From: Andreas Schneider
Date: Tue, 10 Feb 2026 13:00:43 +0000 (+0100)
Subject: lib:krb5_wrap: Add function to read the default_ccache_name config value
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a2e77fbc2676045dd965c70cfde182fa57c10488;p=thirdparty%2Fsamba.git

lib:krb5_wrap: Add function to read the default_ccache_name config value

krb5_cc_default_name() expands the config value %{uid} is expanded to the current id. However when we call this as winbind, it is expanded to root and not the user we are authenticating. This functions reads directly from the config.

Signed-off-by: Andreas Schneider
Reviewed-by: Alexander Bokovoy
---

diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index abb44b5d515..0d80c50ee08 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -30,6 +30,10 @@
 #include
 #endif /* HAVE_COM_ERR_H */
 
+#ifdef HAVE_PROFILE_H
+#include
+#endif /* HAVE_PROFILE_H */
+
 #ifndef KRB5_AUTHDATA_WIN2K_PAC
 #define KRB5_AUTHDATA_WIN2K_PAC 128
 #endif
@@ -4095,6 +4099,87 @@ const char *smb_force_krb5_cc_default_name(krb5_context ctx)
 #define krb5_cc_default_name __ERROR__XX__NEVER_USE_krb5_cc_default_name__;
 }
 
+/**
+ * @brief Read the default ccache name from krb5.conf without expanding tokens
+ * like %{uid}.
+ *
+ * This returns the raw configured value.
+ *
+ * @param mem_ctx The memory context to allocate `pname` on.
+ *
+ * @param ctx The krb5 context.
+ *
+ * @param pname A pointer to store the default_ccache_name.
+ *
+ * @return 0 on success, or and krb5 error code otherwise.
+ */
+#ifdef SAMBA4_USES_HEIMDAL
+krb5_error_code smb_krb5_config_cc_default_name(TALLOC_CTX *mem_ctx,
+                                                krb5_context ctx,
+                                                char **pname)
+{
+	const char *cfg = NULL;
+
+	*pname = NULL;
+
+	cfg = krb5_config_get_string(
+		ctx, NULL, "libdefaults", "default_cc_name", NULL);
+	if (cfg == NULL) {
+		cfg = krb5_config_get_string(
+			ctx, NULL, "libdefaults", "default_ccache_name", NULL);
+	}
+	if (cfg == NULL) {
+		return 0;
+	}
+
+	*pname = talloc_strdup(mem_ctx, cfg);
+	if (*pname == NULL) {
+		return ENOMEM;
+	}
+
+	return 0;
+}
+#else /* MIT */
+krb5_error_code smb_krb5_config_cc_default_name(TALLOC_CTX *mem_ctx,
+                                                krb5_context ctx,
+                                                char **pname)
+{
+	krb5_error_code ret;
+	profile_t profile = NULL;
+	char *value = NULL;
+
+	*pname = NULL;
+
+	ret = krb5_get_profile(ctx, &profile);
+	if (ret != 0) {
+		return ret;
+	}
+
+	ret = profile_get_string(profile,
+				 "libdefaults",
+				 "default_ccache_name",
+				 NULL,
+				 NULL,
+				 &value);
+	profile_release(profile);
+	if (ret != 0) {
+		return ret;
+	}
+
+	if (value == NULL) {
+		return 0;
+	}
+
+	*pname = talloc_strdup(mem_ctx, value);
+	profile_release_string(value);
+	if (*pname == NULL) {
+		return ENOMEM;
+	}
+
+	return 0;
+}
+#endif /* SAMBA4_USES_HEIMDAL */
+
 #else /* HAVE_KRB5 */
 /* This saves a few linking headaches */
 int ads_krb5_cli_get_ticket(TALLOC_CTX *mem_ctx,
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index a562359e121..c12ae83fe4e 100644
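Review bot: Both variants of smb_krb5_config_cc_default_name return 0 with `*pname == NULL` when neither `default_cc_name` nor `default_ccache_name` is set, and neither falls back to the library's compiled-in default (typically `FILE:/tmp/krb5cc_%{uid}`, though that depends on the build), yet the Doxygen block above `#ifdef SAMBA4_USES_HEIMDAL` documents neither the NULL outcome nor that the returned string still carries unexpanded `%{...}` tokens and must not be used as a path until the caller expands them for the authenticated user's uid. I would change the parameter line to `@param pname A pointer to store the talloc'ed default_ccache_name, or NULL (with 0 returned) when neither default_cc_name nor default_ccache_name is configured; %{...} tokens are returned unexpanded.` and fix the typo in `@return 0 on success, or a krb5 error code otherwise.` Whether the winbind caller needs its own fallback when NULL comes back cannot be judged from this hunk, since the caller is not part of it.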
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -317,6 +317,14 @@ krb5_error_code smb_force_krb5_cc_default(krb5_context ctx, krb5_ccache *id);
  */
 const char *smb_force_krb5_cc_default_name(krb5_context ctx);
 
+/*
+ * Read the default ccache name from krb5.conf without expanding tokens
+ * like %{uid}. Returns the raw configured value.
+ */
+krb5_error_code smb_krb5_config_cc_default_name(TALLOC_CTX *mem_ctx,
+                                                krb5_context ctx,
+                                                char **pname);
+
 krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx,
 					    const krb5_enctype *enc);
 #if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY)
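Review bot: The header comment above the new `smb_krb5_config_cc_default_name` prototype states neither who owns the returned string nor what happens when the option is absent, which is the contract a caller of a public header actually needs. From the .c side of this commit, `*pname` is talloc_strdup'ed on `mem_ctx`, and the function returns 0 while leaving `*pname` NULL when no value is configured, so a caller must NULL-check before use. I would extend the comment with `On success *pname is talloc'ed on mem_ctx, or left NULL (with 0 returned) when neither default_cc_name nor default_ccache_name is configured.`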