Changeset 989 for vendor/current/source3/libads

Timestamp:

Nov 25, 2016, 8:04:54 PM (9 years ago)

Author:

Silvan Scherrer

Message:

Samba Server: update vendor to version 4.4.7

Location:

vendor/current/source3/libads

Files:

• cldap.c (modified) (1 diff)
• kerberos.c (modified) (1 diff)
• kerberos_keytab.c (modified) (1 diff)
• sasl.c (modified) (5 diffs)

vendor/current/source3/libads/cldap.c

@@ -118 +118 @@
                                            state->servers[i],
                                            &state->cldap[i]);
-                if (tevent_req_nterror(req, status)) {
-                        return tevent_req_post(req, ev);
+                if (!NT_STATUS_IS_OK(status)) {
+                        /*
+                         * Don't error out all sends just
+                         * because one cldap_socket_init() failed.
+                         * Log it here, and the cldap_netlogon_send()
+                         * will catch it (with in.dest_address == NULL)
+                         * and correctly error out in
+                         * cldap_multi_netlogon_done(). This still allows
+                         * the other requests to be concurrently sent.
+                         */
+                        DBG_NOTICE("cldap_socket_init failed for %s "
+                                " error %s\n",
+                                tsocket_address_string(state->servers[i],
+                                        req),
+                                nt_errstr(status));
                 }
 

vendor/current/source3/libads/kerberos.c

@@ -48 +48 @@
 {
         if (num_prompts == 0) return 0;
-#if HAVE_KRB5_PROMPT_TYPE
-
-        /*
-         * only heimdal has a prompt type and we need to deal with it here to
-         * avoid loops.
-         *
-         * removing the prompter completely is not an option as at least these
-         * versions would crash: heimdal-1.0.2 and heimdal-1.1. Later heimdal
-         * version have looping detection and return with a proper error code.
-         */
-
-        if ((num_prompts == 2) &&
-            (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD) &&
-            (prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN)) {
+        if (num_prompts == 2) {
                 /*
-                 * We don't want to change passwords here. We're
-                 * called from heimal when the KDC returns
-                 * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
-                 * have the chance to ask the user for a new
-                 * password. If we return 0 (i.e. success), we will be
-                 * spinning in the endless for-loop in
-                 * change_password() in
-                 * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
+                 * only heimdal has a prompt type and we need to deal with it here to
+                 * avoid loops.
+                 *
+                 * removing the prompter completely is not an option as at least these
+                 * versions would crash: heimdal-1.0.2 and heimdal-1.1. Later heimdal
+                 * version have looping detection and return with a proper error code.
                  */
-                return KRB5KDC_ERR_KEY_EXPIRED;
-        }
-#endif /* HAVE_KRB5_PROMPT_TYPE */
+
+#if HAVE_KRB5_PROMPT_TYPE /* Heimdal */
+                 if (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD &&
+                     prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN) {
+                        /*
+                         * We don't want to change passwords here. We're
+                         * called from heimal when the KDC returns
+                         * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
+                         * have the chance to ask the user for a new
+                         * password. If we return 0 (i.e. success), we will be
+                         * spinning in the endless for-loop in
+                         * change_password() in
+                         * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
+                         */
+                        return KRB5KDC_ERR_KEY_EXPIRED;
+                }
+#elif defined(HAVE_KRB5_GET_PROMPT_TYPES) /* MIT */
+                krb5_prompt_type *prompt_types = NULL;
+
+                prompt_types = krb5_get_prompt_types(ctx);
+                if (prompt_types != NULL) {
+                        if (prompt_types[0] == KRB5_PROMPT_TYPE_NEW_PASSWORD &&
+                            prompt_types[1] == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN) {
+                                return KRB5KDC_ERR_KEY_EXP;
+                        }
+                }
+#endif
+        }
+
         memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
         if (prompts[0].reply->length > 0) {

vendor/current/source3/libads/kerberos_keytab.c

@@ -745 +745 @@
         TALLOC_FREE(frame);
 
-        {
+        if (context) {
                 krb5_keytab_entry zero_kt_entry;
+                krb5_kt_cursor zero_csr;
+
                 ZERO_STRUCT(zero_kt_entry);
+                ZERO_STRUCT(zero_csr);
+
                 if (memcmp(&zero_kt_entry, &kt_entry,
                                 sizeof(krb5_keytab_entry))) {
                         smb_krb5_kt_free_entry(context, &kt_entry);
                 }
-        }
-        {
-                krb5_kt_cursor zero_csr;
-                ZERO_STRUCT(zero_csr);
                 if ((memcmp(&cursor, &zero_csr,
                                 sizeof(krb5_kt_cursor)) != 0) && keytab) {
                         krb5_kt_end_seq_get(context, keytab, &cursor);
                 }
-        }
-        if (keytab) {
-                krb5_kt_close(context, keytab);
-        }
-        if (context) {
+                if (keytab) {
+                        krb5_kt_close(context, keytab);
+                }
                 krb5_free_context(context);
         }

vendor/current/source3/libads/sasl.c

@@ -27 +27 @@
 #include "system/gssapi.h"
 #include "lib/param/loadparm.h"
+#include "krb5_env.h"
 
 #ifdef HAVE_LDAP
@@ -697 +698 @@
         int rc, i;
         ADS_STATUS status;
-        DATA_BLOB blob;
+        DATA_BLOB blob = data_blob_null;
         char *given_principal = NULL;
         char *OIDs[ASN1_MAX_OIDS];
@@ -749 +750 @@
             got_kerberos_mechanism) 
         {
-                status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
-                                                     CRED_MUST_USE_KERBEROS,
-                                                     p.service, p.hostname,
-                                                     blob);
-                if (ADS_ERR_OK(status)) {
-                        ads_free_service_principal(&p);
-                        goto done;
-                }
-
-                DEBUG(10,("ads_sasl_spnego_gensec_bind(KRB5) failed with: %s, "
-                          "calling kinit\n", ads_errstr(status)));
+                if (ads->auth.password == NULL ||
+                    ads->auth.password[0] == '\0')
+                {
+
+                        status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
+                                                             CRED_MUST_USE_KERBEROS,
+                                                             p.service, p.hostname,
+                                                             blob);
+                        if (ADS_ERR_OK(status)) {
+                                ads_free_service_principal(&p);
+                                goto done;
+                        }
+
+                        DEBUG(10,("ads_sasl_spnego_gensec_bind(KRB5) failed with: %s, "
+                                  "calling kinit\n", ads_errstr(status)));
+                }
 
                 status = ADS_ERROR_KRB5(ads_kinit_password(ads)); 
@@ -793 +799 @@
         ads_free_service_principal(&p);
         TALLOC_FREE(frame);
+        if (blob.data != NULL) {
+                data_blob_free(&blob);
+        }
         return status;
 }
@@ -1019 +1028 @@
         }
 
-        status = ads_sasl_gssapi_do_bind(ads, p.name);
-        if (ADS_ERR_OK(status)) {
-                ads_free_service_principal(&p);
-                return status;
-        }
-
-        DEBUG(10,("ads_sasl_gssapi_do_bind failed with: %s, "
-                  "calling kinit\n", ads_errstr(status)));
+        if (ads->auth.password == NULL ||
+            ads->auth.password[0] == '\0') {
+                status = ads_sasl_gssapi_do_bind(ads, p.name);
+                if (ADS_ERR_OK(status)) {
+                        ads_free_service_principal(&p);
+                        return status;
+                }
+
+                DEBUG(10,("ads_sasl_gssapi_do_bind failed with: %s, "
+                          "calling kinit\n", ads_errstr(status)));
+        }
 
         status = ADS_ERROR_KRB5(ads_kinit_password(ads));