Attachment 12819 Details for Bug 12480 – Patches for v4-4-test (also applies to v4-3 and v4-2)

[patch] Patches for v4-4-test (also applies to v4-3 and v4-2)

tmp44.diff.txt (text/plain), 6.22 KB, created by Stefan Metzmacher on 2017-01-10 15:50:52 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Stefan Metzmacher

Created: 2017-01-10 15:50:52 UTC

Size: 6.22 KB

patch

obsolete

>From 29a0ec1c65d624e2f4089eaa0656ed746afaf097 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Thu, 22 Dec 2016 08:46:21 +0100
>Subject: [PATCH 1/3] s3:librpc/gse: include ccache_name in DEBUG message if
> krb5_cc_resolve() fails
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12480
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>(cherry picked from commit 6f029d58703f657e46fee35fc663128157db4d9f)
>---
> source3/librpc/crypto/gse.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
>diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
>index c4c4bbc..3f1615d 100644
>--- a/source3/librpc/crypto/gse.c
>+++ b/source3/librpc/crypto/gse.c
>@@ -172,8 +172,8 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
> 	k5ret = krb5_cc_resolve(gse_ctx->k5ctx, ccache_name,
> 				&gse_ctx->ccache);
> 	if (k5ret) {
>-		DEBUG(1, ("Failed to resolve credential cache! (%s)\n",
>-			  error_message(k5ret)));
>+		DEBUG(1, ("Failed to resolve credential cache '%s'! (%s)\n",
>+			  ccache_name, error_message(k5ret)));
> 		status = NT_STATUS_INTERNAL_ERROR;
> 		goto err_out;
> 	}
>-- 
>1.9.1
>
>
>From f2248ef492305c7a3170ca15a865ff9a588d9918 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Thu, 22 Dec 2016 08:47:32 +0100
>Subject: [PATCH 2/3] s3:librpc/gse: remove unused #ifdef
> HAVE_GSS_KRB5_IMPORT_CRED
>
>We always have gss_krb5_import_cred(), it available in heimdal
>and also the oldest version (1.9) of MIT krb5 that we support.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12480
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>(cherry picked from commit b61a93755ca59a58775c1c8c21baee49fef42fbf)
>---
> source3/librpc/crypto/gse.c | 3 ---
> 1 file changed, 3 deletions(-)
>
>diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
>index 3f1615d..1ac581f 100644
>--- a/source3/librpc/crypto/gse.c
>+++ b/source3/librpc/crypto/gse.c
>@@ -380,8 +380,6 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
> 		goto done;
> 	}
> 
>-#ifdef HAVE_GSS_KRB5_IMPORT_CRED
>-
> 	/* This creates a GSSAPI cred_id_t with the keytab set */
> 	gss_maj = gss_krb5_import_cred(&gss_min, NULL, NULL, gse_ctx->keytab, 
> 				       &gse_ctx->creds);
>@@ -400,7 +398,6 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
> 		 * principal in request'.  Work around the issue by
> 		 * falling back to the alternate approach below. */
> 	} else if (gss_maj == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME))
>-#endif
> 	/* FIXME!!!
> 	 * This call sets the default keytab for the whole server, not
> 	 * just for this context. Need to find a way that does not alter
>-- 
>1.9.1
>
>
>From 7df11805b6308a8579c352ea03ed5b8ce8b817bd Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Thu, 22 Dec 2016 08:49:38 +0100
>Subject: [PATCH 3/3] s3:librpc/gse: make use of gss_krb5_import_cred() instead
> of gss_acquire_cred()
>
>This avoids the usage of the ccselect_realm logic in MIT krb5,
>which leads to unpredictable results.
>
>The problem is the usage of gss_acquire_cred(), that just creates
>a credential handle without ccache.
>
>As result gss_init_sec_context() will trigger a code path
>where it use "ccselect" plugins. And the ccselect_realm
>module just chooses a random ccache from a global list
>where the realm of the provides target principal matches
>the realm of the ccache user principal.
>
>In the winbindd case we're using MEMORY:cliconnect to setup
>the smb connection to the DC. For ldap connections we use
>MEMORY:winbind_ccache.
>
>The typical case is that we do the smb connection first.
>If we try to create a new ldap connection, while the
>credentials in MEMORY:cliconnect are expired,
>we'll do the required kinit into MEMORY:winbind_ccache,
>but the ccselect_realm module will select MEMORY:cliconnect
>and tries to get a service ticket for the ldap server
>using the already expired TGT from MEMORY:cliconnect.
>
>The solution will be to use gss_krb5_import_cred() and explicitly
>pass the desired ccache, which avoids the ccselect logic.
>
>We could also use gss_acquire_cred_from(), but that's only available
>in modern MIT krb5 versions, while gss_krb5_import_cred() is available
>in heimdal and all supported MIT versions (>=1.9).
>As far as I can see both call the same internal function in MIT
>(at least for the ccache case).
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12480
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>(cherry picked from commit 7c3ea9fe96336483752adb821f8062a883d52998)
>---
> source3/librpc/crypto/gse.c | 31 ++++++++++++++++++-------------
> 1 file changed, 18 insertions(+), 13 deletions(-)
>
>diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
>index 1ac581f..1b9ec24 100644
>--- a/source3/librpc/crypto/gse.c
>+++ b/source3/librpc/crypto/gse.c
>@@ -203,7 +203,6 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
> 	struct gse_context *gse_ctx;
> 	OM_uint32 gss_maj, gss_min;
> 	gss_buffer_desc name_buffer = GSS_C_EMPTY_BUFFER;
>-	gss_OID_set_desc mech_set;
> #ifdef HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
> 	gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER;
> #endif
>@@ -248,20 +247,26 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
> 	/* TODO: get krb5 ticket using username/password, if no valid
> 	 * one already available in ccache */
> 
>-	mech_set.count = 1;
>-	mech_set.elements = &gse_ctx->gss_mech;
>-
>-	gss_maj = gss_acquire_cred(&gss_min,
>-				   GSS_C_NO_NAME,
>-				   GSS_C_INDEFINITE,
>-				   &mech_set,
>-				   GSS_C_INITIATE,
>-				   &gse_ctx->creds,
>-				   NULL, NULL);
>+	gss_maj = gss_krb5_import_cred(&gss_min,
>+				       gse_ctx->ccache,
>+				       NULL, /* keytab_principal */
>+				       NULL, /* keytab */
>+				       &gse_ctx->creds);
> 	if (gss_maj) {
>-		DEBUG(5, ("gss_acquire_creds failed for GSS_C_NO_NAME with [%s] -"
>+		char *ccache = NULL;
>+		int kret;
>+
>+		kret = krb5_cc_get_full_name(gse_ctx->k5ctx,
>+					     gse_ctx->ccache,
>+					     &ccache);
>+		if (kret != 0) {
>+			ccache = NULL;
>+		}
>+
>+		DEBUG(5, ("gss_krb5_import_cred ccache[%s] failed with [%s] -"
> 			  "the caller may retry after a kinit.\n",
>-			  gse_errstr(gse_ctx, gss_maj, gss_min)));
>+			  ccache, gse_errstr(gse_ctx, gss_maj, gss_min)));
>+		SAFE_FREE(ccache);
> 		status = NT_STATUS_INTERNAL_ERROR;
> 		goto err_out;
> 	}
>-- 
>1.9.1
>

Flags:

asn: review+

Actions: View

Attachments on bug 12480: 12785 | 12818 | 12819