search for: krb5_error_code

...6-pc-linux-gnu LIBREPLACE_LOCATION_CHECKS: START LIBREPLACE_LOCATION_CHECKS: END LIBREPLACE_CC_CHECKS: START checking for gcc... gcc checking whether the C compiler works... yes checking for C compiler default output file name... a.out ... ... ... checking for krb5_addresses type... no checking for krb5_error_code krb5_enctype_to_string(krb5_context context, krb5_enctype enctype, char **str)... no checking for krb5_error_code krb5_enctype_to_string(krb5_enctype enctype, char *str, size_t len)... yes checking for krb5_principal_get_realm... no checking for krb5_princ_realm... yes checking for KRB5_PDU_NONE de...

...h/auth-krb5.c,v retrieving revision 1.25 diff -u -r1.25 auth-krb5.c --- auth-krb5.c 11 Sep 2004 13:32:09 -0000 1.25 +++ auth-krb5.c 6 Jul 2005 10:31:51 -0000 @@ -67,9 +67,6 @@ #ifndef HEIMDAL krb5_creds creds; krb5_principal server; - char ccname[40]; - int tmpfd; - mode_t old_umask; #endif krb5_error_code problem; krb5_ccache ccache = NULL; @@ -146,28 +143,7 @@ goto out; } - snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid()); - - old_umask = umask(0177); - tmpfd = mkstemp(ccname + strlen("FILE:")); - umask(old_umask); - if (tmpfd == -1) { - logit(&qu...

...lib -R/usr/local/kerberos/lib -R/usr/local/Be rkeleyDB.4.1/lib -R/usr/local/openssl/lib'\" I get the following error trying to compile libads/kerberos_verify.c "libads/kerberos_verify.c", line 77: improper member use: keyblock The relevant code below looks okay to me static krb5_error_code create_keytab(krb5_context context, krb5_principal host_princ, char *host_princ_s, krb5_data password, krb5_enctype *enctypes,...

..._kdc_as_rep () #4 0x00000000005922ec in kdc_as_req () #5 0x000000000059258e in krb5_kdc_process_krb5_request () #6 0x00000000005fc1dc in kdc_process () #7 0x00000000005fc4bb in kdc_tcp_call_loop () ... Looking at the code, the error is quite easy to find: source4/kdc/wdc-samba4.c: krb5_error_code samba_wdc_get_pac() calls 1.) source4/kdc/pac-glue.c: samba_kdc_get_pac_blob() /* The user account may be set not to want the PAC */ ... *_pac_blob = NULL; and then calls 2. source4/kdc/pac-glue.c: samba_make_krb5_pac() which tries to use uninitalized "pac_blob" an...

...gt; LIBREPLACE_LOCATION_CHECKS: END > LIBREPLACE_CC_CHECKS: START > checking for gcc... gcc > checking whether the C compiler works... yes > checking for C compiler default output file name... a.out > ... > ... > ... > checking for krb5_addresses type... no > checking for krb5_error_code krb5_enctype_to_string(krb5_context context, krb5_enctype enctype, char **str)... no > checking for krb5_error_code krb5_enctype_to_string(krb5_enctype enctype, char *str, size_t len)... yes > checking for krb5_principal_get_realm... no > checking for krb5_princ_realm... yes > checking...

...h-krb5.c Thu Oct 30 15:02:44 2003 @@ -34,6 +34,7 @@ #include "ssh1.h" #include "packet.h" #include "xmalloc.h" +#include "canohost.h" #include "log.h" #include "servconf.h" #include "uidswap.h" @@ -71,12 +72,23 @@ #endif krb5_error_code problem; krb5_ccache ccache = NULL; + char localname[MAXHOSTNAMELEN]; + char *socketname; if (authctxt->pw == NULL) return (0); temporarily_use_uid(authctxt->pw); + socketname = get_local_name(packet_get_connection_in()); + if (socketname) { + strlcpy(localname, socketname, MAXHO...

First thing - I'd like to say a big "THANK YOU" to the developers. I just upgraded to samba-3.0.23 and I've noticed an alarming issue with respect to my configuration. I've been using the built-in keytab management and it looks like the updated code no longer creates the userPrincipal in Active Directory. Whether this is an issue for others or not, it would be nice to have

...nBSD: auth-krb5.c,v 1.10 2002/11/21 23:03:51 deraadt Exp $"); +RCSID("$OpenBSD: auth-krb5.c,v 1.11 2003/07/16 15:02:06 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -208,6 +208,7 @@ int auth_krb5_password(Authctxt *authctxt, const char *password) { krb5_error_code problem; + krb5_ccache ccache = NULL; if (authctxt->pw == NULL) return (0); @@ -223,30 +224,46 @@ auth_krb5_password(Authctxt *authctxt, c if (problem) goto out; - problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, - &authctxt->krb5_fwd_ccache); + proble...

...Thanks & regards, Senthil Kumar. Test Program: /* Senthil test program for Kerberos */ /* To compile cc -o check_valid Test_krb5.c -lkrb5 */ /* To run ./check_valid <username> <kerberos passwd> */ #include <stdio.h> #include <krb5.h> int main(int argc,char **argv) { krb5_error_code problem; krb5_context context=NULL; krb5_principal client = NULL; krb5_creds creds; char *str=argv[1]; char *mypassword=NULL; if (context == NULL) { problem = krb5_init_context(&context); if(problem) { printf("\nproblem in initialization and krb5_init_cont...

On Thu, 2017-02-09 at 14:45 -0600, Chad William Seys wrote: > Hi Jeff, > Could you look at the following mailing list posting? > > https://lists.samba.org/archive/samba/2017-February/206468.html > > It looks like cifs.upcall has changed its behavior. As described in > that post, I can mount with root / kerberos, but then cannot access with > another user who has

...yslog(LOG_DEBUG, "%s: cachename = %s\n", + __func__, cachename); + break; + } + buflen -= (len + 1); + pos += (len + 1); + } + free(buf); +out_close: + close(fd); + return cachename; +} + static krb5_ccache -get_default_cc(void) +get_existing_cc(const char *env_cachename) { krb5_error_code ret; krb5_ccache cc; + char *cachename; + + if (env_cachename) { + if (setenv(ENV_NAME, env_cachename, 1)) + syslog(LOG_DEBUG, "%s: failed to setenv %d\n", __func__, errno); + } ret = krb5_cc_default(context, &cc); if (ret) { @@ -166,6 +282,14 @@ get_default_cc(void) ret...

...found. Signed-off-by: Jeff Layton <jlayton at samba.org> --- cifs.upcall.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/cifs.upcall.c b/cifs.upcall.c index 8f146c92b4a5..dd0843e358b1 100644 --- a/cifs.upcall.c +++ b/cifs.upcall.c @@ -159,6 +159,7 @@ get_default_cc(void) { krb5_error_code ret; krb5_ccache cc; + char *cachename; ret = krb5_cc_default(context, &cc); if (ret) { @@ -166,6 +167,14 @@ get_default_cc(void) return NULL; } + ret = krb5_cc_get_full_name(context, cc, &cachename); + if (ret) { + syslog(LOG_DEBUG, "%s: krb5_cc_get_full_name failed: %...

....4p1/auth-krb5.c.krb Sun Jun 9 21:41:48 2002 +++ openssh-3.4p1/auth-krb5.c Tue Jul 23 15:15:43 2002 @@ -73,18 +73,17 @@ * from the ticket */ int -auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client) +auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *reply) { krb5_error_code problem; krb5_principal server; - krb5_data reply; krb5_ticket *ticket; int fd, ret; ret = 0; server = NULL; ticket = NULL; - reply.length = 0; + reply->length = 0; problem = krb5_init(authctxt); if (problem) @@ -131,7 +130,7 @@ /* if client wants mutual auth */ problem...

Third respin of this series. Reordered for better safety for bisecting. The environment scraping is now on by default, but can be disabled with "-E" in environments where it's not needed. Also, I've added a patch to make cifs.upcall drop capabilities before doing most of its work. This may help reduce the attack surface of the program. Jeff Layton (4): cifs.upcall: convert

...- ENV_PREFIX_LEN); + syslog(LOG_DEBUG, "%s: cachename = %s\n", __func__, cachename); + break; + } + buflen -= (len + 1); + pos += (len + 1); + } + free(buf); +out_close: + close(fd); + return cachename; +} + static krb5_ccache -get_default_cc(void) +get_existing_cc(pid_t pid) { krb5_error_code ret; krb5_ccache cc; - char *cachename; + char *cachename = NULL; + + cachename = get_cachename_from_process_env(pid); + if (cachename) { + if (setenv(ENV_NAME, cachename, 1)) + syslog(LOG_DEBUG, "%s: failed to setenv %d\n", __func__, errno); + free(cachename); + } ret = krb5_cc...

Small respin of the patches that I posted a few days ago. The main difference is the reordering of the series to make it do the group and grouplist manipulation first, and then the patch that makes it grab the KRB5CCNAME from the initiating process. I think the code is sound, my main question is whether we really need the command-line switch for this. Should this just be the default mode of

Apologies for v3 series, I had some extra patches in there. This is the one that should have been sent. Relabeled as v4 for clarity. Third respin of this series. Reordered for better safety for bisecting. The environment scraping is now on by default, but can be disabled with "-E" in environments where it's not needed. Also, I've added a patch to make cifs.upcall drop

...g.h" +#include "servconf.h" + +#include "ssh-gss.h" + +extern ServerOptions options; + +#include <krb5.h> + +static krb5_context krb_context = NULL; + +/* Initialise the krb5 library, for the stuff that GSSAPI won't do */ + +static int +ssh_gssapi_krb5_init() +{ + krb5_error_code problem; + + if (krb_context != NULL) + return 1; + + problem = krb5_init_context(&krb_context); + if (problem) { + logit("Cannot initialize krb5 context"); + return 0; + } + krb5_init_ets(krb_context); + + return 1; +} + +/* Check if this user is OK to login. This only works with...

If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |

...b5_keytab_entry... no checking for magic in krb5_address... yes checking for WRFILE: keytab support... yes checking for krb5_princ_realm returns krb5_realm or krb5_data... no checking for krb5_addresses type... no checking whether krb5_mk_error takes 3 arguments MIT or 9 Heimdal... yes checking for krb5_error_code krb5_enctype_to_string(krb5_context context, krb5_enctype enctype, char **str)... no checking for krb5_error_code krb5_enctype_to_string(krb5_enctype enctype, char *str, size_t len)... yes checking for krb5_principal_get_realm... no checking for krb5_princ_realm... yes checking whether Active Dir...