cli_credentials ccache semantics and test changes

Alexander Bokovoy ab at
Thu May 24 05:35:31 MDT 2012

On Thu, May 24, 2012 at 2:05 PM, Alexander Bokovoy <ab at> wrote:
> On Thu, May 24, 2012 at 8:26 AM, Andrew Bartlett <abartlet at> wrote:
>> On Thu, 2012-05-24 at 01:02 -0400, simo wrote:
>>> On Thu, 2012-05-24 at 13:39 +1000, Andrew Bartlett wrote:
>>> Something doesn't click here,
>>> are you saying that if I use samba libraries in a program and user/pas
>>> are specified within it, it will just merrily go and blow away my
>>> ccache ?
>> No, Samba always creates an in-memory ccache for it's own operations.
>> We are very careful not to touch a credentials cache unless we are
>> actually using it.
>>> That sounds quite wrong, especially if that happens with utilities like
>>> the net or samba-tool utilities. Can you elaborate on this ?
>> What it means is that if you use samba libraries in a program and
>> user/pass are specified within it, that these are used, irrespective of
>> if any kerberos credentials cache is in the environment.
> After extensive debugging I've found the actual cause of the problem.
> In my python code I'm creating several credentials objects:
> 1. For accessing local server (kerberos only)
> 2. for accessing AD CLDAP (anonymous only) for discovery purposes
> 3. for accessing remote AD DC server (username/password specified or
> using shared secret and domain account)
> Due to way Python bindings in Samba 4 are implemented and credentials
> library relying on an environment state to properly guess the
> credentials I want to use, I have to use seprate loadparm objects in
> each case, define or undefine certain parameters, most notably
> 'workgroup = MYDOMAIN' in case (3). Python bindings to loadparm use
> lpcfg_set_cmdline() to set the values. The template I use for it is
> basically an empty smb.conf file, to separate system-wide and
> FreeIPA-specific one.
> Now, when lpcfg_set_cmdline() used, credentials library prioritises
> the value of workgroup and realm as if they were set on the command
> line, thus ignoring ccache. To make it more complex, Python bindings
> to loadparm provide the same global instance of loadparm each time I
> create new loadparm Python object. All this means I cannot have
> independent loadparm objects in Python code.
> So next time I connect to FreeIPA server, if the same process serves
> the request, its global loadparm instance already has 'workgroup'
> value set and marked as FLAG_CMDLINE. No matter what I do, the entry
> for 'workgroup' will be tainted with FLAG_CMDLINE and will override
> everything.
> So, how to solve this?
> 1. Make Python loadparm object possible to create private instances of
> loadparm. One additional argument to param.LoadParm() constructor will
> make it. As this is client code and empty smb.conf template is not
> going to change over time, reloading it is not needed.
> 2. Allow cleaning flags for loadparm entries from Python code.
> 3. Devise better logic in cli_credentials_set_conf() on finding out
> whether particular parameter (there are three of them there:
> workgroup, netbios name, and realm) is enforced via command line.
We discussed this with Andrew and came to following solution:

1. cli_credentials_set_conf() will not use workgroup setting to affect
how domain value was obtained for beta1.

2. We'll work after beta1 on use of realm (--realm command line
argument) to override ccache use. If the ticket we have in existing
ccache has the same realm as specified via command line, we continue
using ccache, otherwise we'll invalidate its use.

I'll do a patch for it and will revert bits
/ Alexander Bokovoy

More information about the samba-technical mailing list