From 42127cdbb040a260c2c745e9114b600f2186794a Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 11 Oct 2010 16:53:08 +1100 Subject: s4-credentials Add explicit event context handling to Kerberos calls (only) By setting the event context to use for this operation (only) onto the krb5_context just before we call that operation, we can try and emulate the specification of an event context to the actual send_to_kdc() This eliminates the specification of an event context to many other cli_credentials calls, and the last use of event_context_find() Special care is taken to restore the event context in the event of nesting in the send_to_kdc function. Andrew Bartlett --- source4/auth/credentials/credentials.c | 2 +- source4/auth/credentials/credentials.h | 7 ----- source4/auth/credentials/credentials_krb5.c | 41 +++++++++++--------------- source4/auth/credentials/credentials_krb5.h | 1 - source4/auth/credentials/credentials_secrets.c | 15 ++++------ 5 files changed, 24 insertions(+), 42 deletions(-) (limited to 'source4/auth/credentials') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 2bd041450c..21ee987852 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -727,7 +727,7 @@ _PUBLIC_ void cli_credentials_guess(struct cli_credentials *cred, } if (cli_credentials_get_kerberos_state(cred) != CRED_DONT_USE_KERBEROS) { - cli_credentials_set_ccache(cred, event_context_find(cred), lp_ctx, NULL, CRED_GUESS_FILE, + cli_credentials_set_ccache(cred, lp_ctx, NULL, CRED_GUESS_FILE, &error_string); } } diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index a468624b1f..0b0de59752 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h 
@@ -168,7 +168,6 @@ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_ const char *cli_credentials_get_realm(struct cli_credentials *cred); const char *cli_credentials_get_username(struct cli_credentials *cred); int cli_credentials_get_krb5_context(struct cli_credentials *cred, - struct tevent_context *event_ctx, struct loadparm_context *lp_ctx, struct smb_krb5_context **smb_krb5_context); int cli_credentials_get_ccache(struct cli_credentials *cred, @@ -182,7 +181,6 @@ int cli_credentials_get_named_ccache(struct cli_credentials *cred, char *ccache_name, struct ccache_container **ccc, const char **error_string); int cli_credentials_get_keytab(struct cli_credentials *cred, - struct tevent_context *event_ctx, struct loadparm_context *lp_ctx, struct keytab_container **_ktc); const char *cli_credentials_get_domain(struct cli_credentials *cred); @@ -193,7 +191,6 @@ void cli_credentials_set_conf(struct cli_credentials *cred, struct loadparm_context *lp_ctx); const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx); int cli_credentials_get_server_gss_creds(struct cli_credentials *cred, - struct tevent_context *event_ctx, struct loadparm_context *lp_ctx, struct gssapi_creds_container **_gcc); int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, @@ -238,7 +235,6 @@ void cli_credentials_set_netlogon_creds(struct cli_credentials *cred, NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred, struct smb_krb5_context *smb_krb5_context); NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred, - struct tevent_context *event_ctx, struct loadparm_context *lp_ctx, const char *serviceprincipal); NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred, 
@@ -265,14 +261,12 @@ bool cli_credentials_set_ntlm_response(struct cli_credentials *cred, const DATA_BLOB *nt_response, enum credentials_obtained obtained); int cli_credentials_set_keytab_name(struct cli_credentials *cred, - struct tevent_context *event_ctx, struct loadparm_context *lp_ctx, const char *keytab_name, enum credentials_obtained obtained); void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features); uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds); int cli_credentials_set_ccache(struct cli_credentials *cred, - struct tevent_context *event_ctx, struct loadparm_context *lp_ctx, const char *name, enum credentials_obtained obtained, @@ -291,7 +285,6 @@ const char *cli_credentials_get_target_service(struct cli_credentials *cred); enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds); enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(struct cli_credentials *creds); NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, - struct tevent_context *event_ctx, struct loadparm_context *lp_ctx, struct ldb_context *ldb, const char *base, diff --git a/source4/auth/credentials/credentials_krb5.c b/source4/auth/credentials/credentials_krb5.c index c678b80f87..fb4b440281 100644 --- a/source4/auth/credentials/credentials_krb5.c +++ b/source4/auth/credentials/credentials_krb5.c @@ -32,7 +32,6 @@ #include "param/param.h" _PUBLIC_ int cli_credentials_get_krb5_context(struct cli_credentials *cred, - struct tevent_context *event_ctx, struct loadparm_context *lp_ctx, struct smb_krb5_context **smb_krb5_context) { @@ -42,7 +41,7 @@ _PUBLIC_ int cli_credentials_get_krb5_context(struct cli_credentials *cred, return 0; } - ret = smb_krb5_init_context(cred, event_ctx, lp_ctx, + ret = smb_krb5_init_context(cred, NULL, lp_ctx, &cred->smb_krb5_context); if (ret) { cred->smb_krb5_context = NULL; 
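Review bot: The `NULL` now passed as the event context in `smb_krb5_init_context(cred, NULL, lp_ctx, &cred->smb_krb5_context)` in cli_credentials_get_krb5_context has no comment, so a reader cannot tell that it is deliberate. Per the commit message, the event context is attached to the krb5 context only around the operation that talks to the KDC. A comment at the call would record that contract, for example `/* No event context at creation: it is set on the krb5_context just before an operation that may reach send_to_kdc() */`. The functions in this file that lose their `event_ctx` parameter (cli_credentials_get_keytab, cli_credentials_set_keytab_name, cli_credentials_get_server_gss_creds) then rely on never reaching the KDC, or on send_to_kdc coping with an unset context. Neither is visible in this patch, and the function body continues outside the hunk.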
@@ -126,7 +125,6 @@ static int free_dccache(struct ccache_container *ccc) { } _PUBLIC_ int cli_credentials_set_ccache(struct cli_credentials *cred, - struct tevent_context *event_ctx, struct loadparm_context *lp_ctx, const char *name, enum credentials_obtained obtained, @@ -145,7 +143,7 @@ _PUBLIC_ int cli_credentials_set_ccache(struct cli_credentials *cred, return ENOMEM; } - ret = cli_credentials_get_krb5_context(cred, event_ctx, lp_ctx, + ret = cli_credentials_get_krb5_context(cred, lp_ctx, &ccc->smb_krb5_context); if (ret) { (*error_string) = error_message(ret); @@ -204,7 +202,6 @@ _PUBLIC_ int cli_credentials_set_ccache(struct cli_credentials *cred, static int cli_credentials_new_ccache(struct cli_credentials *cred, - struct tevent_context *event_ctx, struct loadparm_context *lp_ctx, char *ccache_name, struct ccache_container **_ccc, @@ -217,7 +214,7 @@ static int cli_credentials_new_ccache(struct cli_credentials *cred, return ENOMEM; } - ret = cli_credentials_get_krb5_context(cred, event_ctx, lp_ctx, + ret = cli_credentials_get_krb5_context(cred, lp_ctx, &ccc->smb_krb5_context); if (ret) { talloc_free(ccc); @@ -294,12 +291,12 @@ _PUBLIC_ int cli_credentials_get_named_ccache(struct cli_credentials *cred, return EINVAL; } - ret = cli_credentials_new_ccache(cred, event_ctx, lp_ctx, ccache_name, ccc, error_string); + ret = cli_credentials_new_ccache(cred, lp_ctx, ccache_name, ccc, error_string); if (ret) { return ret; } - ret = kinit_to_ccache(cred, cred, (*ccc)->smb_krb5_context, (*ccc)->ccache, &obtained, error_string); + ret = kinit_to_ccache(cred, cred, (*ccc)->smb_krb5_context, event_ctx, (*ccc)->ccache, &obtained, error_string); if (ret) { return ret; } @@ -529,7 +526,6 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, */ int cli_credentials_set_client_gss_creds(struct cli_credentials *cred, - struct tevent_context *event_ctx, struct loadparm_context *lp_ctx, gss_cred_id_t gssapi_cred, enum credentials_obtained obtained, 
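Review bot: In cli_credentials_get_named_ccache, `event_ctx` is forwarded to `kinit_to_ccache(...)` without a NULL check. After this commit that argument appears to be the only place the KDC exchange learns which event loop to use. If NULL is not a supported value, reject it before the ccache is created, for example `if (event_ctx == NULL) { (*error_string) = "No event context"; return EINVAL; }`. If NULL is supported, the function's header comment should say so. How kinit_to_ccache treats a NULL event context is not visible in this patch, and the function body starts and ends outside the hunk.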
@@ -549,7 +545,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, return ENOMEM; } - ret = cli_credentials_new_ccache(cred, event_ctx, lp_ctx, NULL, &ccc, error_string); + ret = cli_credentials_new_ccache(cred, lp_ctx, NULL, &ccc, error_string); if (ret != 0) { return ret; } @@ -589,9 +585,8 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, * it will be generated from the password. */ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred, - struct tevent_context *event_ctx, - struct loadparm_context *lp_ctx, - struct keytab_container **_ktc) + struct loadparm_context *lp_ctx, + struct keytab_container **_ktc) { krb5_error_code ret; struct keytab_container *ktc; @@ -608,7 +603,7 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred, return EINVAL; } - ret = cli_credentials_get_krb5_context(cred, event_ctx, lp_ctx, + ret = cli_credentials_get_krb5_context(cred, lp_ctx, &smb_krb5_context); if (ret) { return ret; @@ -640,10 +635,9 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred, * FILE:/etc/krb5.keytab), open it and attach it */ _PUBLIC_ int cli_credentials_set_keytab_name(struct cli_credentials *cred, - struct tevent_context *event_ctx, - struct loadparm_context *lp_ctx, - const char *keytab_name, - enum credentials_obtained obtained) + struct loadparm_context *lp_ctx, + const char *keytab_name, + enum credentials_obtained obtained) { krb5_error_code ret; struct keytab_container *ktc; @@ -654,7 +648,7 @@ _PUBLIC_ int cli_credentials_set_keytab_name(struct cli_credentials *cred, return 0; } - ret = cli_credentials_get_krb5_context(cred, event_ctx, lp_ctx, &smb_krb5_context); + ret = cli_credentials_get_krb5_context(cred, lp_ctx, &smb_krb5_context); if (ret) { return ret; } 
@@ -682,9 +676,8 @@ _PUBLIC_ int cli_credentials_set_keytab_name(struct cli_credentials *cred, /* Get server gss credentials (in gsskrb5, this means the keytab) */ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred, - struct tevent_context *event_ctx, - struct loadparm_context *lp_ctx, - struct gssapi_creds_container **_gcc) + struct loadparm_context *lp_ctx, + struct gssapi_creds_container **_gcc) { int ret = 0; OM_uint32 maj_stat, min_stat; @@ -701,7 +694,7 @@ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred, return ENOMEM; } - ret = cli_credentials_get_krb5_context(cred, event_ctx, lp_ctx, &smb_krb5_context); + ret = cli_credentials_get_krb5_context(cred, lp_ctx, &smb_krb5_context); if (ret) { return ret; } @@ -720,7 +713,7 @@ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred, return 0; } - ret = cli_credentials_get_keytab(cred, event_ctx, lp_ctx, &ktc); + ret = cli_credentials_get_keytab(cred, lp_ctx, &ktc); if (ret) { DEBUG(1, ("Failed to get keytab for GSSAPI server: %s\n", error_message(ret))); return ret; diff --git a/source4/auth/credentials/credentials_krb5.h b/source4/auth/credentials/credentials_krb5.h index 1630b210db..36bf03d5eb 100644 --- a/source4/auth/credentials/credentials_krb5.h +++ b/source4/auth/credentials/credentials_krb5.h @@ -33,7 +33,6 @@ struct gssapi_creds_container { /* Manually prototyped here to avoid needing gss headers in most callers */ int cli_credentials_set_client_gss_creds(struct cli_credentials *cred, - struct tevent_context *event_ctx, struct loadparm_context *lp_ctx, gss_cred_id_t gssapi_cred, enum credentials_obtained obtained, diff --git a/source4/auth/credentials/credentials_secrets.c b/source4/auth/credentials/credentials_secrets.c index 9ffc39c0c3..0f30dc5e1b 100644 --- a/source4/auth/credentials/credentials_secrets.c +++ b/source4/auth/credentials/credentials_secrets.c 
@@ -42,7 +42,6 @@ * @retval NTSTATUS error detailing any failure */ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, - struct tevent_context *event_ctx, struct loadparm_context *lp_ctx, struct ldb_context *ldb, const char *base, @@ -180,7 +179,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, * (chewing CPU time) from the password */ keytab = keytab_name_from_msg(cred, ldb, msg); if (keytab) { - cli_credentials_set_keytab_name(cred, event_ctx, lp_ctx, keytab, CRED_SPECIFIED); + cli_credentials_set_keytab_name(cred, lp_ctx, keytab, CRED_SPECIFIED); talloc_free(keytab); } talloc_free(mem_ctx); @@ -205,9 +204,9 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr * any more */ cred->machine_account_pending = false; filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER, - cli_credentials_get_domain(cred)); - status = cli_credentials_set_secrets(cred, event_context_find(cred), lp_ctx, NULL, - SECRETS_PRIMARY_DOMAIN_DN, + cli_credentials_get_domain(cred)); + status = cli_credentials_set_secrets(cred, lp_ctx, NULL, + SECRETS_PRIMARY_DOMAIN_DN, filter, &error_string); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Could not find machine account in secrets database: %s: %s", nt_errstr(status), error_string)); @@ -223,7 +222,6 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr * @retval NTSTATUS error detailing any failure */ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred, - struct tevent_context *event_ctx, struct loadparm_context *lp_ctx) { NTSTATUS status; 
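Review bot: The return value of `cli_credentials_set_keytab_name(cred, lp_ctx, keytab, CRED_SPECIFIED)` in cli_credentials_set_secrets is discarded. A keytab named in the secrets record that cannot be opened therefore leaves the credentials without it, and with no trace in the log. The comment above the call suggests that keys are then derived from the password, so continuing is probably intended, but the failure should be recorded. Capture the result and log it when it is non-zero, for example `DEBUG(1, ("Could not set keytab %s from secrets record\n", keytab));`. The function body starts and ends outside the hunk.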
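Review bot: In cli_credentials_set_machine_account the result of `talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER, ...)` is passed straight to cli_credentials_set_secrets as `filter`, with no NULL check between the two visible lines. What a NULL filter means to the secrets search is not shown here, so on allocation failure the lookup may behave differently from what the caller expects. Add `if (filter == NULL) { return NT_STATUS_NO_MEMORY; }` before the call. The same pattern appears in the hunks for cli_credentials_set_krbtgt and cli_credentials_set_stored_principal. All three function bodies continue outside their hunks.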
@@ -236,7 +234,7 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred, filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH, cli_credentials_get_realm(cred), cli_credentials_get_domain(cred)); - status = cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, + status = cli_credentials_set_secrets(cred, lp_ctx, NULL, SECRETS_PRINCIPALS_DN, filter, &error_string); if (!NT_STATUS_IS_OK(status)) { @@ -253,7 +251,6 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred, * @retval NTSTATUS error detailing any failure */ _PUBLIC_ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred, - struct tevent_context *event_ctx, struct loadparm_context *lp_ctx, const char *serviceprincipal) { @@ -268,7 +265,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *c cli_credentials_get_realm(cred), cli_credentials_get_domain(cred), serviceprincipal); - status = cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, + status = cli_credentials_set_secrets(cred, lp_ctx, NULL, SECRETS_PRINCIPALS_DN, filter, &error_string); if (!NT_STATUS_IS_OK(status)) { -- cgit
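Review bot: In cli_credentials_set_stored_principal, the caller-supplied `serviceprincipal` goes into the `filter` handed to cli_credentials_set_secrets, and nothing in the visible lines escapes it. If the format string (outside the hunk) places it inside an ldb search expression, characters such as `(`, `)`, `*` and `\` can change the meaning of the search over the secrets database. Formatting `ldb_binary_encode_string(cred, serviceprincipal)` instead of the raw pointer, ideally on a temporary talloc context, keeps the value a literal. The talloc_asprintf call begins outside the hunk, so this needs checking against the actual format string.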