1 files changed, 26 insertions, 14 deletions

diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 95dcd788d3..44af66022e 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -342,7 +342,7 @@ static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
 	goto done;
 
   memory_ccache:
-  	gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbind_cache");
+  	gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbindd_pam_ccache");
 
   done:
   	if (gen_cc == NULL) {
@@ -495,7 +495,7 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
 		DEBUG(1,("winbindd_raw_kerberos_login: kinit failed for '%s' with: %s (%d)\n", 
 			principal_s, error_message(krb5_ret), krb5_ret));
 		result = krb5_to_nt_status(krb5_ret);
-		goto done;
+		goto failed;
 	}
 
 	/* does http_timestring use heimdals libroken strftime?? - Guenther */
@@ -507,7 +507,7 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
 	client_princ = talloc_strdup(state->mem_ctx, global_myname());
 	if (client_princ == NULL) {
 		result = NT_STATUS_NO_MEMORY;
-		goto done;
+		goto failed;
 	}
 	strlower_m(client_princ);
 
@@ -515,7 +515,7 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
 	if (local_service == NULL) {
 		DEBUG(0,("winbindd_raw_kerberos_login: out of memory\n"));
 		result = NT_STATUS_NO_MEMORY;
-		goto done;
+		goto failed;
 	}
 
 	krb5_ret = cli_krb5_get_ticket(local_service, 
@@ -525,10 +525,10 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
 				       0, 
 				       cc);
 	if (krb5_ret) {
-		DEBUG(1,("winbindd_raw_kerberos_login: failed to get ticket for: %s\n", 
-			local_service));
+		DEBUG(1,("winbindd_raw_kerberos_login: failed to get ticket for %s: %s\n", 
+			local_service, error_message(krb5_ret)));
 		result = krb5_to_nt_status(krb5_ret);
-		goto done;
+		goto failed;
 	}
 
 	if (!internal_ccache) {
@@ -547,7 +547,7 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
 	if (!NT_STATUS_IS_OK(result)) {
 		DEBUG(0,("winbindd_raw_kerberos_login: ads_verify_ticket failed: %s\n", 
 			nt_errstr(result)));
-		goto done;
+		goto failed;
 	}
 
 	DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n", 
@@ -556,14 +556,14 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
 	if (!pac_data) {
 		DEBUG(3,("winbindd_raw_kerberos_login: no pac data\n"));
 		result = NT_STATUS_INVALID_PARAMETER;
-		goto done;
+		goto failed;
 	}
 			
 	logon_info = get_logon_info_from_pac(pac_data);
 	if (logon_info == NULL) {
 		DEBUG(1,("winbindd_raw_kerberos_login: no logon info\n"));
 		result = NT_STATUS_INVALID_PARAMETER;
-		goto done;
+		goto failed;
 	}
 
 
@@ -599,6 +599,22 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
 
 	result = NT_STATUS_OK;
 
+	goto done;
+
+failed:
+
+	/* we could have created a new credential cache with a valid tgt in it
+	 * but we werent able to get or verify the service ticket for this
+	 * local host and therefor didn't get the PAC, we need to remove that
+	 * cache entirely now */
+
+	krb5_ret = ads_kdestroy(cc);
+	if (krb5_ret) {
+		DEBUG(0,("winbindd_raw_kerberos_login: "
+			 "could not destroy krb5 credential cache: "
+			 "%s\n", error_message(krb5_ret)));
+	}
+
 done:
 	data_blob_free(&session_key);
 	data_blob_free(&session_key_krb5);
@@ -1802,12 +1818,8 @@ enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
 		goto process_result;
 	}
 
-	seteuid(entry->uid);
-
 	ret = ads_kdestroy(entry->ccname);
 
-	seteuid(0);
-
 	if (ret) {
 		DEBUG(0,("winbindd_pam_logoff: failed to destroy user ccache %s with: %s\n", 
 			entry->ccname, error_message(ret)));