Avoid overriding default ccache for ads operations.

Andrew Bartlett abartlet at samba.org
Wed Sep 12 15:41:19 MDT 2012

On Wed, 2012-09-12 at 21:19 +0200, Alexander Bokovoy wrote:
> The branch, master has been updated
>        via  893b213 Avoid overriding default ccache for ads operations.
>       from  a11e45f selftest: let provision_plugin_s4_dc use SMB3
> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
> - Log -----------------------------------------------------------------
> commit 893b21387665a7b644355d60f6fbccaf48ffaedb
> Author: Simo Sorce <idra at samba.org>
> Date:   Fri Sep 7 14:14:08 2012 -0400
>     Avoid overriding default ccache for ads operations.
>     Avoid overriding default ccache for ads operations.
>     Nowadays various samba components may need to use GSSAPI and a default cred
>     cache to perform their tasks.
>     This code was completely overriding the whole process default ccache name, thus
>     altering the current credentials and sometimes hijacking them (or getting
>     preemptively hijaked).
>     By using gss_krb5_import_cred we can instead use a private ccache (necessary
>     sometimes to use a different set of credentials fromt he default
>     cifs/fqdn at realm one, for example when contacting foreign DCs using trust
>     credentials) that does not affect the rest of the process.
>     For the kerberos versions which don't have gss_krb5_import_cred
>     we fallback to temp override of KRB5CCNAME and gss_acquire_cred.
>     Signed-off-by: Alexander Bokovoy <ab at samba.org>
>     Signed-off-by: Günther Deschner <gd at samba.org>
>     Autobuild-User(master): Alexander Bokovoy <ab at samba.org>
>     Autobuild-Date(master): Wed Sep 12 21:18:09 CEST 2012 on sn-devel-104

Does the DNS register command at 'net ads join' time using a specified
password still run with this patch?  As I read it, this will now need to
be passed the output of ads_init_gssapi_cred().

Andrew Bartlett
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba-technical mailing list