git.ipfire.org Git - thirdparty/samba.git/commit

author	Alexander Bokovoy <ab@samba.org>
	Tue, 2 Sep 2025 07:36:11 +0000 (10:36 +0300)
committer	Pavel Filipensky <pfilipensky@samba.org>
	Wed, 3 Sep 2025 10:15:50 +0000 (10:15 +0000)
commit	c00b98ad840706cda222bb610d0d4860b98c72d4
tree	e80dd2ca9319622be6e7d625c0bac4d06dc75ab8	tree \| snapshot
parent	70bd05c225153222c889fb4ef5e5c611d6631a18	commit \| diff

krb5: handle GSS-Proxy credentials lifetime

GSS-Proxy stores its credential in encrypted form in the Kerberos ccache
with a start and end time of 0 and a server principal in the realm named
'X-GSSPROXY:'. This credential is accessed through GSS-Proxy interposer
mechanism in MIT Kerberos and cannot be analysed with raw krb5 API.

As MIT Kerberos has no krb5_cc_get_lifetime() implementation, add check
for the GSS-Proxy credential to smb_krb5_cc_get_lifetime() wrapper to
return KRB5_PLUGIN_NO_HANDLE. The two places where
smb_krb5_cc_get_lifetime() is used then handle this return code to avoid
deciding on the 'expired' lifetime to cause a kinit.

This fixes FreeIPA use case where an IPA API endpoint uses Samba Python
bindings with a GSS-Proxy-controlled credential cache.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15902

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Wed Sep 3 10:15:50 UTC 2025 on atb-devel-224

auth/credentials/credentials_krb5.c		diff \| blob \| blame \| history
lib/krb5_wrap/krb5_samba.c		diff \| blob \| blame \| history