2 Unix SMB/CIFS implementation.
3 kerberos utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Nalin Dahyabhai <nalin@redhat.com> 2004.
7 Copyright (C) Jeremy Allison 2004.
8 Copyright (C) Gerald Carter 2006.
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
28 #define DEFAULT_KRB5_PORT 88
30 #define LIBADS_CCACHE_NAME "MEMORY:libads"
33 we use a prompter to avoid a crash bug in the kerberos libs when
34 dealing with empty passwords
35 this prompter is just a string copy ...
37 static krb5_error_code
38 kerb_prompter(krb5_context ctx, void *data,
42 krb5_prompt prompts[])
44 if (num_prompts == 0) return 0;
46 memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
47 if (prompts[0].reply->length > 0) {
49 strncpy(prompts[0].reply->data, (const char *)data,
50 prompts[0].reply->length-1);
51 prompts[0].reply->length = strlen(prompts[0].reply->data);
53 prompts[0].reply->length = 0;
59 static bool smb_krb5_err_io_nstatus(TALLOC_CTX *mem_ctx,
60 DATA_BLOB *edata_blob,
61 KRB5_EDATA_NTSTATUS *edata)
66 if (!mem_ctx || !edata_blob || !edata)
69 if (!prs_init(&ps, edata_blob->length, mem_ctx, UNMARSHALL))
72 if (!prs_copy_data_in(&ps, (char *)edata_blob->data, edata_blob->length))
75 prs_set_offset(&ps, 0);
77 if (!prs_ntstatus("ntstatus", &ps, 1, &edata->ntstatus))
80 if (!prs_uint32("unknown1", &ps, 1, &edata->unknown1))
83 if (!prs_uint32("unknown2", &ps, 1, &edata->unknown2)) /* only seen 00000001 here */
93 static bool smb_krb5_get_ntstatus_from_krb5_error(krb5_error *error,
97 DATA_BLOB unwrapped_edata;
99 KRB5_EDATA_NTSTATUS parsed_edata;
101 #ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
102 edata = data_blob(error->e_data->data, error->e_data->length);
104 edata = data_blob(error->e_data.data, error->e_data.length);
105 #endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */
108 dump_data(10, edata.data, edata.length);
109 #endif /* DEVELOPER */
111 mem_ctx = talloc_init("smb_krb5_get_ntstatus_from_krb5_error");
112 if (mem_ctx == NULL) {
113 data_blob_free(&edata);
117 if (!unwrap_edata_ntstatus(mem_ctx, &edata, &unwrapped_edata)) {
118 data_blob_free(&edata);
119 TALLOC_FREE(mem_ctx);
123 data_blob_free(&edata);
125 if (!smb_krb5_err_io_nstatus(mem_ctx, &unwrapped_edata, &parsed_edata)) {
126 data_blob_free(&unwrapped_edata);
127 TALLOC_FREE(mem_ctx);
131 data_blob_free(&unwrapped_edata);
134 *nt_status = parsed_edata.ntstatus;
137 TALLOC_FREE(mem_ctx);
142 static bool smb_krb5_get_ntstatus_from_krb5_error_init_creds_opt(krb5_context ctx,
143 krb5_get_init_creds_opt *opt,
147 krb5_error *error = NULL;
149 #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_GET_ERROR
150 ret = krb5_get_init_creds_opt_get_error(ctx, opt, &error);
152 DEBUG(1,("krb5_get_init_creds_opt_get_error gave: %s\n",
153 error_message(ret)));
156 #endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_GET_ERROR */
159 DEBUG(1,("no krb5_error\n"));
163 #ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
164 if (!error->e_data) {
166 if (error->e_data.data == NULL) {
167 #endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */
168 DEBUG(1,("no edata in krb5_error\n"));
169 krb5_free_error(ctx, error);
173 ret = smb_krb5_get_ntstatus_from_krb5_error(error, nt_status);
175 krb5_free_error(ctx, error);
181 simulate a kinit, putting the tgt in the given cache location. If cache_name == NULL
182 place in default cache location.
185 int kerberos_kinit_password_ext(const char *principal,
186 const char *password,
189 time_t *renew_till_time,
190 const char *cache_name,
192 bool add_netbios_addr,
193 time_t renewable_time,
196 krb5_context ctx = NULL;
197 krb5_error_code code = 0;
198 krb5_ccache cc = NULL;
199 krb5_principal me = NULL;
201 krb5_get_init_creds_opt *opt = NULL;
202 smb_krb5_addresses *addr = NULL;
204 ZERO_STRUCT(my_creds);
206 initialize_krb5_error_table();
207 if ((code = krb5_init_context(&ctx)))
210 if (time_offset != 0) {
211 krb5_set_real_time(ctx, time(NULL) + time_offset, 0);
214 DEBUG(10,("kerberos_kinit_password: as %s using [%s] as ccache and config [%s]\n",
216 cache_name ? cache_name: krb5_cc_default_name(ctx),
217 getenv("KRB5_CONFIG")));
219 if ((code = krb5_cc_resolve(ctx, cache_name ? cache_name : krb5_cc_default_name(ctx), &cc))) {
223 if ((code = smb_krb5_parse_name(ctx, principal, &me))) {
227 if ((code = smb_krb5_get_init_creds_opt_alloc(ctx, &opt))) {
231 krb5_get_init_creds_opt_set_renew_life(opt, renewable_time);
232 krb5_get_init_creds_opt_set_forwardable(opt, True);
235 krb5_get_init_creds_opt_set_tkt_life(opt, 60);
238 #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST
240 if ((code = krb5_get_init_creds_opt_set_pac_request(ctx, opt, (krb5_boolean)request_pac))) {
245 if (add_netbios_addr) {
246 if ((code = smb_krb5_gen_netbios_krb5_address(&addr))) {
249 krb5_get_init_creds_opt_set_address_list(opt, addr->addrs);
252 if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, CONST_DISCARD(char *,password),
253 kerb_prompter, CONST_DISCARD(char *,password),
258 if ((code = krb5_cc_initialize(ctx, cc, me))) {
262 if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
267 *expire_time = (time_t) my_creds.times.endtime;
270 if (renew_till_time) {
271 *renew_till_time = (time_t) my_creds.times.renew_till;
280 *ntstatus = NT_STATUS_OK;
284 /* try to get ntstatus code out of krb5_error when we have it
285 * inside the krb5_get_init_creds_opt - gd */
287 if (opt && smb_krb5_get_ntstatus_from_krb5_error_init_creds_opt(ctx, opt, &status)) {
292 /* fall back to self-made-mapping */
293 *ntstatus = krb5_to_nt_status(code);
297 krb5_free_cred_contents(ctx, &my_creds);
299 krb5_free_principal(ctx, me);
302 smb_krb5_free_addresses(ctx, addr);
305 smb_krb5_get_init_creds_opt_free(ctx, opt);
308 krb5_cc_close(ctx, cc);
311 krb5_free_context(ctx);
318 /* run kinit to setup our ccache */
319 int ads_kinit_password(ADS_STRUCT *ads)
323 const char *account_name;
327 /* this will end up getting a ticket for DOMAIN@RUSTED.REA.LM */
328 account_name = lp_workgroup();
330 /* always use the sAMAccountName for security = domain */
331 /* global_myname()$@REA.LM */
332 if ( lp_security() == SEC_DOMAIN ) {
333 fstr_sprintf( acct_name, "%s$", global_myname() );
334 account_name = acct_name;
337 /* This looks like host/global_myname()@REA.LM */
338 account_name = ads->auth.user_name;
341 if (asprintf(&s, "%s@%s", account_name, ads->auth.realm) == -1) {
342 return KRB5_CC_NOMEM;
345 if (!ads->auth.password) {
347 return KRB5_LIBOS_CANTREADPWD;
350 ret = kerberos_kinit_password_ext(s, ads->auth.password, ads->auth.time_offset,
351 &ads->auth.tgt_expire, NULL, NULL, False, False, ads->auth.renewable,
355 DEBUG(0,("kerberos_kinit_password %s failed: %s\n",
356 s, error_message(ret)));
362 int ads_kdestroy(const char *cc_name)
364 krb5_error_code code;
365 krb5_context ctx = NULL;
366 krb5_ccache cc = NULL;
368 initialize_krb5_error_table();
369 if ((code = krb5_init_context (&ctx))) {
370 DEBUG(3, ("ads_kdestroy: kdb5_init_context failed: %s\n",
371 error_message(code)));
376 if ((code = krb5_cc_default(ctx, &cc))) {
377 krb5_free_context(ctx);
381 if ((code = krb5_cc_resolve(ctx, cc_name, &cc))) {
382 DEBUG(3, ("ads_kdestroy: krb5_cc_resolve failed: %s\n",
383 error_message(code)));
384 krb5_free_context(ctx);
389 if ((code = krb5_cc_destroy (ctx, cc))) {
390 DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n",
391 error_message(code)));
394 krb5_free_context (ctx);
398 /************************************************************************
399 Routine to fetch the salting principal for a service. Active
400 Directory may use a non-obvious principal name to generate the salt
401 when it determines the key to use for encrypting tickets for a service,
402 and hopefully we detected that when we joined the domain.
403 ************************************************************************/
405 static char *kerberos_secrets_fetch_salting_principal(const char *service, int enctype)
410 if (asprintf(&key, "%s/%s/enctype=%d",
411 SECRETS_SALTING_PRINCIPAL, service, enctype) == -1) {
414 ret = (char *)secrets_fetch(key, NULL);
419 /************************************************************************
420 Return the standard DES salt key
421 ************************************************************************/
423 char* kerberos_standard_des_salt( void )
427 fstr_sprintf( salt, "host/%s.%s@", global_myname(), lp_realm() );
429 fstrcat( salt, lp_realm() );
431 return SMB_STRDUP( salt );
434 /************************************************************************
435 ************************************************************************/
437 static char* des_salt_key( void )
441 if (asprintf(&key, "%s/DES/%s", SECRETS_SALTING_PRINCIPAL,
449 /************************************************************************
450 ************************************************************************/
452 bool kerberos_secrets_store_des_salt( const char* salt )
457 if ( (key = des_salt_key()) == NULL ) {
458 DEBUG(0,("kerberos_secrets_store_des_salt: failed to generate key!\n"));
463 DEBUG(8,("kerberos_secrets_store_des_salt: deleting salt\n"));
464 secrets_delete( key );
468 DEBUG(3,("kerberos_secrets_store_des_salt: Storing salt \"%s\"\n", salt));
470 ret = secrets_store( key, salt, strlen(salt)+1 );
477 /************************************************************************
478 ************************************************************************/
480 char* kerberos_secrets_fetch_des_salt( void )
484 if ( (key = des_salt_key()) == NULL ) {
485 DEBUG(0,("kerberos_secrets_fetch_des_salt: failed to generate key!\n"));
489 salt = (char*)secrets_fetch( key, NULL );
496 /************************************************************************
497 Routine to get the default realm from the kerberos credentials cache.
498 Caller must free if the return value is not NULL.
499 ************************************************************************/
501 char *kerberos_get_default_realm_from_ccache( void )
504 krb5_context ctx = NULL;
505 krb5_ccache cc = NULL;
506 krb5_principal princ = NULL;
508 initialize_krb5_error_table();
509 if (krb5_init_context(&ctx)) {
513 DEBUG(5,("kerberos_get_default_realm_from_ccache: "
514 "Trying to read krb5 cache: %s\n",
515 krb5_cc_default_name(ctx)));
516 if (krb5_cc_default(ctx, &cc)) {
517 DEBUG(0,("kerberos_get_default_realm_from_ccache: "
518 "failed to read default cache\n"));
521 if (krb5_cc_get_principal(ctx, cc, &princ)) {
522 DEBUG(0,("kerberos_get_default_realm_from_ccache: "
523 "failed to get default principal\n"));
527 #if defined(HAVE_KRB5_PRINCIPAL_GET_REALM)
528 realm = SMB_STRDUP(krb5_principal_get_realm(ctx, princ));
529 #elif defined(HAVE_KRB5_PRINC_REALM)
531 krb5_data *realm_data = krb5_princ_realm(ctx, princ);
532 realm = SMB_STRNDUP(realm_data->data, realm_data->length);
539 krb5_free_principal(ctx, princ);
542 krb5_cc_close(ctx, cc);
545 krb5_free_context(ctx);
552 /************************************************************************
553 Routine to get the salting principal for this service. This is
554 maintained for backwards compatibilty with releases prior to 3.0.24.
555 Since we store the salting principal string only at join, we may have
556 to look for the older tdb keys. Caller must free if return is not null.
557 ************************************************************************/
559 krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context,
560 krb5_principal host_princ,
563 char *unparsed_name = NULL, *salt_princ_s = NULL;
564 krb5_principal ret_princ = NULL;
566 /* lookup new key first */
568 if ( (salt_princ_s = kerberos_secrets_fetch_des_salt()) == NULL ) {
570 /* look under the old key. If this fails, just use the standard key */
572 if (smb_krb5_unparse_name(context, host_princ, &unparsed_name) != 0) {
573 return (krb5_principal)NULL;
575 if ((salt_princ_s = kerberos_secrets_fetch_salting_principal(unparsed_name, enctype)) == NULL) {
576 /* fall back to host/machine.realm@REALM */
577 salt_princ_s = kerberos_standard_des_salt();
581 if (smb_krb5_parse_name(context, salt_princ_s, &ret_princ) != 0) {
585 SAFE_FREE(unparsed_name);
586 SAFE_FREE(salt_princ_s);
591 /************************************************************************
592 Routine to set the salting principal for this service. Active
593 Directory may use a non-obvious principal name to generate the salt
594 when it determines the key to use for encrypting tickets for a service,
595 and hopefully we detected that when we joined the domain.
596 Setting principal to NULL deletes this entry.
597 ************************************************************************/
599 bool kerberos_secrets_store_salting_principal(const char *service,
601 const char *principal)
605 krb5_context context = NULL;
606 krb5_principal princ = NULL;
607 char *princ_s = NULL;
608 char *unparsed_name = NULL;
610 krb5_init_context(&context);
614 if (strchr_m(service, '@')) {
615 if (asprintf(&princ_s, "%s", service) == -1) {
619 if (asprintf(&princ_s, "%s@%s", service, lp_realm()) == -1) {
624 if (smb_krb5_parse_name(context, princ_s, &princ) != 0) {
628 if (smb_krb5_unparse_name(context, princ, &unparsed_name) != 0) {
632 if (asprintf(&key, "%s/%s/enctype=%d",
633 SECRETS_SALTING_PRINCIPAL, unparsed_name, enctype)
638 if ((principal != NULL) && (strlen(principal) > 0)) {
639 ret = secrets_store(key, principal, strlen(principal) + 1);
641 ret = secrets_delete(key);
648 SAFE_FREE(unparsed_name);
651 krb5_free_context(context);
658 /************************************************************************
659 ************************************************************************/
661 int kerberos_kinit_password(const char *principal,
662 const char *password,
664 const char *cache_name)
666 return kerberos_kinit_password_ext(principal,
678 /************************************************************************
679 ************************************************************************/
681 static char *print_kdc_line(char *mem_ctx,
682 const char *prev_line,
683 const struct sockaddr_storage *pss)
685 char *kdc_str = NULL;
687 if (pss->ss_family == AF_INET) {
688 kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
690 print_canonical_sockaddr(mem_ctx, pss));
692 char addr[INET6_ADDRSTRLEN];
693 uint16_t port = get_sockaddr_port(pss);
695 if (port != 0 && port != DEFAULT_KRB5_PORT) {
696 /* Currently for IPv6 we can't specify a non-default
697 krb5 port with an address, as this requires a ':'.
698 Resolve to a name. */
699 char hostname[MAX_DNS_NAME_LENGTH];
700 int ret = sys_getnameinfo((const struct sockaddr *)pss,
702 hostname, sizeof(hostname),
706 DEBUG(0,("print_kdc_line: can't resolve name "
707 "for kdc with non-default port %s. "
709 print_canonical_sockaddr(mem_ctx, pss),
712 /* Success, use host:port */
713 kdc_str = talloc_asprintf(mem_ctx,
719 kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
729 /************************************************************************
730 Create a string list of available kdc's, possibly searching by sitename.
732 ************************************************************************/
734 static char *get_kdc_ip_string(char *mem_ctx,
736 const char *sitename,
737 struct sockaddr_storage *pss)
740 struct ip_service *ip_srv_site = NULL;
741 struct ip_service *ip_srv_nonsite = NULL;
744 char *kdc_str = print_kdc_line(mem_ctx, "", pss);
746 if (kdc_str == NULL) {
750 /* Get the KDC's only in this site. */
754 get_kdc_list(realm, sitename, &ip_srv_site, &count_site);
756 for (i = 0; i < count_site; i++) {
757 if (addr_equal(&ip_srv_site[i].ss, pss)) {
760 /* Append to the string - inefficient
761 * but not done often. */
762 kdc_str = print_kdc_line(mem_ctx,
766 SAFE_FREE(ip_srv_site);
774 get_kdc_list(realm, NULL, &ip_srv_nonsite, &count_nonsite);
776 for (i = 0; i < count_nonsite; i++) {
779 if (addr_equal(&ip_srv_nonsite[i].ss, pss)) {
783 /* Ensure this isn't an IP already seen (YUK! this is n*n....) */
784 for (j = 0; j < count_site; j++) {
785 if (addr_equal(&ip_srv_nonsite[i].ss,
786 &ip_srv_site[j].ss)) {
789 /* As the lists are sorted we can break early if nonsite > site. */
790 if (ip_service_compare(&ip_srv_nonsite[i], &ip_srv_site[j]) > 0) {
798 /* Append to the string - inefficient but not done often. */
799 kdc_str = print_kdc_line(mem_ctx,
801 &ip_srv_nonsite[i].ss);
803 SAFE_FREE(ip_srv_site);
804 SAFE_FREE(ip_srv_nonsite);
810 SAFE_FREE(ip_srv_site);
811 SAFE_FREE(ip_srv_nonsite);
813 DEBUG(10,("get_kdc_ip_string: Returning %s\n",
819 /************************************************************************
820 Create a specific krb5.conf file in the private directory pointing
821 at a specific kdc for a realm. Keyed off domain name. Sets
822 KRB5_CONFIG environment variable to point to this file. Must be
823 run as root or will fail (which is a good thing :-).
824 ************************************************************************/
826 bool create_local_private_krb5_conf_for_domain(const char *realm,
828 const char *sitename,
829 struct sockaddr_storage *pss)
831 char *dname = talloc_asprintf(NULL, "%s/smb_krb5", lp_lockdir());
832 char *tmpname = NULL;
834 char *file_contents = NULL;
835 char *kdc_ip_string = NULL;
839 char *realm_upper = NULL;
844 if ((mkdir(dname, 0755)==-1) && (errno != EEXIST)) {
845 DEBUG(0,("create_local_private_krb5_conf_for_domain: "
846 "failed to create directory %s. Error was %s\n",
847 dname, strerror(errno) ));
852 tmpname = talloc_asprintf(dname, "%s/smb_tmp_krb5.XXXXXX", lp_lockdir());
858 fname = talloc_asprintf(dname, "%s/krb5.conf.%s", dname, domain);
864 DEBUG(10,("create_local_private_krb5_conf_for_domain: fname = %s, realm = %s, domain = %s\n",
865 fname, realm, domain ));
867 realm_upper = talloc_strdup(fname, realm);
868 strupper_m(realm_upper);
870 kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss);
871 if (!kdc_ip_string) {
876 file_contents = talloc_asprintf(fname,
877 "[libdefaults]\n\tdefault_realm = %s\n"
878 "default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
879 "default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
880 "preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n"
881 "[realms]\n\t%s = {\n"
883 realm_upper, realm_upper, kdc_ip_string);
885 if (!file_contents) {
890 flen = strlen(file_contents);
892 fd = smb_mkstemp(tmpname);
894 DEBUG(0,("create_local_private_krb5_conf_for_domain: smb_mkstemp failed,"
895 " for file %s. Errno %s\n",
896 tmpname, strerror(errno) ));
899 if (fchmod(fd, 0644)==-1) {
900 DEBUG(0,("create_local_private_krb5_conf_for_domain: fchmod failed for %s."
902 tmpname, strerror(errno) ));
909 ret = write(fd, file_contents, flen);
911 DEBUG(0,("create_local_private_krb5_conf_for_domain: write failed,"
912 " returned %d (should be %u). Errno %s\n",
913 (int)ret, (unsigned int)flen, strerror(errno) ));
920 DEBUG(0,("create_local_private_krb5_conf_for_domain: close failed."
921 " Errno %s\n", strerror(errno) ));
927 if (rename(tmpname, fname) == -1) {
928 DEBUG(0,("create_local_private_krb5_conf_for_domain: rename "
929 "of %s to %s failed. Errno %s\n",
930 tmpname, fname, strerror(errno) ));
936 DEBUG(5,("create_local_private_krb5_conf_for_domain: wrote "
937 "file %s with realm %s KDC list = %s\n",
938 fname, realm_upper, kdc_ip_string));
940 /* Set the environment variable to this file. */
941 setenv("KRB5_CONFIG", fname, 1);
943 #if defined(OVERWRITE_SYSTEM_KRB5_CONF)
945 #define SYSTEM_KRB5_CONF_PATH "/etc/krb5.conf"
946 /* Insanity, sheer insanity..... */
948 if (strequal(realm, lp_realm())) {
949 char linkpath[PATH_MAX+1];
952 lret = readlink(SYSTEM_KRB5_CONF_PATH, linkpath, sizeof(linkpath)-1);
954 linkpath[lret] = '\0';
957 if (lret != -1 || strcmp(linkpath, fname) == 0) {
958 /* Symlink already exists. */
963 /* Try and replace with a symlink. */
964 if (symlink(fname, SYSTEM_KRB5_CONF_PATH) == -1) {
965 const char *newpath = SYSTEM_KRB5_CONF_PATH ## ".saved";
966 if (errno != EEXIST) {
967 DEBUG(0,("create_local_private_krb5_conf_for_domain: symlink "
968 "of %s to %s failed. Errno %s\n",
969 fname, SYSTEM_KRB5_CONF_PATH, strerror(errno) ));
971 return True; /* Not a fatal error. */
974 /* Yes, this is a race conditon... too bad. */
975 if (rename(SYSTEM_KRB5_CONF_PATH, newpath) == -1) {
976 DEBUG(0,("create_local_private_krb5_conf_for_domain: rename "
977 "of %s to %s failed. Errno %s\n",
978 SYSTEM_KRB5_CONF_PATH, newpath,
981 return True; /* Not a fatal error. */
984 if (symlink(fname, SYSTEM_KRB5_CONF_PATH) == -1) {
985 DEBUG(0,("create_local_private_krb5_conf_for_domain: "
986 "forced symlink of %s to /etc/krb5.conf failed. Errno %s\n",
987 fname, strerror(errno) ));
989 return True; /* Not a fatal error. */
git.samba.org / kai / samba-autobuild / .git / blob