1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-11 05:18:09 +03:00

s3:winbindd: don't use ads_kdestroy(NULL) in winbindd_raw_kerberos_login()

This fixes a problem introduced in the commit:

commit e6c693b705
Author: Stefan Metzmacher <metze@samba.org>
Date:   Wed Feb 28 17:28:43 2024 +0100

    s3:winbindd: pass a NULL ccache to kerberos_return_pac() for a MEMORY ccache

    It means kerberos_return_pac() will use smb_krb5_cc_new_unique_memory().

    ...

Before that commit cc was never NULL as generate_krb5_ccache()
returned "MEMORY:winbindd_pam_ccache" as fallback.

So we called ads_kdestroy("MEMORY:winbindd_pam_ccache").

Now we have cc == NULL if user_ccache_file == NULL.

and kerberos_return_pac() uses smb_krb5_cc_new_unique_memory()
and krb5_cc_destroy() internally.

It means unless user_ccache_file != NULL we should not
call ads_kdestroy(cc) as cc is NULL and means we would destroy
any global default krb5 ccache.

Review with: git show -U25

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This commit is contained in:
Stefan Metzmacher 2024-05-14 09:02:07 +02:00
parent 712ffbffc0
commit 4959f93227

View File

@ -739,7 +739,6 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
{
#ifdef HAVE_KRB5
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
krb5_error_code krb5_ret;
const char *cc = NULL;
const char *principal_s = NULL;
char *realm = NULL;
@ -851,6 +850,11 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid));
}
/*
* Note cc can be NULL, it means
* kerberos_return_pac() will use
* a temporary krb5 ccache internally.
*/
result = kerberos_return_pac(mem_ctx,
principal_s,
pass,
@ -939,18 +943,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
nt_errstr(result)));
}
} else {
/* need to delete the memory cred cache, it is not used anymore */
krb5_ret = ads_kdestroy(cc);
if (krb5_ret) {
DEBUG(3,("winbindd_raw_kerberos_login: "
"could not destroy krb5 credential cache: "
"%s\n", error_message(krb5_ret)));
}
}
*info6 = info6_copy;
return NT_STATUS_OK;
@ -969,13 +963,6 @@ failed:
* local host and therefore didn't get the PAC, we need to remove that
* cache entirely now */
krb5_ret = ads_kdestroy(cc);
if (krb5_ret) {
DEBUG(3,("winbindd_raw_kerberos_login: "
"could not destroy krb5 credential cache: "
"%s\n", error_message(krb5_ret)));
}
if (!NT_STATUS_IS_OK(remove_ccache(user))) {
DEBUG(3,("winbindd_raw_kerberos_login: "
"could not remove ccache for user %s\n",