1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

221 Commits

Author SHA1 Message Date
Volker Lendecke
cb00b78fa0 kerberos: Use netlogon_pings()
This also makes sure we've got a KDC via DS_KDC_REQUIRED

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-11-11 14:03:04 +00:00
Volker Lendecke
9e2b1c5f57 libads: Simplify get_kdc_ip_string with talloc_asprintf_addbuf
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2024-10-25 07:55:34 +00:00
Andreas Schneider
9dcc52d2a5 s3:libads: Do not fail if we don't get an IP passed down
The IP should be optional and we should look it up if not provided.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-04 19:49:36 +00:00
Andreas Schneider
28aa0b815b s3:libads: Allow get_kdc_ip_string() to lookup the KDCs IP
Remove the requirement to provide an IP address. We should look up the
IP of the KDC and use it for the specified realm/workgroup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-04 19:49:36 +00:00
Stefan Metzmacher
d49de77710 s3:libads: let kerberos_kinit_password_ext() require an explicit krb5 ccache
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
6f33e46c19 s3:libads: remove unused LIBADS_CCACHE_NAME define
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Stefan Metzmacher
e47f9415b7 s3:libads: don't allow ads_kdestroy(NULL) anymore
This should not happen, if we ever need that behaviour
we should add an ads_kdestroy_default() helper.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-14 10:18:31 +00:00
Joseph Sutton
1d6d21bdd8 s3:libads: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:37 +00:00
Joseph Sutton
301cc80b28 s3:libads: Update code reference in comment
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:37 +00:00
Andreas Schneider
939ec7ea46 s3:libads: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
2023-07-13 05:41:36 +00:00
Volker Lendecke
14f761ec7d lib: Remove unused smb_mkstemp prototype
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-01-10 00:28:37 +00:00
Stefan Metzmacher
a683507e56 CVE-2022-37966 s3:libads: no longer reference des encryption types
We no longer have support for des encryption types in the kerberos
libraries anyway.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-12-13 13:07:30 +00:00
Stefan Metzmacher
2bd27955ce CVE-2022-37966 s3:libads: remove unused ifdef HAVE_ENCTYPE_AES*
aes encryption types are always supported.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-12-13 13:07:30 +00:00
Pavel Filipenský
70e8da4291 s3:libads: Fix debug message
652c8ce1 has introduced talloc_move() which zeroes kdc_str

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Dec  8 16:06:48 UTC 2022 on sn-devel-184
2022-12-08 16:06:48 +00:00
Andreas Schneider
68d181ee67 s3:libads: Fix creating local krb5.conf
We create an KDC ip string entry directly at the beginning, use it if we
don't have any additional DCs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Mar 16 14:26:36 UTC 2022 on sn-devel-184
2022-03-16 14:26:36 +00:00
Andreas Schneider
12c843ad0a s3:libads: Check print_canonical_sockaddr_with_port() for NULL in get_kdc_ip_string()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2022-03-16 13:28:30 +00:00
Andreas Schneider
cca189d093 s3:libads: Remove obsolete free's of kdc_str
This is allocated on the stackframe now!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2022-03-16 13:28:30 +00:00
Andreas Schneider
652c8ce167 s3:libads: Allocate all memory on the talloc stackframe
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2022-03-16 13:28:30 +00:00
Andreas Schneider
812032833a s3:libads: Use talloc_asprintf_append() in get_kdc_ip_string()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2022-03-16 13:28:30 +00:00
Andreas Schneider
7f721dc2ee s3:libads: Improve debug messages for get_kdc_ip_string()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2022-03-16 13:28:30 +00:00
Andreas Schneider
313f03c784 s3:libads: Leave early on error in get_kdc_ip_string()
This avoids useless allocations.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2022-03-16 13:28:30 +00:00
Andreas Schneider
567b199679 s3:libads: Remove trailing spaces in kerberos.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2022-03-16 13:28:30 +00:00
Volker Lendecke
4c1f61cb80 libads: Improve a debug message
"kdc_ip_string" is a multi-line string starting with a tab. It looks
better in the debug message when starting in a new line.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-10-02 21:30:32 +00:00
Volker Lendecke
f02e76d023 libads: Improve a debug message
"kdc_str" is a multi-line string starting with a tab. It looks
better in the debug message when starting in a new line.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-10-02 21:30:32 +00:00
Jeremy Allison
1eecdd9401 s3: libsmb: Rename get_kdc_list_sa() back to get_kdc_list().
The samba_sockaddr interface is now the only one.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
2020-09-15 10:09:38 +00:00
Jeremy Allison
516d8734c7 s3: libads: Convert get_kdc_ip_string() to use get_kdc_list_sa().
No more callers of get_kdc_list().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
2020-09-15 10:09:38 +00:00
Jeremy Allison
6deb23c618 s3: libads: Rename get_kdc_list_talloc() -> get_kdc_list().
It's the only version now.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2020-09-07 13:23:40 +00:00
Noel Power
5307b0e319 s3/libads: Cleanup() get_kdc_ip_string, free kdc_str on error
kdc_str will be cleaned up when the passed ctx is freed,
it just seems odd that we now return NULL without cleaning up allocated mem.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-09-07 13:23:40 +00:00
Noel Power
9d62c3e981 s3/libads: Only set result to kdc_str on success
Prior to this change result was set even when any or all errors
occured in the function.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-09-07 13:23:40 +00:00
Jeremy Allison
8e1b6602f5 s3: libads: Make get_kdc_ip_string() use get_kdc_list_talloc().
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2020-09-07 13:23:40 +00:00
Jeremy Allison
c4c00d626c s3: libsmb: Cleanup - ensure we initialize all stack variables to 'safe' values when calling get_kdc_list() that may not touch returns on error.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2020-09-07 13:23:39 +00:00
Andreas Schneider
6444a74352 s3:libads: Also add a realm entry for the domain name
This is required if we try to authenticate as Administrator@DOMAIN so it
can find the KDC. This fixes 'net ads join' for ad_member_fips if we
require Kerberos auth.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14479

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Sep  7 09:25:33 UTC 2020 on sn-devel-184
2020-09-07 09:25:33 +00:00
Andreas Schneider
a530396728 s3:libads: Only add RC4 if weak crypto is allowed
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2020-09-07 08:03:38 +00:00
Andreas Schneider
9cf1aecd73 s3:libads: Remove DES legacy types for Kerberos
We already removed DES support for Kerberos in Samba 4.12.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2020-09-07 08:03:38 +00:00
Jeremy Allison
ce84521c7c s3: libads: Cleanup - Remove two more ugly const struct sockaddr * casts in get_kdc_ip_string().
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
2020-08-25 16:21:33 +00:00
Stefan Metzmacher
c403fa1a7f krb5_wrap: move source3/libads/krb5_errs.c to lib/krb5_wrap/krb5_errs.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-02-10 16:32:37 +00:00
Stefan Metzmacher
0bced73bed s3:libads/kerberos: always use the canonicalized principal after kinit
We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.

There's no reason to have a different logic between MIT and Heimdal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2019-09-24 18:30:37 +00:00
Stefan Metzmacher
bc473e5cf0 s3:libads: let kerberos_kinit_password_ext() return the canonicalized principal/realm
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2019-09-24 18:30:37 +00:00
Noel Power
52d20087f6 s3/libads: clang: Fix Value stored to 'canon_princ' is never read
Fixes:

source3/libads/kerberos.c:192:2: warning: Value stored to 'canon_princ' is never read <--[clang]
        canon_princ = me;
        ^             ~~
1 warning generated.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-08-28 01:47:40 +00:00
Andreas Schneider
c016afc832 s3:libads: Make sure we can lookup KDCs which are not configured
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861

Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-04-02 01:12:10 +00:00
Swen Schillig
3df7789e4b libads: Add kerberos tracing
Replace kerberos context initialization from
raw krb5_init_context() to smb_krb5_init_context_basic()
which is adding common tracing as well.

Signed-off-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2018-12-19 21:49:29 +01:00
Andreas Schneider
3f3cc42b51 s3:libads: Use #ifdef instead of #if for config.h definitions
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-11-28 23:19:23 +01:00
Volker Lendecke
f2e939b65b libads: Give krb5_errs.c its own header
The protos were declared in lib/krb5_wrap but the functions are not
available there.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-11-27 07:13:14 +01:00
Volker Lendecke
f986a73b24 lib: Pass mem_ctx to lock_path()
Fix a confusing API: Many places TALLOC_FREE the path where it's not
clear you have to do it.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-08-17 11:30:10 +02:00
Volker Lendecke
39bdd175e9 libsmb: Give namequery.c its own header
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-11 01:06:39 +02:00
Andreas Schneider
bbbe675a1a s3:libads: Fix size types in kerberos functions
This fixes compilation with -Wstrict-overflow=2

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-20 23:16:14 +01:00
Stefan Metzmacher
504b446d8d s3:secrets: move kerberos_secrets_*salt related functions to machine_account_secrets.c
These don't use any krb5_context related functions and they just
work on secrets.tdb, so they really belong to machine_account_secrets.c.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:44 +02:00
Stefan Metzmacher
1a26805ad9 s3:libads: remove unused kerberos_fetch_salt_princ_for_host_princ()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:44 +02:00
Stefan Metzmacher
5fe939e32c s3:libads: provide a simpler kerberos_fetch_salt_princ() function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:44 +02:00
Stefan Metzmacher
487b4717b5 s3:libads: remove kerberos_secrets_fetch_salting_principal() fallback
The handling for per encryption type salts was removed in
Samba 3.0.23a (Jul 21, 2006). It's very unlikely that someone
has such an installation that got constantly upgraded over 10 years
with an automatic password change nor rejoin. It also means
that the KDC only has salt-less arcfour-hmac-md5 key together
with the salted des keys. So there would only be a problem
if the client whould try to use a des key to contact the smb server.

Having this legacy code adds quite some complexity for no
good reason.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:44 +02:00