[SCM] Samba Shared Repository - branch v3-2-test updated - release-3-2-0pre2-2797-g5f41913

Tue Sep 9 23:12:20 GMT 2008

On Tue, Sep 09, 2008 at 12:09:38PM +0200, Andreas Schneider wrote:
> On Friday 08 August 2008 23:33:36 Jeremy Allison wrote:
> > commit 5f419135ba1acae6bc37692fa77ae1162b62e0e3
> > Author: Jeremy Allison <jra at samba.org>
> > Date:   Fri Aug 8 14:33:00 2008 -0700
> >
> >     Add Derrick Schommer's <dschommer at F5.com> kerberos delegation patch.
> > Some work by me and advice by Love.
> >     Jeremy.
> >
> 
> I'm sorry to say that this code breaks kerberos support of smbclient and 
> libsmbclient.
> 
> I see different errors. If you have a Windows 2008 Domain controller, you get:
> 
> smbclient -k //rupert/Profiles/
> ads_krb5_get_fwd_ticket: krb5_fwd_tgt_creds failed (Hostname cannot be 
> 
> If you have a Windows 2003 server or a Windows 2008 server with a 2003 domain 
> you will the the following error:
> 
> smbclient -k //foo/Profiles/
> ads_krb5_get_fwd_ticket: krb5_fwd_tgt_creds failed (KDC can't fulfill 
> requested option)
> 
> Jemery, could you please look at it

Andreas,

Please try this patch (after looking at the MIT source code).
Let me know if this works and I'll check into all branches.

Thanks,

Jeremy.
-------------- next part --------------

diff --git a/source/libsmb/clikrb5.c b/source/libsmb/clikrb5.c
index a7ca24f..66dd5f6 100644
--- a/source/libsmb/clikrb5.c
+++ b/source/libsmb/clikrb5.c
@@ -743,16 +743,21 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
 						ccache,
 						&in_data );
 		if (retval) {
-			DEBUG( 1, ("ads_krb5_get_fwd_ticket failed (%s)\n", error_message( retval ) ) );
-			goto cleanup_creds;
-		}
+			DEBUG( 3, ("ads_krb5_get_fwd_ticket failed (%s)\n", error_message( retval ) ) );
 
-		if (retval) {
-			DEBUG( 1, ("krb5_auth_con_set_req_cksumtype failed (%s)\n",
-				error_message( retval ) ) );
-			goto cleanup_creds;
-		}
+			/*
+			 * This is not fatal. Delete the *auth_context and continue
+			 * with krb5_mk_req_extended to get a non-forwardable ticket.
+			 */
 
+			if (in_data.data) {
+				free( in_data.data );
+				in_data.data = NULL;
+				in_data.length = 0;
+			}
+			krb5_auth_con_free(context, *auth_context);
+			*auth_context = NULL;
+		}
 	}
 #endif
 
