diff options
author | Andrew Bartlett <abartlet@samba.org> | 2010-10-11 16:53:08 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2010-10-11 13:02:16 +0000 |
commit | 42127cdbb040a260c2c745e9114b600f2186794a (patch) | |
tree | 348783a93d8fd3efe162470678ae1cc128edb6f6 /source4/auth/kerberos/kerberos_util.c | |
parent | 5cd9495fb3f74d8e896c81e5c060a1643722870e (diff) | |
download | samba-42127cdbb040a260c2c745e9114b600f2186794a.tar.gz samba-42127cdbb040a260c2c745e9114b600f2186794a.tar.bz2 samba-42127cdbb040a260c2c745e9114b600f2186794a.zip |
s4-credentials Add explicit event context handling to Kerberos calls (only)
By setting the event context to use for this operation (only) onto
the krb5_context just before we call that operation, we can try
and emulate the specification of an event context to the actual send_to_kdc()
This eliminates the specification of an event context to many other
cli_credentials calls, and the last use of event_context_find()
Special care is taken to restore the event context in the event of
nesting in the send_to_kdc function.
Andrew Bartlett
Diffstat (limited to 'source4/auth/kerberos/kerberos_util.c')
-rw-r--r-- | source4/auth/kerberos/kerberos_util.c | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c index 3020e978bd..c5079123ef 100644 --- a/source4/auth/kerberos/kerberos_util.c +++ b/source4/auth/kerberos/kerberos_util.c @@ -332,6 +332,7 @@ krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx, krb5_error_code kinit_to_ccache(TALLOC_CTX *parent_ctx, struct cli_credentials *credentials, struct smb_krb5_context *smb_krb5_context, + struct tevent_context *event_ctx, krb5_ccache ccache, enum credentials_obtained *obtained, const char **error_string) @@ -392,6 +393,13 @@ krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx, tries = 2; while (tries--) { + struct tevent_context *previous_ev; + /* Do this every time, in case we have weird recursive issues here */ + ret = smb_krb5_context_set_event_ctx(smb_krb5_context, event_ctx, &previous_ev); + if (ret) { + talloc_free(mem_ctx); + return ret; + } if (password) { ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, ccache, princ, password, @@ -399,6 +407,7 @@ krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx, krb_options, NULL, &kdc_time); } else if (impersonate_principal) { + talloc_free(mem_ctx); (*error_string) = "INTERNAL error: Cannot impersonate principal with just a keyblock. A password must be specified in the credentials"; return EINVAL; } else { @@ -411,6 +420,7 @@ krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx, talloc_free(mem_ctx); (*error_string) = "kinit_to_ccache: No password available for kinit\n"; krb5_get_init_creds_opt_free(smb_krb5_context->krb5_context, krb_options); + smb_krb5_context_remove_event_ctx(smb_krb5_context, previous_ev, event_ctx); return EINVAL; } ret = krb5_keyblock_init(smb_krb5_context->krb5_context, @@ -427,6 +437,8 @@ krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx, } } + smb_krb5_context_remove_event_ctx(smb_krb5_context, previous_ev, event_ctx); + if (ret == KRB5KRB_AP_ERR_SKEW || ret == KRB5_KDCREP_SKEW) { /* Perhaps we have been given an invalid skew, so try again without it */ time_t t = time(NULL); @@ -460,6 +472,7 @@ krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx, ret = kinit_to_ccache(parent_ctx, credentials, smb_krb5_context, + event_ctx, ccache, obtained, error_string); } |