1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

410 Commits

Author SHA1 Message Date
Noel Power
e8fec94827 PY3: fix "TabError: inconsistent use of tabs and spaces"
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-09-27 01:54:27 +02:00
Noel Power
2e59a3343f PY3: make sure print stmt is enclosed by '(' & ')'
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-09-19 22:25:05 +02:00
Noel Power
e2c0af6bcd PY3: xrange->range
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-09-16 06:16:20 +02:00
Noel Power
899ef5d186 PY3: string.upper not in PY3
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-09-16 06:16:20 +02:00
Noel Power
a0c8c8c833 PY3: string.translate string.upper don't exist in PY3
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-09-16 06:16:19 +02:00
Noel Power
b342e6f038 PY3: bytes.maketrans, string.maketrans is a PY2 only function
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-09-16 06:16:19 +02:00
Noel Power
0358d57db4 PY3: dict_keys doesn't have a sort method
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-09-16 06:16:19 +02:00
Noel Power
82c8451333 PY3: dict doesn't have has_key
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-09-16 06:16:19 +02:00
Noel Power
b2b0f8191d PY3: iterkeys -> keys
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-09-16 06:16:19 +02:00
Noel Power
d20e85d008 PY3: iterkeys -> keys
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-09-16 06:16:19 +02:00
Noel Power
c6884138e4 PY3: dict has no iterkeys method
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-09-16 06:16:19 +02:00
Andrew Bartlett
41473daf09 heimdal: Change KDC to respect HDB server name type if f.canonicalize is set
This changes behaviour flagged as being for Java 1.6.  My hope is that this does not
set f.canonicalize

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-09-05 11:42:26 +02:00
Andrew Bartlett
a6182bd951 Revert "s4/heimdal: allow SPNs in AS-REQ"
This reverts commit 20dc68050d.

Tests (the krb5.kdc testsuite) show this behaviour is incorrect.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-09-05 11:42:24 +02:00
Andrew Bartlett
1bb2a1c6b3 auth: For NTLM and KDC authentication, log the authentication duration
This is not a general purpose profiling solution, but these JSON logs are already being
generated and stored, so this is worth adding.

Some administrators are very keen to know how long authentication
takes, particularly due to long replication transactions in other
processes.

This complements a similar patch set to log the transaction duration.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-06-25 08:32:14 +02:00
Björn Baumbach
defc1ced39 heimdal: remove include/includedir directives for krb5.conf
The original heimdal code introduces a segmentation fault, due to an
uninitialized pointer. This code does not seem to be tested very well.

Revert "heimdal: Add include/includedir directives for krb5.conf"

This reverts commit 0a6e9b6c0e.

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Björn Baumbach <bbaumbach@samba.org>
Autobuild-Date(master): Wed Jun 20 17:48:16 CEST 2018 on sn-devel-144
2018-06-20 17:48:16 +02:00
Nicolas Williams
0a6e9b6c0e heimdal: Add include/includedir directives for krb5.conf
Cherry-pick of Heimdal commit fe43be85587f834266623adb0ecf2793d212a7ca

Removed tests and documentation from original commit by
Björn Baumbach <bb@sernet.de>, since we do not ship them.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11573

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Björn Baumbach <bbaumbach@samba.org>
Autobuild-Date(master): Mon Jun 18 15:52:26 CEST 2018 on sn-devel-144
2018-06-18 15:52:26 +02:00
Björn Baumbach
88cac23e2b heimdal: small code adaption to cherry-pick heimdal commit
Check asprintf() return value.
Make use of krb5_enomem().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11573

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2018-06-18 13:01:11 +02:00
Jeffrey Altman
f05a1554b7 heimdal: lib/krb5: do not fail set_config_files due to parse error
Follow Apple's lead and do not fail krb5_set_config_files() simply
because one of the files in the profile list fails to parse correctly.
Doing so can lead to hard to find failures and could lead to an end
user shooting themselves in the foot and no longer be able to login
to their system to fix it.

Parse as many of the files as we can.  Only fail krb5_set_config_files()
if init_context_from_config_file() fails.

Change-Id: I122664c6d707a5f926643808ba414bf4f681f8b8

Cherry-pick of Heimdal commit b7cf5e7caf9b270f4d4151d2690177b11a7a1bdf

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11573

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2018-06-18 13:01:11 +02:00
Günther Deschner
7ddbf6035d s4-heimdal: Fix the format-truncation errors.
../source4/heimdal/lib/com_err/compile_et.c: In function ‘generate_h’:
../source4/heimdal/lib/com_err/compile_et.c:138:33: error: ‘%s’ directive output may be truncated writing up to 127 bytes into a region of size 126 [-Werror=format-truncation=]
     snprintf(fn, sizeof(fn), "__%s__", hfn);
                                 ^~     ~~~
../source4/heimdal/lib/com_err/compile_et.c:138:5: note: ‘snprintf’ output between 5 and 132 bytes into a destination of size 128
     snprintf(fn, sizeof(fn), "__%s__", hfn);
     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../source4/heimdal/lib/com_err/compile_et.c: In function ‘main’:
../source4/heimdal/lib/com_err/compile_et.c:234:35: error: ‘.h’ directive output may be truncated writing 2 bytes into a region of size between 1 and 128 [-Werror=format-truncation=]
     snprintf(hfn, sizeof(hfn), "%s.h", Basename);
                                   ^~
../source4/heimdal/lib/com_err/compile_et.c:234:5: note: ‘snprintf’ output between 3 and 130 bytes into a destination of size 128
     snprintf(hfn, sizeof(hfn), "%s.h", Basename);
     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../source4/heimdal/lib/com_err/compile_et.c:235:35: error: ‘.c’ directive output may be truncated writing 2 bytes into a region of size between 1 and 128 [-Werror=format-truncation=]
     snprintf(cfn, sizeof(cfn), "%s.c", Basename);
                                   ^~
../source4/heimdal/lib/com_err/compile_et.c:235:5: note: ‘snprintf’ output between 3 and 130 bytes into a destination of size 128
     snprintf(cfn, sizeof(cfn), "%s.c", Basename);
     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jun  8 13:23:51 CEST 2018 on sn-devel-144
2018-06-08 13:23:51 +02:00
Noel Power
521bc6056e Bulk: enclose .keys() method with list where list (from python2) expected
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-05-12 21:38:17 +02:00
Andreas Schneider
aa17db1f40 heimdal: Fix size types and array access
This fixes compilation with -Wstrict-overflow=2.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-03 20:20:10 +02:00
Andreas Schneider
72979d1d60 heimdal: Fix size types
This fixes compilation with -Wstrict-overflow=2

Upstream pull request:
https://github.com/heimdal/heimdal/pull/354

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-20 23:16:14 +01:00
Stefan Metzmacher
183e5d1e3d HEIMDAL:kdc: fix dh->q allocation check in get_dh_param()
Thanks to Doug Nazar <nazard@nazar.ca> for spotting this!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12986

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from heimdal commit a79b59ba27070a015479e8d981b7e685dbe34310)
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-12-06 19:06:21 +01:00
Love Hornquist Astrand
dd3e06f14e HEIMDAL: don't bother seeing q if not sent
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12986

Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from heimdal commit 19f9fdbcea11013cf13ac72c416f161ee55dee2b)

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Aug 28 15:10:54 CEST 2017 on sn-devel-144
2017-08-28 15:10:54 +02:00
Love Hornquist Astrand
9f245aafdc HEIMDAL: allow optional q in DH DomainParameters
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12986

Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from heimdal commit e8317b955f5a390c4f296871ba6987ad05478c95)
2017-08-28 11:18:15 +02:00
Andreas Schneider
abd74c3ba5 heimdal: Fix printing a short int into a string
The size of portstr is too small to print an integer and we should print
a short anyway.

This fixes building with GCC 7.1

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12930

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Aug 11 18:08:04 CEST 2017 on sn-devel-144
2017-08-11 18:08:04 +02:00
Jeffrey Altman
3799a32e41 CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
In _krb5_extract_ticket() the KDC-REP service name must be obtained from
encrypted version stored in 'enc_part' instead of the unencrypted version
stored in 'ticket'.  Use of the unecrypted version provides an
opportunity for successful server impersonation and other attacks.

Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.

Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12894
(based on heimdal commit 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea)

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jul 12 17:44:50 CEST 2017 on sn-devel-144
2017-07-12 17:44:50 +02:00
Gary Lockyer
378ae342c4 strerror_r: provide XSI-compliant strerror_r
Provide a XSI-compliant strerror_r on GNU based systems.
The default GNU strerror_r is not XSI-compliant, this patch wraps the
GNU-specific call in an XSI-compliant wrapper.

This reverts 18ed32ce0821d11c0c06d82c07ba1c27b0c2b886 which tried to
make Heimdal use roken, rather than libreplace for strerror_r.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-13 18:38:14 +02:00
Andrew Bartlett
f498ba77df heimdal: Pass extra information to hdb_auth_status() to log success and failures
We now pass on the original client name and the client address to allow
consistent audit logging in Samba across multiple protocols.

We use config->db[0] to find the first database to record incorrect
users.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-03-29 02:37:28 +02:00
Andrew Bartlett
a998c0073f heimdal: Add initializer for stack pointers
This helps ensure we know these are NULL until set

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-03-27 20:08:18 +02:00
Stefan Metzmacher
209886e95c HEIMDAL:kdc: make it possible to disable the principal based referral detection
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-03-10 11:37:22 +01:00
Chris Lamb
fccdf34a0f Correct "updateing" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:23 +01:00
Chris Lamb
5c20790272 Correct "unavaible" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:23 +01:00
Chris Lamb
8fcc49ecd4 Correct "allignment" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:23 +01:00
Chris Lamb
e0366ea49d Correct "paramaters" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:23 +01:00
Chris Lamb
45b14b18fe Correct "explicity" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:23 +01:00
Chris Lamb
6e2869ab10 Correct "encyption" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:23 +01:00
Chris Lamb
a4e8f8aa44 Correct "relase" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:23 +01:00
Chris Lamb
5482e5426e Correct "existence" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:22 +01:00
Chris Lamb
afa9bb4ac5 Correct "extention" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:22 +01:00
Chris Lamb
c4feed0b8c Correct "doesnt" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:21 +01:00
Volker Lendecke
afd8c389c9 HEIMDAL:lib/krb5: Harden _krb5_derive_key()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-20 07:51:14 +01:00
Volker Lendecke
c15464f886 HEIMDAL:lib/krb5: Harden ARCFOUR_sub{en,de}crypt()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-20 07:51:14 +01:00
Stefan Metzmacher
fb318ab020 HEIMDAL:lib/krb5: use krb5_verify_checksum() in krb5_c_verify_checksum()
This allows the optimized checksum->verify() function to be used.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-20 07:51:14 +01:00
Stefan Metzmacher
05cc099499 HEIMDAL:lib/krb5: move checksum vs. enctype checks into get_checksum_key()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-20 07:51:14 +01:00
Stefan Metzmacher
2abc3710a8 HEIMDAL:lib/krb5: destroy a memory ccache on reinit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-10-12 20:54:08 +02:00
Uri Simchoni
3f1f6e03cd heimdal: revert 1f90983324
A different version has gone upstream, fixing the problem
elsewhere.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Mon Oct  3 11:12:29 CEST 2016 on sn-devel-144
2016-10-03 11:12:29 +02:00
Uri Simchoni
0b61d9e02e heimdal-lib/krb5: keep a copy of config etypes in the context
When reading configuration file, keep an extra copy of
the encryption types, and use this when resetting the
encryption types to default.

GSSAPI always resets the enctypes to default before obtaining
a TGS, because the enctypes might have previously altered,
so this prevents changing the etypes from the configured ones
to the full set of supported etypes.

The same patch has gone into upstream heimdal as commit
a3bece1. It is a different solution to the problem fixed
here by commit 1f90983, so this commit will be reverted next
to keep compatibility with uptream.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-10-03 07:27:13 +02:00
Andreas Schneider
b3e324aad5 heimdal: Fix reauthentication after password change
If the KDC requires a password change kinit will ask after the initial
authentication for a new password. After the password has been changed
it does reauthentication and for that it needs to use the new password
we just set.

It is needed for the a new kpasswd service test.

This is already fixed upstream with:
    911c99375741281adae305f6ec3a3317023eba3e

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-11 02:58:21 +02:00
Andreas Schneider
e4f82de771 s4-heimdal: Export krb5_init_creds_* functions
The function krb5_get_init_creds_opt_get_error() is deprecated and
krb5_init_creds_init() and krb5_init_creds_get_error() should be used
now.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:17 +02:00