s3:winbind: Add support for krb5_ccache_type = DEFAULT
authorAndreas Schneider <asn@samba.org>
Mon, 9 Feb 2026 10:02:11 +0000 (11:02 +0100)
committerAndreas Schneider <asn@cryptomilk.org>
Thu, 26 Mar 2026 09:56:29 +0000 (09:56 +0000)
This will use the ccache_type defined in the krb5.conf.

Pair-Programmed-With: Pavel Filipenský <pfilipen@samba.org>
Signed-off-by: Pavel Filipenský <pfilipen@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
docs-xml/manpages/pam_winbind.conf.5.xml
source3/winbindd/winbindd_pam.c

index 58419e89384a343de7579b5444415c48a55c47c1..6e6f0c7495a38f24534361964d9e9892dda899f3 100644 (file)
                generate default paths with the user's UID):</para>
 
                <variablelist>
+                       <varlistentry>
+                               <term>DEFAULT</term>
+                               <listitem><para>Uses the default credential cache
+                               location as specified in the system's
+                               <filename>krb5.conf</filename> configuration file
+                               (<quote>default_ccache_name</quote>). This option
+                               allows the Kerberos configuration to centrally
+                               control the credential cache location. The
+                               <quote>%{uid}</quote> pattern in
+                               <filename>krb5.conf</filename> will be substituted
+                               with the user's UID.</para></listitem>
+                       </varlistentry>
                        <varlistentry>
                                <term>KCM</term>
                                <listitem><para>Uses Kerberos Credential Manager
index 68ffebe7e16e14c70f9ce0f1e9dca34757009869..c4a368222b26a99d0ba8ab175add35b7137a8023 100644 (file)
@@ -638,6 +638,43 @@ static bool generate_krb5_ccache(TALLOC_CTX *mem_ctx,
 
        *user_ccache_file = NULL;
 
+       /*
+        * Handle DEFAULT type - use the default_ccache_name from krb5.conf.
+        * This allows the system Kerberos configuration to determine the
+        * credential cache location.
+        */
+       if (strequal(type, "DEFAULT")) {
+               krb5_context krbctx = NULL;
+               krb5_error_code k5ret;
+               char *cc_default_name = NULL;
+
+               k5ret = smb_krb5_init_context_common(&krbctx);
+               if (k5ret != 0) {
+                       DBG_ERR("Failed to initialize krb5 context: %d\n",
+                               k5ret);
+                       return false;
+               }
+
+               k5ret = smb_krb5_config_cc_default_name(mem_ctx,
+                                                       krbctx,
+                                                       &cc_default_name);
+               krb5_free_context(krbctx);
+               if (k5ret != 0) {
+                       DBG_ERR("Failed to get default ccache name: %d\n",
+                               k5ret);
+                       return false;
+               }
+               if (cc_default_name == NULL) {
+                       DBG_ERR("No default_ccache_name configured "
+                               "in krb5.conf\n");
+                       return false;
+               }
+
+               type = cc_default_name;
+
+               /* Now let the code below expand %{uid} */
+       }
+
        /* Check if type has an explicit path prefix */
        for (i = 0; i < ARRAY_SIZE(ccache_prefixes); i++) {
                if (strnequal(type,
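Review bot: After `type = cc_default_name;` the only substitution the hunk promises is `%{uid}` ("Now let the code below expand %{uid}"), yet krb5.conf's default_ccache_name also accepts other tokens such as `%{euid}` or `%{username}`; if smb_krb5_config_cc_default_name hands back the profile string unexpanded, as that comment suggests, and the code below does not handle those tokens, every user would resolve to the same literal cache name, which breaks the per-user isolation of Kerberos credentials. The branch should refuse any `%{` token other than `%{uid}` before assigning `type`, as sketched below. Separately, both `DBG_ERR` calls print `k5ret` with `%d`; `error_message(k5ret)` with `%s` is the usual Samba form and gives an admin a readable reason. generate_krb5_ccache's body starts before this hunk and continues after it.
```c
	if (strequal(type, "DEFAULT")) {
		krb5_context krbctx = NULL;
		krb5_error_code k5ret;
		char *cc_default_name = NULL;
		const char *p = NULL;

		/* … unchanged: context init, smb_krb5_config_cc_default_name(), NULL check … */

		/*
		 * Only %{uid} is expanded below. Any other %{...} token would
		 * reach the path as a literal and give every user the same
		 * cache name, so reject it here.
		 */
		for (p = strstr(cc_default_name, "%{"); p != NULL;
		     p = strstr(p + 2, "%{")) {
			if (strncmp(p, "%{uid}", strlen("%{uid}")) != 0) {
				DBG_ERR("Unsupported pattern in "
					"default_ccache_name: %s\n",
					cc_default_name);
				return false;
			}
		}

		type = cc_default_name;

		/* … unchanged: "Now let the code below expand %{uid}" … */
```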