From 04bf12b176d5abe06b7f1401810369bcafe0b611 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Sat, 2 Aug 2003 20:06:57 +0000 Subject: port latest changes from SAMBA_3_0 tree (This used to be commit 3101c236b8241dc0183995ffceed551876427de4) --- source3/libads/authdata.c | 2 +- source3/libads/kerberos_verify.c | 52 ++++++++++++++-------- source3/libads/ldap.c | 94 +++++++++------------------------------- source3/libads/ldap_printer.c | 2 +- source3/libads/ldap_user.c | 2 +- source3/libads/sasl.c | 3 +- 6 files changed, 59 insertions(+), 96 deletions(-) (limited to 'source3/libads') diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index c554a02e90..50a9ef2718 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c @@ -1,7 +1,7 @@ /* Unix SMB/CIFS implementation. kerberos authorization data (PAC) utility library - Copyright (C) Jim McDonough 2003 + Copyright (C) Jim McDonough 2003 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c index 25b7f9d948..48b61cd1f2 100644 --- a/source3/libads/kerberos_verify.c +++ b/source3/libads/kerberos_verify.c @@ -60,13 +60,13 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, ZERO_STRUCTP(ap_rep); if (!secrets_init()) { - DEBUG(1,("secrets_init failed\n")); + DEBUG(1,("ads_verify_ticket: secrets_init failed\n")); return NT_STATUS_LOGON_FAILURE; } password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL); if (!password_s) { - DEBUG(1,("failed to fetch machine password\n")); + DEBUG(1,("ads_verify_ticket: failed to fetch machine password\n")); return NT_STATUS_LOGON_FAILURE; } @@ -75,13 +75,13 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, ret = krb5_init_context(&context); if (ret) { - DEBUG(1,("krb5_init_context failed (%s)\n", error_message(ret))); + DEBUG(1,("ads_verify_ticket: krb5_init_context failed (%s)\n", error_message(ret))); return NT_STATUS_LOGON_FAILURE; } ret = krb5_set_default_realm(context, ads->auth.realm); if (ret) { - DEBUG(1,("krb5_set_default_realm failed (%s)\n", error_message(ret))); + DEBUG(1,("ads_verify_ticket: krb5_set_default_realm failed (%s)\n", error_message(ret))); sret = NT_STATUS_LOGON_FAILURE; goto out; } @@ -92,7 +92,7 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, ret = krb5_auth_con_init(context, &auth_context); if (ret) { - DEBUG(1,("krb5_auth_con_init failed (%s)\n", error_message(ret))); + DEBUG(1,("ads_verify_ticket: krb5_auth_con_init failed (%s)\n", error_message(ret))); sret = NT_STATUS_LOGON_FAILURE; goto out; } @@ -102,32 +102,31 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, asprintf(&host_princ_s, "HOST/%s@%s", myname, lp_realm()); ret = krb5_parse_name(context, host_princ_s, &host_princ); if (ret) { - DEBUG(1,("krb5_parse_name(%s) failed (%s)\n", host_princ_s, error_message(ret))); + DEBUG(1,("ads_verify_ticket: krb5_parse_name(%s) failed (%s)\n", + host_princ_s, error_message(ret))); sret = NT_STATUS_LOGON_FAILURE; goto out; } /* - * JRA. We must set the rcache and the allowed addresses in the auth_context - * here. This will prevent replay attacks and ensure the client has got a key from - * the correct IP address. + * JRA. We must set the rcache here. This will prevent replay attacks. */ ret = krb5_get_server_rcache(context, krb5_princ_component(context, host_princ, 0), &rcache); if (ret) { - DEBUG(1,("krb5_get_server_rcache failed (%s)\n", error_message(ret))); + DEBUG(1,("ads_verify_ticket: krb5_get_server_rcache failed (%s)\n", error_message(ret))); sret = NT_STATUS_LOGON_FAILURE; goto out; } ret = krb5_auth_con_setrcache(context, auth_context, rcache); if (ret) { - DEBUG(1,("krb5_auth_con_setrcache failed (%s)\n", error_message(ret))); + DEBUG(1,("ads_verify_ticket: krb5_auth_con_setrcache failed (%s)\n", error_message(ret))); sret = NT_STATUS_LOGON_FAILURE; goto out; } - /* Now we need to add the addresses.... JRA. */ + /* CIFS doesn't use addresses in tickets. This would breat NAT. JRA */ if (!(key = (krb5_keyblock *)malloc(sizeof(*key)))) { sret = NT_STATUS_NO_MEMORY; @@ -135,13 +134,22 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, } if ((ret = get_kerberos_allowed_etypes(context, &enctypes))) { - DEBUG(1,("krb5_get_permitted_enctypes failed (%s)\n", + DEBUG(1,("ads_verify_ticket: krb5_get_permitted_enctypes failed (%s)\n", error_message(ret))); sret = NT_STATUS_LOGON_FAILURE; goto out; } - /* we need to setup a auth context with each possible encoding type in turn */ + /* Lock a mutex surrounding the replay as there is no locking in the MIT krb5 + * code surrounding the replay cache... */ + + if (!grab_server_mutex("replay cache mutex")) { + DEBUG(1,("ads_verify_ticket: unable to protect replay cache with mutex.\n")); + sret = NT_STATUS_LOGON_FAILURE; + goto out; + } + + /* We need to setup a auth context with each possible encoding type in turn. */ for (i=0;enctypes[i];i++) { if (create_kerberos_key_from_string(context, host_princ, &password, key, enctypes[i])) { continue; @@ -154,14 +162,22 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, if (!(ret = krb5_rd_req(context, &auth_context, &packet, NULL, keytab, NULL, &tkt))) { + DEBUG(10,("ads_verify_ticket: enc type [%u] decrypted message !\n", + (unsigned int)enctypes[i] )); free_kerberos_etypes(context, enctypes); auth_ok = True; break; } + + DEBUG((ret != KRB5_BAD_ENCTYPE) ? 3 : 10, + ("ads_verify_ticket: enc type [%u] failed to decrypt with error %s\n", + (unsigned int)enctypes[i], error_message(ret))); } + release_server_mutex(); + if (!auth_ok) { - DEBUG(3,("krb5_rd_req with auth failed (%s)\n", + DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n", error_message(ret))); sret = NT_STATUS_LOGON_FAILURE; goto out; @@ -169,7 +185,7 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, ret = krb5_mk_rep(context, auth_context, &packet); if (ret) { - DEBUG(3,("Failed to generate mutual authentication reply (%s)\n", + DEBUG(3,("ads_verify_ticket: Failed to generate mutual authentication reply (%s)\n", error_message(ret))); sret = NT_STATUS_LOGON_FAILURE; goto out; @@ -178,7 +194,7 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, *ap_rep = data_blob(packet.data, packet.length); free(packet.data); - get_krb5_smb_session_key(context, auth_context, session_key); + get_krb5_smb_session_key(context, auth_context, session_key, True); #ifdef DEBUG_PASSWORD DEBUG(10,("SMB session key (from ticket) follows:\n")); dump_data(10, session_key, 16); @@ -205,7 +221,7 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, if ((ret = krb5_unparse_name(context, get_principal_from_tkt(tkt), principal))) { - DEBUG(3,("krb5_unparse_name failed (%s)\n", + DEBUG(3,("ads_verify_ticket: krb5_unparse_name failed (%s)\n", error_message(ret))); sret = NT_STATUS_LOGON_FAILURE; goto out; diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index cf6f9375f8..5a12288b16 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -3,7 +3,7 @@ ads (active directory) utility library Copyright (C) Andrew Tridgell 2001 Copyright (C) Remus Koos 2001 - Copyright (C) Jim McDonough 2002 + Copyright (C) Jim McDonough 2002 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -106,12 +106,24 @@ static BOOL ads_find_dc(ADS_STRUCT *ads) struct ip_service *ip_list; pstring realm; BOOL got_realm = False; + BOOL use_own_domain = False; + + /* if the realm and workgroup are both empty, assume they are ours */ /* realm */ c_realm = ads->server.realm; + + if ( !c_realm || !*c_realm ) { + /* special case where no realm and no workgroup means our own */ + if ( !ads->server.workgroup || !*ads->server.workgroup ) { + use_own_domain = True; + c_realm = lp_realm(); + } + } + if (c_realm && *c_realm) got_realm = True; - + again: /* we need to try once with the realm name and fallback to the netbios domain name if we fail (if netbios has not been disabled */ @@ -119,7 +131,12 @@ again: if ( !got_realm && !lp_disable_netbios() ) { c_realm = ads->server.workgroup; if (!c_realm || !*c_realm) { - DEBUG(0,("ads_find_dc: no realm or workgroup! Was the structure initialized?\n")); + if ( use_own_domain ) + c_realm = lp_workgroup(); + } + + if ( !c_realm || !*c_realm ) { + DEBUG(0,("ads_find_dc: no realm or workgroup! Don't know what to do\n")); return False; } } @@ -1871,77 +1888,6 @@ ADS_STATUS ads_server_info(ADS_STRUCT *ads) return ADS_SUCCESS; } - -/** - * find the list of trusted domains - * @param ads connection to ads server - * @param mem_ctx TALLOC_CTX for allocating results - * @param num_trusts pointer to number of trusts - * @param names pointer to trusted domain name list - * @param sids pointer to list of sids of trusted domains - * @return the count of SIDs pulled - **/ -ADS_STATUS ads_trusted_domains(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, - int *num_trusts, - char ***names, - char ***alt_names, - DOM_SID **sids) -{ - const char *attrs[] = {"name", "flatname", "securityIdentifier", - "trustDirection", NULL}; - ADS_STATUS status; - void *res, *msg; - int count, i; - - *num_trusts = 0; - - status = ads_search(ads, &res, "(objectcategory=trustedDomain)", attrs); - if (!ADS_ERR_OK(status)) return status; - - count = ads_count_replies(ads, res); - if (count == 0) { - ads_msgfree(ads, res); - return ADS_ERROR(LDAP_NO_RESULTS_RETURNED); - } - - (*names) = talloc(mem_ctx, sizeof(char *) * count); - (*alt_names) = talloc(mem_ctx, sizeof(char *) * count); - (*sids) = talloc(mem_ctx, sizeof(DOM_SID) * count); - if (! *names || ! *sids) return ADS_ERROR(LDAP_NO_MEMORY); - - for (i=0, msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) { - uint32 direction; - - /* direction is a 2 bit bitfield, 1 means they trust us - but we don't trust them, so we should not list them - as users from that domain can't login */ - if (ads_pull_uint32(ads, msg, "trustDirection", &direction) && - direction == 1) { - continue; - } - - (*names)[i] = ads_pull_string(ads, mem_ctx, msg, "name"); - (*alt_names)[i] = ads_pull_string(ads, mem_ctx, msg, "flatname"); - - if ((*alt_names)[i] && (*alt_names)[i][0]) { - /* we prefer the flatname as the primary name - for consistency with RPC */ - char *name = (*alt_names)[i]; - (*alt_names)[i] = (*names)[i]; - (*names)[i] = name; - } - if (ads_pull_sid(ads, msg, "securityIdentifier", &(*sids)[i])) { - i++; - } - } - - ads_msgfree(ads, res); - - *num_trusts = i; - - return ADS_SUCCESS; -} - /** * find the domain sid for our domain * @param ads connection to ads server diff --git a/source3/libads/ldap_printer.c b/source3/libads/ldap_printer.c index b650a5eb38..1448074ea0 100644 --- a/source3/libads/ldap_printer.c +++ b/source3/libads/ldap_printer.c @@ -1,7 +1,7 @@ /* Unix SMB/CIFS implementation. ads (active directory) printer utility library - Copyright (C) Jim McDonough 2002 + Copyright (C) Jim McDonough 2002 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/source3/libads/ldap_user.c b/source3/libads/ldap_user.c index e70249dd78..56a0d8013b 100644 --- a/source3/libads/ldap_user.c +++ b/source3/libads/ldap_user.c @@ -1,7 +1,7 @@ /* Unix SMB/CIFS implementation. ads (active directory) utility library - Copyright (C) Jim McDonough 2002 + Copyright (C) Jim McDonough 2002 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c index 598208b17f..910ff3f4dc 100644 --- a/source3/libads/sasl.c +++ b/source3/libads/sasl.c @@ -124,9 +124,10 @@ static ADS_STATUS ads_sasl_spnego_krb5_bind(ADS_STRUCT *ads, const char *princip { DATA_BLOB blob; struct berval cred, *scred; + unsigned char sk[16]; int rc; - blob = spnego_gen_negTokenTarg(principal, ads->auth.time_offset); + blob = spnego_gen_negTokenTarg(principal, ads->auth.time_offset, sk); if (!blob.data) { return ADS_ERROR(LDAP_OPERATIONS_ERROR); -- cgit