[RFC] fix bug 12007 (libads and kinit only as fallback)

Uri Simchoni uri at samba.org
Wed Jul 6 20:55:23 UTC 2016


On 07/06/2016 02:15 PM, Stefan Metzmacher wrote:
>> As a short-term fix we may use similar logic in libads as in libsmb.
>>
>> The attached patches may need more work.
>>
I'm for the approach of those patches as a short term fix (and let's not
forget - a fix for stable versions).

I've tested and made slight modifications to your patch - besides build
issues, the original patch broke "net ads join -Uuser%password", because
the kinit was populating a different ccache - the one pointed to by
ads->auth.ccache_name (yeah, what a mess...).

Please review and push if happy.

Thanks,
Uri.

From 6d5cd96d39b79d0054b923a2a5aea1dddce9d8d6 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 6 Jul 2016 12:48:11 +0200
Subject: [PATCH 1/2] libads: ensure the right ccache is used during gssapi
 bind

When doing gssapi sasl bind:
1. Try working without kinit only if a password is not
   provided
2. When using kinit, ensure the KRB5CCNAME env var is set
   to a private memory ccache, so that the bind is on behalf
   of the requested user.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12007

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Uri Simchoni <uri at samba.org>
---
 source3/libads/sasl.c | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index d76d872..6c054cd 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -26,6 +26,7 @@
 #include "smb_krb5.h"
 #include "system/gssapi.h"
 #include "lib/param/loadparm.h"
+#include "krb5_env.h"
 
 #ifdef HAVE_LDAP
 
@@ -1015,21 +1016,29 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)
 {
 	ADS_STATUS status;
 	struct ads_service_principal p;
+	const char *ccache_name = "MEMORY:ads_sasl_gssapi_do_bind";
 
 	status = ads_generate_service_principal(ads, &p);
 	if (!ADS_ERR_OK(status)) {
 		return status;
 	}
 
-	status = ads_sasl_gssapi_do_bind(ads, p.name);
-	if (ADS_ERR_OK(status)) {
-		ads_free_service_principal(&p);
-		return status;
-	}
+	if (ads->auth.password == NULL ||
+	    ads->auth.password[0] == '\0') {
+		status = ads_sasl_gssapi_do_bind(ads, p.name);
+		if (ADS_ERR_OK(status)) {
+			ads_free_service_principal(&p);
+			return status;
+		}
 
-	DEBUG(10,("ads_sasl_gssapi_do_bind failed with: %s, "
-		  "calling kinit\n", ads_errstr(status)));
+		DEBUG(10,("ads_sasl_gssapi_do_bind failed with: %s, "
+			  "calling kinit\n", ads_errstr(status)));
+	}
 
+	if (ads->auth.ccache_name != NULL) {
+		ccache_name = ads->auth.ccache_name;
+	}
+	setenv(KRB5_ENV_CCNAME, ccache_name, 1);
 	status = ADS_ERROR_KRB5(ads_kinit_password(ads));
 
 	if (ADS_ERR_OK(status)) {
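Review bot: the `setenv(KRB5_ENV_CCNAME, ccache_name, 1);` added just before the kinit call overwrites the process-wide KRB5CCNAME and nothing in this hunk restores the previous value, so once ads_sasl_gssapi_bind() has run, every later Kerberos operation in the same process (other binds, other callers of libads) is silently pinned to "MEMORY:ads_sasl_gssapi_do_bind" or to ads->auth.ccache_name. Suggest saving getenv(KRB5_ENV_CCNAME) before the call and restoring it (or unsetenv) once the bind has completed, and checking setenv()'s return value: if it fails, ads_kinit_password() populates whichever ccache was previously active, which is exactly the mix-up the commit message says this change prevents. A one-line comment above the fixed "MEMORY:" name would also help, since a MEMORY: cache with a constant name is shared by every call in the process and keeps the last user's tickets in memory until exit.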
-- 
2.5.5


From 4ad9af428885b5c1b45de386b8f5899439b68ef2 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 6 Jul 2016 12:44:11 +0200
Subject: [PATCH 2/2] libads: ensure the right ccache is used during spnego
 bind

When doing spnego sasl bind:
1. Try working without kinit only if a password is not
   provided
2. When using kinit, ensure the KRB5CCNAME env var is set
   to a private memory ccache, so that the bind is on behalf
   of the requested user.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12007

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Uri Simchoni <uri at samba.org>
---
 source3/libads/sasl.c | 29 ++++++++++++++++++++---------
 1 file changed, 20 insertions(+), 9 deletions(-)

diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 6c054cd..85a2eb0 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -749,18 +749,29 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 	if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
 	    got_kerberos_mechanism) 
 	{
-		status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
-						     CRED_MUST_USE_KERBEROS,
-						     p.service, p.hostname,
-						     blob);
-		if (ADS_ERR_OK(status)) {
-			ads_free_service_principal(&p);
-			goto done;
+		const char *ccache_name = "MEMORY:ads_sasl_spnego_bind";
+		if (ads->auth.ccache_name != NULL) {
+			ccache_name = ads->auth.ccache_name;
 		}
 
-		DEBUG(10,("ads_sasl_spnego_gensec_bind(KRB5) failed with: %s, "
-			  "calling kinit\n", ads_errstr(status)));
+		if (ads->auth.password == NULL ||
+		    ads->auth.password[0] == '\0')
+		{
+
+			status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
+							     CRED_MUST_USE_KERBEROS,
+							     p.service, p.hostname,
+							     blob);
+			if (ADS_ERR_OK(status)) {
+				ads_free_service_principal(&p);
+				goto done;
+			}
+
+			DEBUG(10,("ads_sasl_spnego_gensec_bind(KRB5) failed with: %s, "
+				  "calling kinit\n", ads_errstr(status)));
+		}
 
+		setenv(KRB5_ENV_CCNAME, ccache_name, 1);
 		status = ADS_ERROR_KRB5(ads_kinit_password(ads)); 
 
 		if (ADS_ERR_OK(status)) {
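Review bot: the same unrestored `setenv(KRB5_ENV_CCNAME, ccache_name, 1);` issue as in ads_sasl_gssapi_bind() applies here: the environment change outlives the bind and its return value is not checked, so a later caller in the same process inherits "MEMORY:ads_sasl_spnego_bind" as its default ccache. Two style points in the new block: the empty line directly after the opening brace of `if (ads->auth.password == NULL || ads->auth.password[0] == '\0')` should go, and that brace sits on its own line while the `if (ads->auth.ccache_name != NULL) {` check a few lines above (and the surrounding function) puts it on the condition line. The password check and the ccache_name selection are now duplicated verbatim between the gssapi and spnego bind paths; a small shared helper in sasl.c would keep the two from drifting apart.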
-- 
2.5.5
