This reconnect is only useful for long-running connections (e.g. in winbindd)
and there we'll make use of it...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
In future ads_connect_creds() will be used by callers directly instead
of using ads_connect().
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
There's no reason to pass the LDAP server's time to the kerberos
libraries, as we may talk to a KDC different than the LDAP server!
Also Heimdal handles AS-REQ with KRB5KRB_AP_ERR_SKEW fine and
retries with the time from the krb-error.
MIT records the time from the KDC_ERR_PREAUTH_REQUIRED response
in order to use the KDC's time.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
The lifetime of a service ticket is never longer than
the lifetime of the TGT...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
There's really no need to get a renewable ticket for an ldap connection,
we currently always do a kinit for each connection anyway.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
For now we still do the ads_kinit_password() in ads_legacy_creds()
for callers that rely on the global krb5ccache to be filled.
E.g. the dns update code and the kpasswd code.
But at least ads_connect_internal() and ads_sasl_spnego_bind()
will allow to do the kinit in the gensec layer only if needed...
We'll remove ads_legacy_creds() during the following commits.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This makes it easier to adjust the expected output when it changes in
the next commits.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
That's better than using !ADS_AUTH_NO_BIND. And it allows callers
to be more flexible in future.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
We should only operate on the creds structure and
avoid using ads->auth.{user_name,realm}.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
In future we'll pass in creds from the caller, so we better
restore the original krb5_state at the end of ads_sasl_spnego_bind().
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
We should only operate on the creds structure and avoid ads->auth.flags
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This is just a temporary change until the high-level caller
will pass in a cli_credentials structure and we'll get rid of
ads->auth.{user_name,realm,password}.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This means we may call kinit multiple times for now,
but we'll remove the kinit from the callers soon.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This happened implicitly as the gse_krb5 module always used the default
krb5 ccache, but that will change soon.
If kerberos is requested without a fallback to ntlm AND
the caller doesn't provide a password we'll use the
default ccache. This will keep the following tests
happy once the gse_krb5 module changes the behavior:
samba3.blackbox.krbsmbspool
samba3.blackbox.smbget
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Before this silently happened because the gse_krb5 module just used the
default ccache, but that will change soon.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This test is useless and won't work anymore in future.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This should not happen, if we ever need that behaviour
we should add an ads_kdestroy_default() helper.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This fixes a problem introduced in the commit:
    commit e6c693b705
    Author: Stefan Metzmacher <metze@samba.org>
    Date: Wed Feb 28 17:28:43 2024 +0100
    s3:winbindd: pass a NULL ccache to kerberos_return_pac() for a MEMORY ccache
    It means kerberos_return_pac() will use smb_krb5_cc_new_unique_memory().
    ...
Before that commit cc was never NULL as generate_krb5_ccache()
returned "MEMORY:winbindd_pam_ccache" as fallback.
So we called ads_kdestroy("MEMORY:winbindd_pam_ccache").
Now we have cc == NULL if user_ccache_file == NULL
and kerberos_return_pac() uses smb_krb5_cc_new_unique_memory()
and krb5_cc_destroy() internally.
It means unless user_ccache_file != NULL we should not
call ads_kdestroy(cc) as cc is NULL and means we would destroy
any global default krb5 ccache.
Review with: git show -U25
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>