sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-03 13:47:25 +03:00
Code

r10286: This patch is ugly and disgusting, but for now it works better than the other

Browse Source 
ideas I have had.

When I get a full list of things I want to do to a krb5_context I'll
either add gsskrb5_ wrappers, or a way of speicfying the krb5 context
per gssapi context.

(I want to ensure that the only krb5_context variables created while
executing Samba4 are via our wrapper).

Andrew Bartlett
(This used to be commit 8a22d46e70e9f863831aba0c9913d195f833d625)
This commit is contained in:
Andrew Bartlett 2005-09-17 01:11:50 +00:00 committed by Gerald (Jerry) Carter
parent 3a4da8c0db
commit f3bce652c8
7 changed files with 189 additions and 121 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

103
source4/auth/kerberos/clikrb5.c
View File

@ -385,107 +385,4 @@ cleanup_princ:
return ret;
}
static int smb_krb5_context_destory_1(void *ptr)
{
struct smb_krb5_context *ctx = ptr;
krb5_free_context(ctx->krb5_context);
return 0;
}
#ifdef HAVE_KRB5_LOG_CONTROL
static int smb_krb5_context_destory_2(void *ptr)
{
struct smb_krb5_context *ctx = ptr;
/* Otherwise krb5_free_context will try and close what we have already free()ed */
krb5_set_warn_dest(ctx->krb5_context, NULL);
krb5_closelog(ctx->krb5_context, ctx->logf);
smb_krb5_context_destory_1(ptr);
return 0;
}
/* We never close down the DEBUG system, and no need to unreference the use */
static void smb_krb5_debug_close(void *private) {
return;
}
static void smb_krb5_debug_wrapper(const char *timestr, const char *msg, void *private)
{
DEBUG(3, ("Kerberos: %s\n", msg));
}
#endif
krb5_error_code smb_krb5_init_context(TALLOC_CTX *parent_ctx,
struct smb_krb5_context **smb_krb5_context)
{
krb5_error_code ret;
TALLOC_CTX *tmp_ctx;
initialize_krb5_error_table();
tmp_ctx = talloc_new(parent_ctx);
*smb_krb5_context = talloc(tmp_ctx, struct smb_krb5_context);
if (!*smb_krb5_context || !tmp_ctx) {
talloc_free(*smb_krb5_context);
talloc_free(tmp_ctx);
return ENOMEM;
}
ret = krb5_init_context(&(*smb_krb5_context)->krb5_context);
if (ret) {
DEBUG(1,("krb5_init_context failed (%s)\n",
error_message(ret)));
return ret;
}
talloc_set_destructor(*smb_krb5_context, smb_krb5_context_destory_1);
if (lp_realm() && *lp_realm()) {
char *upper_realm = strupper_talloc(tmp_ctx, lp_realm());
if (!upper_realm) {
DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm()));
talloc_free(tmp_ctx);
return ENOMEM;
}
ret = krb5_set_default_realm((*smb_krb5_context)->krb5_context, lp_realm());
if (ret) {
DEBUG(1,("krb5_set_default_realm failed (%s)\n",
smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx)));
talloc_free(tmp_ctx);
return ret;
}
}
#ifdef HAVE_KRB5_LOG_CONTROL
/* TODO: Should we have a different name here? */
ret = krb5_initlog((*smb_krb5_context)->krb5_context, "Samba", &(*smb_krb5_context)->logf);
if (ret) {
DEBUG(1,("krb5_initlog failed (%s)\n",
smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx)));
talloc_free(tmp_ctx);
return ret;
}
talloc_set_destructor(*smb_krb5_context, smb_krb5_context_destory_2);
ret = krb5_addlog_func((*smb_krb5_context)->krb5_context, (*smb_krb5_context)->logf, 0 /* min */, -1 /* max */,
smb_krb5_debug_wrapper, smb_krb5_debug_close, NULL);
if (ret) {
DEBUG(1,("krb5_addlog_func failed (%s)\n",
smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx)));
talloc_free(tmp_ctx);
return ret;
}
krb5_set_warn_dest((*smb_krb5_context)->krb5_context, (*smb_krb5_context)->logf);
#endif
talloc_steal(parent_ctx, *smb_krb5_context);
talloc_free(tmp_ctx);
return 0;
}
#endif

3
source4/auth/kerberos/config.mk
View File

@ -7,7 +7,8 @@ ADD_OBJ_FILES = \
auth/kerberos/kerberos_verify.o \
auth/kerberos/kerberos_util.o \
auth/kerberos/kerberos_pac.o \
auth/kerberos/gssapi_parse.o
auth/kerberos/gssapi_parse.o \
auth/kerberos/krb5_init_context.o
REQUIRED_SUBSYSTEMS = KERBEROS_LIB NDR_KRB5PAC
# End SUBSYSTEM KERBEROS
#################################

15
source4/auth/kerberos/kerberos.h
View File

@ -21,18 +21,7 @@
#if defined(HAVE_KRB5)
#if defined(HAVE_KRB5_INITLOG) && defined(HAVE_KRB5_ADDLOG_FUNC) && defined (HAVE_KRB5_SET_WARN_DEST) && defined(HAVE_KRB5_LOG_FACILITY)
#define HAVE_KRB5_LOG_CONTROL
#else
#undef HAVE_KRB5_LOG_CONTROL
#endif
struct smb_krb5_context {
krb5_context krb5_context;
#ifdef HAVE_KRB5_LOG_CONTROL
krb5_log_facility *logf;
#endif
};
#include "auth/kerberos/krb5_init_context.h"
struct ccache_container {
struct smb_krb5_context *smb_krb5_context;
@ -118,8 +107,6 @@ char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TAL
struct cli_credentials *credentials,
struct smb_krb5_context *smb_krb5_context,
krb5_ccache ccache);
krb5_error_code smb_krb5_init_context(TALLOC_CTX *parent_ctx,
struct smb_krb5_context **smb_krb5_context);
krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx,
struct cli_credentials *machine_account,
struct smb_krb5_context *smb_krb5_context,

126
source4/auth/kerberos/krb5_init_context.c Normal file
View File

@ -0,0 +1,126 @@
/*
Unix SMB/CIFS implementation.
Wrapper for krb5_init_context
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
#include "system/kerberos.h"
#include "auth/kerberos/kerberos.h"
static int smb_krb5_context_destroy_1(void *ptr)
{
struct smb_krb5_context *ctx = ptr;
krb5_free_context(ctx->krb5_context);
return 0;
}
static int smb_krb5_context_destroy_2(void *ptr)
{
struct smb_krb5_context *ctx = ptr;
/* Otherwise krb5_free_context will try and close what we have already free()ed */
krb5_set_warn_dest(ctx->krb5_context, NULL);
krb5_closelog(ctx->krb5_context, ctx->logf);
smb_krb5_context_destroy_1(ptr);
return 0;
}
/* We never close down the DEBUG system, and no need to unreference the use */
static void smb_krb5_debug_close(void *private) {
return;
}
static void smb_krb5_debug_wrapper(const char *timestr, const char *msg, void *private)
{
DEBUG(3, ("Kerberos: %s\n", msg));
}
krb5_error_code smb_krb5_init_context(void *parent_ctx,
struct smb_krb5_context **smb_krb5_context)
{
krb5_error_code ret;
TALLOC_CTX *tmp_ctx;
initialize_krb5_error_table();
tmp_ctx = talloc_new(parent_ctx);
*smb_krb5_context = talloc(tmp_ctx, struct smb_krb5_context);
if (!*smb_krb5_context || !tmp_ctx) {
talloc_free(*smb_krb5_context);
talloc_free(tmp_ctx);
return ENOMEM;
}
ret = krb5_init_context(&(*smb_krb5_context)->krb5_context);
if (ret) {
DEBUG(1,("krb5_init_context failed (%s)\n",
error_message(ret)));
return ret;
}
talloc_set_destructor(*smb_krb5_context, smb_krb5_context_destroy_1);
if (lp_realm() && *lp_realm()) {
char *upper_realm = strupper_talloc(tmp_ctx, lp_realm());
if (!upper_realm) {
DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm()));
talloc_free(tmp_ctx);
return ENOMEM;
}
ret = krb5_set_default_realm((*smb_krb5_context)->krb5_context, lp_realm());
if (ret) {
DEBUG(1,("krb5_set_default_realm failed (%s)\n",
smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx)));
talloc_free(tmp_ctx);
return ret;
}
}
/* TODO: Should we have a different name here? */
ret = krb5_initlog((*smb_krb5_context)->krb5_context, "Samba", &(*smb_krb5_context)->logf);
if (ret) {
DEBUG(1,("krb5_initlog failed (%s)\n",
smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx)));
talloc_free(tmp_ctx);
return ret;
}
talloc_set_destructor(*smb_krb5_context, smb_krb5_context_destroy_2);
ret = krb5_addlog_func((*smb_krb5_context)->krb5_context, (*smb_krb5_context)->logf, 0 /* min */, -1 /* max */,
smb_krb5_debug_wrapper, smb_krb5_debug_close, NULL);
if (ret) {
DEBUG(1,("krb5_addlog_func failed (%s)\n",
smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx)));
talloc_free(tmp_ctx);
return ret;
}
krb5_set_warn_dest((*smb_krb5_context)->krb5_context, (*smb_krb5_context)->logf);
talloc_steal(parent_ctx, *smb_krb5_context);
talloc_free(tmp_ctx);
return 0;
}
void smb_krb5_free_context(struct smb_krb5_context *smb_krb5_context)
{
talloc_free(smb_krb5_context);
}

29
source4/auth/kerberos/krb5_init_context.h Normal file
View File

@ -0,0 +1,29 @@
/*
Unix SMB/CIFS implementation.
simple kerberos5 routines for active directory
Copyright (C) Andrew Bartlett 2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
struct smb_krb5_context {
krb5_context krb5_context;
krb5_log_facility *logf;
};
krb5_error_code smb_krb5_init_context(void *parent_ctx,
struct smb_krb5_context **smb_krb5_context);
void smb_krb5_free_context(struct smb_krb5_context *smb_krb5_context);

32
source4/heimdal/lib/gssapi/init.c
View File

@ -35,6 +35,10 @@
RCSID("$Id: init.c,v 1.7 2003/07/22 19:50:11 lha Exp $");
#ifdef _SAMBA_BUILD_
#include "auth/kerberos/krb5_init_context.h"
#endif
static HEIMDAL_MUTEX gssapi_krb5_context_mutex = HEIMDAL_MUTEX_INITIALIZER;
static int created_key;
static HEIMDAL_thread_key gssapi_context_key;
@ -89,11 +93,35 @@ krb5_error_code
gssapi_krb5_init (void)
{
krb5_error_code ret = 0;
#ifdef _SAMBA_BUILD_
static struct smb_krb5_context *smb_krb5_context;
HEIMDAL_MUTEX_lock(&gssapi_krb5_context_mutex);
if(gssapi_krb5_context == NULL)
if(smb_krb5_context == NULL) {
ret = smb_krb5_init_context(NULL, &smb_krb5_context);
}
if (ret == 0 && !created_key) {
HEIMDAL_key_create(&gssapi_context_key,
gssapi_destroy_thread_context,
ret);
if (ret) {
smb_krb5_free_context(smb_krb5_context);
smb_krb5_context = NULL;
} else
created_key = 1;
}
if (ret == 0) {
gssapi_krb5_context = smb_krb5_context->krb5_context;
}
HEIMDAL_MUTEX_unlock(&gssapi_krb5_context_mutex);
#else
HEIMDAL_MUTEX_lock(&gssapi_krb5_context_mutex);
if(gssapi_krb5_context == NULL) {
ret = krb5_init_context (&gssapi_krb5_context);
}
if (ret == 0 && !created_key) {
HEIMDAL_key_create(&gssapi_context_key,
gssapi_destroy_thread_context,
@ -106,6 +134,6 @@ gssapi_krb5_init (void)
}
HEIMDAL_MUTEX_unlock(&gssapi_krb5_context_mutex);
#endif
return ret;
}

2
source4/rpc_server/drsuapi/dcesrv_drsuapi.c
View File

@ -239,7 +239,7 @@ static WERROR DRSUAPI_REMOVE_DS_DOMAIN(struct dcesrv_call_state *dce_call, TALLO
drsuapi_DsGetDomainControllerInfo
*/
static WERROR drsuapi_DsGetDomainControllerInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct drsuapi_DsGetDomainControllerInfo *r)
struct drsuapi_DsGetDomainControllerInfo *r)
{
DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
}