From 893b21387665a7b644355d60f6fbccaf48ffaedb Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 7 Sep 2012 14:14:08 -0400 Subject: Avoid overriding default ccache for ads operations. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Avoid overriding default ccache for ads operations. Nowadays various samba components may need to use GSSAPI and a default cred cache to perform their tasks. This code was completely overriding the whole process default ccache name, thus altering the current credentials and sometimes hijacking them (or getting preemptively hijaked). By using gss_krb5_import_cred we can instead use a private ccache (necessary sometimes to use a different set of credentials fromt he default cifs/fqdn@realm one, for example when contacting foreign DCs using trust credentials) that does not affect the rest of the process. For the kerberos versions which don't have gss_krb5_import_cred we fallback to temp override of KRB5CCNAME and gss_acquire_cred. Signed-off-by: Alexander Bokovoy Signed-off-by: Günther Deschner Autobuild-User(master): Alexander Bokovoy Autobuild-Date(master): Wed Sep 12 21:18:09 CEST 2012 on sn-devel-104 --- source3/libsmb/cliconnect.c | 2 +- source3/libsmb/clispnego.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/libsmb') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index b74faa6fd9..9ce013ee64 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1461,7 +1461,7 @@ static struct tevent_req *cli_session_setup_kerberos_send( * we have to acquire a ticket. To be fixed later :-) */ rc = spnego_gen_krb5_negTokenInit(state, principal, 0, &state->negTokenTarg, - &state->session_key_krb5, 0, NULL); + &state->session_key_krb5, 0, NULL, NULL); if (rc) { DEBUG(1, ("cli_session_setup_kerberos: " "spnego_gen_krb5_negTokenInit failed: %s\n", 
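Review bot: The two trailing `NULL` arguments in the updated `spnego_gen_krb5_negTokenInit` call in cliconnect.c cannot be told apart at the call site. The clispnego.c change in this same commit places the new `ccname` before `expire_time`, so the first is the credential cache name and the second the expiry out-pointer. I would annotate them, for example `&state->session_key_krb5, 0, NULL /* ccname */, NULL /* expire_time */);`. What a NULL `ccname` selects is decided inside `cli_krb5_get_ticket`, which is not shown here; presumably it is the process default ccache, and once confirmed the comment should say that this path keeps using the default credentials. The enclosing function starts and ends outside the hunk.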
diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c index 81f9dfb20c..a17efbf75b 100644 --- a/source3/libsmb/clispnego.c +++ b/source3/libsmb/clispnego.c @@ -255,7 +255,7 @@ int spnego_gen_krb5_negTokenInit(TALLOC_CTX *ctx, const char *principal, int time_offset, DATA_BLOB *targ, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts, - time_t *expire_time) + const char *ccname, time_t *expire_time) { int retval; DATA_BLOB tkt, tkt_wrapped; @@ -264,7 +264,7 @@ int spnego_gen_krb5_negTokenInit(TALLOC_CTX *ctx, /* get a kerberos ticket for the service and extract the session key */ retval = cli_krb5_get_ticket(ctx, principal, time_offset, &tkt, session_key_krb5, - extra_ap_opts, NULL, + extra_ap_opts, ccname, expire_time, NULL); if (retval) { return retval; -- cgit
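Review bot: The new `const char *ccname` parameter of `spnego_gen_krb5_negTokenInit` (first clispnego.c hunk) has no documentation in the visible lines, and the second hunk forwards it to `cli_krb5_get_ticket` without any check. Because it chooses which credential cache, and therefore which identity, the service ticket comes from, the function's header comment (outside the hunk) should state what NULL means and that the string is borrowed, not freed here. It should also say that callers must pass a cache name they control, not one derived from peer or user input. A line such as `/* ccname: credential cache to take the ticket from, or NULL (presumably the default ccache; confirm in cli_krb5_get_ticket) */` would cover the first two points.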