Tree - rpms/samba - CentOS Git server

rpms / samba

Blame SOURCES/samba-4.4.7-fix_ads_krb5_ccname_handling.patch

Blob History Raw

		6539dc	`From d29b108d879b4de27d235a1692e090c0993582df Mon Sep 17 00:00:00 2001`
		6539dc	`From: Stefan Metzmacher <metze@samba.org>`
		6539dc	`Date: Wed, 6 Jul 2016 12:48:11 +0200`
		6539dc	`Subject: [PATCH 1/2] libads: ensure the right ccache is used during gssapi`
		6539dc	`bind`
		6539dc
		6539dc	`When doing gssapi sasl bind:`
		6539dc	`1. Try working without kinit only if a password is not`
		6539dc	`provided`
		6539dc	`2. When using kinit, ensure the KRB5CCNAME env var is set`
		6539dc	`to a private memory ccache, so that the bind is on behalf`
		6539dc	`of the requested user.`
		6539dc
		6539dc	`BUG: https://bugzilla.samba.org/show_bug.cgi?id=12007`
		6539dc
		6539dc	`Signed-off-by: Stefan Metzmacher <metze@samba.org>`
		6539dc	`Reviewed-by: Uri Simchoni <uri@samba.org>`
		6539dc	`(cherry picked from commit 2672968851966e5c01e4fc4d906b45b5c047e655)`
		6539dc	`---`
		6539dc	`source3/libads/sasl.c \| 23 ++++++++++++++++-------`
		6539dc	`1 file changed, 16 insertions(+), 7 deletions(-)`
		6539dc
		6539dc	`diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c`
		6539dc	`index d76d872..6c054cd 100644`
		6539dc	`--- a/source3/libads/sasl.c`
		6539dc	`+++ b/source3/libads/sasl.c`
		6539dc	`@@ -26,6 +26,7 @@`
		6539dc	`#include "smb_krb5.h"`
		6539dc	`#include "system/gssapi.h"`
		6539dc	`#include "lib/param/loadparm.h"`
		6539dc	`+#include "krb5_env.h"`
		6539dc
		6539dc	`#ifdef HAVE_LDAP`
		6539dc
		6539dc	`@@ -1015,21 +1016,29 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)`
		6539dc	`{`
		6539dc	`ADS_STATUS status;`
		6539dc	`struct ads_service_principal p;`
		6539dc	`+ const char *ccache_name = "MEMORY:ads_sasl_gssapi_do_bind";`
		6539dc
		6539dc	`status = ads_generate_service_principal(ads, &p);`
		6539dc	`if (!ADS_ERR_OK(status)) {`
		6539dc	`return status;`
		6539dc	`}`
		6539dc
		6539dc	`- status = ads_sasl_gssapi_do_bind(ads, p.name);`
		6539dc	`- if (ADS_ERR_OK(status)) {`
		6539dc	`- ads_free_service_principal(&p);`
		6539dc	`- return status;`
		6539dc	`- }`
		6539dc	`+ if (ads->auth.password == NULL \|\|`
		6539dc	`+ ads->auth.password[0] == '\0') {`
		6539dc	`+ status = ads_sasl_gssapi_do_bind(ads, p.name);`
		6539dc	`+ if (ADS_ERR_OK(status)) {`
		6539dc	`+ ads_free_service_principal(&p);`
		6539dc	`+ return status;`
		6539dc	`+ }`
		6539dc
		6539dc	`- DEBUG(10,("ads_sasl_gssapi_do_bind failed with: %s, "`
		6539dc	`- "calling kinit\n", ads_errstr(status)));`
		6539dc	`+ DEBUG(10,("ads_sasl_gssapi_do_bind failed with: %s, "`
		6539dc	`+ "calling kinit\n", ads_errstr(status)));`
		6539dc	`+ }`
		6539dc
		6539dc	`+ if (ads->auth.ccache_name != NULL) {`
		6539dc	`+ ccache_name = ads->auth.ccache_name;`
		6539dc	`+ }`
		6539dc	`+ setenv(KRB5_ENV_CCNAME, ccache_name, 1);`
		6539dc	`status = ADS_ERROR_KRB5(ads_kinit_password(ads));`
		6539dc
		6539dc	`if (ADS_ERR_OK(status)) {`
		6539dc	`--`
		6539dc	`2.5.5`
		6539dc
		6539dc
		6539dc	`From 416ba773c332288e948871d8f649c0310a94f906 Mon Sep 17 00:00:00 2001`
		6539dc	`From: Stefan Metzmacher <metze@samba.org>`
		6539dc	`Date: Wed, 6 Jul 2016 12:44:11 +0200`
		6539dc	`Subject: [PATCH 2/2] libads: ensure the right ccache is used during spnego`
		6539dc	`bind`
		6539dc
		6539dc	`When doing spnego sasl bind:`
		6539dc	`1. Try working without kinit only if a password is not`
		6539dc	`provided`
		6539dc	`2. When using kinit, ensure the KRB5CCNAME env var is set`
		6539dc	`to a private memory ccache, so that the bind is on behalf`
		6539dc	`of the requested user.`
		6539dc
		6539dc	`BUG: https://bugzilla.samba.org/show_bug.cgi?id=12007`
		6539dc
		6539dc	`Signed-off-by: Stefan Metzmacher <metze@samba.org>`
		6539dc	`Reviewed-by: Uri Simchoni <uri@samba.org>`
		6539dc
		6539dc	`Autobuild-User(master): Stefan Metzmacher <metze@samba.org>`
		6539dc	`Autobuild-Date(master): Tue Jul 12 03:23:33 CEST 2016 on sn-devel-144`
		6539dc
		6539dc	`(cherry picked from commit a1743de74f09d5bf695f077f5127d02352a014e2)`
		6539dc	`---`
		6539dc	`source3/libads/sasl.c \| 29 ++++++++++++++++++++---------`
		6539dc	`1 file changed, 20 insertions(+), 9 deletions(-)`
		6539dc
		6539dc	`diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c`
		6539dc	`index 6c054cd..85a2eb0 100644`
		6539dc	`--- a/source3/libads/sasl.c`
		6539dc	`+++ b/source3/libads/sasl.c`
		6539dc	`@@ -749,18 +749,29 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)`
		6539dc	`if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&`
		6539dc	`got_kerberos_mechanism)`
		6539dc	`{`
		6539dc	`- status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",`
		6539dc	`- CRED_MUST_USE_KERBEROS,`
		6539dc	`- p.service, p.hostname,`
		6539dc	`- blob);`
		6539dc	`- if (ADS_ERR_OK(status)) {`
		6539dc	`- ads_free_service_principal(&p);`
		6539dc	`- goto done;`
		6539dc	`+ const char *ccache_name = "MEMORY:ads_sasl_spnego_bind";`
		6539dc	`+ if (ads->auth.ccache_name != NULL) {`
		6539dc	`+ ccache_name = ads->auth.ccache_name;`
		6539dc	`}`
		6539dc
		6539dc	`- DEBUG(10,("ads_sasl_spnego_gensec_bind(KRB5) failed with: %s, "`
		6539dc	`- "calling kinit\n", ads_errstr(status)));`
		6539dc	`+ if (ads->auth.password == NULL \|\|`
		6539dc	`+ ads->auth.password[0] == '\0')`
		6539dc	`+ {`
		6539dc	`+`
		6539dc	`+ status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",`
		6539dc	`+ CRED_MUST_USE_KERBEROS,`
		6539dc	`+ p.service, p.hostname,`
		6539dc	`+ blob);`
		6539dc	`+ if (ADS_ERR_OK(status)) {`
		6539dc	`+ ads_free_service_principal(&p);`
		6539dc	`+ goto done;`
		6539dc	`+ }`
		6539dc	`+`
		6539dc	`+ DEBUG(10,("ads_sasl_spnego_gensec_bind(KRB5) failed with: %s, "`
		6539dc	`+ "calling kinit\n", ads_errstr(status)));`
		6539dc	`+ }`
		6539dc
		6539dc	`+ setenv(KRB5_ENV_CCNAME, ccache_name, 1);`
		6539dc	`status = ADS_ERROR_KRB5(ads_kinit_password(ads));`
		6539dc
		6539dc	`if (ADS_ERR_OK(status)) {`
		6539dc	`--`
		6539dc	`2.5.5`
		6539dc

rpms / samba

Source Code

Blame SOURCES/samba-4.4.7-fix_ads_krb5_ccname_handling.patch