diff options
author | Simo Sorce <idra@samba.org> | 2012-09-07 14:14:08 -0400 |
---|---|---|
committer | Alexander Bokovoy <ab@samba.org> | 2012-09-12 21:18:09 +0200 |
commit | 893b21387665a7b644355d60f6fbccaf48ffaedb (patch) | |
tree | 91721ee23469a110630937c14efbdc2b62ae5412 /source3/include | |
parent | a11e45f1c5268e798124fe9e0716b7b9d0557014 (diff) | |
download | samba-893b21387665a7b644355d60f6fbccaf48ffaedb.tar.gz samba-893b21387665a7b644355d60f6fbccaf48ffaedb.tar.bz2 samba-893b21387665a7b644355d60f6fbccaf48ffaedb.zip |
Avoid overriding default ccache for ads operations.
Avoid overriding default ccache for ads operations.
Nowadays various samba components may need to use GSSAPI and a default cred
cache to perform their tasks.
This code was completely overriding the whole process default ccache name, thus
altering the current credentials and sometimes hijacking them (or getting
preemptively hijaked).
By using gss_krb5_import_cred we can instead use a private ccache (necessary
sometimes to use a different set of credentials fromt he default
cifs/fqdn@realm one, for example when contacting foreign DCs using trust
credentials) that does not affect the rest of the process.
For the kerberos versions which don't have gss_krb5_import_cred
we fallback to temp override of KRB5CCNAME and gss_acquire_cred.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Sep 12 21:18:09 CEST 2012 on sn-devel-104
Diffstat (limited to 'source3/include')
-rw-r--r-- | source3/include/ads.h | 1 | ||||
-rw-r--r-- | source3/include/proto.h | 2 |
2 files changed, 2 insertions, 1 deletions
diff --git a/source3/include/ads.h b/source3/include/ads.h index 91a0f8162f..3de1d8b199 100644 --- a/source3/include/ads.h +++ b/source3/include/ads.h @@ -45,6 +45,7 @@ typedef struct ads_struct { char *kdc_server; unsigned flags; int time_offset; + char *ccache_name; time_t tgt_expire; time_t tgs_expire; time_t renewable; diff --git a/source3/include/proto.h b/source3/include/proto.h index 6dbdf4eae1..b3fa55a914 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -768,7 +768,7 @@ int spnego_gen_krb5_negTokenInit(TALLOC_CTX *ctx, const char *principal, int time_offset, DATA_BLOB *targ, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts, - time_t *expire_time); + const char *ccname, time_t *expire_time); bool spnego_parse_challenge(TALLOC_CTX *ctx, const DATA_BLOB blob, DATA_BLOB *chal1, DATA_BLOB *chal2); DATA_BLOB spnego_gen_auth(TALLOC_CTX *ctx, DATA_BLOB blob); |