1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

212 Commits

Author SHA1 Message Date
Andreas Schneider
939ec7ea46 s3:libads: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
2023-07-13 05:41:36 +00:00
Volker Lendecke
14f761ec7d lib: Remove unused smb_mkstemp prototype
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-01-10 00:28:37 +00:00
Stefan Metzmacher
a683507e56 CVE-2022-37966 s3:libads: no longer reference des encryption types
We no longer have support for des encryption types in the kerberos
libraries anyway.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-12-13 13:07:30 +00:00
Stefan Metzmacher
2bd27955ce CVE-2022-37966 s3:libads: remove unused ifdef HAVE_ENCTYPE_AES*
aes encryption types are always supported.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-12-13 13:07:30 +00:00
Pavel Filipenský
70e8da4291 s3:libads: Fix debug message
652c8ce1 has introduced talloc_move() which zeroes kdc_str

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Dec  8 16:06:48 UTC 2022 on sn-devel-184
2022-12-08 16:06:48 +00:00
Andreas Schneider
68d181ee67 s3:libads: Fix creating local krb5.conf
We create an KDC ip string entry directly at the beginning, use it if we
don't have any additional DCs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Mar 16 14:26:36 UTC 2022 on sn-devel-184
2022-03-16 14:26:36 +00:00
Andreas Schneider
12c843ad0a s3:libads: Check print_canonical_sockaddr_with_port() for NULL in get_kdc_ip_string()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2022-03-16 13:28:30 +00:00
Andreas Schneider
cca189d093 s3:libads: Remove obsolete free's of kdc_str
This is allocated on the stackframe now!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2022-03-16 13:28:30 +00:00
Andreas Schneider
652c8ce167 s3:libads: Allocate all memory on the talloc stackframe
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2022-03-16 13:28:30 +00:00
Andreas Schneider
812032833a s3:libads: Use talloc_asprintf_append() in get_kdc_ip_string()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2022-03-16 13:28:30 +00:00
Andreas Schneider
7f721dc2ee s3:libads: Improve debug messages for get_kdc_ip_string()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2022-03-16 13:28:30 +00:00
Andreas Schneider
313f03c784 s3:libads: Leave early on error in get_kdc_ip_string()
This avoids useless allocations.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2022-03-16 13:28:30 +00:00
Andreas Schneider
567b199679 s3:libads: Remove trailing spaces in kerberos.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2022-03-16 13:28:30 +00:00
Volker Lendecke
4c1f61cb80 libads: Improve a debug message
"kdc_ip_string" is a multi-line string starting with a tab. It looks
better in the debug message when starting in a new line.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-10-02 21:30:32 +00:00
Volker Lendecke
f02e76d023 libads: Improve a debug message
"kdc_str" is a multi-line string starting with a tab. It looks
better in the debug message when starting in a new line.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-10-02 21:30:32 +00:00
Jeremy Allison
1eecdd9401 s3: libsmb: Rename get_kdc_list_sa() back to get_kdc_list().
The samba_sockaddr interface is now the only one.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
2020-09-15 10:09:38 +00:00
Jeremy Allison
516d8734c7 s3: libads: Convert get_kdc_ip_string() to use get_kdc_list_sa().
No more callers of get_kdc_list().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
2020-09-15 10:09:38 +00:00
Jeremy Allison
6deb23c618 s3: libads: Rename get_kdc_list_talloc() -> get_kdc_list().
It's the only version now.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2020-09-07 13:23:40 +00:00
Noel Power
5307b0e319 s3/libads: Cleanup() get_kdc_ip_string, free kdc_str on error
kdc_str will be cleaned up when the passed ctx is freed,
it just seems odd that we now return NULL without cleaning up allocated mem.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-09-07 13:23:40 +00:00
Noel Power
9d62c3e981 s3/libads: Only set result to kdc_str on success
Prior to this change result was set even when any or all errors
occured in the function.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-09-07 13:23:40 +00:00
Jeremy Allison
8e1b6602f5 s3: libads: Make get_kdc_ip_string() use get_kdc_list_talloc().
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2020-09-07 13:23:40 +00:00
Jeremy Allison
c4c00d626c s3: libsmb: Cleanup - ensure we initialize all stack variables to 'safe' values when calling get_kdc_list() that may not touch returns on error.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2020-09-07 13:23:39 +00:00
Andreas Schneider
6444a74352 s3:libads: Also add a realm entry for the domain name
This is required if we try to authenticate as Administrator@DOMAIN so it
can find the KDC. This fixes 'net ads join' for ad_member_fips if we
require Kerberos auth.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14479

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Sep  7 09:25:33 UTC 2020 on sn-devel-184
2020-09-07 09:25:33 +00:00
Andreas Schneider
a530396728 s3:libads: Only add RC4 if weak crypto is allowed
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2020-09-07 08:03:38 +00:00
Andreas Schneider
9cf1aecd73 s3:libads: Remove DES legacy types for Kerberos
We already removed DES support for Kerberos in Samba 4.12.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2020-09-07 08:03:38 +00:00
Jeremy Allison
ce84521c7c s3: libads: Cleanup - Remove two more ugly const struct sockaddr * casts in get_kdc_ip_string().
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
2020-08-25 16:21:33 +00:00
Stefan Metzmacher
c403fa1a7f krb5_wrap: move source3/libads/krb5_errs.c to lib/krb5_wrap/krb5_errs.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-02-10 16:32:37 +00:00
Stefan Metzmacher
0bced73bed s3:libads/kerberos: always use the canonicalized principal after kinit
We should always use krb5_get_init_creds_opt_set_canonicalize()
and krb5_get_init_creds_opt_set_win2k() for heimdal
and expect the client principal to be changed.

There's no reason to have a different logic between MIT and Heimdal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2019-09-24 18:30:37 +00:00
Stefan Metzmacher
bc473e5cf0 s3:libads: let kerberos_kinit_password_ext() return the canonicalized principal/realm
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2019-09-24 18:30:37 +00:00
Noel Power
52d20087f6 s3/libads: clang: Fix Value stored to 'canon_princ' is never read
Fixes:

source3/libads/kerberos.c:192:2: warning: Value stored to 'canon_princ' is never read <--[clang]
        canon_princ = me;
        ^             ~~
1 warning generated.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-08-28 01:47:40 +00:00
Andreas Schneider
c016afc832 s3:libads: Make sure we can lookup KDCs which are not configured
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861

Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-04-02 01:12:10 +00:00
Swen Schillig
3df7789e4b libads: Add kerberos tracing
Replace kerberos context initialization from
raw krb5_init_context() to smb_krb5_init_context_basic()
which is adding common tracing as well.

Signed-off-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2018-12-19 21:49:29 +01:00
Andreas Schneider
3f3cc42b51 s3:libads: Use #ifdef instead of #if for config.h definitions
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-11-28 23:19:23 +01:00
Volker Lendecke
f2e939b65b libads: Give krb5_errs.c its own header
The protos were declared in lib/krb5_wrap but the functions are not
available there.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-11-27 07:13:14 +01:00
Volker Lendecke
f986a73b24 lib: Pass mem_ctx to lock_path()
Fix a confusing API: Many places TALLOC_FREE the path where it's not
clear you have to do it.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-08-17 11:30:10 +02:00
Volker Lendecke
39bdd175e9 libsmb: Give namequery.c its own header
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-11 01:06:39 +02:00
Andreas Schneider
bbbe675a1a s3:libads: Fix size types in kerberos functions
This fixes compilation with -Wstrict-overflow=2

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-20 23:16:14 +01:00
Stefan Metzmacher
504b446d8d s3:secrets: move kerberos_secrets_*salt related functions to machine_account_secrets.c
These don't use any krb5_context related functions and they just
work on secrets.tdb, so they really belong to machine_account_secrets.c.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:44 +02:00
Stefan Metzmacher
1a26805ad9 s3:libads: remove unused kerberos_fetch_salt_princ_for_host_princ()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:44 +02:00
Stefan Metzmacher
5fe939e32c s3:libads: provide a simpler kerberos_fetch_salt_princ() function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:44 +02:00
Stefan Metzmacher
487b4717b5 s3:libads: remove kerberos_secrets_fetch_salting_principal() fallback
The handling for per encryption type salts was removed in
Samba 3.0.23a (Jul 21, 2006). It's very unlikely that someone
has such an installation that got constantly upgraded over 10 years
with an automatic password change nor rejoin. It also means
that the KDC only has salt-less arcfour-hmac-md5 key together
with the salted des keys. So there would only be a problem
if the client whould try to use a des key to contact the smb server.

Having this legacy code adds quite some complexity for no
good reason.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:44 +02:00
Stefan Metzmacher
c56043a94a s3:libads: remove unused kerberos_secrets_store_salting_principal()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:43 +02:00
Andreas Schneider
e2028837b9 s3:libads: Remove obsolete smb_krb5_get_ntstatus_from_init_creds()
There is no way we can get a better error code out of this. The original
function called was krb5_get_init_creds_opt_get_error() which has been
deprecated in 2008.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-22 07:11:10 +01:00
Andreas Schneider
4ef772be3a s3:libads: Include system /etc/krb5.conf if we use MIT Kerberos
The system /etc/krb5.conf defines some defaults like:

    default_ccache_name = KEYRING:persistent:%{uid}

We need to respect that so should include it in our own created
krb5.conf file.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12441

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-12-02 09:36:07 +01:00
Andreas Schneider
943c6ee030 s3-libads: Fix canonicalization support with MIT Kerberos
This allows to authenticate using user@DOMAIN against an AD DC.

https://bugzilla.samba.org/show_bug.cgi?id=12457

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Dec  2 00:23:02 CET 2016 on sn-devel-144
2016-12-02 00:23:02 +01:00
Andreas Schneider
9d4f1b4d31 s3-libads: Support for MIT Kerberos ntstatus from init_creds
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:17 +02:00
Andreas Schneider
3cd4bc6446 s3-libads: Use non-deprecated function to get the error
krb5_get_init_creds_opt_get_error is deprecated.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:17 +02:00
Andreas Schneider
e135a13478 s3-libads: Rename smb_krb5_get_ntstatus_from_krb5_error_init_creds_opt()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:17 +02:00
Andreas Schneider
381ebd4af5 krb5_wrap: Move unwrap_edata_ntstatus() and make it static
This also removes the asn1util dependency from krb5_wrap and moves it to
libads which is the only user.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:17 +02:00
Andreas Schneider
bff77afd32 krb5_wrap: Remove unneeded smb_krb5_get_init_creds_opt_free()
Call the Kerberos function directly.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:14 +02:00