svn commit: samba r14611 - branches/SAMBA_3_0/source/libads branches/SAMBA_3_0/source/nsswitch trunk/source/libads trunk/source/nsswitch

gd at samba.org gd at samba.org
Tue Mar 21 11:14:29 GMT 2006


Author: gd
Date: 2006-03-21 11:14:29 +0000 (Tue, 21 Mar 2006)
New Revision: 14611

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=14611

Log:
Fix init_creds_opts issue jerry discovered when using MIT krb5 1.3: 

We were using a far too short renewable_time in the request; newer MIT
releases take care internally that the renewable time is never shorter
than the default ticket lifetime.

Guenther

Modified:
   branches/SAMBA_3_0/source/libads/kerberos.c
   branches/SAMBA_3_0/source/nsswitch/winbindd_ads.c
   trunk/source/libads/kerberos.c
   trunk/source/nsswitch/winbindd_ads.c


Changeset:
Modified: branches/SAMBA_3_0/source/libads/kerberos.c
===================================================================
--- branches/SAMBA_3_0/source/libads/kerberos.c	2006-03-21 10:57:02 UTC (rev 14610)
+++ branches/SAMBA_3_0/source/libads/kerberos.c	2006-03-21 11:14:29 UTC (rev 14611)
@@ -72,9 +72,7 @@
 	krb5_ccache cc = NULL;
 	krb5_principal me;
 	krb5_creds my_creds;
-#if 0
 	krb5_get_init_creds_opt opt;
-#endif
 
 	initialize_krb5_error_table();
 	if ((code = krb5_init_context(&ctx)))
@@ -97,12 +95,9 @@
 		return code;
 	}
 
-#if 0	/* This code causes problems with MIT krb5 1.3 when asking for a 
-	   TGT for the machine account */
 	krb5_get_init_creds_opt_init(&opt);
 	krb5_get_init_creds_opt_set_renew_life(&opt, renewable_time);
 	krb5_get_init_creds_opt_set_forwardable(&opt, 1);
-#endif
 	
 	if (request_pac) {
 #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST
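Review bot: `renewable_time` is passed to `krb5_get_init_creds_opt_set_renew_life()` with no lower bound, so the fix relies on every caller supplying a sane value; per the commit log a too-short value is what broke MIT krb5 1.3, and only the winbindd_ads.c caller is adjusted in this commit. The removed `#if 0` comment was the only in-code record of that constraint, so I would leave one at the call, e.g. `/* renew life must not be shorter than the ticket lifetime; older MIT krb5 (1.3) does not correct this itself */`. Separately, `krb5_get_init_creds_opt_set_forwardable(&opt, 1)` now takes effect for every TGT requested here, including the machine account's; if no caller needs forwarding, requesting it only on demand would be the tighter default. The same applies to the identical trunk/source/libads/kerberos.c hunk, and the enclosing function starts and ends outside the hunk.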
@@ -110,13 +105,8 @@
 #endif
 	}
 
-#if 0
 	if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, CONST_DISCARD(char *,password), 
 						 kerb_prompter, NULL, 0, NULL, &opt)))
-#else
-	if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, CONST_DISCARD(char *,password), 
-						 kerb_prompter, NULL, 0, NULL, NULL))) 
-#endif
 	{
 		krb5_free_principal(ctx, me);
 		krb5_free_context(ctx);		

Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_ads.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_ads.c	2006-03-21 10:57:02 UTC (rev 14610)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_ads.c	2006-03-21 11:14:29 UTC (rev 14611)
@@ -102,7 +102,7 @@
 			ads->auth.realm = SMB_STRDUP( lp_realm() );
 	}
 
-	ads->auth.renewable = 1;
+	ads->auth.renewable = WINBINDD_PAM_AUTH_KRB5_RENEW_TIME;
 
 	status = ads_connect(ads);
 	if (!ADS_ERR_OK(status) || !ads->config.realm) {
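Review bot: `ads->auth.renewable` changes from `1` to `WINBINDD_PAM_AUTH_KRB5_RENEW_TIME` with nothing at the assignment saying the field holds a lifetime rather than an on/off flag, which is how the old value read. A comment such as `/* renewable lifetime, not a boolean; must be at least the ticket lifetime (MIT krb5 1.3) */` would keep a later edit from putting a small value back. The constant's definition is not visible here and its name ties it to the PAM auth path, so it is worth confirming the value also suits what appears to be the machine-account connection made through `ads_connect()`. The trunk/source/nsswitch/winbindd_ads.c hunk is identical, and the enclosing function extends outside the hunk.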

Modified: trunk/source/libads/kerberos.c
===================================================================
--- trunk/source/libads/kerberos.c	2006-03-21 10:57:02 UTC (rev 14610)
+++ trunk/source/libads/kerberos.c	2006-03-21 11:14:29 UTC (rev 14611)
@@ -72,9 +72,7 @@
 	krb5_ccache cc = NULL;
 	krb5_principal me;
 	krb5_creds my_creds;
-#if 0
 	krb5_get_init_creds_opt opt;
-#endif
 
 	initialize_krb5_error_table();
 	if ((code = krb5_init_context(&ctx)))
@@ -97,12 +95,9 @@
 		return code;
 	}
 
-#if 0	/* This code causes problems with MIT krb5 1.3 when asking for a 
-	   TGT for the machine account */
 	krb5_get_init_creds_opt_init(&opt);
 	krb5_get_init_creds_opt_set_renew_life(&opt, renewable_time);
 	krb5_get_init_creds_opt_set_forwardable(&opt, 1);
-#endif
 	
 	if (request_pac) {
 #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST
@@ -110,13 +105,8 @@
 #endif
 	}
 
-#if 0
 	if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, CONST_DISCARD(char *,password), 
 						 kerb_prompter, NULL, 0, NULL, &opt)))
-#else
-	if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, CONST_DISCARD(char *,password), 
-						 kerb_prompter, NULL, 0, NULL, NULL))) 
-#endif
 	{
 		krb5_free_principal(ctx, me);
 		krb5_free_context(ctx);		

Modified: trunk/source/nsswitch/winbindd_ads.c
===================================================================
--- trunk/source/nsswitch/winbindd_ads.c	2006-03-21 10:57:02 UTC (rev 14610)
+++ trunk/source/nsswitch/winbindd_ads.c	2006-03-21 11:14:29 UTC (rev 14611)
@@ -102,7 +102,7 @@
 			ads->auth.realm = SMB_STRDUP( lp_realm() );
 	}
 
-	ads->auth.renewable = 1;
+	ads->auth.renewable = WINBINDD_PAM_AUTH_KRB5_RENEW_TIME;
 
 	status = ads_connect(ads);
 	if (!ADS_ERR_OK(status) || !ads->config.realm) {


