svn commit: samba r4441 - in branches/SAMBA_4_0/source/libcli/auth:
.
abartlet at samba.org
abartlet at samba.org
Fri Dec 31 07:43:12 GMT 2004
Author: abartlet
Date: 2004-12-31 07:43:08 +0000 (Fri, 31 Dec 2004)
New Revision: 4441
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=4441
Log:
gensec_krb5 update:
- Use more of the clikrb5.c wrapper calls
- Don't use the session keytab if we kinit for the user.
Andrew Bartlett
Modified:
branches/SAMBA_4_0/source/libcli/auth/gensec_krb5.c
Changeset:
Modified: branches/SAMBA_4_0/source/libcli/auth/gensec_krb5.c
===================================================================
--- branches/SAMBA_4_0/source/libcli/auth/gensec_krb5.c 2004-12-31 07:42:57 UTC (rev 4440)
+++ branches/SAMBA_4_0/source/libcli/auth/gensec_krb5.c 2004-12-31 07:43:08 UTC (rev 4441)
@@ -234,10 +234,7 @@
struct gensec_krb5_state *gensec_krb5_state = ptr;
if (gensec_krb5_state->ticket.length) {
- /* Hmm, early heimdal dooesn't have this - correct call would be krb5_data_free */
-#ifdef HAVE_KRB5_FREE_DATA_CONTENTS
- krb5_free_data_contents(gensec_krb5_state->krb5_context, &gensec_krb5_state->ticket);
-#endif
+ kerberos_free_data_contents(gensec_krb5_state->krb5_context, &gensec_krb5_state->ticket);
}
if (gensec_krb5_state->krb5_ccache) {
/* current heimdal - 0.6.3, which we need anyway, fixes segfaults here */
@@ -334,7 +331,10 @@
gensec_krb5_state = gensec_security->private_data;
gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
- /* TODO: This is effecivly a static/global variable... */
+ /* TODO: This is effecivly a static/global variable...
+
+ TODO: If the user set a username, we should use an in-memory CCACHE (see below)
+ */
ret = krb5_cc_default(gensec_krb5_state->krb5_context, &gensec_krb5_state->krb5_ccache);
if (ret) {
DEBUG(1,("krb5_cc_default failed (%s)\n",
@@ -391,6 +391,7 @@
case ENOENT:
{
char *password;
+ char *ccache_string;
time_t kdc_time = 0;
nt_status = gensec_get_password(gensec_security,
gensec_security,
@@ -398,9 +399,23 @@
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
+
+ /* this string should be unique */
+ ccache_string = talloc_asprintf(gensec_krb5_state, "MEMORY:%s:%s:%s",
+ gensec_get_client_principal(gensec_security, gensec_krb5_state),
+ gensec_get_target_principal(gensec_security, gensec_krb5_state),
+ generate_random_str(gensec_krb5_state, 16));
+ ret = krb5_cc_resolve(gensec_krb5_state->krb5_context, ccache_string, &gensec_krb5_state->krb5_ccache);
+ if (ret) {
+ DEBUG(1,("failed to generate a new krb5 keytab (%s): %s\n",
+ ccache_string,
+ error_message(ret)));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
ret = kerberos_kinit_password_cc(gensec_krb5_state->krb5_context, gensec_krb5_state->krb5_ccache,
- gensec_get_client_principal(gensec_security, gensec_security),
+ gensec_get_client_principal(gensec_security, gensec_krb5_state),
password, NULL, &kdc_time);
/* cope with ticket being in the future due to clock skew */
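Review bot: The result of `talloc_asprintf` in the added block goes to `krb5_cc_resolve` and `DEBUG` without a NULL check, and the three helper results feeding its `%s` arguments are unchecked too, so an allocation failure reaches a `%s` conversion or the Kerberos library as a null pointer. Add `if (ccache_string == NULL) return NT_STATUS_NO_MEMORY;` before the resolve call, and preferably take the two principals and the random string into locals so each can be checked. The `DEBUG` text says "keytab" although the object is a credential cache; `"failed to resolve in-memory krb5 ccache (%s): %s\n"` would not mislead whoever reads the log. `krb5_cc_resolve` also overwrites `gensec_krb5_state->krb5_ccache`, so if this is the same function that filled the field with `krb5_cc_default` in the earlier hunk (the function boundaries are outside the hunks), the earlier handle should be closed first. It is also worth confirming that the destructor destroys this MEMORY cache rather than only closing it, so the credentials obtained from the password do not outlive the state.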