libads: ensure the right ccache is used during spnego bind
authorStefan Metzmacher <metze@samba.org>
Wed, 6 Jul 2016 10:44:11 +0000 (12:44 +0200)
committerKarolin Seeger <kseeger@samba.org>
Wed, 3 Aug 2016 09:19:13 +0000 (11:19 +0200)
When doing spnego sasl bind:
1. Try working without kinit only if a password is not
   provided
2. When using kinit, ensure the KRB5CCNAME env var is set
   to a private memory ccache, so that the bind is on behalf
   of the requested user.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12007

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jul 12 03:23:33 CEST 2016 on sn-devel-144

(cherry picked from commit a1743de74f09d5bf695f077f5127d02352a014e2)

source3/libads/sasl.c

index 6c054cd1cce10c17f64ee764da954f97e370e724..85a2eb00e98a3bedaf55dbb9e35c0e019eb47dfe 100644 (file)
@@ -749,18 +749,29 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
        if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
            got_kerberos_mechanism) 
        {
-               status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
-                                                    CRED_MUST_USE_KERBEROS,
-                                                    p.service, p.hostname,
-                                                    blob);
-               if (ADS_ERR_OK(status)) {
-                       ads_free_service_principal(&p);
-                       goto done;
+               const char *ccache_name = "MEMORY:ads_sasl_spnego_bind";
+               if (ads->auth.ccache_name != NULL) {
+                       ccache_name = ads->auth.ccache_name;
                }
 
-               DEBUG(10,("ads_sasl_spnego_gensec_bind(KRB5) failed with: %s, "
-                         "calling kinit\n", ads_errstr(status)));
+               if (ads->auth.password == NULL ||
+                   ads->auth.password[0] == '\0')
+               {
+
+                       status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
+                                                            CRED_MUST_USE_KERBEROS,
+                                                            p.service, p.hostname,
+                                                            blob);
+                       if (ADS_ERR_OK(status)) {
+                               ads_free_service_principal(&p);
+                               goto done;
+                       }
+
+                       DEBUG(10,("ads_sasl_spnego_gensec_bind(KRB5) failed with: %s, "
+                                 "calling kinit\n", ads_errstr(status)));
+               }
 
+               setenv(KRB5_ENV_CCNAME, ccache_name, 1);
                status = ADS_ERROR_KRB5(ads_kinit_password(ads)); 
 
                if (ADS_ERR_OK(status)) {
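Review bot: The `setenv(KRB5_ENV_CCNAME, ccache_name, 1)` added near the end of the hunk changes process-wide state without saving the previous value, so every later Kerberos call in this process keeps using ccache_name, and when ads->auth.ccache_name is NULL the fixed name `MEMORY:ads_sasl_spnego_bind` is shared by all binds in the process, which seems at odds with the "private memory ccache" described in the commit message if two binds for different users overlap. Its return value is also ignored, so a failed setenv() silently leaves whatever ccache was previously in the environment in effect for the kinit that follows; `if (setenv(KRB5_ENV_CCNAME, ccache_name, 1) != 0) { status = ADS_ERROR_SYSTEM(errno); goto done; }` would make that explicit. Consider reading the old value with getenv(KRB5_ENV_CCNAME) before the call and restoring (or unsetting) it on the exit path; that exit path, the `done:` label and the rest of ads_sasl_spnego_bind are outside this hunk. Minor style point: the blank line directly after the opening brace of the `ads->auth.password == NULL` block is unusual in this file and can be dropped.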