diff options
| author | Volker Lendecke <vlendec@samba.org> | 2004-05-02 12:13:36 +0000 |
|---|---|---|
| committer | Volker Lendecke <vlendec@samba.org> | 2004-05-02 12:13:36 +0000 |
| commit | 9e3bb76c573b7e54a99b83afcf2f418ded6f804a (patch) | |
| tree | 5113e78f9d7cf0e7283017205181f8addc42d224 | |
| parent | 9dfac75a44da72732c397ca9fb56b29f347d3ffe (diff) | |
| download | samba-9e3bb76c573b7e54a99b83afcf2f418ded6f804a.tar.gz | |
r450: Two AFS-related things:
Split off the non-crypto related parts of lib/afs.c into
lib/afs_settoken.c. This makes wbinfo link without -lcrypto.
Commit vfs_afsacl.c, display & set AFS acls via the NT security editor.
Volker
| -rw-r--r-- | source/Makefile.in | 15 | ||||
| -rw-r--r-- | source/configure.in | 27 | ||||
| -rw-r--r-- | source/lib/afs.c | 232 |
3 files changed, 39 insertions, 235 deletions
diff --git a/source/Makefile.in b/source/Makefile.in index 2fbea27db05..d1007e4e484 100644 --- a/source/Makefile.in +++ b/source/Makefile.in @@ -328,6 +328,7 @@ VFS_READONLY_OBJ = modules/vfs_readonly.o modules/getdate.o VFS_CAP_OBJ = modules/vfs_cap.o VFS_EXPAND_MSDFS_OBJ = modules/vfs_expand_msdfs.o VFS_SHADOW_COPY_OBJ = modules/vfs_shadow_copy.o +VFS_AFSACL_OBJ = modules/vfs_afsacl.o PLAINTEXT_AUTH_OBJ = auth/pampass.o auth/pass_check.o @@ -370,6 +371,7 @@ SMBD_OBJ_SRV = smbd/files.o smbd/chgpasswd.o smbd/connection.o \ lib/sysquotas_xfs.o lib/sysquotas_4A.o \ smbd/change_trust_pw.o smbd/fake_file.o \ smbd/quotas.o smbd/ntquotas.o lib/afs.o smbd/msdfs.o \ + lib/afs_settoken.o \ $(MANGLE_OBJ) @VFS_STATIC@ SMBD_OBJ_BASE = $(PARAM_OBJ) $(SMBD_OBJ_SRV) $(LIBSMB_OBJ) \ @@ -523,7 +525,8 @@ NET_OBJ = $(NET_OBJ1) $(PARAM_OBJ) $(SECRETS_OBJ) $(LIBSMB_OBJ) \ $(KRBCLIENT_OBJ) $(UBIQX_OBJ) $(LIB_NONSMBD_OBJ) \ $(LIBMSRPC_OBJ) $(IDMAP_OBJ) \ $(LIBADS_OBJ) $(LIBADS_SERVER_OBJ) $(POPT_LIB_OBJ) \ - $(SMBLDAP_OBJ) $(DCUTIL_OBJ) lib/dummyroot.o lib/server_mutex.o lib/afs.o + $(SMBLDAP_OBJ) $(DCUTIL_OBJ) lib/dummyroot.o lib/server_mutex.o \ + lib/afs.o lib/afs_settoken.o CUPS_OBJ = client/smbspool.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(UBIQX_OBJ) \ $(LIB_NONSMBD_OBJ) $(KRBCLIENT_OBJ) $(SECRETS_OBJ) @@ -647,10 +650,11 @@ WINBINDD_OBJ = \ $(LIBSMB_OBJ) $(LIBMSRPC_OBJ) $(RPC_PARSE_OBJ) \ $(PROFILE_OBJ) $(SLCACHE_OBJ) $(SMBLDAP_OBJ) \ $(SECRETS_OBJ) $(LIBADS_OBJ) $(KRBCLIENT_OBJ) $(POPT_LIB_OBJ) \ - $(DCUTIL_OBJ) $(IDMAP_OBJ) lib/dummyroot.o lib/afs.o + $(DCUTIL_OBJ) $(IDMAP_OBJ) lib/dummyroot.o \ + lib/afs.o lib/afs_settoken.o WBINFO_OBJ = nsswitch/wbinfo.o $(LIBSAMBA_OBJ) $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \ - $(UBIQX_OBJ) $(SECRETS_OBJ) $(POPT_LIB_OBJ) lib/afs.o + $(UBIQX_OBJ) $(SECRETS_OBJ) $(POPT_LIB_OBJ) lib/afs_settoken.o WINBIND_NSS_OBJ = nsswitch/wb_common.o lib/replace1.o @WINBIND_NSS_EXTRA_OBJS@ @@ -1203,6 +1207,11 @@ bin/config_ldap.@SHLIBEXT@: $(CONFIG_LDAP_OBJ:.o=.@PICSUFFIX@) @$(SHLD) $(LDSHFLAGS) -o $@ $(CONFIG_LDAP_OBJ:.o=.@PICSUFFIX@) \ @SMBLDAP@ @LDAP_LIBS@ @SONAMEFLAG@`basename $@` +bin/afsacl.@SHLIBEXT@: $(VFS_AFSACL_OBJ:.o=.po) + @echo "Building plugin $@" + @$(SHLD) $(LDSHFLAGS) -o $@ $(VFS_AFSACL_OBJ:.o=.po) \ + @SONAMEFLAG@`basename $@` + bin/wbinfo@EXEEXT@: $(WBINFO_OBJ) @BUILD_POPT@ bin/.dummy @echo Linking $@ @$(LINK) -o $@ $(WBINFO_OBJ) $(LIBS) @POPTLIBS@ diff --git a/source/configure.in b/source/configure.in index ce8de1460bd..f23f60626a7 100644 --- a/source/configure.in +++ b/source/configure.in @@ -2378,13 +2378,31 @@ if test x"$samba_cv_WITH_AFS" != x"no" || fi fi -if test x"$samba_cv_WITH_FAKE_KASERVER" != x"no"; then - AC_CHECK_LIB( crypto, DES_pcbc_encrypt, LIBS="$LIBS -lcrypto" ) -fi - if test x"$samba_cv_WITH_FAKE_KASERVER" != x"no" && test x"$have_afs_headers" == x"yes"; then AC_DEFINE(WITH_FAKE_KASERVER,1,[Whether to include AFS fake-kaserver support]) fi + +################################################# +# check whether to compile AFS/NT ACL mapping module +samba_cv_WITH_VFS_AFSACL=no +AC_MSG_CHECKING(whether to use AFS fake-kaserver) +AC_ARG_WITH(vfs-afsacl, +[ --with-vfs-afsacl Include AFS to NT ACL mapping module (default=no) ], +[ case "$withval" in + yes|auto) + AC_MSG_RESULT($withval) + samba_cv_WITH_VFS_AFSACL=yes + ;; + *) + AC_MSG_RESULT(no) + ;; + esac ], + AC_MSG_RESULT(no) +) + +if test x"$samba_cv_WITH_VFS_AFSACL" == x"yes"; then + default_shared_modules="$default_shared_modules vfs_afsacl" +fi if test x"$samba_cv_WITH_AFS" != x"no" && test x"$have_afs_headers" = x"yes"; then AC_DEFINE(WITH_AFS,1,[Whether to include AFS clear-text auth support]) @@ -4348,6 +4366,7 @@ SMB_MODULE(vfs_readonly, \$(VFS_READONLY_OBJ), "bin/readonly.$SHLIBEXT", VFS) SMB_MODULE(vfs_cap, \$(VFS_CAP_OBJ), "bin/cap.$SHLIBEXT", VFS) SMB_MODULE(vfs_expand_msdfs, \$(VFS_EXPAND_MSDFS_OBJ), "bin/expand_msdfs.$SHLIBEXT", VFS) SMB_MODULE(vfs_shadow_copy, \$(VFS_SHADOW_COPY_OBJ), "bin/shadow_copy.$SHLIBEXT", VFS) +SMB_MODULE(vfs_afsacl, \$(VFS_AFSACL_OBJ), "bin/afsacl.$SHLIBEXT", VFS) SMB_SUBSYSTEM(VFS,smbd/vfs.o) SMB_MODULE(config_ldap, param/config_ldap.o, "bin/config_ldap.$SHLIBEXT", CONFIG, [ CONFIG_LIBS="$CONFIG_LIBS $LDAP_LIBS" "$SMBLDAP" ]) diff --git a/source/lib/afs.c b/source/lib/afs.c index ce972ec27b7..0830a3a0e7f 100644 --- a/source/lib/afs.c +++ b/source/lib/afs.c @@ -29,12 +29,6 @@ #include <asm/unistd.h> #include <openssl/des.h> -_syscall5(int, afs_syscall, int, subcall, - char *, path, - int, cmd, - char *, cmarg, - int, follow); - struct ClearToken { uint32 AuthHandle; char HandShakeKey[8]; @@ -74,186 +68,6 @@ static char *afs_encode_token(const char *cell, const DATA_BLOB ticket, return result; } -static BOOL afs_decode_token(const char *string, char **cell, - DATA_BLOB *ticket, struct ClearToken *ct) -{ - DATA_BLOB blob; - struct ClearToken result_ct; - - char *s = strdup(string); - - char *t; - - if ((t = strtok(s, "\n")) == NULL) { - DEBUG(10, ("strtok failed\n")); - return False; - } - - *cell = strdup(t); - - if ((t = strtok(NULL, "\n")) == NULL) { - DEBUG(10, ("strtok failed\n")); - return False; - } - - if (sscanf(t, "%u", &result_ct.AuthHandle) != 1) { - DEBUG(10, ("sscanf AuthHandle failed\n")); - return False; - } - - if ((t = strtok(NULL, "\n")) == NULL) { - DEBUG(10, ("strtok failed\n")); - return False; - } - - blob = base64_decode_data_blob(t); - - if ( (blob.data == NULL) || - (blob.length != sizeof(result_ct.HandShakeKey) )) { - DEBUG(10, ("invalid key: %x/%d\n", (uint32)blob.data, - blob.length)); - return False; - } - - memcpy(result_ct.HandShakeKey, blob.data, blob.length); - - data_blob_free(&blob); - - if ((t = strtok(NULL, "\n")) == NULL) { - DEBUG(10, ("strtok failed\n")); - return False; - } - - if (sscanf(t, "%u", &result_ct.ViceId) != 1) { - DEBUG(10, ("sscanf ViceId failed\n")); - return False; - } - - if ((t = strtok(NULL, "\n")) == NULL) { - DEBUG(10, ("strtok failed\n")); - return False; - } - - if (sscanf(t, "%u", &result_ct.BeginTimestamp) != 1) { - DEBUG(10, ("sscanf BeginTimestamp failed\n")); - return False; - } - - if ((t = strtok(NULL, "\n")) == NULL) { - DEBUG(10, ("strtok failed\n")); - return False; - } - - if (sscanf(t, "%u", &result_ct.EndTimestamp) != 1) { - DEBUG(10, ("sscanf EndTimestamp failed\n")); - return False; - } - - if ((t = strtok(NULL, "\n")) == NULL) { - DEBUG(10, ("strtok failed\n")); - return False; - } - - blob = base64_decode_data_blob(t); - - if (blob.data == NULL) { - DEBUG(10, ("Could not get ticket\n")); - return False; - } - - *ticket = blob; - *ct = result_ct; - - return True; -} - -/* - Put an AFS token into the Kernel so that it can authenticate against - the AFS server. This assumes correct local uid settings. - - This is currently highly Linux and OpenAFS-specific. The correct API - call for this would be ktc_SetToken. But to do that we would have to - import a REALLY big bunch of libraries which I would currently like - to avoid. -*/ - -static BOOL afs_settoken(const char *cell, - const struct ClearToken *ctok, - DATA_BLOB ticket) -{ - int ret; - struct { - char *in, *out; - uint16 in_size, out_size; - } iob; - - char buf[1024]; - char *p = buf; - int tmp; - - memcpy(p, &ticket.length, sizeof(uint32)); - p += sizeof(uint32); - memcpy(p, ticket.data, ticket.length); - p += ticket.length; - - tmp = sizeof(struct ClearToken); - memcpy(p, &tmp, sizeof(uint32)); - p += sizeof(uint32); - memcpy(p, ctok, tmp); - p += tmp; - - tmp = 0; - - memcpy(p, &tmp, sizeof(uint32)); - p += sizeof(uint32); - - tmp = strlen(cell); - if (tmp >= MAXKTCREALMLEN) { - DEBUG(1, ("Realm too long\n")); - return False; - } - - strncpy(p, cell, tmp); - p += tmp; - *p = 0; - p +=1; - - iob.in = buf; - iob.in_size = PTR_DIFF(p,buf); - iob.out = buf; - iob.out_size = sizeof(buf); - -#if 0 - file_save("/tmp/ioctlbuf", iob.in, iob.in_size); -#endif - - ret = afs_syscall(AFSCALL_PIOCTL, 0, VIOCSETTOK, (char *)&iob, 0); - - DEBUG(10, ("afs VIOCSETTOK returned %d\n", ret)); - return (ret == 0); -} - -BOOL afs_settoken_str(const char *token_string) -{ - DATA_BLOB ticket; - struct ClearToken ct; - BOOL result; - char *cell; - - if (!afs_decode_token(token_string, &cell, &ticket, &ct)) - return False; - - if (geteuid() != 0) - ct.ViceId = getuid(); - - result = afs_settoken(cell, &ct, ticket); - - SAFE_FREE(cell); - data_blob_free(&ticket); - - return result; - } - /* Create a ClearToken and an encrypted ticket. ClearToken has not yet the * ViceId set, this should be set by the caller. */ @@ -391,6 +205,7 @@ BOOL afs_login(connection_struct *conn) pstring afs_username; char *cell; BOOL result; + char *ticket_str; struct ClearToken ct; @@ -421,45 +236,11 @@ BOOL afs_login(connection_struct *conn) /* For which Unix-UID do we want to set the token? */ ct.ViceId = getuid(); - { - char *str, *new_cell; - DATA_BLOB test_ticket; - struct ClearToken test_ct; - - hex_encode(ct.HandShakeKey, sizeof(ct.HandShakeKey), &str); - DEBUG(10, ("Key: %s\n", str)); - free(str); - - str = afs_encode_token(cell, ticket, &ct); + ticket_str = afs_encode_token(cell, ticket, &ct); - if (!afs_decode_token(str, &new_cell, &test_ticket, - &test_ct)) { - DEBUG(0, ("Could not decode token")); - goto decode_failed; - } + result = afs_settoken_str(ticket_str); - if (strcmp(cell, new_cell) != 0) { - DEBUG(0, ("cell changed\n")); - } - - if ((ticket.length != test_ticket.length) || - (memcmp(ticket.data, test_ticket.data, - ticket.length) != 0)) { - DEBUG(0, ("Ticket changed\n")); - } - - if (memcmp(&ct, &test_ct, sizeof(ct)) != 0) { - DEBUG(0, ("ClearToken changed\n")); - } - - data_blob_free(&test_ticket); - - decode_failed: - SAFE_FREE(str); - SAFE_FREE(new_cell); - } - - result = afs_settoken(cell, &ct, ticket); + SAFE_FREE(ticket_str); data_blob_free(&ticket); @@ -473,11 +254,6 @@ BOOL afs_login(connection_struct *conn) return True; } -BOOL afs_settoken_str(const char *token_string) -{ - return False; -} - char *afs_createtoken_str(const char *username, const char *cell) { return False; |