
+ talloc_free(tmp_ctx);
return ENOMEM;
}
smb_krb5->hi = hi;
@@ -237,7 +256,7 @@ krb5_error_code smb_krb5_send_and_recv_func(krb5_context context,
break;
#endif
default:
- talloc_free(smb_krb5);
+ talloc_free(tmp_ctx);
return EINVAL;
}
@@ -250,7 +269,7 @@ krb5_error_code smb_krb5_send_and_recv_func(krb5_context context,
status = socket_create(name, SOCKET_TYPE_STREAM, &smb_krb5->sock, 0);
break;
case KRB5_KRBHST_HTTP:
- talloc_free(smb_krb5);
+ talloc_free(tmp_ctx);
return EINVAL;
}
if (!NT_STATUS_IS_OK(status)) {
@@ -319,14 +338,28 @@ krb5_error_code smb_krb5_send_and_recv_func(krb5_context context,
packet_send(smb_krb5->packet, smb_krb5->request);
break;
case KRB5_KRBHST_HTTP:
- talloc_free(smb_krb5);
+ talloc_free(tmp_ctx);
return EINVAL;
}
while ((NT_STATUS_IS_OK(smb_krb5->status)) && !smb_krb5->reply.length) {
if (tevent_loop_once(ev) != 0) {
- talloc_free(smb_krb5);
+ talloc_free(tmp_ctx);
return EINVAL;
}
+
+ /* After each and every event loop, reset the
+ * send_to_kdc pointers to what they were when
+ * we entered this loop. That way, if a
+ * nested event has invalidated them, we put
+ * it back before we return to the heimdal
+ * code */
+ ret = krb5_set_send_to_kdc_func(context,
+ smb_krb5_send_and_recv_func,
+ data);
+ if (ret != 0) {
+ talloc_free(tmp_ctx);
+ return ret;
+ }
}
if (NT_STATUS_EQUAL(smb_krb5->status, NT_STATUS_IO_TIMEOUT)) {
talloc_free(smb_krb5);
@@ -341,13 +374,14 @@ krb5_error_code smb_krb5_send_and_recv_func(krb5_context context,
ret = krb5_data_copy(recv_buf, smb_krb5->reply.data, smb_krb5->reply.length);
if (ret) {
- talloc_free(smb_krb5);
+ talloc_free(tmp_ctx);
return ret;
}
talloc_free(smb_krb5);
break;
}
+ talloc_free(tmp_ctx);
if (a) {
return 0;
}
@@ -415,7 +449,7 @@ smb_krb5_init_context_basic(TALLOC_CTX *tmp_ctx,
krb5_error_code smb_krb5_init_context(void *parent_ctx,
struct tevent_context *ev,
struct loadparm_context *lp_ctx,
- struct smb_krb5_context **smb_krb5_context)
+ struct smb_krb5_context **smb_krb5_context)
{
krb5_error_code ret;
TALLOC_CTX *tmp_ctx;
@@ -423,7 +457,7 @@ krb5_error_code smb_krb5_init_context(void *parent_ctx,
initialize_krb5_error_table();
tmp_ctx = talloc_new(parent_ctx);
- *smb_krb5_context = talloc(tmp_ctx, struct smb_krb5_context);
+ *smb_krb5_context = talloc_zero(tmp_ctx, struct smb_krb5_context);
if (!*smb_krb5_context || !tmp_ctx) {
talloc_free(tmp_ctx);
@@ -463,14 +497,14 @@ krb5_error_code smb_krb5_init_context(void *parent_ctx,
krb5_set_warn_dest((*smb_krb5_context)->krb5_context, (*smb_krb5_context)->logf);
/* Set use of our socket lib */
- ret = krb5_set_send_to_kdc_func((*smb_krb5_context)->krb5_context,
- smb_krb5_send_and_recv_func,
- ev);
- if (ret) {
- DEBUG(1,("krb5_set_send_recv_func failed (%s)\n",
- smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx)));
- talloc_free(tmp_ctx);
- return ret;
+ if (ev) {
+ struct tevent_context *previous_ev;
+ ret = smb_krb5_context_set_event_ctx(*smb_krb5_context,
+ ev, &previous_ev);
+ if (ret) {
+ talloc_free(tmp_ctx);
+ return ret;
+ }
}
talloc_steal(parent_ctx, *smb_krb5_context);
@@ -484,3 +518,58 @@ krb5_error_code smb_krb5_init_context(void *parent_ctx,
return 0;
}
+krb5_error_code smb_krb5_context_set_event_ctx(struct smb_krb5_context *smb_krb5_context,
+ struct tevent_context *ev,
+ struct tevent_context **previous_ev)
+{
+ int ret;
+ if (!ev) {
+ return EINVAL;
+ }
+
+ if (smb_krb5_context->current_ev) {
+ *previous_ev = smb_krb5_context->current_ev;
+ }
+
+ smb_krb5_context->current_ev = talloc_reference(smb_krb5_context, ev);
+ if (!smb_krb5_context->current_ev) {
+ return ENOMEM;
+ }
+
+ /* Set use of our socket lib */
+ ret = krb5_set_send_to_kdc_func(smb_krb5_context->krb5_context,
+ smb_krb5_send_and_recv_func,
+ ev);
+ if (ret) {
+ TALLOC_CTX *tmp_ctx = talloc_new(NULL);
+ DEBUG(1,("krb5_set_send_recv_func failed (%s)\n",
+ smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, tmp_ctx)));
+ talloc_free(tmp_ctx);
+ talloc_unlink(smb_krb5_context, smb_krb5_context->current_ev);
+ smb_krb5_context->current_ev = NULL;
+ return ret;
+ }
+ return 0;
+}
+
+krb5_error_code smb_krb5_context_remove_event_ctx(struct smb_krb5_context *smb_krb5_context,
+ struct tevent_context *previous_ev,
+ struct tevent_context *ev)
+{
+ int ret;
+ talloc_unlink(smb_krb5_context, ev);
+ /* If there was a mismatch with things happening on a stack, then don't wipe things */
+ smb_krb5_context->current_ev = previous_ev;
+ /* Set use of our socket lib */
+ ret = krb5_set_send_to_kdc_func(smb_krb5_context->krb5_context,
+ smb_krb5_send_and_recv_func,
+ previous_ev);
+ if (ret) {
+ TALLOC_CTX *tmp_ctx = talloc_new(NULL);
+ DEBUG(1,("krb5_set_send_recv_func failed (%s)\n",
+ smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, tmp_ctx)));
+ talloc_free(tmp_ctx);
+ return ret;
+ }
+ return 0;
+}
diff --git a/source4/auth/kerberos/krb5_init_context.h b/source4/auth/kerberos/krb5_init_context.h
index c55b2dc8bc..047772c8f7 100644
--- a/source4/auth/kerberos/krb5_init_context.h
+++ b/source4/auth/kerberos/krb5_init_context.h
@@ -20,6 +20,7 @@
struct smb_krb5_context {
krb5_context krb5_context;
krb5_log_facility *logf;
+ struct tevent_context *current_ev;
};
struct tevent_context;
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index 57de27a22e..d8c1728d3f 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -55,8 +55,7 @@ static int samdb_credentials_destructor(struct cli_credentials *creds)
this returns a static set of system credentials. It is static so
that we always get the same pointer in ldb_wrap_connect()
*/
-struct cli_credentials *samdb_credentials(struct tevent_context *event_ctx,
- struct loadparm_context *lp_ctx)
+struct cli_credentials *samdb_credentials(struct loadparm_context *lp_ctx)
{
static struct cli_credentials *static_credentials;
struct cli_credentials *cred;
@@ -77,7 +76,7 @@ struct cli_credentials *samdb_credentials(struct tevent_context *event_ctx,
* anyway */
cli_credentials_set_kerberos_state(cred, CRED_DONT_USE_KERBEROS);
- if (!NT_STATUS_IS_OK(cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, NULL,
+ if (!NT_STATUS_IS_OK(cli_credentials_set_secrets(cred, lp_ctx, NULL, NULL,
SECRETS_LDAP_FILTER, &error_string))) {
DEBUG(5, ("(normal if no LDAP backend) %s", error_string));
/* Perfectly OK - if not against an LDAP backend */
@@ -106,7 +105,7 @@ struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx,
int ret;
url = lpcfg_sam_url(lp_ctx);
- credentials = samdb_credentials(ev_ctx, lp_ctx);
+ credentials = samdb_credentials(lp_ctx);
ldb = ldb_wrap_find(url, ev_ctx, lp_ctx, session_info, credentials, flags);
if (ldb != NULL)
diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c
index 1ccae10eda..5254b62384 100644
--- a/source4/kdc/kpasswdd.c
+++ b/source4/kdc/kpasswdd.c
@@ -519,7 +519,7 @@ bool kpasswdd_process(struct kdc_server *kdc,
keytab_name = talloc_asprintf(server_credentials, "HDB:samba4&%p", kdc->base_ctx);
cli_credentials_set_username(server_credentials, "kadmin/changepw", CRED_SPECIFIED);
- ret = cli_credentials_set_keytab_name(server_credentials, kdc->task->event_ctx, kdc->task->lp_ctx, keytab_name, CRED_SPECIFIED);
+ ret = cli_credentials_set_keytab_name(server_credentials, kdc->task->lp_ctx, keytab_name, CRED_SPECIFIED);
if (ret != 0) {
ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_HARDERROR,
diff --git a/source4/smbd/service_named_pipe.c b/source4/smbd/service_named_pipe.c
index 84b490ac2d..7beab5676f 100644
--- a/source4/smbd/service_named_pipe.c
+++ b/source4/smbd/service_named_pipe.c
@@ -226,7 +226,6 @@ static void named_pipe_accept_done(struct tevent_req *subreq)
cli_credentials_set_anonymous(creds);
ret = cli_credentials_set_client_gss_creds(creds,
- conn->event.ctx,
conn->lp_ctx,
cred_handle,
CRED_SPECIFIED,