Attachment 13983 Details for Bug 13304 – Patch for 4.8 cherry-picked from master

[patch] Patch for 4.8 cherry-picked from master

bug13304-v48.patch (text/plain), 4.93 KB, created by Ralph Böhme on 2018-02-27 09:41:36 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Ralph Böhme

Created: 2018-02-27 09:41:36 UTC

Size: 4.93 KB

patch

obsolete

>From d617da66ec7d12bbeccdbccb7bc25029b873bc9f Mon Sep 17 00:00:00 2001
>From: Alexander Bokovoy <ab@samba.org>
>Date: Tue, 24 Oct 2017 12:01:39 +0300
>Subject: [PATCH] mit-kdb: support MIT Kerberos 1.16 KDB API changes
>
>MIT Kerberos 1.16 adds ability to audit local and remote addresses
>during AS_REQ processing. As result, audit_as_req callback signature
>was changed to include the addresses and KDB API version was increased.
>
>Change mit-kdb code to properly expose audit_as_req signature KDC
>expects in 1.16 version. Also update #ifdefs to account for the new
>KDB API version.
>
>This commit does not add actual audit of the local and remote IP
>addresses, it only makes it possible to compile against MIT Kerberos
>1.16.
>
>Bug: https://bugzilla.samba.org/show_bug.cgi?id=13304
>
>Signed-off-by: Alexander Bokovoy <ab@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>
>Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
>Autobuild-Date(master): Fri Jan 19 01:36:22 CET 2018 on sn-devel-144
>
>(cherry picked from commit 7c1c8c68174ed484fe86a0d9e429daad3a47a57d)
>---
> source4/kdc/mit-kdb/kdb_samba.h            | 13 ++++++++-
> source4/kdc/mit-kdb/kdb_samba_policies.c   | 42 +++++++++++++++++++++---------
> source4/kdc/mit-kdb/kdb_samba_principals.c |  2 +-
> 3 files changed, 42 insertions(+), 15 deletions(-)
>
>diff --git a/source4/kdc/mit-kdb/kdb_samba.h b/source4/kdc/mit-kdb/kdb_samba.h
>index abca2c166ae..b9c571f26cb 100644
>--- a/source4/kdc/mit-kdb/kdb_samba.h
>+++ b/source4/kdc/mit-kdb/kdb_samba.h
>@@ -78,7 +78,7 @@ krb5_error_code kdb_samba_db_put_principal(krb5_context context,
> krb5_error_code kdb_samba_db_delete_principal(krb5_context context,
> 					      krb5_const_principal princ);
> 
>-#if KRB5_KDB_API_VERSION == 8
>+#if KRB5_KDB_API_VERSION >= 8
> krb5_error_code kdb_samba_db_iterate(krb5_context context,
> 				     char *match_entry,
> 				     int (*func)(krb5_pointer, krb5_db_entry *),
>@@ -148,12 +148,23 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
> 						       const krb5_db_entry *server,
> 						       krb5_const_principal proxy);
> 
>+#if KRB5_KDB_API_VERSION >= 9
> void kdb_samba_db_audit_as_req(krb5_context kcontext,
> 			       krb5_kdc_req *request,
>+			       const krb5_address *local_addr,
>+			       const krb5_address *remote_addr,
> 			       krb5_db_entry *client,
> 			       krb5_db_entry *server,
> 			       krb5_timestamp authtime,
> 			       krb5_error_code error_code);
>+#else
>+void kdb_samba_db_audit_as_req(krb5_context kcontext,
>+			       krb5_kdc_req *request,
>+			       krb5_db_entry *client,
>+			       krb5_db_entry *server,
>+			       krb5_timestamp authtime,
>+			       krb5_error_code error_code);
>+#endif
> 
> /* from kdb_samba_change_pwd.c */
> 
>diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
>index 81140abfd50..de5813bde2f 100644
>--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
>+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
>@@ -432,20 +432,10 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
> 	return code;
> }
> 
>-void kdb_samba_db_audit_as_req(krb5_context context,
>-			       krb5_kdc_req *request,
>-			       krb5_db_entry *client,
>-			       krb5_db_entry *server,
>-			       krb5_timestamp authtime,
>-			       krb5_error_code error_code)
>-{
>-	struct mit_samba_context *mit_ctx;
>-
>-	mit_ctx = ks_get_context(context);
>-	if (mit_ctx == NULL) {
>-		return;
>-	}
> 
>+static void samba_bad_password_count(krb5_db_entry *client,
>+				     krb5_error_code error_code)
>+{
> 	switch (error_code) {
> 	case 0:
> 		mit_samba_zero_bad_password_count(client);
>@@ -456,3 +446,29 @@ void kdb_samba_db_audit_as_req(krb5_context context,
> 		break;
> 	}
> }
>+
>+#if KRB5_KDB_API_VERSION >= 9
>+void kdb_samba_db_audit_as_req(krb5_context context,
>+			       krb5_kdc_req *request,
>+			       const krb5_address *local_addr,
>+			       const krb5_address *remote_addr,
>+			       krb5_db_entry *client,
>+			       krb5_db_entry *server,
>+			       krb5_timestamp authtime,
>+			       krb5_error_code error_code)
>+{
>+	samba_bad_password_count(client, error_code);
>+
>+	/* TODO: perform proper audit logging for addresses */
>+}
>+#else
>+void kdb_samba_db_audit_as_req(krb5_context context,
>+			       krb5_kdc_req *request,
>+			       krb5_db_entry *client,
>+			       krb5_db_entry *server,
>+			       krb5_timestamp authtime,
>+			       krb5_error_code error_code)
>+{
>+	samba_bad_password_count(client, error_code);
>+}
>+#endif
>diff --git a/source4/kdc/mit-kdb/kdb_samba_principals.c b/source4/kdc/mit-kdb/kdb_samba_principals.c
>index 1dbb69b561d..8b67436dc47 100644
>--- a/source4/kdc/mit-kdb/kdb_samba_principals.c
>+++ b/source4/kdc/mit-kdb/kdb_samba_principals.c
>@@ -308,7 +308,7 @@ krb5_error_code kdb_samba_db_delete_principal(krb5_context context,
> 	return KRB5_KDB_DB_INUSE;
> }
> 
>-#if KRB5_KDB_API_VERSION == 8
>+#if KRB5_KDB_API_VERSION >= 8
> krb5_error_code kdb_samba_db_iterate(krb5_context context,
> 				     char *match_entry,
> 				     int (*func)(krb5_pointer, krb5_db_entry *),
>-- 
>2.13.6
>

Flags:

asn: review+

Actions: View

Attachments on bug 13304: 13983