From: Stefan Metzmacher Date: Tue, 5 Mar 2024 16:55:14 +0000 (+0100) Subject: s3:libads: finally remove unused ads_connect[_user_creds]() and related code X-Git-Tag: tdb-1.4.11~725 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fc92025ecb2c43305bde43f0c2a9856abed654c4;p=thirdparty%2Fsamba.git s3:libads: finally remove unused ads_connect[_user_creds]() and related code That was a long way, but now we're cli_credentials/gensec only :-) Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider --- diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h index 2de0377b240..23692bc7870 100644 --- a/source3/libads/ads_proto.h +++ b/source3/libads/ads_proto.h @@ -78,10 +78,6 @@ bool ads_setspn_delete(ADS_STRUCT *ads, const char *machine_name, /* The following definitions come from libads/krb5_errs.c */ -/* The following definitions come from libads/kerberos_util.c */ - -int ads_kinit_password(ADS_STRUCT *ads); - /* The following definitions come from libads/ldap.c */ bool ads_sitename_match(ADS_STRUCT *ads); @@ -212,9 +208,6 @@ NTSTATUS ads_simple_creds(TALLOC_CTX *mem_ctx, const char *account_name, const char *password, struct cli_credentials **_creds); -NTSTATUS ads_legacy_creds(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - struct cli_credentials **_creds); ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads, struct cli_credentials *creds); /* The following definitions come from libads/sasl_wrapping.c */ diff --git a/source3/libads/kerberos_util.c b/source3/libads/kerberos_util.c deleted file mode 100644 index 0e98c3acca6..00000000000 --- a/source3/libads/kerberos_util.c +++ /dev/null 
@@ -1,80 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
- krb5 set password implementation
- Copyright (C) Andrew Tridgell 2001
- Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com)
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see .
-*/
-
-#include "includes.h"
-#include "smb_krb5.h"
-#include "ads.h"
-#include "lib/param/loadparm.h"
-
-#ifdef HAVE_KRB5
-
-/* run kinit to setup our ccache */
-int ads_kinit_password(ADS_STRUCT *ads)
-{
- char *s;
- int ret;
- const char *account_name;
- fstring acct_name;
-
- if (ads->auth.password == NULL || ads->auth.password[0] == '\0') {
- return KRB5_LIBOS_CANTREADPWD;
- }
-
- if (ads->auth.flags & ADS_AUTH_USER_CREDS) {
- account_name = ads->auth.user_name;
- goto got_accountname;
- }
-
- if ( IS_DC ) {
- /* this will end up getting a ticket for DOMAIN@RUSTED.REA.LM */
- account_name = lp_workgroup();
- } else {
- /* always use the sAMAccountName for security = domain */
- /* lp_netbios_name()$@REA.LM */
- if ( lp_security() == SEC_DOMAIN ) {
- fstr_sprintf( acct_name, "%s$", lp_netbios_name() );
- account_name = acct_name;
- }
- else
- /* This looks like host/lp_netbios_name()@REA.LM */
- account_name = ads->auth.user_name;
- }
-
- got_accountname:
- if (asprintf(&s, "%s@%s", account_name, ads->auth.realm) == -1) {
- return KRB5_CC_NOMEM;
- }
-
- ret = kerberos_kinit_password_ext(s, ads->auth.password,
- 0,
- NULL, NULL,
- ads->auth.ccache_name, false, false,
- 0,
- NULL, NULL, NULL,
NULL); - - if (ret) { - DEBUG(0,("kerberos_kinit_password %s failed: %s\n", - s, error_message(ret))); - } - SAFE_FREE(s); - return ret; -} - -#endif diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index 86d2e813ba6..08f3a138e82 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -1203,41 +1203,6 @@ ADS_STATUS ads_connect_machine(ADS_STRUCT *ads) } /* - * Connect to the LDAP server - * @param ads Pointer to an existing ADS_STRUCT - * @return status of connection - **/ -ADS_STATUS ads_connect(ADS_STRUCT *ads) -{ - TALLOC_CTX *frame = talloc_stackframe(); - struct cli_credentials *creds = NULL; - ADS_STATUS status; - NTSTATUS ntstatus; - - ntstatus = ads_legacy_creds(ads, frame, &creds); - if (!NT_STATUS_IS_OK(ntstatus)) { - TALLOC_FREE(frame); - return ADS_ERROR_NT(ntstatus); - } - - status = ads_connect_internal(ads, creds); - TALLOC_FREE(frame); - return status; -} - -/** - * Connect to the LDAP server using given credentials - * @param ads Pointer to an existing ADS_STRUCT - * @return status of connection - **/ -ADS_STATUS ads_connect_user_creds(ADS_STRUCT *ads) -{ - ads->auth.flags |= ADS_AUTH_USER_CREDS; - - return ads_connect(ads); -} - -/** * Zero out the internal ads->ldap struct and initialize the address to zero IP. * @param ads Pointer to an existing ADS_STRUCT * diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c index 64372f08b58..efb2d880305 100644 --- a/source3/libads/sasl.c +++ b/source3/libads/sasl.c 
@@ -175,193 +175,6 @@ static const struct ads_saslwrap_ops ads_sasl_gensec_ops = { .disconnect = ads_sasl_gensec_disconnect }; -NTSTATUS ads_legacy_creds(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - struct cli_credentials **_creds) -{ - TALLOC_CTX *frame = talloc_stackframe(); - struct cli_credentials *creds = NULL; - struct loadparm_context *lp_ctx = NULL; - const char *account_name = NULL; - fstring acct_name; - enum credentials_use_kerberos krb5_state; - uint32_t gensec_features; - bool ok; - - if (ads->auth.flags & (ADS_AUTH_NO_BIND|ADS_AUTH_ANON_BIND)) { - SMB_ASSERT(!(ads->auth.flags & ADS_AUTH_USER_CREDS)); - - creds = cli_credentials_init_anon(mem_ctx); - if (creds == NULL) { - TALLOC_FREE(frame); - return NT_STATUS_NO_MEMORY; - } - talloc_steal(frame, creds); - goto done; - } - - if (ads->auth.user_name == NULL) { - /* - * Must use the userPrincipalName value here or sAMAccountName - * and not servicePrincipalName; found by Guenther Deschner - */ - ads->auth.user_name = talloc_asprintf(ads, - "%s$", - lp_netbios_name()); - if (ads->auth.user_name == NULL) { - TALLOC_FREE(frame); - return NT_STATUS_NO_MEMORY; - } - } - - if (ads->auth.realm == NULL) { - if (ads->server.realm != NULL) { - ads->auth.realm = talloc_strdup(ads, ads->server.realm); - if (ads->auth.realm == NULL) { - TALLOC_FREE(frame); - return NT_STATUS_NO_MEMORY; - } - } else { - ads->auth.realm = talloc_strdup(ads, lp_realm()); - if (ads->auth.realm == NULL) { - TALLOC_FREE(frame); - return NT_STATUS_NO_MEMORY; - } - } - } - - lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers()); - if (lp_ctx == NULL) { - DBG_ERR("loadparm_init_s3 failed\n"); - TALLOC_FREE(frame); - return NT_STATUS_INVALID_SERVER_STATE; - } - - creds = cli_credentials_init(mem_ctx); - if (creds == NULL) { - TALLOC_FREE(frame); - return NT_STATUS_NO_MEMORY; - } - talloc_steal(frame, creds); - - ok = cli_credentials_guess(creds, lp_ctx); - if (!ok) { - TALLOC_FREE(frame); - return NT_STATUS_INTERNAL_ERROR; - } - - /* - * This 
logic was taken from ads_kinit_password()
- */
- if (ads->auth.flags & ADS_AUTH_USER_CREDS) {
- account_name = ads->auth.user_name;
- } else if (IS_DC) {
- /* this will end up getting a ticket for DOMAIN@RUSTED.REA.LM */
- account_name = lp_workgroup();
- } else if (lp_security() == SEC_DOMAIN ) {
- fstr_sprintf( acct_name, "%s$", lp_netbios_name() );
- account_name = acct_name;
- } else {
- /* This looks like host/lp_netbios_name()@REA.LM */
- account_name = ads->auth.user_name;
- }
-
- ok = cli_credentials_set_username(creds,
- account_name,
- CRED_SPECIFIED);
- if (!ok) {
- TALLOC_FREE(frame);
- return NT_STATUS_NO_MEMORY;
- }
- ok = cli_credentials_set_domain(creds,
- ads->auth.realm,
- CRED_SPECIFIED);
- if (!ok) {
- TALLOC_FREE(frame);
- return NT_STATUS_NO_MEMORY;
- }
- ok = cli_credentials_set_password(creds,
- ads->auth.password,
- CRED_SPECIFIED);
- if (!ok) {
- TALLOC_FREE(frame);
- return NT_STATUS_NO_MEMORY;
- }
-
-#define __ADS_AUTH_BOTH (ADS_AUTH_ALLOW_NTLMSSP|ADS_AUTH_DISABLE_KERBEROS)
- if ((ads->auth.flags & __ADS_AUTH_BOTH) == __ADS_AUTH_BOTH) {
- krb5_state = CRED_USE_KERBEROS_DISABLED;
- } else if (ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP) {
- krb5_state = CRED_USE_KERBEROS_DESIRED;
- } else if (ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) {
- TALLOC_FREE(frame);
- return NT_STATUS_INCOMPATIBLE_DRIVER_BLOCKED;
- } else {
- krb5_state = CRED_USE_KERBEROS_REQUIRED;
- }
- cli_credentials_set_kerberos_state(creds, krb5_state, CRED_SPECIFIED);
-
- gensec_features = cli_credentials_get_gensec_features(creds);
- if (ads->auth.flags & ADS_AUTH_SASL_LDAPS) {
- gensec_features &= ~(GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL);
- } else if (ads->auth.flags & ADS_AUTH_SASL_STARTTLS) {
- gensec_features &= ~(GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL);
- } else if (ads->auth.flags & ADS_AUTH_SASL_SEAL) {
- gensec_features |= GENSEC_FEATURE_SIGN;
- gensec_features |= GENSEC_FEATURE_SEAL;
- } else if (ads->auth.flags & ADS_AUTH_SASL_SIGN) {
- gensec_features |=
GENSEC_FEATURE_SIGN; - } - cli_credentials_set_gensec_features(creds, gensec_features, CRED_SPECIFIED); - -#ifdef HAVE_KRB5 - if (krb5_state != CRED_USE_KERBEROS_DISABLED && - ads->auth.password != NULL && - ads->auth.password[0] != '\0') - { - ADS_STATUS ads_status; - const char *error_string = NULL; - int rc; - - ads->auth.flags |= ADS_AUTH_GENERATE_KRB5_CONFIG; - ads_status = ads_connect_cldap_only(ads); - ads->auth.flags &= ~ADS_AUTH_NO_BIND; - if (!ADS_ERR_OK(ads_status)) { - TALLOC_FREE(frame); - return ads_ntstatus(ads_status); - } - - rc = ads_kinit_password(ads); - if (rc == 0) { - rc = cli_credentials_set_ccache(creds, - lp_ctx, - ads->auth.ccache_name, - CRED_SPECIFIED, - &error_string); - if (rc != 0) { - ads_status = ADS_ERROR_KRB5(rc); - TALLOC_FREE(frame); - return ads_ntstatus(ads_status); - } - } else if (krb5_state == CRED_USE_KERBEROS_REQUIRED) { - /* - * Only fail if kerberos is required, - * otherwise we ignore the kinit failure - * and assume NTLMSSP will make it - */ - ads_status = ADS_ERROR_KRB5(rc); - TALLOC_FREE(frame); - return ads_ntstatus(ads_status); - } - } -#endif /* HAVE_KRB5 */ - -done: - *_creds = talloc_move(mem_ctx, &creds); - TALLOC_FREE(frame); - return NT_STATUS_OK; -} - /* perform a LDAP/SASL/SPNEGO/{NTLMSSP,KRB5} bind (just how many layers can we fit on one socket??) diff --git a/source3/librpc/idl/ads.idl b/source3/librpc/idl/ads.idl index 82b4c1fc172..381447a1a29 100644 --- a/source3/librpc/idl/ads.idl +++ b/source3/librpc/idl/ads.idl @@ -22,14 +22,11 @@ interface ads /* ads auth control flags */ typedef [public] bitmap { - ADS_AUTH_DISABLE_KERBEROS = 0x0001, ADS_AUTH_NO_BIND = 0x0002, ADS_AUTH_ANON_BIND = 0x0004, - ADS_AUTH_ALLOW_NTLMSSP = 0x0010, ADS_AUTH_SASL_SIGN = 0x0020, ADS_AUTH_SASL_SEAL = 0x0040, ADS_AUTH_SASL_FORCE = 0x0080, - ADS_AUTH_USER_CREDS = 0x0100, ADS_AUTH_SASL_STARTTLS = 0x0200, ADS_AUTH_SASL_LDAPS = 0x0400, ADS_AUTH_GENERATE_KRB5_CONFIG = 0x0800 
@@ -47,12 +44,8 @@ interface ads } ads_server; typedef [nopull,nopush] struct { - string realm; - string password; - string user_name; string kdc_server; ads_auth_flags flags; - string ccache_name; NTTIME expire_time; [ignore] struct ads_reconnect_state *reconnect_state; } ads_auth; diff --git a/source3/wscript_build b/source3/wscript_build index 8bb7f4e26d9..59b65f41239 100644 --- a/source3/wscript_build +++ b/source3/wscript_build @@ -499,7 +499,6 @@ bld.SAMBA3_LIBRARY('ads', libads/sasl_wrapping.c libads/tls_wrapping.c libads/krb5_setpw.c - libads/kerberos_util.c libads/ldap_user.c libads/ads_struct.c libads/kerberos_keytab.c