[PATCHSET] add support for DIR: based credential caches

Guenther Deschner gd at samba.org
Mon Jul 22 06:03:44 MDT 2013


Hi,

attached find some patches to add support for DIR: based krb5 credential
caches in kerberized pam_winbind logons. The pam_winbind.conf
configuration file now also allows defining custom patterns for DIR:
and FILE: paths, including numeric uid substitution using "%u".

Guenther
-- 
Günther Deschner                    GPG-ID: 8EE11688
Red Hat                         gdeschner at redhat.com
Samba Team                              gd at samba.org
From ff54a2b825bf855b4b26113a7369d45f6c02c99d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd at samba.org>
Date: Thu, 18 Jul 2013 19:04:29 +0200
Subject: [PATCH 1/3] wbinfo: allow to define a custom krb5ccname for
 kerberized pam auth.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd at samba.org>
---
 nsswitch/wbinfo.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
index a1ca7fc..cba469e 100644
--- a/nsswitch/wbinfo.c
+++ b/nsswitch/wbinfo.c
@@ -2097,6 +2097,7 @@ int main(int argc, char **argv, char **envp)
 	bool use_lanman = false;
 	char *logoff_user = getenv("USER");
 	int logoff_uid = geteuid();
+	const char *opt_krb5ccname = "FILE";
 
 	struct poptOption long_options[] = {
 		POPT_AUTOHELP
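Review bot: `opt_krb5ccname` is declared unconditionally here, while the only option-table entry that references it (the "krb5ccname" entry added in the following hunk) sits just before an `#endif`; if the `case 'K'` handler that consumes the variable is compiled under the same conditional, builds without that block will see an unused variable and may warn. Consider declaring it inside the same conditional, or at least confirm the build is warning-free in both configurations.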
@@ -2178,6 +2179,7 @@ int main(int argc, char **argv, char **envp)
 		{ "krb5auth", 'K', POPT_ARG_STRING, &string_arg, 'K', "authenticate user using Kerberos", "user%password" },
 			/* destroys wbinfo --help output */
 			/* "user%password,DOM\\user%password,user at EXAMPLE.COM,EXAMPLE.COM\\user%password" }, */
+		{ "krb5ccname", 0, POPT_ARG_STRING, &opt_krb5ccname, '0', "authenticate user using Kerberos and specific credential cache type", "krb5ccname" },
 #endif
 		{ "separator", 0, POPT_ARG_NONE, 0, OPT_SEPARATOR, "Get the active winbind separator", NULL },
 		{ "verbose", 0, POPT_ARG_NONE, 0, OPT_VERBOSE, "Print additional information per command", NULL },
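Review bot: the val field of the new "krb5ccname" entry is the character constant `'0'` (ASCII 48), not the integer `0`. popt returns any non-zero val from poptGetNextOpt(), so this option will be delivered to the option switch exactly like `'K'` is and, unless a `case '0'` exists, will land in the default branch; if popt is meant to store the argument into `opt_krb5ccname` silently, the val should be `0`. The help string "authenticate user using Kerberos and specific credential cache type" is also misleading, since this option does not authenticate by itself; something like "credential cache type or path to use with --krb5auth" would be clearer, and the wbinfo(1) manpage is not updated anywhere in this series.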
@@ -2547,13 +2549,13 @@ int main(int argc, char **argv, char **envp)
 						 WBFLAG_PAM_INFO3_TEXT |
 						 WBFLAG_PAM_CONTACT_TRUSTDOM;
 
-				if (!wbinfo_auth_krb5(string_arg, "FILE",
+				if (!wbinfo_auth_krb5(string_arg, opt_krb5ccname,
 						      flags)) {
 					d_fprintf(stderr,
 						"Could not authenticate user "
 						"[%s] with Kerberos "
 						"(ccache: %s)\n", string_arg,
-						"FILE");
+						opt_krb5ccname);
 					goto done;
 				}
 				break;
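Review bot: the value of `--krb5ccname` is passed to wbinfo_auth_krb5() without any client-side check, so an unsupported cache type or a malformed path is only rejected inside winbindd, and the single error message printed here cannot tell the user whether Kerberos authentication failed or the credential-cache request was refused. Printing the ccache string (as done) is good; a hint in the message or help text listing the accepted forms (FILE, DIR, FILE:/path, DIR:/path with one %u) would make failures easier to diagnose.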
-- 
1.8.3.1


From 30e55f807eaf7d5f28afda1d352c723d81dfc924 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd at samba.org>
Date: Thu, 18 Jul 2013 19:05:51 +0200
Subject: [PATCH 2/3] s3-winbindd: support the DIR pragma for raw kerberos user
 pam authentication.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

It is currently only available in MIT. In addition, allow defining custom
filepaths for FILE, WRFILE and DIR pragmas and substitute one occurrence of the
%u pattern.

Guenther

Signed-off-by: Günther Deschner <gd at samba.org>
Pair-Programmed-With: Andreas Schneider <asn at samba.org>
---
 source3/winbindd/winbindd_pam.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index aed4741..7b67154 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -492,6 +492,29 @@ static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
 			gen_cc = talloc_asprintf(
 				mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
 		}
+		if (strequal(type, "DIR")) {
+			gen_cc = talloc_asprintf(
+				mem_ctx, "DIR:/run/user/%d/krb5cc", uid);
+		}
+
+		if (strnequal(type, "FILE:/", 6) ||
+		    strnequal(type, "WRFILE:/", 8) ||
+		    strnequal(type, "DIR:/", 5)) {
+
+			/* we allow only one "%u" substitution */
+
+			char *p;
+
+			p = strchr(type, '%');
+			if (p != NULL) {
+
+				p++;
+
+				if (p != NULL && *p == 'u' && strchr(p, '%') == NULL) {
+					gen_cc = talloc_asprintf(mem_ctx, type, uid);
+				}
+			}
+		}
 	}
 
 	*user_ccache_file = gen_cc;
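Review bot: `talloc_asprintf(mem_ctx, type, uid)` uses a caller-supplied string as the format string. The guard above it does limit the string to at most one conversion and requires that conversion to be exactly `%u`, so it is safe as written, but the safety rests entirely on that check staying in step with the call; building the path explicitly (copy the bytes before the `%`, append the uid with a fixed `"%u"`, append the remainder) would remove the user-controlled format and make the intent obvious. Smaller points: the `p != NULL` test after `p++` is redundant, since `p` was already non-NULL; when a pattern fails the check (for example `%d`, `%lu`, or a second `%`) `gen_cc` is left unchanged with no diagnostic, so a DEBUG line would help administrators who mistype the pattern; and since `type` originates from the client request (the wbinfo change in this series passes it straight from the command line), please confirm the caller binds the resulting path to the requesting user's uid and privileges before the cache is written, now that any absolute `FILE:/`, `WRFILE:/` or `DIR:/` path is accepted. The commit message notes that DIR is MIT-only, but nothing here checks for that, so on a Heimdal build a `DIR:` request will only fail later when the cache is resolved; a configure-time check or an explicit error at this point would be friendlier.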
-- 
1.8.3.1


From da338cd6209616c6da2751216f1e0dfc578ad2d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd at samba.org>
Date: Thu, 18 Jul 2013 19:09:14 +0200
Subject: [PATCH 3/3] pam_winbind: update documentation for "DIR" krb5ccname
 pragma.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd at samba.org>
---
 docs-xml/manpages/pam_winbind.conf.5.xml | 39 ++++++++++++++++++++++++--------
 examples/pam_winbind/pam_winbind.conf    |  3 ++-
 2 files changed, 31 insertions(+), 11 deletions(-)

diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
index 8c36719..020cb67 100644
--- a/docs-xml/manpages/pam_winbind.conf.5.xml
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
@@ -106,16 +106,35 @@
 		<term>krb5_ccache_type = [type]</term>
 		<listitem><para>
 
-		When pam_winbind is configured to try kerberos authentication
-		by enabling the <parameter>krb5_auth</parameter> option, it can
-		store the retrieved Ticket Granting Ticket (TGT) in a
-		credential cache. The type of credential cache can be set with
-		this option. Currently the only supported value is:
-		<parameter>FILE</parameter>. In that case a credential cache in
-		the form of /tmp/krb5cc_UID will be created, where UID is
-		replaced with the numeric user id.  Leave empty to just do
-		kerberos authentication without having a ticket cache after the
-		logon has succeeded. This setting is empty by default.
+		When pam_winbind is configured to try kerberos authentication by
+		enabling the <parameter>krb5_auth</parameter> option, it can
+		store the retrieved Ticket Granting Ticket (TGT) in a credential
+		cache. The type of credential cache can be controlled with this
+		option.  The supported values are: <parameter>FILE</parameter>
+		and <parameter>DIR</parameter> (when the DIR type is supported
+		by the system's Kerberos library). In case of FILE a credential
+		cache in the form of /tmp/krb5cc_UID will be created -  in case
+		of DIR it will be located under the /run/user/UID/krb5cc
+		directory.  UID is replaced with the numeric user id.</para>
+
+		<para>It is also possible to define custom filepaths and use the "%u"
+		pattern in order to substitue the numeric user id.
+		Examples:</para>
+
+		<variablelist>
+			<varlistentry>
+				<term>krb5_ccache_type = DIR:/run/user/%u/krb5cc</term>
+					<listitem><para>This will create a credential cache file in the specified directory.</para></listitem>
+			</varlistentry>
+			<varlistentry>
+				<term>krb5_ccache_type = FILE:/tmp/krb5cc_%u</term>
+					<listitem><para>This will create a credential cache file.</para></listitem>
+			</varlistentry>
+		</variablelist>
+
+		<para> Leave empty to just do kerberos authentication without
+			having a ticket cache after the logon has succeeded.
+			This setting is empty by default.
 
 		</para></listitem>
 		</varlistentry>
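Review bot: the new text documents custom paths for FILE and DIR only, while the winbindd change in this series also accepts `WRFILE:/...` patterns; either document WRFILE here or drop it from the code so the manpage and the implementation agree. In the added lines, "substitue" should be "substitute", "created -  in case" has a stray dash and a double space, and the DIR example's description "This will create a credential cache file in the specified directory" should say that the directory will hold the user's cache collection, since the DIR: type names a directory of caches rather than a single file. It would also help to note that the `%u` pattern may appear only once and must be literally `%u` (no other conversions are accepted).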
diff --git a/examples/pam_winbind/pam_winbind.conf b/examples/pam_winbind/pam_winbind.conf
index dd0b112..87bc388 100644
--- a/examples/pam_winbind/pam_winbind.conf
+++ b/examples/pam_winbind/pam_winbind.conf
@@ -3,6 +3,7 @@
 #
 # /etc/security/pam_winbind.conf
 #
+# For more details see man pam_winbind.conf(5)
 
 [global]
 
@@ -19,7 +20,7 @@
 # authenticate using kerberos
 ;krb5_auth = no
 
-# when using kerberos, request a "FILE" krb5 credential cache type
+# when using kerberos, request a "FILE" or "DIR" krb5 credential cache type
 # (leave empty to just do krb5 authentication but not have a ticket
 # afterwards)
 ;krb5_ccache_type =
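Review bot: the comment now mentions "DIR", but the example does not show the custom-path form that the manpage change in this series documents (for example a commented-out `;krb5_ccache_type = DIR:/run/user/%u/krb5cc`); adding one such line here would give administrators a copy-and-paste starting point, and a short hint that DIR requires support in the system's Kerberos library would match the manpage text.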
-- 
1.8.3.1

