key_data is unused. Presumably this was copypasta from DB_seq in
hdb/db.c, where it is used for the Heimdal database format in which
the value may be missing a principal but it can be recovered from the
key. In contrast, the mit-krb5 format appears to always store the
principal in the value and _hdb_mdb_value2entry always retrieves it,
with no need for a key2principal fallback.
fix https://github.com/heimdal/heimdal/issues/1102
Excluded: libtomath and libedit files, most of which appear to be
testing or example code not involved in production, and which are
derived from an upstream that should perhaps have patches submitted
upstream instead.
fix https://github.com/heimdal/heimdal/issues/1111
Heimdal's HDB plugin interface, and hence Samba's KDC that depends upon
it, doesn't work on 32-bit builds due to structure fields being arranged
in the wrong order. This problem presents itself in the form of
segmentation faults on 32-bit systems, but goes unnoticed on 64-bit
builds thanks to extra structure padding absorbing the errant fields.
This commit reorders the HDB plugin structure fields to prevent crashes
and introduces a common macro to ensure every plugin presents a
consistent interface.
Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15110
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Without the change the build fails as:
CC hdb-ldap.lo
hdb-ldap.c:2109:5: warning: initialization of 'unsigned char:1' from 'krb5_error_code (*)(struct krb5_context_data *, void **)' {aka 'int (*)(struct krb5_context_data *, void **)'} makes integer from pointer without a cast [-Wint-conversion]
2109 | init,
| ^~~~
hdb-ldap.c:2109:5: note: (near initialization for 'hdb_ldapi_interface.is_file_based')
hdb-ldap.c:2109:5: error: initializer element is not computable at load time
hdb-ldap.c:2109:5: note: (near initialization for 'hdb_ldapi_interface.is_file_based')
hdb-ldap.c:2110:5: warning: initialization of 'unsigned char:1' from 'void (*)(void *)' makes integer from pointer without a cast [-Wint-conversion]
2110 | fini,
| ^~~~
hdb-ldap.c:2110:5: note: (near initialization for 'hdb_ldapi_interface.can_taste')
hdb-ldap.c:2110:5: error: initializer element is not computable at load time
hdb-ldap.c:2110:5: note: (near initialization for 'hdb_ldapi_interface.can_taste')
hdb-ldap.c:2111:5: warning: initialization of 'krb5_error_code (*)(struct krb5_context_data *, void **)' {aka 'int (*)(struct krb5_context_data *, void **)'} from incompatible pointer type 'char *' [-Wincompatible-pointer-types]
2111 | "ldapi",
| ^~~~~~~
hdb-ldap.c:2111:5: note: (near initialization for 'hdb_ldapi_interface.init')
hdb-ldap.c:2112:5: warning: initialization of 'void (*)(void *)' from incompatible pointer type 'krb5_error_code (*)(struct krb5_context_data *, HDB **, const char *)' {aka 'int (*)(struct krb5_context_data *, HDB **, const char *)'} [-Wincompatible-pointer-types]
2112 | hdb_ldapi_create
| ^~~~~~~~~~~~~~~~
hdb-ldap.c:2112:5: note: (near initialization for 'hdb_ldapi_interface.fini')
hdb-ldap.c:2113:1: warning: missing initializer for field 'prefix' of 'struct hdb_method' [-Wmissing-field-initializers]
2113 | };
| ^
Started failing when commit 93ada1fbf ("hdb: Remove default HDB backend
footgun") added extra fields to 'struct hdb_method'.
Noticed missing target directory dependency as a build failure in
`make --shuffle` mode (added in https://savannah.gnu.org/bugs/index.php?62100):
make[2]: Leaving directory '/build/heimdal/lib/gss_preauth'
Making all in hdb
make[2]: Entering directory '/build/heimdal/lib/hdb'
../../lib/asn1/asn1_compile --option-file=./hdb.opt ./hdb.asn1 hdb_asn1
for genfile in 'asn1_Event.c asn1_GENERATION.c asn1_HDB_EncTypeList.c asn1_HDB_Ext_Aliases.c asn1_HDB_Ext_Constrained_delegation_acl.c asn1_HDB_Ext_KeyRotation.c asn1_HDB_Ext_KeySet.c asn1_HDB_Ext_Lan_Manager_OWF.c asn1_HDB_Ext_Password.c asn1_HDB_Ext_PKINIT_acl.c asn1_HDB_Ext_PKINIT_cert.c asn1_HDB_Ext_PKINIT_hash.c asn1_HDB_EntryOrAlias.c asn1_HDB_entry_alias.c asn1_HDB_entry.c asn1_HDB_extension.c asn1_HDB_extensions.c asn1_HDB_keyset.c asn1_HDBFlags.c asn1_Key.c asn1_KeyRotation.c asn1_KeyRotationFlags.c asn1_Keys.c asn1_Salt.c'; do \
true -style='{BasedOnStyle: Mozilla, AlwaysBreakAfterReturnType: TopLevelDefinitions, IndentWidth: 4, SortIncludes: false}' -i ${genfile}; \
done
../../lib/com_err/compile_et hdb_err.et
make all-am
make[3]: Entering directory '/build/heimdal/lib/hdb'
CC hdb-ldap.lo
In file included from hdb_locl.h:67,
from hdb-ldap.c:36:
./hdb.h:337:10: fatal error: hdb-protos.h: No such file or directory
337 | #include <hdb-protos.h>
| ^~~~~~~~~~~~~~
compilation terminated.
The change moves hdb-protos.ha and hdb-private.h to BUILT_SOURCES
to guarantee their presence when main build starts.
We derive keysets for virtual host-based service principals, and that
includes the `set_time` field of keys. But applications using the kadm5
API lose that information. Our httpkadmind wants to set a Cache-Control
header with an appropriate max-age so that clients know when to re-fetch
keytabs.
We could extract some of the lib/hdb/common.c functions so that
httpkadmind could re-create an HDB_entry from a kadm5 entry then compute
the desired time, but ultimately we already have an appropriate field in
the HDB_entry and kadm5_principal_ent_rec types: "password expiration".
So let's set the `pw_end` of a virtual host-based service's HDB entry to
the time when a client should next fetch the principal's keys, and we'll
use that in httpkadmind as the `pw_expiration` field of the kadm5 entry
type.
If a virtual host-based service namespace is disabled, then the virtual
services below it cease existing.
This will be useful in a later commit where we'll use virtual host-based
service namespace for providing default attributes for new concrete
host-based service principals created via httpkadmind, whether the
namespace be enabled or disabled.
One user had an entry with duplicate aliases. This happened with an
earlier version of Heimdal.
This commit does not remove the duplicates, but it does tolerate them.
We introduce a notion of soft vs. hard aliases.
Soft aliases are aliases of WELLKNOWN/REFERRALS/TARGET@$some_realm,
where $some_realm is the realm we want the KDC to issue referrals to.
Hard aliases are all other aliases, where if the client requested
canonicalization then the KDC should update the names in the responses,
or else if the client did not request canonicalization, then the KDC
should treat the alias as a distinct principal with the same keys as the
alias' canonical name.
The logic for dealing with these is entirely located in the HDB
backends.
An HDB backend can implement hard aliases by replacing a found
HDB_entry's principal with the name used to look it up.
An HDB backend can implement soft aliases by returning
HDB_ERR_WRONG_REALM to trigger the AS or TGS to return a referral.
Currently only in-tree HDB backends support this feature that use
_hdb_fetch_kvno() as their hdb_fetch_kvno() method implementation.
That's all HDB backends other than SQLite3.
Out-of-tree backends should be unaffected.
We've added a decoration field to HDB_entry: aliased -- an int
(boolean). This is only used internally in libhdb at this time.
Out-of-tree HDB backends could have a use for this decoration, but we
have not decided whether it is a public interface yet.
With HDB_ERR_WRONG_REALM the backend needs to expose the
principal, so we should not free the entry otherwise
the main kdc code will crash.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
instead of testing both cb_ctx.h and cb_ctx.h->prefix
for non-NULL, ensure that cb_ctx.h is NULL after each
failed for() loop. This also ensures that cb_ctx.h
is never left pointing to an invalid non-NULL value.
Change-Id: I3264577b0fbf1d620b00f87d251e8c43b81e0f29
In order to resolve some shift/reduce conflicts in the ASn.1 compiler's
grammar we need to be strict about value names starting with lower case
and type names starting with upper-case.
asprintf() return code must be checked because in case of failure
the value of the output buffer variable is undefined.
Change-Id: I75e06fffe2330ec10dbe4f678479ded479ab5931
krb5_kt_get_entry() allows a NULL principal to be given ("match all").
The get method of the HDB-as-keytab keytab did not know this, and could
dereference a NULL as a result.
Alphabetically sorted the $(spnego_files), $(gssapi_files), and $(gen_files_hdb)
lists.
Added rules to execute clang-format when available on the included files.
Change-Id: If3cde862f3237bc7cd100bc82d4fbbf568f1a354
When an unsigned char is shifted << 24 bits its type will be
promoted to signed 32-bits. If the value is then assigned to
an unsigned 64-bit value sign extension will occur.
Prevent the unwanted sign extension by explicitly casting the
value to unsigned long before shifting.
Change-Id: Iabeac0f17dc3229a2dc89abe71960a8ffbf523f8
Remove hdb_entry_ex and revert to the original design of hdb_entry (except with
an additional context member in hdb_entry which is managed by the free_entry
method in HDB).
Decorate HDB_entry with context and move free_entry callback into HDB structure
itself. Requires updating hdb_free_entry() signature to include HDB parameter.
A follow-up commit will consolidate hdb_entry_ex (which has a single hdb_entry
member) into hdb_entry.
This is not a very good fix, though the warnings remain. Such errors
can in principle be a problem because in C there is no standard enum
sizing.
In this case we have two enums with the same elements and so the same
size, so it's clearly not a problem.
The generated .x source and .hx header files are plain C source files.
Generate them as .c source files and avoid unnecessary file copying
and special makefile rules.
Change-Id: Ifc4bbe3c46dd357fdd642040ad964c7cfe1d395c
The LIB_ASN1 definition instructs the library objects to access
exported ASN1 generated DATA symbols as internal symbols.
Change-Id: I58b055808893c6f3af48fc2dd997e0dedea2ffcb
Instead of having distinct preauth success/failure events for different
mechanisms, have a single event; the mechanism can be disambiguated by querying
the HDB_REQUEST_KV_PA_NAME key.
Note: there is still an explicit event for long-term key-based success/failure
in order to help the backend implement lockout.
Audit failure (HDB_AUTH_EVENT_PREAUTH_FAILED) in the main preauth loop, rather
than in each mechanism. Success is still audited in the mechanism to allow
client pre-authentication success to be noted even if something subsequent
(e.g. encoding a reply, memory allocation) fails. The generic catch-all for
success remains.
Add a new method for issuing referrals for entire namespaces of hostnames.
An alias of the form WELLKNOWN/HOSTBASED-NAMESPACE/service/namespace-fqdn@REALM
will cause all requests for host-based principals in the given namespace to be
referred to the given realm.
The auth event details audit key (formerly, parameter to auth_status)
contained, variously, an encryption type name; a PKINIT client certificate
name; or, a GSS initiator name. Audit these instead using individual keys that
reflect the values' contents.
Make Samba-specific HDB auth status API a wrapper on the existing auditing API,
with a view towards unifying the two APIs in a future commit.
The term "auth status" is replaced with "auth event", and the HDB auth_status
method is replaced with a more general purpose audit method which has access to
the entire request structure.
