From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 6 Jul 2016 10:44:11 +0000 (+0200)
Subject: libads: ensure the right ccache is used during spnego bind
X-Git-Tag: samba-4.3.12~97
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1139c8fa22481efcc9dc602b7497c6aa5362c060;p=thirdparty%2Fsamba.git

libads: ensure the right ccache is used during spnego bind

When doing spnego sasl bind:
1. Try working without kinit only if a password is not
   provided
2. When using kinit, ensure the KRB5CCNAME env var is set
   to a private memory ccache, so that the bind is on behalf
   of the requested user.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12007

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jul 12 03:23:33 CEST 2016 on sn-devel-144

(cherry picked from commit a1743de74f09d5bf695f077f5127d02352a014e2)
---

diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 6c054cd1cce..85a2eb00e98 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -749,18 +749,29 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 	if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
 	    got_kerberos_mechanism) 
 	{
-		status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
-						     CRED_MUST_USE_KERBEROS,
-						     p.service, p.hostname,
-						     blob);
-		if (ADS_ERR_OK(status)) {
-			ads_free_service_principal(&p);
-			goto done;
+		const char *ccache_name = "MEMORY:ads_sasl_spnego_bind";
+		if (ads->auth.ccache_name != NULL) {
+			ccache_name = ads->auth.ccache_name;
 		}
 
-		DEBUG(10,("ads_sasl_spnego_gensec_bind(KRB5) failed with: %s, "
-			  "calling kinit\n", ads_errstr(status)));
+		if (ads->auth.password == NULL ||
+		    ads->auth.password[0] == '\0')
+		{
+
+			status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
+							     CRED_MUST_USE_KERBEROS,
+							     p.service, p.hostname,
+							     blob);
+			if (ADS_ERR_OK(status)) {
+				ads_free_service_principal(&p);
+				goto done;
+			}
+
+			DEBUG(10,("ads_sasl_spnego_gensec_bind(KRB5) failed with: %s, "
+				  "calling kinit\n", ads_errstr(status)));
+		}
 
+		setenv(KRB5_ENV_CCNAME, ccache_name, 1);
 		status = ADS_ERROR_KRB5(ads_kinit_password(ads)); 
 
 		if (ADS_ERR_OK(status)) {