mirror of
https://github.com/samba-team/samba.git
synced 2025-12-07 20:23:50 +03:00
r1221: Added the last of the system keytab patch from "Dan Perry" <dperry@pppl.gov>,
fixed valgrind detected mem corruption in libads/kerberos_keytab.c. Jeremy.
This commit is contained in:
Jeremy Allison
committed by
Gerald (Jerry) Carter
Gerald (Jerry) Carter
parent
0ca894d5cf
commit
286f4c809c
@@ -225,7 +225,7 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
|
||||
DEBUG(3,("ads_keytab_add_entry: adding keytab entry for (%s) with encryption type (%d) and version (%d)\n",
|
||||
princ_s, enctypes[i], kt_entry.vno));
|
||||
ret = krb5_kt_add_entry(context, keytab, &kt_entry);
|
||||
krb5_free_keyblock(context, keyp);
|
||||
krb5_free_keyblock_contents(context, keyp);
|
||||
ZERO_STRUCT(kt_entry);
|
||||
if (ret) {
|
||||
DEBUG(1,("ads_keytab_add_entry: adding entry to keytab failed (%s)\n", error_message(ret)));
|
||||
|
||||
@@ -55,6 +55,8 @@ int net_ads_usage(int argc, const char **argv)
|
||||
"\n\tperform a raw LDAP search and dump the results\n"
|
||||
"\nnet ads dn"\
|
||||
"\n\tperform a raw LDAP search and dump attributes of a particular DN\n"
|
||||
"\nnet ads keytab"\
|
||||
"\n\tcreates and updates the kerberos system keytab file\n"
|
||||
);
|
||||
return -1;
|
||||
}
|
||||
@@ -738,9 +740,9 @@ int net_ads_join(int argc, const char **argv)
|
||||
d_printf("Using the name [%s] from the server.\n", short_domain_name);
|
||||
d_printf("You should set \"workgroup = %s\" in smb.conf.\n", short_domain_name);
|
||||
}
|
||||
}
|
||||
else
|
||||
} else {
|
||||
short_domain_name = lp_workgroup();
|
||||
}
|
||||
|
||||
d_printf("Using short domain name -- %s\n", short_domain_name);
|
||||
|
||||
@@ -769,12 +771,18 @@ int net_ads_join(int argc, const char **argv)
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* Now build the keytab, using the same ADS connection */
|
||||
if (lp_use_kerberos_keytab() && ads_keytab_create_default(ads)) {
|
||||
DEBUG(1,("Error creating host keytab!\n"));
|
||||
}
|
||||
|
||||
d_printf("Joined '%s' to realm '%s'\n", global_myname(), ads->config.realm);
|
||||
|
||||
SAFE_FREE(password);
|
||||
SAFE_FREE(machine_account);
|
||||
if ( ctx )
|
||||
if ( ctx ) {
|
||||
talloc_destroy(ctx);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -1015,14 +1023,13 @@ static int net_ads_password(int argc, const char **argv)
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
||||
if (argc < 1) {
|
||||
d_printf("ERROR: You must say which username to change password for\n");
|
||||
return -1;
|
||||
}
|
||||
|
||||
user = argv[0];
|
||||
if (!strchr(user, '@')) {
|
||||
if (!strchr_m(user, '@')) {
|
||||
asprintf(&c, "%s@%s", argv[0], lp_realm());
|
||||
user = c;
|
||||
}
|
||||
@@ -1037,7 +1044,9 @@ static int net_ads_password(int argc, const char **argv)
|
||||
|
||||
/* use the realm so we can eventually change passwords for users
|
||||
in realms other than default */
|
||||
if (!(ads = ads_init(realm, NULL, NULL))) return -1;
|
||||
if (!(ads = ads_init(realm, NULL, NULL))) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* we don't actually need a full connect, but it's the easy way to
|
||||
fill in the KDC's addresss */
|
||||
@@ -1070,12 +1079,11 @@ static int net_ads_password(int argc, const char **argv)
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
int net_ads_changetrustpw(int argc, const char **argv)
|
||||
{
|
||||
ADS_STRUCT *ads;
|
||||
char *host_principal;
|
||||
char *hostname;
|
||||
fstring my_fqdn;
|
||||
ADS_STATUS ret;
|
||||
|
||||
if (!secrets_init()) {
|
||||
@@ -1091,10 +1099,9 @@ int net_ads_changetrustpw(int argc, const char **argv)
|
||||
return -1;
|
||||
}
|
||||
|
||||
hostname = strdup(global_myname());
|
||||
strlower_m(hostname);
|
||||
asprintf(&host_principal, "%s@%s", hostname, ads->config.realm);
|
||||
SAFE_FREE(hostname);
|
||||
name_to_fqdn(my_fqdn, global_myname());
|
||||
strlower_m(my_fqdn);
|
||||
asprintf(&host_principal, "%s@%s", my_fqdn, ads->config.realm);
|
||||
d_printf("Changing password for principal: HOST/%s\n", host_principal);
|
||||
|
||||
ret = ads_change_trust_account_password(ads, host_principal);
|
||||
@@ -1107,6 +1114,14 @@ int net_ads_changetrustpw(int argc, const char **argv)
|
||||
}
|
||||
|
||||
d_printf("Password change for principal HOST/%s succeeded.\n", host_principal);
|
||||
|
||||
if (lp_use_kerberos_keytab()) {
|
||||
d_printf("Attempting to update system keytab with new password.\n");
|
||||
if (ads_keytab_create_default(ads)) {
|
||||
d_printf("Failed to update system keytab.\n");
|
||||
}
|
||||
}
|
||||
|
||||
ads_destroy(&ads);
|
||||
SAFE_FREE(host_principal);
|
||||
|
||||
@@ -1230,6 +1245,86 @@ static int net_ads_dn(int argc, const char **argv)
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int net_ads_keytab_usage(int argc, const char **argv)
|
||||
{
|
||||
d_printf(
|
||||
"net ads keytab <COMMAND>\n"\
|
||||
"<COMMAND> can be either:\n"\
|
||||
" CREATE Creates a fresh keytab\n"\
|
||||
" ADD Adds new service principal\n"\
|
||||
" FLUSH Flushes out all keytab entries\n"\
|
||||
" HELP Prints this help message\n"\
|
||||
"The ADD command will take arguments, the other commands\n"\
|
||||
"will not take any arguments. The arguments given to ADD\n"\
|
||||
"should be a list of principals to add. For example, \n"\
|
||||
" net ads keytab add srv1 srv2\n"\
|
||||
"will add principals for the services srv1 and srv2 to the\n"\
|
||||
"system's keytab.\n"\
|
||||
"\n"
|
||||
);
|
||||
return -1;
|
||||
}
|
||||
|
||||
static int net_ads_keytab_flush(int argc, const char **argv)
|
||||
{
|
||||
int ret;
|
||||
ADS_STRUCT *ads;
|
||||
|
||||
if (!(ads = ads_startup())) {
|
||||
return -1;
|
||||
}
|
||||
ret = ads_keytab_flush(ads);
|
||||
ads_destroy(&ads);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int net_ads_keytab_add(int argc, const char **argv)
|
||||
{
|
||||
int i;
|
||||
int ret = 0;
|
||||
ADS_STRUCT *ads;
|
||||
|
||||
d_printf("Processing principals to add...\n");
|
||||
if (!(ads = ads_startup())) {
|
||||
return -1;
|
||||
}
|
||||
for (i = 0; i < argc; i++) {
|
||||
ret |= ads_keytab_add_entry(ads, argv[i]);
|
||||
}
|
||||
ads_destroy(&ads);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int net_ads_keytab_create(int argc, const char **argv)
|
||||
{
|
||||
ADS_STRUCT *ads;
|
||||
int ret;
|
||||
|
||||
if (!(ads = ads_startup())) {
|
||||
return -1;
|
||||
}
|
||||
ret = ads_keytab_create_default(ads);
|
||||
ads_destroy(&ads);
|
||||
return ret;
|
||||
}
|
||||
|
||||
int net_ads_keytab(int argc, const char **argv)
|
||||
{
|
||||
struct functable func[] = {
|
||||
{"CREATE", net_ads_keytab_create},
|
||||
{"ADD", net_ads_keytab_add},
|
||||
{"FLUSH", net_ads_keytab_flush},
|
||||
{"HELP", net_ads_keytab_usage},
|
||||
{NULL, NULL}
|
||||
};
|
||||
|
||||
if (!lp_use_kerberos_keytab()) {
|
||||
d_printf("\nWarning: \"use kerberos keytab\" must be set to \"true\" in order to \
|
||||
use keytab functions.\n");
|
||||
}
|
||||
|
||||
return net_run_function(argc, argv, func, net_ads_keytab_usage);
|
||||
}
|
||||
|
||||
int net_ads_help(int argc, const char **argv)
|
||||
{
|
||||
@@ -1269,6 +1364,7 @@ int net_ads(int argc, const char **argv)
|
||||
{"DN", net_ads_dn},
|
||||
{"WORKGROUP", net_ads_workgroup},
|
||||
{"LOOKUP", net_ads_lookup},
|
||||
{"KEYTAB", net_ads_keytab},
|
||||
{"HELP", net_ads_help},
|
||||
{NULL, NULL}
|
||||
};
|
||||
@@ -1278,12 +1374,17 @@ int net_ads(int argc, const char **argv)
|
||||
|
||||
#else
|
||||
|
||||
static int net_ads_noads(void)
|
||||
static int net_ads_noads(int argc, const char **argv)
|
||||
{
|
||||
d_printf("ADS support not compiled in\n");
|
||||
return -1;
|
||||
}
|
||||
|
||||
int net_ads_keytab(int argc, const char **argv)
|
||||
{
|
||||
return net_ads_noads();
|
||||
}
|
||||
|
||||
int net_ads_usage(int argc, const char **argv)
|
||||
{
|
||||
return net_ads_noads();
|
||||
|
||||
Reference in New Issue
Block a user