summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/libcli/auth/gensec_krb5.c27
1 files changed, 21 insertions, 6 deletions
diff --git a/source4/libcli/auth/gensec_krb5.c b/source4/libcli/auth/gensec_krb5.c
index 9d4a2f6b0e..c01520bb2f 100644
--- a/source4/libcli/auth/gensec_krb5.c
+++ b/source4/libcli/auth/gensec_krb5.c
@@ -234,10 +234,7 @@ static int gensec_krb5_destory(void *ptr)
struct gensec_krb5_state *gensec_krb5_state = ptr;
if (gensec_krb5_state->ticket.length) {
- /* Hmm, early heimdal dooesn't have this - correct call would be krb5_data_free */
-#ifdef HAVE_KRB5_FREE_DATA_CONTENTS
- krb5_free_data_contents(gensec_krb5_state->krb5_context, &gensec_krb5_state->ticket);
-#endif
+ kerberos_free_data_contents(gensec_krb5_state->krb5_context, &gensec_krb5_state->ticket);
}
if (gensec_krb5_state->krb5_ccache) {
/* current heimdal - 0.6.3, which we need anyway, fixes segfaults here */
@@ -334,7 +331,10 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
gensec_krb5_state = gensec_security->private_data;
gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
- /* TODO: This is effecivly a static/global variable... */
+ /* TODO: This is effecivly a static/global variable...
+
+ TODO: If the user set a username, we should use an in-memory CCACHE (see below)
+ */
ret = krb5_cc_default(gensec_krb5_state->krb5_context, &gensec_krb5_state->krb5_ccache);
if (ret) {
DEBUG(1,("krb5_cc_default failed (%s)\n",
@@ -391,6 +391,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
case ENOENT:
{
char *password;
+ char *ccache_string;
time_t kdc_time = 0;
nt_status = gensec_get_password(gensec_security,
gensec_security,
@@ -398,9 +399,23 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
+
+ /* this string should be unique */
+ ccache_string = talloc_asprintf(gensec_krb5_state, "MEMORY:%s:%s:%s",
+ gensec_get_client_principal(gensec_security, gensec_krb5_state),
+ gensec_get_target_principal(gensec_security, gensec_krb5_state),
+ generate_random_str(gensec_krb5_state, 16));
+
+ ret = krb5_cc_resolve(gensec_krb5_state->krb5_context, ccache_string, &gensec_krb5_state->krb5_ccache);
+ if (ret) {
+ DEBUG(1,("failed to generate a new krb5 keytab (%s): %s\n",
+ ccache_string,
+ error_message(ret)));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
ret = kerberos_kinit_password_cc(gensec_krb5_state->krb5_context, gensec_krb5_state->krb5_ccache,
- gensec_get_client_principal(gensec_security, gensec_security),
+ gensec_get_client_principal(gensec_security, gensec_krb5_state),
password, NULL, &kdc_time);
/* cope with ticket being in the future due to clock skew */