Package: libnss-ldap
Version: 251-5.2
Severity: normal
Tags: patch

Suppose I want to use krb5_ccname and SASL, so I can have a host
authenticate with its host principal from a keytab. However, I don't want
normal users to be able to read the host principal keytab; I just want
libnss-ldap to use their own kerberos credentials. If I specify krb5_ccname
in /etc/libnss-ldap.conf, and the file is not readable to the user, it just
fails. This patch makes libnss-ldap attempt to try authenticating again with
the unchanged ccache if the modified ccache fails for whatever reason. It
appears to work on a test machine. (I.e. it falls back to user credentials if
the krb5_ccname credentials fail.)

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-3-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages libnss-ldap depends on:
ii  debconf [debconf-2.0]       1.5.7        Debian configuration management sy
ii  libc6                       2.3.6.ds1-4  GNU C Library: Shared libraries
ii  libkrb53                    1.4.4-3      MIT Kerberos runtime libraries
ii  libldap2                    2.1.30-13+b1 OpenLDAP libraries

Versions of packages libnss-ldap recommends:
ii  libpam-ldap                   180-1.2    Pluggable Authentication Module al
pn  nscd                          <none>     (no description available)

-- debconf information excluded
diff -Nru libnss-ldap-251.orig/ldap-nss.c libnss-ldap-251/ldap-nss.c
--- libnss-ldap-251.orig/ldap-nss.c	2006-10-28 23:56:13.000000000 -0500
+++ libnss-ldap-251/ldap-nss.c	2006-10-28 23:57:00.942203744 -0500
@@ -1879,6 +1879,20 @@
       rc = ldap_sasl_interactive_bind_s (ld, dn, "GSSAPI", NULL, NULL,
 					 LDAP_SASL_QUIET,
 					 do_sasl_interact, (void *) pw);
+# if defined(CONFIGURE_KRB5_CCNAME) && defined(CONFIGURE_KRB5_CCNAME_GSSAPI)
+      if (rc != LDAP_SUCCESS && oldccname != NULL)
+        {
+	  if (gss_krb5_ccache_name (&retval, oldccname, NULL) !=
+	      GSS_S_COMPLETE)
+	    {
+	      debug ("do_bind: unable to set default credential cache");
+	      return -1;
+	    }
+	  rc = ldap_sasl_interactive_bind_s (ld, dn, "GSSAPI", NULL, NULL,
+	                                     LDAP_SASL_QUIET,
+					     do_sasl_interact, (void *)pw);
+	}
+# endif
       
 # ifdef CONFIGURE_KRB5_CCNAME
       /* Restore default Kerberos ticket cache. */
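Review bot: the retry guarded by `if (rc != LDAP_SUCCESS && oldccname != NULL)` fires on every bind failure, not only on a credential problem with the configured ccache, so a server-side or transient network error also triggers a silent second GSSAPI bind under the calling user's own credentials; add a `debug ("do_bind: retrying bind with default credential cache")` line before the second `ldap_sasl_interactive_bind_s` so an operator can tell from the log which credentials a lookup actually used, and mention the automatic fallback in the `krb5_ccname` documentation. Two smaller points: the `return -1` after a failed `gss_krb5_ccache_name (&retval, oldccname, NULL)` leaves `do_bind` before the "Restore default Kerberos ticket cache" block that follows this hunk, so it should be clear that no further restore is expected on that path, and the new block's indentation mixes leading spaces and tabs, unlike the surrounding lines.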