[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Thu Dec 9 14:15:02 UTC 2021


The branch, master has been updated
       via  e2b7a2f7811 s4-auth: Remove unused headers
       via  1bacf26d30a auth/credentials: Fix cli_credentials_shallow_ccache error case
       via  ce293eb861b auth/credentials: Handle ENOENT when obtaining ccache lifetime
      from  102ad9ee6a0 librpc: match gensec_gssapi and call gsskrb5_set_dns_canonicalize() for Heimdal

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit e2b7a2f78117e20739aa4f895ce68825e160d451
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Dec 8 15:30:02 2021 +1300

    s4-auth: Remove unused headers
    
    These changes were submitted in a patch by
    Stefan Metzmacher <metze at samba.org> in his lorikeet-heimdal
    import branch of patches to upgrade to a modern Heimdal.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Thu Dec  9 14:14:12 UTC 2021 on sn-devel-184

commit 1bacf26d30adc89348786bff7b9e2fe6d6f43856
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Apr 3 15:29:32 2020 +0200

    auth/credentials: Fix cli_credentials_shallow_ccache error case
    
    Avoid dangling values if something fails...
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit ce293eb861b2fc6c7a88cf67664c91735bf49d44
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Apr 3 15:27:45 2020 +0200

    auth/credentials: Handle ENOENT when obtaining ccache lifetime
    
    The new Heimdal may return ENOENT instead of KRB5_CC_END.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 auth/credentials/credentials_krb5.c       | 13 +++++++++----
 source4/auth/kerberos/kerberos.h          |  1 -
 source4/auth/kerberos/krb5_init_context.c |  1 -
 3 files changed, 9 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index d2e7a76a69e..e69e1a83b3c 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -686,7 +686,7 @@ _PUBLIC_ int cli_credentials_get_named_ccache(struct cli_credentials *cred,
 		bool expired = false;
 		ret = smb_krb5_cc_get_lifetime(cred->ccache->smb_krb5_context->krb5_context,
 					       cred->ccache->ccache, &lifetime);
-		if (ret == KRB5_CC_END) {
+		if (ret == KRB5_CC_END || ret == ENOENT) {
 			/* If we have a particular ccache set, without
 			 * an initial ticket, then assume there is a
 			 * good reason */
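Review bot: The widened check `ret == KRB5_CC_END || ret == ENOENT` now treats every ENOENT from smb_krb5_cc_get_lifetime() as "ccache set without an initial ticket", but the comment under it still describes only the original case. If that wrapper can also return ENOENT when the cache itself is missing (not visible here, and the branch body is cut off by the hunk), an absent ccache would take the same lenient path as an empty one, so this is worth confirming against the Heimdal behaviour the commit message refers to. I would record the reason at the check, e.g. `/* Newer Heimdal reports a ccache with no tickets as ENOENT instead of KRB5_CC_END */`. The body of cli_credentials_get_named_ccache continues outside the hunk.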
@@ -1060,15 +1060,22 @@ static int cli_credentials_shallow_ccache(struct cli_credentials *cred)
 {
 	krb5_error_code ret;
 	const struct ccache_container *old_ccc = NULL;
+	enum credentials_obtained old_obtained;
 	struct ccache_container *ccc = NULL;
 	char *ccache_name = NULL;
 	krb5_principal princ;
 
+	old_obtained = cred->ccache_obtained;
 	old_ccc = cred->ccache;
 	if (old_ccc == NULL) {
 		return 0;
 	}
 
+	cred->ccache = NULL;
+	cred->ccache_obtained = CRED_UNINITIALISED;
+	cred->client_gss_creds = NULL;
+	cred->client_gss_creds_obtained = CRED_UNINITIALISED;
+
 	ret = krb5_cc_get_principal(
 		old_ccc->smb_krb5_context->krb5_context,
 		old_ccc->ccache,
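Review bot: The reset block added before `krb5_cc_get_principal()` (`cred->ccache = NULL;` through `cred->client_gss_creds_obtained = CRED_UNINITIALISED;`) has no comment stating what it guarantees, although its position ahead of the fallible calls is the whole fix. With it in place, the empty-ccache `return 0` and any error return between the hunks (not shown) leave cred with no ccache and no GSS credentials, and `ccache_obtained` is restored only by `cred->ccache_obtained = old_obtained;` on the success path in the last hunk. A short comment such as `/* Drop the inherited ccache and GSS creds first, so a failure below cannot leave stale pointers in cred */` would stop a later edit from moving the reset back below those calls. That these pointers are shared with another cli_credentials is inferred from the function name and the commit message; the function body continues outside this hunk.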
@@ -1077,7 +1084,6 @@ static int cli_credentials_shallow_ccache(struct cli_credentials *cred)
 		/*
 		 * This is an empty ccache. No point in copying anything.
 		 */
-		cred->ccache = NULL;
 		return 0;
 	}
 	krb5_free_principal(old_ccc->smb_krb5_context->krb5_context, princ);
@@ -1110,8 +1116,7 @@ static int cli_credentials_shallow_ccache(struct cli_credentials *cred)
 	}
 
 	cred->ccache = ccc;
-	cred->client_gss_creds = NULL;
-	cred->client_gss_creds_obtained = CRED_UNINITIALISED;
+	cred->ccache_obtained = old_obtained;
 	return ret;
 }
 
diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h
index 1dd63acc838..33ee4f301ed 100644
--- a/source4/auth/kerberos/kerberos.h
+++ b/source4/auth/kerberos/kerberos.h
@@ -27,7 +27,6 @@
 #include "auth/kerberos/krb5_init_context.h"
 #include "librpc/gen_ndr/krb5pac.h"
 #include "lib/krb5_wrap/krb5_samba.h"
-#include "lib/krb5_wrap/gss_samba.h"
 
 struct auth_user_info_dc;
 struct cli_credentials;
diff --git a/source4/auth/kerberos/krb5_init_context.c b/source4/auth/kerberos/krb5_init_context.c
index 639718cb6a6..616eebc968e 100644
--- a/source4/auth/kerberos/krb5_init_context.c
+++ b/source4/auth/kerberos/krb5_init_context.c
@@ -22,7 +22,6 @@
 
 #include "includes.h"
 #include "system/kerberos.h"
-#include "system/gssapi.h"
 #include <tevent.h>
 #include "auth/kerberos/kerberos.h"
 #include "lib/socket/socket.h"


-- 
Samba Shared Repository


