-rw-r--r-- | auth/credentials/credentials.c | 6 | ||||
-rw-r--r-- | auth/credentials/credentials_krb5.c | 14 | ||||
-rwxr-xr-x | testprogs/blackbox/test_kinit.sh | 1 |
3 files changed, 7 insertions, 14 deletions
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 3eaccde25e..05f0a624db 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -483,7 +483,11 @@ _PUBLIC_ bool cli_credentials_set_domain(struct cli_credentials *cred,
 * calculations */
 cred->domain = strupper_talloc(cred, val);
 cred->domain_obtained = obtained;
- cli_credentials_invalidate_ccache(cred, cred->domain_obtained);
+ /* setting domain does not mean we have to invalidate ccache
+ * because domain in not used for Kerberos operations.
+ * If ccache invalidation is required, one will anyway specify
+ * a password to kinit, and that will force invalidation of the ccache
+ */
 return true;
 }
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 2c93a8febc..2a23688ffd 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -486,18 +486,8 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
 }
 }
-
- if (cred->ccache_obtained == CRED_UNINITIALISED) {
- /* Only attempt to re-acquire ccache if it is not already in place.
- * this is important for client-side use within frameworks with already acquired tickets
- * like Apache+mod_auth_kerb+Python
- */
- ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx,
- &ccache, error_string);
- } else {
- ccache = cred->ccache;
- }
-
+ ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx,
+ &ccache, error_string);
 if (ret) {
 if (cli_credentials_get_kerberos_state(cred) == CRED_MUST_USE_KERBEROS) {
 DEBUG(1, ("Failed to get kerberos credentials (kerberos required): %s\n", *error_string));
diff --git a/testprogs/blackbox/test_kinit.sh b/testprogs/blackbox/test_kinit.sh
index 14f1e62c9e..981987d03f 100755
--- a/testprogs/blackbox/test_kinit.sh
+++ b/testprogs/blackbox/test_kinit.sh
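Review bot: The new comment in cli_credentials_set_domain justifies dropping `cli_credentials_invalidate_ccache()` by saying the domain is not used for Kerberos operations, but nothing in this hunk shows that. If any code path outside the hunk derives the client principal or realm from `cred->domain`, a ccache obtained for the previous identity would now be reused after the domain changes. The second half of the comment also depends on callers setting a password afterwards, which is a caller convention rather than something this function enforces. I would state the assumption explicitly and fix the "in not" typo, e.g. `/* Domain is not an input to principal/realm selection (confirm), so an existing ccache stays valid; setting a password still invalidates it. */`. The function starts above the hunk.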
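Review bot: The now-unconditional call to `cli_credentials_get_ccache()` in cli_credentials_get_client_gss_creds removes the branch that reused `cred->ccache`, along with the comment explaining why it existed (externally acquired tickets, e.g. Apache+mod_auth_kerb+Python), and nothing remains to say that case is still handled. It presumably relies on `cli_credentials_get_ccache()` returning an already-set cache rather than acquiring a new one, but that function is outside the hunk, so the guarantee should be written down here: `/* cli_credentials_get_ccache() returns the existing ccache when one is already set, so externally supplied tickets are reused */`. If that does not hold, a caller with a pre-populated ccache and no password would now reach the `if (ret)` failure path, which with CRED_MUST_USE_KERBEROS is a hard error. The function body starts and ends outside the hunk.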
@@ -174,7 +174,6 @@ rm -f $KRB5CCNAME
 testit "kinit with machineaccountccache script" $machineaccountccache $CONFIGURATION $KRB5CCNAME || failed=`expr $failed + 1`
 test_smbclient "Test machine account login with kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1`
-rm -f $KRB5CCNAME
 testit "reset password policies" $VALGRIND $samba_tool domain passwordsettings $PWSETCONFIG set --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=`expr $failed + 1`
 rm -f $PREFIX/tmpccache tmpccfile tmppassfile tmpuserpassfile tmpuserccache tmpkpasswdscript |