Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 31 Mar 2004 18:14:16 -0600 (CST)
From:      Jonathan Noack <noackj@concordiacrusaders.org>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        timur@gnu.org
Subject:   ports/65013: [PATCH] net/samba-devel: fix winbind ads and kerberos issues
Message-ID:  <20040401001416.51C8E610C@optimator.noacks.org>
Resent-Message-ID: <200404010020.i310K9q8057754@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help

>Number:         65013
>Category:       ports
>Synopsis:       [PATCH] net/samba-devel: fix winbind ads and kerberos issues
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 31 16:20:09 PST 2004
>Closed-Date:
>Last-Modified:
>Originator:     Jonathan Noack
>Release:        FreeBSD 5.2.1-RELEASE-p4 i386
>Organization:
Concordia Lutheran High School
>Environment:
System: FreeBSD optimator.noacks.org 5.2.1-RELEASE-p4 FreeBSD 5.2.1-RELEASE-p4 #22: Wed Mar 31 02:17:41 CST 2004
>Description:
- Fix winbindd core dump if AD is down:
  https://bugzilla.samba.org/show_bug.cgi?id=1195
- Fix winbindd failing to acquire a new kerberos ticket upon expiration:
  https://bugzilla.samba.org/show_bug.cgi?id=1208

Both fixes obtained from Samba CVS.
Port maintainer (timur@gnu.org) is cc'd.

Generated with FreeBSD Port Tools 0.50
>How-To-Repeat:
- ads:
  Run Samba with security=ads but leave the AD powered down.
- kerberos:
  Wait 10 hours for winbindd ticket to expire.
>Fix:

--- samba-3.0.2a_2,1.patch begins here ---
diff -ruN --exclude=CVS /usr/ports/net/samba-devel/Makefile /usr/home/noackjr/net/samba-devel/Makefile
--- /usr/ports/net/samba-devel/Makefile	Wed Mar 31 16:14:49 2004
+++ /usr/home/noackjr/net/samba-devel/Makefile	Wed Mar 31 18:01:15 2004
@@ -7,7 +7,7 @@
 
 PORTNAME=	samba
 PORTVERSION=	3.0.2a
-PORTREVISION?=	1
+PORTREVISION?=	2
 PORTEPOCH?=	1
 CATEGORIES?=	net
 MASTER_SITES=	${MASTER_SITE_SAMBA}
diff -ruN --exclude=CVS /usr/ports/net/samba-devel/files/patch-ads /usr/home/noackjr/net/samba-devel/files/patch-ads
--- /usr/ports/net/samba-devel/files/patch-ads	Wed Dec 31 18:00:00 1969
+++ /usr/home/noackjr/net/samba-devel/files/patch-ads	Wed Mar 31 17:37:28 2004
@@ -0,0 +1,112 @@
+Index: include/ads.h
+===================================================================
+RCS file: /data/cvs/samba/source/include/ads.h,v
+retrieving revision 1.12.2.13
+diff -u -r1.12.2.13 ads.h
+--- include/ads.h	9 Jan 2004 14:54:33 -0000	1.12.2.13
++++ include/ads.h	22 Mar 2004 21:32:56 -0000
+@@ -10,6 +10,8 @@
+ 	time_t last_attempt; /* last attempt to reconnect */
+ 	int ldap_port;
+ 	
++	int is_mine;	/* do I own this structure's memory? */
++	
+ 	/* info needed to find the server */
+ 	struct {
+ 		char *realm;
+Index: libads/ads_struct.c
+===================================================================
+RCS file: /data/cvs/samba/source/libads/ads_struct.c,v
+retrieving revision 1.13.2.7
+diff -u -r1.13.2.7 ads_struct.c
+--- libads/ads_struct.c	22 Oct 2003 23:38:19 -0000	1.13.2.7
++++ libads/ads_struct.c	22 Mar 2004 21:32:59 -0000
+@@ -102,13 +102,10 @@
+ 		ads->server.foreign = 1;
+ 	}
+ 
+-	return ads;
+-}
++	/* the caller will own the memory by default */
++	ads->is_mine = 1;
+ 
+-/* a simpler ads_init() interface using all defaults */
+-ADS_STRUCT *ads_init_simple(void)
+-{
+-	return ads_init(NULL, NULL, NULL);
++	return ads;
+ }
+ 
+ /*
+@@ -117,6 +114,9 @@
+ void ads_destroy(ADS_STRUCT **ads)
+ {
+ 	if (ads && *ads) {
++		BOOL is_mine;
++
++		is_mine = (*ads)->is_mine;
+ #if HAVE_LDAP
+ 		if ((*ads)->ld) ldap_unbind((*ads)->ld);
+ #endif
+@@ -133,8 +133,11 @@
+ 		SAFE_FREE((*ads)->config.realm);
+ 		SAFE_FREE((*ads)->config.bind_path);
+ 		SAFE_FREE((*ads)->config.ldap_server_name);
+-
++		
++		
+ 		ZERO_STRUCTP(*ads);
+-		SAFE_FREE(*ads);
++
++		if ( is_mine )
++			SAFE_FREE(*ads);
+ 	}
+ }
+Index: nsswitch/winbindd_ads.c
+===================================================================
+RCS file: /data/cvs/samba/source/nsswitch/winbindd_ads.c,v
+retrieving revision 1.43.2.37
+diff -u -r1.43.2.37 winbindd_ads.c
+--- nsswitch/winbindd_ads.c	12 Jan 2004 14:26:50 -0000	1.43.2.37
++++ nsswitch/winbindd_ads.c	22 Mar 2004 21:33:01 -0000
+@@ -5,6 +5,7 @@
+ 
+    Copyright (C) Andrew Tridgell 2001
+    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
++   Copyright (C) Gerald (Jerry) Carter 2004
+    
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+@@ -39,7 +40,18 @@
+ 	ADS_STATUS status;
+ 
+ 	if (domain->private) {
+-		return (ADS_STRUCT *)domain->private;
++		ads = (ADS_STRUCT *)domain->private;
++
++		/* check for a valid structure */
++		if ( ads->config.realm ) {
++			return ads;
++		}
++		else {
++			/* we own this ADS_STRUCT so make sure it goes away */
++			ads->is_mine = True;
++			ads_destroy( &ads );
++			domain->private = NULL;
++		}
+ 	}
+ 
+ 	/* we don't want this to affect the users ccache */
+@@ -78,6 +90,12 @@
+ 		}
+ 		return NULL;
+ 	}
++
++	/* set the flag that says we don't own the memory even 
++	   though we do so that ads_destroy() won't destroy the 
++	   structure we pass back by reference */
++
++	ads->is_mine = False;
+ 
+ 	domain->private = (void *)ads;
+ 	return ads;
diff -ruN --exclude=CVS /usr/ports/net/samba-devel/files/patch-kerberos /usr/home/noackjr/net/samba-devel/files/patch-kerberos
--- /usr/ports/net/samba-devel/files/patch-kerberos	Wed Dec 31 18:00:00 1969
+++ /usr/home/noackjr/net/samba-devel/files/patch-kerberos	Wed Mar 31 17:37:28 2004
@@ -0,0 +1,163 @@
+Index: include/ads.h
+===================================================================
+RCS file: /home/cvs/samba/source/include/ads.h,v
+retrieving revision 1.12.2.14
+diff -u -r1.12.2.14 ads.h
+--- include/ads.h	22 Mar 2004 22:49:40 -0000	1.12.2.14
++++ include/ads.h	23 Mar 2004 20:28:08 -0000
+@@ -29,6 +29,7 @@
+ 		char *kdc_server;
+ 		unsigned flags;
+ 		int time_offset;
++		time_t expire;
+ 	} auth;
+ 
+ 	/* info derived from the servers config */
+Index: libads/kerberos.c
+===================================================================
+RCS file: /home/cvs/samba/source/libads/kerberos.c,v
+retrieving revision 1.12.2.5
+diff -u -r1.12.2.5 kerberos.c
+--- libads/kerberos.c	24 Oct 2002 01:05:30 -0000	1.12.2.5
++++ libads/kerberos.c	23 Mar 2004 20:28:08 -0000
+@@ -54,7 +54,7 @@
+   simulate a kinit, putting the tgt in the default cache location
+   remus@snapserver.com
+ */
+-int kerberos_kinit_password(const char *principal, const char *password, int time_offset)
++int kerberos_kinit_password(const char *principal, const char *password, int time_offset, time_t *expire_time)
+ {
+ 	krb5_context ctx;
+ 	krb5_error_code code = 0;
+@@ -102,6 +102,9 @@
+ 		return code;
+ 	}
+ 	
++	if (expire_time)
++		*expire_time = (time_t) my_creds.times.endtime;
++
+ 	krb5_cc_close(ctx, cc);
+ 	krb5_free_cred_contents(ctx, &my_creds);
+ 	krb5_free_principal(ctx, me);
+@@ -126,7 +129,7 @@
+ 		return KRB5_LIBOS_CANTREADPWD;
+ 	}
+ 	
+-	ret = kerberos_kinit_password(s, ads->auth.password, ads->auth.time_offset);
++	ret = kerberos_kinit_password(s, ads->auth.password, ads->auth.time_offset, &ads->auth.expire);
+ 
+ 	if (ret) {
+ 		DEBUG(0,("kerberos_kinit_password %s failed: %s\n", 
+@@ -136,5 +139,37 @@
+ 	return ret;
+ }
+ 
++int ads_kdestroy(const char *cc_name)
++{
++	krb5_error_code code;
++	krb5_context ctx;
++	krb5_ccache cc;
++
++	if ((code = krb5_init_context (&ctx))) {
++		DEBUG(3, ("ads_kdestroy: kdb5_init_context rc=%d\n", code));
++		return code;
++	}
++  
++	if (!cc_name) {
++		if ((code = krb5_cc_default(ctx, &cc))) {
++			krb5_free_context(ctx);
++			return code;
++		}
++	} else {
++		if ((code = krb5_cc_resolve(ctx, cc_name, &cc))) {
++			DEBUG(3, ("ads_kdestroy: krb5_cc_resolve rc=%d\n",
++				  code));
++			krb5_free_context(ctx);
++			return code;
++		}
++	}
++
++	if ((code = krb5_cc_destroy (ctx, cc))) {
++		DEBUG(3, ("ads_kdestroy: krb5_cc_destroy rc=%d\n", code));
++	}
++
++	krb5_free_context (ctx);
++	return code;
++}
+ 
+ #endif
+Index: libads/krb5_setpw.c
+===================================================================
+RCS file: /home/cvs/samba/source/libads/krb5_setpw.c,v
+retrieving revision 1.7.2.14
+diff -u -r1.7.2.14 krb5_setpw.c
+--- libads/krb5_setpw.c	19 Aug 2003 22:47:10 -0000	1.7.2.14
++++ libads/krb5_setpw.c	23 Mar 2004 20:28:08 -0000
+@@ -642,7 +642,7 @@
+ {
+     int ret;
+ 
+-    if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset))) {
++    if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset, NULL))) {
+ 	DEBUG(1,("Failed kinit for principal %s (%s)\n", auth_principal, error_message(ret)));
+ 	return ADS_ERROR_KRB5(ret);
+     }
+Index: libsmb/cliconnect.c
+===================================================================
+RCS file: /home/cvs/samba/source/libsmb/cliconnect.c,v
+retrieving revision 1.71.2.54
+diff -u -r1.71.2.54 cliconnect.c
+--- libsmb/cliconnect.c	19 Mar 2004 16:22:47 -0000	1.71.2.54
++++ libsmb/cliconnect.c	23 Mar 2004 20:28:09 -0000
+@@ -718,7 +718,7 @@
+ 			int ret;
+ 			
+ 			use_in_memory_ccache();
+-			ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */);
++			ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */, NULL);
+ 			
+ 			if (ret){
+ 				DEBUG(0, ("Kinit failed: %s\n", error_message(ret)));
+Index: nsswitch/winbindd_ads.c
+===================================================================
+RCS file: /home/cvs/samba/source/nsswitch/winbindd_ads.c,v
+retrieving revision 1.43.2.39
+diff -u -r1.43.2.39 winbindd_ads.c
+--- nsswitch/winbindd_ads.c	22 Mar 2004 22:57:21 -0000	1.43.2.39
++++ nsswitch/winbindd_ads.c	23 Mar 2004 20:28:10 -0000
+@@ -43,13 +43,17 @@
+ 		ads = (ADS_STRUCT *)domain->private;
+ 
+ 		/* check for a valid structure */
+-		if ( ads->config.realm ) {
++
++		DEBUG(7, ("Current tickets expire at %d\n, time is now %d\n",
++			  (uint32) ads->auth.expire, (uint32) time(NULL)));
++		if ( ads->config.realm && (ads->auth.expire > time(NULL))) {
+ 			return ads;
+ 		}
+ 		else {
+ 			/* we own this ADS_STRUCT so make sure it goes away */
+ 			ads->is_mine = True;
+ 			ads_destroy( &ads );
++			ads_kdestroy("MEMORY:winbind_ccache");
+ 			domain->private = NULL;
+ 		}
+ 	}
+Index: utils/ntlm_auth.c
+===================================================================
+RCS file: /home/cvs/samba/source/utils/ntlm_auth.c,v
+retrieving revision 1.6.2.43
+diff -u -r1.6.2.43 ntlm_auth.c
+--- utils/ntlm_auth.c	11 Mar 2004 22:48:24 -0000	1.6.2.43
++++ utils/ntlm_auth.c	23 Mar 2004 20:28:11 -0000
+@@ -1111,7 +1111,8 @@
+ 
+ 		pstr_sprintf(user, "%s@%s", opt_username, opt_domain);
+ 
+-		if ((retval = kerberos_kinit_password(user, opt_password, 0))) {
++		if ((retval = kerberos_kinit_password(user, opt_password, 
++						      0, NULL))) {
+ 			DEBUG(10, ("Requesting TGT failed: %s\n", error_message(retval)));
+ 			x_fprintf(x_stdout, "NA\n");
+ 			return True;
--- samba-3.0.2a_2,1.patch ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040401001416.51C8E610C>