The branch, v4-24-test has been updated
via 0a6726fb834 s3:libads: Set NT_STATUS_UNSUCCESSFUL for IP address entry
via 0dd9253861f manpages: Update NET ADS KERBEROS KINIT manpage
via 10bd9b650d5 s3:utils: 'net ads kerberos kinit' should use also default ccache name from krb5.conf
from 258392a6a10 VERSION: Bump version up to Samba 4.24.0rc3...
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-24-test
- Log -----------------------------------------------------------------
commit 0a6726fb83466f750a66aa41b2c304e592522864
Author: Andreas Schneider <[email protected]>
Date: Wed Jan 14 15:50:26 2026 +0100
s3:libads: Set NT_STATUS_UNSUCCESSFUL for IP address entry
This is what we do in libads/ldap.c too.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15975
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Pavel Filipenský <[email protected]>
(cherry picked from commit 9e1bcf84d8a8386fb00aedf88e71b28504e449b4)
Autobuild-User(v4-24-test): Björn Jacke <[email protected]>
Autobuild-Date(v4-24-test): Sat Feb 7 16:14:24 UTC 2026 on atb-devel-224
commit 0dd9253861f905e071086dce4efaf6782afc4dfd
Author: Pavel Filipenský <[email protected]>
Date: Thu Feb 5 16:04:25 2026 +0100
manpages: Update NET ADS KERBEROS KINIT manpage
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15993
Signed-off-by: Pavel Filipenský <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Autobuild-User(master): Pavel Filipensky <[email protected]>
Autobuild-Date(master): Thu Feb 5 21:11:13 UTC 2026 on atb-devel-224
(cherry picked from commit 9d083a28fe45afd8f82441c6e24255e4c64c113b)
commit 10bd9b650d5b1dcc16f9258c0ab6579299089d9c
Author: Pavel Filipenský <[email protected]>
Date: Tue Feb 3 12:53:10 2026 +0100
s3:utils: 'net ads kerberos kinit' should use also default ccache name from krb5.conf
This is re-introducing the behavior from samba-4.20 where both these
commands operated on the same ccache (default_ccache_name in
[libdefaults] section of krb5.conf)
'net ads kerberos kinit -P'
'klist'
With samba-4.21 it no longer works, 'net ads kerberos kinit -P'
falls back to 'MEMORY:net' (which is of very limited use, the ticket
cannot be used by other processes) and klist finds no ticket.
The order is changed from:
--use-krb5-ccache
env "KRB5CCNAME"
"MEMORY:net"
to ("MEMORY:net" is removed):
--use-krb5-ccache
env "KRB5CCNAME"
default_ccache_name
'--use-krb5-ccache=MEMORY:net' can be used to validate the credentials.
Use smb_force_krb5_cc_default_name() instead of krb5_cc_default_name()
because of commit:
1ca6fb5 make sure krb5_cc_default[_name]() is no longer used directly
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15993
Signed-off-by: Pavel Filipenský <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
(cherry picked from commit 4cc6a13590434f6a3aa1add663728188970d727e)
-----------------------------------------------------------------------
Summary of changes:
docs-xml/manpages/net.8.xml | 36 ++++++++++++++++++++++++++++--------
source3/libads/kerberos.c | 5 ++++-
source3/utils/net.c | 36 ++++++++++++++++++++++++++----------
3 files changed, 58 insertions(+), 19 deletions(-)
Changeset truncated at 500 lines:
diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
index 65ff0fa41c1..c9541bcefe1 100644
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@@ -1823,17 +1823,37 @@ the following entry types;
<title>ADS KERBEROS KINIT</title>
<para>
- Issue a kinit request for a given user. When no other options are
- defined the ticket granting ticket (TGT) will be stored in a memory
cache.
+ Issue a kinit request for a given user. The following methods can be
used
+ to specify where to store the ticket granting ticket (TGT) (in order of
+ precedence):
</para>
-<para>
- To store the TGT in a different location either use the
- <option>--krb5-ccache</option> option or set the
- <replaceable>KRB5CCNAME</replaceable> environment variable.
-</para>
+<itemizedlist>
+ <listitem>
+ <para>option <option>--use-krb5-ccache</option></para>
+ </listitem>
+ <listitem>
+ <para><replaceable>KRB5CCNAME</replaceable> environment
variable</para>
+ </listitem>
+ <listitem>
+ <para><parameter>default_ccache_name</parameter> setting in
<filename>krb5.conf</filename></para>
+ </listitem>
+</itemizedlist>
-<para>Example: <userinput>net ads kerberos kinit -P
--krb5-ccache=/tmp/krb5cache</userinput></para>
+<variablelist><title>Examples:</title>
+<varlistentry>
+<term>Use file based cache (FILE:/tmp/krb5cache)</term>
+<listitem><literallayout>
+net ads kerberos kinit -P --use-krb5-ccache=/tmp/krb5cache
+</literallayout></listitem>
+</varlistentry>
+<varlistentry>
+<term>Use memory cache (MEMORY:net) to verify the authentication</term>
+<listitem><literallayout>
+net ads kerberos kinit -P --use-krb5-ccache=MEMORY:net
+</literallayout></listitem>
+</varlistentry>
+</variablelist>
</refsect2>
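Review bot: The new precedence list in the ADS KERBEROS KINIT paragraph stops at default_ccache_name, but the comment added to source3/utils/net.c in this same changeset says krb5_cc_default_name() "always returns something", so the case where none of the three is set is left undocumented. Suggest a closing sentence stating that the Kerberos library's built-in default cache is used in that case, and that the TGT is no longer kept in a memory cache by default, since the removed paragraph told users exactly that. The file-based example also shows the TGT written to a fixed name under /tmp (--use-krb5-ccache=/tmp/krb5cache); a per-user path would be a safer thing to demonstrate in a manpage.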
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index ed8d52f7866..ebad5056751 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -1264,7 +1264,10 @@ static char *get_kdc_ip_string(char *mem_ctx,
cldap_reply->pdc_dns_name);
if (has_entry) {
/* propagate blacklisting from name to ip */
- add_failed_connection_entry(realm, addr,
status);
+ add_failed_connection_entry(
+ realm,
+ addr,
+ NT_STATUS_UNSUCCESSFUL);
continue;
}
}
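Review bot: In the has_entry branch of get_kdc_ip_string(), the comment still reads "propagate blacklisting from name to ip", but the call no longer passes the looked-up status through; it records a fixed NT_STATUS_UNSUCCESSFUL for the address. Nothing in the hunk says why the original status is unsuitable here (the commit message only points at libads/ldap.c doing the same). Suggest extending the comment to state that the address entry is always recorded as a generic failure and why, so a later reader does not change it back to status.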
diff --git a/source3/utils/net.c b/source3/utils/net.c
index 271c96cf804..0ce03f8213d 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -54,6 +54,7 @@
#include "source3/utils/passwd_proto.h"
#include "auth/gensec/gensec.h"
#include "lib/param/param.h"
+#include "lib/krb5_wrap/krb5_samba.h"
#ifdef WITH_FAKE_KASERVER
#include "utils/net_afs.h"
@@ -1414,18 +1415,33 @@ static struct functable net_func[] = {
CRED_SPECIFIED);
}
- /* cli_credentials_get_ccache_name_obtained() would not work
- * here but we can now access the content of the
- * --use-krb5-ccache option via cli credentials. Fallback to
- * KRB5CCNAME environment variable to get 'net ads kerberos'
- * functions to work at all - gd */
-
+ /*
+ * Priority order for krb5 credential cache name
+ *
+ * via cli_credentials_get_out_ccache_name() :
+ *
+ * 1. '--use-krb5-ccache' option
+ *
+ * via krb5_cc_default_name() :
+ *
+ * 2. KRB5CCNAME environment variable
+ * 3. default_ccache_name in [libdefaults] section of krb5.conf
+ * 4. ...more - krb5_cc_default_name() always returns something
+ * - see documentation
+ */
krb5ccname = cli_credentials_get_out_ccache_name(c->creds);
if (krb5ccname == NULL || krb5ccname[0] == '\0') {
- krb5ccname = getenv("KRB5CCNAME");
- }
- if (krb5ccname == NULL || krb5ccname[0] == '\0') {
- krb5ccname = talloc_strdup(c, "MEMORY:net");
+ krb5_context ct = NULL;
+ krb5_error_code ret = smb_krb5_init_context_common(&ct);
+
+ if (ret == 0) {
+ krb5ccname = smb_force_krb5_cc_default_name(ct);
+ if (krb5ccname != NULL) {
+ krb5ccname = talloc_strdup(c,
+ krb5ccname);
+ }
+ krb5_free_context(ct);
+ }
}
if (krb5ccname == NULL) {
DBG_ERR("Not able to setup krb5 ccache");
--
Samba Shared Repository