authorJeremy Allison <jra@samba.org>2012-08-21 11:24:58 -0700
committerJeremy Allison <jra@samba.org>2012-08-21 22:01:15 +0200
commitc84e6aebc202838267d2a4b172f640b52a201bbb (patch)
treeb5ddb73455746c5a37fdc8fe2ebeaba85627c39c
parentebb776f51f697ece62ed5c7ee6aa4865397347c2 (diff)
Fix bug #9098 - winbind does not refresh kerberos tickets.
Based on work from Ian Gordon <ian.gordon@strath.ac.uk>. Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Tue Aug 21 22:01:15 CEST 2012 on sn-devel-104
-rw-r--r--source3/winbindd/winbindd_cred_cache.c29
-rw-r--r--source3/winbindd/winbindd_pam.c9
-rw-r--r--source3/winbindd/winbindd_proto.h1
3 files changed, 39 insertions, 0 deletions
diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c
index 5e79a96ca7..e8bbf9c824 100644
--- a/source3/winbindd/winbindd_cred_cache.c
+++ b/source3/winbindd/winbindd_cred_cache.c
@@ -490,6 +490,7 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
const char *ccname,
const char *service,
const char *username,
+ const char *pass,
const char *realm,
uid_t uid,
time_t create_time,
@@ -591,8 +592,22 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
}
DEBUG(10,("add_ccache_to_list: added krb5_ticket handler\n"));
+
}
+ /*
+ * If we're set up to renew our krb5 tickets, we must
+ * cache the credentials in memory for the ticket
+ * renew function (or increase the reference count
+ * if we're logging in more than once). Fix inspired
+ * by patch from Ian Gordon <ian.gordon@strath.ac.uk>
+ * for bugid #9098.
+ */
+
+ ntret = winbindd_add_memory_creds(username, uid, pass);
+ DEBUG(10, ("winbindd_add_memory_creds returned: %s\n",
+ nt_errstr(ntret)));
+
return NT_STATUS_OK;
}
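Review bot: The added `winbindd_add_memory_creds(username, uid, pass)` call sits after the closing brace of the block that logs "added krb5_ticket handler", so it appears to run on every repeat login whether or not a renewal event exists, although the comment says it is needed when tickets are set up for renewal. The later hunk in this file guards the same call with `if (entry->event)`; the same guard here would avoid keeping a plaintext password in memory for sessions that never renew. If the unconditional call is intentional, for example to keep the reference count in step with logoff, the comment should say so. The enclosing branch of add_ccache_to_list starts outside the hunk, so the exact condition is inferred.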
@@ -675,6 +690,20 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
"added ccache [%s] for user [%s] to the list\n",
ccname, username));
+ if (entry->event) {
+ /*
+ * If we're set up to renew our krb5 tickets, we must
+ * cache the credentials in memory for the ticket
+ * renew function. Fix inspired by patch from
+ * Ian Gordon <ian.gordon@strath.ac.uk> for
+ * bugid #9098.
+ */
+
+ ntret = winbindd_add_memory_creds(username, uid, pass);
+ DEBUG(10, ("winbindd_add_memory_creds returned: %s\n",
+ nt_errstr(ntret)));
+ }
+
return NT_STATUS_OK;
no_mem:
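Review bot: The status of `winbindd_add_memory_creds()` is only printed at debug level 10 and the function still returns NT_STATUS_OK, so a failure to store the credentials leaves ticket renewal silently broken, which is the symptom this commit addresses. The same pattern is in the earlier hunk on the repeat-login path. Consider reporting the failure at a visible level, e.g. `if (!NT_STATUS_IS_OK(ntret)) { DEBUG(1, ("add_ccache_to_list: could not cache creds for [%s]: %s\n", username, nt_errstr(ntret))); }`. `ntret` is declared outside the visible hunks.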
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index d8febe6a5c..6ad0baf196 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -646,6 +646,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
cc,
service,
user,
+ pass,
realm,
uid,
time(NULL),
@@ -965,6 +966,7 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
cc,
service,
state->request->data.auth.user,
+ state->request->data.auth.pass,
domain->alt_name,
uid,
time(NULL),
@@ -2127,6 +2129,13 @@ enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
goto process_result;
}
+ /*
+ * Remove any mlock'ed memory creds in the child
+ * we might be using for krb5 ticket renewal.
+ */
+
+ winbindd_delete_memory_creds(state->request->data.logoff.user);
+
#else
result = NT_STATUS_NOT_SUPPORTED;
#endif
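Review bot: The return value of `winbindd_delete_memory_creds()` is discarded, so a failure to release the mlock'ed password at logoff would go unnoticed (assuming it returns an NTSTATUS like `winbindd_add_memory_creds`). The call also follows a `goto process_result` error path, so it appears to be skipped when the preceding step fails, leaving the credential in the child's memory; the condition for that path is outside the hunk. Consider logging a failed delete and making the removal run on the error path as well. winbindd_dual_pam_logoff continues outside the hunk.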
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index 3746fe0268..ec5ec372d1 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -182,6 +182,7 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
const char *ccname,
const char *service,
const char *username,
+ const char *password,
const char *realm,
uid_t uid,
time_t create_time,
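Review bot: The prototype names the new parameter `password` while the definition in winbindd_cred_cache.c names it `pass`; one name in both places keeps declaration and definition easy to match. A short comment on the prototype would also help, e.g. `/* pass: plaintext password, cached in memory for krb5 ticket renewal */`, since callers now hand a secret to this function. The prototype continues past the hunk.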