* [PATCH] cifs.upcall: use krb5_sname_to_principal to construct principal name
@ 2012-03-28 11:42 Jeff Layton
[not found] ` <1332934967-1768-1-git-send-email-jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
0 siblings, 1 reply; 2+ messages in thread
From: Jeff Layton @ 2012-03-28 11:42 UTC (permalink / raw)
To: linux-cifs-u79uwXL29TY76Z2rM5mHXA
Currently, we build the string by hand then then construct the
principal name with krb5_parse_name. That bypasses the domain_realm
section in krb5.conf however.
Switch the code to use krb5_sname_to_principal instead which is more
suited to this task. In order for that to work, we change a couple of
calling functions to pass down a hostname instead of a principal
name, and then pass in "cifs" as the service name.
Signed-off-by: Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
---
cifs.upcall.c | 47 ++++++++++++++++++++---------------------------
1 files changed, 20 insertions(+), 27 deletions(-)
diff --git a/cifs.upcall.c b/cifs.upcall.c
index 0d222cb..9e7f7e2 100644
--- a/cifs.upcall.c
+++ b/cifs.upcall.c
@@ -324,7 +324,7 @@ static char *find_krb5_cc(const char *dirname, uid_t uid)
}
static int
-cifs_krb5_get_req(const char *principal, const char *ccname,
+cifs_krb5_get_req(const char *host, const char *ccname,
DATA_BLOB * mechtoken, DATA_BLOB * sess_key)
{
krb5_error_code ret;
@@ -360,10 +360,11 @@ cifs_krb5_get_req(const char *principal, const char *ccname,
goto out_free_ccache;
}
- ret = krb5_parse_name(context, principal, &in_creds.server);
+ ret = krb5_sname_to_principal(context, host, "cifs", KRB5_NT_UNKNOWN,
+ &in_creds.server);
if (ret) {
- syslog(LOG_DEBUG, "%s: unable to parse principal (%s).",
- __func__, principal);
+ syslog(LOG_DEBUG, "%s: unable to convert sname to princ (%s).",
+ __func__, host);
goto out_free_principal;
}
@@ -371,7 +372,7 @@ cifs_krb5_get_req(const char *principal, const char *ccname,
krb5_free_principal(context, in_creds.server);
if (ret) {
syslog(LOG_DEBUG, "%s: unable to get credentials for %s",
- __func__, principal);
+ __func__, host);
goto out_free_principal;
}
@@ -428,14 +429,14 @@ cifs_krb5_get_req(const char *principal, const char *ccname,
&in_data, out_creds, &apreq_pkt);
if (ret) {
syslog(LOG_DEBUG, "%s: unable to make AP-REQ for %s",
- __func__, principal);
+ __func__, host);
goto out_free_auth;
}
ret = krb5_auth_con_getsendsubkey(context, auth_context, &tokb);
if (ret) {
syslog(LOG_DEBUG, "%s: unable to get session key for %s",
- __func__, principal);
+ __func__, host);
goto out_free_auth;
}
@@ -480,17 +481,16 @@ out_free_context:
* ret: 0 - success, others - failure
*/
static int
-handle_krb5_mech(const char *oid, const char *principal, DATA_BLOB * secblob,
+handle_krb5_mech(const char *oid, const char *host, DATA_BLOB * secblob,
DATA_BLOB * sess_key, const char *ccname)
{
int retval;
DATA_BLOB tkt, tkt_wrapped;
- syslog(LOG_DEBUG, "%s: getting service ticket for %s", __func__,
- principal);
+ syslog(LOG_DEBUG, "%s: getting service ticket for %s", __func__, host);
/* get a kerberos ticket for the service and extract the session key */
- retval = cifs_krb5_get_req(principal, ccname, &tkt, sess_key);
+ retval = cifs_krb5_get_req(host, ccname, &tkt, sess_key);
if (retval) {
syslog(LOG_DEBUG, "%s: failed to obtain service ticket (%d)",
__func__, retval);
@@ -782,7 +782,6 @@ int main(const int argc, char *const argv[])
int c, try_dns = 0, legacy_uid = 0;
char *buf, *ccname = NULL;
char hostbuf[NI_MAXHOST], *host;
- char princ[NI_MAXHOST + 5]; /* 5 == len of "cifs/" */
struct decoded_args arg;
const char *oid;
uid_t uid;
@@ -921,29 +920,23 @@ int main(const int argc, char *const argv[])
retry_new_hostname:
lowercase_string(host);
- /* try "cifs/hostname" first */
- rc = snprintf(princ, sizeof(princ), "cifs/%s", host);
- if (rc < 0 || (size_t)rc >= sizeof(princ)) {
- syslog(LOG_ERR,"Unable to set hostname %s in buffer.", host);
- goto out;
- }
-
- rc = handle_krb5_mech(oid, princ, &secblob, &sess_key, ccname);
+ rc = handle_krb5_mech(oid, host, &secblob, &sess_key, ccname);
if (!rc)
break;
/*
- * If hostname has a '.', assume it's a FQDN, otherwise we want to
- * guess the domainname.
+ * If hostname has a '.', assume it's a FQDN, otherwise we
+ * want to guess the domainname.
*/
if (!strchr(host, '.')) {
struct addrinfo hints;
struct addrinfo *ai;
char *domainname;
+ char fqdn[NI_MAXHOST];
/*
- * use getaddrinfo() to resolve the hostname of the server
- * and set ai_canonname.
+ * use getaddrinfo() to resolve the hostname of the
+ * server and set ai_canonname.
*/
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_UNSPEC;
@@ -963,16 +956,16 @@ retry_new_hostname:
break;
}
lowercase_string(domainname);
- rc = snprintf(princ, sizeof(princ), "cifs/%s%s",
+ rc = snprintf(fqdn, sizeof(fqdn), "%s%s",
host, domainname);
freeaddrinfo(ai);
- if (rc < 0 || (size_t)rc >= sizeof(princ)) {
+ if (rc < 0 || (size_t)rc >= sizeof(fqdn)) {
syslog(LOG_ERR, "Problem setting hostname in string: %ld", rc);
rc = -EINVAL;
break;
}
- rc = handle_krb5_mech(oid, princ, &secblob, &sess_key, ccname);
+ rc = handle_krb5_mech(oid, fqdn, &secblob, &sess_key, ccname);
if (!rc)
break;
}
--
1.7.7.6
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] cifs.upcall: use krb5_sname_to_principal to construct principal name
[not found] ` <1332934967-1768-1-git-send-email-jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
@ 2012-03-29 13:49 ` Jeff Layton
0 siblings, 0 replies; 2+ messages in thread
From: Jeff Layton @ 2012-03-29 13:49 UTC (permalink / raw)
To: linux-cifs-u79uwXL29TY76Z2rM5mHXA
On Wed, 28 Mar 2012 07:42:47 -0400
Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org> wrote:
> Currently, we build the string by hand then then construct the
> principal name with krb5_parse_name. That bypasses the domain_realm
> section in krb5.conf however.
>
> Switch the code to use krb5_sname_to_principal instead which is more
> suited to this task. In order for that to work, we change a couple of
> calling functions to pass down a hostname instead of a principal
> name, and then pass in "cifs" as the service name.
>
> Signed-off-by: Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
> ---
> cifs.upcall.c | 47 ++++++++++++++++++++---------------------------
> 1 files changed, 20 insertions(+), 27 deletions(-)
>
> diff --git a/cifs.upcall.c b/cifs.upcall.c
> index 0d222cb..9e7f7e2 100644
> --- a/cifs.upcall.c
> +++ b/cifs.upcall.c
> @@ -324,7 +324,7 @@ static char *find_krb5_cc(const char *dirname, uid_t uid)
> }
>
> static int
> -cifs_krb5_get_req(const char *principal, const char *ccname,
> +cifs_krb5_get_req(const char *host, const char *ccname,
> DATA_BLOB * mechtoken, DATA_BLOB * sess_key)
> {
> krb5_error_code ret;
> @@ -360,10 +360,11 @@ cifs_krb5_get_req(const char *principal, const char *ccname,
> goto out_free_ccache;
> }
>
> - ret = krb5_parse_name(context, principal, &in_creds.server);
> + ret = krb5_sname_to_principal(context, host, "cifs", KRB5_NT_UNKNOWN,
> + &in_creds.server);
> if (ret) {
> - syslog(LOG_DEBUG, "%s: unable to parse principal (%s).",
> - __func__, principal);
> + syslog(LOG_DEBUG, "%s: unable to convert sname to princ (%s).",
> + __func__, host);
> goto out_free_principal;
> }
>
> @@ -371,7 +372,7 @@ cifs_krb5_get_req(const char *principal, const char *ccname,
> krb5_free_principal(context, in_creds.server);
> if (ret) {
> syslog(LOG_DEBUG, "%s: unable to get credentials for %s",
> - __func__, principal);
> + __func__, host);
> goto out_free_principal;
> }
>
> @@ -428,14 +429,14 @@ cifs_krb5_get_req(const char *principal, const char *ccname,
> &in_data, out_creds, &apreq_pkt);
> if (ret) {
> syslog(LOG_DEBUG, "%s: unable to make AP-REQ for %s",
> - __func__, principal);
> + __func__, host);
> goto out_free_auth;
> }
>
> ret = krb5_auth_con_getsendsubkey(context, auth_context, &tokb);
> if (ret) {
> syslog(LOG_DEBUG, "%s: unable to get session key for %s",
> - __func__, principal);
> + __func__, host);
> goto out_free_auth;
> }
>
> @@ -480,17 +481,16 @@ out_free_context:
> * ret: 0 - success, others - failure
> */
> static int
> -handle_krb5_mech(const char *oid, const char *principal, DATA_BLOB * secblob,
> +handle_krb5_mech(const char *oid, const char *host, DATA_BLOB * secblob,
> DATA_BLOB * sess_key, const char *ccname)
> {
> int retval;
> DATA_BLOB tkt, tkt_wrapped;
>
> - syslog(LOG_DEBUG, "%s: getting service ticket for %s", __func__,
> - principal);
> + syslog(LOG_DEBUG, "%s: getting service ticket for %s", __func__, host);
>
> /* get a kerberos ticket for the service and extract the session key */
> - retval = cifs_krb5_get_req(principal, ccname, &tkt, sess_key);
> + retval = cifs_krb5_get_req(host, ccname, &tkt, sess_key);
> if (retval) {
> syslog(LOG_DEBUG, "%s: failed to obtain service ticket (%d)",
> __func__, retval);
> @@ -782,7 +782,6 @@ int main(const int argc, char *const argv[])
> int c, try_dns = 0, legacy_uid = 0;
> char *buf, *ccname = NULL;
> char hostbuf[NI_MAXHOST], *host;
> - char princ[NI_MAXHOST + 5]; /* 5 == len of "cifs/" */
> struct decoded_args arg;
> const char *oid;
> uid_t uid;
> @@ -921,29 +920,23 @@ int main(const int argc, char *const argv[])
>
> retry_new_hostname:
> lowercase_string(host);
> - /* try "cifs/hostname" first */
> - rc = snprintf(princ, sizeof(princ), "cifs/%s", host);
> - if (rc < 0 || (size_t)rc >= sizeof(princ)) {
> - syslog(LOG_ERR,"Unable to set hostname %s in buffer.", host);
> - goto out;
> - }
> -
> - rc = handle_krb5_mech(oid, princ, &secblob, &sess_key, ccname);
> + rc = handle_krb5_mech(oid, host, &secblob, &sess_key, ccname);
> if (!rc)
> break;
>
> /*
> - * If hostname has a '.', assume it's a FQDN, otherwise we want to
> - * guess the domainname.
> + * If hostname has a '.', assume it's a FQDN, otherwise we
> + * want to guess the domainname.
> */
> if (!strchr(host, '.')) {
> struct addrinfo hints;
> struct addrinfo *ai;
> char *domainname;
> + char fqdn[NI_MAXHOST];
>
> /*
> - * use getaddrinfo() to resolve the hostname of the server
> - * and set ai_canonname.
> + * use getaddrinfo() to resolve the hostname of the
> + * server and set ai_canonname.
> */
> memset(&hints, 0, sizeof(hints));
> hints.ai_family = AF_UNSPEC;
> @@ -963,16 +956,16 @@ retry_new_hostname:
> break;
> }
> lowercase_string(domainname);
> - rc = snprintf(princ, sizeof(princ), "cifs/%s%s",
> + rc = snprintf(fqdn, sizeof(fqdn), "%s%s",
> host, domainname);
> freeaddrinfo(ai);
> - if (rc < 0 || (size_t)rc >= sizeof(princ)) {
> + if (rc < 0 || (size_t)rc >= sizeof(fqdn)) {
> syslog(LOG_ERR, "Problem setting hostname in string: %ld", rc);
> rc = -EINVAL;
> break;
> }
>
> - rc = handle_krb5_mech(oid, princ, &secblob, &sess_key, ccname);
> + rc = handle_krb5_mech(oid, fqdn, &secblob, &sess_key, ccname);
> if (!rc)
> break;
> }
Merged...
--
Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2012-03-29 13:49 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-03-28 11:42 [PATCH] cifs.upcall: use krb5_sname_to_principal to construct principal name Jeff Layton
[not found] ` <1332934967-1768-1-git-send-email-jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
2012-03-29 13:49 ` Jeff Layton
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.