The Samba-Bugzilla – Attachment 13983 Details for Bug 13304: mit-kdb: support MIT Kerberos 1.16 KDB API changes
[patch] Patch for 4.8 cherry-picked from master
bug13304-v48.patch (text/plain), 4.93 KB, created by Ralph Böhme on 2018-02-27 09:41:36 UTC
>From d617da66ec7d12bbeccdbccb7bc25029b873bc9f Mon Sep 17 00:00:00 2001 >From: Alexander Bokovoy <ab@samba.org> >Date: Tue, 24 Oct 2017 12:01:39 +0300 >Subject: [PATCH] mit-kdb: support MIT Kerberos 1.16 KDB API changes > >MIT Kerberos 1.16 adds ability to audit local and remote addresses >during AS_REQ processing. As result, audit_as_req callback signature >was changed to include the addresses and KDB API version was increased. > >Change mit-kdb code to properly expose audit_as_req signature KDC >expects in 1.16 version. Also update #ifdefs to account for the new >KDB API version. > >This commit does not add actual audit of the local and remote IP >addresses, it only makes it possible to compile against MIT Kerberos >1.16. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=13304 > >Signed-off-by: Alexander Bokovoy <ab@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> > >Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> >Autobuild-Date(master): Fri Jan 19 01:36:22 CET 2018 on sn-devel-144 > >(cherry picked from commit 7c1c8c68174ed484fe86a0d9e429daad3a47a57d) >--- > source4/kdc/mit-kdb/kdb_samba.h | 13 ++++++++- > source4/kdc/mit-kdb/kdb_samba_policies.c | 42 +++++++++++++++++++++--------- > source4/kdc/mit-kdb/kdb_samba_principals.c | 2 +- > 3 files changed, 42 insertions(+), 15 deletions(-) > >diff --git a/source4/kdc/mit-kdb/kdb_samba.h b/source4/kdc/mit-kdb/kdb_samba.h >index abca2c166ae..b9c571f26cb 100644 >--- a/source4/kdc/mit-kdb/kdb_samba.h >+++ b/source4/kdc/mit-kdb/kdb_samba.h >@@ -78,7 +78,7 @@ krb5_error_code kdb_samba_db_put_principal(krb5_context context, > krb5_error_code kdb_samba_db_delete_principal(krb5_context context, > krb5_const_principal princ); > >-#if KRB5_KDB_API_VERSION == 8 >+#if KRB5_KDB_API_VERSION >= 8 > krb5_error_code kdb_samba_db_iterate(krb5_context context, > char *match_entry, > int (*func)(krb5_pointer, krb5_db_entry *), 
>@@ -148,12 +148,23 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context, > const krb5_db_entry *server, > krb5_const_principal proxy); > >+#if KRB5_KDB_API_VERSION >= 9 > void kdb_samba_db_audit_as_req(krb5_context kcontext, > krb5_kdc_req *request, >+ const krb5_address *local_addr, >+ const krb5_address *remote_addr, > krb5_db_entry *client, > krb5_db_entry *server, > krb5_timestamp authtime, > krb5_error_code error_code); >+#else >+void kdb_samba_db_audit_as_req(krb5_context kcontext, >+ krb5_kdc_req *request, >+ krb5_db_entry *client, >+ krb5_db_entry *server, >+ krb5_timestamp authtime, >+ krb5_error_code error_code); >+#endif > > /* from kdb_samba_change_pwd.c */ > >diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c >index 81140abfd50..de5813bde2f 100644 >--- a/source4/kdc/mit-kdb/kdb_samba_policies.c >+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c >@@ -432,20 +432,10 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context, > return code; > } > >-void kdb_samba_db_audit_as_req(krb5_context context, >- krb5_kdc_req *request, >- krb5_db_entry *client, >- krb5_db_entry *server, >- krb5_timestamp authtime, >- krb5_error_code error_code) >-{ >- struct mit_samba_context *mit_ctx; >- >- mit_ctx = ks_get_context(context); >- if (mit_ctx == NULL) { >- return; >- } > >+static void samba_bad_password_count(krb5_db_entry *client, >+ krb5_error_code error_code) >+{ > switch (error_code) { > case 0: > mit_samba_zero_bad_password_count(client); 
>@@ -456,3 +446,29 @@ void kdb_samba_db_audit_as_req(krb5_context context, > break; > } > } >+ >+#if KRB5_KDB_API_VERSION >= 9 >+void kdb_samba_db_audit_as_req(krb5_context context, >+ krb5_kdc_req *request, >+ const krb5_address *local_addr, >+ const krb5_address *remote_addr, >+ krb5_db_entry *client, >+ krb5_db_entry *server, >+ krb5_timestamp authtime, >+ krb5_error_code error_code) >+{ >+ samba_bad_password_count(client, error_code); >+ >+ /* TODO: perform proper audit logging for addresses */ >+} >+#else >+void kdb_samba_db_audit_as_req(krb5_context context, >+ krb5_kdc_req *request, >+ krb5_db_entry *client, >+ krb5_db_entry *server, >+ krb5_timestamp authtime, >+ krb5_error_code error_code) >+{ >+ samba_bad_password_count(client, error_code); >+} >+#endif >diff --git a/source4/kdc/mit-kdb/kdb_samba_principals.c b/source4/kdc/mit-kdb/kdb_samba_principals.c >index 1dbb69b561d..8b67436dc47 100644 >--- a/source4/kdc/mit-kdb/kdb_samba_principals.c >+++ b/source4/kdc/mit-kdb/kdb_samba_principals.c >@@ -308,7 +308,7 @@ krb5_error_code kdb_samba_db_delete_principal(krb5_context context, > return KRB5_KDB_DB_INUSE; > } > >-#if KRB5_KDB_API_VERSION == 8 >+#if KRB5_KDB_API_VERSION >= 8 > krb5_error_code kdb_samba_db_iterate(krb5_context context, > char *match_entry, > int (*func)(krb5_pointer, krb5_db_entry *), >-- >2.13.6 >
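Review bot: In the kdb_samba.h hunk at @@ -78,7 (and the matching change in kdb_samba_principals.c at @@ -308,7), widening `#if KRB5_KDB_API_VERSION == 8` to `>= 8` leaves the upper end open, so every later KDB API version will select this kdb_samba_db_iterate prototype whether or not the signature still matches. This patch exists because version 9 changed a callback signature, so consider bounding the condition to the versions actually built against, or adding an #error branch for versions above the highest one known, so that the next API bump is noticed at build time.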
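Review bot: The kdb_samba.h hunk at @@ -148,12 adds the `#if KRB5_KDB_API_VERSION >= 9` split with no comment saying why there are two prototypes. A one-line comment above the #if, stating that MIT Kerberos 1.16 added local_addr and remote_addr to audit_as_req, would save the next reader from comparing the two declarations, which differ only in those two parameters.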
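Review bot: In the kdb_samba_policies.c hunk at @@ -432,20, the removed guard `mit_ctx = ks_get_context(context); if (mit_ctx == NULL) { return; }` is not carried into samba_bad_password_count() or into either new kdb_samba_db_audit_as_req() variant, so the bad password count is now updated even when no Samba context is attached to the krb5 context. The commit message describes the change as making the code compile against 1.16 only, so either keep the guard in the wrappers before calling the helper or say in the message that dropping it is intended. The helper also passes client to mit_samba_zero_bad_password_count() with no NULL check in the visible lines; if the KDC can invoke the audit hook without a client entry, that needs a guard as well.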
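Review bot: In the kdb_samba_policies.c hunk at @@ -456,3, the API >= 9 variant of kdb_samba_db_audit_as_req() accepts local_addr and remote_addr and then discards them, with only `/* TODO: perform proper audit logging for addresses */` marking the gap. Until that is implemented, a bad password count update cannot be tied to the address the AS_REQ came from, so the TODO should reference a tracking bug rather than stand alone. The context, request, server and authtime parameters are likewise unused in both variants, which is worth a short comment so the omission reads as deliberate.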
Flags: asn: review+