mirror of
https://github.com/samba-team/samba.git
synced 2025-02-26 21:57:41 +03:00
0996b58e7f
This avoids the usage of the ccselect_realm logic in MIT krb5, which leads to unpredictable results. The problem is the usage of gss_acquire_cred(), that just creates a credential handle without ccache. As result gss_init_sec_context() will trigger a code path where it use "ccselect" plugins. And the ccselect_realm module just chooses a random ccache from a global list where the realm of the provides target principal matches the realm of the ccache user principal. In the winbindd case we're using MEMORY:cliconnect to setup the smb connection to the DC. For ldap connections we use MEMORY:winbind_ccache. The typical case is that we do the smb connection first. If we try to create a new ldap connection, while the credentials in MEMORY:cliconnect are expired, we'll do the required kinit into MEMORY:winbind_ccache, but the ccselect_realm module will select MEMORY:cliconnect and tries to get a service ticket for the ldap server using the already expired TGT from MEMORY:cliconnect. The solution will be to use gss_krb5_import_cred() and explicitly pass the desired ccache, which avoids the ccselect logic. We could also use gss_acquire_cred_from(), but that's only available in modern MIT krb5 versions, while gss_krb5_import_cred() is available in heimdal and all supported MIT versions (>=1.9). As far as I can see both call the same internal function in MIT (at least for the ccache case). BUG: https://bugzilla.samba.org/show_bug.cgi?id=12480 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> (cherry picked from commit 7c3ea9fe96336483752adb821f8062a883d52998) Autobuild-User(v4-5-test): Stefan Metzmacher <metze@samba.org> Autobuild-Date(v4-5-test): Wed Jan 11 21:46:58 CET 2017 on sn-devel-144