mirror of
https://github.com/samba-team/samba.git
synced 2025-01-26 10:04:02 +03:00
Fix for a bug where the mutex could be left locked. Also remove the
memory keytab code which has no effect. Driven by bug report from "Rob J. Caskey" <rcaskey@uga.edu>. Jeremy. (This used to be commit 4cb8facbf9fa6fa5233fdb363ceac4b304d263d4)
This commit is contained in:
Jeremy Allison
parent
dac4fd693e
commit
160d3e2a9c
@ -2730,28 +2730,6 @@ if test x"$with_ads_support" != x"no"; then
|
||||
[Whether krb5_princ_component is available])
|
||||
fi
|
||||
|
||||
AC_CACHE_CHECK([for memory keytab support],
|
||||
samba_cv_HAVE_MEMORY_KEYTAB,[
|
||||
AC_TRY_RUN([
|
||||
#include<krb5.h>
|
||||
main()
|
||||
{
|
||||
krb5_context context;
|
||||
krb5_keytab keytab;
|
||||
|
||||
krb5_init_context(&context);
|
||||
if (krb5_kt_resolve(context, "MEMORY:", &keytab))
|
||||
exit(1);
|
||||
exit(0);
|
||||
}],
|
||||
samba_cv_HAVE_MEMORY_KEYTAB=yes,
|
||||
samba_cv_HAVE_MEMORY_KEYTAB=no)])
|
||||
|
||||
if test x"$samba_cv_HAVE_MEMORY_KEYTAB" = x"yes"; then
|
||||
AC_DEFINE(HAVE_MEMORY_KEYTAB,1,
|
||||
[Whether in-memory keytabs are supported])
|
||||
fi
|
||||
|
||||
AC_CACHE_CHECK([for key in krb5_keytab_entry],
|
||||
samba_cv_HAVE_KRB5_KEYTAB_ENTRY_KEY,[
|
||||
AC_TRY_COMPILE([#include <krb5.h>],
|
||||
|
||||
@ -26,135 +26,6 @@
|
||||
|
||||
#ifdef HAVE_KRB5
|
||||
|
||||
static void free_keytab(krb5_context context, krb5_keytab keytab)
|
||||
{
|
||||
int ret=0;
|
||||
|
||||
if (keytab)
|
||||
ret = krb5_kt_close(context, keytab);
|
||||
if (ret) {
|
||||
DEBUG(3, ("krb5_kt_close failed (%s)\n",
|
||||
error_message(ret)));
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef HAVE_MEMORY_KEYTAB
|
||||
static krb5_error_code create_keytab(krb5_context context,
|
||||
krb5_principal host_princ,
|
||||
char *host_princ_s,
|
||||
krb5_data password,
|
||||
krb5_enctype *enctypes,
|
||||
krb5_keytab *keytab,
|
||||
char *keytab_name)
|
||||
{
|
||||
krb5_keytab_entry entry;
|
||||
krb5_kvno kvno = 1;
|
||||
krb5_error_code ret;
|
||||
krb5_keyblock *key;
|
||||
int i;
|
||||
|
||||
DEBUG(10,("creating keytab: %s\n", keytab_name));
|
||||
ret = krb5_kt_resolve(context, keytab_name, keytab);
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
if (!(key = (krb5_keyblock *)malloc(sizeof(*key)))) {
|
||||
return ENOMEM;
|
||||
}
|
||||
|
||||
/* add keytab entries for all encryption types */
|
||||
for ( i=0; enctypes[i]; i++ ) {
|
||||
|
||||
if (create_kerberos_key_from_string(context, host_princ, &password, key, enctypes[i])) {
|
||||
continue;
|
||||
}
|
||||
|
||||
entry.principal = host_princ;
|
||||
entry.vno = kvno;
|
||||
|
||||
#if !defined(HAVE_KRB5_KEYTAB_ENTRY_KEY) && !defined(HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK)
|
||||
#error krb5_keytab_entry has no key or keyblock member
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEY /* MIT */
|
||||
entry.key = *key;
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */
|
||||
entry.keyblock = *key;
|
||||
#endif
|
||||
|
||||
DEBUG(10,("adding keytab-entry for (%s) with encryption type (%d)\n",
|
||||
host_princ_s, enctypes[i]));
|
||||
ret = krb5_kt_add_entry(context, *keytab, &entry);
|
||||
if (ret) {
|
||||
DEBUG(1,("adding entry to keytab failed (%s)\n",
|
||||
error_message(ret)));
|
||||
free_keytab(context, *keytab);
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
krb5_free_keyblock(context, key);
|
||||
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
static BOOL setup_keytab(krb5_context context,
|
||||
krb5_principal host_princ,
|
||||
char *host_princ_s,
|
||||
krb5_data password,
|
||||
krb5_enctype *enctypes,
|
||||
krb5_keytab *keytab)
|
||||
{
|
||||
char *keytab_name = NULL;
|
||||
krb5_error_code ret;
|
||||
|
||||
/* check if we have to setup a keytab - not currently enabled
|
||||
I've put this in so that the else block below functions
|
||||
the same way that it will when this code is turned on */
|
||||
if (0 /* will later be *lp_keytab() */) {
|
||||
|
||||
/* use a file-keytab */
|
||||
asprintf(&keytab_name, "%s:%s",
|
||||
""
|
||||
/* KRB5_KT_FILE_PREFIX, "FILE" or
|
||||
"WRFILE" depending on HEeimdal or MIT */,
|
||||
"" /* will later be lp_keytab() */);
|
||||
|
||||
DEBUG(10,("will use filebased keytab: %s\n", keytab_name));
|
||||
ret = krb5_kt_resolve(context, keytab_name, keytab);
|
||||
if (ret) {
|
||||
DEBUG(3,("cannot resolve keytab name %s (%s)\n",
|
||||
keytab_name,
|
||||
error_message(ret)));
|
||||
SAFE_FREE(keytab_name);
|
||||
return False;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
#if defined(HAVE_MEMORY_KEYTAB)
|
||||
else {
|
||||
|
||||
/* setup a in-memory-keytab */
|
||||
asprintf(&keytab_name, "MEMORY:");
|
||||
|
||||
ret = create_keytab(context, host_princ, host_princ_s, password, enctypes,
|
||||
keytab, keytab_name);
|
||||
if (ret) {
|
||||
DEBUG(3,("unable to create MEMORY: keytab (%s)\n",
|
||||
error_message(ret)));
|
||||
SAFE_FREE(keytab_name);
|
||||
return False;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
SAFE_FREE(keytab_name);
|
||||
return True;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
verify an incoming ticket and parse out the principal name and
|
||||
authorization_data if available
|
||||
@ -167,7 +38,6 @@ NTSTATUS ads_verify_ticket(const char *realm, const DATA_BLOB *ticket,
|
||||
NTSTATUS sret = NT_STATUS_LOGON_FAILURE;
|
||||
krb5_context context = NULL;
|
||||
krb5_auth_context auth_context = NULL;
|
||||
krb5_keytab keytab = NULL;
|
||||
krb5_data packet;
|
||||
krb5_ticket *tkt = NULL;
|
||||
krb5_rcache rcache = NULL;
|
||||
@ -177,6 +47,7 @@ NTSTATUS ads_verify_ticket(const char *realm, const DATA_BLOB *ticket,
|
||||
krb5_principal host_princ;
|
||||
char *host_princ_s = NULL;
|
||||
BOOL free_host_princ = False;
|
||||
BOOL got_replay_mutex = False;
|
||||
|
||||
fstring myname;
|
||||
char *password_s = NULL;
|
||||
@ -280,13 +151,8 @@ NTSTATUS ads_verify_ticket(const char *realm, const DATA_BLOB *ticket,
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (!setup_keytab(context, host_princ, host_princ_s, password,
|
||||
enctypes, &keytab)) {
|
||||
DEBUG(3,("ads_verify_ticket: unable to setup keytab\n"));
|
||||
sret = NT_STATUS_LOGON_FAILURE;
|
||||
goto out;
|
||||
}
|
||||
|
||||
got_replay_mutex = True;
|
||||
|
||||
/* We need to setup a auth context with each possible encoding type in turn. */
|
||||
for (i=0;enctypes[i];i++) {
|
||||
if (!(key = (krb5_keyblock *)malloc(sizeof(*key)))) {
|
||||
@ -306,12 +172,8 @@ NTSTATUS ads_verify_ticket(const char *realm, const DATA_BLOB *ticket,
|
||||
packet.data = (krb5_pointer)ticket->data;
|
||||
|
||||
if (!(ret = krb5_rd_req(context, &auth_context, &packet,
|
||||
#ifdef HAVE_MEMORY_KEYTAB
|
||||
host_princ,
|
||||
#else
|
||||
NULL,
|
||||
#endif
|
||||
keytab, NULL, &tkt))) {
|
||||
NULL, NULL, &tkt))) {
|
||||
DEBUG(10,("ads_verify_ticket: enc type [%u] decrypted message !\n",
|
||||
(unsigned int)enctypes[i] ));
|
||||
auth_ok = True;
|
||||
@ -324,6 +186,7 @@ NTSTATUS ads_verify_ticket(const char *realm, const DATA_BLOB *ticket,
|
||||
}
|
||||
|
||||
release_server_mutex();
|
||||
got_replay_mutex = False;
|
||||
|
||||
if (!auth_ok) {
|
||||
DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n",
|
||||
@ -366,10 +229,6 @@ NTSTATUS ads_verify_ticket(const char *realm, const DATA_BLOB *ticket,
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
/* get rid of all resources associated with the keytab */
|
||||
if (keytab) free_keytab(context, keytab);
|
||||
|
||||
if ((ret = krb5_unparse_name(context, get_principal_from_tkt(tkt),
|
||||
principal))) {
|
||||
DEBUG(3,("ads_verify_ticket: krb5_unparse_name failed (%s)\n",
|
||||
@ -382,6 +241,9 @@ NTSTATUS ads_verify_ticket(const char *realm, const DATA_BLOB *ticket,
|
||||
|
||||
out:
|
||||
|
||||
if (got_replay_mutex)
|
||||
release_server_mutex();
|
||||
|
||||
if (!NT_STATUS_IS_OK(sret))
|
||||
data_blob_free(auth_data);
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user