You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
411 lines
14 KiB
411 lines
14 KiB
From a32bef9d1193e2bc253b7af8f4d0adb6476937f5 Mon Sep 17 00:00:00 2001 |
|
From: Samuel Cabrero <scabrero@suse.de> |
|
Date: Tue, 22 Feb 2022 12:59:44 +0100 |
|
Subject: [PATCH 1/6] s3:libads: Fix memory leak in kerberos_return_pac() error |
|
path |
|
|
|
Signed-off-by: Samuel Cabrero <scabrero@samba.org> |
|
Reviewed-by: Stefan Metzmacher <metze@samba.org> |
|
Reviewed-by: Andreas Schneider <asn@samba.org> |
|
(cherry picked from commit 3dbcd20de98cd28683a9c248368e5082b6388111) |
|
--- |
|
source3/libads/authdata.c | 11 ++++++++--- |
|
1 file changed, 8 insertions(+), 3 deletions(-) |
|
|
|
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c |
|
index dd21d895fc2..c048510d480 100644 |
|
--- a/source3/libads/authdata.c |
|
+++ b/source3/libads/authdata.c |
|
@@ -61,7 +61,10 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, |
|
{ |
|
krb5_error_code ret; |
|
NTSTATUS status = NT_STATUS_INVALID_PARAMETER; |
|
- DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1; |
|
+ DATA_BLOB tkt = data_blob_null; |
|
+ DATA_BLOB tkt_wrapped = data_blob_null; |
|
+ DATA_BLOB ap_rep = data_blob_null; |
|
+ DATA_BLOB sesskey1 = data_blob_null; |
|
const char *auth_princ = NULL; |
|
const char *cc = "MEMORY:kerberos_return_pac"; |
|
struct auth_session_info *session_info; |
|
@@ -81,7 +84,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, |
|
ZERO_STRUCT(sesskey1); |
|
|
|
if (!name || !pass) { |
|
- return NT_STATUS_INVALID_PARAMETER; |
|
+ status = NT_STATUS_INVALID_PARAMETER; |
|
+ goto out; |
|
} |
|
|
|
if (cache_name) { |
|
@@ -131,7 +135,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, |
|
|
|
if (expire_time && renew_till_time && |
|
(*expire_time == 0) && (*renew_till_time == 0)) { |
|
- return NT_STATUS_INVALID_LOGON_TYPE; |
|
+ status = NT_STATUS_INVALID_LOGON_TYPE; |
|
+ goto out; |
|
} |
|
|
|
ret = ads_krb5_cli_get_ticket(mem_ctx, |
|
-- |
|
2.35.1 |
|
|
|
|
|
From d5a800beb60ee0b9310fa073c2e06a7dcbe65d5e Mon Sep 17 00:00:00 2001 |
|
From: Samuel Cabrero <scabrero@suse.de> |
|
Date: Tue, 22 Feb 2022 13:00:05 +0100 |
|
Subject: [PATCH 2/6] lib:krb5_wrap: Improve debug message and use newer debug |
|
macro |
|
|
|
Signed-off-by: Samuel Cabrero <scabrero@samba.org> |
|
Reviewed-by: Stefan Metzmacher <metze@samba.org> |
|
Reviewed-by: Andreas Schneider <asn@samba.org> |
|
(cherry picked from commit ed14513be055cc56eb39785323df2c538a813865) |
|
--- |
|
lib/krb5_wrap/krb5_samba.c | 2 +- |
|
1 file changed, 1 insertion(+), 1 deletion(-) |
|
|
|
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c |
|
index fff5b4e2a22..42d4b950f80 100644 |
|
--- a/lib/krb5_wrap/krb5_samba.c |
|
+++ b/lib/krb5_wrap/krb5_samba.c |
|
@@ -1079,7 +1079,7 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, |
|
goto done; |
|
} |
|
|
|
- DEBUG(10,("smb_krb5_renew_ticket: using %s as ccache\n", ccache_string)); |
|
+ DBG_DEBUG("Using %s as ccache for '%s'\n", ccache_string, client_string); |
|
|
|
/* FIXME: we should not fall back to defaults */ |
|
ret = krb5_cc_resolve(context, discard_const_p(char, ccache_string), &ccache); |
|
-- |
|
2.35.1 |
|
|
|
|
|
From 79d08465f66df67b69fdafed8eec48290acf24b9 Mon Sep 17 00:00:00 2001 |
|
From: Samuel Cabrero <scabrero@suse.de> |
|
Date: Tue, 22 Feb 2022 14:28:28 +0100 |
|
Subject: [PATCH 3/6] lib:krb5_wrap: Fix wrong debug message and use newer |
|
debug macro |
|
|
|
Signed-off-by: Samuel Cabrero <scabrero@samba.org> |
|
Reviewed-by: Stefan Metzmacher <metze@samba.org> |
|
Reviewed-by: Andreas Schneider <asn@samba.org> |
|
(cherry picked from commit 1b5b4107a5081f15ba215f3025056d509fcfcf2a) |
|
--- |
|
lib/krb5_wrap/krb5_samba.c | 5 ++++- |
|
1 file changed, 4 insertions(+), 1 deletion(-) |
|
|
|
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c |
|
index 42d4b950f80..76c2dcd2126 100644 |
|
--- a/lib/krb5_wrap/krb5_samba.c |
|
+++ b/lib/krb5_wrap/krb5_samba.c |
|
@@ -1101,7 +1101,10 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, |
|
|
|
ret = krb5_get_renewed_creds(context, &creds, client, ccache, discard_const_p(char, service_string)); |
|
if (ret) { |
|
- DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret))); |
|
+ DBG_DEBUG("krb5_get_renewed_creds using ccache '%s' " |
|
+ "for client '%s' and service '%s' failed: %s\n", |
|
+ ccache_string, client_string, service_string, |
|
+ error_message(ret)); |
|
goto done; |
|
} |
|
|
|
-- |
|
2.35.1 |
|
|
|
|
|
From 00418e5b78fa4361c0386c13374154d310426f77 Mon Sep 17 00:00:00 2001 |
|
From: Samuel Cabrero <scabrero@suse.de> |
|
Date: Tue, 22 Feb 2022 13:08:56 +0100 |
|
Subject: [PATCH 4/6] s3:libads: Return canonical principal and realm from |
|
kerberos_return_pac() |
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979 |
|
|
|
Signed-off-by: Samuel Cabrero <scabrero@samba.org> |
|
Reviewed-by: Stefan Metzmacher <metze@samba.org> |
|
Reviewed-by: Andreas Schneider <asn@samba.org> |
|
(cherry picked from commit 00b1f44a7e8f66976757535bcbc6bea97fb1c29f) |
|
--- |
|
source3/libads/authdata.c | 22 +++++++++++++++++++++- |
|
source3/libads/kerberos_proto.h | 2 ++ |
|
source3/utils/net_ads.c | 2 ++ |
|
source3/winbindd/winbindd_pam.c | 2 ++ |
|
4 files changed, 27 insertions(+), 1 deletion(-) |
|
|
|
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c |
|
index c048510d480..bf9a2335445 100644 |
|
--- a/source3/libads/authdata.c |
|
+++ b/source3/libads/authdata.c |
|
@@ -57,6 +57,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, |
|
time_t renewable_time, |
|
const char *impersonate_princ_s, |
|
const char *local_service, |
|
+ char **_canon_principal, |
|
+ char **_canon_realm, |
|
struct PAC_DATA_CTR **_pac_data_ctr) |
|
{ |
|
krb5_error_code ret; |
|
@@ -75,6 +77,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, |
|
struct auth4_context *auth_context; |
|
struct loadparm_context *lp_ctx; |
|
struct PAC_DATA_CTR *pac_data_ctr = NULL; |
|
+ char *canon_principal = NULL; |
|
+ char *canon_realm = NULL; |
|
|
|
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); |
|
NT_STATUS_HAVE_NO_MEMORY(tmp_ctx); |
|
@@ -88,6 +92,14 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, |
|
goto out; |
|
} |
|
|
|
+ if (_canon_principal != NULL) { |
|
+ *_canon_principal = NULL; |
|
+ } |
|
+ |
|
+ if (_canon_realm != NULL) { |
|
+ *_canon_realm = NULL; |
|
+ } |
|
+ |
|
if (cache_name) { |
|
cc = cache_name; |
|
} |
|
@@ -109,7 +121,9 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, |
|
request_pac, |
|
add_netbios_addr, |
|
renewable_time, |
|
- NULL, NULL, NULL, |
|
+ tmp_ctx, |
|
+ &canon_principal, |
|
+ &canon_realm, |
|
&status); |
|
if (ret) { |
|
DEBUG(1,("kinit failed for '%s' with: %s (%d)\n", |
|
@@ -243,6 +257,12 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, |
|
} |
|
|
|
*_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr); |
|
+ if (_canon_principal != NULL) { |
|
+ *_canon_principal = talloc_move(mem_ctx, &canon_principal); |
|
+ } |
|
+ if (_canon_realm != NULL) { |
|
+ *_canon_realm = talloc_move(mem_ctx, &canon_realm); |
|
+ } |
|
|
|
out: |
|
talloc_free(tmp_ctx); |
|
diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h |
|
index 3d7b5bc074b..807381248c8 100644 |
|
--- a/source3/libads/kerberos_proto.h |
|
+++ b/source3/libads/kerberos_proto.h |
|
@@ -78,6 +78,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, |
|
time_t renewable_time, |
|
const char *impersonate_princ_s, |
|
const char *local_service, |
|
+ char **_canon_principal, |
|
+ char **_canon_realm, |
|
struct PAC_DATA_CTR **pac_data_ctr); |
|
|
|
/* The following definitions come from libads/krb5_setpw.c */ |
|
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c |
|
index 8f993f9ba4c..c41fb0afe9c 100644 |
|
--- a/source3/utils/net_ads.c |
|
+++ b/source3/utils/net_ads.c |
|
@@ -3273,6 +3273,8 @@ static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const ch |
|
2592000, /* one month */ |
|
impersonate_princ_s, |
|
local_service, |
|
+ NULL, |
|
+ NULL, |
|
pac_data_ctr); |
|
if (!NT_STATUS_IS_OK(status)) { |
|
d_printf(_("failed to query kerberos PAC: %s\n"), |
|
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c |
|
index 7606bfb4ecd..025a5cbc111 100644 |
|
--- a/source3/winbindd/winbindd_pam.c |
|
+++ b/source3/winbindd/winbindd_pam.c |
|
@@ -789,6 +789,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, |
|
WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, |
|
NULL, |
|
local_service, |
|
+ NULL, |
|
+ NULL, |
|
&pac_data_ctr); |
|
if (user_ccache_file != NULL) { |
|
gain_root_privilege(); |
|
-- |
|
2.35.1 |
|
|
|
|
|
From d754753ab8edf6dde241d91442fe6afba8993de5 Mon Sep 17 00:00:00 2001 |
|
From: Samuel Cabrero <scabrero@suse.de> |
|
Date: Tue, 22 Feb 2022 13:19:02 +0100 |
|
Subject: [PATCH 5/6] s3:winbind: Store canonical principal and realm in ccache |
|
entry |
|
|
|
They will be used later to refresh the tickets. |
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979 |
|
|
|
Signed-off-by: Samuel Cabrero <scabrero@samba.org> |
|
Reviewed-by: Stefan Metzmacher <metze@samba.org> |
|
Reviewed-by: Andreas Schneider <asn@samba.org> |
|
(cherry picked from commit 0f4f330773d272b4d28ff3ba5a41bdd4ba569c8b) |
|
--- |
|
source3/winbindd/winbindd.h | 2 ++ |
|
source3/winbindd/winbindd_cred_cache.c | 16 +++++++++++++++- |
|
source3/winbindd/winbindd_pam.c | 14 ++++++++++---- |
|
source3/winbindd/winbindd_proto.h | 4 +++- |
|
4 files changed, 30 insertions(+), 6 deletions(-) |
|
|
|
diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h |
|
index a6b2238cec1..dac4a1fa927 100644 |
|
--- a/source3/winbindd/winbindd.h |
|
+++ b/source3/winbindd/winbindd.h |
|
@@ -344,6 +344,8 @@ struct WINBINDD_CCACHE_ENTRY { |
|
const char *service; |
|
const char *username; |
|
const char *realm; |
|
+ const char *canon_principal; |
|
+ const char *canon_realm; |
|
struct WINBINDD_MEMORY_CREDS *cred_ptr; |
|
int ref_count; |
|
uid_t uid; |
|
diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c |
|
index c3077e21989..88847b1ab97 100644 |
|
--- a/source3/winbindd/winbindd_cred_cache.c |
|
+++ b/source3/winbindd/winbindd_cred_cache.c |
|
@@ -501,7 +501,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name, |
|
time_t create_time, |
|
time_t ticket_end, |
|
time_t renew_until, |
|
- bool postponed_request) |
|
+ bool postponed_request, |
|
+ const char *canon_principal, |
|
+ const char *canon_realm) |
|
{ |
|
struct WINBINDD_CCACHE_ENTRY *entry = NULL; |
|
struct timeval t; |
|
@@ -617,6 +619,18 @@ NTSTATUS add_ccache_to_list(const char *princ_name, |
|
goto no_mem; |
|
} |
|
} |
|
+ if (canon_principal != NULL) { |
|
+ entry->canon_principal = talloc_strdup(entry, canon_principal); |
|
+ if (entry->canon_principal == NULL) { |
|
+ goto no_mem; |
|
+ } |
|
+ } |
|
+ if (canon_realm != NULL) { |
|
+ entry->canon_realm = talloc_strdup(entry, canon_realm); |
|
+ if (entry->canon_realm == NULL) { |
|
+ goto no_mem; |
|
+ } |
|
+ } |
|
|
|
entry->ccname = talloc_strdup(entry, ccname); |
|
if (!entry->ccname) { |
|
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c |
|
index 025a5cbc111..a24cef78440 100644 |
|
--- a/source3/winbindd/winbindd_pam.c |
|
+++ b/source3/winbindd/winbindd_pam.c |
|
@@ -687,6 +687,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, |
|
const char *local_service; |
|
uint32_t i; |
|
struct netr_SamInfo6 *info6_copy = NULL; |
|
+ char *canon_principal = NULL; |
|
+ char *canon_realm = NULL; |
|
bool ok; |
|
|
|
*info6 = NULL; |
|
@@ -789,8 +791,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, |
|
WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, |
|
NULL, |
|
local_service, |
|
- NULL, |
|
- NULL, |
|
+ &canon_principal, |
|
+ &canon_realm, |
|
&pac_data_ctr); |
|
if (user_ccache_file != NULL) { |
|
gain_root_privilege(); |
|
@@ -856,7 +858,9 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, |
|
time(NULL), |
|
ticket_lifetime, |
|
renewal_until, |
|
- false); |
|
+ false, |
|
+ canon_principal, |
|
+ canon_realm); |
|
|
|
if (!NT_STATUS_IS_OK(result)) { |
|
DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n", |
|
@@ -1233,7 +1237,9 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, |
|
time(NULL), |
|
time(NULL) + lp_winbind_cache_time(), |
|
time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, |
|
- true); |
|
+ true, |
|
+ principal_s, |
|
+ realm); |
|
|
|
if (!NT_STATUS_IS_OK(result)) { |
|
DEBUG(10,("winbindd_dual_pam_auth_cached: failed " |
|
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h |
|
index c0d653a6d77..16c23f3de40 100644 |
|
--- a/source3/winbindd/winbindd_proto.h |
|
+++ b/source3/winbindd/winbindd_proto.h |
|
@@ -236,7 +236,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name, |
|
time_t create_time, |
|
time_t ticket_end, |
|
time_t renew_until, |
|
- bool postponed_request); |
|
+ bool postponed_request, |
|
+ const char *canon_principal, |
|
+ const char *canon_realm); |
|
NTSTATUS remove_ccache(const char *username); |
|
struct WINBINDD_MEMORY_CREDS *find_memory_creds_by_name(const char *username); |
|
NTSTATUS winbindd_add_memory_creds(const char *username, |
|
-- |
|
2.35.1 |
|
|
|
|
|
From 82452eb54758de50700776fb92b7e7af892fdaea Mon Sep 17 00:00:00 2001 |
|
From: Samuel Cabrero <scabrero@suse.de> |
|
Date: Tue, 22 Feb 2022 14:28:44 +0100 |
|
Subject: [PATCH 6/6] s3:winbind: Use the canonical principal name to renew the |
|
credentials |
|
|
|
The principal name stored in the winbindd ccache entry might be an |
|
enterprise principal name if enterprise principals are enabled. Use |
|
the canonical name to renew the credentials. |
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979 |
|
|
|
Signed-off-by: Samuel Cabrero <scabrero@samba.org> |
|
Reviewed-by: Stefan Metzmacher <metze@samba.org> |
|
Reviewed-by: Andreas Schneider <asn@samba.org> |
|
(cherry picked from commit 8246ccc23d064147412bb3475e6431a9fffc0d27) |
|
--- |
|
source3/winbindd/winbindd_cred_cache.c | 2 +- |
|
1 file changed, 1 insertion(+), 1 deletion(-) |
|
|
|
diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c |
|
index 88847b1ab97..6c65db6a73f 100644 |
|
--- a/source3/winbindd/winbindd_cred_cache.c |
|
+++ b/source3/winbindd/winbindd_cred_cache.c |
|
@@ -209,7 +209,7 @@ rekinit: |
|
set_effective_uid(entry->uid); |
|
|
|
ret = smb_krb5_renew_ticket(entry->ccname, |
|
- entry->principal_name, |
|
+ entry->canon_principal, |
|
entry->service, |
|
&new_start); |
|
#if defined(DEBUG_KRB5_TKT_RENEWAL) |
|
-- |
|
2.35.1 |
|
|
|
|