[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Tue Jul 12 01:24:02 UTC 2016
The branch, master has been updated
via a1743de libads: ensure the right ccache is used during spnego bind
via 2672968 libads: ensure the right ccache is used during gssapi bind
from a391e92 s3-messaging: use messaging_ctdbd_reinit() in messaging_reinit()
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit a1743de74f09d5bf695f077f5127d02352a014e2
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 6 12:44:11 2016 +0200
libads: ensure the right ccache is used during spnego bind
When doing spnego sasl bind:
1. Try working without kinit only if a password is not
provided
2. When using kinit, ensure the KRB5CCNAME env var is set
to a private memory ccache, so that the bind is on behalf
of the requested user.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12007
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Uri Simchoni <uri at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Tue Jul 12 03:23:33 CEST 2016 on sn-devel-144
commit 2672968851966e5c01e4fc4d906b45b5c047e655
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 6 12:48:11 2016 +0200
libads: ensure the right ccache is used during gssapi bind
When doing gssapi sasl bind:
1. Try working without kinit only if a password is not
provided
2. When using kinit, ensure the KRB5CCNAME env var is set
to a private memory ccache, so that the bind is on behalf
of the requested user.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12007
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Uri Simchoni <uri at samba.org>
-----------------------------------------------------------------------
Summary of changes:
source3/libads/sasl.c | 52 +++++++++++++++++++++++++++++++++++----------------
1 file changed, 36 insertions(+), 16 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index d76d872..85a2eb0 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -26,6 +26,7 @@
#include "smb_krb5.h"
#include "system/gssapi.h"
#include "lib/param/loadparm.h"
+#include "krb5_env.h"
#ifdef HAVE_LDAP
@@ -748,18 +749,29 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
got_kerberos_mechanism)
{
- status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
- CRED_MUST_USE_KERBEROS,
- p.service, p.hostname,
- blob);
- if (ADS_ERR_OK(status)) {
- ads_free_service_principal(&p);
- goto done;
+ const char *ccache_name = "MEMORY:ads_sasl_spnego_bind";
+ if (ads->auth.ccache_name != NULL) {
+ ccache_name = ads->auth.ccache_name;
}
- DEBUG(10,("ads_sasl_spnego_gensec_bind(KRB5) failed with: %s, "
- "calling kinit\n", ads_errstr(status)));
+ if (ads->auth.password == NULL ||
+ ads->auth.password[0] == '\0')
+ {
+ status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
+ CRED_MUST_USE_KERBEROS,
+ p.service, p.hostname,
+ blob);
+ if (ADS_ERR_OK(status)) {
+ ads_free_service_principal(&p);
+ goto done;
+ }
+
+ DEBUG(10,("ads_sasl_spnego_gensec_bind(KRB5) failed with: %s, "
+ "calling kinit\n", ads_errstr(status)));
+ }
+
+ setenv(KRB5_ENV_CCNAME, ccache_name, 1);
status = ADS_ERROR_KRB5(ads_kinit_password(ads));
if (ADS_ERR_OK(status)) {
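Review bot: The return value of `setenv(KRB5_ENV_CCNAME, ccache_name, 1)` is ignored, so if the call fails the following `ads_kinit_password()` and the retried bind would presumably run against whatever credential cache the process already pointed at, which is the wrong-identity case this commit sets out to close. Guard it with `if (setenv(KRB5_ENV_CCNAME, ccache_name, 1) != 0)` and set `status = ADS_ERROR_SYSTEM(errno);`, then free `p` and leave through `done` as the success path above does. The same unchecked call is added in the `ads_sasl_gssapi_bind` hunk. The body of `ads_sasl_spnego_bind` continues outside this hunk.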
@@ -1015,21 +1027,29 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)
{
ADS_STATUS status;
struct ads_service_principal p;
+ const char *ccache_name = "MEMORY:ads_sasl_gssapi_do_bind";
status = ads_generate_service_principal(ads, &p);
if (!ADS_ERR_OK(status)) {
return status;
}
- status = ads_sasl_gssapi_do_bind(ads, p.name);
- if (ADS_ERR_OK(status)) {
- ads_free_service_principal(&p);
- return status;
- }
+ if (ads->auth.password == NULL ||
+ ads->auth.password[0] == '\0') {
+ status = ads_sasl_gssapi_do_bind(ads, p.name);
+ if (ADS_ERR_OK(status)) {
+ ads_free_service_principal(&p);
+ return status;
+ }
- DEBUG(10,("ads_sasl_gssapi_do_bind failed with: %s, "
- "calling kinit\n", ads_errstr(status)));
+ DEBUG(10,("ads_sasl_gssapi_do_bind failed with: %s, "
+ "calling kinit\n", ads_errstr(status)));
+ }
+ if (ads->auth.ccache_name != NULL) {
+ ccache_name = ads->auth.ccache_name;
+ }
+ setenv(KRB5_ENV_CCNAME, ccache_name, 1);
status = ADS_ERROR_KRB5(ads_kinit_password(ads));
if (ADS_ERR_OK(status)) {
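Review bot: `setenv()` rewrites KRB5CCNAME for the whole process and nothing in the visible lines puts the previous value back, so later Kerberos use in the same process would inherit the memory ccache holding this user's tickets; the rest of the function lies outside the hunk, so a restore may exist there. If the change is meant to persist, a comment above the call such as `/* KRB5CCNAME stays pointed at ccache_name after this bind; callers must not rely on the previous value */` would make that explicit; otherwise save the old value with `getenv()` and restore it once the bind has finished. The default is also a fixed string, so every `ADS_STRUCT` in the process that leaves `auth.ccache_name` unset shares one cache name, and that name says `ads_sasl_gssapi_do_bind` although it is declared in `ads_sasl_gssapi_bind`.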
--
Samba Shared Repository