From: Stefan Metzmacher Date: Wed, 6 Jul 2016 10:48:11 +0000 (+0200) Subject: libads: ensure the right ccache is used during gssapi bind X-Git-Tag: samba-4.3.12~98 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0bbf381c992d184063f8c9bd3d9fafa952654eaf;p=thirdparty%2Fsamba.git libads: ensure the right ccache is used during gssapi bind When doing gssapi sasl bind: 1. Try working without kinit only if a password is not provided 2. When using kinit, ensure the KRB5CCNAME env var is set to a private memory ccache, so that the bind is on behalf of the requested user. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12007 Signed-off-by: Stefan Metzmacher Reviewed-by: Uri Simchoni (cherry picked from commit 2672968851966e5c01e4fc4d906b45b5c047e655) --- diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c index d76d8724ac0..6c054cd1cce 100644 --- a/source3/libads/sasl.c +++ b/source3/libads/sasl.c @@ -26,6 +26,7 @@ #include "smb_krb5.h" #include "system/gssapi.h" #include "lib/param/loadparm.h" +#include "krb5_env.h" #ifdef HAVE_LDAP @@ -1015,21 +1016,29 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads) { ADS_STATUS status; struct ads_service_principal p; + const char *ccache_name = "MEMORY:ads_sasl_gssapi_do_bind"; status = ads_generate_service_principal(ads, &p); if (!ADS_ERR_OK(status)) { return status; } - status = ads_sasl_gssapi_do_bind(ads, p.name); - if (ADS_ERR_OK(status)) { - ads_free_service_principal(&p); - return status; - } + if (ads->auth.password == NULL || + ads->auth.password[0] == '\0') { + status = ads_sasl_gssapi_do_bind(ads, p.name); + if (ADS_ERR_OK(status)) { + ads_free_service_principal(&p); + return status; + } - DEBUG(10,("ads_sasl_gssapi_do_bind failed with: %s, " - "calling kinit\n", ads_errstr(status))); + DEBUG(10,("ads_sasl_gssapi_do_bind failed with: %s, " + "calling kinit\n", ads_errstr(status))); + } + if (ads->auth.ccache_name != NULL) { + ccache_name = ads->auth.ccache_name; + } + setenv(KRB5_ENV_CCNAME, ccache_name, 1); status = ADS_ERROR_KRB5(ads_kinit_password(ads)); if (ADS_ERR_OK(status)) {