[PATCH] libads: record service ticket endtime for sealed ldap connections

Uri Simchoni urisimchoni at gmail.com
Sat May 9 22:39:43 MDT 2015


Also opened a bug to record the behavior this fixes:
https://bugzilla.samba.org/show_bug.cgi?id=11267


On Sat, May 9, 2015 at 10:59 PM, Uri Simchoni <urisimchoni at gmail.com> wrote:

> When a ticket is obtained for binding a signed/sealed ldap connection,
> its lifetime should be recorded in the ads struct, in order to enable
> reuse of the connection.
>
> Signed-off-by: Uri Simchoni <urisimchoni at gmail.com>
> ---
>  source3/libads/sasl.c | 15 +++++++++++++++
>  1 file changed, 15 insertions(+)
>
> diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
> index ce3740f..14afbc3 100644
> --- a/source3/libads/sasl.c
> +++ b/source3/libads/sasl.c
> @@ -458,6 +458,8 @@ static ADS_STATUS
> ads_sasl_spnego_gsskrb5_bind(ADS_STRUCT *ads, const gss_name_t
>         DATA_BLOB unwrapped;
>         DATA_BLOB wrapped;
>         struct berval cred, *scred = NULL;
> +       uint32_t context_validity;
> +       time_t context_endtime = 0;
>
>         status = ads_init_gssapi_cred(ads, &gss_cred);
>         if (!ADS_ERR_OK(status)) {
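Review bot: the zero initializer on `time_t context_endtime = 0;` is doing real work: it is the value that ends up in `ads->auth.tgs_expire` whenever `gss_context_time()` fails later in this function, so a one-line comment here stating that 0 means "no recorded expiry, treat the context as one-time" would save readers of the reuse logic from having to trace both hunks to learn that. `context_validity` is left uninitialized, which is fine only because every read of it is guarded by the `gss_rc == 0` check below; keep that invariant if the block is ever refactored.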
> @@ -652,6 +654,18 @@ static ADS_STATUS
> ads_sasl_spnego_gsskrb5_bind(ADS_STRUCT *ads, const gss_name_t
>                 goto failed;
>         }
>
> +       gss_rc =
> +           gss_context_time(&minor_status, context_handle,
> &context_validity);
> +       if (gss_rc == 0) {
> +               context_endtime = time(NULL) + context_validity;
> +               DEBUG(10, ("context (service ticket) valid for %u
> seconds\n",
> +                          context_validity));
> +       } else {
> +               DEBUG(1, ("gss_context_time failed (%d,%u) -"
> +                         " this will be a one-time context\n",
> +                         gss_rc, minor_status));
> +       }
> +
>         if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
>                 uint32_t max_msg_size = ADS_SASL_WRAPPING_OUT_MAX_WRAPPED;
>
> @@ -677,6 +691,7 @@ static ADS_STATUS
> ads_sasl_spnego_gsskrb5_bind(ADS_STRUCT *ads, const gss_name_t
>                 context_handle = GSS_C_NO_CONTEXT;
>         }
>
> +       ads->auth.tgs_expire = context_endtime;
>         status = ADS_SUCCESS;
>
>  failed:
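Review bot: `ads->auth.tgs_expire = context_endtime;` is assigned only on the success path just before `status = ADS_SUCCESS;`, so a bind that jumps to `failed:` leaves any previous `tgs_expire` untouched while a bind whose `gss_context_time()` call failed overwrites it with 0. Both outcomes are defensible, but the code that reuses connections needs to treat 0 as "unknown, do not reuse" rather than "never expires"; please document that contract where `tgs_expire` is declared, or clamp to a conservative value here. Computing the endtime before the context handle is released to `GSS_C_NO_CONTEXT` (as this patch does, in the earlier hunk) is correct, since the handle is no longer valid at this point.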
> --
> 1.9.1
>
>

