| 1 |
From 334a4870cbbfefcd09c10f432a320ceaac29a14a Mon Sep 17 00:00:00 2001 |
| 2 |
From: Alexander Bokovoy <ab@samba.org> |
| 3 |
Date: Fri, 3 Mar 2017 17:08:09 +0200 |
| 4 |
Subject: [PATCH 1/6] gssapi: check for gss_acquire_cred_from |
| 5 |
|
| 6 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611 |
| 7 |
|
| 8 |
Signed-off-by: Alexander Bokovoy <ab@samba.org> |
| 9 |
Reviewed-by: Stefan Metzmacher <metze@samba.org> |
| 10 |
(cherry picked from commit d630a364f9d74443e482934f76cd7107c331e108) |
| 11 |
--- |
| 12 |
wscript_configure_system_mitkrb5 | 1 + |
| 13 |
1 file changed, 1 insertion(+) |
| 14 |
|
| 15 |
diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5 |
| 16 |
index 06a9821..d3e8ebf 100644 |
| 17 |
--- a/wscript_configure_system_mitkrb5 |
| 18 |
+++ b/wscript_configure_system_mitkrb5 |
| 19 |
@@ -92,6 +92,7 @@ conf.CHECK_FUNCS_IN(''' |
| 20 |
gsskrb5_extract_authz_data_from_sec_context |
| 21 |
gss_krb5_export_lucid_sec_context |
| 22 |
gss_import_cred gss_export_cred |
| 23 |
+ gss_acquire_cred_from |
| 24 |
''', 'gssapi gssapi_krb5') |
| 25 |
conf.CHECK_VARIABLE('GSS_KRB5_CRED_NO_CI_FLAGS_X', headers=possible_gssapi_headers) |
| 26 |
conf.CHECK_FUNCS_IN('krb5_mk_req_extended krb5_kt_compare', 'krb5') |
| 27 |
-- |
| 28 |
2.9.3 |
| 29 |
|
| 30 |
|
| 31 |
From 4b4a95436a56ee91e6bef8e905656c387ce2f62c Mon Sep 17 00:00:00 2001 |
| 32 |
From: Alexander Bokovoy <ab@samba.org> |
| 33 |
Date: Fri, 3 Mar 2017 16:14:57 +0200 |
| 34 |
Subject: [PATCH 2/6] lib/krb5_wrap: add smb_gss_krb5_import_cred wrapper |
| 35 |
|
| 36 |
Wrap gss_krb5_import_cred() to allow re-implementing it with |
| 37 |
gss_acquire_cred_from() for newer MIT versions. gss_acquire_cred_from() |
| 38 |
works fine with GSSAPI interposer (GSS-proxy) while |
| 39 |
gss_krb5_import_cred() is not interposed yet. |
| 40 |
|
| 41 |
The wrapper has additional parameter, krb5_context handle, to facilitate |
| 42 |
with credentials cache name discovery. All our callers to |
| 43 |
gss_krb5_import_cred() already have krb5 context handy. |
| 44 |
|
| 45 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611 |
| 46 |
|
| 47 |
Signed-off-by: Alexander Bokovoy <ab@samba.org> |
| 48 |
Reviewed-by: Stefan Metzmacher <metze@samba.org> |
| 49 |
(cherry picked from commit 0e6e8dd2600c699a7a02e3d11fed21b5bc49858d) |
| 50 |
--- |
| 51 |
lib/krb5_wrap/gss_samba.c | 121 ++++++++++++++++++++++++++++++++++++++++++++++ |
| 52 |
lib/krb5_wrap/gss_samba.h | 13 +++++ |
| 53 |
2 files changed, 134 insertions(+) |
| 54 |
|
| 55 |
diff --git a/lib/krb5_wrap/gss_samba.c b/lib/krb5_wrap/gss_samba.c |
| 56 |
index b444633..757ffc5 100644 |
| 57 |
--- a/lib/krb5_wrap/gss_samba.c |
| 58 |
+++ b/lib/krb5_wrap/gss_samba.c |
| 59 |
@@ -48,4 +48,125 @@ int smb_gss_oid_equal(const gss_OID first_oid, const gss_OID second_oid) |
| 60 |
} |
| 61 |
#endif /* !HAVE_GSS_OID_EQUAL */ |
| 62 |
|
| 63 |
+ |
| 64 |
+/* wrapper around gss_krb5_import_cred() that prefers to use gss_acquire_cred_from() |
| 65 |
+ * if this GSSAPI extension is available. gss_acquire_cred_from() is properly |
| 66 |
+ * interposed by GSSPROXY while gss_krb5_import_cred() is not. |
| 67 |
+ * |
| 68 |
+ * This wrapper requires a proper krb5_context to resolve ccache name. |
| 69 |
+ * All gss_krb5_import_cred() callers in Samba already have krb5_context available. */ |
| 70 |
+uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx, |
| 71 |
+ krb5_ccache id, krb5_principal keytab_principal, |
| 72 |
+ krb5_keytab keytab, gss_cred_id_t *cred) |
| 73 |
+{ |
| 74 |
+ uint32_t major_status = 0; |
| 75 |
+ |
| 76 |
+#if HAVE_GSS_ACQUIRE_CRED_FROM |
| 77 |
+ uint32_t minor = 0; |
| 78 |
+ gss_key_value_element_desc ccache_element = { |
| 79 |
+ .key = "ccache", |
| 80 |
+ .value = NULL, |
| 81 |
+ }; |
| 82 |
+ |
| 83 |
+ gss_key_value_element_desc keytab_element = { |
| 84 |
+ .key = "keytab", |
| 85 |
+ .value = NULL, |
| 86 |
+ }; |
| 87 |
+ |
| 88 |
+ gss_key_value_element_desc elements[2]; |
| 89 |
+ |
| 90 |
+ gss_key_value_set_desc cred_store = { |
| 91 |
+ .elements = &ccache_element, |
| 92 |
+ .count = 1, |
| 93 |
+ }; |
| 94 |
+ |
| 95 |
+ gss_OID_set mech_set = GSS_C_NO_OID_SET; |
| 96 |
+ gss_cred_usage_t cred_usage = GSS_C_INITIATE; |
| 97 |
+ gss_name_t name = NULL; |
| 98 |
+ gss_buffer_desc pr_name = { |
| 99 |
+ .value = NULL, |
| 100 |
+ .length = 0, |
| 101 |
+ }; |
| 102 |
+ |
| 103 |
+ if (id != NULL) { |
| 104 |
+ major_status = krb5_cc_get_full_name(ctx, |
| 105 |
+ id, |
| 106 |
+ discard_const(&ccache_element.value)); |
| 107 |
+ if (major_status != 0) { |
| 108 |
+ return major_status; |
| 109 |
+ } |
| 110 |
+ } |
| 111 |
+ |
| 112 |
+ if (keytab != NULL) { |
| 113 |
+ keytab_element.value = malloc(4096); |
| 114 |
+ if (!keytab_element.value) { |
| 115 |
+ return ENOMEM; |
| 116 |
+ } |
| 117 |
+ major_status = krb5_kt_get_name(ctx, |
| 118 |
+ keytab, |
| 119 |
+ discard_const(keytab_element.value), 4096); |
| 120 |
+ if (major_status != 0) { |
| 121 |
+ free(discard_const(keytab_element.value)); |
| 122 |
+ return major_status; |
| 123 |
+ } |
| 124 |
+ cred_usage = GSS_C_ACCEPT; |
| 125 |
+ cred_store.elements = &keytab_element; |
| 126 |
+ |
| 127 |
+ if (keytab_principal != NULL) { |
| 128 |
+ major_status = krb5_unparse_name(ctx, keytab_principal, (char**)&pr_name.value); |
| 129 |
+ if (major_status != 0) { |
| 130 |
+ free(discard_const(keytab_element.value)); |
| 131 |
+ return major_status; |
| 132 |
+ } |
| 133 |
+ pr_name.length = strlen(pr_name.value); |
| 134 |
+ |
| 135 |
+ major_status = gss_import_name(minor_status, |
| 136 |
+ &pr_name, |
| 137 |
+ discard_const(GSS_KRB5_NT_PRINCIPAL_NAME), |
| 138 |
+ &name); |
| 139 |
+ if (major_status != 0) { |
| 140 |
+ krb5_free_unparsed_name(ctx, pr_name.value); |
| 141 |
+ free(discard_const(keytab_element.value)); |
| 142 |
+ return major_status; |
| 143 |
+ } |
| 144 |
+ } |
| 145 |
+ } |
| 146 |
+ |
| 147 |
+ if (id != NULL && keytab != NULL) { |
| 148 |
+ elements[0] = ccache_element; |
| 149 |
+ elements[1] = keytab_element; |
| 150 |
+ |
| 151 |
+ cred_store.elements = elements; |
| 152 |
+ cred_store.count = 2; |
| 153 |
+ cred_usage = GSS_C_BOTH; |
| 154 |
+ } |
| 155 |
+ |
| 156 |
+ major_status = gss_acquire_cred_from(minor_status, |
| 157 |
+ name, |
| 158 |
+ 0, |
| 159 |
+ mech_set, |
| 160 |
+ cred_usage, |
| 161 |
+ &cred_store, |
| 162 |
+ cred, |
| 163 |
+ NULL, |
| 164 |
+ NULL); |
| 165 |
+ |
| 166 |
+ if (pr_name.value != NULL) { |
| 167 |
+ (void)gss_release_name(&minor, &name); |
| 168 |
+ krb5_free_unparsed_name(ctx, pr_name.value); |
| 169 |
+ } |
| 170 |
+ if (keytab_element.value != NULL) { |
| 171 |
+ free(discard_const(keytab_element.value)); |
| 172 |
+ } |
| 173 |
+ krb5_free_string(ctx, discard_const(ccache_element.value)); |
| 174 |
+#else |
| 175 |
+ major_status = gss_krb5_import_cred(minor_status, |
| 176 |
+ id, |
| 177 |
+ keytab_principal, |
| 178 |
+ keytab, cred); |
| 179 |
+#endif |
| 180 |
+ return major_status; |
| 181 |
+} |
| 182 |
+ |
| 183 |
+ |
| 184 |
#endif /* HAVE_GSSAPI */ |
| 185 |
diff --git a/lib/krb5_wrap/gss_samba.h b/lib/krb5_wrap/gss_samba.h |
| 186 |
index 5319932..89aee34 100644 |
| 187 |
--- a/lib/krb5_wrap/gss_samba.h |
| 188 |
+++ b/lib/krb5_wrap/gss_samba.h |
| 189 |
@@ -25,6 +25,7 @@ |
| 190 |
#ifdef HAVE_GSSAPI |
| 191 |
|
| 192 |
#include "system/gssapi.h" |
| 193 |
+#include "krb5_samba.h" |
| 194 |
|
| 195 |
#if defined(HAVE_GSS_OID_EQUAL) |
| 196 |
#define smb_gss_oid_equal gss_oid_equal |
| 197 |
@@ -32,5 +33,17 @@ |
| 198 |
int smb_gss_oid_equal(const gss_OID first_oid, const gss_OID second_oid); |
| 199 |
#endif /* HAVE_GSS_OID_EQUAL */ |
| 200 |
|
| 201 |
+/* wrapper around gss_krb5_import_cred() that prefers to use gss_acquire_cred_from() |
| 202 |
+ * if this GSSAPI extension is available. gss_acquire_cred_from() is properly |
| 203 |
+ * interposed by GSS-proxy while gss_krb5_import_cred() is not. |
| 204 |
+ * |
| 205 |
+ * This wrapper requires a proper krb5_context to resolve the ccache name for |
| 206 |
+ * gss_acquire_cred_from(). |
| 207 |
+ * |
| 208 |
+ * All gss_krb5_import_cred() callers in Samba already have krb5_context available. */ |
| 209 |
+uint32_t smb_gss_krb5_import_cred(OM_uint32 *minor_status, krb5_context ctx, |
| 210 |
+ krb5_ccache id, krb5_principal keytab_principal, |
| 211 |
+ krb5_keytab keytab, gss_cred_id_t *cred); |
| 212 |
+ |
| 213 |
#endif /* HAVE_GSSAPI */ |
| 214 |
#endif /* _GSS_SAMBA_H */ |
| 215 |
-- |
| 216 |
2.9.3 |
| 217 |
|
| 218 |
|
| 219 |
From f06fafce32a27acf4028ab573297c64189b62e30 Mon Sep 17 00:00:00 2001 |
| 220 |
From: Alexander Bokovoy <ab@samba.org> |
| 221 |
Date: Fri, 3 Mar 2017 16:57:13 +0200 |
| 222 |
Subject: [PATCH 3/6] credentials_krb5: convert to use smb_gss_krb5_import_cred |
| 223 |
|
| 224 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611 |
| 225 |
|
| 226 |
Signed-off-by: Alexander Bokovoy <ab@samba.org> |
| 227 |
Reviewed-by: Stefan Metzmacher <metze@samba.org> |
| 228 |
(cherry picked from commit ca8fd793930173b4e625d3f286739de214155bc1) |
| 229 |
--- |
| 230 |
auth/credentials/credentials_krb5.c | 22 +++++++++++++--------- |
| 231 |
1 file changed, 13 insertions(+), 9 deletions(-) |
| 232 |
|
| 233 |
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c |
| 234 |
index e974df9..0e68012 100644 |
| 235 |
--- a/auth/credentials/credentials_krb5.c |
| 236 |
+++ b/auth/credentials/credentials_krb5.c |
| 237 |
@@ -579,8 +579,9 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, |
| 238 |
return ENOMEM; |
| 239 |
} |
| 240 |
|
| 241 |
- maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL, |
| 242 |
- &gcc->creds); |
| 243 |
+ maj_stat = smb_gss_krb5_import_cred(&min_stat, ccache->smb_krb5_context->krb5_context, |
| 244 |
+ ccache->ccache, NULL, NULL, |
| 245 |
+ &gcc->creds); |
| 246 |
if ((maj_stat == GSS_S_FAILURE) && |
| 247 |
(min_stat == (OM_uint32)KRB5_CC_END || |
| 248 |
min_stat == (OM_uint32)KRB5_CC_NOTFOUND || |
| 249 |
@@ -597,8 +598,9 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, |
| 250 |
return ret; |
| 251 |
} |
| 252 |
|
| 253 |
- maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL, |
| 254 |
- &gcc->creds); |
| 255 |
+ maj_stat = smb_gss_krb5_import_cred(&min_stat, ccache->smb_krb5_context->krb5_context, |
| 256 |
+ ccache->ccache, NULL, NULL, |
| 257 |
+ &gcc->creds); |
| 258 |
|
| 259 |
} |
| 260 |
|
| 261 |
@@ -609,7 +611,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, |
| 262 |
} else { |
| 263 |
ret = EINVAL; |
| 264 |
} |
| 265 |
- (*error_string) = talloc_asprintf(cred, "gss_krb5_import_cred failed: %s", error_message(ret)); |
| 266 |
+ (*error_string) = talloc_asprintf(cred, "smb_gss_krb5_import_cred failed: %s", error_message(ret)); |
| 267 |
return ret; |
| 268 |
} |
| 269 |
|
| 270 |
@@ -1076,12 +1078,14 @@ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred, |
| 271 |
|
| 272 |
if (ktc->password_based || obtained < CRED_SPECIFIED) { |
| 273 |
/* This creates a GSSAPI cred_id_t for match-by-key with only the keytab set */ |
| 274 |
- maj_stat = gss_krb5_import_cred(&min_stat, NULL, NULL, ktc->keytab, |
| 275 |
- &gcc->creds); |
| 276 |
+ maj_stat = smb_gss_krb5_import_cred(&min_stat, smb_krb5_context->krb5_context, |
| 277 |
+ NULL, NULL, ktc->keytab, |
| 278 |
+ &gcc->creds); |
| 279 |
} else { |
| 280 |
/* This creates a GSSAPI cred_id_t with the principal and keytab set, matching by name */ |
| 281 |
- maj_stat = gss_krb5_import_cred(&min_stat, NULL, princ, ktc->keytab, |
| 282 |
- &gcc->creds); |
| 283 |
+ maj_stat = smb_gss_krb5_import_cred(&min_stat, smb_krb5_context->krb5_context, |
| 284 |
+ NULL, princ, ktc->keytab, |
| 285 |
+ &gcc->creds); |
| 286 |
} |
| 287 |
if (maj_stat) { |
| 288 |
if (min_stat) { |
| 289 |
-- |
| 290 |
2.9.3 |
| 291 |
|
| 292 |
|
| 293 |
From 5305bffd4c72a85cc6c3148222ef7e346cbe3d87 Mon Sep 17 00:00:00 2001 |
| 294 |
From: Alexander Bokovoy <ab@samba.org> |
| 295 |
Date: Fri, 3 Mar 2017 16:57:50 +0200 |
| 296 |
Subject: [PATCH 4/6] libads: convert to use smb_gss_krb5_import_cred |
| 297 |
|
| 298 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611 |
| 299 |
|
| 300 |
Signed-off-by: Alexander Bokovoy <ab@samba.org> |
| 301 |
Reviewed-by: Stefan Metzmacher <metze@samba.org> |
| 302 |
(cherry picked from commit 520167992bd2477bc11920d2dc9ec87f2cb339c9) |
| 303 |
--- |
| 304 |
source3/libads/sasl.c | 2 +- |
| 305 |
1 file changed, 1 insertion(+), 1 deletion(-) |
| 306 |
|
| 307 |
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c |
| 308 |
index 8570788..30127fa 100644 |
| 309 |
--- a/source3/libads/sasl.c |
| 310 |
+++ b/source3/libads/sasl.c |
| 311 |
@@ -372,7 +372,7 @@ static ADS_STATUS ads_init_gssapi_cred(ADS_STRUCT *ads, gss_cred_id_t *cred) |
| 312 |
goto done; |
| 313 |
} |
| 314 |
|
| 315 |
- maj = gss_krb5_import_cred(&min, kccache, NULL, NULL, cred); |
| 316 |
+ maj = smb_gss_krb5_import_cred(&min, kctx, kccache, NULL, NULL, cred); |
| 317 |
if (maj != GSS_S_COMPLETE) { |
| 318 |
status = ADS_ERROR_GSS(maj, min); |
| 319 |
goto done; |
| 320 |
-- |
| 321 |
2.9.3 |
| 322 |
|
| 323 |
|
| 324 |
From 1dbc68f9bee19a9c26825cc5be7d81951dcac710 Mon Sep 17 00:00:00 2001 |
| 325 |
From: Alexander Bokovoy <ab@samba.org> |
| 326 |
Date: Fri, 3 Mar 2017 16:58:14 +0200 |
| 327 |
Subject: [PATCH 5/6] s3-gse: convert to use smb_gss_krb5_import_cred |
| 328 |
|
| 329 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611 |
| 330 |
|
| 331 |
Signed-off-by: Alexander Bokovoy <ab@samba.org> |
| 332 |
Reviewed-by: Stefan Metzmacher <metze@samba.org> |
| 333 |
(cherry picked from commit 3d733d5791a6d82edda13ac39790bd8ba893f3d7) |
| 334 |
--- |
| 335 |
source3/librpc/crypto/gse.c | 20 +++++++++++--------- |
| 336 |
1 file changed, 11 insertions(+), 9 deletions(-) |
| 337 |
|
| 338 |
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c |
| 339 |
index abf20bc..f4238f3 100644 |
| 340 |
--- a/source3/librpc/crypto/gse.c |
| 341 |
+++ b/source3/librpc/crypto/gse.c |
| 342 |
@@ -252,11 +252,12 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx, |
| 343 |
/* TODO: get krb5 ticket using username/password, if no valid |
| 344 |
* one already available in ccache */ |
| 345 |
|
| 346 |
- gss_maj = gss_krb5_import_cred(&gss_min, |
| 347 |
- gse_ctx->ccache, |
| 348 |
- NULL, /* keytab_principal */ |
| 349 |
- NULL, /* keytab */ |
| 350 |
- &gse_ctx->creds); |
| 351 |
+ gss_maj = smb_gss_krb5_import_cred(&gss_min, |
| 352 |
+ gse_ctx->k5ctx, |
| 353 |
+ gse_ctx->ccache, |
| 354 |
+ NULL, /* keytab_principal */ |
| 355 |
+ NULL, /* keytab */ |
| 356 |
+ &gse_ctx->creds); |
| 357 |
if (gss_maj) { |
| 358 |
char *ccache = NULL; |
| 359 |
int kret; |
| 360 |
@@ -268,7 +269,7 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx, |
| 361 |
ccache = NULL; |
| 362 |
} |
| 363 |
|
| 364 |
- DEBUG(5, ("gss_krb5_import_cred ccache[%s] failed with [%s] -" |
| 365 |
+ DEBUG(5, ("smb_gss_krb5_import_cred ccache[%s] failed with [%s] -" |
| 366 |
"the caller may retry after a kinit.\n", |
| 367 |
ccache, gse_errstr(gse_ctx, gss_maj, gss_min))); |
| 368 |
SAFE_FREE(ccache); |
| 369 |
@@ -430,12 +431,13 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx, |
| 370 |
} |
| 371 |
|
| 372 |
/* This creates a GSSAPI cred_id_t with the keytab set */ |
| 373 |
- gss_maj = gss_krb5_import_cred(&gss_min, NULL, NULL, gse_ctx->keytab, |
| 374 |
- &gse_ctx->creds); |
| 375 |
+ gss_maj = smb_gss_krb5_import_cred(&gss_min, gse_ctx->k5ctx, |
| 376 |
+ NULL, NULL, gse_ctx->keytab, |
| 377 |
+ &gse_ctx->creds); |
| 378 |
|
| 379 |
if (gss_maj != 0 |
| 380 |
&& gss_maj != (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) { |
| 381 |
- DEBUG(0, ("gss_krb5_import_cred failed with [%s]\n", |
| 382 |
+ DEBUG(0, ("smb_gss_krb5_import_cred failed with [%s]\n", |
| 383 |
gse_errstr(gse_ctx, gss_maj, gss_min))); |
| 384 |
status = NT_STATUS_INTERNAL_ERROR; |
| 385 |
goto done; |
| 386 |
-- |
| 387 |
2.9.3 |
| 388 |
|
| 389 |
|
| 390 |
From 3c9390d26cf12e483d98f005b43da7b10348753d Mon Sep 17 00:00:00 2001 |
| 391 |
From: Alexander Bokovoy <ab@samba.org> |
| 392 |
Date: Wed, 8 Mar 2017 12:38:49 +0200 |
| 393 |
Subject: [PATCH 6/6] s3-gse: move krb5 fallback to smb_gss_krb5_import_cred |
| 394 |
wrapper |
| 395 |
|
| 396 |
MIT krb5 1.9 version of gss_krb5_import_cred() may fail when importing |
| 397 |
credentials from a keytab without specifying actual principal. |
| 398 |
This was fixed in MIT krb5 1.9.2 (see commit |
| 399 |
71c3be093db577aa52f6b9a9a3a9f442ca0d8f20 in MIT krb5-1.9 branch, git |
| 400 |
master's version is bd18687a705a8a6cdcb7c140764d1a7c6a3381b5). |
| 401 |
|
| 402 |
Move fallback code to the smb_gss_krb5_import_cred wrapper. We only |
| 403 |
expect this fallback to happen with krb5 GSSAPI mechanism, thus hard |
| 404 |
code use of krb5 mech when calling to gss_acquire_cred. |
| 405 |
|
| 406 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611 |
| 407 |
|
| 408 |
Signed-off-by: Alexander Bokovoy <ab@samba.org> |
| 409 |
Reviewed-by: Stefan Metzmacher <metze@samba.org> |
| 410 |
|
| 411 |
Autobuild-User(master): Alexander Bokovoy <ab@samba.org> |
| 412 |
Autobuild-Date(master): Wed Mar 8 22:00:24 CET 2017 on sn-devel-144 |
| 413 |
|
| 414 |
(cherry picked from commit 57286d57732d49fdb8b8e21f584787cdbc917c32) |
| 415 |
--- |
| 416 |
lib/krb5_wrap/gss_samba.c | 46 +++++++++++++++++++++++++++++++++++++++--- |
| 417 |
source3/librpc/crypto/gse.c | 49 +-------------------------------------------- |
| 418 |
2 files changed, 44 insertions(+), 51 deletions(-) |
| 419 |
|
| 420 |
diff --git a/lib/krb5_wrap/gss_samba.c b/lib/krb5_wrap/gss_samba.c |
| 421 |
index 757ffc5..9e5ad4a 100644 |
| 422 |
--- a/lib/krb5_wrap/gss_samba.c |
| 423 |
+++ b/lib/krb5_wrap/gss_samba.c |
| 424 |
@@ -161,9 +161,49 @@ uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx, |
| 425 |
krb5_free_string(ctx, discard_const(ccache_element.value)); |
| 426 |
#else |
| 427 |
major_status = gss_krb5_import_cred(minor_status, |
| 428 |
- id, |
| 429 |
- keytab_principal, |
| 430 |
- keytab, cred); |
| 431 |
+ id, |
| 432 |
+ keytab_principal, |
| 433 |
+ keytab, cred); |
| 434 |
+ |
| 435 |
+ if (major_status == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) { |
| 436 |
+ if ((keytab_principal == NULL) && (keytab != NULL)) { |
| 437 |
+ /* No principal was specified and MIT krb5 1.9 version failed. |
| 438 |
+ * We have to fall back to set global acceptor identity */ |
| 439 |
+ gss_OID_set_desc mech_set; |
| 440 |
+ char *kt_name = NULL; |
| 441 |
+ |
| 442 |
+ kt_name = malloc(4096); |
| 443 |
+ if (!kt_name) { |
| 444 |
+ return ENOMEM; |
| 445 |
+ } |
| 446 |
+ |
| 447 |
+ major_status = krb5_kt_get_name(ctx, |
| 448 |
+ keytab, |
| 449 |
+ kt_name, 4096); |
| 450 |
+ if (major_status != 0) { |
| 451 |
+ free(kt_name); |
| 452 |
+ return major_status; |
| 453 |
+ } |
| 454 |
+ |
| 455 |
+ major_status = gsskrb5_register_acceptor_identity(kt_name); |
| 456 |
+ if (major_status) { |
| 457 |
+ free(kt_name); |
| 458 |
+ return major_status; |
| 459 |
+ } |
| 460 |
+ |
| 461 |
+ /* We are dealing with krb5 GSSAPI mech in this fallback */ |
| 462 |
+ mech_set.count = 1; |
| 463 |
+ mech_set.elements = gss_mech_krb5; |
| 464 |
+ major_status = gss_acquire_cred(minor_status, |
| 465 |
+ GSS_C_NO_NAME, |
| 466 |
+ GSS_C_INDEFINITE, |
| 467 |
+ &mech_set, |
| 468 |
+ GSS_C_ACCEPT, |
| 469 |
+ cred, |
| 470 |
+ NULL, NULL); |
| 471 |
+ free(kt_name); |
| 472 |
+ } |
| 473 |
+ } |
| 474 |
#endif |
| 475 |
return major_status; |
| 476 |
} |
| 477 |
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c |
| 478 |
index f4238f3..a111320 100644 |
| 479 |
--- a/source3/librpc/crypto/gse.c |
| 480 |
+++ b/source3/librpc/crypto/gse.c |
| 481 |
@@ -435,58 +435,11 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx, |
| 482 |
NULL, NULL, gse_ctx->keytab, |
| 483 |
&gse_ctx->creds); |
| 484 |
|
| 485 |
- if (gss_maj != 0 |
| 486 |
- && gss_maj != (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) { |
| 487 |
+ if (gss_maj != 0) { |
| 488 |
DEBUG(0, ("smb_gss_krb5_import_cred failed with [%s]\n", |
| 489 |
gse_errstr(gse_ctx, gss_maj, gss_min))); |
| 490 |
status = NT_STATUS_INTERNAL_ERROR; |
| 491 |
goto done; |
| 492 |
- |
| 493 |
- /* This is the error the MIT krb5 1.9 gives when it |
| 494 |
- * implements the function, but we do not specify the |
| 495 |
- * principal. However, when we specify the principal |
| 496 |
- * as host$@REALM the GSS acceptor fails with 'wrong |
| 497 |
- * principal in request'. Work around the issue by |
| 498 |
- * falling back to the alternate approach below. */ |
| 499 |
- } else if (gss_maj == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) |
| 500 |
- /* FIXME!!! |
| 501 |
- * This call sets the default keytab for the whole server, not |
| 502 |
- * just for this context. Need to find a way that does not alter |
| 503 |
- * the state of the whole server ... */ |
| 504 |
- { |
| 505 |
- const char *ktname; |
| 506 |
- gss_OID_set_desc mech_set; |
| 507 |
- |
| 508 |
- ret = smb_krb5_kt_get_name(gse_ctx, gse_ctx->k5ctx, |
| 509 |
- gse_ctx->keytab, &ktname); |
| 510 |
- if (ret) { |
| 511 |
- status = NT_STATUS_INTERNAL_ERROR; |
| 512 |
- goto done; |
| 513 |
- } |
| 514 |
- |
| 515 |
- ret = gsskrb5_register_acceptor_identity(ktname); |
| 516 |
- if (ret) { |
| 517 |
- status = NT_STATUS_INTERNAL_ERROR; |
| 518 |
- goto done; |
| 519 |
- } |
| 520 |
- |
| 521 |
- mech_set.count = 1; |
| 522 |
- mech_set.elements = &gse_ctx->gss_mech; |
| 523 |
- |
| 524 |
- gss_maj = gss_acquire_cred(&gss_min, |
| 525 |
- GSS_C_NO_NAME, |
| 526 |
- GSS_C_INDEFINITE, |
| 527 |
- &mech_set, |
| 528 |
- GSS_C_ACCEPT, |
| 529 |
- &gse_ctx->creds, |
| 530 |
- NULL, NULL); |
| 531 |
- |
| 532 |
- if (gss_maj) { |
| 533 |
- DEBUG(0, ("gss_acquire_creds failed with [%s]\n", |
| 534 |
- gse_errstr(gse_ctx, gss_maj, gss_min))); |
| 535 |
- status = NT_STATUS_INTERNAL_ERROR; |
| 536 |
- goto done; |
| 537 |
- } |
| 538 |
} |
| 539 |
|
| 540 |
status = NT_STATUS_OK; |
| 541 |
-- |
| 542 |
2.9.3 |
| 543 |
|
Parent Directory
| 
Revision Log
| 
Revision Graph
