From: Andreas Schneider Date: Fri, 4 Apr 2025 11:37:21 +0000 (+0200) Subject: librpc:gse: Implement storing tickets into an emtpy ccache X-Git-Tag: tdb-1.4.14~42 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7a4c8d6f84cabfe9d27fcb795a4030de93a1b8cb;p=thirdparty%2Fsamba.git librpc:gse: Implement storing tickets into an emtpy ccache smbclient //server/share --krb5-use-ccache=/tmp/foo Will write the ticket to the specified ccache. Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy --- diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c index e6f96d2464e..d29122c9ce6 100644 --- a/source3/librpc/crypto/gse.c +++ b/source3/librpc/crypto/gse.c @@ -632,6 +632,71 @@ init_sec_context_done: goto done; } + /* + * In case we have a ccache specified on the command line we probably + * want to use it to store credentials we got it. + */ +#ifdef HAVE_GSS_KEY_VALUE_SET_DESC + if (NT_STATUS_IS_OK(status)) { + struct cli_credentials *creds = gensec_get_credentials( + gensec_security); + bool ccache_valid = false; + enum credentials_obtained ccache_obtained = CRED_UNINITIALISED; + + ccache_valid = cli_credentials_get_ccache_name_obtained( + creds, gse_ctx, NULL, &ccache_obtained); + /* + * In case we don't have a valid ccache yet, try to create it if + * one has been specified. + */ + if (!ccache_valid) { + gss_key_value_set_desc store; + const char *ccache_name = + cli_credentials_get_out_ccache_name(creds); + + if (ccache_name == NULL) { + goto done; + } + + store.elements = talloc_zero_array( + mem_ctx, + struct gss_key_value_element_struct, + 1); + if (store.elements == NULL) { + status = NT_STATUS_NO_MEMORY; + goto done; + } + + store.count = 1; + store.elements[0] = + (struct gss_key_value_element_struct){ + .key = "ccache", + .value = ccache_name, + }; + + /* + * We attempt to store the cred into the ccache. It + * might fail but we don't need to act on it for the + * purpose of the authentication. + */ + gss_maj = gss_store_cred_into(&gss_min, + gse_ctx->creds, + GSS_C_INITIATE, + GSS_C_NO_OID, + /* overwrite_cred = */ 1, + /* default_cred = */ 1, + &store, + NULL, + NULL); + if (gss_maj != 0) { + DBG_ERR("Failed to store Kerberos credentials " + "into ccache: %s\n", + ccache_name); + } + } + } +#endif /* HAVE_GSS_KEY_VALUE_SET_DESC */ + /* we may be told to return nothing */ if (out_data.length) { blob = data_blob_talloc(mem_ctx, out_data.value, out_data.length); diff --git a/wscript_configure_embedded_heimdal b/wscript_configure_embedded_heimdal index c1488e5506e..325b1b11d4b 100644 --- a/wscript_configure_embedded_heimdal +++ b/wscript_configure_embedded_heimdal @@ -15,3 +15,4 @@ conf.RECURSE('third_party/heimdal_build') conf.define('HAVE_CLIENT_GSS_C_CHANNEL_BOUND_FLAG', 1) conf.define('HAVE_KRB5_INIT_CREDS_STEP', 1) +conf.define('HAVE_GSS_KEY_VALUE_SET_DESC', 1) diff --git a/wscript_configure_system_heimdal b/wscript_configure_system_heimdal index c320a76ea17..6256bbac4e6 100644 --- a/wscript_configure_system_heimdal +++ b/wscript_configure_system_heimdal @@ -66,3 +66,12 @@ conf.CHECK_FUNCS(''' ''', lib='krb5', headers='krb5.h') + +# gss_key_value_set_desc is not part of system heimdal in the build image. Maybe +# the distro we use is too old. +conf.CHECK_CODE( + "gss_key_value_set_desc", + "HAVE_GSS_KEY_VALUE_SET_DESC", + headers="gssapi/gssapi.h", + lib="gssapi", +) diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5 index 0bf755bc0cb..6b70f2530ed 100644 --- a/wscript_configure_system_mitkrb5 +++ b/wscript_configure_system_mitkrb5 @@ -339,6 +339,13 @@ conf.CHECK_CODE(''' headers='krb5.h', lib='krb5', execute=False, msg="Checking whether krb5_creds have flags property") +conf.CHECK_CODE( + "gss_key_value_set_desc", + "HAVE_GSS_KEY_VALUE_SET_DESC", + headers="gssapi/gssapi_ext.h", + lib="gssapi", +) + # Check for MIT KDC if conf.CONFIG_SET('AD_DC_BUILD_IS_ENABLED'): Logs.info("Looking for MIT KDC")