The branch, v3-5-test has been updated
       via  51c5f84 Fix bug #9098 - winbind does not refresh kerberos tickets.
      from  36dc8a0 Fix bug #9104 - winbindd can mis-identify idle clients - 
can cause crashes and NDR parsing errors.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test


- Log -----------------------------------------------------------------
commit 51c5f84d2496b5117a2fe6afc061594cf33b5fc1
Author: Jeremy Allison <j...@samba.org>
Date:   Tue Aug 21 14:08:24 2012 -0700

    Fix bug #9098 - winbind does not refresh kerberos tickets.
    
    Based on work from Ian Gordon <ian.gor...@strath.ac.uk>.

-----------------------------------------------------------------------

Summary of changes:
 source3/winbindd/winbindd_cred_cache.c |   30 +++++++++++++++++++++++++++++-
 source3/winbindd/winbindd_pam.c        |    9 +++++++++
 source3/winbindd/winbindd_proto.h      |    1 +
 3 files changed, 39 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/winbindd/winbindd_cred_cache.c 
b/source3/winbindd/winbindd_cred_cache.c
index e63e732..ba4a7b2 100644
--- a/source3/winbindd/winbindd_cred_cache.c
+++ b/source3/winbindd/winbindd_cred_cache.c
@@ -484,6 +484,7 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
                            const char *ccname,
                            const char *service,
                            const char *username,
+                           const char *pass,
                            const char *realm,
                            uid_t uid,
                            time_t create_time,
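Review bot: The new parameter is named `pass` in this definition but `password` in the prototype this commit adds to winbindd_proto.h, so the declaration and the definition no longer match by name. Using one name in both places would avoid that. The argument is the plaintext password that the later hunks hand to winbindd_add_memory_creds(), so a short comment above the function should say that and state whether NULL is accepted. The signature and body of add_ccache_to_list continue outside this hunk.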
@@ -586,7 +587,20 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
 
                        DEBUG(10,("add_ccache_to_list: added krb5_ticket 
handler\n"));
                }
-                
+
+               /*
+                * If we're set up to renew our krb5 tickets, we must
+                * cache the credentials in memory for the ticket
+                * renew function (or increase the reference count
+                * if we're logging in more than once). Fix inspired
+                * by patch from Ian Gordon <ian.gor...@strath.ac.uk>
+                * for bugid #9098.
+                */
+
+               ntret = winbindd_add_memory_creds(username, uid, pass);
+               DEBUG(10, ("winbindd_add_memory_creds returned: %s\n",
+                       nt_errstr(ntret)));
+
                return NT_STATUS_OK;
        }
 
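Review bot: The result of winbindd_add_memory_creds() is only printed at debug level 10 before the function returns NT_STATUS_OK, so a failure to cache the credentials does not show in normal logs. The ticket renewal this is meant to enable would then presumably fail later with no earlier trace. The hunk at -669 repeats the same pattern. If the login should still succeed, logging the failure at a visible level would be enough: `if (!NT_STATUS_IS_OK(ntret)) { DEBUG(1, ("add_ccache_to_list: could not cache credentials for ticket renewal: %s\n", nt_errstr(ntret))); }`. The enclosing block begins above this hunk, so whether this call is reached only when ticket refresh is configured cannot be confirmed from here.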
@@ -669,6 +683,20 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
                "added ccache [%s] for user [%s] to the list\n",
                ccname, username));
 
+       if (entry->event) {
+               /*
+                * If we're set up to renew our krb5 tickets, we must
+                * cache the credentials in memory for the ticket
+                * renew function. Fix inspired by patch from
+                * Ian Gordon <ian.gor...@strath.ac.uk> for
+                * bugid #9098.
+                */
+
+               ntret = winbindd_add_memory_creds(username, uid, pass);
+               DEBUG(10, ("winbindd_add_memory_creds returned: %s\n",
+                       nt_errstr(ntret)));
+       }
+
        return NT_STATUS_OK;
 
  no_mem:
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index c8910d6..4cc181a 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -656,6 +656,7 @@ static NTSTATUS winbindd_raw_kerberos_login(struct 
winbindd_domain *domain,
                                            cc,
                                            service,
                                            state->request->data.auth.user,
+                                           state->request->data.auth.pass,
                                            realm,
                                            uid,
                                            time(NULL),
@@ -1034,6 +1035,7 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct 
winbindd_domain *domain,
                                                            cc,
                                                            service,
                                                            
state->request->data.auth.user,
+                                                           
state->request->data.auth.pass,
                                                            domain->alt_name,
                                                            uid,
                                                            time(NULL),
@@ -2456,6 +2458,13 @@ enum winbindd_result winbindd_dual_pam_logoff(struct 
winbindd_domain *domain,
                goto process_result;
        }
 
+       /*
+        * Remove any mlock'ed memory creds in the child
+        * we might be using for krb5 ticket renewal.
+        */
+
+       winbindd_delete_memory_creds(state->request->data.logoff.user);
+
 #else
        result = NT_STATUS_NOT_SUPPORTED;
 #endif
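Review bot: The call to winbindd_delete_memory_creds() is placed after an error branch that jumps to process_result, so when that earlier step fails the cached password apparently stays in the child's mlock'ed memory after the logoff request. Whether the credentials should also be released on that failure path depends on code above the hunk and deserves a look, since the intent is to bound how long the plaintext password is held. The call's result, if it returns one, is discarded. Because the add path counts references for repeated logins, a debug line such as `DEBUG(10, ("winbindd_delete_memory_creds failed for user %s\n", state->request->data.logoff.user));` on failure would help diagnose entries that are never freed.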
diff --git a/source3/winbindd/winbindd_proto.h 
b/source3/winbindd/winbindd_proto.h
index 62fbc8e..b7b64de 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -216,6 +216,7 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
                            const char *ccname,
                            const char *service,
                            const char *username,
+                           const char *password,
                            const char *realm,
                            uid_t uid,
                            time_t create_time,


-- 
Samba Shared Repository
