[WIP PATCH] cli_session_setup_creds()

Andreas Schneider asn at samba.org
Tue Sep 20 22:03:31 UTC 2016


Hello,

I'm working on a not so trivial patchset for libsmb. I've added a new function 
cli_session_setup_creds() to pass through a 'struct cli_credentials' down to 
gensec/gssapi.

I'm doing that for two reasons:

a) I need that to pass down the correct realm from winbind to gssapi to 
   correctly establish trusts with MIT Kerberos.
b) Metze started to dance when he heard that I will work on passing down
   cli_credentials :-)

There popped up several issues while working on that patchset and I haven't 
sorted out all of them.

First, several tests use the system credential store and shouldn't do that. 
The first patches in the attached patchset address that. They could already be 
pushed.

Second, I move the "kinit" with username and password from cli_session_setup() 
to gensec. The new code correctly looks for existing tickets, checks 
expiration etc. If needed, it acquires a new ticket. The first problem: with the 
current heimdal we have, we mix krb5 and gssapi, and this can lead to issues. 

Third, some semantics we had before change. We are first checking for existing 
tickets and use them if they are still valid. If not, we ask for a new krbtgt 
using the provided username/password. We didn't do that before.

An example is a password_settings test (see the FIXME commit). We changed the 
password and try to log in with the old password using Kerberos. As we look for 
a valid ticket first and find one, we are able to log in. The old code did not 
check for a valid ticket but forced a login. I would say how it works now is 
correct ...

'make test' passed with that patchset.


Please review and comment. I will test with MIT Kerberos tomorrow.


Cheers,


	-- andreas

-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cli_session_setup_creds.patch
Type: text/x-patch
Size: 124606 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160921/fcbf2950/cli_session_setup_creds.bin>
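
The semantic change described in the message (a cached ticket is looked up before the supplied password is used), as an added C example that is not part of the original post or of the Samba patchset. It is a constructed model with hypothetical names (`struct ticket`, `login_forced`, `login_cache_first`, `old_password_login`) and makes no krb5 or gensec calls.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed model of a credential cache entry; not Samba or krb5 types. */
struct ticket { const char *client, *server; time_t endtime; };
enum auth_result { AUTH_FAILED, AUTH_BY_PASSWORD, AUTH_BY_CACHED_TICKET };

/* Return 1 if the cache holds an unexpired krbtgt for this client. */
static int have_valid_tgt(const struct ticket *cc, size_t n,
                          const char *client, time_t now)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(cc[i].client, client) == 0 &&
            strncmp(cc[i].server, "krbtgt/", 7) == 0 && cc[i].endtime > now)
            return 1;
    return 0;
}

/* Old behaviour in the mail: always ask the KDC, so the password is checked. */
enum auth_result login_forced(const char *given_pw, const char *kdc_pw)
{
    return strcmp(given_pw, kdc_pw) == 0 ? AUTH_BY_PASSWORD : AUTH_FAILED;
}

/* New behaviour: reuse a valid cached ticket, otherwise fall back to kinit. */
enum auth_result login_cache_first(const struct ticket *cc, size_t n,
        const char *client, time_t now, const char *given_pw, const char *kdc_pw)
{
    if (have_valid_tgt(cc, n, client, now))
        return AUTH_BY_CACHED_TICKET; /* supplied password is never verified */
    return login_forced(given_pw, kdc_pw);
}

/* Mail's scenario (constructed values): KDC password changed, OLD one retried. */
enum auth_result old_password_login(int cache_first, time_t now, time_t tkt_end)
{
    const struct ticket cc[] = {
        { "alice@EXAMPLE.TEST", "krbtgt/EXAMPLE.TEST@EXAMPLE.TEST", tkt_end } };
    if (cache_first)
        return login_cache_first(cc, 1, cc[0].client, now, "old-pw", "new-pw");
    return login_forced("old-pw", "new-pw");
}

int main(void)
{
    printf("forced=%d cached=%d expired=%d\n", old_password_login(0, 1000, 2000),
           old_password_login(1, 1000, 2000), old_password_login(1, 3000, 2000));
    return 0;
}
```

A test that must prove the old password is rejected therefore needs an empty or isolated credential cache, since a still-valid ticket short-circuits the password check.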

