Avoid overriding default ccache for ads operations.
Alexander Bokovoy
ab at samba.org
Wed Sep 12 16:16:36 MDT 2012
On Thu, Sep 13, 2012 at 12:41 AM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Wed, 2012-09-12 at 21:19 +0200, Alexander Bokovoy wrote:
>> The branch, master has been updated
>> via 893b213 Avoid overriding default ccache for ads operations.
>> from a11e45f selftest: let provision_plugin_s4_dc use SMB3
>>
>> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
>>
>>
>> - Log -----------------------------------------------------------------
>> commit 893b21387665a7b644355d60f6fbccaf48ffaedb
>> Author: Simo Sorce <idra at samba.org>
>> Date: Fri Sep 7 14:14:08 2012 -0400
>>
>> Avoid overriding default ccache for ads operations.
>>
>> Avoid overriding default ccache for ads operations.
>>
>> Nowadays various Samba components may need to use GSSAPI and a default cred
>> cache to perform their tasks.
>> This code was completely overriding the whole process default ccache name, thus
>> altering the current credentials and sometimes hijacking them (or getting
>> preemptively hijacked).
>>
>> By using gss_krb5_import_cred we can instead use a private ccache (necessary
>> sometimes to use a different set of credentials from the default
>> cifs/fqdn at realm one, for example when contacting foreign DCs using trust
>> credentials) that does not affect the rest of the process.
>>
>> For the kerberos versions which don't have gss_krb5_import_cred
>> we fall back to a temporary override of KRB5CCNAME and gss_acquire_cred.
>>
>> Signed-off-by: Alexander Bokovoy <ab at samba.org>
>> Signed-off-by: Günther Deschner <gd at samba.org>
>>
>> Autobuild-User(master): Alexander Bokovoy <ab at samba.org>
>> Autobuild-Date(master): Wed Sep 12 21:18:09 CEST 2012 on sn-devel-104
>
> Does the DNS register command at 'net ads join' time using a specified
> password still run with this patch? As I read it, this will now need to
> be passed the output of ads_init_gssapi_cred().
Since net_ads.c uses ads_kinit_password(), it calls into
kerberos_kinit_password_ext() with ads->auth.ccache_name.
kerberos_kinit_password_ext() checks if ccache_name is NULL, in which case it
already uses the default one, and net_ads.c actually ensures the default
name is set in the environment with use_in_memory_ccache().
If ads->auth.ccache_name is not set, ads_init_gssapi_cred() will
return ADS_SUCCESS and will not touch the cred itself. This means
gss_init_sec_context() will be called with GSS_C_NO_CREDENTIAL and
will rely on the default credential discovery.
So I believe it still works.
--
/ Alexander Bokovoy