From: Günther Deschner Date: Sun, 20 Jul 2025 16:00:22 +0000 (+0200) Subject: s3-net: fix "net ads kerberos" krb5ccname handling X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=9ca7d637aae14c49fa82f3a7becf9b2c1c5f5bf8;p=thirdparty%2Fsamba.git s3-net: fix "net ads kerberos" krb5ccname handling We can only rely on KRB5CCNAME being set, --use-krb5-ccname content is not available. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840 Guenther Signed-off-by: Guenther Deschner Reviewed-by: Andreas Schneider Autobuild-User(master): Günther Deschner Autobuild-Date(master): Thu Jul 24 17:31:14 UTC 2025 on atb-devel-224 (cherry picked from commit 8a97afdae788e8d10a51035f8b287dc00293f90d) Autobuild-User(v4-21-test): Jule Anger Autobuild-Date(v4-21-test): Wed Aug 6 09:29:29 UTC 2025 on atb-devel-224
---
diff --git a/selftest/knownfail b/selftest/knownfail
index 802567c2404..a7a2e2b2251 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -343,7 +343,3 @@
 # We currently don't send referrals for LDAP modify of non-replicated attrs
 ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
-
-# net ads kerberos
-samba3.blackbox.net_ads_kerberos.*net_ads_kerberos_kinit.*
-samba3.blackbox.net_ads_kerberos.*net_ads_kerberos_renew.*
diff --git a/source3/utils/net.c b/source3/utils/net.c
index c432ebe991f..7ce93ced79e 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -1394,6 +1394,7 @@ static struct functable net_func[] = {
 cli_credentials_get_principal_obtained(c->creds);
 enum credentials_obtained password_obtained =
 cli_credentials_get_password_obtained(c->creds);
+ char *krb5ccname = NULL;
 if (principal_obtained == CRED_SPECIFIED) {
 c->explicit_credentials = true;
@@ -1410,6 +1411,20 @@ static struct functable net_func[] = {
 GENSEC_FEATURE_NTLM_CCACHE,
 CRED_SPECIFIED);
 }
+
+ /* cli_credentials_get_ccache_name_obtained() would not work
+ * here, we also cannot get the content of --use-krb5-ccache= so
+ * for now at least honour the KRB5CCNAME environment variable
+ * to get 'net ads kerberos' functions to work at all - gd */
+
+ krb5ccname = getenv("KRB5CCNAME");
+ if (krb5ccname == NULL) {
+ krb5ccname = talloc_strdup(c, "MEMORY:net");
+ }
+ if (krb5ccname == NULL) {
+ exit(1);
+ }
+ c->opt_krb5_ccache = krb5ccname;
 }
 c->msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE());
diff --git a/source3/utils/net.h b/source3/utils/net.h
index 8540a6db9d4..8a4218b529f 100644
--- a/source3/utils/net.h
+++ b/source3/utils/net.h
@@ -97,6 +97,7 @@ struct net_context {
 const char *opt_witness_new_ip;
 int opt_witness_new_node;
 const char *opt_witness_forced_response;
+ const char *opt_krb5_ccache;
 int opt_have_ip;
 struct sockaddr_storage opt_dest_ip;
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 163dcf3efd6..9ba7afe1e04 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -3030,7 +3030,7 @@ static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **
 return -1;
 }
- ret = smb_krb5_renew_ticket(NULL, NULL, NULL, NULL);
+ ret = smb_krb5_renew_ticket(c->opt_krb5_ccache, NULL, NULL, NULL);
 if (ret) {
 d_printf(_("failed to renew kerberos ticket: %s\n"),
 error_message(ret));
@@ -3085,7 +3085,7 @@ static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const ch
 0,
 NULL,
 NULL,
- NULL,
+ c->opt_krb5_ccache,
 true,
 true,
 2592000, /* one month */
@@ -3266,7 +3266,7 @@ static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **
 0,
 NULL,
 NULL,
- NULL,
+ c->opt_krb5_ccache,
 true,
 true,
 2592000, /* one month */
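Review bot: `c->opt_krb5_ccache` is assigned the raw pointer returned by `getenv("KRB5CCNAME")`, which points into the process environment and is only guaranteed valid until something calls setenv/putenv/unsetenv on that variable, whereas the fallback branch stores a talloc copy owned by `c`. Copying in both cases gives the field one lifetime and lets an empty value be treated as unset: `const char *env = getenv("KRB5CCNAME");` followed by `krb5ccname = talloc_strdup(c, (env != NULL && env[0] != '\0') ? env : "MEMORY:net");`. The `exit(1)` on allocation failure prints nothing, so a short message on stderr before it would make the failure diagnosable. The assignment sits inside a block whose opening condition is outside the hunk, so whether the field can remain NULL on other paths cannot be confirmed from here.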
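Review bot: When `KRB5CCNAME` is unset, the `smb_krb5_renew_ticket()` call in `net_ads_kerberos_renew` now receives the `"MEMORY:net"` fallback from net.c instead of `NULL`, and so do the `c->opt_krb5_ccache` arguments in the `net_ads_kerberos_pac_common` and `net_ads_kerberos_kinit` hunks. A memory ccache is private to the process and gone at exit, so renew presumably never finds a ticket to renew and kinit discards the TGT it obtained. If `NULL` previously selected the library's default ccache (the callees are not visible in this diff), that is a behaviour change for users who rely on a default from krb5.conf, and it should be stated. A comment at the renew call such as `/* opt_krb5_ccache is KRB5CCNAME or "MEMORY:net"; renew needs a persistent ccache */`, plus a selftest that runs renew and kinit with `KRB5CCNAME` unset, would pin down the intended behaviour. All three functions start and end outside their hunks.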