The branch, master has been updated
       via  a1743de libads: ensure the right ccache is used during spnego bind
       via  2672968 libads: ensure the right ccache is used during gssapi bind
      from  a391e92 s3-messaging: use messaging_ctdbd_reinit() in 
messaging_reinit()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit a1743de74f09d5bf695f077f5127d02352a014e2
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jul 6 12:44:11 2016 +0200

    libads: ensure the right ccache is used during spnego bind
    
    When doing spnego sasl bind:
    1. Try working without kinit only if a password is not
       provided
    2. When using kinit, ensure the KRB5CCNAME env var is set
       to a private memory ccache, so that the bind is on behalf
       of the requested user.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12007
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Uri Simchoni <[email protected]>
    
    Autobuild-User(master): Stefan Metzmacher <[email protected]>
    Autobuild-Date(master): Tue Jul 12 03:23:33 CEST 2016 on sn-devel-144

commit 2672968851966e5c01e4fc4d906b45b5c047e655
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jul 6 12:48:11 2016 +0200

    libads: ensure the right ccache is used during gssapi bind
    
    When doing gssapi sasl bind:
    1. Try working without kinit only if a password is not
       provided
    2. When using kinit, ensure the KRB5CCNAME env var is set
       to a private memory ccache, so that the bind is on behalf
       of the requested user.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12007
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Uri Simchoni <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 source3/libads/sasl.c | 52 +++++++++++++++++++++++++++++++++++----------------
 1 file changed, 36 insertions(+), 16 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index d76d872..85a2eb0 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -26,6 +26,7 @@
 #include "smb_krb5.h"
 #include "system/gssapi.h"
 #include "lib/param/loadparm.h"
+#include "krb5_env.h"
 
 #ifdef HAVE_LDAP
 
@@ -748,18 +749,29 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
        if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
            got_kerberos_mechanism) 
        {
-               status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
-                                                    CRED_MUST_USE_KERBEROS,
-                                                    p.service, p.hostname,
-                                                    blob);
-               if (ADS_ERR_OK(status)) {
-                       ads_free_service_principal(&p);
-                       goto done;
+               const char *ccache_name = "MEMORY:ads_sasl_spnego_bind";
+               if (ads->auth.ccache_name != NULL) {
+                       ccache_name = ads->auth.ccache_name;
                }
 
-               DEBUG(10,("ads_sasl_spnego_gensec_bind(KRB5) failed with: %s, "
-                         "calling kinit\n", ads_errstr(status)));
+               if (ads->auth.password == NULL ||
+                   ads->auth.password[0] == '\0')
+               {
 
+                       status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
+                                                            
CRED_MUST_USE_KERBEROS,
+                                                            p.service, 
p.hostname,
+                                                            blob);
+                       if (ADS_ERR_OK(status)) {
+                               ads_free_service_principal(&p);
+                               goto done;
+                       }
+
+                       DEBUG(10,("ads_sasl_spnego_gensec_bind(KRB5) failed 
with: %s, "
+                                 "calling kinit\n", ads_errstr(status)));
+               }
+
+               setenv(KRB5_ENV_CCNAME, ccache_name, 1);
                status = ADS_ERROR_KRB5(ads_kinit_password(ads)); 
 
                if (ADS_ERR_OK(status)) {
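Review bot: The return value of `setenv(KRB5_ENV_CCNAME, ccache_name, 1)` is ignored, so on failure the environment is left unchanged and the following `ads_kinit_password(ads)` presumably runs against whatever credential cache the process already pointed at, which is the case this commit sets out to exclude. Fail the bind instead, for example `if (setenv(KRB5_ENV_CCNAME, ccache_name, 1) != 0) { status = ADS_ERROR_SYSTEM(errno); ads_free_service_principal(&p); goto done; }`. The same unchecked call appears in the ads_sasl_gssapi_bind hunk, where the error path would free `p` and return the status. The `done` label and the rest of ads_sasl_spnego_bind lie outside this hunk, so confirm that the cleanup there matches.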
@@ -1015,21 +1027,29 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)
 {
        ADS_STATUS status;
        struct ads_service_principal p;
+       const char *ccache_name = "MEMORY:ads_sasl_gssapi_do_bind";
 
        status = ads_generate_service_principal(ads, &p);
        if (!ADS_ERR_OK(status)) {
                return status;
        }
 
-       status = ads_sasl_gssapi_do_bind(ads, p.name);
-       if (ADS_ERR_OK(status)) {
-               ads_free_service_principal(&p);
-               return status;
-       }
+       if (ads->auth.password == NULL ||
+           ads->auth.password[0] == '\0') {
+               status = ads_sasl_gssapi_do_bind(ads, p.name);
+               if (ADS_ERR_OK(status)) {
+                       ads_free_service_principal(&p);
+                       return status;
+               }
 
-       DEBUG(10,("ads_sasl_gssapi_do_bind failed with: %s, "
-                 "calling kinit\n", ads_errstr(status)));
+               DEBUG(10,("ads_sasl_gssapi_do_bind failed with: %s, "
+                         "calling kinit\n", ads_errstr(status)));
+       }
 
+       if (ads->auth.ccache_name != NULL) {
+               ccache_name = ads->auth.ccache_name;
+       }
+       setenv(KRB5_ENV_CCNAME, ccache_name, 1);
        status = ADS_ERROR_KRB5(ads_kinit_password(ads));
 
        if (ADS_ERR_OK(status)) {
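Review bot: The KRB5CCNAME override made just before `ads_kinit_password(ads)` is process-wide and is not undone in the visible lines, and the fallback name `"MEMORY:ads_sasl_gssapi_do_bind"` is a fixed string, so a later bind in the same process that also leaves `ads->auth.ccache_name` unset would reuse the same cache name. Whether that matters depends on callers not shown here, but it deserves a comment at the declaration, for example `/* default private ccache; KRB5CCNAME stays set to this after return, set ads->auth.ccache_name to keep users separate */`. The spnego hunk has the same pattern with `"MEMORY:ads_sasl_spnego_bind"`. The function continues past the end of this hunk, so a restore may exist further down.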


-- 
Samba Shared Repository
