port latest changes from SAMBA_3_0 tree

(This used to be commit 3101c236b8241dc0183995ffceed551876427de4)

6 files changed, 59 insertions, 96 deletions

diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index c554a02e90..50a9ef2718 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -1,7 +1,7 @@
 /* 
    Unix SMB/CIFS implementation.
    kerberos authorization data (PAC) utility library
-   Copyright (C) Jim McDonough 2003   
+   Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003   
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c
index 25b7f9d948..48b61cd1f2 100644
--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -60,13 +60,13 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket,
 	ZERO_STRUCTP(ap_rep);
 
 	if (!secrets_init()) {
-		DEBUG(1,("secrets_init failed\n"));
+		DEBUG(1,("ads_verify_ticket: secrets_init failed\n"));
 		return NT_STATUS_LOGON_FAILURE;
 	}
 
 	password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
 	if (!password_s) {
-		DEBUG(1,("failed to fetch machine password\n"));
+		DEBUG(1,("ads_verify_ticket: failed to fetch machine password\n"));
 		return NT_STATUS_LOGON_FAILURE;
 	}
 
@@ -75,13 +75,13 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket,
 
 	ret = krb5_init_context(&context);
 	if (ret) {
-		DEBUG(1,("krb5_init_context failed (%s)\n", error_message(ret)));
+		DEBUG(1,("ads_verify_ticket: krb5_init_context failed (%s)\n", error_message(ret)));
 		return NT_STATUS_LOGON_FAILURE;
 	}
 
 	ret = krb5_set_default_realm(context, ads->auth.realm);
 	if (ret) {
-		DEBUG(1,("krb5_set_default_realm failed (%s)\n", error_message(ret)));
+		DEBUG(1,("ads_verify_ticket: krb5_set_default_realm failed (%s)\n", error_message(ret)));
 		sret = NT_STATUS_LOGON_FAILURE;
 		goto out;
 	}
@@ -92,7 +92,7 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket,
 
 	ret = krb5_auth_con_init(context, &auth_context);
 	if (ret) {
-		DEBUG(1,("krb5_auth_con_init failed (%s)\n", error_message(ret)));
+		DEBUG(1,("ads_verify_ticket: krb5_auth_con_init failed (%s)\n", error_message(ret)));
 		sret = NT_STATUS_LOGON_FAILURE;
 		goto out;
 	}
@@ -102,32 +102,31 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket,
 	asprintf(&host_princ_s, "HOST/%s@%s", myname, lp_realm());
 	ret = krb5_parse_name(context, host_princ_s, &host_princ);
 	if (ret) {
-		DEBUG(1,("krb5_parse_name(%s) failed (%s)\n", host_princ_s, error_message(ret)));
+		DEBUG(1,("ads_verify_ticket: krb5_parse_name(%s) failed (%s)\n",
+					host_princ_s, error_message(ret)));
 		sret = NT_STATUS_LOGON_FAILURE;
 		goto out;
 	}
 
 	/*
-	 * JRA. We must set the rcache and the allowed addresses in the auth_context
-	 * here. This will prevent replay attacks and ensure the client has got a key from
-	 * the correct IP address.
+	 * JRA. We must set the rcache here. This will prevent replay attacks.
 	 */
 
 	ret = krb5_get_server_rcache(context, krb5_princ_component(context, host_princ, 0), &rcache);
 	if (ret) {
-		DEBUG(1,("krb5_get_server_rcache failed (%s)\n", error_message(ret)));
+		DEBUG(1,("ads_verify_ticket: krb5_get_server_rcache failed (%s)\n", error_message(ret)));
 		sret = NT_STATUS_LOGON_FAILURE;
 		goto out;
 	}
 
 	ret = krb5_auth_con_setrcache(context, auth_context, rcache);
 	if (ret) {
-		DEBUG(1,("krb5_auth_con_setrcache failed (%s)\n", error_message(ret)));
+		DEBUG(1,("ads_verify_ticket: krb5_auth_con_setrcache failed (%s)\n", error_message(ret)));
 		sret = NT_STATUS_LOGON_FAILURE;
 		goto out;
 	}
 
-	/* Now we need to add the addresses.... JRA. */
+	/* CIFS doesn't use addresses in tickets. This would breat NAT. JRA */
 
 	if (!(key = (krb5_keyblock *)malloc(sizeof(*key)))) {
 		sret = NT_STATUS_NO_MEMORY;
@@ -135,13 +134,22 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket,
 	}
 	
 	if ((ret = get_kerberos_allowed_etypes(context, &enctypes))) {
-		DEBUG(1,("krb5_get_permitted_enctypes failed (%s)\n", 
+		DEBUG(1,("ads_verify_ticket: krb5_get_permitted_enctypes failed (%s)\n", 
 			 error_message(ret)));
 		sret = NT_STATUS_LOGON_FAILURE;
 		goto out;
 	}
 
-	/* we need to setup a auth context with each possible encoding type in turn */
+	/* Lock a mutex surrounding the replay as there is no locking in the MIT krb5
+	 * code surrounding the replay cache... */
+
+	if (!grab_server_mutex("replay cache mutex")) {
+		DEBUG(1,("ads_verify_ticket: unable to protect replay cache with mutex.\n"));
+		sret = NT_STATUS_LOGON_FAILURE;
+		goto out;
+	}
+
+	/* We need to setup a auth context with each possible encoding type in turn. */
 	for (i=0;enctypes[i];i++) {
 		if (create_kerberos_key_from_string(context, host_princ, &password, key, enctypes[i])) {
 			continue;
@@ -154,14 +162,22 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket,
 
 		if (!(ret = krb5_rd_req(context, &auth_context, &packet, 
 				       NULL, keytab, NULL, &tkt))) {
+			DEBUG(10,("ads_verify_ticket: enc type [%u] decrypted message !\n",
+				(unsigned int)enctypes[i] ));
 			free_kerberos_etypes(context, enctypes);
 			auth_ok = True;
 			break;
 		}
+	
+		DEBUG((ret != KRB5_BAD_ENCTYPE) ? 3 : 10,
+				("ads_verify_ticket: enc type [%u] failed to decrypt with error %s\n",
+				(unsigned int)enctypes[i], error_message(ret)));
 	}
 
+	release_server_mutex();
+
 	if (!auth_ok) {
-		DEBUG(3,("krb5_rd_req with auth failed (%s)\n", 
+		DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n", 
 			 error_message(ret)));
 		sret = NT_STATUS_LOGON_FAILURE;
 		goto out;
@@ -169,7 +185,7 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket,
 
 	ret = krb5_mk_rep(context, auth_context, &packet);
 	if (ret) {
-		DEBUG(3,("Failed to generate mutual authentication reply (%s)\n",
+		DEBUG(3,("ads_verify_ticket: Failed to generate mutual authentication reply (%s)\n",
 			error_message(ret)));
 		sret = NT_STATUS_LOGON_FAILURE;
 		goto out;
@@ -178,7 +194,7 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket,
 	*ap_rep = data_blob(packet.data, packet.length);
 	free(packet.data);
 
-	get_krb5_smb_session_key(context, auth_context, session_key);
+	get_krb5_smb_session_key(context, auth_context, session_key, True);
 #ifdef DEBUG_PASSWORD
 	DEBUG(10,("SMB session key (from ticket) follows:\n"));
 	dump_data(10, session_key, 16);
@@ -205,7 +221,7 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket,
 
 	if ((ret = krb5_unparse_name(context, get_principal_from_tkt(tkt),
 				     principal))) {
-		DEBUG(3,("krb5_unparse_name failed (%s)\n", 
+		DEBUG(3,("ads_verify_ticket: krb5_unparse_name failed (%s)\n", 
 			 error_message(ret)));
 		sret = NT_STATUS_LOGON_FAILURE;
 		goto out;
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index cf6f9375f8..5a12288b16 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -3,7 +3,7 @@
    ads (active directory) utility library
    Copyright (C) Andrew Tridgell 2001
    Copyright (C) Remus Koos 2001
-   Copyright (C) Jim McDonough 2002
+   Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -106,12 +106,24 @@ static BOOL ads_find_dc(ADS_STRUCT *ads)
 	struct ip_service *ip_list;
 	pstring realm;
 	BOOL got_realm = False;
+	BOOL use_own_domain = False;
+
+	/* if the realm and workgroup are both empty, assume they are ours */
 
 	/* realm */
 	c_realm = ads->server.realm;
+	
+	if ( !c_realm || !*c_realm ) {
+		/* special case where no realm and no workgroup means our own */
+		if ( !ads->server.workgroup || !*ads->server.workgroup ) {
+			use_own_domain = True;
+			c_realm = lp_realm();
+		}
+	}
+	
 	if (c_realm && *c_realm) 
 		got_realm = True;
-	   
+		   
 again:
 	/* we need to try once with the realm name and fallback to the 
 	   netbios domain name if we fail (if netbios has not been disabled */
@@ -119,7 +131,12 @@ again:
 	if ( !got_realm	&& !lp_disable_netbios() ) {
 		c_realm = ads->server.workgroup;
 		if (!c_realm || !*c_realm) {
-			DEBUG(0,("ads_find_dc: no realm or workgroup!  Was the structure initialized?\n"));
+			if ( use_own_domain )
+				c_realm = lp_workgroup();
+		}
+		
+		if ( !c_realm || !*c_realm ) {
+			DEBUG(0,("ads_find_dc: no realm or workgroup!  Don't know what to do\n"));
 			return False;
 		}
 	}
@@ -1871,77 +1888,6 @@ ADS_STATUS ads_server_info(ADS_STRUCT *ads)
 	return ADS_SUCCESS;
 }
 
-
-/**
- * find the list of trusted domains
- * @param ads connection to ads server
- * @param mem_ctx TALLOC_CTX for allocating results
- * @param num_trusts pointer to number of trusts
- * @param names pointer to trusted domain name list
- * @param sids pointer to list of sids of trusted domains
- * @return the count of SIDs pulled
- **/
-ADS_STATUS ads_trusted_domains(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, 
-			       int *num_trusts, 
-			       char ***names, 
-			       char ***alt_names,
-			       DOM_SID **sids)
-{
-	const char *attrs[] = {"name", "flatname", "securityIdentifier", 
-			       "trustDirection", NULL};
-	ADS_STATUS status;
-	void *res, *msg;
-	int count, i;
-
-	*num_trusts = 0;
-
-	status = ads_search(ads, &res, "(objectcategory=trustedDomain)", attrs);
-	if (!ADS_ERR_OK(status)) return status;
-
-	count = ads_count_replies(ads, res);
-	if (count == 0) {
-		ads_msgfree(ads, res);
-		return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
-	}
-
-	(*names) = talloc(mem_ctx, sizeof(char *) * count);
-	(*alt_names) = talloc(mem_ctx, sizeof(char *) * count);
-	(*sids) = talloc(mem_ctx, sizeof(DOM_SID) * count);
-	if (! *names || ! *sids) return ADS_ERROR(LDAP_NO_MEMORY);
-
-	for (i=0, msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
-		uint32 direction;
-
-		/* direction is a 2 bit bitfield, 1 means they trust us 
-		   but we don't trust them, so we should not list them
-		   as users from that domain can't login */
-		if (ads_pull_uint32(ads, msg, "trustDirection", &direction) &&
-		    direction == 1) {
-			continue;
-		}
-		
-		(*names)[i] = ads_pull_string(ads, mem_ctx, msg, "name");
-		(*alt_names)[i] = ads_pull_string(ads, mem_ctx, msg, "flatname");
-
-		if ((*alt_names)[i] && (*alt_names)[i][0]) {
-			/* we prefer the flatname as the primary name
-			   for consistency with RPC */
-			char *name = (*alt_names)[i];
-			(*alt_names)[i] = (*names)[i];
-			(*names)[i] = name;
-		}
-		if (ads_pull_sid(ads, msg, "securityIdentifier", &(*sids)[i])) {
-			i++;
-		}
-	}
-
-	ads_msgfree(ads, res);
-
-	*num_trusts = i;
-
-	return ADS_SUCCESS;
-}
-
 /**
  * find the domain sid for our domain
  * @param ads connection to ads server
diff --git a/source3/libads/ldap_printer.c b/source3/libads/ldap_printer.c
index b650a5eb38..1448074ea0 100644
--- a/source3/libads/ldap_printer.c
+++ b/source3/libads/ldap_printer.c
@@ -1,7 +1,7 @@
 /* 
    Unix SMB/CIFS implementation.
    ads (active directory) printer utility library
-   Copyright (C) Jim McDonough 2002
+   Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
diff --git a/source3/libads/ldap_user.c b/source3/libads/ldap_user.c
index e70249dd78..56a0d8013b 100644
--- a/source3/libads/ldap_user.c
+++ b/source3/libads/ldap_user.c
@@ -1,7 +1,7 @@
 /* 
    Unix SMB/CIFS implementation.
    ads (active directory) utility library
-   Copyright (C) Jim McDonough 2002
+   Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 598208b17f..910ff3f4dc 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -124,9 +124,10 @@ static ADS_STATUS ads_sasl_spnego_krb5_bind(ADS_STRUCT *ads, const char *princip
 {
 	DATA_BLOB blob;
 	struct berval cred, *scred;
+	unsigned char sk[16];
 	int rc;
 
-	blob = spnego_gen_negTokenTarg(principal, ads->auth.time_offset);
+	blob = spnego_gen_negTokenTarg(principal, ads->auth.time_offset, sk);
 
 	if (!blob.data) {
 		return ADS_ERROR(LDAP_OPERATIONS_ERROR);