authorChristian Ambach <ambi@samba.org>2014-04-14 22:11:12 +0200
committerChristian Ambach <ambi@samba.org>2014-06-04 20:09:38 +0200
commit89961ca2972b087ae4a974ce223b75263ec1ee1f (patch)
tree804c2d2b6808b2f57987bcd0bd10a3ddde5d3549 /source3
parent62b4d442b9b43d40137ba82e9d00c864ef2d1c25 (diff)
s3:lib/afs move afs.c to common lib dir
Some of the code in afs.c is needed by wbinfo, which lives in the top-level nsswitch directory, so move afs.c to a new top-level lib/afs directory. Use the name afs_funcs to avoid collisions with the afs.h header from OpenAFS. Signed-off-by: Christian Ambach <ambi@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source3')
-rw-r--r--source3/include/proto.h6
-rw-r--r--source3/lib/afs.c309
-rw-r--r--source3/smbd/service.c1
-rw-r--r--source3/utils/net_afs.c1
-rw-r--r--source3/winbindd/winbindd_pam.c1
-rwxr-xr-xsource3/wscript_build4
6 files changed, 3 insertions, 319 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h
index d401dfbef3e..14af2ad6030 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -35,12 +35,6 @@ bool allow_access(const char **deny_list,
/* The following definitions come from lib/adt_tree.c */
-
-/* The following definitions come from lib/afs.c */
-
-char *afs_createtoken_str(const char *username, const char *cell);
-bool afs_login(connection_struct *conn);
-
/* The following definitions come from lib/afs_settoken.c */
int afs_syscall(int subcall, const char *path, int cmd, char *cmarg, int follow);
diff --git a/source3/lib/afs.c b/source3/lib/afs.c
deleted file mode 100644
index 2d77526dec8..00000000000
--- a/source3/lib/afs.c
+++ /dev/null
@@ -1,309 +0,0 @@
-/*
- * Unix SMB/CIFS implementation.
- * Generate AFS tickets
- * Copyright (C) Volker Lendecke 2003
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, see <http://www.gnu.org/licenses/>.
- */
-
-#include "includes.h"
-
-#ifdef WITH_FAKE_KASERVER
-
-#define NO_ASN1_TYPEDEFS 1
-
-#include "secrets.h"
-#include "passdb.h"
-#include "auth.h"
-#include "../librpc/gen_ndr/ndr_netlogon.h"
-
-#include <afs/param.h>
-#include <afs/stds.h>
-#include <afs/afs.h>
-#include <afs/auth.h>
-#include <afs/venus.h>
-#include <asm/unistd.h>
-#include <openssl/des.h>
-
-struct ClearToken {
- uint32 AuthHandle;
- char HandShakeKey[8];
- uint32 ViceId;
- uint32 BeginTimestamp;
- uint32 EndTimestamp;
-};
-
-static char *afs_encode_token(const char *cell, const DATA_BLOB ticket,
- const struct ClearToken *ct)
-{
- char *base64_ticket;
- char *result = NULL;
-
- DATA_BLOB key = data_blob(ct->HandShakeKey, 8);
- char *base64_key;
- TALLOC_CTX *mem_ctx;
-
- mem_ctx = talloc_stackframe();
- if (mem_ctx == NULL)
- goto done;
-
- base64_ticket = base64_encode_data_blob(mem_ctx, ticket);
- if (base64_ticket == NULL)
- goto done;
-
- base64_key = base64_encode_data_blob(mem_ctx, key);
- if (base64_key == NULL)
- goto done;
-
- asprintf(&result, "%s\n%u\n%s\n%u\n%u\n%u\n%s\n", cell,
- ct->AuthHandle, base64_key, ct->ViceId, ct->BeginTimestamp,
- ct->EndTimestamp, base64_ticket);
-
- DEBUG(10, ("Got ticket string:\n%s\n", result));
-
-done:
- TALLOC_FREE(mem_ctx);
-
- return result;
-}
-
-/* Create a ClearToken and an encrypted ticket. ClearToken has not yet the
- * ViceId set, this should be set by the caller. */
-
-static bool afs_createtoken(const char *username, const char *cell,
- DATA_BLOB *ticket, struct ClearToken *ct)
-{
- fstring clear_ticket;
- char *p = clear_ticket;
- uint32 len;
- uint32 now;
-
- struct afs_key key;
- des_key_schedule key_schedule;
-
- if (!secrets_init())
- return false;
-
- if (!secrets_fetch_afs_key(cell, &key)) {
- DEBUG(1, ("Could not fetch AFS service key\n"));
- return false;
- }
-
- ct->AuthHandle = key.kvno;
-
- /* Build the ticket. This is going to be encrypted, so in our
- way we fill in ct while we still have the unencrypted
- form. */
-
- p = clear_ticket;
-
- /* The byte-order */
- *p = 1;
- p += 1;
-
- /* "Alice", the client username */
- strncpy(p, username, sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
- p += strlen(p)+1;
- strncpy(p, "", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
- p += strlen(p)+1;
- strncpy(p, cell, sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
- p += strlen(p)+1;
-
- /* Alice's network layer address. At least Openafs-1.2.10
- ignores this, so we fill in a dummy value here. */
- SIVAL(p, 0, 0);
- p += 4;
-
- /* We need to create a session key */
- generate_random_buffer((uint8_t *)p, 8);
-
- /* Our client code needs the the key in the clear, it does not
- know the server-key ... */
- memcpy(ct->HandShakeKey, p, 8);
-
- p += 8;
-
- /* This is a kerberos 4 life time. The life time is expressed
- * in units of 5 minute intervals up to 38400 seconds, after
- * that a table is used up to lifetime 0xBF. Values between
- * 0xC0 and 0xFF is undefined. 0xFF is defined to be the
- * infinite time that never expire.
- *
- * So here we cheat and use the infinite time */
- *p = 255;
- p += 1;
-
- /* Ticket creation time */
- now = time(NULL);
- SIVAL(p, 0, now);
- ct->BeginTimestamp = now;
-
- if(lp_afs_token_lifetime() == 0)
- ct->EndTimestamp = NEVERDATE;
- else
- ct->EndTimestamp = now + lp_afs_token_lifetime();
-
- if (((ct->EndTimestamp - ct->BeginTimestamp) & 1) == 1) {
- ct->BeginTimestamp += 1; /* Lifetime must be even */
- }
- p += 4;
-
- /* And here comes Bob's name and instance, in this case the
- AFS server. */
- strncpy(p, "afs", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
- p += strlen(p)+1;
- strncpy(p, "", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
- p += strlen(p)+1;
-
- /* And zero-pad to a multiple of 8 bytes */
- len = PTR_DIFF(p, clear_ticket);
- if (len & 7) {
- uint32 extra_space = 8-(len & 7);
- memset(p, 0, extra_space);
- p+=extra_space;
- }
- len = PTR_DIFF(p, clear_ticket);
-
- des_key_sched((const_des_cblock *)key.key, key_schedule);
- des_pcbc_encrypt((const unsigned char*) clear_ticket,
- (unsigned char*) clear_ticket,
- len, key_schedule, (C_Block *)key.key, 1);
-
- ZERO_STRUCT(key);
-
- *ticket = data_blob(clear_ticket, len);
-
- return true;
-}
-
-char *afs_createtoken_str(const char *username, const char *cell)
-{
- DATA_BLOB ticket;
- struct ClearToken ct;
- char *result;
-
- if (!afs_createtoken(username, cell, &ticket, &ct))
- return NULL;
-
- result = afs_encode_token(cell, ticket, &ct);
-
- data_blob_free(&ticket);
-
- return result;
-}
-
-/*
- This routine takes a radical approach completely bypassing the
- Kerberos idea of security and using AFS simply as an intelligent
- file backend. Samba has persuaded itself somehow that the user is
- actually correctly identified and then we create a ticket that the
- AFS server hopefully accepts using its KeyFile that the admin has
- kindly stored to our secrets.tdb.
-
- Thanks to the book "Network Security -- PRIVATE Communication in a
- PUBLIC World" by Charlie Kaufman, Radia Perlman and Mike Speciner
- Kerberos 4 tickets are not really hard to construct.
-
- For the comments "Alice" is the User to be auth'ed, and "Bob" is the
- AFS server. */
-
-bool afs_login(connection_struct *conn)
-{
- DATA_BLOB ticket;
- char *afs_username = NULL;
- char *cell = NULL;
- bool result;
- char *ticket_str = NULL;
- const struct dom_sid *user_sid;
- TALLOC_CTX *ctx = talloc_tos();
-
- struct ClearToken ct;
-
- afs_username = talloc_strdup(ctx,
- lp_afs_username_map());
- if (!afs_username) {
- return false;
- }
-
- afs_username = talloc_sub_advanced(ctx,
- lp_servicename(ctx, SNUM(conn)),
- conn->session_info->unix_info->unix_name,
- conn->connectpath,
- conn->session_info->unix_token->gid,
- conn->session_info->unix_info->sanitized_username,
- conn->session_info->info->domain_name,
- afs_username);
- if (!afs_username) {
- return false;
- }
-
- user_sid = &conn->session_info->security_token->sids[0];
- afs_username = talloc_string_sub(talloc_tos(),
- afs_username,
- "%s",
- sid_string_tos(user_sid));
- if (!afs_username) {
- return false;
- }
-
- /* The pts command always generates completely lower-case user
- * names. */
- if (!strlower_m(afs_username)) {
- return false;
- }
-
- cell = strchr(afs_username, '@');
-
- if (cell == NULL) {
- DEBUG(1, ("AFS username doesn't contain a @, "
- "could not find cell\n"));
- return false;
- }
-
- *cell = '\0';
- cell += 1;
-
- DEBUG(10, ("Trying to log into AFS for user %s@%s\n",
- afs_username, cell));
-
- if (!afs_createtoken(afs_username, cell, &ticket, &ct))
- return false;
-
- /* For which Unix-UID do we want to set the token? */
- ct.ViceId = getuid();
-
- ticket_str = afs_encode_token(cell, ticket, &ct);
-
- result = afs_settoken_str(ticket_str);
-
- SAFE_FREE(ticket_str);
-
- data_blob_free(&ticket);
-
- return result;
-}
-
-#else
-
-bool afs_login(connection_struct *conn)
-{
- return true;
-}
-
-char *afs_createtoken_str(const char *username, const char *cell)
-{
- return NULL;
-}
-
-#endif /* WITH_FAKE_KASERVER */
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index a9ad8477b0f..d3eabf8e360 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -30,6 +30,7 @@
#include "auth.h"
#include "lib/param/loadparm.h"
#include "messages.h"
+#include "lib/afs/afs_funcs.h"
static bool canonicalize_connect_path(connection_struct *conn)
{
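Review bot: The added `#include "lib/afs/afs_funcs.h"` on the new side of this hunk (and likewise in net_afs.c and winbindd_pam.c) makes smbd, net and winbindd consumers of a header that no longer belongs to a source3 build target, yet the only wscript_build change in this commit deletes the `LIBAFS` subsystem without adding a dependency on its replacement. The diffstat is limited to 'source3', so the new top-level lib/afs definition and the header may well be outside the shown range; still, the targets that contain these three files should list the new subsystem in `deps=` so the include path and the afs_login()/afs_createtoken_str() symbols resolve in every build configuration. Note that proto.h previously declared both functions unconditionally, and afs.c provided stubs when WITH_FAKE_KASERVER was not defined; the new header needs to preserve that, since canonicalize_connect_path()'s neighbours in this file are compiled regardless of that option. The function starting at the last line of this hunk continues outside it.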
diff --git a/source3/utils/net_afs.c b/source3/utils/net_afs.c
index 3c7f28242ce..44e5193c884 100644
--- a/source3/utils/net_afs.c
+++ b/source3/utils/net_afs.c
@@ -22,6 +22,7 @@
#include "utils/net_afs.h"
#include "secrets.h"
#include "system/filesys.h"
+#include "lib/afs/afs_funcs.h"
int net_afs_usage(struct net_context *c, int argc, const char **argv)
{
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 415dc79974c..65f27dfcadb 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -41,6 +41,7 @@
#include "auth/kerberos/pac_utils.h"
#include "auth/gensec/gensec.h"
#include "librpc/crypto/gse_krb5.h"
+#include "lib/afs/afs_funcs.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND
diff --git a/source3/wscript_build b/source3/wscript_build
index d319e5e7ac3..1f1b75049aa 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -472,10 +472,6 @@ bld.SAMBA3_SUBSYSTEM('LIBAFS_SETTOKEN',
source='lib/afs_settoken.c',
deps='samba-util')
-bld.SAMBA3_SUBSYSTEM('LIBAFS',
- source='lib/afs.c',
- deps='samba-util LIBAFS_SETTOKEN')
-
bld.SAMBA3_LIBRARY('smbconf',
source='''lib/smbconf/smbconf_init.c
lib/smbconf/smbconf_reg.c''',