The Samba-Bugzilla – Attachment 15532 Details for Bug 14155: kpasswd fails when built with MIT Kerberos
[patch] patch for 4.11
v4.11.patch (text/plain), 3.50 KB, created by Andreas Schneider on 2019-10-14 08:15:43 UTC
>From 3a37579b0dc95830d8fa7d596eec17d720940998 Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Wed, 9 Oct 2019 20:11:03 +0200 >Subject: [PATCH 1/2] lib:krb5_wrap: Do not create a temporary file for MEMORY > keytabs > >The autobuild cleanup script fails with: > >The tree has 3 new uncommitted files!!! >git clean -n >Would remove MEMORY:tmp_smb_creds_SK98Lv >Would remove MEMORY:tmp_smb_creds_kornU6 >Would remove MEMORY:tmp_smb_creds_ljR828 > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit d888655244b4d8ec7a69a042e0ff3c074585b0de) >--- > lib/krb5_wrap/krb5_samba.c | 19 ++++++++----------- > 1 file changed, 8 insertions(+), 11 deletions(-) > >diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c >index a4e73c64f00..5aceae44eec 100644 >--- a/lib/krb5_wrap/krb5_samba.c >+++ b/lib/krb5_wrap/krb5_samba.c >@@ -2002,26 +2002,23 @@ krb5_error_code smb_krb5_kinit_keyblock_ccache(krb5_context ctx, > krb_options); > #elif defined(HAVE_KRB5_GET_INIT_CREDS_KEYTAB) > { >-#define SMB_CREDS_KEYTAB "MEMORY:tmp_smb_creds_XXXXXX" >- char tmp_name[sizeof(SMB_CREDS_KEYTAB)]; >+#define SMB_CREDS_KEYTAB "MEMORY:tmp_kinit_keyblock_ccache" >+ char tmp_name[64] = {0}; > krb5_keytab_entry entry; > krb5_keytab keytab; >- int tmpfd; >- mode_t mask; >+ int rc; > > memset(&entry, 0, sizeof(entry)); > entry.principal = principal; > *(KRB5_KT_KEY(&entry)) = *keyblock; > >- memcpy(tmp_name, SMB_CREDS_KEYTAB, sizeof(SMB_CREDS_KEYTAB)); >- mask = umask(S_IRWXO | S_IRWXG); >- tmpfd = mkstemp(tmp_name); >- umask(mask); >- if (tmpfd == -1) { >- DBG_ERR("Failed to mkstemp %s\n", tmp_name); >+ rc = snprintf(tmp_name, sizeof(tmp_name), >+ "%s-%p", >+ SMB_CREDS_KEYTAB, >+ &my_creds); >+ if (rc < 0) { > return KRB5_KT_BADNAME; > } >- close(tmpfd); > code = krb5_kt_resolve(ctx, tmp_name, &keytab); > if (code) { > return code; >-- >2.23.0 
> > >From 2d17adb1d8ca727258ae79c8bfa69c7f5b0c5560 Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Wed, 9 Oct 2019 16:32:47 +0200 >Subject: [PATCH 2/2] s3:libads: Do not turn on canonicalization flag for MIT > Kerberos > >This partially reverts 303b7e59a286896888ee2473995fc50bb2b5ce5e. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14155 > >Pair-Programmed-With: Isaac Boukris <iboukris@redhat.com> > >Signed-off-by: Andreas Schneider <asn@samba.org> >Signed-off-by: Isaac Boukris <iboukris@redhat.com> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 123584294cfd153acc2d9a5be9d71c395c847a25) >--- > source3/libads/krb5_setpw.c | 15 +++++++++++++++ > 1 file changed, 15 insertions(+) > >diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c >index 67bc2f4640d..028b0dcfa65 100644 >--- a/source3/libads/krb5_setpw.c >+++ b/source3/libads/krb5_setpw.c >@@ -207,7 +207,22 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host, > krb5_get_init_creds_opt_set_win2k(context, opts, true); > krb5_get_init_creds_opt_set_canonicalize(context, opts, true); > #else /* MIT */ >+#if 0 >+ /* >+ * FIXME >+ * >+ * Due to an upstream MIT Kerberos bug, this feature is not >+ * not working. Affection versions (2019-10-09): <= 1.17 >+ * >+ * Reproducer: >+ * kinit -C aDmInIsTrAtOr@ACME.COM -S kadmin/changepw@ACME.COM >+ * >+ * This is NOT a problem if the service is a krbtgt. >+ * >+ * https://bugzilla.samba.org/show_bug.cgi?id=14155 >+ */ > krb5_get_init_creds_opt_set_canonicalize(opts, true); >+#endif > #endif /* MIT */ > > /* note that heimdal will fill in the local addresses if the addresses >-- >2.23.0 >
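Review bot: in lib/krb5_wrap/krb5_samba.c (PATCH 1/2), the `if (rc < 0)` test after snprintf() does not catch truncation, so a formatted name longer than tmp_name would be cut short and passed to krb5_kt_resolve() as a different keytab name. The length of `%p` output is implementation-defined, so the 64-byte buffer is an assumption rather than a guarantee; checking `rc < 0 || (size_t)rc >= sizeof(tmp_name)` before returning KRB5_KT_BADNAME closes that gap. The removed DBG_ERR is not replaced, so this failure path is now silent, and a short debug message would help. If one is added, note that tmp_name now embeds the address of my_creds, so the message should not print the name itself.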
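Review bot: in source3/libads/krb5_setpw.c (PATCH 2/2), the `#if 0` around krb5_get_init_creds_opt_set_canonicalize(opts, true) disables canonicalization for every MIT build, while the comment limits the problem to versions <= 1.17. Gating the call on a configure-time or version check, and citing the upstream MIT ticket next to the Samba bug URL, would let the call come back once a fixed release exists instead of relying on someone remembering the FIXME. The comment text also has two typos worth fixing before merge: "not not working" and "Affection versions" (presumably "Affected versions").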
Flags: metze: review+