summaryrefslogtreecommitdiff
path: root/client/cifs.upcall.c
AgeCommit message (Collapse)AuthorFilesLines
2010-02-17cifs.upcall: allocate a talloc context for smb_krb5_unparse_nameJeff Layton1-1/+4
cifs.upcall calls smb_krb5_unparse_name with a NULL talloc context. Older versions of this function though will conditionally use SMB_REALLOC instead of TALLOC_REALLOC when a NULL context is passed in. To make it more consistent, just spawn a talloc context that we can pass into this function. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=565446 https://bugzilla.samba.org/show_bug.cgi?id=6868 Reported-by: Ludek Finstrle <luf@seznam.cz> Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Günther Deschner <gd@samba.org>
2009-11-27s3-kerberos: only use krb5 headers where required.Günther Deschner1-0/+1
This seems to be the only way to deal with mixed heimdal/MIT setups during merged build. Guenther
2009-11-25cifs.upcall: 2nd part of fix for Bug #6868: support building with Heimdal we ↵Günther Deschner1-0/+2
well as with MIT. Guenther
2009-11-12cifs.upcall: Fix Bug #6868: support building with Heimdal we well as with MIT.Günther Deschner1-18/+16
Guenther
2009-11-06s3-kerberos: modify cli_krb5_get_ticket to take a new impersonate_princ_s arg.Günther Deschner1-1/+1
Guenther
2009-09-17cifs-upcall: fix the build after spnego merge.Günther Deschner1-0/+1
Guenther
2009-09-04cifs.upcall: do a brute-force search for KRB5 credcacheJeff Layton1-46/+138
A few weeks ago, I added some code to cifs.upcall to take the pid sent by the kernel and use that to get the value of the $KRB5CCNAME environment var for the process. That works fine on the initial mount, but could be problematic on reconnect. There's no guarantee on a reconnect that the process that initiates the upcall will have $KRB5CCNAME pointed at the correct credcache. Because of this, the current scheme isn't going to be reliable enough and we need to use something different. This patch replaces that scheme with one very similar to the one used by rpc.gssd in nfs-utils. It searches the credcache dir (currently hardcoded to /tmp) for a valid credcache for the given uid. If it finds one then it uses that as the credentials cache. If it finds more than one, it uses the one with the latest TGT expiration. Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-08-26cifs.upcall: make using ip address conditional on new optionJeff Layton1-22/+40
Igor Mammedov pointed out that reverse resolving an IP address to get the hostname portion of a principal could open a possible attack vector. If an attacker were to gain control of DNS, then he could redirect the mount to a server of his choosing, and fix the reverse resolution to point to a hostname of his choosing (one where he has the key for the corresponding cifs/ or host/ principal). That said, we often trust DNS for other reasons and it can be useful to do so. Make the code that allows trusting DNS to be enabled by adding --trust-dns to the cifs.upcall invocation. Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-08-26cifs.upcall: switch to getopt_longJeff Layton1-1/+7
...to allow long option names. Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-08-14cifs.upcall: fix IPv6 addrs sent to upcall to have colon delimitersJeff Layton1-4/+29
Current kernels don't send IPv6 addresses with the colon delimiters, add a routine to add them when they're not present. Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-08-14cifs.upcall: use ip address passed by kernel to get server's hostnameJeff Layton1-12/+56
Instead of using the hostname given by the upcall to get the server's principal, take the IP address given in the upcall and reverse resolve it to a hostname. Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-08-14cifs.upcall: clean up flag handlingJeff Layton1-10/+10
Add a new stack var to hold the flags returned by the decoder routine so that we don't need to worry so much about preserving "rc". With this, we can drop privs before trying to find the location of the credcache. Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-08-14cifs.upcall: try getting a "cifs/" principal and fall back to "host/"Jeff Layton1-12/+16
cifs.upcall takes a "-c" flag that tells the upcall to get a principal in the form of "cifs/hostname.example.com@REALM" instead of "host/hostname.example.com@REALM". This has turned out to be a source of great confusion for users. Instead of requiring this flag, have the upcall try to get a "cifs/" principal first. If that fails, fall back to getting a "host/" principal. Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-08-14cifs.upcall: declare a structure for holding decoded argsJeff Layton1-30/+33
The argument list for the decoder is becoming rather long. Declare an args structure and use that for holding the args. This also simplifies pointer handling a bit. Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-08-14cifs.upcall: formatting cleanupJeff Layton1-47/+37
Clean up some unneeded curly braces, and fix some indentation. Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-08-14cifs.upcall: clean up logging and add debug messagesJeff Layton1-32/+47
Change the log levels to be more appropriate to the messages being logged. Error messages should be LOG_ERR and not LOG_WARNING, for instance. Add some LOG_DEBUG messages that we can use to diagnose problems with krb5 upcalls. With these, someone can set up syslog to log daemon.debug and should be able to get more info when things aren't working. Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-07-10Attempt to fix the build -- jlayton, please check!Volker Lendecke1-1/+1
2009-07-09cifs.upcall: use pid value from kernel to determine KRB5CCNAME to useJeff Layton1-12/+75
If the kernel sends the upcall a pid of the requesting process, we can open that process' /proc/<pid>/environ file and scrape the KRB5CCNAME value out of it. Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-06-02Move mount.cifs/umount.cifs to the top level and remove the outdated copyJelmer Vernooij1-0/+391
in Samba 4.