From 6ec4306f8c3fed7ec5b5bd164c5829b2661589b7 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 16 Apr 2011 15:41:50 +1000 Subject: auth/kerberos: Create common helper to get the verified PAC from GSSAPI This only works for Heimdal and MIT Krb5 1.8, other versions will get an ACCESS_DEINED error. We no longer manually verify any details of the PAC in Samba for GSSAPI logins, as we never had the information to do it properly, and it is better to have the GSSAPI library handle it. Andrew Bartlett --- auth/kerberos/gssapi_pac.c | 123 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 123 insertions(+) create mode 100644 auth/kerberos/gssapi_pac.c (limited to 'auth/kerberos/gssapi_pac.c')
diff --git a/auth/kerberos/gssapi_pac.c b/auth/kerberos/gssapi_pac.c
new file mode 100644
index 0000000000..dd2fb7e0a7
--- /dev/null
+++ b/auth/kerberos/gssapi_pac.c
@@ -0,0 +1,123 @@
+/*
+ Unix SMB/CIFS implementation.
+ kerberos authorization data (PAC) utility library
+ Copyright (C) Andrew Bartlett 2011
+ Copyright (C) Simo Sorce 2010.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "includes.h"
+#ifdef HAVE_KRB5
+
+#include "libcli/auth/krb5_wrap.h"
+
+/* The Heimdal OID for getting the PAC */
+#define EXTRACT_PAC_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH 8
+/* EXTRACTION OID AUTHZ ID */
+#define EXTRACT_PAC_AUTHZ_DATA_FROM_SEC_CONTEXT_OID "\x2a\x85\x70\x2b\x0d\x03" "\x81\x00"
+
+static gss_OID_desc pac_data_oid = {
+ EXTRACT_PAC_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH,
+ (void *)EXTRACT_PAC_AUTHZ_DATA_FROM_SEC_CONTEXT_OID
+};
+
+NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
+ gss_ctx_id_t gssapi_context,
+ gss_name_t gss_client_name,
+ DATA_BLOB *pac_blob)
+{
+ OM_uint32 gss_maj, gss_min;
+ gss_buffer_set_t set = GSS_C_NO_BUFFER_SET;
+ gss_buffer_desc pac_buffer;
+ gss_buffer_desc pac_display_buffer;
+ gss_buffer_desc pac_name = {
+ .value = "urn:mspac:",
+ .length = sizeof("urn:mspac:")-1
+ };
+ NTSTATUS status;
+ int more = -1;
+ int authenticated = false;
+ int complete = false;
+
+#ifdef HAVE_GSS_GET_NAME_ATTRIBUTE
+ gss_maj = gss_get_name_attribute(
+ &gss_min, gss_client_name, &pac_name,
+ &authenticated, &complete,
+ &pac_buffer, &pac_display_buffer, &more);
+
+ if (gss_maj != 0) {
+ DEBUG(0, ("obtaining PAC via GSSAPI gss_get_name_attribute failed: 
%s\n",
+ gssapi_error_string(mem_ctx, gss_maj, gss_min, gss_mech_krb5)));
+ return NT_STATUS_ACCESS_DENIED;
+ } else if (authenticated && complete) {
+ /* The PAC blob is returned directly */
+ *pac_blob = data_blob_talloc(mem_ctx, pac_buffer.value,
+ pac_buffer.length);
+
+ if (!pac_blob->data) {
+ status = NT_STATUS_NO_MEMORY;
+ } else {
+ status = NT_STATUS_OK;
+ }
+
+ gss_maj = gss_release_buffer(&gss_min, &pac_buffer);
+ gss_maj = gss_release_buffer(&gss_min, &pac_display_buffer);
+ return status;
+ } else {
+ DEBUG(0, ("obtaining PAC via GSSAPI failed: authenticated: %s, complete: %s, more: %s\n",
+ authenticated ? "true" : "false",
+ complete ? "true" : "false",
+ more ? "true" : "false"));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+#endif
+ /* If we didn't have the routine to get a verified, validated
+ * PAC (supplied only by MIT at the time of writing), then try
+ * with the Heimdal OID (fetches the PAC directly and always
+ * validates) */
+ gss_maj = gss_inquire_sec_context_by_oid(
+ &gss_min, gssapi_context,
+ &pac_data_oid, &set);
+
+ /* First check for the error MIT gives for an unknown OID */
+ if (gss_maj == GSS_S_UNAVAILABLE) {
+ DEBUG(1, ("unable to obtain a PAC against this GSSAPI library. 
"
+ "GSSAPI secured connections are available only with Heimdal or MIT Kerberos >= 1.8\n"));
+ } else if (gss_maj != 0) {
+ DEBUG(2, ("obtaining PAC via GSSAPI gss_inqiure_sec_context_by_oid (Heimdal OID) failed: %s\n",
+ gssapi_error_string(mem_ctx, gss_maj, gss_min, gss_mech_krb5)));
+ } else {
+ if (set == GSS_C_NO_BUFFER_SET) {
+ DEBUG(0, ("gss_inquire_sec_context_by_oid returned unknown "
+ "data in results.\n"));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ /* The PAC blob is returned directly */
+ *pac_blob = data_blob_talloc(mem_ctx, set->elements[0].value,
+ set->elements[0].length);
+ if (!pac_blob->data) {
+ status = NT_STATUS_NO_MEMORY;
+ } else {
+ status = NT_STATUS_OK;
+ }
+
+ gss_maj = gss_release_buffer_set(&gss_min, &set);
+ return status;
+ }
+ return NT_STATUS_ACCESS_DENIED;
+}
+#endif
-- cgit
From 47e28702288f065d539baab70907d50b7d59d27e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 27 Apr 2011 14:34:03 +1000 Subject: auth/kerberos Add check for gss_inquire_sec_context_by_oid Not all kerberos distributions have this function. Andrew Bartlett Autobuild-User: Andrew Bartlett Autobuild-Date: Wed Apr 27 07:39:08 CEST 2011 on sn-devel-104 --- auth/kerberos/gssapi_pac.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) (limited to 'auth/kerberos/gssapi_pac.c')
diff --git a/auth/kerberos/gssapi_pac.c b/auth/kerberos/gssapi_pac.c
index dd2fb7e0a7..d89a649ff2 100644
--- a/auth/kerberos/gssapi_pac.c
+++ b/auth/kerberos/gssapi_pac.c
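Review bot: In the Heimdal-OID branch `set->elements[0]` is read after checking only `set == GSS_C_NO_BUFFER_SET`, so a non-null set with zero elements would be indexed out of bounds; the guard should be `if (set == GSS_C_NO_BUFFER_SET || set->count < 1) {`. In the `gss_get_name_attribute` path, when the call succeeds but `authenticated && complete` is false the function returns without releasing `pac_buffer` and `pac_display_buffer`, which leaks whatever the library placed in them (I assume it fills them even for an unauthenticated attribute; worth confirming against the library). The `gss_release_buffer` results are stored in `gss_maj` and never examined, so a release failure is silent. The function also lacks a header comment; one stating that it only returns a PAC the GSSAPI library itself verified, that `pac_blob->data` is allocated on `mem_ctx` and owned by the caller, and that apart from the NT_STATUS_NO_MEMORY and NT_STATUS_INTERNAL_ERROR cases every other outcome is NT_STATUS_ACCESS_DENIED would make the contract clear to callers.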
@@ -38,20 +38,19 @@ NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
 gss_name_t gss_client_name,
 DATA_BLOB *pac_blob)
 {
+ NTSTATUS status;
 OM_uint32 gss_maj, gss_min;
- gss_buffer_set_t set = GSS_C_NO_BUFFER_SET;
+#ifdef HAVE_GSS_GET_NAME_ATTRIBUTE
 gss_buffer_desc pac_buffer;
 gss_buffer_desc pac_display_buffer;
 gss_buffer_desc pac_name = {
 .value = "urn:mspac:",
 .length = sizeof("urn:mspac:")-1
 };
- NTSTATUS status;
 int more = -1;
 int authenticated = false;
 int complete = false;
-#ifdef HAVE_GSS_GET_NAME_ATTRIBUTE
 gss_maj = gss_get_name_attribute(
 &gss_min, gss_client_name, &pac_name,
 &authenticated, &complete,
@@ -83,7 +82,10 @@ NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
 return NT_STATUS_ACCESS_DENIED;
 }
-#endif
+#elif defined(HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID)
+
+ gss_buffer_set_t set = GSS_C_NO_BUFFER_SET;
+
 /* If we didn't have the routine to get a verified, validated
 * PAC (supplied only by MIT at the time of writing), then try
 * with the Heimdal OID (fetches the PAC directly and always
@@ -118,6 +120,10 @@ NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
 gss_maj = gss_release_buffer_set(&gss_min, &set);
 return status;
 }
+#else
+ DEBUG(1, ("unable to obtain a PAC against this GSSAPI library. "
+ "GSSAPI secured connections are available only with Heimdal or MIT Kerberos >= 1.8\n"));
+#endif
 return NT_STATUS_ACCESS_DENIED;
 }
 #endif
-- cgit
From ac25835ab7b76226bd59fec9ffef46d5c5817d54 Mon Sep 17 00:00:00 2001
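Review bot: The comment directly below the new `#elif defined(HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID)` in the second hunk still describes a runtime fallback ("If we didn't have the routine ... then try with the Heimdal OID"), but after this change the two lookup methods are chosen exclusively at compile time and a gss_get_name_attribute build never reaches the OID path. Suggest rewording it to `/* gss_get_name_attribute() is not available in this GSSAPI library; use the Heimdal OID instead, which also returns only a validated PAC. */`. In the third hunk's `#else` branch `status` (added in the first hunk) and `gss_maj`/`gss_min` are declared but unused, which is likely to produce unused-variable warnings unless a later revision moves them; declaring them inside the two branches that use them would avoid that. The function's opening lines sit in the first hunk and its final return in the third; the middle of the body is outside these hunks.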
From: Gordon Ross Date: Fri, 6 May 2011 16:00:08 -0700 Subject: Fix Samba3 on OpenIndiana. I'd like Samba to use the native OpenLDAP and MIT Kerberos libs. Attached are some patches to do that. (relative to git master) It does not build for me without these. (OpenIndiana is an off-shoot of OpenSolaris See http://www.openindiana.org) Autobuild-User: Jeremy Allison Autobuild-Date: Sat May 7 02:20:14 CEST 2011 on sn-devel-104 --- auth/kerberos/gssapi_pac.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) (limited to 'auth/kerberos/gssapi_pac.c')
diff --git a/auth/kerberos/gssapi_pac.c b/auth/kerberos/gssapi_pac.c
index d89a649ff2..e115cfe85c 100644
--- a/auth/kerberos/gssapi_pac.c
+++ b/auth/kerberos/gssapi_pac.c
@@ -23,6 +23,30 @@
 #include "libcli/auth/krb5_wrap.h"
+#if 0
+/* FIXME - need proper configure/waf test
+ * to determine if gss_mech_krb5 and friends
+ * exist. JRA.
+ */
+/*
+ * These are not exported by Solaris -lkrb5
+ * Maybe move to libreplace somewhere?
+ */
+static const gss_OID_desc krb5_gss_oid_array[] = {
+ /* this is the official, rfc-specified OID */
+ { 9, "\052\206\110\206\367\022\001\002\002" },
+ /* this is the pre-RFC mech OID */
+ { 5, "\053\005\001\005\002" },
+ /* this is the unofficial, incorrect mech OID emitted by MS */
+ { 9, "\052\206\110\202\367\022\001\002\002" },
+ { 0, 0 }
+};
+
+const gss_OID_desc * const gss_mech_krb5 = krb5_gss_oid_array+0;
+const gss_OID_desc * const gss_mech_krb5_old = krb5_gss_oid_array+1;
+const gss_OID_desc * const gss_mech_krb5_wrong = krb5_gss_oid_array+2;
+#endif
+
 /* The Heimdal OID for getting the PAC */
 #define EXTRACT_PAC_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH 8
 /* EXTRACTION OID AUTHZ ID */
-- cgit
From 9ba10877aa558c016e2a40f209d1eaf694e47965 Mon Sep 17 00:00:00 2001
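Review bot: The entire addition is dead code under `#if 0` carrying a FIXME for a configure test, so it lands compiled-out definitions that nothing builds or exercises; it would be cleaner to either add the waf check and enable the block behind it, or keep the OID table out of tree until that check exists. If the block is ever switched on as written, `gss_mech_krb5`, `gss_mech_krb5_old` and `gss_mech_krb5_wrong` are defined with external linkage and would collide with any GSSAPI library that does export those symbols, so they should at minimum be `static` or guarded by the configure result. The `{ 0, 0 }` terminator also spells the `elements` pointer as `0` where `NULL` is meant.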
From: Stefan Metzmacher Date: Sat, 30 Apr 2011 17:39:48 +0200 Subject: auth/kerberos/gssapi_pac: fix compiler warnings metze Autobuild-User: Stefan Metzmacher Autobuild-Date: Wed Jun 15 19:06:24 CEST 2011 on sn-devel-104 --- auth/kerberos/gssapi_pac.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) (limited to 'auth/kerberos/gssapi_pac.c')
diff --git a/auth/kerberos/gssapi_pac.c b/auth/kerberos/gssapi_pac.c
index e115cfe85c..70bc9e576a 100644
--- a/auth/kerberos/gssapi_pac.c
+++ b/auth/kerberos/gssapi_pac.c
@@ -52,11 +52,6 @@ const gss_OID_desc * const gss_mech_krb5_wrong = krb5_gss_oid_array+2;
 /* EXTRACTION OID AUTHZ ID */
 #define EXTRACT_PAC_AUTHZ_DATA_FROM_SEC_CONTEXT_OID "\x2a\x85\x70\x2b\x0d\x03" "\x81\x00"
-static gss_OID_desc pac_data_oid = {
- EXTRACT_PAC_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH,
- (void *)EXTRACT_PAC_AUTHZ_DATA_FROM_SEC_CONTEXT_OID
-};
-
 NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
 gss_ctx_id_t gssapi_context,
 gss_name_t gss_client_name,
@@ -68,7 +63,7 @@ NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
 gss_buffer_desc pac_buffer;
 gss_buffer_desc pac_display_buffer;
 gss_buffer_desc pac_name = {
- .value = "urn:mspac:",
+ .value = discard_const("urn:mspac:"),
 .length = sizeof("urn:mspac:")-1
 };
 int more = -1;
@@ -107,6 +102,10 @@ NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
 }
 #elif defined(HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID)
+ gss_OID_desc pac_data_oid = {
+ .elements = discard_const(EXTRACT_PAC_AUTHZ_DATA_FROM_SEC_CONTEXT_OID),
+ .length = EXTRACT_PAC_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH
+ };
 gss_buffer_set_t set = GSS_C_NO_BUFFER_SET;
-- cgit
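Review bot: The new `pac_data_oid` initializer in the third hunk takes its length from the separate `EXTRACT_PAC_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH 8` macro, while `pac_name` in the second hunk derives its length from the literal with `sizeof("urn:mspac:")-1`; keeping the OID length in a hand-maintained constant lets it silently drift from the byte string if that is ever edited. Writing `.length = sizeof(EXTRACT_PAC_AUTHZ_DATA_FROM_SEC_CONTEXT_OID) - 1` ties length and bytes together (sizeof counts the embedded `\x00` byte, so it still yields 8). A one-line comment on the initializer explaining why `discard_const` is needed — `gss_OID_desc.elements` is a non-const `void *` although, to my understanding of the GSSAPI contract, the library only reads it — would also help the next reader; that reading of the API is worth confirming. The function body continues outside this hunk.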