The Samba-Bugzilla – Attachment 13102 Details for
Bug 12708
winbindd 4.6.0: child process crashes when kerberos-authenticating a user with wrong password
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Fix for 4.6.next
krb5_crash-46.patch (text/plain), 6.54 KB, created by
Uri Simchoni
on 2017-03-22 10:37:25 UTC
(
hide
)
Description:
Fix for 4.6.next
Filename:
MIME Type:
Creator:
Uri Simchoni
Created:
2017-03-22 10:37:25 UTC
Size:
6.54 KB
patch
obsolete
>From 83a4031e1d7fdecc15f9f77aea176d4676ea7a6e Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Tue, 21 Mar 2017 09:57:30 +0100 >Subject: [PATCH 1/2] s3:libads: Remove obsolete > smb_krb5_get_ntstatus_from_init_creds() > >There is no way we can get a better error code out of this. The original >function called was krb5_get_init_creds_opt_get_error() which has been >deprecated in 2008. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708 > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Uri Simchoni <uri@samba.org> >(cherry picked from commit e2028837b958618a66449a77ee628e4e176e521e) >--- > source3/libads/kerberos.c | 169 ---------------------------------------------- > 1 file changed, 169 deletions(-) > >diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c >index dcb268e..13c48ca 100644 >--- a/source3/libads/kerberos.c >+++ b/source3/libads/kerberos.c >@@ -99,156 +99,6 @@ kerb_prompter(krb5_context ctx, void *data, > return 0; > } > >-static bool unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx, >- DATA_BLOB *edata, >- DATA_BLOB *edata_out) >-{ >- DATA_BLOB edata_contents; >- ASN1_DATA *data; >- int edata_type; >- >- if (!edata->length) { >- return false; >- } >- >- data = asn1_init(mem_ctx); >- if (data == NULL) { >- return false; >- } >- >- if (!asn1_load(data, *edata)) goto err; >- if (!asn1_start_tag(data, ASN1_SEQUENCE(0))) goto err; >- if (!asn1_start_tag(data, ASN1_CONTEXT(1))) goto err; >- if (!asn1_read_Integer(data, &edata_type)) goto err; >- >- if (edata_type != KRB5_PADATA_PW_SALT) { >- DEBUG(0,("edata is not of required type %d but of type %d\n", >- KRB5_PADATA_PW_SALT, edata_type)); >- goto err; >- } >- >- if (!asn1_start_tag(data, ASN1_CONTEXT(2))) goto err; >- if (!asn1_read_OctetString(data, talloc_tos(), &edata_contents)) goto err; >- if (!asn1_end_tag(data)) goto err; >- if (!asn1_end_tag(data)) goto err; >- if (!asn1_end_tag(data)) goto err; >- asn1_free(data); >- >- *edata_out = data_blob_talloc(mem_ctx, edata_contents.data, edata_contents.length); >- >- data_blob_free(&edata_contents); >- >- return true; >- >- err: >- >- asn1_free(data); >- return false; >-} >- >- static bool smb_krb5_get_ntstatus_from_krb5_error(krb5_error *error, >- NTSTATUS *nt_status) >-{ >- DATA_BLOB edata; >- DATA_BLOB unwrapped_edata; >- TALLOC_CTX *mem_ctx; >- struct KRB5_EDATA_NTSTATUS parsed_edata; >- enum ndr_err_code ndr_err; >- >-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR >- edata = data_blob(error->e_data->data, error->e_data->length); >-#else >- edata = data_blob(error->e_data.data, error->e_data.length); >-#endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */ >- >-#ifdef DEVELOPER >- dump_data(10, edata.data, edata.length); >-#endif /* DEVELOPER */ >- >- mem_ctx = talloc_init("smb_krb5_get_ntstatus_from_krb5_error"); >- if (mem_ctx == NULL) { >- data_blob_free(&edata); >- return False; >- } >- >- if (!unwrap_edata_ntstatus(mem_ctx, &edata, &unwrapped_edata)) { >- data_blob_free(&edata); >- TALLOC_FREE(mem_ctx); >- return False; >- } >- >- data_blob_free(&edata); >- >- ndr_err = ndr_pull_struct_blob_all(&unwrapped_edata, mem_ctx, >- &parsed_edata, (ndr_pull_flags_fn_t)ndr_pull_KRB5_EDATA_NTSTATUS); >- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { >- data_blob_free(&unwrapped_edata); >- TALLOC_FREE(mem_ctx); >- return False; >- } >- >- data_blob_free(&unwrapped_edata); >- >- if (nt_status) { >- *nt_status = parsed_edata.ntstatus; >- } >- >- TALLOC_FREE(mem_ctx); >- >- return True; >-} >- >-static bool smb_krb5_get_ntstatus_from_init_creds(krb5_context ctx, >- krb5_principal client, >- krb5_get_init_creds_opt *opt, >- NTSTATUS *nt_status) >-{ >- krb5_init_creds_context icc; >- krb5_error_code code; >-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR >- /* HEIMDAL */ >- krb5_error error; >-#else >- krb5_error *error = NULL; >-#endif >- bool ok; >- >- code = krb5_init_creds_init(ctx, >- client, >- NULL, >- NULL, >- 0, >- opt, >- &icc); >- if (code != 0) { >- DBG_WARNING("krb5_init_creds_init failed with: %s\n", >- error_message(code)); >- return false; >- } >- >- code = krb5_init_creds_get_error(ctx, >- icc, >- &error); >- if (code != 0) { >- DBG_WARNING("krb5_init_creds_get_error failed with: %s\n", >- error_message(code)); >- return false; >- } >- krb5_init_creds_free(ctx, icc); >- >-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR >- ok = smb_krb5_get_ntstatus_from_krb5_error(&error, nt_status); >- >- krb5_free_error_contents(ctx, &error); >-#else >- ok = smb_krb5_get_ntstatus_from_krb5_error(error, nt_status); >- >- krb5_free_error(ctx, error); >-#endif >- >- return ok; >-} >- > /* > simulate a kinit, putting the tgt in the given cache location. If cache_name == NULL > place in default cache location. >@@ -356,31 +206,12 @@ int kerberos_kinit_password_ext(const char *principal, > } > out: > if (ntstatus) { >- >- NTSTATUS status; >- > /* fast path */ > if (code == 0) { > *ntstatus = NT_STATUS_OK; > goto cleanup; > } > >- /* try to get ntstatus code out of krb5_error when we have it >- * inside the krb5_get_init_creds_opt - gd */ >- >- if (opt != NULL) { >- bool ok; >- >- ok = smb_krb5_get_ntstatus_from_init_creds(ctx, >- me, >- opt, >- &status); >- if (ok) { >- *ntstatus = status; >- goto cleanup; >- } >- } >- > /* fall back to self-made-mapping */ > *ntstatus = krb5_to_nt_status(code); > } >-- >2.9.3 > > >From ce7794f3591b4880a215343e80ce35d30ca7e04b Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Mon, 20 Mar 2017 12:22:44 +0100 >Subject: [PATCH 2/2] nsswtich: Add negative tests for authentication with > wbinfo > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708 > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Uri Simchoni <uri@samba.org> > >Autobuild-User(master): Uri Simchoni <uri@samba.org> >Autobuild-Date(master): Wed Mar 22 10:58:58 CET 2017 on sn-devel-144 > >(cherry picked from commit e7d1d8c49322a131e7ca1993f9956f0bddcaff3c) >--- > nsswitch/tests/test_wbinfo.sh | 4 ++++ > 1 file changed, 4 insertions(+) > >diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh >index 69cc437..cfe582d 100755 >--- a/nsswitch/tests/test_wbinfo.sh >+++ b/nsswitch/tests/test_wbinfo.sh >@@ -254,6 +254,10 @@ testit "wbinfo -K against $TARGET with domain creds" $wbinfo --krb5ccname=$KRB5C > > testit "wbinfo --separator against $TARGET" $wbinfo --separator || failed=`expr $failed + 1` > >+testit_expect_failure "wbinfo -a against $TARGET with invalid password" $wbinfo -a "$DOMAIN/$USERNAME%InvalidPassword" && failed=`expr $failed + 1` >+ >+testit_expect_failure "wbinfo -K against $TARGET with invalid password" $wbinfo -K "$DOMAIN/$USERNAME%InvalidPassword" && failed=`expr $failed + 1` >+ > rm -f $KRB5CCNAME_PATH > > exit $failed >-- >2.9.3 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=13102">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Flags:
asn
:
review+
Actions:
View
Attachments on
bug 12708
: 13102