diff options
| author | Jeremy Allison <jra@samba.org> | 2012-08-21 14:08:24 -0700 |
|---|---|---|
| committer | Karolin Seeger <kseeger@samba.org> | 2012-08-23 20:21:28 +0200 |
| commit | 51c5f84d2496b5117a2fe6afc061594cf33b5fc1 (patch) | |
| tree | 8712c90dea45df251e50dfe665719ebce6814c4f | |
| parent | 36dc8a0f40a38d9c03570856cb4c843b74c1c7bd (diff) | |
| download | samba-51c5f84d2496b5117a2fe6afc061594cf33b5fc1.tar.gz | |
Fix bug #9098 - winbind does not refresh kerberos tickets.
Based on work from Ian Gordon <ian.gordon@strath.ac.uk>.
| -rw-r--r-- | source3/winbindd/winbindd_cred_cache.c | 30 | ||||
| -rw-r--r-- | source3/winbindd/winbindd_pam.c | 9 | ||||
| -rw-r--r-- | source3/winbindd/winbindd_proto.h | 1 |
3 files changed, 39 insertions, 1 deletions
diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c index e63e73221e2..ba4a7b27da0 100644 --- a/source3/winbindd/winbindd_cred_cache.c +++ b/source3/winbindd/winbindd_cred_cache.c @@ -484,6 +484,7 @@ NTSTATUS add_ccache_to_list(const char *princ_name, const char *ccname, const char *service, const char *username, + const char *pass, const char *realm, uid_t uid, time_t create_time, @@ -586,7 +587,20 @@ NTSTATUS add_ccache_to_list(const char *princ_name, DEBUG(10,("add_ccache_to_list: added krb5_ticket handler\n")); } - + + /* + * If we're set up to renew our krb5 tickets, we must + * cache the credentials in memory for the ticket + * renew function (or increase the reference count + * if we're logging in more than once). Fix inspired + * by patch from Ian Gordon <ian.gordon@strath.ac.uk> + * for bugid #9098. + */ + + ntret = winbindd_add_memory_creds(username, uid, pass); + DEBUG(10, ("winbindd_add_memory_creds returned: %s\n", + nt_errstr(ntret))); + return NT_STATUS_OK; } @@ -669,6 +683,20 @@ NTSTATUS add_ccache_to_list(const char *princ_name, "added ccache [%s] for user [%s] to the list\n", ccname, username)); + if (entry->event) { + /* + * If we're set up to renew our krb5 tickets, we must + * cache the credentials in memory for the ticket + * renew function. Fix inspired by patch from + * Ian Gordon <ian.gordon@strath.ac.uk> for + * bugid #9098. + */ + + ntret = winbindd_add_memory_creds(username, uid, pass); + DEBUG(10, ("winbindd_add_memory_creds returned: %s\n", + nt_errstr(ntret))); + } + return NT_STATUS_OK; no_mem: diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index c8910d6a437..4cc181a7eaf 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -656,6 +656,7 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain, cc, service, state->request->data.auth.user, + state->request->data.auth.pass, realm, uid, time(NULL), @@ -1034,6 +1035,7 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, cc, service, state->request->data.auth.user, + state->request->data.auth.pass, domain->alt_name, uid, time(NULL), @@ -2456,6 +2458,13 @@ enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain, goto process_result; } + /* + * Remove any mlock'ed memory creds in the child + * we might be using for krb5 ticket renewal. + */ + + winbindd_delete_memory_creds(state->request->data.logoff.user); + #else result = NT_STATUS_NOT_SUPPORTED; #endif diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h index 62fbc8ec76e..b7b64de4e71 100644 --- a/source3/winbindd/winbindd_proto.h +++ b/source3/winbindd/winbindd_proto.h @@ -216,6 +216,7 @@ NTSTATUS add_ccache_to_list(const char *princ_name, const char *ccname, const char *service, const char *username, + const char *password, const char *realm, uid_t uid, time_t create_time, |