authorUri Simchoni <urisimchoni@gmail.com>2015-05-09 22:59:17 +0300
committerJeremy Allison <jra@samba.org>2015-05-13 04:32:16 +0200
commit40eac8e4d8bc85f2329b8ed6c5ba96a141dc20a3 (patch)
treef16b2921506cebe76281469c16540f6570b9a309 /source3/libads
parent9efa61c8631e8c6088611df2c38add0d4ee7114b (diff)
libads: record service ticket endtime for sealed ldap connections
When a ticket is obtained for binding a signed/sealed ldap connection, its lifetime should be recorded in the ads struct, in order to enable reuse of the connection. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11267 Signed-off-by: Uri Simchoni <urisimchoni@gmail.com> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Böhme <rb@sernet.de> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Wed May 13 04:32:16 CEST 2015 on sn-devel-104
Diffstat (limited to 'source3/libads')
-rw-r--r--source3/libads/sasl.c23
1 files changed, 23 insertions, 0 deletions
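diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index ce3740f2d62..db7335ec81e 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -458,6 +458,8 @@ static ADS_STATUS ads_sasl_spnego_gsskrb5_bind(ADS_STRUCT *ads, const gss_name_t
 DATA_BLOB unwrapped;
 DATA_BLOB wrapped;
 struct berval cred, *scred = NULL;
+ uint32_t context_validity = 0;
+ time_t context_endtime = 0;
 status = ads_init_gssapi_cred(ads, &gss_cred);
 if (!ADS_ERR_OK(status)) {
@@ -652,6 +654,26 @@ static ADS_STATUS ads_sasl_spnego_gsskrb5_bind(ADS_STRUCT *ads, const gss_name_t
 goto failed;
 }
+ gss_rc =
+ gss_context_time(&minor_status, context_handle, &context_validity);
+ if (gss_rc == GSS_S_COMPLETE) {
+ if (context_validity != 0) {
+ context_endtime = time(NULL) + context_validity;
+ DEBUG(10, ("context (service ticket) valid for "
+ "%u seconds\n",
+ context_validity));
+ } else {
+ DEBUG(10, ("context (service ticket) expired\n"));
+ }
+ } else {
+ DEBUG(1, ("gss_context_time failed (%d,%u) -"
+ " this will be a one-time context\n",
+ gss_rc, minor_status));
+ if (gss_rc == GSS_S_CONTEXT_EXPIRED) {
+ DEBUG(10, ("context (service ticket) expired\n"));
+ }
+ }
+
 if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
 uint32_t max_msg_size = ADS_SASL_WRAPPING_OUT_MAX_WRAPPED;
@@ -677,6 +699,7 @@ static ADS_STATUS ads_sasl_spnego_gsskrb5_bind(ADS_STRUCT *ads, const gss_name_t
 context_handle = GSS_C_NO_CONTEXT;
 }
+ ads->auth.tgs_expire = context_endtime;
 status = ADS_SUCCESS;
 failed: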
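Review bot: `context_endtime = time(NULL) + context_validity;` in the second hunk has no guard for gss_context_time reporting GSS_C_INDEFINITE (0xffffffff), which some GSS-API implementations appear to return for a context with no expiry; with a 32-bit time_t the addition wraps and ads->auth.tgs_expire is then a meaningless, possibly already-past, deadline, so the connection reuse this commit enables would be decided on a bogus value. Treating that case like the failure path — `if (context_validity != 0 && context_validity != GSS_C_INDEFINITE) {` — leaves context_endtime at 0 (the one-time-context value) and sidesteps the overflow; clamping to a far-future time_t is the other option if indefinite contexts should be reusable. The recorded deadline is absolute local wall-clock time, which is worth stating on the new assignment in the third hunk, e.g. `/* local time at which the GSS context (service ticket) expires; 0 = do not reuse */`, since whoever later compares against tgs_expire must use the same clock. On the failure path, gss_rc is an OM_uint32 but is printed with `%d`; `%u` matches the type (minor_status is already printed that way). ads_sasl_spnego_gsskrb5_bind starts before the first hunk and its cleanup after `failed:` lies outside the last one.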