[PATCH] libads: record service ticket endtime for sealed ldap connections

Jeremy Allison jra at samba.org
Mon May 11 12:00:52 MDT 2015


On Mon, May 11, 2015 at 10:28:20AM -0700, Jeremy Allison wrote:
> On Sat, May 09, 2015 at 10:59:17PM +0300, Uri Simchoni wrote:
> > When a ticket is obtained for binding a signed/sealed ldap connection,
> > its lifetime should be recorded in the ads struct, in order to enable
> > reuse of the connection.
> 
> Oh that's a really smart catch - thanks !
> 
> However I think we should also handle the
> gss_context_time returns context_validity == 0
> case where the context has already expired.
> 
> Does the following also work for you ?

Can I get a second Team reviewer ?

Thanks !

Jeremy.

> From daa6c09b7a2931aacd531bb49daf6e47e843a059 Mon Sep 17 00:00:00 2001
> From: Uri Simchoni <urisimchoni at gmail.com>
> Date: Sat, 9 May 2015 22:59:17 +0300
> Subject: [PATCH] libads: record service ticket endtime for sealed ldap
>  connections
> 
> When a ticket is obtained for binding a signed/sealed ldap connection,
> its lifetime should be recorded in the ads struct, in order to enable
> reuse of the connection.
> 
> Signed-off-by: Uri Simchoni <urisimchoni at gmail.com>
> Reviewed-by: Jeremy Allison <jra at samba.org>
> ---
>  source3/libads/sasl.c | 20 ++++++++++++++++++++
>  1 file changed, 20 insertions(+)
> 
> diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
> index ce3740f..af50186 100644
> --- a/source3/libads/sasl.c
> +++ b/source3/libads/sasl.c
> @@ -458,6 +458,8 @@ static ADS_STATUS ads_sasl_spnego_gsskrb5_bind(ADS_STRUCT *ads, const gss_name_t
>  	DATA_BLOB unwrapped;
>  	DATA_BLOB wrapped;
>  	struct berval cred, *scred = NULL;
> +	uint32_t context_validity;
> +	time_t context_endtime = 0;
>  
>  	status = ads_init_gssapi_cred(ads, &gss_cred);
>  	if (!ADS_ERR_OK(status)) {
> @@ -652,6 +654,23 @@ static ADS_STATUS ads_sasl_spnego_gsskrb5_bind(ADS_STRUCT *ads, const gss_name_t
>  		goto failed;
>  	}
>  
> +	gss_rc =
> +	    gss_context_time(&minor_status, context_handle, &context_validity);
> +	if (gss_rc == 0) {
> +		if (context_validity != 0) {
> +			context_endtime = time(NULL) + context_validity;
> +			DEBUG(10, ("context (service ticket) valid for "
> +				"%u seconds\n",
> +				context_validity));
> +		} else {
> +			DEBUG(10, ("context (service ticket) expired\n"));
> +		}
> +	} else {
> +		DEBUG(1, ("gss_context_time failed (%d,%u) -"
> +			  " this will be a one-time context\n",
> +			  gss_rc, minor_status));
> +	}
> +
>  	if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
>  		uint32_t max_msg_size = ADS_SASL_WRAPPING_OUT_MAX_WRAPPED;
>  
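Review bot: the `context_validity != 0` test inside the `gss_rc == 0` branch is unlikely to ever see the expired case, because GSS-API reports an already-expired context through the major status (GSS_S_CONTEXT_EXPIRED, with the time value set to 0) rather than through GSS_S_COMPLETE plus a zero validity; as written, an expired context falls through to the final `else` and is logged at level 1 as `gss_context_time failed (...) - this will be a one-time context`. Suggest matching the expired status explicitly, e.g. `} else if (gss_rc == GSS_S_CONTEXT_EXPIRED) {` carrying the `context (service ticket) expired` DEBUG, and then deciding whether the bind should proceed at all with a context that is already expired, rather than only leaving `context_endtime` at 0 and continuing into the wrapping setup below.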
> @@ -677,6 +696,7 @@ static ADS_STATUS ads_sasl_spnego_gsskrb5_bind(ADS_STRUCT *ads, const gss_name_t
>  		context_handle = GSS_C_NO_CONTEXT;
>  	}
>  
> +	ads->auth.tgs_expire = context_endtime;
>  	status = ADS_SUCCESS;
>  
>  failed:
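Review bot: `ads->auth.tgs_expire = context_endtime;` stores 0 both when `gss_context_time` failed and when the context was reported expired, so any caller that consults `tgs_expire` to decide whether a cached connection can be reused must treat 0 as "not reusable" rather than "no expiry known"; the two cases are only distinguishable in the debug log, so a one-line comment next to the assignment (or on the field in `ADS_STRUCT`) stating that 0 means do-not-reuse would help. Also note the value is only written on the success path: after a `goto failed` earlier in the function, a `tgs_expire` left over from a previous successful bind on the same `ads` is kept as-is.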
> -- 
> 2.2.0.rc0.207.ga3a616c
> 
