From: Jeremy Allison
Date: Tue, 21 Aug 2012 21:08:24 +0000 (-0700)
Subject: Fix bug #9098 - winbind does not refresh kerberos tickets.
X-Git-Tag: samba-3.5.18~9
X-Git-Url: http://git.samba.org/?p=samba.git;a=commitdiff_plain;h=805992fc98a2cacf9d5e5d02f49dc0866f5a2083
Fix bug #9098 - winbind does not refresh kerberos tickets.
Based on work from Ian Gordon .
(cherry picked from commit 51c5f84d2496b5117a2fe6afc061594cf33b5fc1)
---
diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c
index e63e73221e2..ba4a7b27da0 100644
--- a/source3/winbindd/winbindd_cred_cache.c
+++ b/source3/winbindd/winbindd_cred_cache.c
@@ -484,6 +484,7 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
 const char *ccname,
 const char *service,
 const char *username,
+ const char *pass,
 const char *realm,
 uid_t uid,
 time_t create_time,
@@ -586,7 +587,20 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
 DEBUG(10,("add_ccache_to_list: added krb5_ticket handler\n"));
 }
-
+
+ /*
+ * If we're set up to renew our krb5 tickets, we must
+ * cache the credentials in memory for the ticket
+ * renew function (or increase the reference count
+ * if we're logging in more than once). Fix inspired
+ * by patch from Ian Gordon
+ * for bugid #9098.
+ */
+
+ ntret = winbindd_add_memory_creds(username, uid, pass);
+ DEBUG(10, ("winbindd_add_memory_creds returned: %s\n",
+ nt_errstr(ntret)));
+
 return NT_STATUS_OK;
 }
@@ -669,6 +683,20 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
 "added ccache [%s] for user [%s] to the list\n",
 ccname, username));
+ if (entry->event) {
+ /*
+ * If we're set up to renew our krb5 tickets, we must
+ * cache the credentials in memory for the ticket
+ * renew function. Fix inspired by patch from
+ * Ian Gordon for
+ * bugid #9098.
+ */
+
+ ntret = winbindd_add_memory_creds(username, uid, pass);
+ DEBUG(10, ("winbindd_add_memory_creds returned: %s\n",
+ nt_errstr(ntret)));
+ }
+
 return NT_STATUS_OK;
 no_mem:
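Review bot: In the `@@ -586,7 +587,20 @@` hunk of winbindd_cred_cache.c, the status from `winbindd_add_memory_creds(username, uid, pass)` is only printed at debug level 10 and the function still returns `NT_STATUS_OK`. If caching the password fails, ticket renewal stays broken (the symptom of bug #9098) with nothing in a normal log. The `@@ -669,6 +683,20 @@` hunk has the same pattern. Keeping the best-effort return is reasonable, but a failure should be logged at a level operators see, e.g. `if (!NT_STATUS_IS_OK(ntret)) { DEBUG(1, ("add_ccache_to_list: winbindd_add_memory_creds failed: %s\n", nt_errstr(ntret))); }`. The body of add_ccache_to_list starts and ends outside both hunks.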
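Review bot: The `if (entry->event)` guard in the `@@ -669,6 +683,20 @@` hunk caches the password only when a renewal event was scheduled, but the `@@ -586,7 +587,20 @@` hunk makes the same call with no guard visible in the hunk. Both comments open with "If we're set up to renew our krb5 tickets", so the two paths read as if they should share one condition. This call keeps the user's plaintext password resident in the daemon, so the condition under which that happens should be explicit on both paths. If the earlier call already sits inside an equivalent check outside the hunk, add a comment there such as `/* entry->event was checked above: renewal is active for this entry */`; otherwise wrap it in the same `if (entry->event) { ... }`.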
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index c8910d6a437..4cc181a7eaf 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -656,6 +656,7 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
 cc,
 service,
 state->request->data.auth.user,
+ state->request->data.auth.pass,
 realm,
 uid,
 time(NULL),
@@ -1034,6 +1035,7 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
 cc,
 service,
 state->request->data.auth.user,
+ state->request->data.auth.pass,
 domain->alt_name,
 uid,
 time(NULL),
@@ -2456,6 +2458,13 @@ enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
 goto process_result;
 }
+ /*
+ * Remove any mlock'ed memory creds in the child
+ * we might be using for krb5 ticket renewal.
+ */
+
+ winbindd_delete_memory_creds(state->request->data.logoff.user);
+
 #else
 result = NT_STATUS_NOT_SUPPORTED;
 #endif
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index 62fbc8ec76e..b7b64de4e71 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -216,6 +216,7 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
 const char *ccname,
 const char *service,
 const char *username,
+ const char *password,
 const char *realm,
 uid_t uid,
 time_t create_time,
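Review bot: In the `@@ -2456,6 +2458,13 @@` hunk of winbindd_pam.c, the new `winbindd_delete_memory_creds(...)` call sits after a block that ends in `goto process_result;`. When that preceding step fails, the jump appears to skip the deletion, leaving the cached password in locked memory after the user has logged off. The call's result is also neither checked nor logged, unlike the add calls in winbindd_cred_cache.c. I would place `winbindd_delete_memory_creds(state->request->data.logoff.user);` ahead of the step that can fail, so the secret is released on every logoff path, and log a non-OK result if the function returns a status. The code before the `goto` and the `process_result` label are outside the hunk, so this should be confirmed against the full function.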
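Review bot: The prototype in winbindd_proto.h names the new parameter `password`, while the definition in winbindd_cred_cache.c names it `pass`; use one name in both, e.g. `const char *pass,` here. add_ccache_to_list now receives a plaintext secret, so the declaration is also the place to state the contract, with a comment such as `/* pass: plaintext password, kept in memory for krb5 ticket renewal until winbindd_delete_memory_creds() is called at logoff */`. The rest of the prototype is outside the hunk.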