diff options
author | Alexander Bokovoy <ab@samba.org> | 2012-05-18 10:05:38 +0300 |
---|---|---|
committer | Alexander Bokovoy <ab@samba.org> | 2012-05-23 17:51:50 +0300 |
commit | ec989e7c402e9868d45d7764175f2b44d85bb244 (patch) | |
tree | 9de0fa1f24c4767c4a972030070dcb1013c27d18 /auth | |
parent | 2d9a0d8d0c2587fcfdbab83c0a241830d2fcaafb (diff) | |
download | samba-ec989e7c402e9868d45d7764175f2b44d85bb244.tar.gz samba-ec989e7c402e9868d45d7764175f2b44d85bb244.tar.bz2 samba-ec989e7c402e9868d45d7764175f2b44d85bb244.zip |
auth-credentials: Support using pre-fetched ccache when obtaining kerberos credentials
When credentials API is used by a client-side program that already as fetched required
tickets into a ccache, we need to skip re-initializing ccache. This is used in FreeIPA
when Samba 4 Python bindings are run after mod_auth_kerb has obtained user tickets
already.
Diffstat (limited to 'auth')
-rw-r--r-- | auth/credentials/credentials_krb5.c | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c index 2a23688ffd..2c93a8febc 100644 --- a/auth/credentials/credentials_krb5.c +++ b/auth/credentials/credentials_krb5.c @@ -486,8 +486,18 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, } } - ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx, - &ccache, error_string); + + if (cred->ccache_obtained == CRED_UNINITIALISED) { + /* Only attempt to re-acquire ccache if it is not already in place. + * this is important for client-side use within frameworks with already acquired tickets + * like Apache+mod_auth_kerb+Python + */ + ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx, + &ccache, error_string); + } else { + ccache = cred->ccache; + } + if (ret) { if (cli_credentials_get_kerberos_state(cred) == CRED_MUST_USE_KERBEROS) { DEBUG(1, ("Failed to get kerberos credentials (kerberos required): %s\n", *error_string)); |