Avoid overriding default ccache for ads operations.
simo
idra at samba.org
Wed Sep 12 18:03:10 MDT 2012
On Thu, 2012-09-13 at 01:16 +0300, Alexander Bokovoy wrote:
> On Thu, Sep 13, 2012 at 12:41 AM, Andrew Bartlett <abartlet at samba.org> wrote:
> > On Wed, 2012-09-12 at 21:19 +0200, Alexander Bokovoy wrote:
> >> The branch, master has been updated
> >> via 893b213 Avoid overriding default ccache for ads operations.
> >> from a11e45f selftest: let provision_plugin_s4_dc use SMB3
> >>
> >> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
> >>
> >>
> >> - Log -----------------------------------------------------------------
> >> commit 893b21387665a7b644355d60f6fbccaf48ffaedb
> >> Author: Simo Sorce <idra at samba.org>
> >> Date: Fri Sep 7 14:14:08 2012 -0400
> >>
> >> Avoid overriding default ccache for ads operations.
> >>
> >> Avoid overriding default ccache for ads operations.
> >>
> >> Nowadays various samba components may need to use GSSAPI and a default cred
> >> cache to perform their tasks.
> >> This code was completely overriding the whole process default ccache name, thus
> >> altering the current credentials and sometimes hijacking them (or getting
> >> preemptively hijaked).
> >>
> >> By using gss_krb5_import_cred we can instead use a private ccache (necessary
> >> sometimes to use a different set of credentials fromt he default
> >> cifs/fqdn at realm one, for example when contacting foreign DCs using trust
> >> credentials) that does not affect the rest of the process.
> >>
> >> For the kerberos versions which don't have gss_krb5_import_cred
> >> we fallback to temp override of KRB5CCNAME and gss_acquire_cred.
> >>
> >> Signed-off-by: Alexander Bokovoy <ab at samba.org>
> >> Signed-off-by: Günther Deschner <gd at samba.org>
> >>
> >> Autobuild-User(master): Alexander Bokovoy <ab at samba.org>
> >> Autobuild-Date(master): Wed Sep 12 21:18:09 CEST 2012 on sn-devel-104
> >
> > Does the DNS register command at 'net ads join' time using a specified
> > password still run with this patch? As I read it, this will now need to
> > be passed the output of ads_init_gssapi_cred().
> Since net_ads.c uses ads_kinit_password(), it calls into
> kerberos_kinit_password_ext() with ads->auth.ccache_name.
> kerberos_kinit_password_ext() checks if ccache_name is NULL, then it
> uses default one already and net_ads.c actually ensures the default
> name is set in the environment with use_in_memory_ccache().
>
> If ads->auth.ccache_name is not set, ads_init_gssapi_cred() will
> return ADS_SUCCESS and will not touch the cred itself. This means
> gss_init_sec_context() will be called with GSS_C_NO_CREDENTIAL and
> will rely on the default credential discovery.
>
> So I believe it still works.
Yes this is how this patch has been engineered, previous uses are not
affected except for the ads code where we explicitly changed to rely on
the new, optional, behavior.
Simo.
--
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
More information about the samba-technical
mailing list