summaryrefslogtreecommitdiff
path: root/source3/libads
diff options
context:
space:
mode:
authorJim McDonough <jmcd@samba.org>2004-03-24 17:32:55 +0000
committerJim McDonough <jmcd@samba.org>2004-03-24 17:32:55 +0000
commit9a8e30d04b1cfc53e8c8949a56d4f1cf5aa26501 (patch)
treee483ee3c5a38bfd45503d3bd18c0b25904949edc /source3/libads
parent7d7b6190b0d07441ded54f096e7f95f51dc31024 (diff)
downloadsamba-9a8e30d04b1cfc53e8c8949a56d4f1cf5aa26501.tar.gz
samba-9a8e30d04b1cfc53e8c8949a56d4f1cf5aa26501.tar.bz2
samba-9a8e30d04b1cfc53e8c8949a56d4f1cf5aa26501.zip
Fix bugzilla # 1208
Winbind tickets expired. We now check the expiration time, and acquire new tickets. We couln't rely on renewing them, because if we didn't get a request before they expired, we wouldn't have renewed them. Also, there is a one-week limit in MS on renewal life, so new tickets would have been needed after a week anyway. Default is 10 hours, so we should only be acquiring them that often, unless the configuration on the DC is changed (and the minimum is 1 hour). (This used to be commit c2436c433afaab4006554a86307f76b6689d6929)
Diffstat (limited to 'source3/libads')
-rw-r--r--source3/libads/kerberos.c39
-rw-r--r--source3/libads/krb5_setpw.c2
2 files changed, 38 insertions, 3 deletions
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index bef2febaef..70f6f3386c 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -54,7 +54,7 @@ kerb_prompter(krb5_context ctx, void *data,
simulate a kinit, putting the tgt in the default cache location
remus@snapserver.com
*/
-int kerberos_kinit_password(const char *principal, const char *password, int time_offset)
+int kerberos_kinit_password(const char *principal, const char *password, int time_offset, time_t *expire_time)
{
krb5_context ctx;
krb5_error_code code = 0;
@@ -102,6 +102,9 @@ int kerberos_kinit_password(const char *principal, const char *password, int tim
return code;
}
+ if (expire_time)
+ *expire_time = (time_t) my_creds.times.endtime;
+
krb5_cc_close(ctx, cc);
krb5_free_cred_contents(ctx, &my_creds);
krb5_free_principal(ctx, me);
@@ -126,7 +129,7 @@ int ads_kinit_password(ADS_STRUCT *ads)
return KRB5_LIBOS_CANTREADPWD;
}
- ret = kerberos_kinit_password(s, ads->auth.password, ads->auth.time_offset);
+ ret = kerberos_kinit_password(s, ads->auth.password, ads->auth.time_offset, &ads->auth.expire);
if (ret) {
DEBUG(0,("kerberos_kinit_password %s failed: %s\n",
@@ -136,5 +139,37 @@ int ads_kinit_password(ADS_STRUCT *ads)
return ret;
}
+int ads_kdestroy(const char *cc_name)
+{
+ krb5_error_code code;
+ krb5_context ctx;
+ krb5_ccache cc;
+
+ if ((code = krb5_init_context (&ctx))) {
+ DEBUG(3, ("ads_kdestroy: kdb5_init_context rc=%d\n", code));
+ return code;
+ }
+
+ if (!cc_name) {
+ if ((code = krb5_cc_default(ctx, &cc))) {
+ krb5_free_context(ctx);
+ return code;
+ }
+ } else {
+ if ((code = krb5_cc_resolve(ctx, cc_name, &cc))) {
+ DEBUG(3, ("ads_kdestroy: krb5_cc_resolve rc=%d\n",
+ code));
+ krb5_free_context(ctx);
+ return code;
+ }
+ }
+
+ if ((code = krb5_cc_destroy (ctx, cc))) {
+ DEBUG(3, ("ads_kdestroy: krb5_cc_destroy rc=%d\n", code));
+ }
+
+ krb5_free_context (ctx);
+ return code;
+}
#endif
diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c
index 9cf15221a8..16d3df83e9 100644
--- a/source3/libads/krb5_setpw.c
+++ b/source3/libads/krb5_setpw.c
@@ -642,7 +642,7 @@ ADS_STATUS kerberos_set_password(const char *kpasswd_server,
{
int ret;
- if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset))) {
+ if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset, NULL))) {
DEBUG(1,("Failed kinit for principal %s (%s)\n", auth_principal, error_message(ret)));
return ADS_ERROR_KRB5(ret);
}