PR#11: Adapt samba to new MIT library v1.18 - rpms/samba

rpms / samba

#11 Adapt samba to new MIT library v1.18

Merged 4 years ago by abbra. Opened 4 years ago by iboukris.

rpms/ iboukris/samba new_mit_118 into master

Adapt samba to new MIT library v1.18

Isaac Boukris • 4 years ago

1af0af0

new_mit_118.patch

file added

+174

		`@@ -0,0 +1,174 @@`
		`+ From 04b262f686b5b16ba659ade1e4b5778e2b219f0a Mon Sep 17 00:00:00 2001`
		`+ From: Isaac Boukris <iboukris@gmail.com>`
		`+ Date: Mon, 16 Sep 2019 16:40:12 +0300`
		`+ Subject: [PATCH 1/2] Adapt sign_authdata in our KDB module for krb5 v1.18`
		`+`
		`+ Signed-off-by: Isaac Boukris <iboukris@samba.org>`
		`+ ---`
		`+ source4/kdc/mit-kdb/kdb_samba.c \| 2 +-`
		`+ source4/kdc/mit-kdb/kdb_samba.h \| 21 +++++++++++++++++++++`
		`+ source4/kdc/mit-kdb/kdb_samba_policies.c \| 24 ++++++++++++++++++++++++`
		`+ 3 files changed, 46 insertions(+), 1 deletion(-)`
		`+`
		`+ diff --git a/source4/kdc/mit-kdb/kdb_samba.c b/source4/kdc/mit-kdb/kdb_samba.c`
		`+ index c5157d6ed1b..02bbdca9f54 100644`
		`+ --- a/source4/kdc/mit-kdb/kdb_samba.c`
		`+ +++ b/source4/kdc/mit-kdb/kdb_samba.c`
		`+ @@ -139,7 +139,7 @@ static void kdb_samba_db_free_principal_e_data(krb5_context context,`
		`+`
		`+ kdb_vftabl kdb_function_table = {`
		`+ .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,`
		`+ - .min_ver = 1,`
		`+ + .min_ver = KRB5_KDB_DAL_MAJOR_VERSION == 6 ? 1 : 0,`
		`+`
		`+ .init_library = kdb_samba_init_library,`
		`+ .fini_library = kdb_samba_fini_library,`
		`+ diff --git a/source4/kdc/mit-kdb/kdb_samba.h b/source4/kdc/mit-kdb/kdb_samba.h`
		`+ index 22ef9085b6a..ad4f6e27573 100644`
		`+ --- a/source4/kdc/mit-kdb/kdb_samba.h`
		`+ +++ b/source4/kdc/mit-kdb/kdb_samba.h`
		`+ @@ -114,6 +114,7 @@ krb5_error_code kdb_samba_dbekd_encrypt_key_data(krb5_context context,`
		`+`
		`+ /* from kdb_samba_policies.c */`
		`+`
		`+ +#if KRB5_KDB_API_VERSION < 10`
		`+ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,`
		`+ unsigned int flags,`
		`+ krb5_const_principal client_princ,`
		`+ @@ -127,6 +128,26 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,`
		`+ krb5_timestamp authtime,`
		`+ krb5_authdata **tgt_auth_data,`
		`+ krb5_authdata ***signed_auth_data);`
		`+ +#else`
		`+ +krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,`
		`+ + unsigned int flags,`
		`+ + krb5_const_principal client_princ,`
		`+ + krb5_const_principal server_princ,`
		`+ + krb5_db_entry *client,`
		`+ + krb5_db_entry *server,`
		`+ + krb5_db_entry *krbtgt,`
		`+ + krb5_db_entry *local_krbtgt,`
		`+ + krb5_keyblock *client_key,`
		`+ + krb5_keyblock *server_key,`
		`+ + krb5_keyblock *krbtgt_key,`
		`+ + krb5_keyblock *local_krbtgt_key,`
		`+ + krb5_keyblock *session_key,`
		`+ + krb5_timestamp authtime,`
		`+ + krb5_authdata **tgt_auth_data,`
		`+ + void *authdata_info,`
		`+ + krb5_data ***auth_indicators,`
		`+ + krb5_authdata ***signed_auth_data);`
		`+ +#endif`
		`+`
		`+ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,`
		`+ krb5_kdc_req *kdcreq,`
		`+ diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c`
		`+ index fc80329f221..e2f7174b0c2 100644`
		`+ --- a/source4/kdc/mit-kdb/kdb_samba_policies.c`
		`+ +++ b/source4/kdc/mit-kdb/kdb_samba_policies.c`
		`+ @@ -287,6 +287,7 @@ done:`
		`+ return code;`
		`+ }`
		`+`
		`+ +#if KRB5_KDB_API_VERSION < 10`
		`+ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,`
		`+ unsigned int flags,`
		`+ krb5_const_principal client_princ,`
		`+ @@ -301,6 +302,29 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,`
		`+ krb5_authdata **tgt_auth_data,`
		`+ krb5_authdata ***signed_auth_data)`
		`+ {`
		`+ +#else`
		`+ +krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,`
		`+ + unsigned int flags,`
		`+ + krb5_const_principal client_princ,`
		`+ + krb5_const_principal server_princ,`
		`+ + krb5_db_entry *client,`
		`+ + krb5_db_entry *server,`
		`+ + krb5_db_entry *krbtgt,`
		`+ + krb5_db_entry *local_krbtgt,`
		`+ + krb5_keyblock *client_key,`
		`+ + krb5_keyblock *server_key,`
		`+ + krb5_keyblock *krbtgt_key,`
		`+ + krb5_keyblock *local_krbtgt_key,`
		`+ + krb5_keyblock *session_key,`
		`+ + krb5_timestamp authtime,`
		`+ + krb5_authdata **tgt_auth_data,`
		`+ + void *authdata_info,`
		`+ + krb5_data ***auth_indicators,`
		`+ + krb5_authdata ***signed_auth_data)`
		`+ +{`
		`+ + krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;`
		`+ + krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;`
		`+ +#endif`
		`+ krb5_const_principal ks_client_princ;`
		`+ krb5_authdata **authdata = NULL;`
		`+ krb5_boolean is_as_req;`
		`+ --`
		`+ 2.24.1`
		`+`
		`+`
		`+ From c968ec07fa403ed919dcda7b3087e0d10d1e7a32 Mon Sep 17 00:00:00 2001`
		`+ From: Isaac Boukris <iboukris@gmail.com>`
		`+ Date: Thu, 16 Jan 2020 22:00:21 +0100`
		`+ Subject: [PATCH 2/2] Sign and verify PAC with ticket principal instead of`
		`+ canon principal`
		`+`
		`+ With MIT library 1.18 the KDC no longer set`
		`+ KRB5_KDB_FLAG_CANONICALIZE for enterprise principals which allows`
		`+ us to not canonicalize them (like in Windwos / Heimdal).`
		`+`
		`+ However, it now breaks the PAC signature verification as it was`
		`+ wrongly done using canonical client rather than ticket client name.`
		`+`
		`+ Signed-off-by: Isaac Boukris <iboukris@samba.org>`
		`+ ---`
		`+ source4/kdc/mit-kdb/kdb_samba_policies.c \| 12 ++----------`
		`+ 1 file changed, 2 insertions(+), 10 deletions(-)`
		`+`
		`+ diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c`
		`+ index e2f7174b0c2..6a5f06a8a8c 100644`
		`+ --- a/source4/kdc/mit-kdb/kdb_samba_policies.c`
		`+ +++ b/source4/kdc/mit-kdb/kdb_samba_policies.c`
		`+ @@ -325,20 +325,12 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,`
		`+ krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;`
		`+ krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;`
		`+ #endif`
		`+ - krb5_const_principal ks_client_princ;`
		`+ krb5_authdata **authdata = NULL;`
		`+ krb5_boolean is_as_req;`
		`+ krb5_error_code code;`
		`+ krb5_pac pac = NULL;`
		`+ krb5_data pac_data;`
		`+`
		`+ - /* Prefer canonicalised name from client entry */`
		`+ - if (client != NULL) {`
		`+ - ks_client_princ = client->princ;`
		`+ - } else {`
		`+ - ks_client_princ = client_princ;`
		`+ - }`
		`+ -`
		`+ is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);`
		`+`
		`+ if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {`
		`+ @@ -351,7 +343,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,`
		`+ if (!is_as_req) {`
		`+ code = ks_verify_pac(context,`
		`+ flags,`
		`+ - ks_client_princ,`
		`+ + client_princ,`
		`+ client,`
		`+ server,`
		`+ krbtgt,`
		`+ @@ -378,7 +370,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,`
		`+ goto done;`
		`+ }`
		`+`
		`+ - code = krb5_pac_sign(context, pac, authtime, ks_client_princ,`
		`+ + code = krb5_pac_sign(context, pac, authtime, client_princ,`
		`+ server_key, krbtgt_key, &pac_data);`
		`+ if (code != 0) {`
		`+ DBG_ERR("krb5_pac_sign failed: %d\n", code);`
		`+ --`
		`+ 2.24.1`
		`+`

samba.spec

file modified

+2 -1

		`@@ -6,7 +6,7 @@`
		`# ctdb is enabled by default, you can disable it with: --without clustering`
		`%bcond_without clustering`

		`- %define main_release 0`
		`+ %define main_release 1`

		`%define samba_version 4.11.5`
		`%define talloc_version 2.2.0`
		`@@ -125,6 +125,7 @@`
		`Patch100: 0000-use-gnutls-for-des-cbc.patch`
		`Patch101: 0001-handle-removal-des-enctypes-from-krb5.patch`
		`Patch102: 0002-samba-tool-create-working-private-krb5.conf.patch`
		`+ Patch103: new_mit_118.patch`

		`Requires(pre): /usr/sbin/groupadd`
		`Requires(post): systemd`