s3:ntlm_auth: explicitly include default krb5 ccache if no explicit username/password...
authorStefan Metzmacher <metze@samba.org>
Wed, 6 Mar 2024 20:55:24 +0000 (21:55 +0100)
committerStefan Metzmacher <metze@samba.org>
Tue, 14 May 2024 10:18:31 +0000 (10:18 +0000)
Before this silently happened because the gse_krb5 module just used the
default ccache, but that will change soon.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
source3/utils/ntlm_auth.c

index 6660a31673af3180330431086fb6b4afa59e4752..946754d26d269c46cb5ce172412b2ff74e7be3f2 100644 (file)
@@ -1467,7 +1467,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
 
        static char *want_feature_list = NULL;
        static DATA_BLOB session_key;
-
+       bool include_krb5_default_ccache = false;
        TALLOC_CTX *mem_ctx;
 
        mem_ctx = talloc_named(NULL, 0, "manage_gensec_request internal mem_ctx");
@@ -1551,6 +1551,9 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
                         * NTLMSSP_CLIENT_1 for now.
                         */
                        use_cached_creds = false;
+                       if (opt_username == NULL && state->set_password == NULL) {
+                               include_krb5_default_ccache = true;
+                       }
                        FALL_THROUGH;
                case NTLMSSP_CLIENT_1:
                        /* setup the client side */
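Review bot: The check added before `FALL_THROUGH` decides which credential source the helper uses, but nothing at this spot says so, and the flag it sets is only consumed in a later hunk. When neither `opt_username` nor `state->set_password` is given, the client will authenticate with the default krb5 ccache. A one-line comment above the `if` would make that ambient-credential choice visible, for example `/* No explicit username/password: use the default krb5 ccache. */`. The enclosing case label and the rest of manage_gensec_request lie outside the hunk.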
@@ -1602,6 +1605,21 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
                                                    GENSEC_FEATURE_NTLM_CCACHE);
                        } else if (state->set_password) {
                                cli_credentials_set_password(creds, state->set_password, CRED_SPECIFIED);
+                       } else if (include_krb5_default_ccache) {
+                               const char *error_string = NULL;
+                               int rc;
+
+                               rc = cli_credentials_set_ccache(creds,
+                                                               lp_ctx,
+                                                               NULL,
+                                                               CRED_SPECIFIED,
+                                                               &error_string);
+                               if (rc != 0) {
+                                       fprintf(stderr,
+                                               "Warning reading default "
+                                               "krb5 credentials cache: %s\n",
+                                               error_string);
+                               }
                        } else {
                                cli_credentials_set_password_callback(creds, get_password);
                        }
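Review bot: If `cli_credentials_set_ccache()` fails in the new `else if (include_krb5_default_ccache)` branch, the code only warns and carries on, and since this branch now sits ahead of the final `else`, `cli_credentials_set_password_callback(creds, get_password)` is never installed for that case. If falling back to the password callback is still wanted when no usable ccache exists, add `cli_credentials_set_password_callback(creds, get_password);` inside the `if (rc != 0)` block; otherwise a comment should state that continuing without a ccache, password or callback is intended. Separately, `error_string` starts as NULL and goes straight to `%s`; unless the callee is known to set it on every failure path, print `error_string != NULL ? error_string : "unknown error"` instead. The start of this if/else chain and the end of the function are outside the hunk.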