From ec989e7c402e9868d45d7764175f2b44d85bb244 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Fri, 18 May 2012 10:05:38 +0300 Subject: auth-credentials: Support using pre-fetched ccache when obtaining kerberos credentials When credentials API is used by a client-side program that already as fetched required tickets into a ccache, we need to skip re-initializing ccache. This is used in FreeIPA when Samba 4 Python bindings are run after mod_auth_kerb has obtained user tickets already. --- auth/credentials/credentials_krb5.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'auth') diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c index 2a23688ffd..2c93a8febc 100644 --- a/auth/credentials/credentials_krb5.c +++ b/auth/credentials/credentials_krb5.c @@ -486,8 +486,18 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, } } - ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx, - &ccache, error_string); + + if (cred->ccache_obtained == CRED_UNINITIALISED) { + /* Only attempt to re-acquire ccache if it is not already in place. + * this is important for client-side use within frameworks with already acquired tickets + * like Apache+mod_auth_kerb+Python + */ + ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx, + &ccache, error_string); + } else { + ccache = cred->ccache; + } + if (ret) { if (cli_credentials_get_kerberos_state(cred) == CRED_MUST_USE_KERBEROS) { DEBUG(1, ("Failed to get kerberos credentials (kerberos required): %s\n", *error_string)); -- cgit