author | Andrew Bartlett <abartlet@samba.org> | 2007-05-22 05:21:59 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 14:52:46 -0500 |
commit | c83c39909ed4979d455f94c9b842b542fb38e76b (patch) | |
tree | c26cf00184128652c2f35e8895c6602d7b17be43 /source4/auth/credentials/credentials_krb5.c | |
parent | 5bb0dcd0511d5a1fa1a255c11f14a5e0b9100d7c (diff) | |
r23063: Make sure to invalidate the ccache when we set a
username/password/realm/etc from the command line.
Also make sure it can't 'come back' from a later call to
cli_credentials_guess(), by setting a threshold.
This should fix the issues with the build farm...
Andrew Bartlett
(This used to be commit 3b1dfb9306beb9f40d85d38cf6786ef161ec63f1)
Diffstat (limited to 'source4/auth/credentials/credentials_krb5.c')
-rw-r--r-- | source4/auth/credentials/credentials_krb5.c | 55 |
1 files changed, 49 insertions, 6 deletions
diff --git a/source4/auth/credentials/credentials_krb5.c b/source4/auth/credentials/credentials_krb5.c
index 2188bf6ad8..2f0ca35d76 100644
--- a/source4/auth/credentials/credentials_krb5.c
+++ b/source4/auth/credentials/credentials_krb5.c
@@ -101,7 +101,9 @@ int cli_credentials_set_from_ccache(struct cli_credentials *cred,
 krb5_free_principal(cred->ccache->smb_krb5_context->krb5_context, princ);
+ /* set the ccache_obtained here, as it just got set to UNINITIALISED by the calls above */
 cred->ccache_obtained = obtained;
+ cli_credentials_invalidate_client_gss_creds(cred, cred->ccache_obtained);
 return 0;
 }
@@ -262,9 +264,7 @@ int cli_credentials_get_ccache(struct cli_credentials *cred,
 cli_credentials_set_machine_account(cred);
 }
- if (cred->ccache_obtained >=(MAX(MAX(cred->principal_obtained,
- cred->username_obtained),
- cred->password_obtained))) {
+ if (cred->ccache_obtained >= cred->ccache_threshold) {
 *ccc = cred->ccache;
 return 0;
 }
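Review bot: In cli_credentials_get_ccache the new test `cred->ccache_obtained >= cred->ccache_threshold` is also true when both fields still hold CRED_UNINITIALISED, so the function would return 0 and hand back `cred->ccache` although no credential cache was ever set. The initial value of `ccache_threshold` is not visible in this file, so this is inferred; if it starts at CRED_UNINITIALISED the guard should read `if (cred->ccache_obtained > CRED_UNINITIALISED && cred->ccache_obtained >= cred->ccache_threshold) {`. The same applies to the `client_gss_creds_threshold` test in cli_credentials_get_client_gss_creds (the -303 hunk). The new check is also only as good as the setters that call the invalidate functions, which are outside this file; a comment at the test naming that dependency would help, e.g. `/* threshold is raised by cli_credentials_invalidate_ccache(); every setter must call it */`. Both functions continue outside their hunks.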
@@ -289,6 +289,49 @@ int cli_credentials_get_ccache(struct cli_credentials *cred,
 return ret;
 }
+void cli_credentials_invalidate_client_gss_creds(struct cli_credentials *cred,
+ enum credentials_obtained obtained)
+{
+ /* If the caller just changed the username/password etc, then
+ * any cached credentials are now invalid */
+ if (obtained >= cred->client_gss_creds_obtained) {
+ if (cred->client_gss_creds_obtained > CRED_UNINITIALISED) {
+ talloc_free(cred->client_gss_creds);
+ }
+ cred->client_gss_creds_obtained = CRED_UNINITIALISED;
+ }
+ /* Now that we know that the data is 'this specified', then
+ * don't allow something less 'known' to be returned as a
+ * ccache. Ie, if the username is on the commmand line, we
+ * don't want to later guess to use a file-based ccache */
+ if (obtained > cred->client_gss_creds_threshold) {
+ cred->client_gss_creds_threshold = obtained;
+ }
+}
+
+void cli_credentials_invalidate_ccache(struct cli_credentials *cred,
+ enum credentials_obtained obtained)
+{
+ /* If the caller just changed the username/password etc, then
+ * any cached credentials are now invalid */
+ if (obtained >= cred->ccache_obtained) {
+ if (cred->ccache_obtained > CRED_UNINITIALISED) {
+ talloc_free(cred->ccache);
+ }
+ cred->ccache_obtained = CRED_UNINITIALISED;
+ }
+ /* Now that we know that the data is 'this specified', then
+ * don't allow something less 'known' to be returned as a
+ * ccache. Ie, if the username is on the commmand line, we
+ * don't want to later guess to use a file-based ccache */
+ if (obtained > cred->ccache_threshold) {
+ cred->ccache_threshold = obtained;
+ }
+
+ cli_credentials_invalidate_client_gss_creds(cred,
+ obtained);
+}
+
 static int free_gssapi_creds(struct gssapi_creds_container *gcc)
 {
 OM_uint32 min_stat, maj_stat;
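Review bot: Both invalidate functions leave a dangling pointer behind, because `talloc_free(cred->ccache)` and `talloc_free(cred->client_gss_creds)` release the object but only the `*_obtained` field is reset. Nothing in this hunk reads the pointers afterwards, but any path that tests the pointer instead of the obtained level would then touch freed credential state; adding `cred->ccache = NULL;` and `cred->client_gss_creds = NULL;` directly after the respective talloc_free() calls closes that. Separately, the second comment in cli_credentials_invalidate_client_gss_creds was copied from the ccache variant and still says "returned as a ccache" where it guards the client GSS credentials.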
@@ -303,9 +346,7 @@ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
 OM_uint32 maj_stat, min_stat;
 struct gssapi_creds_container *gcc;
 struct ccache_container *ccache;
- if (cred->client_gss_creds_obtained >= (MAX(cred->ccache_obtained,
- MAX(cred->principal_obtained,
- cred->username_obtained)))) {
+ if (cred->client_gss_creds_obtained >= cred->client_gss_creds_threshold) {
 *_gcc = cred->client_gss_creds;
 return 0;
 }
@@ -389,6 +430,8 @@ int cli_credentials_set_client_gss_creds(struct cli_credentials *cred,
 gcc->creds = gssapi_cred;
 talloc_set_destructor(gcc, free_gssapi_creds);
+ /* set the clinet_gss_creds_obtained here, as it just
+ got set to UNINITIALISED by the calls above */
 cred->client_gss_creds_obtained = obtained;
 cred->client_gss_creds = gcc;
 } |