svn commit: samba r4441 - in branches/SAMBA_4_0/source/libcli/auth: .

abartlet at samba.org abartlet at samba.org
Fri Dec 31 07:43:12 GMT 2004


Author: abartlet
Date: 2004-12-31 07:43:08 +0000 (Fri, 31 Dec 2004)
New Revision: 4441

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=4441

Log:
gensec_krb5 update:

 - Use more of the clikrb5.c wrapper calls

 - Don't use the session keytab if we kinit for the user.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/libcli/auth/gensec_krb5.c


Changeset:
Modified: branches/SAMBA_4_0/source/libcli/auth/gensec_krb5.c
===================================================================
--- branches/SAMBA_4_0/source/libcli/auth/gensec_krb5.c	2004-12-31 07:42:57 UTC (rev 4440)
+++ branches/SAMBA_4_0/source/libcli/auth/gensec_krb5.c	2004-12-31 07:43:08 UTC (rev 4441)
@@ -234,10 +234,7 @@
 	struct gensec_krb5_state *gensec_krb5_state = ptr;
 
 	if (gensec_krb5_state->ticket.length) { 
-	/* Hmm, early heimdal dooesn't have this - correct call would be krb5_data_free */
-#ifdef HAVE_KRB5_FREE_DATA_CONTENTS
-		krb5_free_data_contents(gensec_krb5_state->krb5_context, &gensec_krb5_state->ticket); 
-#endif
+		kerberos_free_data_contents(gensec_krb5_state->krb5_context, &gensec_krb5_state->ticket); 
 	}
 	if (gensec_krb5_state->krb5_ccache) {
 		/* current heimdal - 0.6.3, which we need anyway, fixes segfaults here */
@@ -334,7 +331,10 @@
 	gensec_krb5_state = gensec_security->private_data;
 	gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
 
-	/* TODO: This is effecivly a static/global variable... */ 
+	/* TODO: This is effecivly a static/global variable... 
+	 
+	   TODO: If the user set a username, we should use an in-memory CCACHE (see below)
+	*/ 
 	ret = krb5_cc_default(gensec_krb5_state->krb5_context, &gensec_krb5_state->krb5_ccache);
 	if (ret) {
 		DEBUG(1,("krb5_cc_default failed (%s)\n",
@@ -391,6 +391,7 @@
 		case ENOENT:
 		{
 			char *password;
+			char *ccache_string;
 			time_t kdc_time = 0;
 			nt_status = gensec_get_password(gensec_security, 
 							gensec_security, 
@@ -398,9 +399,23 @@
 			if (!NT_STATUS_IS_OK(nt_status)) {
 				return nt_status;
 			}
+			
+			/* this string should be unique */
+			ccache_string = talloc_asprintf(gensec_krb5_state, "MEMORY:%s:%s:%s", 
+							gensec_get_client_principal(gensec_security, gensec_krb5_state), 
+							gensec_get_target_principal(gensec_security, gensec_krb5_state), 
+							generate_random_str(gensec_krb5_state, 16));
 
+			ret = krb5_cc_resolve(gensec_krb5_state->krb5_context, ccache_string, &gensec_krb5_state->krb5_ccache);
+			if (ret) {
+				DEBUG(1,("failed to generate a new krb5 keytab (%s): %s\n", 
+					 ccache_string,
+					 error_message(ret)));
+				return NT_STATUS_INTERNAL_ERROR;
+			}
+
 			ret = kerberos_kinit_password_cc(gensec_krb5_state->krb5_context, gensec_krb5_state->krb5_ccache, 
-						      gensec_get_client_principal(gensec_security, gensec_security), 
+						      gensec_get_client_principal(gensec_security, gensec_krb5_state), 
 						      password, NULL, &kdc_time);
 
 			/* cope with ticket being in the future due to clock skew */
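Review bot: The result of `talloc_asprintf` in the ENOENT branch is passed to `krb5_cc_resolve` without a NULL check, and its three `%s` arguments (the two principal lookups and `generate_random_str`) are also used unchecked, so an allocation failure would reach the Kerberos library as a NULL cache name; add `if (!ccache_string) return NT_STATUS_NO_MEMORY;` before the resolve call. `krb5_cc_resolve` also writes into `gensec_krb5_state->krb5_ccache`, the same field that `krb5_cc_default` filled earlier (second hunk); unless lines not shown here release it, the default-cache handle is dropped without a `krb5_cc_close`. The failure message says "keytab" although the object being created is a credential cache, which will mislead anyone reading the log; `"failed to resolve a new krb5 ccache (%s): %s\n"` would match what the code does. The enclosing function starts and ends outside the hunk.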


