kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred (bug #12369)
Stefan Metzmacher
metze at samba.org
Mon Oct 10 20:03:58 UTC 2016
Hi,
here's the correct patch (I forgot to pass the hash to "git format-patch
--stdout -3" ...)
metze
Am 10.10.2016 um 18:08 schrieb Stefan Metzmacher:
> Hi Uri,
>
> it seems the patches for https://bugzilla.samba.org/show_bug.cgi?id=12007
> introduced a regression (at least when using Heimdal).
> See https://bugzilla.samba.org/show_bug.cgi?id=12369
>
> The problem is that an kinit into a MEMORY: ccache doesn't imply
> a kdestroy.
>
> So while doing a new kinit to get a TGT, we still have the
> expired service tickets in the cache. And gss_init_sec_context()
> tries to use the old ticket.
>
> With the patches for #12007 we now use MEMORY:ads_sasl_spnego_bind
> instead of MEMORY:winbind_ccache. Which means the explicit
> ads_kdestroy(WINBIND_CCACHE_NAME); has no effect.
>
> With MIT krb5 a kinit to MEMORY ccache clear the existing cache,
> I've added that to Heimdal too now.
>
> I've tested the following patches just with heimdal
> and the problem went away.
>
> Please have a look and test.
>
> Thanks!
> metze
>
-------------- next part --------------
From 29e3c4e295078f9b4748c4fa2b4b7455d433f83d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 10 Oct 2016 15:53:26 +0200
Subject: [PATCH 1/3] HEIMDAL:lib/krb5: destroy a memory ccache on reinit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
---
source4/heimdal/lib/krb5/mcache.c | 52 ++++++++++++++++++++++++++-------------
1 file changed, 35 insertions(+), 17 deletions(-)
diff --git a/source4/heimdal/lib/krb5/mcache.c b/source4/heimdal/lib/krb5/mcache.c
index e4b90c1..dc79b87 100644
--- a/source4/heimdal/lib/krb5/mcache.c
+++ b/source4/heimdal/lib/krb5/mcache.c
@@ -155,13 +155,47 @@ mcc_gen_new(krb5_context context, krb5_ccache *id)
return 0;
}
+static void KRB5_CALLCONV
+mcc_destroy_internal(krb5_context context,
+ krb5_mcache *m)
+{
+ struct link *l;
+
+ if (m->primary_principal != NULL) {
+ krb5_free_principal (context, m->primary_principal);
+ m->primary_principal = NULL;
+ }
+ m->dead = 1;
+
+ l = m->creds;
+ while (l != NULL) {
+ struct link *old;
+
+ krb5_free_cred_contents (context, &l->cred);
+ old = l;
+ l = l->next;
+ free (old);
+ }
+
+ m->creds = NULL;
+ return;
+}
+
static krb5_error_code KRB5_CALLCONV
mcc_initialize(krb5_context context,
krb5_ccache id,
krb5_principal primary_principal)
{
krb5_mcache *m = MCACHE(id);
+ /*
+ * It's important to destroy any existing
+ * creds here, that matches the baheviour
+ * of all other backends and also the
+ * MEMORY: backend in MIT.
+ */
+ mcc_destroy_internal(context, m);
m->dead = 0;
+ m->kdc_offset = 0;
m->mtime = time(NULL);
return krb5_copy_principal (context,
primary_principal,
@@ -195,7 +229,6 @@ mcc_destroy(krb5_context context,
krb5_ccache id)
{
krb5_mcache **n, *m = MCACHE(id);
- struct link *l;
if (m->refcnt == 0)
krb5_abortx(context, "mcc_destroy: refcnt already 0");
@@ -211,22 +244,7 @@ mcc_destroy(krb5_context context,
}
}
HEIMDAL_MUTEX_unlock(&mcc_mutex);
- if (m->primary_principal != NULL) {
- krb5_free_principal (context, m->primary_principal);
- m->primary_principal = NULL;
- }
- m->dead = 1;
-
- l = m->creds;
- while (l != NULL) {
- struct link *old;
-
- krb5_free_cred_contents (context, &l->cred);
- old = l;
- l = l->next;
- free (old);
- }
- m->creds = NULL;
+ mcc_destroy_internal(context, m);
}
return 0;
}
--
1.9.1
From f9b611fcefc35524ca5e975f3e4a9935fbaaae76 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 10 Oct 2016 17:07:12 +0200
Subject: [PATCH 2/3] s3:libads: don't use MEMORY:ads_sasl_gssapi_do_bind nor
set "KRB5CCNAME"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Most callers just set "KRB5CCNAME", but leave ads->auth.ccache_name = NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
---
source3/libads/sasl.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 85a2eb0..4e4486f 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -1027,7 +1027,6 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)
{
ADS_STATUS status;
struct ads_service_principal p;
- const char *ccache_name = "MEMORY:ads_sasl_gssapi_do_bind";
status = ads_generate_service_principal(ads, &p);
if (!ADS_ERR_OK(status)) {
@@ -1046,10 +1045,6 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)
"calling kinit\n", ads_errstr(status)));
}
- if (ads->auth.ccache_name != NULL) {
- ccache_name = ads->auth.ccache_name;
- }
- setenv(KRB5_ENV_CCNAME, ccache_name, 1);
status = ADS_ERROR_KRB5(ads_kinit_password(ads));
if (ADS_ERR_OK(status)) {
--
1.9.1
From 1672cf9ea680ce7d0b537828c036c703041e6d4f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 10 Oct 2016 17:07:12 +0200
Subject: [PATCH 3/3] s3:libads: don't use MEMORY:ads_sasl_spnego_bind nor set
"KRB5CCNAME"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Most callers just set "KRB5CCNAME", but leave ads->auth.ccache_name = NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
---
source3/libads/sasl.c | 6 ------
1 file changed, 6 deletions(-)
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 4e4486f..39c60c3 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -749,11 +749,6 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
got_kerberos_mechanism)
{
- const char *ccache_name = "MEMORY:ads_sasl_spnego_bind";
- if (ads->auth.ccache_name != NULL) {
- ccache_name = ads->auth.ccache_name;
- }
-
if (ads->auth.password == NULL ||
ads->auth.password[0] == '\0')
{
@@ -771,7 +766,6 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
"calling kinit\n", ads_errstr(status)));
}
- setenv(KRB5_ENV_CCNAME, ccache_name, 1);
status = ADS_ERROR_KRB5(ads_kinit_password(ads));
if (ADS_ERR_OK(status)) {
--
1.9.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161010/45fee564/signature.sig>
More information about the samba-technical
mailing list