Date: Wed, 31 Mar 2004 18:14:16 -0600 (CST) From: Jonathan Noack <noackj@concordiacrusaders.org> To: FreeBSD-gnats-submit@FreeBSD.org Cc: timur@gnu.org Subject: ports/65013: [PATCH] net/samba-devel: fix winbind ads and kerberos issues Message-ID: <20040401001416.51C8E610C@optimator.noacks.org> Resent-Message-ID: <200404010020.i310K9q8057754@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 65013 >Category: ports >Synopsis: [PATCH] net/samba-devel: fix winbind ads and kerberos issues >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Wed Mar 31 16:20:09 PST 2004 >Closed-Date: >Last-Modified: >Originator: Jonathan Noack >Release: FreeBSD 5.2.1-RELEASE-p4 i386 >Organization: Concordia Lutheran High School >Environment: System: FreeBSD optimator.noacks.org 5.2.1-RELEASE-p4 FreeBSD 5.2.1-RELEASE-p4 #22: Wed Mar 31 02:17:41 CST 2004 >Description: - Fix winbindd core dump if AD is down: https://bugzilla.samba.org/show_bug.cgi?id=1195 - Fix winbindd failing to acquire a new kerberos ticket upon expiration: https://bugzilla.samba.org/show_bug.cgi?id=1208 Both fixes obtained from Samba CVS. Port maintainer (timur@gnu.org) is cc'd. Generated with FreeBSD Port Tools 0.50 >How-To-Repeat: - ads: Run Samba with security=ads but leave the AD powered down. - kerberos: Wait 10 hours for winbindd ticket to expire. >Fix: --- samba-3.0.2a_2,1.patch begins here --- diff -ruN --exclude=CVS /usr/ports/net/samba-devel/Makefile /usr/home/noackjr/net/samba-devel/Makefile --- /usr/ports/net/samba-devel/Makefile Wed Mar 31 16:14:49 2004 +++ /usr/home/noackjr/net/samba-devel/Makefile Wed Mar 31 18:01:15 2004 @@ -7,7 +7,7 @@ PORTNAME= samba PORTVERSION= 3.0.2a -PORTREVISION?= 1 +PORTREVISION?= 2 PORTEPOCH?= 1 CATEGORIES?= net MASTER_SITES= ${MASTER_SITE_SAMBA} diff -ruN --exclude=CVS /usr/ports/net/samba-devel/files/patch-ads /usr/home/noackjr/net/samba-devel/files/patch-ads --- /usr/ports/net/samba-devel/files/patch-ads Wed Dec 31 18:00:00 1969 +++ /usr/home/noackjr/net/samba-devel/files/patch-ads Wed Mar 31 17:37:28 2004 @@ -0,0 +1,112 @@ +Index: include/ads.h +=================================================================== +RCS file: /data/cvs/samba/source/include/ads.h,v +retrieving revision 1.12.2.13 +diff -u -r1.12.2.13 ads.h +--- include/ads.h 9 Jan 2004 14:54:33 -0000 1.12.2.13 ++++ include/ads.h 22 Mar 2004 21:32:56 -0000 +@@ -10,6 +10,8 @@ + time_t last_attempt; /* last attempt to reconnect */ + int ldap_port; + ++ int is_mine; /* do I own this structure's memory? */ ++ + /* info needed to find the server */ + struct { + char *realm; +Index: libads/ads_struct.c +=================================================================== +RCS file: /data/cvs/samba/source/libads/ads_struct.c,v +retrieving revision 1.13.2.7 +diff -u -r1.13.2.7 ads_struct.c +--- libads/ads_struct.c 22 Oct 2003 23:38:19 -0000 1.13.2.7 ++++ libads/ads_struct.c 22 Mar 2004 21:32:59 -0000 +@@ -102,13 +102,10 @@ + ads->server.foreign = 1; + } + +- return ads; +-} ++ /* the caller will own the memory by default */ ++ ads->is_mine = 1; + +-/* a simpler ads_init() interface using all defaults */ +-ADS_STRUCT *ads_init_simple(void) +-{ +- return ads_init(NULL, NULL, NULL); ++ return ads; + } + + /* +@@ -117,6 +114,9 @@ + void ads_destroy(ADS_STRUCT **ads) + { + if (ads && *ads) { ++ BOOL is_mine; ++ ++ is_mine = (*ads)->is_mine; + #if HAVE_LDAP + if ((*ads)->ld) ldap_unbind((*ads)->ld); + #endif +@@ -133,8 +133,11 @@ + SAFE_FREE((*ads)->config.realm); + SAFE_FREE((*ads)->config.bind_path); + SAFE_FREE((*ads)->config.ldap_server_name); +- ++ ++ + ZERO_STRUCTP(*ads); +- SAFE_FREE(*ads); ++ ++ if ( is_mine ) ++ SAFE_FREE(*ads); + } + } +Index: nsswitch/winbindd_ads.c +=================================================================== +RCS file: /data/cvs/samba/source/nsswitch/winbindd_ads.c,v +retrieving revision 1.43.2.37 +diff -u -r1.43.2.37 winbindd_ads.c +--- nsswitch/winbindd_ads.c 12 Jan 2004 14:26:50 -0000 1.43.2.37 ++++ nsswitch/winbindd_ads.c 22 Mar 2004 21:33:01 -0000 +@@ -5,6 +5,7 @@ + + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003 ++ Copyright (C) Gerald (Jerry) Carter 2004 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by +@@ -39,7 +40,18 @@ + ADS_STATUS status; + + if (domain->private) { +- return (ADS_STRUCT *)domain->private; ++ ads = (ADS_STRUCT *)domain->private; ++ ++ /* check for a valid structure */ ++ if ( ads->config.realm ) { ++ return ads; ++ } ++ else { ++ /* we own this ADS_STRUCT so make sure it goes away */ ++ ads->is_mine = True; ++ ads_destroy( &ads ); ++ domain->private = NULL; ++ } + } + + /* we don't want this to affect the users ccache */ +@@ -78,6 +90,12 @@ + } + return NULL; + } ++ ++ /* set the flag that says we don't own the memory even ++ though we do so that ads_destroy() won't destroy the ++ structure we pass back by reference */ ++ ++ ads->is_mine = False; + + domain->private = (void *)ads; + return ads; diff -ruN --exclude=CVS /usr/ports/net/samba-devel/files/patch-kerberos /usr/home/noackjr/net/samba-devel/files/patch-kerberos --- /usr/ports/net/samba-devel/files/patch-kerberos Wed Dec 31 18:00:00 1969 +++ /usr/home/noackjr/net/samba-devel/files/patch-kerberos Wed Mar 31 17:37:28 2004 @@ -0,0 +1,163 @@ +Index: include/ads.h +=================================================================== +RCS file: /home/cvs/samba/source/include/ads.h,v +retrieving revision 1.12.2.14 +diff -u -r1.12.2.14 ads.h +--- include/ads.h 22 Mar 2004 22:49:40 -0000 1.12.2.14 ++++ include/ads.h 23 Mar 2004 20:28:08 -0000 +@@ -29,6 +29,7 @@ + char *kdc_server; + unsigned flags; + int time_offset; ++ time_t expire; + } auth; + + /* info derived from the servers config */ +Index: libads/kerberos.c +=================================================================== +RCS file: /home/cvs/samba/source/libads/kerberos.c,v +retrieving revision 1.12.2.5 +diff -u -r1.12.2.5 kerberos.c +--- libads/kerberos.c 24 Oct 2002 01:05:30 -0000 1.12.2.5 ++++ libads/kerberos.c 23 Mar 2004 20:28:08 -0000 +@@ -54,7 +54,7 @@ + simulate a kinit, putting the tgt in the default cache location + remus@snapserver.com + */ +-int kerberos_kinit_password(const char *principal, const char *password, int time_offset) ++int kerberos_kinit_password(const char *principal, const char *password, int time_offset, time_t *expire_time) + { + krb5_context ctx; + krb5_error_code code = 0; +@@ -102,6 +102,9 @@ + return code; + } + ++ if (expire_time) ++ *expire_time = (time_t) my_creds.times.endtime; ++ + krb5_cc_close(ctx, cc); + krb5_free_cred_contents(ctx, &my_creds); + krb5_free_principal(ctx, me); +@@ -126,7 +129,7 @@ + return KRB5_LIBOS_CANTREADPWD; + } + +- ret = kerberos_kinit_password(s, ads->auth.password, ads->auth.time_offset); ++ ret = kerberos_kinit_password(s, ads->auth.password, ads->auth.time_offset, &ads->auth.expire); + + if (ret) { + DEBUG(0,("kerberos_kinit_password %s failed: %s\n", +@@ -136,5 +139,37 @@ + return ret; + } + ++int ads_kdestroy(const char *cc_name) ++{ ++ krb5_error_code code; ++ krb5_context ctx; ++ krb5_ccache cc; ++ ++ if ((code = krb5_init_context (&ctx))) { ++ DEBUG(3, ("ads_kdestroy: kdb5_init_context rc=%d\n", code)); ++ return code; ++ } ++ ++ if (!cc_name) { ++ if ((code = krb5_cc_default(ctx, &cc))) { ++ krb5_free_context(ctx); ++ return code; ++ } ++ } else { ++ if ((code = krb5_cc_resolve(ctx, cc_name, &cc))) { ++ DEBUG(3, ("ads_kdestroy: krb5_cc_resolve rc=%d\n", ++ code)); ++ krb5_free_context(ctx); ++ return code; ++ } ++ } ++ ++ if ((code = krb5_cc_destroy (ctx, cc))) { ++ DEBUG(3, ("ads_kdestroy: krb5_cc_destroy rc=%d\n", code)); ++ } ++ ++ krb5_free_context (ctx); ++ return code; ++} + + #endif +Index: libads/krb5_setpw.c +=================================================================== +RCS file: /home/cvs/samba/source/libads/krb5_setpw.c,v +retrieving revision 1.7.2.14 +diff -u -r1.7.2.14 krb5_setpw.c +--- libads/krb5_setpw.c 19 Aug 2003 22:47:10 -0000 1.7.2.14 ++++ libads/krb5_setpw.c 23 Mar 2004 20:28:08 -0000 +@@ -642,7 +642,7 @@ + { + int ret; + +- if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset))) { ++ if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset, NULL))) { + DEBUG(1,("Failed kinit for principal %s (%s)\n", auth_principal, error_message(ret))); + return ADS_ERROR_KRB5(ret); + } +Index: libsmb/cliconnect.c +=================================================================== +RCS file: /home/cvs/samba/source/libsmb/cliconnect.c,v +retrieving revision 1.71.2.54 +diff -u -r1.71.2.54 cliconnect.c +--- libsmb/cliconnect.c 19 Mar 2004 16:22:47 -0000 1.71.2.54 ++++ libsmb/cliconnect.c 23 Mar 2004 20:28:09 -0000 +@@ -718,7 +718,7 @@ + int ret; + + use_in_memory_ccache(); +- ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */); ++ ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */, NULL); + + if (ret){ + DEBUG(0, ("Kinit failed: %s\n", error_message(ret))); +Index: nsswitch/winbindd_ads.c +=================================================================== +RCS file: /home/cvs/samba/source/nsswitch/winbindd_ads.c,v +retrieving revision 1.43.2.39 +diff -u -r1.43.2.39 winbindd_ads.c +--- nsswitch/winbindd_ads.c 22 Mar 2004 22:57:21 -0000 1.43.2.39 ++++ nsswitch/winbindd_ads.c 23 Mar 2004 20:28:10 -0000 +@@ -43,13 +43,17 @@ + ads = (ADS_STRUCT *)domain->private; + + /* check for a valid structure */ +- if ( ads->config.realm ) { ++ ++ DEBUG(7, ("Current tickets expire at %d\n, time is now %d\n", ++ (uint32) ads->auth.expire, (uint32) time(NULL))); ++ if ( ads->config.realm && (ads->auth.expire > time(NULL))) { + return ads; + } + else { + /* we own this ADS_STRUCT so make sure it goes away */ + ads->is_mine = True; + ads_destroy( &ads ); ++ ads_kdestroy("MEMORY:winbind_ccache"); + domain->private = NULL; + } + } +Index: utils/ntlm_auth.c +=================================================================== +RCS file: /home/cvs/samba/source/utils/ntlm_auth.c,v +retrieving revision 1.6.2.43 +diff -u -r1.6.2.43 ntlm_auth.c +--- utils/ntlm_auth.c 11 Mar 2004 22:48:24 -0000 1.6.2.43 ++++ utils/ntlm_auth.c 23 Mar 2004 20:28:11 -0000 +@@ -1111,7 +1111,8 @@ + + pstr_sprintf(user, "%s@%s", opt_username, opt_domain); + +- if ((retval = kerberos_kinit_password(user, opt_password, 0))) { ++ if ((retval = kerberos_kinit_password(user, opt_password, ++ 0, NULL))) { + DEBUG(10, ("Requesting TGT failed: %s\n", error_message(retval))); + x_fprintf(x_stdout, "NA\n"); + return True; --- samba-3.0.2a_2,1.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040401001416.51C8E610C>