
Annotation of /rpms/samba/sme10/samba-4.4.7-fix_ads_krb5_ccname_handling.patch



Revision 1.1 - (hide annotations) (download)
Thu Mar 2 16:04:48 2017 UTC (7 years, 3 months ago) by unnilennium
Branch: MAIN
CVS Tags: samba-4_4_4-12_5_el7_sme, samba-4_4_4-12_6_el7_sme, samba-4_4_4-14_6_el7_sme, samba-4_4_4-12_el7_3
update to samba-4.4.4-12 upstream version

1 unnilennium 1.1 From d29b108d879b4de27d235a1692e090c0993582df Mon Sep 17 00:00:00 2001
2     From: Stefan Metzmacher <metze@samba.org>
3     Date: Wed, 6 Jul 2016 12:48:11 +0200
4     Subject: [PATCH 1/2] libads: ensure the right ccache is used during gssapi
5     bind
6    
7     When doing gssapi sasl bind:
8     1. Try working without kinit only if a password is not
9     provided
10     2. When using kinit, ensure the KRB5CCNAME env var is set
11     to a private memory ccache, so that the bind is on behalf
12     of the requested user.
13    
14     BUG: https://bugzilla.samba.org/show_bug.cgi?id=12007
15    
16     Signed-off-by: Stefan Metzmacher <metze@samba.org>
17     Reviewed-by: Uri Simchoni <uri@samba.org>
18     (cherry picked from commit 2672968851966e5c01e4fc4d906b45b5c047e655)
19     ---
20     source3/libads/sasl.c | 23 ++++++++++++++++-------
21     1 file changed, 16 insertions(+), 7 deletions(-)
22    
23     diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
24     index d76d872..6c054cd 100644
25     --- a/source3/libads/sasl.c
26     +++ b/source3/libads/sasl.c
27     @@ -26,6 +26,7 @@
28     #include "smb_krb5.h"
29     #include "system/gssapi.h"
30     #include "lib/param/loadparm.h"
31     +#include "krb5_env.h"
32    
33     #ifdef HAVE_LDAP
34    
35     @@ -1015,21 +1016,29 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)
36     {
37     ADS_STATUS status;
38     struct ads_service_principal p;
39     + const char *ccache_name = "MEMORY:ads_sasl_gssapi_do_bind";
40    
41     status = ads_generate_service_principal(ads, &p);
42     if (!ADS_ERR_OK(status)) {
43     return status;
44     }
45    
46     - status = ads_sasl_gssapi_do_bind(ads, p.name);
47     - if (ADS_ERR_OK(status)) {
48     - ads_free_service_principal(&p);
49     - return status;
50     - }
51     + if (ads->auth.password == NULL ||
52     + ads->auth.password[0] == '\0') {
53     + status = ads_sasl_gssapi_do_bind(ads, p.name);
54     + if (ADS_ERR_OK(status)) {
55     + ads_free_service_principal(&p);
56     + return status;
57     + }
58    
59     - DEBUG(10,("ads_sasl_gssapi_do_bind failed with: %s, "
60     - "calling kinit\n", ads_errstr(status)));
61     + DEBUG(10,("ads_sasl_gssapi_do_bind failed with: %s, "
62     + "calling kinit\n", ads_errstr(status)));
63     + }
64    
65     + if (ads->auth.ccache_name != NULL) {
66     + ccache_name = ads->auth.ccache_name;
67     + }
68     + setenv(KRB5_ENV_CCNAME, ccache_name, 1);
69     status = ADS_ERROR_KRB5(ads_kinit_password(ads));
70    
71     if (ADS_ERR_OK(status)) {
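Review bot: The added `setenv(KRB5_ENV_CCNAME, ccache_name, 1);` ignores its return value, so if it fails the following `ads_kinit_password()` and the bind presumably run against whatever ccache the process environment already named, which is the wrong-principal case this patch is meant to close. Fail the bind instead, for example `if (setenv(KRB5_ENV_CCNAME, ccache_name, 1) != 0) { ads_free_service_principal(&p); return ADS_ERROR_SYSTEM(errno); }`. The same unchecked call is added in the ads_sasl_spnego_bind hunk of patch 2/2, where the error path would go through `goto done`. ads_sasl_gssapi_bind continues past the end of this hunk, so the cleanup needed on the error path should be checked against the rest of the function.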
72     --
73     2.5.5
74    
75    
76     From 416ba773c332288e948871d8f649c0310a94f906 Mon Sep 17 00:00:00 2001
77     From: Stefan Metzmacher <metze@samba.org>
78     Date: Wed, 6 Jul 2016 12:44:11 +0200
79     Subject: [PATCH 2/2] libads: ensure the right ccache is used during spnego
80     bind
81    
82     When doing spnego sasl bind:
83     1. Try working without kinit only if a password is not
84     provided
85     2. When using kinit, ensure the KRB5CCNAME env var is set
86     to a private memory ccache, so that the bind is on behalf
87     of the requested user.
88    
89     BUG: https://bugzilla.samba.org/show_bug.cgi?id=12007
90    
91     Signed-off-by: Stefan Metzmacher <metze@samba.org>
92     Reviewed-by: Uri Simchoni <uri@samba.org>
93    
94     Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
95     Autobuild-Date(master): Tue Jul 12 03:23:33 CEST 2016 on sn-devel-144
96    
97     (cherry picked from commit a1743de74f09d5bf695f077f5127d02352a014e2)
98     ---
99     source3/libads/sasl.c | 29 ++++++++++++++++++++---------
100     1 file changed, 20 insertions(+), 9 deletions(-)
101    
102     diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
103     index 6c054cd..85a2eb0 100644
104     --- a/source3/libads/sasl.c
105     +++ b/source3/libads/sasl.c
106     @@ -749,18 +749,29 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
107     if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
108     got_kerberos_mechanism)
109     {
110     - status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
111     - CRED_MUST_USE_KERBEROS,
112     - p.service, p.hostname,
113     - blob);
114     - if (ADS_ERR_OK(status)) {
115     - ads_free_service_principal(&p);
116     - goto done;
117     + const char *ccache_name = "MEMORY:ads_sasl_spnego_bind";
118     + if (ads->auth.ccache_name != NULL) {
119     + ccache_name = ads->auth.ccache_name;
120     }
121    
122     - DEBUG(10,("ads_sasl_spnego_gensec_bind(KRB5) failed with: %s, "
123     - "calling kinit\n", ads_errstr(status)));
124     + if (ads->auth.password == NULL ||
125     + ads->auth.password[0] == '\0')
126     + {
127     +
128     + status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
129     + CRED_MUST_USE_KERBEROS,
130     + p.service, p.hostname,
131     + blob);
132     + if (ADS_ERR_OK(status)) {
133     + ads_free_service_principal(&p);
134     + goto done;
135     + }
136     +
137     + DEBUG(10,("ads_sasl_spnego_gensec_bind(KRB5) failed with: %s, "
138     + "calling kinit\n", ads_errstr(status)));
139     + }
140    
141     + setenv(KRB5_ENV_CCNAME, ccache_name, 1);
142     status = ADS_ERROR_KRB5(ads_kinit_password(ads));
143    
144     if (ADS_ERR_OK(status)) {
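Review bot: `setenv(KRB5_ENV_CCNAME, ccache_name, 1)` overrides KRB5CCNAME for the whole process, and nothing in the visible lines saves or restores the previous value, so later Kerberos operations in the same process inherit this ccache. The fallback name `"MEMORY:ads_sasl_spnego_bind"` is also a fixed string, so two binds for different users that leave `ads->auth.ccache_name` unset would appear to share one cache. At minimum document this at the call, e.g. `/* Overrides KRB5CCNAME process-wide and does not restore it; callers binding as several users should set ads->auth.ccache_name to a unique name. */`. The function body continues outside the hunk, so a restore may exist there and is worth confirming. The gssapi hunk in patch 1/2 has the same pattern with `"MEMORY:ads_sasl_gssapi_do_bind"`.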
145     --
146     2.5.5
147    
