The Samba-Bugzilla – Attachment 15902 Details for
Bug 14342
mit-kdc: adapt sign_authdata in our KDB module for krb5 v1.18 (MR !1062)
[patch]
patch for 4.12 branch
v412_krb5_v118.patch (text/plain), 12.07 KB, created by
Isaac Boukris
on 2020-04-09 19:42:54 UTC
Description:
patch for 4.12 branch
Filename:
MIME Type:
Creator:
Isaac Boukris
Created:
2020-04-09 19:42:54 UTC
Size:
12.07 KB
patch
obsolete
>From b041bc0345730663d241390efa2352ba4107ffad Mon Sep 17 00:00:00 2001
>From: Isaac Boukris <iboukris@gmail.com>
>Date: Mon, 16 Sep 2019 16:40:12 +0300
>Subject: [PATCH 1/5] Adapt sign_authdata in our KDB module for krb5 v1.18
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14342
>
>Signed-off-by: Isaac Boukris <iboukris@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>---
> source4/kdc/mit-kdb/kdb_samba.c | 2 +-
> source4/kdc/mit-kdb/kdb_samba.h | 21 ++++++++++++++++++
> source4/kdc/mit-kdb/kdb_samba_policies.c | 27 ++++++++++++++++++++++++
> 3 files changed, 49 insertions(+), 1 deletion(-)
>
>diff --git a/source4/kdc/mit-kdb/kdb_samba.c b/source4/kdc/mit-kdb/kdb_samba.c
>index c5157d6ed1b..02bbdca9f54 100644
>--- a/source4/kdc/mit-kdb/kdb_samba.c
>+++ b/source4/kdc/mit-kdb/kdb_samba.c
>@@ -139,7 +139,7 @@ static void kdb_samba_db_free_principal_e_data(krb5_context context,
>
> kdb_vftabl kdb_function_table = {
> .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
>- .min_ver = 1,
>+ .min_ver = KRB5_KDB_DAL_MAJOR_VERSION == 6 ? 1 : 0,
>
> .init_library = kdb_samba_init_library,
> .fini_library = kdb_samba_fini_library,
>diff --git a/source4/kdc/mit-kdb/kdb_samba.h b/source4/kdc/mit-kdb/kdb_samba.h
>index 22ef9085b6a..ad4f6e27573 100644
>--- a/source4/kdc/mit-kdb/kdb_samba.h
>+++ b/source4/kdc/mit-kdb/kdb_samba.h
>@@ -114,6 +114,7 @@ krb5_error_code kdb_samba_dbekd_encrypt_key_data(krb5_context context,
>
> /* from kdb_samba_policies.c */
>
>+#if KRB5_KDB_API_VERSION < 10
> krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
> unsigned int flags,
> krb5_const_principal client_princ,
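Review bot: The new `.min_ver` initializer in the kdb_samba.c hunk ties the minor version to `KRB5_KDB_DAL_MAJOR_VERSION == 6` without saying why, so a reader of kdb_function_table has to re-derive the DAL version history to understand it. A one-line comment above the field would carry that, e.g. `/* DAL minor version 1 is only defined for major version 6 (older krb5, see KRB5_KDB_API_VERSION checks in kdb_samba.h); use 0 otherwise */`. The matching `#if KRB5_KDB_API_VERSION < 10` split in the kdb_samba.h hunk could likewise name the krb5 release it corresponds to, since the commit title (v1.18) is currently the only place that mapping is recorded.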
>@@ -127,6 +128,26 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
> krb5_timestamp authtime,
> krb5_authdata **tgt_auth_data,
> krb5_authdata ***signed_auth_data);
>+#else
>+krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
>+ unsigned int flags,
>+ krb5_const_principal client_princ,
>+ krb5_const_principal server_princ,
>+ krb5_db_entry *client,
>+ krb5_db_entry *server,
>+ krb5_db_entry *krbtgt,
>+ krb5_db_entry *local_krbtgt,
>+ krb5_keyblock *client_key,
>+ krb5_keyblock *server_key,
>+ krb5_keyblock *krbtgt_key,
>+ krb5_keyblock *local_krbtgt_key,
>+ krb5_keyblock *session_key,
>+ krb5_timestamp authtime,
>+ krb5_authdata **tgt_auth_data,
>+ void *authdata_info,
>+ krb5_data ***auth_indicators,
>+ krb5_authdata ***signed_auth_data);
>+#endif
>
> krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,
> krb5_kdc_req *kdcreq,
>diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
>index fc80329f221..586cf81451d 100644
>--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
>+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
>@@ -287,6 +287,7 @@ done:
> return code;
> }
>
>+#if KRB5_KDB_API_VERSION < 10
> krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
> unsigned int flags,
> krb5_const_principal client_princ,
>@@ -301,6 +302,27 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
> krb5_authdata **tgt_auth_data,
> krb5_authdata ***signed_auth_data)
> {
>+#else
>+krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
>+ unsigned int flags,
>+ krb5_const_principal client_princ,
>+ krb5_const_principal server_princ,
>+ krb5_db_entry *client,
>+ krb5_db_entry *server,
>+ krb5_db_entry *krbtgt,
>+ krb5_db_entry *local_krbtgt,
>+ krb5_keyblock *client_key,
>+ krb5_keyblock *server_key,
>+ krb5_keyblock *krbtgt_key,
>+ krb5_keyblock *local_krbtgt_key,
>+ krb5_keyblock *session_key,
>+ krb5_timestamp authtime,
>+ krb5_authdata **tgt_auth_data,
>+ void *authdata_info,
>+ krb5_data ***auth_indicators,
>+ krb5_authdata ***signed_auth_data)
>+{
>+#endif
> krb5_const_principal ks_client_princ;
> krb5_authdata **authdata = NULL;
> krb5_boolean is_as_req;
>@@ -308,6 +330,11 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
> krb5_pac pac = NULL;
> krb5_data pac_data;
>
>+#if KRB5_KDB_API_VERSION >= 10
>+ krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;
>+ krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
>+#endif
>+
> /* Prefer canonicalised name from client entry */
> if (client != NULL) {
> ks_client_princ = client->princ;
>--
>2.24.1
>
>
>From f77de940e4437dbf0ef5ad14a7632068ef6a1721 Mon Sep 17 00:00:00 2001
>From: Isaac Boukris <iboukris@gmail.com>
>Date: Thu, 16 Jan 2020 21:36:24 +0100
>Subject: [PATCH 2/5] Fix uxsuccess test with new MIT krb5 library 1.18
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14155
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14342
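Review bot: The `krbtgt`/`krbtgt_key` fallback in the `@@ -308,6 +330,11` hunk silently decides which TGT entry and key the rest of kdb_samba_db_sign_auth_data (which continues outside the hunk) uses to verify and sign the PAC, and nothing at the site says why; a comment such as `/* The KDB API 10 signature (krb5 1.18) passes the local realm TGT separately; fall back to it when the KDC supplied no krbtgt entry or key */` would record the intent. If the KDC ever passes NULL for both `krbtgt_key` and `local_krbtgt_key`, the later `ks_verify_pac`/`krb5_pac_sign` calls receive a NULL key, and whether they guard against that is not visible here. In the `@@ -301,6 +302,27` hunk the new `authdata_info` and `auth_indicators` parameters are accepted but never read in the visible code, so a short note on the new definition that they are intentionally ignored would stop a later reader from assuming authentication indicators are propagated into the signed authdata.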
>
>Signed-off-by: Isaac Boukris <iboukris@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Guenther Deschner <gd@samba.org>
>---
> .../{knownfail.d/kinit_mit => knownfail_mit_krb5_pre_1_18} | 0
> selftest/wscript | 3 +++
> testprogs/blackbox/test_kinit_mit.sh | 4 ----
> wscript_configure_system_mitkrb5 | 3 +++
> 4 files changed, 6 insertions(+), 4 deletions(-)
> rename selftest/{knownfail.d/kinit_mit => knownfail_mit_krb5_pre_1_18} (100%)
>
>diff --git a/selftest/knownfail.d/kinit_mit b/selftest/knownfail_mit_krb5_pre_1_18
>similarity index 100%
>rename from selftest/knownfail.d/kinit_mit
>rename to selftest/knownfail_mit_krb5_pre_1_18
>diff --git a/selftest/wscript b/selftest/wscript
>index 4d03eb76842..501a5df5824 100644
>--- a/selftest/wscript
>+++ b/selftest/wscript
>@@ -142,6 +142,9 @@ def cmd_testonly(opt):
> '--flapping=${srcdir}/selftest/flapping '
> '--flapping=${srcdir}/selftest/flapping.d')
>
>+ if CONFIG_GET(opt, 'HAVE_MIT_KRB5_PRE_1_18'):
>+ env.FILTER_XFAIL += ' --expected-failures=${srcdir}/selftest/knownfail_mit_krb5_pre_1_18'
>+
> if Options.options.FAIL_IMMEDIATELY:
> env.FILTER_XFAIL += ' --fail-immediately'
>
>diff --git a/testprogs/blackbox/test_kinit_mit.sh b/testprogs/blackbox/test_kinit_mit.sh
>index d28caecd603..61029a5e04c 100755
>--- a/testprogs/blackbox/test_kinit_mit.sh
>+++ b/testprogs/blackbox/test_kinit_mit.sh
>@@ -134,10 +134,6 @@ testit "enable user with kerberos cache" $VALGRIND $PYTHON $samba_enableaccount
> ### Test kinit with canonicalization
> ###########################################################
>
>-# This is currently not working due to an upstream bug in MIT Kerberos. The
>-# test will ensure that we get notified when we can turn on canonicalization
>-# in ads_krb5_chg_password().
>-# https://bugzilla.samba.org/show_bug.cgi?id=14155
> upperusername=$(echo $USERNAME | tr '[a-z]' '[A-Z]')
> testit "kinit with canonicalize" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit -C $upperusername@$REALM -S kadmin/changepw@$REALM || failed=`expr $failed + 1`
>
>diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5
>index b05ac3f3e50..23587797119 100644
>--- a/wscript_configure_system_mitkrb5
>+++ b/wscript_configure_system_mitkrb5
>@@ -77,6 +77,9 @@ if conf.env.KRB5_CONFIG:
> else:
> Logs.info('MIT Kerberos %s detected, MIT krb5 build can proceed' % (krb5_version))
>
>+ if parse_version(krb5_version) < parse_version('1.18'):
>+ conf.DEFINE('HAVE_MIT_KRB5_PRE_1_18', 1)
>+
> conf.CHECK_CFG(args="--cflags --libs", package="com_err", uselib_store="com_err")
> conf.CHECK_FUNCS_IN('_et_list', 'com_err')
> conf.CHECK_HEADERS('com_err.h', lib='com_err')
>--
>2.24.1
>
>
>From 5ad6c7cab18ecfe436d107c1ed71574dbae39825 Mon Sep 17 00:00:00 2001
>From: Isaac Boukris <iboukris@gmail.com>
>Date: Thu, 16 Jan 2020 22:00:21 +0100
>Subject: [PATCH 3/5] Sign and verify PAC with ticket principal instead of
> canon principal
>
>With MIT library 1.18 the KDC no longer set
>KRB5_KDB_FLAG_CANONICALIZE for enterprise principals which allows
>us to not canonicalize them (like in Windows / Heimdal).
>
>However, it now breaks the PAC signature verification as it was
>wrongly done using canonical client rather than ticket client name.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14342
>
>Signed-off-by: Isaac Boukris <iboukris@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Guenther Deschner <gd@samba.org>
>---
> source4/kdc/mit-kdb/kdb_samba_policies.c | 12 ++----------
> 1 file changed, 2 insertions(+), 10 deletions(-)
>
>diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
>index 586cf81451d..2eec496fa92 100644
>--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
>+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
>@@ -323,7 +323,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
> krb5_authdata ***signed_auth_data)
> {
> #endif
>- krb5_const_principal ks_client_princ;
> krb5_authdata **authdata = NULL;
> krb5_boolean is_as_req;
> krb5_error_code code;
>@@ -335,13 +334,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
> krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
> #endif
>
>- /* Prefer canonicalised name from client entry */
>- if (client != NULL) {
>- ks_client_princ = client->princ;
>- } else {
>- ks_client_princ = client_princ;
>- }
>-
> is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
>
> if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
>@@ -354,7 +346,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
> if (!is_as_req) {
> code = ks_verify_pac(context,
> flags,
>- ks_client_princ,
>+ client_princ,
> client,
> server,
> krbtgt,
>@@ -381,7 +373,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
> goto done;
> }
>
>- code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
>+ code = krb5_pac_sign(context, pac, authtime, client_princ,
> server_key, krbtgt_key, &pac_data);
> if (code != 0) {
> DBG_ERR("krb5_pac_sign failed: %d\n", code);
>--
>2.24.1
>
>
>From d343726ed103ed8e0fe9bbce7e3dc8957cd11c1f Mon Sep 17 00:00:00 2001
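Review bot: The switch from `ks_client_princ` to `client_princ` in the `ks_verify_pac` and `krb5_pac_sign` calls (hunks `@@ -354,7 +346,7` and `@@ -381,7 +373,7`) is the security-relevant core of this patch, yet the reasoning lives only in the commit message; the code should state it, e.g. `/* The PAC signature binds the client name as it appears in the ticket, not the canonical DB name, so verify and sign with client_princ */` above the verify call. With the `client != NULL` fallback removed in the `@@ -335,13 +334,6` hunk, `client_princ` is now the only name used for both operations, and the hunks do not show it being checked for NULL; if the DAL does not guarantee a non-NULL client principal here, a guard before the `!is_as_req` branch would be in order. kdb_samba_db_sign_auth_data starts and ends outside these hunks.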
>From: Andreas Schneider <asn@samba.org>
>Date: Fri, 6 Mar 2020 17:15:45 +0100
>Subject: [PATCH 4/5] selftest: Set KRB5RCACHETYPE to none for selftest
>
>This is required that out tests work with MIT KRB5 1.18.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14342
>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Guenther Deschner <gd@samba.org>
>Reviewed-by: Isaac Boukris <iboukris@samba.org>
>---
> selftest/selftest.pl | 1 +
> 1 file changed, 1 insertion(+)
>
>diff --git a/selftest/selftest.pl b/selftest/selftest.pl
>index b6094fef3b9..b166b28e0cb 100755
>--- a/selftest/selftest.pl
>+++ b/selftest/selftest.pl
>@@ -451,6 +451,7 @@ my $testenv_default = "none";
>
> if ($opt_mitkrb5 == 1) {
> $ENV{MITKRB5} = $opt_mitkrb5;
>+ $ENV{KRB5RCACHETYPE} = "none";
> }
>
> # After this many seconds, the server will self-terminate. All tests
>--
>2.24.1
>
>
>From 698400f9f88d80ed30fb1cd196afbba1e8acd521 Mon Sep 17 00:00:00 2001
>From: Isaac Boukris <iboukris@gmail.com>
>Date: Fri, 31 Jan 2020 22:34:21 +0100
>Subject: [PATCH 5/5] mit-kdc: Explicitly reject S4U requests
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14342
>
>Signed-off-by: Isaac Boukris <iboukris@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>
>Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
>Autobuild-Date(master): Tue Mar 10 14:46:04 UTC 2020 on sn-devel-184
>---
> source4/kdc/mit-kdb/kdb_samba_policies.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
>diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
>index 2eec496fa92..9197551ed61 100644
>--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
>+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
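Review bot: `$ENV{KRB5RCACHETYPE} = "none"` disables the Kerberos replay cache for every process selftest launches under MIT krb5, and neither the hunk nor the commit message says what in 1.18 makes that necessary, so the line reads like an unexplained workaround that could later be dropped or copied into a non-test configuration. A comment recording the reason and scope would help, e.g. `# MIT krb5 1.18: the selftest environment needs the replay cache disabled (bug 14342); test-only setting`. The assignment sits inside `if ($opt_mitkrb5 == 1)`, so it is already limited to MIT runs, which the comment could state as well.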
>@@ -334,6 +334,11 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
> krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
> #endif
>
>+ /* FIXME: We don't support S4U yet */
>+ if (flags & KRB5_KDB_FLAGS_S4U) {
>+ return KRB5_KDB_DBTYPE_NOSUP;
>+ }
>+
> is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
>
> if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
>--
>2.24.1
>
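Review bot: The new `KRB5_KDB_FLAGS_S4U` rejection returns without any log output, so an S4U2Self/S4U2Proxy request refused by the module leaves no trace in the KDC log and will be hard to diagnose from the operator side; a message in the style of the file's existing `DBG_ERR` calls, e.g. `DBG_WARNING("S4U requests are not supported by the Samba KDB module (flags 0x%x)\n", flags);`, before the `return` would fix that. The early `return` bypasses the function's `done:` cleanup label, which appears safe here because the check sits before `authdata` or `pac` are allocated, but that ordering is worth stating in the comment, e.g. `/* FIXME: S4U2Self/S4U2Proxy are not supported yet; reject early, before anything is allocated */`. kdb_samba_db_sign_auth_data starts and ends outside this hunk.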
Flags:
iboukris
:
review+
gd
:
review+
iboukris
:
ci-passed+