The Samba-Bugzilla – Attachment 5251 Details for
Bug 7079
cliconnect gets realm wrong with trusted domains
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
git-am format patch for 3.5.0.
0001-Fix-bug-7079-cliconnect-gets-realm-wrong-with-truste.patch (text/plain), 5.69 KB, created by
Jeremy Allison
on 2010-02-01 17:23:15 UTC
(
hide
)
Description:
git-am format patch for 3.5.0.
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2010-02-01 17:23:15 UTC
Size:
5.69 KB
patch
obsolete
>From eb37a93452631d29f57f2d1b20f8b8fd22e1a366 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Sat, 30 Jan 2010 19:24:28 -0800 >Subject: [PATCH] Fix bug #7079 - cliconnect gets realm wrong with trusted domains. > >Passing NULL as dest_realm for cli_session_setup_spnego() was >always using our own realm (as for a NetBIOS name). Change this >to look for the mapped realm using krb5_get_host_realm() if >the destination machine name is a DNS name (contains a '.'). >Could get fancier with DNS name detection (length, etc.) but >this will do for now. > >Jeremy. >--- > source3/configure.in | 15 ++++++++++++ > source3/include/proto.h | 2 + > source3/libads/kerberos.c | 52 +++++++++++++++++++++++++++++++++++++++++++ > source3/libsmb/cliconnect.c | 25 ++++++++++++++++++-- > 4 files changed, 91 insertions(+), 3 deletions(-) > >diff --git a/source3/configure.in b/source3/configure.in >index 89994af..142a898 100644 >--- a/source3/configure.in >+++ b/source3/configure.in >@@ -3605,6 +3605,9 @@ if test x"$with_ads_support" != x"no"; then > AC_CHECK_FUNC_EXT(krb5_get_creds_opt_set_impersonate, $KRB5_LIBS) > AC_CHECK_FUNC_EXT(krb5_get_creds, $KRB5_LIBS) > AC_CHECK_FUNC_EXT(krb5_get_credentials_for_user, $KRB5_LIBS) >+ AC_CHECK_FUNC_EXT(krb5_get_host_realm, $KRB5_LIBS) >+ AC_CHECK_FUNC_EXT(krb5_free_host_realm, $KRB5_LIBS) >+ > # MIT krb5 1.8 does not expose this call (yet) > AC_CHECK_DECLS(krb5_get_credentials_for_user, [], [], [#include <krb5.h>]) > >@@ -3947,6 +3950,18 @@ if test x"$with_ads_support" != x"no"; then > [Whether the WRFILE:-keytab is supported]) > fi > >+ AC_CACHE_CHECK([for krb5_realm type], >+ samba_cv_HAVE_KRB5_REALM_TYPE,[ >+ AC_TRY_COMPILE([#include <krb5.h>], >+ [krb5_realm realm;], >+ samba_cv_HAVE_KRB5_REALM_TYPE=yes, >+ samba_cv_HAVE_KRB5_REALM_TYPE=no)]) >+ >+ if test x"$samba_cv_HAVE_KRB5_REALM_TYPE" = x"yes"; then >+ AC_DEFINE(HAVE_KRB5_REALM_TYPE,1, >+ [Whether the type krb5_realm exists]) >+ fi >+ > AC_CACHE_CHECK([for krb5_princ_realm returns krb5_realm or krb5_data], > samba_cv_KRB5_PRINC_REALM_RETURNS_REALM,[ > AC_TRY_COMPILE([#include <krb5.h>], >diff --git a/source3/include/proto.h b/source3/include/proto.h >index 32f389d..37e6eb9 100644 >--- a/source3/include/proto.h >+++ b/source3/include/proto.h >@@ -1797,6 +1797,8 @@ char* kerberos_standard_des_salt( void ); > bool kerberos_secrets_store_des_salt( const char* salt ); > char* kerberos_secrets_fetch_des_salt( void ); > char *kerberos_get_default_realm_from_ccache( void ); >+char *kerberos_get_realm_from_hostname(const char *hostname); >+ > bool kerberos_secrets_store_salting_principal(const char *service, > int enctype, > const char *principal); >diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c >index af8ea39..7fb4ec3 100644 >--- a/source3/libads/kerberos.c >+++ b/source3/libads/kerberos.c >@@ -525,6 +525,58 @@ char *kerberos_get_default_realm_from_ccache( void ) > return realm; > } > >+/************************************************************************ >+ Routine to get the realm from a given DNS name. Returns malloc'ed memory. >+ Caller must free() if the return value is not NULL. >+************************************************************************/ >+ >+char *kerberos_get_realm_from_hostname(const char *hostname) >+{ >+#if defined(HAVE_KRB5_GET_HOST_REALM) && defined(HAVE_KRB5_FREE_HOST_REALM) >+#if defined(HAVE_KRB5_REALM_TYPE) >+ /* Heimdal. */ >+ krb5_realm *realm_list = NULL; >+#else >+ /* MIT */ >+ char **realm_list = NULL; >+#endif >+ char *realm = NULL; >+ krb5_error_code kerr; >+ krb5_context ctx = NULL; >+ >+ initialize_krb5_error_table(); >+ if (krb5_init_context(&ctx)) { >+ return NULL; >+ } >+ >+ kerr = krb5_get_host_realm(ctx, hostname, &realm_list); >+ if (kerr != 0) { >+ DEBUG(3,("kerberos_get_realm_from_hostname %s: " >+ "failed %s\n", >+ hostname ? hostname : "(NULL)", >+ error_message(kerr) )); >+ goto out; >+ } >+ >+ if (realm_list && realm_list[0]) { >+ realm = SMB_STRDUP(realm_list[0]); >+ } >+ >+ out: >+ >+ if (ctx) { >+ if (realm_list) { >+ krb5_free_host_realm(ctx, realm_list); >+ realm_list = NULL; >+ } >+ krb5_free_context(ctx); >+ ctx = NULL; >+ } >+ return realm; >+#else >+ return NULL; >+#endif >+} > > /************************************************************************ > Routine to get the salting principal for this service. This is >diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c >index 6f4ae01..7aa8901 100644 >--- a/source3/libsmb/cliconnect.c >+++ b/source3/libsmb/cliconnect.c >@@ -1074,6 +1074,7 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, > > host = strchr_m(cli->desthost, '.'); > if (host) { >+ /* We had a '.' in the name. */ > machine = SMB_STRNDUP(cli->desthost, > host - cli->desthost); > } else { >@@ -1087,11 +1088,29 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, > realm = SMB_STRDUP(dest_realm); > strupper_m(realm); > } else { >- realm = kerberos_get_default_realm_from_ccache(); >+ if (host) { >+ /* DNS name. */ >+ realm = kerberos_get_realm_from_hostname(cli->desthost); >+ } else { >+ /* NetBIOS name - use our realm. */ >+ realm = kerberos_get_default_realm_from_ccache(); >+ } > } >+ > if (realm && *realm) { >- principal = talloc_asprintf(NULL, "%s$@%s", >- machine, realm); >+ if (host) { >+ /* DNS name. */ >+ principal = talloc_asprintf(talloc_tos(), >+ "cifs/%s@%s", >+ cli->desthost, >+ realm); >+ } else { >+ /* NetBIOS name, use machine account. */ >+ principal = talloc_asprintf(talloc_tos(), >+ "%s$@%s", >+ machine, >+ realm); >+ } > if (!principal) { > SAFE_FREE(machine); > SAFE_FREE(realm); >-- >1.6.6 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
metze
:
review+
Actions:
View
Attachments on
bug 7079
:
5250
| 5251