| 1 |
From 83a4031e1d7fdecc15f9f77aea176d4676ea7a6e Mon Sep 17 00:00:00 2001 |
| 2 |
From: Andreas Schneider <asn@samba.org> |
| 3 |
Date: Tue, 21 Mar 2017 09:57:30 +0100 |
| 4 |
Subject: [PATCH 1/2] s3:libads: Remove obsolete |
| 5 |
smb_krb5_get_ntstatus_from_init_creds() |
| 6 |
|
| 7 |
There is no way we can get a better error code out of this. The original |
| 8 |
function called was krb5_get_init_creds_opt_get_error() which has been |
| 9 |
deprecated in 2008. |
| 10 |
|
| 11 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708 |
| 12 |
|
| 13 |
Signed-off-by: Andreas Schneider <asn@samba.org> |
| 14 |
Reviewed-by: Uri Simchoni <uri@samba.org> |
| 15 |
(cherry picked from commit e2028837b958618a66449a77ee628e4e176e521e) |
| 16 |
--- |
| 17 |
source3/libads/kerberos.c | 169 ---------------------------------------------- |
| 18 |
1 file changed, 169 deletions(-) |
| 19 |
|
| 20 |
Index: samba-4.6.2/source3/libads/kerberos.c |
| 21 |
=================================================================== |
| 22 |
--- samba-4.6.2.orig/source3/libads/kerberos.c |
| 23 |
+++ samba-4.6.2/source3/libads/kerberos.c |
| 24 |
@@ -99,156 +99,6 @@ kerb_prompter(krb5_context ctx, void *da |
| 25 |
return 0; |
| 26 |
} |
| 27 |
|
| 28 |
-static bool unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx, |
| 29 |
- DATA_BLOB *edata, |
| 30 |
- DATA_BLOB *edata_out) |
| 31 |
-{ |
| 32 |
- DATA_BLOB edata_contents; |
| 33 |
- ASN1_DATA *data; |
| 34 |
- int edata_type; |
| 35 |
- |
| 36 |
- if (!edata->length) { |
| 37 |
- return false; |
| 38 |
- } |
| 39 |
- |
| 40 |
- data = asn1_init(mem_ctx); |
| 41 |
- if (data == NULL) { |
| 42 |
- return false; |
| 43 |
- } |
| 44 |
- |
| 45 |
- if (!asn1_load(data, *edata)) goto err; |
| 46 |
- if (!asn1_start_tag(data, ASN1_SEQUENCE(0))) goto err; |
| 47 |
- if (!asn1_start_tag(data, ASN1_CONTEXT(1))) goto err; |
| 48 |
- if (!asn1_read_Integer(data, &edata_type)) goto err; |
| 49 |
- |
| 50 |
- if (edata_type != KRB5_PADATA_PW_SALT) { |
| 51 |
- DEBUG(0,("edata is not of required type %d but of type %d\n", |
| 52 |
- KRB5_PADATA_PW_SALT, edata_type)); |
| 53 |
- goto err; |
| 54 |
- } |
| 55 |
- |
| 56 |
- if (!asn1_start_tag(data, ASN1_CONTEXT(2))) goto err; |
| 57 |
- if (!asn1_read_OctetString(data, talloc_tos(), &edata_contents)) goto err; |
| 58 |
- if (!asn1_end_tag(data)) goto err; |
| 59 |
- if (!asn1_end_tag(data)) goto err; |
| 60 |
- if (!asn1_end_tag(data)) goto err; |
| 61 |
- asn1_free(data); |
| 62 |
- |
| 63 |
- *edata_out = data_blob_talloc(mem_ctx, edata_contents.data, edata_contents.length); |
| 64 |
- |
| 65 |
- data_blob_free(&edata_contents); |
| 66 |
- |
| 67 |
- return true; |
| 68 |
- |
| 69 |
- err: |
| 70 |
- |
| 71 |
- asn1_free(data); |
| 72 |
- return false; |
| 73 |
-} |
| 74 |
- |
| 75 |
- static bool smb_krb5_get_ntstatus_from_krb5_error(krb5_error *error, |
| 76 |
- NTSTATUS *nt_status) |
| 77 |
-{ |
| 78 |
- DATA_BLOB edata; |
| 79 |
- DATA_BLOB unwrapped_edata; |
| 80 |
- TALLOC_CTX *mem_ctx; |
| 81 |
- struct KRB5_EDATA_NTSTATUS parsed_edata; |
| 82 |
- enum ndr_err_code ndr_err; |
| 83 |
- |
| 84 |
-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR |
| 85 |
- edata = data_blob(error->e_data->data, error->e_data->length); |
| 86 |
-#else |
| 87 |
- edata = data_blob(error->e_data.data, error->e_data.length); |
| 88 |
-#endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */ |
| 89 |
- |
| 90 |
-#ifdef DEVELOPER |
| 91 |
- dump_data(10, edata.data, edata.length); |
| 92 |
-#endif /* DEVELOPER */ |
| 93 |
- |
| 94 |
- mem_ctx = talloc_init("smb_krb5_get_ntstatus_from_krb5_error"); |
| 95 |
- if (mem_ctx == NULL) { |
| 96 |
- data_blob_free(&edata); |
| 97 |
- return False; |
| 98 |
- } |
| 99 |
- |
| 100 |
- if (!unwrap_edata_ntstatus(mem_ctx, &edata, &unwrapped_edata)) { |
| 101 |
- data_blob_free(&edata); |
| 102 |
- TALLOC_FREE(mem_ctx); |
| 103 |
- return False; |
| 104 |
- } |
| 105 |
- |
| 106 |
- data_blob_free(&edata); |
| 107 |
- |
| 108 |
- ndr_err = ndr_pull_struct_blob_all(&unwrapped_edata, mem_ctx, |
| 109 |
- &parsed_edata, (ndr_pull_flags_fn_t)ndr_pull_KRB5_EDATA_NTSTATUS); |
| 110 |
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { |
| 111 |
- data_blob_free(&unwrapped_edata); |
| 112 |
- TALLOC_FREE(mem_ctx); |
| 113 |
- return False; |
| 114 |
- } |
| 115 |
- |
| 116 |
- data_blob_free(&unwrapped_edata); |
| 117 |
- |
| 118 |
- if (nt_status) { |
| 119 |
- *nt_status = parsed_edata.ntstatus; |
| 120 |
- } |
| 121 |
- |
| 122 |
- TALLOC_FREE(mem_ctx); |
| 123 |
- |
| 124 |
- return True; |
| 125 |
-} |
| 126 |
- |
| 127 |
-static bool smb_krb5_get_ntstatus_from_init_creds(krb5_context ctx, |
| 128 |
- krb5_principal client, |
| 129 |
- krb5_get_init_creds_opt *opt, |
| 130 |
- NTSTATUS *nt_status) |
| 131 |
-{ |
| 132 |
- krb5_init_creds_context icc; |
| 133 |
- krb5_error_code code; |
| 134 |
-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR |
| 135 |
- /* HEIMDAL */ |
| 136 |
- krb5_error error; |
| 137 |
-#else |
| 138 |
- krb5_error *error = NULL; |
| 139 |
-#endif |
| 140 |
- bool ok; |
| 141 |
- |
| 142 |
- code = krb5_init_creds_init(ctx, |
| 143 |
- client, |
| 144 |
- NULL, |
| 145 |
- NULL, |
| 146 |
- 0, |
| 147 |
- opt, |
| 148 |
- &icc); |
| 149 |
- if (code != 0) { |
| 150 |
- DBG_WARNING("krb5_init_creds_init failed with: %s\n", |
| 151 |
- error_message(code)); |
| 152 |
- return false; |
| 153 |
- } |
| 154 |
- |
| 155 |
- code = krb5_init_creds_get_error(ctx, |
| 156 |
- icc, |
| 157 |
- &error); |
| 158 |
- if (code != 0) { |
| 159 |
- DBG_WARNING("krb5_init_creds_get_error failed with: %s\n", |
| 160 |
- error_message(code)); |
| 161 |
- return false; |
| 162 |
- } |
| 163 |
- krb5_init_creds_free(ctx, icc); |
| 164 |
- |
| 165 |
-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR |
| 166 |
- ok = smb_krb5_get_ntstatus_from_krb5_error(&error, nt_status); |
| 167 |
- |
| 168 |
- krb5_free_error_contents(ctx, &error); |
| 169 |
-#else |
| 170 |
- ok = smb_krb5_get_ntstatus_from_krb5_error(error, nt_status); |
| 171 |
- |
| 172 |
- krb5_free_error(ctx, error); |
| 173 |
-#endif |
| 174 |
- |
| 175 |
- return ok; |
| 176 |
-} |
| 177 |
- |
| 178 |
/* |
| 179 |
simulate a kinit, putting the tgt in the given cache location. If cache_name == NULL |
| 180 |
place in default cache location. |
| 181 |
@@ -356,31 +206,12 @@ int kerberos_kinit_password_ext(const ch |
| 182 |
} |
| 183 |
out: |
| 184 |
if (ntstatus) { |
| 185 |
- |
| 186 |
- NTSTATUS status; |
| 187 |
- |
| 188 |
/* fast path */ |
| 189 |
if (code == 0) { |
| 190 |
*ntstatus = NT_STATUS_OK; |
| 191 |
goto cleanup; |
| 192 |
} |
| 193 |
|
| 194 |
- /* try to get ntstatus code out of krb5_error when we have it |
| 195 |
- * inside the krb5_get_init_creds_opt - gd */ |
| 196 |
- |
| 197 |
- if (opt != NULL) { |
| 198 |
- bool ok; |
| 199 |
- |
| 200 |
- ok = smb_krb5_get_ntstatus_from_init_creds(ctx, |
| 201 |
- me, |
| 202 |
- opt, |
| 203 |
- &status); |
| 204 |
- if (ok) { |
| 205 |
- *ntstatus = status; |
| 206 |
- goto cleanup; |
| 207 |
- } |
| 208 |
- } |
| 209 |
- |
| 210 |
/* fall back to self-made-mapping */ |
| 211 |
*ntstatus = krb5_to_nt_status(code); |
| 212 |
} |
| 213 |
Index: samba-4.6.2/nsswitch/tests/test_wbinfo.sh |
| 214 |
=================================================================== |
| 215 |
--- samba-4.6.2.orig/nsswitch/tests/test_wbinfo.sh |
| 216 |
+++ samba-4.6.2/nsswitch/tests/test_wbinfo.sh |
| 217 |
@@ -254,6 +254,10 @@ testit "wbinfo -K against $TARGET with d |
| 218 |
|
| 219 |
testit "wbinfo --separator against $TARGET" $wbinfo --separator || failed=`expr $failed + 1` |
| 220 |
|
| 221 |
+testit_expect_failure "wbinfo -a against $TARGET with invalid password" $wbinfo -a "$DOMAIN/$USERNAME%InvalidPassword" && failed=`expr $failed + 1` |
| 222 |
+ |
| 223 |
+testit_expect_failure "wbinfo -K against $TARGET with invalid password" $wbinfo -K "$DOMAIN/$USERNAME%InvalidPassword" && failed=`expr $failed + 1` |
| 224 |
+ |
| 225 |
rm -f $KRB5CCNAME_PATH |
| 226 |
|
| 227 |
exit $failed |
Parent Directory
| 
Revision Log
| 
Revision Graph
