
Annotation of /rpms/samba/sme10/samba-v4-6-fix_winbind_child_crash.patch



Revision 1.2 - (hide annotations) (download)
Wed Aug 9 04:48:52 2023 UTC (12 months ago) by jpp
Branch: MAIN
CVS Tags: HEAD
Changes since 1.1: +0 -0 lines
FILE REMOVED
Initial import

1 jpp 1.1 From 83a4031e1d7fdecc15f9f77aea176d4676ea7a6e Mon Sep 17 00:00:00 2001
2     From: Andreas Schneider <asn@samba.org>
3     Date: Tue, 21 Mar 2017 09:57:30 +0100
4     Subject: [PATCH 1/2] s3:libads: Remove obsolete
5     smb_krb5_get_ntstatus_from_init_creds()
6    
7     There is no way we can get a better error code out of this. The original
8     function called was krb5_get_init_creds_opt_get_error() which has been
9     deprecated in 2008.
10    
11     BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708
12    
13     Signed-off-by: Andreas Schneider <asn@samba.org>
14     Reviewed-by: Uri Simchoni <uri@samba.org>
15     (cherry picked from commit e2028837b958618a66449a77ee628e4e176e521e)
16     ---
17     source3/libads/kerberos.c | 169 ----------------------------------------------
18     1 file changed, 169 deletions(-)
19    
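--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -99,156 +99,6 @@ kerb_prompter(krb5_context ctx, void *da
 return 0;
 }
 
-static bool unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx,
- DATA_BLOB *edata,
- DATA_BLOB *edata_out)
-{
- DATA_BLOB edata_contents;
- ASN1_DATA *data;
- int edata_type;
-
- if (!edata->length) {
- return false;
- }
-
- data = asn1_init(mem_ctx);
- if (data == NULL) {
- return false;
- }
-
- if (!asn1_load(data, *edata)) goto err;
- if (!asn1_start_tag(data, ASN1_SEQUENCE(0))) goto err;
- if (!asn1_start_tag(data, ASN1_CONTEXT(1))) goto err;
- if (!asn1_read_Integer(data, &edata_type)) goto err;
-
- if (edata_type != KRB5_PADATA_PW_SALT) {
- DEBUG(0,("edata is not of required type %d but of type %d\n",
- KRB5_PADATA_PW_SALT, edata_type));
- goto err;
- }
-
- if (!asn1_start_tag(data, ASN1_CONTEXT(2))) goto err;
- if (!asn1_read_OctetString(data, talloc_tos(), &edata_contents)) goto err;
- if (!asn1_end_tag(data)) goto err;
- if (!asn1_end_tag(data)) goto err;
- if (!asn1_end_tag(data)) goto err;
- asn1_free(data);
-
- *edata_out = data_blob_talloc(mem_ctx, edata_contents.data, edata_contents.length);
-
- data_blob_free(&edata_contents);
-
- return true;
-
- err:
-
- asn1_free(data);
- return false;
-}
-
- static bool smb_krb5_get_ntstatus_from_krb5_error(krb5_error *error,
- NTSTATUS *nt_status)
-{
- DATA_BLOB edata;
- DATA_BLOB unwrapped_edata;
- TALLOC_CTX *mem_ctx;
- struct KRB5_EDATA_NTSTATUS parsed_edata;
- enum ndr_err_code ndr_err;
-
-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
- edata = data_blob(error->e_data->data, error->e_data->length);
-#else
- edata = data_blob(error->e_data.data, error->e_data.length);
-#endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */
-
-#ifdef DEVELOPER
- dump_data(10, edata.data, edata.length);
-#endif /* DEVELOPER */
-
- mem_ctx = talloc_init("smb_krb5_get_ntstatus_from_krb5_error");
- if (mem_ctx == NULL) {
- data_blob_free(&edata);
- return False;
- }
-
- if (!unwrap_edata_ntstatus(mem_ctx, &edata, &unwrapped_edata)) {
- data_blob_free(&edata);
- TALLOC_FREE(mem_ctx);
- return False;
- }
-
- data_blob_free(&edata);
-
- ndr_err = ndr_pull_struct_blob_all(&unwrapped_edata, mem_ctx,
- &parsed_edata, (ndr_pull_flags_fn_t)ndr_pull_KRB5_EDATA_NTSTATUS);
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- data_blob_free(&unwrapped_edata);
- TALLOC_FREE(mem_ctx);
- return False;
- }
-
- data_blob_free(&unwrapped_edata);
-
- if (nt_status) {
- *nt_status = parsed_edata.ntstatus;
- }
-
- TALLOC_FREE(mem_ctx);
-
- return True;
-}
-
-static bool smb_krb5_get_ntstatus_from_init_creds(krb5_context ctx,
- krb5_principal client,
- krb5_get_init_creds_opt *opt,
- NTSTATUS *nt_status)
-{
- krb5_init_creds_context icc;
- krb5_error_code code;
-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
- /* HEIMDAL */
- krb5_error error;
-#else
- krb5_error *error = NULL;
-#endif
- bool ok;
-
- code = krb5_init_creds_init(ctx,
- client,
- NULL,
- NULL,
- 0,
- opt,
- &icc);
- if (code != 0) {
- DBG_WARNING("krb5_init_creds_init failed with: %s\n",
- error_message(code));
- return false;
- }
-
- code = krb5_init_creds_get_error(ctx,
- icc,
- &error);
- if (code != 0) {
- DBG_WARNING("krb5_init_creds_get_error failed with: %s\n",
- error_message(code));
- return false;
- }
- krb5_init_creds_free(ctx, icc);
-
-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
- ok = smb_krb5_get_ntstatus_from_krb5_error(&error, nt_status);
-
- krb5_free_error_contents(ctx, &error);
-#else
- ok = smb_krb5_get_ntstatus_from_krb5_error(error, nt_status);
-
- krb5_free_error(ctx, error);
-#endif
-
- return ok;
-}
-
 /*
 simulate a kinit, putting the tgt in the given cache location. If cache_name == NULL
 place in default cache location.
@@ -356,31 +206,12 @@ int kerberos_kinit_password_ext(const ch
 }
 out:
 if (ntstatus) {
-
- NTSTATUS status;
-
 /* fast path */
 if (code == 0) {
 *ntstatus = NT_STATUS_OK;
 goto cleanup;
 }
 
- /* try to get ntstatus code out of krb5_error when we have it
- * inside the krb5_get_init_creds_opt - gd */
-
- if (opt != NULL) {
- bool ok;
-
- ok = smb_krb5_get_ntstatus_from_init_creds(ctx,
- me,
- opt,
- &status);
- if (ok) {
- *ntstatus = status;
- goto cleanup;
- }
- }
-
 /* fall back to self-made-mapping */
 *ntstatus = krb5_to_nt_status(code);
 }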
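--- a/nsswitch/tests/test_wbinfo.sh
+++ b/nsswitch/tests/test_wbinfo.sh
@@ -254,6 +254,10 @@ testit "wbinfo -K against $TARGET with d
 
 testit "wbinfo --separator against $TARGET" $wbinfo --separator || failed=`expr $failed + 1`
 
+testit_expect_failure "wbinfo -a against $TARGET with invalid password" $wbinfo -a "$DOMAIN/$USERNAME%InvalidPassword" && failed=`expr $failed + 1`
+
+testit_expect_failure "wbinfo -K against $TARGET with invalid password" $wbinfo -K "$DOMAIN/$USERNAME%InvalidPassword" && failed=`expr $failed + 1`
+
 rm -f $KRB5CCNAME_PATH
 
 exit $failed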
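Review bot: The two added `testit_expect_failure` cases assert only that `wbinfo -a` and `wbinfo -K` exit non-zero, so a clean rejection of the bad password and a winbind process dying while handling it would presumably both count as a pass. Because these are the last checks before `rm -f $KRB5CCNAME_PATH`, nothing later in the script would notice the second outcome. Consider also checking the error that wbinfo reports, or following each case with a liveness probe such as `testit "wbinfo -p after invalid password" $wbinfo -p || failed=$(expr $failed + 1)`; note that a ping only shows the parent daemon is still answering. `testit_expect_failure` is defined outside this hunk, so the `&&` idiom is assumed to rely on it returning the command's exit status.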
