[PATCH] libads: record service ticket endtime for sealed ldap connections

Uri Simchoni urisimchoni at gmail.com
Sat May 9 13:59:17 MDT 2015


When a ticket is obtained for binding a signed/sealed ldap connection,
its lifetime should be recorded in the ads struct, in order to enable
reuse of the connection.

Signed-off-by: Uri Simchoni <urisimchoni at gmail.com>
---
 source3/libads/sasl.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index ce3740f..14afbc3 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -458,6 +458,8 @@ static ADS_STATUS ads_sasl_spnego_gsskrb5_bind(ADS_STRUCT *ads, const gss_name_t
 	DATA_BLOB unwrapped;
 	DATA_BLOB wrapped;
 	struct berval cred, *scred = NULL;
+	uint32_t context_validity;
+	time_t context_endtime = 0;
 
 	status = ads_init_gssapi_cred(ads, &gss_cred);
 	if (!ADS_ERR_OK(status)) {
@@ -652,6 +654,18 @@ static ADS_STATUS ads_sasl_spnego_gsskrb5_bind(ADS_STRUCT *ads, const gss_name_t
 		goto failed;
 	}
 
+	gss_rc =
+	    gss_context_time(&minor_status, context_handle, &context_validity);
+	if (gss_rc == 0) {
+		context_endtime = time(NULL) + context_validity;
+		DEBUG(10, ("context (service ticket) valid for %u seconds\n",
+			   context_validity));
+	} else {
+		DEBUG(1, ("gss_context_time failed (%d,%u) -"
+			  " this will be a one-time context\n",
+			  gss_rc, minor_status));
+	}
+
 	if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
 		uint32_t max_msg_size = ADS_SASL_WRAPPING_OUT_MAX_WRAPPED;
 
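Review bot: the success check `if (gss_rc == 0)` should compare against `GSS_S_COMPLETE` rather than the bare literal, which is the GSSAPI idiom used elsewhere and makes the intent obvious; note also that `gss_context_time` reports the remaining lifetime of the context, so `time(NULL) + context_validity` is the right way to derive an absolute endtime only if it is evaluated right after the call, as it is here. Two smaller points on the same hunk: the error branch leaves `context_endtime` at 0, and the DEBUG text promises "this will be a one-time context", so the caller that decides on reuse must treat a 0 endtime as "do not reuse" (worth a one-line comment at the assignment, or initialising it explicitly with that meaning); and since the failure is handled gracefully, a level-1 DEBUG for it may be louder than warranted, level 3 or 5 would match how other non-fatal GSSAPI fallbacks are logged.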
@@ -677,6 +691,7 @@ static ADS_STATUS ads_sasl_spnego_gsskrb5_bind(ADS_STRUCT *ads, const gss_name_t
 		context_handle = GSS_C_NO_CONTEXT;
 	}
 
+	ads->auth.tgs_expire = context_endtime;
 	status = ADS_SUCCESS;
 
 failed:
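Review bot: `ads->auth.tgs_expire` is written unconditionally on the success path, including after the block just above that sets `context_handle = GSS_C_NO_CONTEXT;` and so appears to discard the security context. If that block is the unwrapped (plain) case, the commit message scopes this change to signed/sealed connections, so consider either skipping the assignment there or stating in the commit message that the endtime is recorded for all SASL/GSSAPI binds. Also, nothing resets `tgs_expire` on the `failed:` path, so a stale value from an earlier successful bind survives a failed rebind; clearing it on failure (or documenting that the caller checks the bind status first) would avoid a reuse decision based on an old ticket. Finally, the diffstat shows only `source3/libads/sasl.c` is touched, so the declaration of `auth.tgs_expire` is not updated to say it now also carries the GSSAPI context endtime from the SASL bind; a comment at the field definition would help the next reader.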
-- 
1.9.1


