Avoid overriding default ccache for ads operations.

Alexander Bokovoy ab at samba.org
Wed Sep 12 16:16:36 MDT 2012

On Thu, Sep 13, 2012 at 12:41 AM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Wed, 2012-09-12 at 21:19 +0200, Alexander Bokovoy wrote:
>> The branch, master has been updated
>>        via  893b213 Avoid overriding default ccache for ads operations.
>>       from  a11e45f selftest: let provision_plugin_s4_dc use SMB3
>> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
>> - Log -----------------------------------------------------------------
>> commit 893b21387665a7b644355d60f6fbccaf48ffaedb
>> Author: Simo Sorce <idra at samba.org>
>> Date:   Fri Sep 7 14:14:08 2012 -0400
>>     Avoid overriding default ccache for ads operations.
>>     Avoid overriding default ccache for ads operations.
>>     Nowadays various samba components may need to use GSSAPI and a default cred
>>     cache to perform their tasks.
>>     This code was completely overriding the whole process default ccache name, thus
>>     altering the current credentials and sometimes hijacking them (or getting
>>     preemptively hijaked).
>>     By using gss_krb5_import_cred we can instead use a private ccache (necessary
>>     sometimes to use a different set of credentials fromt he default
>>     cifs/fqdn at realm one, for example when contacting foreign DCs using trust
>>     credentials) that does not affect the rest of the process.
>>     For the kerberos versions which don't have gss_krb5_import_cred
>>     we fallback to temp override of KRB5CCNAME and gss_acquire_cred.
>>     Signed-off-by: Alexander Bokovoy <ab at samba.org>
>>     Signed-off-by: Günther Deschner <gd at samba.org>
>>     Autobuild-User(master): Alexander Bokovoy <ab at samba.org>
>>     Autobuild-Date(master): Wed Sep 12 21:18:09 CEST 2012 on sn-devel-104
> Does the DNS register command at 'net ads join' time using a specified
> password still run with this patch?  As I read it, this will now need to
> be passed the output of ads_init_gssapi_cred().
Since net_ads.c uses ads_kinit_password(), it calls into
kerberos_kinit_password_ext() with ads->auth.ccache_name.
kerberos_kinit_password_ext() checks if ccache_name is NULL, then it
uses default one already and net_ads.c actually ensures the default
name is set in the environment with use_in_memory_ccache().

If ads->auth.ccache_name is not set, ads_init_gssapi_cred() will
return ADS_SUCCESS and will not touch the cred itself. This means
gss_init_sec_context() will be called with GSS_C_NO_CREDENTIAL and
will rely on the default credential discovery.

So I believe it still works.
/ Alexander Bokovoy

More information about the samba-technical mailing list