Avoid overriding default ccache for ads operations.
Andrew Bartlett
abartlet at samba.org
Wed Sep 12 15:41:19 MDT 2012
On Wed, 2012-09-12 at 21:19 +0200, Alexander Bokovoy wrote:
> The branch, master has been updated
> via 893b213 Avoid overriding default ccache for ads operations.
> from a11e45f selftest: let provision_plugin_s4_dc use SMB3
>
> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
>
>
> - Log -----------------------------------------------------------------
> commit 893b21387665a7b644355d60f6fbccaf48ffaedb
> Author: Simo Sorce <idra at samba.org>
> Date: Fri Sep 7 14:14:08 2012 -0400
>
> Avoid overriding default ccache for ads operations.
>
> Avoid overriding default ccache for ads operations.
>
> Nowadays various samba components may need to use GSSAPI and a default cred
> cache to perform their tasks.
> This code was completely overriding the whole process default ccache name, thus
> altering the current credentials and sometimes hijacking them (or getting
> preemptively hijacked).
>
> By using gss_krb5_import_cred we can instead use a private ccache (necessary
> sometimes to use a different set of credentials from the default
> cifs/fqdn@realm one, for example when contacting foreign DCs using trust
> credentials) that does not affect the rest of the process.
>
> For the kerberos versions which don't have gss_krb5_import_cred
> we fall back to temp override of KRB5CCNAME and gss_acquire_cred.
>
> Signed-off-by: Alexander Bokovoy <ab at samba.org>
> Signed-off-by: Günther Deschner <gd at samba.org>
>
> Autobuild-User(master): Alexander Bokovoy <ab at samba.org>
> Autobuild-Date(master): Wed Sep 12 21:18:09 CEST 2012 on sn-devel-104
Does the DNS register command at 'net ads join' time using a specified
password still run with this patch? As I read it, this will now need to
be passed the output of ads_init_gssapi_cred().
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
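
The fallback path the commit message describes (temporary override of KRB5CCNAME around credential acquisition) sketched as an added example; it is not part of this message and not Samba's code. `with_private_ccache`, `ccache_fn` and `record_ccache` are hypothetical names, the callback stands in for gss_acquire_cred, and the ccache names are constructed.

```c
#define _POSIX_C_SOURCE 200809L /* setenv, unsetenv, strdup */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in type for the acquisition call (gss_acquire_cred in
 * the commit's fallback path) that reads KRB5CCNAME while it runs. */
typedef int (*ccache_fn)(void *arg);

/* Run fn with KRB5CCNAME set to name, then restore the previous state (old
 * value, or unset). Returns 0 or an errno value; fn's result is in *fn_ret. */
int with_private_ccache(const char *name, ccache_fn fn, void *arg, int *fn_ret)
{
    const char *cur = getenv("KRB5CCNAME");
    char *saved = NULL;
    int rc = 0;
    /* Copy first: setenv() may invalidate the pointer getenv() returned. */
    if (cur != NULL && (saved = strdup(cur)) == NULL)
        return ENOMEM;
    if (setenv("KRB5CCNAME", name, 1) != 0) {
        rc = errno;
        free(saved);
        return rc;
    }
    *fn_ret = fn(arg);
    /* Restore on every path, including when fn reported failure. */
    if ((saved ? setenv("KRB5CCNAME", saved, 1) : unsetenv("KRB5CCNAME")) != 0)
        rc = errno;
    free(saved);
    return rc;
}

/* Constructed stand-in callee: records the ccache name it would have used.
 * arg must point to a char[128]. */
int record_ccache(void *arg)
{
    const char *seen = getenv("KRB5CCNAME");
    snprintf((char *)arg, 128, "%s", seen != NULL ? seen : "(unset)");
    return 0;
}

int main(void)
{
    char seen[128];
    int ret = -1;
    setenv("KRB5CCNAME", "FILE:/tmp/krb5cc_default", 1); /* constructed value */
    with_private_ccache("MEMORY:ads_private", record_ccache, seen, &ret);
    printf("callee saw %s, process now has %s\n", seen, getenv("KRB5CCNAME"));
    return 0;
}
```

The environment is process-wide, so anything else reading KRB5CCNAME while the callback runs still sees the private name; the restore only bounds that window, which is why the commit keeps this as the fallback for Kerberos versions without gss_krb5_import_cred.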