summaryrefslogtreecommitdiff
path: root/auth
diff options
context:
space:
mode:
authorAlexander Bokovoy <ab@samba.org>2012-05-18 10:05:38 +0300
committerAlexander Bokovoy <ab@samba.org>2012-05-23 17:51:50 +0300
commitec989e7c402e9868d45d7764175f2b44d85bb244 (patch)
tree9de0fa1f24c4767c4a972030070dcb1013c27d18 /auth
parent2d9a0d8d0c2587fcfdbab83c0a241830d2fcaafb (diff)
downloadsamba-ec989e7c402e9868d45d7764175f2b44d85bb244.tar.gz
samba-ec989e7c402e9868d45d7764175f2b44d85bb244.tar.bz2
samba-ec989e7c402e9868d45d7764175f2b44d85bb244.zip
auth-credentials: Support using pre-fetched ccache when obtaining kerberos credentials
When credentials API is used by a client-side program that already as fetched required tickets into a ccache, we need to skip re-initializing ccache. This is used in FreeIPA when Samba 4 Python bindings are run after mod_auth_kerb has obtained user tickets already.
Diffstat (limited to 'auth')
-rw-r--r--auth/credentials/credentials_krb5.c14
1 files changed, 12 insertions, 2 deletions
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 2a23688ffd..2c93a8febc 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -486,8 +486,18 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
}
}
- ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx,
- &ccache, error_string);
+
+ if (cred->ccache_obtained == CRED_UNINITIALISED) {
+ /* Only attempt to re-acquire ccache if it is not already in place.
+ * this is important for client-side use within frameworks with already acquired tickets
+ * like Apache+mod_auth_kerb+Python
+ */
+ ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx,
+ &ccache, error_string);
+ } else {
+ ccache = cred->ccache;
+ }
+
if (ret) {
if (cli_credentials_get_kerberos_state(cred) == CRED_MUST_USE_KERBEROS) {
DEBUG(1, ("Failed to get kerberos credentials (kerberos required): %s\n", *error_string));