svn commit: samba r14611 - branches/SAMBA_3_0/source/libads
branches/SAMBA_3_0/source/nsswitch trunk/source/libads
trunk/source/nsswitch
gd at samba.org
gd at samba.org
Tue Mar 21 11:14:29 GMT 2006
Author: gd
Date: 2006-03-21 11:14:29 +0000 (Tue, 21 Mar 2006)
New Revision: 14611
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=14611
Log:
Fix init_creds_opts issue jerry discovered when using MIT krb5 1.3:
We were using a far too short renewable_time in the request; newer MIT
releases take care internally that the renewable time is never shorter
than the default ticket lifetime.
Guenther
Modified:
branches/SAMBA_3_0/source/libads/kerberos.c
branches/SAMBA_3_0/source/nsswitch/winbindd_ads.c
trunk/source/libads/kerberos.c
trunk/source/nsswitch/winbindd_ads.c
Changeset:
Modified: branches/SAMBA_3_0/source/libads/kerberos.c
===================================================================
--- branches/SAMBA_3_0/source/libads/kerberos.c 2006-03-21 10:57:02 UTC (rev 14610)
+++ branches/SAMBA_3_0/source/libads/kerberos.c 2006-03-21 11:14:29 UTC (rev 14611)
@@ -72,9 +72,7 @@
krb5_ccache cc = NULL;
krb5_principal me;
krb5_creds my_creds;
-#if 0
krb5_get_init_creds_opt opt;
-#endif
initialize_krb5_error_table();
if ((code = krb5_init_context(&ctx)))
@@ -97,12 +95,9 @@
return code;
}
-#if 0 /* This code causes problems with MIT krb5 1.3 when asking for a
- TGT for the machine account */
krb5_get_init_creds_opt_init(&opt);
krb5_get_init_creds_opt_set_renew_life(&opt, renewable_time);
krb5_get_init_creds_opt_set_forwardable(&opt, 1);
-#endif
if (request_pac) {
#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST
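Review bot: The re-enabled `krb5_get_init_creds_opt_set_renew_life(&opt, renewable_time)` call passes the caller's value through unchecked, and the comment that recorded the MIT krb5 1.3 problem is deleted without a replacement, so nothing at the call site warns a future caller that a too-small value (such as the old `1`) can bring the problem back on that release. A comment above the call would keep that knowledge, e.g. `/* renewable_time must not be shorter than the ticket lifetime: MIT krb5 1.3 does not correct it (see r14611) */`. Separately, `krb5_get_init_creds_opt_set_forwardable(&opt, 1)` now applies to every caller of this function, apparently including the machine-account TGT request; if not all of them need delegation, a forwardable ticket grants more than required and the flag would be better supplied by the caller. The enclosing function starts and ends outside the hunk, and the same applies to the matching hunk in trunk/source/libads/kerberos.c.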
@@ -110,13 +105,8 @@
#endif
}
-#if 0
if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, CONST_DISCARD(char *,password),
kerb_prompter, NULL, 0, NULL, &opt)))
-#else
- if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, CONST_DISCARD(char *,password),
- kerb_prompter, NULL, 0, NULL, NULL)))
-#endif
{
krb5_free_principal(ctx, me);
krb5_free_context(ctx);
Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_ads.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_ads.c 2006-03-21 10:57:02 UTC (rev 14610)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_ads.c 2006-03-21 11:14:29 UTC (rev 14611)
@@ -102,7 +102,7 @@
ads->auth.realm = SMB_STRDUP( lp_realm() );
}
- ads->auth.renewable = 1;
+ ads->auth.renewable = WINBINDD_PAM_AUTH_KRB5_RENEW_TIME;
status = ads_connect(ads);
if (!ADS_ERR_OK(status) || !ads->config.realm) {
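Review bot: `ads->auth.renewable` was assigned `1` before and still reads like a boolean flag, but after this change it carries a renewable lifetime taken from `WINBINDD_PAM_AUTH_KRB5_RENEW_TIME`; a short comment on the assignment would stop someone from resetting it to a flag value, e.g. `/* renewable lifetime requested for the TGT, not a flag */`. The constant is named for the PAM authentication path while this code sets up the ADS connection, so its definition (not visible in this hunk) should be checked to confirm the value is appropriate for what is presumably a machine-account ticket. The enclosing function continues outside the hunk, and the same line changes in trunk/source/nsswitch/winbindd_ads.c.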
Modified: trunk/source/libads/kerberos.c
===================================================================
--- trunk/source/libads/kerberos.c 2006-03-21 10:57:02 UTC (rev 14610)
+++ trunk/source/libads/kerberos.c 2006-03-21 11:14:29 UTC (rev 14611)
@@ -72,9 +72,7 @@
krb5_ccache cc = NULL;
krb5_principal me;
krb5_creds my_creds;
-#if 0
krb5_get_init_creds_opt opt;
-#endif
initialize_krb5_error_table();
if ((code = krb5_init_context(&ctx)))
@@ -97,12 +95,9 @@
return code;
}
-#if 0 /* This code causes problems with MIT krb5 1.3 when asking for a
- TGT for the machine account */
krb5_get_init_creds_opt_init(&opt);
krb5_get_init_creds_opt_set_renew_life(&opt, renewable_time);
krb5_get_init_creds_opt_set_forwardable(&opt, 1);
-#endif
if (request_pac) {
#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST
@@ -110,13 +105,8 @@
#endif
}
-#if 0
if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, CONST_DISCARD(char *,password),
kerb_prompter, NULL, 0, NULL, &opt)))
-#else
- if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, CONST_DISCARD(char *,password),
- kerb_prompter, NULL, 0, NULL, NULL)))
-#endif
{
krb5_free_principal(ctx, me);
krb5_free_context(ctx);
Modified: trunk/source/nsswitch/winbindd_ads.c
===================================================================
--- trunk/source/nsswitch/winbindd_ads.c 2006-03-21 10:57:02 UTC (rev 14610)
+++ trunk/source/nsswitch/winbindd_ads.c 2006-03-21 11:14:29 UTC (rev 14611)
@@ -102,7 +102,7 @@
ads->auth.realm = SMB_STRDUP( lp_realm() );
}
- ads->auth.renewable = 1;
+ ads->auth.renewable = WINBINDD_PAM_AUTH_KRB5_RENEW_TIME;
status = ads_connect(ads);
if (!ADS_ERR_OK(status) || !ads->config.realm) {