[PATCH] record session lifetime for gensec-authenticated ldap connections
Uri Simchoni
uri at samba.org
Mon Apr 18 21:02:34 UTC 2016
Hi,
This is a fix to a regression due to the latest security fix - not recording
the session lifetime in the ads struct.
Review appreciated,
Uri.
-------------- next part --------------
From 13d7085e7f1cb47a2c6283a0774101bbc68a8b98 Mon Sep 17 00:00:00 2001
From: Uri Simchoni <uri at samba.org>
Date: Mon, 18 Apr 2016 23:08:38 +0300
Subject: [PATCH] libads: record session expiry for spnego sasl binds
With the move to gensec-based spnego, record the session expiry
in tgs_expire, so that libads users such as winbindd can use this info
to determine how long to keep the connection.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11852
Signed-off-by: Uri Simchoni <uri at samba.org>
---
source3/libads/sasl.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 22aa9cf..b8d4527 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -134,6 +134,7 @@ static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads,
struct auth_generic_state *auth_generic_state;
bool use_spnego_principal = lp_client_use_spnego_principal();
const char *sasl_list[] = { sasl, NULL };
+ NTTIME end_nt_time;
nt_status = auth_generic_client_prepare(NULL, &auth_generic_state);
if (!NT_STATUS_IS_OK(nt_status)) {
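Review bot: end_nt_time is declared at the top of ads_sasl_spnego_gensec_bind() without an initializer, while the only lines in this patch that touch it are in the block added near line 308. Initializing it at the declaration, for example to GENSEC_EXPIRE_TIME_INFINITY, would keep a later edit from reading it before gensec_expire_time() has assigned it.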
@@ -307,6 +308,14 @@ static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads,
}
}
+ ads->auth.tgs_expire = LONG_MAX;
+ end_nt_time = gensec_expire_time(auth_generic_state->gensec_security);
+ if (end_nt_time != GENSEC_EXPIRE_TIME_INFINITY) {
+ struct timeval tv;
+ nttime_to_timeval(&tv, end_nt_time);
+ ads->auth.tgs_expire = tv.tv_sec;
+ }
+
if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
size_t max_wrapped = gensec_max_wrapped_size(auth_generic_state->gensec_security);
ads->ldap.out.max_unwrapped = gensec_max_input_size(auth_generic_state->gensec_security);
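Review bot: the added block special-cases only GENSEC_EXPIRE_TIME_INFINITY, so any other value returned by gensec_expire_time(), including 0 or a time already in the past, is converted and stored in ads->auth.tgs_expire unchanged. Since the commit message says libads users such as winbindd use this field to decide how long to keep the connection, it is worth stating in a comment or an explicit check what those callers should see in that case. Separately, LONG_MAX as the default ties the "never expires" sentinel to the width of long rather than to the type of tgs_expire; a maximum defined for the field's own type would be safer, and a one-line comment saying that this value means "no expiry reported" would help readers.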
--
2.5.5