From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 27 Feb 2024 12:03:46 +0000 (+0100)
Subject: s3:libads: we only need to gensec_expire_time()...
X-Git-Tag: tdb-1.4.11~767
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ea97abd545ec13a161b7082cae10f0012f11e8e6;p=thirdparty%2Fsamba.git

s3:libads: we only need to gensec_expire_time()...

The lifetime of a service ticket is never longer than
the lifetime of the TGT...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---

diff --git a/source3/libads/kerberos_util.c b/source3/libads/kerberos_util.c
index 3b25dea28bb..7fca56d3741 100644
--- a/source3/libads/kerberos_util.c
+++ b/source3/libads/kerberos_util.c
@@ -64,7 +64,7 @@ int ads_kinit_password(ADS_STRUCT *ads)
 
 	ret = kerberos_kinit_password_ext(s, ads->auth.password,
 					  ads->auth.time_offset,
-					  &ads->auth.tgt_expire, NULL,
+					  NULL, NULL,
 					  ads->auth.ccache_name, false, false,
 					  0,
 					  NULL, NULL, NULL, NULL);
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 04f29d35f6a..8cbb8062cca 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -321,7 +321,6 @@ static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads,
 	struct auth_generic_state *auth_generic_state;
 	const char *sasl = "GSS-SPNEGO";
 	const char *sasl_list[] = { sasl, NULL };
-	NTTIME end_nt_time;
 	struct ads_saslwrap *wrap = &ads->ldap_wrap_data;
 	const DATA_BLOB *tls_cb = NULL;
 
@@ -488,13 +487,7 @@ static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads,
 		}
 	}
 
-	ads->auth.tgs_expire = LONG_MAX;
-	end_nt_time = gensec_expire_time(auth_generic_state->gensec_security);
-	if (end_nt_time != GENSEC_EXPIRE_TIME_INFINITY) {
-		struct timeval tv;
-		nttime_to_timeval(&tv, end_nt_time);
-		ads->auth.tgs_expire = tv.tv_sec;
-	}
+	ads->auth.expire_time = gensec_expire_time(auth_generic_state->gensec_security);
 
 	if (wrap->wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
 		size_t max_wrapped =
diff --git a/source3/librpc/idl/ads.idl b/source3/librpc/idl/ads.idl
index 37f145d6676..ded3c738d6d 100644
--- a/source3/librpc/idl/ads.idl
+++ b/source3/librpc/idl/ads.idl
@@ -54,8 +54,7 @@ interface ads
 		ads_auth_flags flags;
 		int time_offset;
 		string ccache_name;
-		time_t tgt_expire;
-		time_t tgs_expire;
+		NTTIME expire_time;
 	} ads_auth;
 
 	typedef [nopull,nopush] struct {
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index 1714f0e6ef8..b2ceada9802 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -59,7 +59,7 @@ static void ads_cached_connection_reuse(ADS_STRUCT **adsp)
 		time_t expire;
 		time_t now = time(NULL);
 
-		expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire);
+		expire = nt_time_to_unix(ads->auth.expire_time);
 
 		DEBUG(7, ("Current tickets expire in %d seconds (at %d, time "
 			  "is now %d)\n", (uint32_t)expire - (uint32_t)now,