kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred (bug #12369)

Stefan Metzmacher metze at samba.org
Mon Oct 10 20:03:58 UTC 2016


Hi,

here's the correct patch (I forgot to pass the hash to "git format-patch
--stdout -3" ...)

metze
Am 10.10.2016 um 18:08 schrieb Stefan Metzmacher:
> Hi Uri,
> 
> it seems the patches for https://bugzilla.samba.org/show_bug.cgi?id=12007
> introduced a regression (at least when using Heimdal).
> See https://bugzilla.samba.org/show_bug.cgi?id=12369
> 
> The problem is that a kinit into a MEMORY: ccache doesn't imply
> a kdestroy.
> 
> So while doing a new kinit to get a TGT, we still have the
> expired service tickets in the cache. And gss_init_sec_context()
> tries to use the old ticket.
> 
> With the patches for #12007 we now use MEMORY:ads_sasl_spnego_bind
> instead of MEMORY:winbind_ccache, which means the explicit
> ads_kdestroy(WINBIND_CCACHE_NAME); no longer touches the cache the bind actually uses.
> 
> With MIT krb5 a kinit into a MEMORY: ccache clears the existing cache;
> I've added that to Heimdal too now.
> 
> I've tested the following patches just with heimdal
> and the problem went away.
> 
> Please have a look and test.
> 
> Thanks!
> metze
> 
From 29e3c4e295078f9b4748c4fa2b4b7455d433f83d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 10 Oct 2016 15:53:26 +0200
Subject: [PATCH 1/3] HEIMDAL:lib/krb5: destroy a memory ccache on reinit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
---
 source4/heimdal/lib/krb5/mcache.c | 52 ++++++++++++++++++++++++++-------------
 1 file changed, 35 insertions(+), 17 deletions(-)

diff --git a/source4/heimdal/lib/krb5/mcache.c b/source4/heimdal/lib/krb5/mcache.c
index e4b90c1..dc79b87 100644
--- a/source4/heimdal/lib/krb5/mcache.c
+++ b/source4/heimdal/lib/krb5/mcache.c
@@ -155,13 +155,47 @@ mcc_gen_new(krb5_context context, krb5_ccache *id)
     return 0;
 }
 
+static void KRB5_CALLCONV
+mcc_destroy_internal(krb5_context context,
+		     krb5_mcache *m)
+{
+    struct link *l;
+
+    if (m->primary_principal != NULL) {
+	krb5_free_principal (context, m->primary_principal);
+	m->primary_principal = NULL;
+    }
+    m->dead = 1;
+
+    l = m->creds;
+    while (l != NULL) {
+	struct link *old;
+
+	krb5_free_cred_contents (context, &l->cred);
+	old = l;
+	l = l->next;
+	free (old);
+    }
+
+    m->creds = NULL;
+    return;
+}
+
 static krb5_error_code KRB5_CALLCONV
 mcc_initialize(krb5_context context,
 	       krb5_ccache id,
 	       krb5_principal primary_principal)
 {
     krb5_mcache *m = MCACHE(id);
+    /*
+     * It's important to destroy any existing
+     * creds here, that matches the baheviour
+     * of all other backends and also the
+     * MEMORY: backend in MIT.
+     */
+    mcc_destroy_internal(context, m);
     m->dead = 0;
+    m->kdc_offset = 0;
     m->mtime = time(NULL);
     return krb5_copy_principal (context,
 				primary_principal,
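Review bot: mcc_initialize marks the cache live with `m->dead = 0;` before krb5_copy_principal runs, and mcc_destroy_internal has just set m->primary_principal to NULL, so if the copy fails (presumably leaving its destination untouched) the cache is left with dead == 0, creds == NULL and no primary principal; before this change a failed copy at least left the old principal in place. Consider only clearing dead on success: `ret = krb5_copy_principal(context, primary_principal, &m->primary_principal); if (ret == 0) m->dead = 0; return ret;` with `krb5_error_code ret;` declared at the top. Whether the other mcc_* entry points tolerate a NULL primary_principal on a live cache is not visible in this hunk. Two style nits on the new code: the comment typo `baheviour` → `behaviour`, and the trailing `return;` in the void helper is redundant. mcc_initialize's body continues past the end of the hunk.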
@@ -195,7 +229,6 @@ mcc_destroy(krb5_context context,
 	    krb5_ccache id)
 {
     krb5_mcache **n, *m = MCACHE(id);
-    struct link *l;
 
     if (m->refcnt == 0)
 	krb5_abortx(context, "mcc_destroy: refcnt already 0");
@@ -211,22 +244,7 @@ mcc_destroy(krb5_context context,
 	    }
 	}
 	HEIMDAL_MUTEX_unlock(&mcc_mutex);
-	if (m->primary_principal != NULL) {
-	    krb5_free_principal (context, m->primary_principal);
-	    m->primary_principal = NULL;
-	}
-	m->dead = 1;
-
-	l = m->creds;
-	while (l != NULL) {
-	    struct link *old;
-
-	    krb5_free_cred_contents (context, &l->cred);
-	    old = l;
-	    l = l->next;
-	    free (old);
-	}
-	m->creds = NULL;
+	mcc_destroy_internal(context, m);
     }
     return 0;
 }
-- 
1.9.1


From f9b611fcefc35524ca5e975f3e4a9935fbaaae76 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 10 Oct 2016 17:07:12 +0200
Subject: [PATCH 2/3] s3:libads: don't use MEMORY:ads_sasl_gssapi_do_bind nor
 set "KRB5CCNAME"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Most callers just set "KRB5CCNAME", but leave ads->auth.ccache_name = NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
---
 source3/libads/sasl.c | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 85a2eb0..4e4486f 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -1027,7 +1027,6 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)
 {
 	ADS_STATUS status;
 	struct ads_service_principal p;
-	const char *ccache_name = "MEMORY:ads_sasl_gssapi_do_bind";
 
 	status = ads_generate_service_principal(ads, &p);
 	if (!ADS_ERR_OK(status)) {
@@ -1046,10 +1045,6 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)
 			  "calling kinit\n", ads_errstr(status)));
 	}
 
-	if (ads->auth.ccache_name != NULL) {
-		ccache_name = ads->auth.ccache_name;
-	}
-	setenv(KRB5_ENV_CCNAME, ccache_name, 1);
 	status = ADS_ERROR_KRB5(ads_kinit_password(ads));
 
 	if (ADS_ERR_OK(status)) {
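Review bot: With the `setenv(KRB5_ENV_CCNAME, ...)` gone, ads->auth.ccache_name is no longer consulted anywhere this hunk shows, so a caller that does set it will have ads_kinit_password() place its TGT in the process-default credential cache (whatever KRB5CCNAME or the library default resolves to) instead of the cache it asked for. The commit message says most callers leave the field NULL, which implies some may not; either keep `if (ads->auth.ccache_name != NULL) setenv(KRB5_ENV_CCNAME, ads->auth.ccache_name, 1);` ahead of the kinit, or document on the ADS_STRUCT field that this path ignores it so the divergence is clearly deliberate. A kinit into the default cache also overwrites whatever principal was there, a wider blast radius than the per-bind MEMORY: cache the old code used, so a one-line comment above the call such as `/* kinit goes to the caller-selected default ccache (KRB5CCNAME); callers needing isolation set it before binding */` would help the next reader. ads_sasl_gssapi_bind continues past the end of the hunk.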
-- 
1.9.1


From 1672cf9ea680ce7d0b537828c036c703041e6d4f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 10 Oct 2016 17:07:12 +0200
Subject: [PATCH 3/3] s3:libads: don't use MEMORY:ads_sasl_spnego_bind nor set
 "KRB5CCNAME"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Most callers just set "KRB5CCNAME", but leave ads->auth.ccache_name = NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
---
 source3/libads/sasl.c | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 4e4486f..39c60c3 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -749,11 +749,6 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 	if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
 	    got_kerberos_mechanism) 
 	{
-		const char *ccache_name = "MEMORY:ads_sasl_spnego_bind";
-		if (ads->auth.ccache_name != NULL) {
-			ccache_name = ads->auth.ccache_name;
-		}
-
 		if (ads->auth.password == NULL ||
 		    ads->auth.password[0] == '\0')
 		{
@@ -771,7 +766,6 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 				  "calling kinit\n", ads_errstr(status)));
 		}
 
-		setenv(KRB5_ENV_CCNAME, ccache_name, 1);
 		status = ADS_ERROR_KRB5(ads_kinit_password(ads)); 
 
 		if (ADS_ERR_OK(status)) {
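Review bot: Dropping the per-bind MEMORY: cache here removes a process-wide, non-thread-safe setenv(), which is welcome, but it also makes ads->auth.ccache_name dead on the SPNEGO path as far as this hunk shows: the `ads_kinit_password(ads)` call now writes into the process-default cache regardless of what the caller put in that field. If the intent is that callers express their choice solely through KRB5CCNAME, a comment saying so at the kinit site (`/* uses the process default ccache; ads->auth.ccache_name is not honoured here */`) would stop someone re-adding the field later; if not, `if (ads->auth.ccache_name != NULL) setenv(KRB5_ENV_CCNAME, ads->auth.ccache_name, 1);` preserves the old contract for the callers that set it. The fix for the stale-ticket regression itself relies on the default cache being cleared by the separate Heimdal change and the existing ads_kdestroy in winbind, which is only described in the cover mail, not in this commit message. ads_sasl_spnego_bind continues past the end of the hunk.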
-- 
1.9.1


