The Samba-Bugzilla – Attachment 3483 Details for
Bug 5614
Problems mounting CIFS shares with Kerberos
[patch]
Adds support to cifs.spnego for MS_KRB5 wrapping
0001-mskrb5-support.patch (text/plain), 4.38 KB, created by
Igor Mammedov
on 2008-08-15 12:00:31 UTC
Description:
Adds support to cifs.spnego for MS_KRB5 wrapping
Filename:
MIME Type:
Creator:
Igor Mammedov
Created:
2008-08-15 12:00:31 UTC
Size:
4.38 KB
>From 6312125e3296360379da01933a099aab25b7b3ae Mon Sep 17 00:00:00 2001
>From: Igor Mammedov <niallain@gmail.com>
>Date: Fri, 15 Aug 2008 17:53:57 +0400
>Subject: [PATCH] mskrb5 support in cifs.spnego
>
>
>Signed-off-by: Igor Mammedov <niallain@gmail.com>
>---
> source/client/cifs.spnego.c | 48 ++++++++++++++++++++++++++++++++++--------
> 1 files changed, 39 insertions(+), 9 deletions(-)
>
>diff --git a/source/client/cifs.spnego.c b/source/client/cifs.spnego.c
>index ece0ad7..84c7aea 100644
>--- a/source/client/cifs.spnego.c
>+++ b/source/client/cifs.spnego.c
>@@ -29,7 +29,7 @@ create dns_resolver * * /usr/local/sbin/cifs.spnego [-v] %k
>
> #include "cifs_spnego.h"
>
>-const char *CIFSSPNEGO_VERSION = "1.1";
>+const char *CIFSSPNEGO_VERSION = "1.2";
> static const char *prog = "cifs.spnego";
> typedef enum _secType {
> KRB5,
>@@ -75,7 +75,7 @@ int handle_krb5_mech(const char *oid, const char *principal,
> tkt_wrapped = spnego_gen_krb5_wrap(tkt, TOK_ID_KRB_AP_REQ);
>
> /* and wrap that in a shiny SPNEGO wrapper */
>- *secblob = gen_negTokenInit(OID_KERBEROS5, tkt_wrapped);
>+ *secblob = gen_negTokenInit(oid, tkt_wrapped);
>
> data_blob_free(&tkt_wrapped);
> data_blob_free(&tkt);
>@@ -88,20 +88,20 @@ int handle_krb5_mech(const char *oid, const char *principal,
> #define DKD_HAVE_IPV4 8
> #define DKD_HAVE_IPV6 16
> #define DKD_HAVE_UID 32
>-#define DKD_MUSTHAVE_SET (DKD_HAVE_HOSTNAME|DKD_HAVE_VERSION|DKD_HAVE_SEC)
>+#define DKD_HAVE_MIC 64
>+#define DKD_MUSTHAVE_SET (DKD_HAVE_VERSION|DKD_HAVE_SEC)
>
> int decode_key_description(const char *desc, int *ver, secType_t * sec,
>- char **hostname, uid_t * uid)
>+ char **hostname, char **mic, uid_t * uid)
> {
>+ const char *tkn = desc;
> int retval = 0;
> char *pos;
>- const char *tkn = desc;
>+ int len;
>
> do {
> pos = index(tkn, ';');
> if (strncmp(tkn, "host=", 5) == 0) {
>- int len;
>-
> if (pos == NULL) {
> len = strlen(tkn);
> } else {
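Review bot: The new `mic` out-parameter of decode_key_description in the `-88,20` hunk has no documented ownership contract, and DKD_MUSTHAVE_SET stops requiring `host=` without saying where that requirement went. The `mic=` branch added in the following hunk calls `SAFE_FREE(*mic)` before allocating, so the caller has to pass a pointer that is NULL or heap-allocated and free the result afterwards; a comment on the function such as `/* *mic must be NULL or a heap pointer on entry; the caller frees it */` would state that. Above the macro, `/* host= and mic= are required per sec type and are checked by the caller */` would record why the hostname bit was dropped. The function body continues outside this hunk.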
>@@ -112,6 +112,17 @@ int decode_key_description(const char *desc, int *ver, secType_t * sec,
> *hostname = SMB_XMALLOC_ARRAY(char, len);
> strlcpy(*hostname, tkn + 5, len);
> retval |= DKD_HAVE_HOSTNAME;
>+ } else if (strncmp(tkn, "mic=", 4) == 0) {
>+ if (pos == NULL) {
>+ len = strlen(tkn);
>+ } else {
>+ len = pos - tkn;
>+ }
>+ len -= 3;
>+ SAFE_FREE(*mic);
>+ *mic = SMB_XMALLOC_ARRAY(char, len);
>+ strlcpy(*mic, tkn + 4, len);
>+ retval |= DKD_HAVE_MIC;
> } else if (strncmp(tkn, "ipv4=", 5) == 0) {
> /* BB: do we need it if we have hostname already? */
> } else if (strncmp(tkn, "ipv6=", 5) == 0) {
>@@ -120,6 +131,9 @@ int decode_key_description(const char *desc, int *ver, secType_t * sec,
> if (strncmp(tkn + 4, "krb5", 4) == 0) {
> retval |= DKD_HAVE_SEC;
> *sec = KRB5;
>+ } else if (strncmp(tkn + 4, "mskrb5", 6) == 0) {
>+ retval |= DKD_HAVE_SEC;
>+ *sec = MS_KRB5;
> }
> } else if (strncmp(tkn, "uid=", 4) == 0) {
> errno = 0;
>@@ -214,7 +228,7 @@ int main(const int argc, char *const argv[])
> uid_t uid;
> int kernel_upcall_version;
> int c, use_cifs_service_prefix = 0;
>- char *buf, *hostname = NULL;
>+ char *buf, *hostname = NULL, *mic = NULL;
>
> openlog(prog, 0, LOG_DAEMON);
> if (argc < 1) {
>@@ -261,7 +275,7 @@ int main(const int argc, char *const argv[])
> }
>
> rc = decode_key_description(buf, &kernel_upcall_version, §ype,
>- &hostname, &uid);
>+ &hostname, &mic, &uid);
> if ((rc & DKD_MUSTHAVE_SET) != DKD_MUSTHAVE_SET) {
> syslog(LOG_WARNING,
> "unable to get from description necessary params");
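Review bot: An empty `mic=` value is accepted by the new branch in the `-112,6` hunk: after `len -= 3` the length is 1, a one-byte buffer holding only the terminator is allocated, and DKD_HAVE_MIC is still set, so the presence check added in main passes with an empty principal. Wrapping the lines from `SAFE_FREE(*mic);` to `retval |= DKD_HAVE_MIC;` in `if (len > 1) { ... }` keeps the flag meaningful. `len` is an `int` assigned from `strlen()` and from a pointer difference, which is safe only while the key description stays short; this page does not show a bound on it. The enclosing function starts and ends outside the hunk.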
>@@ -271,6 +285,16 @@ int main(const int argc, char *const argv[])
> }
> SAFE_FREE(buf);
>
>+ if (sectype == MS_KRB5 && !(rc & DKD_HAVE_MIC)) {
>+ syslog(LOG_ERR, "mskrb5 requires missing mic option");
>+ goto out;
>+ }
>+
>+ if (sectype == KRB5 && !(rc & DKD_HAVE_HOSTNAME)) {
>+ syslog(LOG_ERR, "krb5 requires missing host option");
>+ goto out;
>+ }
>+
> if (kernel_upcall_version != CIFS_SPNEGO_UPCALL_VERSION) {
> syslog(LOG_WARNING,
> "incompatible kernel upcall version: 0x%x",
>@@ -292,6 +316,11 @@ int main(const int argc, char *const argv[])
>
> // do mech specific authorization
> switch (sectype) {
>+ case MS_KRB5:{
>+ rc = handle_krb5_mech(OID_KERBEROS5_OLD, mic,
>+ &secblob, &sess_key);
>+ break;
>+ }
> case KRB5:{
> char *princ;
> size_t len;
>@@ -357,6 +386,7 @@ int main(const int argc, char *const argv[])
> data_blob_free(&secblob);
> data_blob_free(&sess_key);
> SAFE_FREE(hostname);
>+ SAFE_FREE(mic);
> SAFE_FREE(keydata);
> return rc;
> }
>--
>1.5.3.7
>
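Review bot: Both new error branches in the `-271,6` hunk jump to `out` without assigning `rc`, so the value that reaches the `return rc;` visible in the last hunk is presumably still the flag bitmask from decode_key_description rather than a deliberate failure code. It is non-zero because the must-have bits are set, but the exit status then depends on which options happened to be present; adding `rc = 1;` before each `goto out;` makes the failure explicit. The log texts would also read better as `"mskrb5 requires the mic option"` and `"krb5 requires the host option"`. The neighbouring error paths are outside this hunk, so use whatever failure code they use.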
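Review bot: In the new `case MS_KRB5` of the `-292,6` hunk the `mic` string is handed to handle_krb5_mech as the service principal with no check against the host the client meant to reach. If that value is taken from the server's negotiation token, which the option name suggests but this page does not show, the still-unauthenticated peer chooses the principal the ticket is requested for, and Kerberos no longer proves that the client is talking to the intended server. Consider requiring `host=` for mskrb5 as well and rejecting a principal whose host part does not match it, and record the choice with `syslog(LOG_DEBUG, "using principal %s", mic);` so a mismatch shows up in the logs. At minimum a comment on the case should say where `mic` comes from and why it is trusted. main continues outside the hunk.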