mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
s4-librpc: use cli_credentials_failed_kerberos_login to cope with stale tickets
This allows our RPC client code to cope with a Kerberos server changing its password while we have a valid service ticket.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
parent
fce66b22ea
commit
ed2e69fe91
@ -30,6 +30,7 @@
|
||||
#include "librpc/gen_ndr/ndr_misc.h"
|
||||
#include "librpc/rpc/dcerpc_proto.h"
|
||||
#include "auth/credentials/credentials.h"
|
||||
#include "auth/gensec/gensec.h"
|
||||
#include "param/param.h"
|
||||
#include "librpc/rpc/rpc_common.h"
|
||||
|
||||
@ -335,6 +336,7 @@ struct pipe_auth_state {
|
||||
const struct ndr_interface_table *table;
|
||||
struct loadparm_context *lp_ctx;
|
||||
struct cli_credentials *credentials;
|
||||
unsigned int logon_retries;
|
||||
};
|
||||
|
||||
|
||||
@ -395,7 +397,19 @@ static void continue_auth_auto(struct composite_context *ctx)
|
||||
composite_continue(c, sec_conn_req, continue_ntlmssp_connection, c);
|
||||
return;
|
||||
} else if (NT_STATUS_EQUAL(c->status, NT_STATUS_LOGON_FAILURE)) {
|
||||
if (cli_credentials_wrong_password(s->credentials)) {
|
||||
const char *principal;
|
||||
|
||||
principal = gensec_get_target_principal(s->pipe->conn->security_state.generic_state);
|
||||
if (principal == NULL) {
|
||||
const char *hostname = gensec_get_target_hostname(s->pipe->conn->security_state.generic_state);
|
||||
const char *service = gensec_get_target_service(s->pipe->conn->security_state.generic_state);
|
||||
if (hostname != NULL && service != NULL) {
|
||||
principal = talloc_asprintf(c, "%s/%s", service, hostname);
|
||||
}
|
||||
}
|
||||
|
||||
if (cli_credentials_failed_kerberos_login(s->credentials, principal, &s->logon_retries) ||
|
||||
cli_credentials_wrong_password(s->credentials)) {
|
||||
/*
|
||||
* Retry SPNEGO with a better password
|
||||
* send a request for secondary rpc connection
|
||||
|
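Review bot: `principal` can still be NULL when it reaches `cli_credentials_failed_kerberos_login()` in the last hunk, because the fallback only builds a name when both `hostname` and `service` are non-NULL and the `talloc_asprintf()` result is not checked. Whether the callee tolerates a NULL principal is not visible on this page, so I would guard the call: `if ((principal != NULL && cli_credentials_failed_kerberos_login(s->credentials, principal, &s->logon_retries)) ||`. The retry bound also depends on the new `logon_retries` field starting at zero, which relies on how `struct pipe_auth_state` is allocated; that allocation is outside the hunks shown and is worth confirming. `continue_auth_auto` starts and ends outside the hunk.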