ports/65013: [PATCH] net/samba-devel: fix winbind ads and kerberos issues
Jonathan Noack
noackj at concordiacrusaders.org
Thu Apr 1 00:20:10 UTC 2004
>Number: 65013
>Category: ports
>Synopsis: [PATCH] net/samba-devel: fix winbind ads and kerberos issues
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Wed Mar 31 16:20:09 PST 2004
>Closed-Date:
>Last-Modified:
>Originator: Jonathan Noack
>Release: FreeBSD 5.2.1-RELEASE-p4 i386
>Organization:
Concordia Lutheran High School
>Environment:
System: FreeBSD optimator.noacks.org 5.2.1-RELEASE-p4 FreeBSD 5.2.1-RELEASE-p4 #22: Wed Mar 31 02:17:41 CST 2004
>Description:
- Fix winbindd core dump if AD is down:
https://bugzilla.samba.org/show_bug.cgi?id=1195
- Fix winbindd failing to acquire a new kerberos ticket upon expiration:
https://bugzilla.samba.org/show_bug.cgi?id=1208
Both fixes were obtained from Samba CVS.
Port maintainer (timur at gnu.org) is cc'd.
Generated with FreeBSD Port Tools 0.50
>How-To-Repeat:
- ads:
Run Samba with security=ads but leave the AD powered down.
- kerberos:
Wait 10 hours for winbindd ticket to expire.
>Fix:
--- samba-3.0.2a_2,1.patch begins here ---
diff -ruN --exclude=CVS /usr/ports/net/samba-devel/Makefile /usr/home/noackjr/net/samba-devel/Makefile
--- /usr/ports/net/samba-devel/Makefile Wed Mar 31 16:14:49 2004
+++ /usr/home/noackjr/net/samba-devel/Makefile Wed Mar 31 18:01:15 2004
@@ -7,7 +7,7 @@
PORTNAME= samba
PORTVERSION= 3.0.2a
-PORTREVISION?= 1
+PORTREVISION?= 2
PORTEPOCH?= 1
CATEGORIES?= net
MASTER_SITES= ${MASTER_SITE_SAMBA}
diff -ruN --exclude=CVS /usr/ports/net/samba-devel/files/patch-ads /usr/home/noackjr/net/samba-devel/files/patch-ads
--- /usr/ports/net/samba-devel/files/patch-ads Wed Dec 31 18:00:00 1969
+++ /usr/home/noackjr/net/samba-devel/files/patch-ads Wed Mar 31 17:37:28 2004
@@ -0,0 +1,112 @@
+Index: include/ads.h
+===================================================================
+RCS file: /data/cvs/samba/source/include/ads.h,v
+retrieving revision 1.12.2.13
+diff -u -r1.12.2.13 ads.h
+--- include/ads.h 9 Jan 2004 14:54:33 -0000 1.12.2.13
++++ include/ads.h 22 Mar 2004 21:32:56 -0000
+@@ -10,6 +10,8 @@
+ time_t last_attempt; /* last attempt to reconnect */
+ int ldap_port;
+
++ int is_mine; /* do I own this structure's memory? */
++
+ /* info needed to find the server */
+ struct {
+ char *realm;
+Index: libads/ads_struct.c
+===================================================================
+RCS file: /data/cvs/samba/source/libads/ads_struct.c,v
+retrieving revision 1.13.2.7
+diff -u -r1.13.2.7 ads_struct.c
+--- libads/ads_struct.c 22 Oct 2003 23:38:19 -0000 1.13.2.7
++++ libads/ads_struct.c 22 Mar 2004 21:32:59 -0000
+@@ -102,13 +102,10 @@
+ ads->server.foreign = 1;
+ }
+
+- return ads;
+-}
++ /* the caller will own the memory by default */
++ ads->is_mine = 1;
+
+-/* a simpler ads_init() interface using all defaults */
+-ADS_STRUCT *ads_init_simple(void)
+-{
+- return ads_init(NULL, NULL, NULL);
++ return ads;
+ }
+
+ /*
+@@ -117,6 +114,9 @@
+ void ads_destroy(ADS_STRUCT **ads)
+ {
+ if (ads && *ads) {
++ BOOL is_mine;
++
++ is_mine = (*ads)->is_mine;
+ #if HAVE_LDAP
+ if ((*ads)->ld) ldap_unbind((*ads)->ld);
+ #endif
+@@ -133,8 +133,11 @@
+ SAFE_FREE((*ads)->config.realm);
+ SAFE_FREE((*ads)->config.bind_path);
+ SAFE_FREE((*ads)->config.ldap_server_name);
+-
++
++
+ ZERO_STRUCTP(*ads);
+- SAFE_FREE(*ads);
++
++ if ( is_mine )
++ SAFE_FREE(*ads);
+ }
+ }
+Index: nsswitch/winbindd_ads.c
+===================================================================
+RCS file: /data/cvs/samba/source/nsswitch/winbindd_ads.c,v
+retrieving revision 1.43.2.37
+diff -u -r1.43.2.37 winbindd_ads.c
+--- nsswitch/winbindd_ads.c 12 Jan 2004 14:26:50 -0000 1.43.2.37
++++ nsswitch/winbindd_ads.c 22 Mar 2004 21:33:01 -0000
+@@ -5,6 +5,7 @@
+
+ Copyright (C) Andrew Tridgell 2001
+ Copyright (C) Andrew Bartlett <abartlet at samba.org> 2003
++ Copyright (C) Gerald (Jerry) Carter 2004
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+@@ -39,7 +40,18 @@
+ ADS_STATUS status;
+
+ if (domain->private) {
+- return (ADS_STRUCT *)domain->private;
++ ads = (ADS_STRUCT *)domain->private;
++
++ /* check for a valid structure */
++ if ( ads->config.realm ) {
++ return ads;
++ }
++ else {
++ /* we own this ADS_STRUCT so make sure it goes away */
++ ads->is_mine = True;
++ ads_destroy( &ads );
++ domain->private = NULL;
++ }
+ }
+
+ /* we don't want this to affect the users ccache */
+@@ -78,6 +90,12 @@
+ }
+ return NULL;
+ }
++
++ /* set the flag that says we don't own the memory even
++ though we do so that ads_destroy() won't destroy the
++ structure we pass back by reference */
++
++ ads->is_mine = False;
+
+ domain->private = (void *)ads;
+ return ads;
diff -ruN --exclude=CVS /usr/ports/net/samba-devel/files/patch-kerberos /usr/home/noackjr/net/samba-devel/files/patch-kerberos
--- /usr/ports/net/samba-devel/files/patch-kerberos Wed Dec 31 18:00:00 1969
+++ /usr/home/noackjr/net/samba-devel/files/patch-kerberos Wed Mar 31 17:37:28 2004
@@ -0,0 +1,163 @@
+Index: include/ads.h
+===================================================================
+RCS file: /home/cvs/samba/source/include/ads.h,v
+retrieving revision 1.12.2.14
+diff -u -r1.12.2.14 ads.h
+--- include/ads.h 22 Mar 2004 22:49:40 -0000 1.12.2.14
++++ include/ads.h 23 Mar 2004 20:28:08 -0000
+@@ -29,6 +29,7 @@
+ char *kdc_server;
+ unsigned flags;
+ int time_offset;
++ time_t expire;
+ } auth;
+
+ /* info derived from the servers config */
+Index: libads/kerberos.c
+===================================================================
+RCS file: /home/cvs/samba/source/libads/kerberos.c,v
+retrieving revision 1.12.2.5
+diff -u -r1.12.2.5 kerberos.c
+--- libads/kerberos.c 24 Oct 2002 01:05:30 -0000 1.12.2.5
++++ libads/kerberos.c 23 Mar 2004 20:28:08 -0000
+@@ -54,7 +54,7 @@
+ simulate a kinit, putting the tgt in the default cache location
+ remus at snapserver.com
+ */
+-int kerberos_kinit_password(const char *principal, const char *password, int time_offset)
++int kerberos_kinit_password(const char *principal, const char *password, int time_offset, time_t *expire_time)
+ {
+ krb5_context ctx;
+ krb5_error_code code = 0;
+@@ -102,6 +102,9 @@
+ return code;
+ }
+
++ if (expire_time)
++ *expire_time = (time_t) my_creds.times.endtime;
++
+ krb5_cc_close(ctx, cc);
+ krb5_free_cred_contents(ctx, &my_creds);
+ krb5_free_principal(ctx, me);
+@@ -126,7 +129,7 @@
+ return KRB5_LIBOS_CANTREADPWD;
+ }
+
+- ret = kerberos_kinit_password(s, ads->auth.password, ads->auth.time_offset);
++ ret = kerberos_kinit_password(s, ads->auth.password, ads->auth.time_offset, &ads->auth.expire);
+
+ if (ret) {
+ DEBUG(0,("kerberos_kinit_password %s failed: %s\n",
+@@ -136,5 +139,37 @@
+ return ret;
+ }
+
++int ads_kdestroy(const char *cc_name)
++{
++ krb5_error_code code;
++ krb5_context ctx;
++ krb5_ccache cc;
++
++ if ((code = krb5_init_context (&ctx))) {
++ DEBUG(3, ("ads_kdestroy: kdb5_init_context rc=%d\n", code));
++ return code;
++ }
++
++ if (!cc_name) {
++ if ((code = krb5_cc_default(ctx, &cc))) {
++ krb5_free_context(ctx);
++ return code;
++ }
++ } else {
++ if ((code = krb5_cc_resolve(ctx, cc_name, &cc))) {
++ DEBUG(3, ("ads_kdestroy: krb5_cc_resolve rc=%d\n",
++ code));
++ krb5_free_context(ctx);
++ return code;
++ }
++ }
++
++ if ((code = krb5_cc_destroy (ctx, cc))) {
++ DEBUG(3, ("ads_kdestroy: krb5_cc_destroy rc=%d\n", code));
++ }
++
++ krb5_free_context (ctx);
++ return code;
++}
+
+ #endif
+Index: libads/krb5_setpw.c
+===================================================================
+RCS file: /home/cvs/samba/source/libads/krb5_setpw.c,v
+retrieving revision 1.7.2.14
+diff -u -r1.7.2.14 krb5_setpw.c
+--- libads/krb5_setpw.c 19 Aug 2003 22:47:10 -0000 1.7.2.14
++++ libads/krb5_setpw.c 23 Mar 2004 20:28:08 -0000
+@@ -642,7 +642,7 @@
+ {
+ int ret;
+
+- if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset))) {
++ if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset, NULL))) {
+ DEBUG(1,("Failed kinit for principal %s (%s)\n", auth_principal, error_message(ret)));
+ return ADS_ERROR_KRB5(ret);
+ }
+Index: libsmb/cliconnect.c
+===================================================================
+RCS file: /home/cvs/samba/source/libsmb/cliconnect.c,v
+retrieving revision 1.71.2.54
+diff -u -r1.71.2.54 cliconnect.c
+--- libsmb/cliconnect.c 19 Mar 2004 16:22:47 -0000 1.71.2.54
++++ libsmb/cliconnect.c 23 Mar 2004 20:28:09 -0000
+@@ -718,7 +718,7 @@
+ int ret;
+
+ use_in_memory_ccache();
+- ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */);
++ ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */, NULL);
+
+ if (ret){
+ DEBUG(0, ("Kinit failed: %s\n", error_message(ret)));
+Index: nsswitch/winbindd_ads.c
+===================================================================
+RCS file: /home/cvs/samba/source/nsswitch/winbindd_ads.c,v
+retrieving revision 1.43.2.39
+diff -u -r1.43.2.39 winbindd_ads.c
+--- nsswitch/winbindd_ads.c 22 Mar 2004 22:57:21 -0000 1.43.2.39
++++ nsswitch/winbindd_ads.c 23 Mar 2004 20:28:10 -0000
+@@ -43,13 +43,17 @@
+ ads = (ADS_STRUCT *)domain->private;
+
+ /* check for a valid structure */
+- if ( ads->config.realm ) {
++
++ DEBUG(7, ("Current tickets expire at %d\n, time is now %d\n",
++ (uint32) ads->auth.expire, (uint32) time(NULL)));
++ if ( ads->config.realm && (ads->auth.expire > time(NULL))) {
+ return ads;
+ }
+ else {
+ /* we own this ADS_STRUCT so make sure it goes away */
+ ads->is_mine = True;
+ ads_destroy( &ads );
++ ads_kdestroy("MEMORY:winbind_ccache");
+ domain->private = NULL;
+ }
+ }
+Index: utils/ntlm_auth.c
+===================================================================
+RCS file: /home/cvs/samba/source/utils/ntlm_auth.c,v
+retrieving revision 1.6.2.43
+diff -u -r1.6.2.43 ntlm_auth.c
+--- utils/ntlm_auth.c 11 Mar 2004 22:48:24 -0000 1.6.2.43
++++ utils/ntlm_auth.c 23 Mar 2004 20:28:11 -0000
+@@ -1111,7 +1111,8 @@
+
+ pstr_sprintf(user, "%s@%s", opt_username, opt_domain);
+
+- if ((retval = kerberos_kinit_password(user, opt_password, 0))) {
++ if ((retval = kerberos_kinit_password(user, opt_password,
++ 0, NULL))) {
+ DEBUG(10, ("Requesting TGT failed: %s\n", error_message(retval)));
+ x_fprintf(x_stdout, "NA\n");
+ return True;
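Review bot: The new DEBUG(7) in `winbindd_ads.c` has a stray newline in the middle of its message and prints `uint32` casts with `%d`: `"Current tickets expire at %d\n, time is now %d\n"` splits one sentence across two log lines and mismatches the signedness; `"Current tickets expire at %u, time is now %u\n"` fixes both. In `ads_kdestroy()` the first debug message names `kdb5_init_context` although the call is `krb5_init_context`; `DEBUG(3, ("ads_kdestroy: krb5_init_context rc=%d\n", code));` keeps the log greppable. The ccache name `"MEMORY:winbind_ccache"` passed to `ads_kdestroy()` is a bare literal; if the same name is set elsewhere in this function (the surrounding context about not touching the user's ccache suggests it is), one shared `#define` would keep the two from drifting apart. The expiry test `ads->auth.expire > time(NULL)` relies on `auth.expire` having been filled in by `ads_kinit_password()`; for a struct whose tickets were obtained another way it presumably stays at its initial 0 and the connection would be torn down on every call, which may be intended but is worth a comment. The enclosing functions in winbindd_ads.c and kerberos.c start before the visible lines of their nested hunks.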
--- samba-3.0.2a_2,1.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: