authorAndrew Bartlett <abartlet@samba.org>2004-12-31 07:43:08 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:07:50 -0500
commite6365b8950ccc986d1b4450148f1c837bb1cd2cb (patch)
treeced9022b5daabace119c206c1bee4614f3776a47
parent85b492bb5b90edd636611eb884c7bcfa9c45bd64 (diff)
r4441: gensec_krb5 update:
- Use more of the clikrb5.c wrapper calls - Don't use the session keytab if we kinit for the user. Andrew Bartlett (This used to be commit e15dbee00628475d5e1c1f329a7f9b199bc36360)
-rw-r--r--source4/libcli/auth/gensec_krb5.c27
1 files changed, 21 insertions, 6 deletions
diff --git a/source4/libcli/auth/gensec_krb5.c b/source4/libcli/auth/gensec_krb5.c
index 9d4a2f6b0e..c01520bb2f 100644
--- a/source4/libcli/auth/gensec_krb5.c
+++ b/source4/libcli/auth/gensec_krb5.c
@@ -234,10 +234,7 @@ static int gensec_krb5_destory(void *ptr)
struct gensec_krb5_state *gensec_krb5_state = ptr;
if (gensec_krb5_state->ticket.length) {
- /* Hmm, early heimdal dooesn't have this - correct call would be krb5_data_free */
-#ifdef HAVE_KRB5_FREE_DATA_CONTENTS
- krb5_free_data_contents(gensec_krb5_state->krb5_context, &gensec_krb5_state->ticket);
-#endif
+ kerberos_free_data_contents(gensec_krb5_state->krb5_context, &gensec_krb5_state->ticket);
}
if (gensec_krb5_state->krb5_ccache) {
/* current heimdal - 0.6.3, which we need anyway, fixes segfaults here */
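Review bot: The ccache branch this line introduces (its body lies outside the hunk) needs another look now that the same commit makes gensec_krb5_client_start resolve a per-context `MEMORY:` cache when it kinits for the user: if that branch only calls krb5_cc_close, the credentials obtained for the user stay resident in the process, because a MEMORY: ccache is only released by krb5_cc_destroy in both MIT and Heimdal. The destructor cannot distinguish the two cases from krb5_ccache alone, so I'd record at the krb5_cc_resolve site which kind of cache is in use (a flag on gensec_krb5_state) and call `krb5_cc_destroy(gensec_krb5_state->krb5_context, gensec_krb5_state->krb5_ccache);` for the in-memory case, keeping krb5_cc_close for the default cache. gensec_krb5_destory starts before this hunk and continues after it.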
@@ -334,7 +331,10 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
gensec_krb5_state = gensec_security->private_data;
gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
- /* TODO: This is effecivly a static/global variable... */
+ /* TODO: This is effecivly a static/global variable...
+
+ TODO: If the user set a username, we should use an in-memory CCACHE (see below)
+ */
ret = krb5_cc_default(gensec_krb5_state->krb5_context, &gensec_krb5_state->krb5_ccache);
if (ret) {
DEBUG(1,("krb5_cc_default failed (%s)\n",
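Review bot: The new TODO text says an in-memory CCACHE should be used when a username is set, yet krb5_cc_default just below it is still called unconditionally; in the ENOENT branch later in this function (added by the same commit) krb5_ccache is then overwritten by krb5_cc_resolve, and as far as the diff shows the handle obtained here is never closed first, so it leaks on every client start that kinits. I'd close it before re-resolving, `krb5_cc_close(gensec_krb5_state->krb5_context, gensec_krb5_state->krb5_ccache);`, or move the krb5_cc_default call into the path that actually uses the default cache. The rewritten comment also keeps the old typo: `effecivly` should read `effectively`. gensec_krb5_client_start begins before this hunk and continues after it.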
@@ -391,6 +391,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
case ENOENT:
{
char *password;
+ char *ccache_string;
time_t kdc_time = 0;
nt_status = gensec_get_password(gensec_security,
gensec_security,
@@ -398,9 +399,23 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
+
+ /* this string should be unique */
+ ccache_string = talloc_asprintf(gensec_krb5_state, "MEMORY:%s:%s:%s",
+ gensec_get_client_principal(gensec_security, gensec_krb5_state),
+ gensec_get_target_principal(gensec_security, gensec_krb5_state),
+ generate_random_str(gensec_krb5_state, 16));
+
+ ret = krb5_cc_resolve(gensec_krb5_state->krb5_context, ccache_string, &gensec_krb5_state->krb5_ccache);
+ if (ret) {
+ DEBUG(1,("failed to generate a new krb5 keytab (%s): %s\n",
+ ccache_string,
+ error_message(ret)));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
ret = kerberos_kinit_password_cc(gensec_krb5_state->krb5_context, gensec_krb5_state->krb5_ccache,
- gensec_get_client_principal(gensec_security, gensec_security),
+ gensec_get_client_principal(gensec_security, gensec_krb5_state),
password, NULL, &kdc_time);
/* cope with ticket being in the future due to clock skew */