The Samba-Bugzilla – Attachment 17179 Details for Bug 14979: problem when winbind renews Kerberos
[patch] patch for 4.14
winbind_krb5_tgt_refresh-v4-14.patch (text/plain), 13.69 KB, created by Samuel Cabrero on 2022-02-24 10:26:46 UTC
Attachment status: patch, obsolete
>From 7f1e5f19c279a77560d1b0303d88423e665bd6da Mon Sep 17 00:00:00 2001 >From: Samuel Cabrero <scabrero@suse.de> >Date: Tue, 22 Feb 2022 12:59:44 +0100 >Subject: [PATCH 1/6] s3:libads: Fix memory leak in kerberos_return_pac() error > path > >Signed-off-by: Samuel Cabrero <scabrero@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit 3dbcd20de98cd28683a9c248368e5082b6388111) >--- > source3/libads/authdata.c | 11 ++++++++--- > 1 file changed, 8 insertions(+), 3 deletions(-) > >diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c >index dd21d895fc2..c048510d480 100644 >--- a/source3/libads/authdata.c >+++ b/source3/libads/authdata.c >@@ -61,7 +61,10 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, > { > krb5_error_code ret; > NTSTATUS status = NT_STATUS_INVALID_PARAMETER; >- DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1; >+ DATA_BLOB tkt = data_blob_null; >+ DATA_BLOB tkt_wrapped = data_blob_null; >+ DATA_BLOB ap_rep = data_blob_null; >+ DATA_BLOB sesskey1 = data_blob_null; > const char *auth_princ = NULL; > const char *cc = "MEMORY:kerberos_return_pac"; > struct auth_session_info *session_info; >@@ -81,7 +84,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, > ZERO_STRUCT(sesskey1); > > if (!name || !pass) { >- return NT_STATUS_INVALID_PARAMETER; >+ status = NT_STATUS_INVALID_PARAMETER; >+ goto out; > } > > if (cache_name) { >@@ -131,7 +135,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, > > if (expire_time && renew_till_time && > (*expire_time == 0) && (*renew_till_time == 0)) { >- return NT_STATUS_INVALID_LOGON_TYPE; >+ status = NT_STATUS_INVALID_LOGON_TYPE; >+ goto out; > } > > ret = ads_krb5_cli_get_ticket(mem_ctx, >-- >2.35.1 > > >From 0e75425ed06283826cda736a7ce7b1f31248319d Mon Sep 17 00:00:00 2001 
>From: Samuel Cabrero <scabrero@suse.de> >Date: Tue, 22 Feb 2022 13:00:05 +0100 >Subject: [PATCH 2/6] lib:krb5_wrap: Improve debug message and use newer debug > macro > >Signed-off-by: Samuel Cabrero <scabrero@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit ed14513be055cc56eb39785323df2c538a813865) >--- > lib/krb5_wrap/krb5_samba.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c >index fff5b4e2a22..42d4b950f80 100644 >--- a/lib/krb5_wrap/krb5_samba.c >+++ b/lib/krb5_wrap/krb5_samba.c >@@ -1079,7 +1079,7 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, > goto done; > } > >- DEBUG(10,("smb_krb5_renew_ticket: using %s as ccache\n", ccache_string)); >+ DBG_DEBUG("Using %s as ccache for '%s'\n", ccache_string, client_string); > > /* FIXME: we should not fall back to defaults */ > ret = krb5_cc_resolve(context, discard_const_p(char, ccache_string), &ccache); >-- >2.35.1 > > >From 9c60ac7709e44e0582dd0c2155f815ded0982963 Mon Sep 17 00:00:00 2001 >From: Samuel Cabrero <scabrero@suse.de> >Date: Tue, 22 Feb 2022 14:28:28 +0100 >Subject: [PATCH 3/6] lib:krb5_wrap: Fix wrong debug message and use newer > debug macro > >Signed-off-by: Samuel Cabrero <scabrero@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit 1b5b4107a5081f15ba215f3025056d509fcfcf2a) >--- > lib/krb5_wrap/krb5_samba.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > >diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c >index 42d4b950f80..76c2dcd2126 100644 >--- a/lib/krb5_wrap/krb5_samba.c >+++ b/lib/krb5_wrap/krb5_samba.c 
>@@ -1101,7 +1101,10 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, > > ret = krb5_get_renewed_creds(context, &creds, client, ccache, discard_const_p(char, service_string)); > if (ret) { >- DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret))); >+ DBG_DEBUG("krb5_get_renewed_creds using ccache '%s' " >+ "for client '%s' and service '%s' failed: %s\n", >+ ccache_string, client_string, service_string, >+ error_message(ret)); > goto done; > } > >-- >2.35.1 > > >From 012450df0575fb20e58871ce5bb05c4cb48cab37 Mon Sep 17 00:00:00 2001 >From: Samuel Cabrero <scabrero@suse.de> >Date: Tue, 22 Feb 2022 13:08:56 +0100 >Subject: [PATCH 4/6] s3:libads: Return canonical principal and realm from > kerberos_return_pac() > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979 > >Signed-off-by: Samuel Cabrero <scabrero@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit 00b1f44a7e8f66976757535bcbc6bea97fb1c29f) >--- > source3/libads/authdata.c | 22 +++++++++++++++++++++- > source3/libads/kerberos_proto.h | 2 ++ > source3/utils/net_ads.c | 2 ++ > source3/winbindd/winbindd_pam.c | 2 ++ > 4 files changed, 27 insertions(+), 1 deletion(-) > >diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c >index c048510d480..bf9a2335445 100644 >--- a/source3/libads/authdata.c >+++ b/source3/libads/authdata.c >@@ -57,6 +57,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, > time_t renewable_time, > const char *impersonate_princ_s, > const char *local_service, >+ char **_canon_principal, >+ char **_canon_realm, > struct PAC_DATA_CTR **_pac_data_ctr) > { > krb5_error_code ret; 
>@@ -75,6 +77,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, > struct auth4_context *auth_context; > struct loadparm_context *lp_ctx; > struct PAC_DATA_CTR *pac_data_ctr = NULL; >+ char *canon_principal = NULL; >+ char *canon_realm = NULL; > > TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); > NT_STATUS_HAVE_NO_MEMORY(tmp_ctx); >@@ -88,6 +92,14 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, > goto out; > } > >+ if (_canon_principal != NULL) { >+ *_canon_principal = NULL; >+ } >+ >+ if (_canon_realm != NULL) { >+ *_canon_realm = NULL; >+ } >+ > if (cache_name) { > cc = cache_name; > } >@@ -109,7 +121,9 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, > request_pac, > add_netbios_addr, > renewable_time, >- NULL, NULL, NULL, >+ tmp_ctx, >+ &canon_principal, >+ &canon_realm, > &status); > if (ret) { > DEBUG(1,("kinit failed for '%s' with: %s (%d)\n", >@@ -243,6 +257,12 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, > } > > *_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr); >+ if (_canon_principal != NULL) { >+ *_canon_principal = talloc_move(mem_ctx, &canon_principal); >+ } >+ if (_canon_realm != NULL) { >+ *_canon_realm = talloc_move(mem_ctx, &canon_realm); >+ } > > out: > talloc_free(tmp_ctx); >diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h >index 3d7b5bc074b..807381248c8 100644 >--- a/source3/libads/kerberos_proto.h >+++ b/source3/libads/kerberos_proto.h >@@ -78,6 +78,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, > time_t renewable_time, > const char *impersonate_princ_s, > const char *local_service, >+ char **_canon_principal, >+ char **_canon_realm, > struct PAC_DATA_CTR **pac_data_ctr); > > /* The following definitions come from libads/krb5_setpw.c */ >diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c >index c8b18a9c281..bec206e653b 100644 >--- a/source3/utils/net_ads.c >+++ b/source3/utils/net_ads.c 
>@@ -3246,6 +3246,8 @@ static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const ch > 2592000, /* one month */ > impersonate_princ_s, > local_service, >+ NULL, >+ NULL, > pac_data_ctr); > if (!NT_STATUS_IS_OK(status)) { > d_printf(_("failed to query kerberos PAC: %s\n"), >diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c >index f71eb8197a4..001c711911b 100644 >--- a/source3/winbindd/winbindd_pam.c >+++ b/source3/winbindd/winbindd_pam.c >@@ -789,6 +789,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, > WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, > NULL, > local_service, >+ NULL, >+ NULL, > &pac_data_ctr); > if (user_ccache_file != NULL) { > gain_root_privilege(); >-- >2.35.1 > > >From 542eaaad0bfe1c41cc47d51fdaec0b3cfa65b427 Mon Sep 17 00:00:00 2001 >From: Samuel Cabrero <scabrero@suse.de> >Date: Tue, 22 Feb 2022 13:19:02 +0100 >Subject: [PATCH 5/6] s3:winbind: Store canonical principal and realm in ccache > entry > >They will be used later to refresh the tickets. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979 > >Signed-off-by: Samuel Cabrero <scabrero@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit 0f4f330773d272b4d28ff3ba5a41bdd4ba569c8b) >--- > source3/winbindd/winbindd.h | 2 ++ > source3/winbindd/winbindd_cred_cache.c | 16 +++++++++++++++- > source3/winbindd/winbindd_pam.c | 14 ++++++++++---- > source3/winbindd/winbindd_proto.h | 4 +++- > 4 files changed, 30 insertions(+), 6 deletions(-) > >diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h >index 480ba4f1282..6e3dec99798 100644 >--- a/source3/winbindd/winbindd.h >+++ b/source3/winbindd/winbindd.h 
>@@ -350,6 +350,8 @@ struct WINBINDD_CCACHE_ENTRY { > const char *service; > const char *username; > const char *realm; >+ const char *canon_principal; >+ const char *canon_realm; > struct WINBINDD_MEMORY_CREDS *cred_ptr; > int ref_count; > uid_t uid; >diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c >index c3077e21989..88847b1ab97 100644 >--- a/source3/winbindd/winbindd_cred_cache.c >+++ b/source3/winbindd/winbindd_cred_cache.c >@@ -501,7 +501,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name, > time_t create_time, > time_t ticket_end, > time_t renew_until, >- bool postponed_request) >+ bool postponed_request, >+ const char *canon_principal, >+ const char *canon_realm) > { > struct WINBINDD_CCACHE_ENTRY *entry = NULL; > struct timeval t; >@@ -617,6 +619,18 @@ NTSTATUS add_ccache_to_list(const char *princ_name, > goto no_mem; > } > } >+ if (canon_principal != NULL) { >+ entry->canon_principal = talloc_strdup(entry, canon_principal); >+ if (entry->canon_principal == NULL) { >+ goto no_mem; >+ } >+ } >+ if (canon_realm != NULL) { >+ entry->canon_realm = talloc_strdup(entry, canon_realm); >+ if (entry->canon_realm == NULL) { >+ goto no_mem; >+ } >+ } > > entry->ccname = talloc_strdup(entry, ccname); > if (!entry->ccname) { >diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c >index 001c711911b..d50439de424 100644 >--- a/source3/winbindd/winbindd_pam.c >+++ b/source3/winbindd/winbindd_pam.c >@@ -687,6 +687,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, > const char *local_service; > uint32_t i; > struct netr_SamInfo6 *info6_copy = NULL; >+ char *canon_principal = NULL; >+ char *canon_realm = NULL; > bool ok; > > *info6 = NULL; 
>@@ -789,8 +791,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, > WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, > NULL, > local_service, >- NULL, >- NULL, >+ &canon_principal, >+ &canon_realm, > &pac_data_ctr); > if (user_ccache_file != NULL) { > gain_root_privilege(); >@@ -856,7 +858,9 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, > time(NULL), > ticket_lifetime, > renewal_until, >- false); >+ false, >+ canon_principal, >+ canon_realm); > > if (!NT_STATUS_IS_OK(result)) { > DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n", >@@ -1233,7 +1237,9 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, > time(NULL), > time(NULL) + lp_winbind_cache_time(), > time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, >- true); >+ true, >+ principal_s, >+ realm); > > if (!NT_STATUS_IS_OK(result)) { > DEBUG(10,("winbindd_dual_pam_auth_cached: failed " >diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h >index 12a113ed636..96d32cc741e 100644 >--- a/source3/winbindd/winbindd_proto.h >+++ b/source3/winbindd/winbindd_proto.h >@@ -236,7 +236,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name, > time_t create_time, > time_t ticket_end, > time_t renew_until, >- bool postponed_request); >+ bool postponed_request, >+ const char *canon_principal, >+ const char *canon_realm); > NTSTATUS remove_ccache(const char *username); > struct WINBINDD_MEMORY_CREDS *find_memory_creds_by_name(const char *username); > NTSTATUS winbindd_add_memory_creds(const char *username, >-- >2.35.1 > > >From 6724c94859992c990124b58227908d17b85e1793 Mon Sep 17 00:00:00 2001 
>From: Samuel Cabrero <scabrero@suse.de> >Date: Tue, 22 Feb 2022 14:28:44 +0100 >Subject: [PATCH 6/6] s3:winbind: Use the canonical principal name to renew the > credentials > >The principal name stored in the winbindd ccache entry might be an >enterprise principal name if enterprise principals are enabled. Use >the canonical name to renew the credentials. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979 > >Signed-off-by: Samuel Cabrero <scabrero@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit 8246ccc23d064147412bb3475e6431a9fffc0d27) >--- > source3/winbindd/winbindd_cred_cache.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c >index 88847b1ab97..6c65db6a73f 100644 >--- a/source3/winbindd/winbindd_cred_cache.c >+++ b/source3/winbindd/winbindd_cred_cache.c >@@ -209,7 +209,7 @@ rekinit: > set_effective_uid(entry->uid); > > ret = smb_krb5_renew_ticket(entry->ccname, >- entry->principal_name, >+ entry->canon_principal, > entry->service, > &new_start); > #if defined(DEBUG_KRB5_TKT_RENEWAL) >-- >2.35.1 >
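Review bot: In 1/6, the `ZERO_STRUCT(sesskey1);` left as context in the `@@ -81,7 +84,8 @@` hunk of source3/libads/authdata.c is now redundant, because the first hunk already initialises `DATA_BLOB sesskey1 = data_blob_null;` at declaration; drop it so the blob has a single initialisation site. The two new `goto out;` paths are safe only because `tmp_ctx` is allocated before the `!name || !pass` check (the 4/6 context shows `TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);` above it), so `out: talloc_free(tmp_ctx);` never sees an unallocated context; a one-line comment at `out:` saying that every `goto out` must come after that allocation would keep a later early return from reintroducing the leak or freeing garbage.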
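Review bot: In the `@@ -88,6 +92,14 @@` hunk of 4/6 (source3/libads/authdata.c), the new `*_canon_principal = NULL;` and `*_canon_realm = NULL;` assignments sit after the `!name || !pass` check, so a caller that hits the `NT_STATUS_INVALID_PARAMETER` early `goto out;` gets its two out-parameters left untouched rather than cleared. Move both `if (_canon_principal != NULL) { ... }` blocks up to directly after `NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);` so the function's contract ("out-params are NULL on every failure path") holds on every path, not only the ones that reach the kinit call. The callers in this series happen to pre-initialise their locals to NULL (`char *canon_principal = NULL;` in 5/6) or pass NULL, which is why nothing breaks today.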
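Review bot: In the `@@ -617,6 +619,18 @@` hunk of 5/6 (source3/winbindd/winbindd_cred_cache.c), `entry->canon_realm` is stored but nothing in this series reads it; 6/6 only consumes `entry->canon_principal` in the `smb_krb5_renew_ticket()` call. The 5/6 commit message says both values "will be used later to refresh the tickets", so either name the follow-up that reads `canon_realm` in the commit message or drop the field until it has a consumer, to avoid carrying an unused string per ccache entry. Also, because the strdup is guarded by `if (canon_principal != NULL)`, an entry added with a NULL canonical name keeps `entry->canon_principal == NULL`; the prototype in source3/winbindd/winbindd_proto.h should document that both new parameters may be NULL and what that means for renewal.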
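Review bot: In the `@@ -1233,7 +1237,9 @@` hunk of 5/6 (source3/winbindd/winbindd_pam.c, `winbindd_dual_pam_auth_cached`), `principal_s` and `realm` are passed as the canonical principal and realm, i.e. the very name that the 6/6 commit message says "might be an enterprise principal name if enterprise principals are enabled". On the cached path there is no KDC reply to take a canonical name from, so this is an intentional fallback, but it means entries created here will still be renewed under the possibly-enterprise name once 6/6 switches the renew call to `entry->canon_principal`. Add a short comment at the call site stating that the cached path has no canonical name available and that renewal of such entries is best effort, so the next reader does not mistake it for the same bug.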
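Review bot: In 6/6 (source3/winbindd/winbindd_cred_cache.c, `@@ -209,7 +209,7 @@`), `entry->canon_principal` is passed to `smb_krb5_renew_ticket()` unconditionally, but 5/6 only fills that field when `add_ccache_to_list()` receives a non-NULL `canon_principal`, so any entry stored without one now renews with a NULL client name where it previously used `entry->principal_name`. Fall back at the use site, e.g. `entry->canon_principal != NULL ? entry->canon_principal : entry->principal_name`, or alternatively have `add_ccache_to_list()` default `canon_principal` to `princ_name` when the caller passes NULL; either way, the `- entry->principal_name,` line shows the field is still present, so the fallback costs nothing. Note too that the 2/6 debug message prints the client name with `'%s'`, so a NULL here would also reach that format call.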
Flags: asn: review+, metze: review+
Attachments on bug 14979: 17177 | 17178 | 17179 (this attachment) | 17414 | 17415 | 17416