cli_credentials ccache semantics and test changes

Thu May 24 05:05:58 MDT 2012

On Thu, May 24, 2012 at 8:26 AM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Thu, 2012-05-24 at 01:02 -0400, simo wrote:
>> On Thu, 2012-05-24 at 13:39 +1000, Andrew Bartlett wrote:
>>
>> Something doesn't click here,
>> are you saying that if I use samba libraries in a program and user/pas
>> are specified within it, it will just merrily go and blow away my
>> ccache ?
>
> No, Samba always creates an in-memory ccache for it's own operations.
> We are very careful not to touch a credentials cache unless we are
> actually using it.
>
>> That sounds quite wrong, especially if that happens with utilities like
>> the net or samba-tool utilities. Can you elaborate on this ?
>
> What it means is that if you use samba libraries in a program and
> user/pass are specified within it, that these are used, irrespective of
> if any kerberos credentials cache is in the environment.
After extensive debugging I've found the actual cause of the problem.

In my python code I'm creating several credentials objects:
1. For accessing local server (kerberos only)
2. for accessing AD CLDAP (anonymous only) for discovery purposes
3. for accessing remote AD DC server (username/password specified or
using shared secret and domain account)

Due to way Python bindings in Samba 4 are implemented and credentials
library relying on an environment state to properly guess the
credentials I want to use, I have to use seprate loadparm objects in
each case, define or undefine certain parameters, most notably
'workgroup = MYDOMAIN' in case (3). Python bindings to loadparm use
lpcfg_set_cmdline() to set the values. The template I use for it is
basically an empty smb.conf file, to separate system-wide and
FreeIPA-specific one.

Now, when lpcfg_set_cmdline() used, credentials library prioritises
the value of workgroup and realm as if they were set on the command
line, thus ignoring ccache. To make it more complex, Python bindings
to loadparm provide the same global instance of loadparm each time I
create new loadparm Python object. All this means I cannot have
independent loadparm objects in Python code.

So next time I connect to FreeIPA server, if the same process serves
the request, its global loadparm instance already has 'workgroup'
value set and marked as FLAG_CMDLINE. No matter what I do, the entry
for 'workgroup' will be tainted with FLAG_CMDLINE and will override
everything.

So, how to solve this?

1. Make Python loadparm object possible to create private instances of
loadparm. One additional argument to param.LoadParm() constructor will
make it. As this is client code and empty smb.conf template is not
going to change over time, reloading it is not needed.

2. Allow cleaning flags for loadparm entries from Python code.

3. Devise better logic in cli_credentials_set_conf() on finding out
whether particular parameter (there are three of them there:
workgroup, netbios name, and realm) is enforced via command line.
-- 
/ Alexander Bokovoy