From 66668deb267d63f17c70aaea6f720a7c440bb71c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 10 Oct 2016 15:53:26 +0200
Subject: [PATCH 1/3] HEIMDAL:lib/krb5: destroy a memory ccache on reinit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
(cherry picked from commit 2abc3710a8a63327a769ba0482c553ed274b2113)
---
source4/heimdal/lib/krb5/mcache.c | 52 ++++++++++++++++++++++++++-------------
1 file changed, 35 insertions(+), 17 deletions(-)
diff --git a/source4/heimdal/lib/krb5/mcache.c b/source4/heimdal/lib/krb5/mcache.c
index e4b90c1..dc79b87 100644
--- a/source4/heimdal/lib/krb5/mcache.c
+++ b/source4/heimdal/lib/krb5/mcache.c
@@ -155,13 +155,47 @@ mcc_gen_new(krb5_context context, krb5_ccache *id)
return 0;
}
+static void KRB5_CALLCONV
+mcc_destroy_internal(krb5_context context,
+ krb5_mcache *m)
+{
+ struct link *l;
+
+ if (m->primary_principal != NULL) {
+ krb5_free_principal (context, m->primary_principal);
+ m->primary_principal = NULL;
+ }
+ m->dead = 1;
+
+ l = m->creds;
+ while (l != NULL) {
+ struct link *old;
+
+ krb5_free_cred_contents (context, &l->cred);
+ old = l;
+ l = l->next;
+ free (old);
+ }
+
+ m->creds = NULL;
+ return;
+}
+
static krb5_error_code KRB5_CALLCONV
mcc_initialize(krb5_context context,
krb5_ccache id,
krb5_principal primary_principal)
{
krb5_mcache *m = MCACHE(id);
+ /*
+ * It's important to destroy any existing
+ * creds here, that matches the baheviour
+ * of all other backends and also the
+ * MEMORY: backend in MIT.
+ */
+ mcc_destroy_internal(context, m);
m->dead = 0;
+ m->kdc_offset = 0;
m->mtime = time(NULL);
return krb5_copy_principal (context,
primary_principal,
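Review bot: The added call `mcc_destroy_internal(context, m);` in mcc_initialize frees every `struct link` in `m->creds` with no lock or reference-count check visible in this hunk, so a second handle or an open cursor on the same MEMORY: cache could be left pointing at freed credentials; whether that is reachable depends on code outside the hunk and should be confirmed. In mcc_destroy (last hunk of this patch) the same helper runs after `HEIMDAL_MUTEX_unlock(&mcc_mutex)`, inside a block whose condition is not shown, so the teardown is not covered by that mutex there either. At minimum the helper should state its contract, e.g. `/* Frees the principal and all creds; caller must guarantee nothing else is walking m->creds. */`. Separately, the new comment misspells "behaviour" as "baheviour", and the trailing `return;` in the void helper is redundant. mcc_initialize's body continues past the end of this hunk.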
@@ -195,7 +229,6 @@ mcc_destroy(krb5_context context,
krb5_ccache id)
{
krb5_mcache **n, *m = MCACHE(id);
- struct link *l;
if (m->refcnt == 0)
krb5_abortx(context, "mcc_destroy: refcnt already 0");
@@ -211,22 +244,7 @@ mcc_destroy(krb5_context context,
}
}
HEIMDAL_MUTEX_unlock(&mcc_mutex);
- if (m->primary_principal != NULL) {
- krb5_free_principal (context, m->primary_principal);
- m->primary_principal = NULL;
- }
- m->dead = 1;
-
- l = m->creds;
- while (l != NULL) {
- struct link *old;
-
- krb5_free_cred_contents (context, &l->cred);
- old = l;
- l = l->next;
- free (old);
- }
- m->creds = NULL;
+ mcc_destroy_internal(context, m);
}
return 0;
}
--
1.9.1
From 5484f6cb0d812d11234347f592dff1a15ef5ef50 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 10 Oct 2016 17:07:12 +0200
Subject: [PATCH 2/3] s3:libads: don't use MEMORY:ads_sasl_gssapi_do_bind nor
set "KRB5CCNAME"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Most callers just set "KRB5CCNAME", but leave ads->auth.ccache_name = NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
(cherry picked from commit 890b1bbdb8e965c4ff6e35214acc96ffbbff5dfd)
---
source3/libads/sasl.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 85a2eb0..4e4486f 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -1027,7 +1027,6 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)
{
ADS_STATUS status;
struct ads_service_principal p;
- const char *ccache_name = "MEMORY:ads_sasl_gssapi_do_bind";
status = ads_generate_service_principal(ads, &p);
if (!ADS_ERR_OK(status)) {
@@ -1046,10 +1045,6 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)
"calling kinit\n", ads_errstr(status)));
}
- if (ads->auth.ccache_name != NULL) {
- ccache_name = ads->auth.ccache_name;
- }
- setenv(KRB5_ENV_CCNAME, ccache_name, 1);
status = ADS_ERROR_KRB5(ads_kinit_password(ads));
if (ADS_ERR_OK(status)) {
--
1.9.1
From 012e763219f42071ced497fcc0ecd387789efd4f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 10 Oct 2016 17:07:12 +0200
Subject: [PATCH 3/3] s3:libads: don't use MEMORY:ads_sasl_spnego_bind nor set
"KRB5CCNAME"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Most callers just set "KRB5CCNAME", but leave ads->auth.ccache_name = NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Oct 13 00:35:21 CEST 2016 on sn-devel-144
(cherry picked from commit a5f895a53016af71db53967062728fec5bc307ca)
---
source3/libads/sasl.c | 6 ------
1 file changed, 6 deletions(-)
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 4e4486f..39c60c3 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -749,11 +749,6 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
got_kerberos_mechanism)
{
- const char *ccache_name = "MEMORY:ads_sasl_spnego_bind";
- if (ads->auth.ccache_name != NULL) {
- ccache_name = ads->auth.ccache_name;
- }
-
if (ads->auth.password == NULL ||
ads->auth.password[0] == '\0')
{
@@ -771,7 +766,6 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
"calling kinit\n", ads_errstr(status)));
}
- setenv(KRB5_ENV_CCNAME, ccache_name, 1);
status = ADS_ERROR_KRB5(ads_kinit_password(ads));
if (ADS_ERR_OK(status)) {
--
1.9.1