[OpenAFS-devel] FW: Fix broken krb5 support, add support for krb5 w/ afs, small patch
Neulinger, Nathan
nneul@umr.edu
Fri, 8 Mar 2002 12:46:22 -0600
FYI, in case this is useful to anyone on here. I finally got around to
looking at versions of samba more recent than 2.0.x.
-- Nathan
------------------------------------------------------------
Nathan Neulinger EMail: nneul@umr.edu
University of Missouri - Rolla Phone: (573) 341-4841
Computing Services Fax: (573) 341-4216
-----Original Message-----
From: Neulinger, Nathan=20
Sent: Friday, March 08, 2002 12:43 PM
To: samba-patches@samba.org
Subject: Fix broken krb5 support, add support for krb5 w/ afs, small
patch
This patch fixes the broken krb5 support in samba, and adds support for
krb5'ized AFS (aklog).
It also makes the AFS support clean up tokens when smbd exits, since by
default it will accumulate tokens endlessly on some platforms.
-- Nathan
------------------------------------------------------------
Nathan Neulinger EMail: nneul@umr.edu
University of Missouri - Rolla Phone: (573) 341-4841
Computing Services Fax: (573) 341-4216
diff --exclude=3Dconfigure -ur samba-2.2.3a-orig/source/configure.in
samba-2.2.3a/source/configure.in
--- samba-2.2.3a-orig/source/configure.in Wed Feb 6 20:56:47 2002
+++ samba-2.2.3a/source/configure.in Fri Mar 8 12:31:38 2002
@@ -1768,7 +1768,10 @@
AC_ARG_WITH(krb4,
[ --with-krb4=3Dbase-dir Include Kerberos IV support =
(default=3Dno)],
[ case "$withval" in
- yes)
+ no)
+ AC_MSG_RESULT(no)
+ ;;
+ *)
AC_MSG_RESULT(yes)
AC_DEFINE(KRB4_AUTH)
AC_CHECK_LIB(resolv, dn_expand)
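Review bot: A bare `--with-krb4` sets `$withval` to `yes`, which now falls into the new `*)` arm, so the `$withval/include` and `$withval/lib` lines (visible as context in the next hunk) expand to `-Iyes/include` and `-Lyes/lib`. The same applies to the `*)` arm added for `--with-krb5` in the @@ -1789 hunk. Consider a separate `yes)` arm that enables the feature without appending the paths, or one that stops with `AC_MSG_ERROR` asking for a base directory. The rest of the case body lies outside this hunk.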
@@ -1776,9 +1779,6 @@
CFLAGS=3D"$CFLAGS -I$withval/include"
LDFLAGS=3D"$LDFLAGS -L$withval/lib"
;;
- *)
- AC_MSG_RESULT(no)
- ;;
esac ],
AC_MSG_RESULT(no)
)
@@ -1789,19 +1789,56 @@
AC_ARG_WITH(krb5,
[ --with-krb5=3Dbase-dir Include Kerberos 5 support =
(default=3Dno)],
[ case "$withval" in
- yes)
+ no)
+ AC_MSG_RESULT(no)
+ ;;
+ *)
AC_MSG_RESULT(yes)
AC_DEFINE(KRB5_AUTH)
- LIBS=3D"$LIBS -ldes425 -lkrb5 -lcrypto -lcom_err"
+ AC_CHECK_LIB(resolv, dn_expand)
+ LIBS=3D"$LIBS -ldes425 -lkrb5 -lk5crypto -lcom_err"
CFLAGS=3D"$CFLAGS -I$withval/include"
LDFLAGS=3D"$LDFLAGS -L$withval/lib"
;;
- *)
- AC_MSG_RESULT(no)
- ;;
esac ],
AC_MSG_RESULT(no)
)
+
+#################################################
+# check for AFS+Kerberos 5 (also need --with-krb5)
+AC_MSG_CHECKING(whether to use Kerberos 5+AFS)
+AC_ARG_WITH(krb5afs,
+[ --with-krb5afs=3Dafs-base-dir Include Kerberos 5+AFS support
+ --without-krb5afs Don't include Kerberos 5+AFS support
(default)],
+[ =20
+ if test "x$withval" !=3D x; then
+ AC_MSG_RESULT(yes)
+ AC_DEFINE(KRB5AFS_AUTH)
+ LIBS=3D"$LIBS -lsys -lrx -llwp -lauth $withval/lib/afs/util.a"
+ LDFLAGS=3D"$LDFLAGS -L$withval/lib -L$withval/lib/afs"
+ else
+ AC_MSG_RESULT(no)
+ fi ],
+ AC_MSG_RESULT(no)
+)
+
+##################################################
+# check for path to aklog
+AC_ARG_WITH(aklog,
+[ --with-aklog=3Dfile Path to aklog for use with --with-krb5afs],
+[ AC_MSG_CHECKING(for aklog)
+ if test "x$withval" !=3D x; then
+ PATH_AKLOG=3D"$withval"
+ AC_MSG_RESULT($withval)
+ else
+ AC_MSG_RESULT(not found)
+ fi
+],
+[
+ AC_PATH_PROG(PATH_AKLOG, aklog, no)
+])
+AC_DEFINE_UNQUOTED(PATH_AKLOG, "$PATH_AKLOG")
+
=20
#################################################
# check for automount support
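Review bot: `--without-krb5afs` sets `$withval` to `no`, which is non-empty, so the `test "x$withval" != x` guard in the new `krb5afs` block still defines `KRB5AFS_AUTH` and links against `no/lib/afs/util.a`. The guard should reject `no` explicitly, e.g. `if test "x$withval" != x && test "x$withval" != xno; then`. Separately, `AC_PATH_PROG(PATH_AKLOG, aklog, no)` falls back to the literal `no`, and `AC_DEFINE_UNQUOTED(PATH_AKLOG, "$PATH_AKLOG")` runs unconditionally, so a build without aklog compiles in `"no"` (or `""` for an empty `--with-aklog`) as the program that pass_check.c later passes to `system()`. When `KRB5AFS_AUTH` is enabled, configure should stop with `AC_MSG_ERROR` unless `PATH_AKLOG` is an absolute path to an existing file.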
diff --exclude=3Dconfigure -ur
samba-2.2.3a-orig/source/include/config.h.in
samba-2.2.3a/source/include/config.h.in
--- samba-2.2.3a-orig/source/include/config.h.in Mon Feb 4
21:36:59 2002
+++ samba-2.2.3a/source/include/config.h.in Fri Mar 8 12:12:26 2002
@@ -159,6 +159,8 @@
#undef HAVE_UINT32_FROM_RPC_RPC_H
#undef KRB4_AUTH
#undef KRB5_AUTH
+#undef KRB5AFS_AUTH
+#undef PATH_AKLOG
#undef SEEKDIR_RETURNS_VOID
#undef HAVE_DIRENT_D_OFF
#undef HAVE_GETSPNAM
diff --exclude=3Dconfigure -ur
samba-2.2.3a-orig/source/passdb/pass_check.c
samba-2.2.3a/source/passdb/pass_check.c
--- samba-2.2.3a-orig/source/passdb/pass_check.c Sat Feb 2
18:46:48 2002
+++ samba-2.2.3a/source/passdb/pass_check.c Fri Mar 8 12:35:25 2002
@@ -29,6 +29,16 @@
static fstring this_salt;
static fstring this_crypted;
=20
+#if defined(WITH_AFS) || defined(KRB5AFS_AUTH)
+/*******************************************************************
+clean up AFS tokens so they don't get left around after we exit
+********************************************************************/
+void cleanup_afs_tokens(void)
+{
+ ktc_ForgetAllTokens();
+}
+#endif
+
#ifdef WITH_AFS
=20
#include <afs/stds.h>
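Review bot: `cleanup_afs_tokens()` calls `ktc_ForgetAllTokens()` above the AFS includes shown in this hunk, and those includes sit inside `#ifdef WITH_AFS`, so a build with only `KRB5AFS_AUTH` defined appears to call it with no prototype in scope. That holds unless a header included earlier in the file already declares it, which is not visible here. I would include the AFS header that declares it under the same `#if defined(WITH_AFS) || defined(KRB5AFS_AUTH)` guard, before the function (`<afs/auth.h>` in OpenAFS trees; confirm for the AFS version being targeted). The helper is only referenced from this file in the patch, so `static void cleanup_afs_tokens(void)` would keep it out of the global namespace. A one-line comment noting that it runs from `atexit()` and drops every token in the current PAG would also help.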
@@ -45,6 +55,11 @@
/* For versions of AFS prior to 3.3, this routine has few
arguments, */
/* but since I can't find the old documentation... :-)
*/
setpag();
+
+ /* Make sure we clean up tokens when we exit */
+ atexit(cleanup_afs_tokens);
+
+ /* Check password */
if (ka_UserAuthenticateGeneral
(KA_USERAUTH_VERSION + KA_USERAUTH_DOSETPAG, user, (char
*)0, /* instance */
(char *)0, /* cell */
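Review bot: `atexit(cleanup_afs_tokens)` is registered on every call of this password-check routine and its return value is ignored, so a process that checks more than one password adds a handler each time, and C only guarantees room for 32 registrations. Guard it so it registers once, e.g. `static int cleanup_registered; if (!cleanup_registered && atexit(cleanup_afs_tokens) == 0) cleanup_registered = 1;`. The same unguarded call is added in the `KRB5AFS_AUTH` block of the @@ -391 hunk. Note also that `atexit` handlers do not run when the process ends through `_exit()` or a fatal signal, so tokens can still be left behind on those paths. The enclosing function starts and ends outside this hunk.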
@@ -391,10 +406,26 @@
krb5_preauthtype *preauth =3D NULL;
krb5_keytab keytab =3D NULL;
krb5_timestamp now;
+#ifdef KRB5AFS_AUTH
krb5_ccache ccache =3D NULL;
+#endif
int retval;
char *name;
=20
+#ifdef KRB5AFS_AUTH
+ static char ccname[100];
+=09
+ /* Use a ccache so we can run aklog */
+ snprintf(ccname, 100, "KRB5CCNAME=3D/tmp/krb5cc_samba_%d_p%d",
getuid(), getpid());
+ putenv(ccname);
+
+ /* Create a new PAG */
+ setpag();
+
+ /* Make sure we clean up tokens when we exit */
+ atexit(cleanup_afs_tokens);
+#endif
+
if (retval =3D krb5_init_context(&kcontext))
{
return (False);
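Review bot: The credential cache name built in the `KRB5AFS_AUTH` block, `/tmp/krb5cc_samba_%d_p%d`, is fully predictable from the uid and pid and lives in a world-writable directory. Another local user could therefore create that name (or a symlink at it) before `krb5_cc_initialize()` writes the authenticating user's TGT to it. Prefer a directory that only smbd can write to, or create the file with `mkstemp()` and put the resulting name into `KRB5CCNAME`. The return value of `setpag()` is also ignored here. If it can fail on the target platform, the tokens that aklog obtains would presumably end up in whatever PAG the process already had, so check it and fail the login. The enclosing function begins and continues outside this hunk.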
@@ -405,10 +436,12 @@
return (False);
}
=20
+#ifdef KRB5AFS_AUTH
if (retval =3D krb5_cc_default(kcontext, &ccache))
{
return (False);
}
+#endif
=20
if (retval =3D krb5_parse_name(kcontext, user, &kprinc))
{
@@ -436,6 +469,13 @@
return (False);
}
=20
+#ifdef KRB5AFS_AUTH
+ if ((retval =3D krb5_cc_initialize(kcontext, ccache, kprinc)) ) {
+ krb5_cc_destroy(kcontext, ccache);
+ return(False);
+ }
+#endif
+
kcreds.server =3D server;
=20
retval =3D krb5_get_in_tkt_with_password(kcontext,
@@ -443,12 +483,27 @@
addrs,
NULL,
preauth,
- password, 0, &kcreds, 0);
+ password,
+#ifdef KRB5AFS_AUTH
+ ccache,
+#else
+ 0,
+#endif
+ &kcreds,
+ 0);
=20
if (retval)
{
+#ifdef KRB5AFS_AUTH
+ krb5_cc_destroy(kcontext, ccache);
+#endif
return (False);
}
+
+#ifdef KRB5AFS_AUTH
+ system(PATH_AKLOG);
+ krb5_cc_destroy(kcontext, ccache);
+#endif
=20
return (True);
}
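Review bot: The result of `system(PATH_AKLOG)` near the end of this hunk is discarded, so the function returns `True` even when aklog could not be started or exited with an error, and the session proceeds without an AFS token. `system()` also runs the command through the shell with smbd's inherited environment, which is unnecessary for a fixed program path and widens what can influence a call made from a privileged daemon. I would run aklog directly with `fork`/`execl`, wait for it and check the exit status, as sketched below. Whether an aklog failure should fail the login or only be logged is a policy choice, and smbd's existing SIGCHLD handling should be checked so that it does not reap the child first. The start of the enclosing function is outside this hunk.

```c
#ifdef KRB5AFS_AUTH
	{
		/* run aklog directly (no shell) and require a clean exit */
		int status = -1;
		pid_t pid = fork();

		if (pid == 0) {
			execl(PATH_AKLOG, PATH_AKLOG, (char *)NULL);
			_exit(127);	/* exec failed */
		}
		if (pid < 0 || waitpid(pid, &status, 0) != pid ||
		    !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
			krb5_cc_destroy(kcontext, ccache);
			return (False);
		}
	}
	krb5_cc_destroy(kcontext, ccache);
#endif
	/* ... unchanged: return (True) ... */
```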