From ed2e69fe91fee642392803a17d42d64adc36e41d Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 31 Oct 2012 18:44:23 +1100 Subject: [PATCH] s4-librpc: use cli_credentials_failed_kerberos_login to cope with stale tickets This allows our RPC client code to cope with a kerberos server changing password while we have a valid service ticket Pair-Programmed-With: Andrew Bartlett --- source4/librpc/rpc/dcerpc_util.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c index 1217e3460773..15847efa9df0 100644 --- a/source4/librpc/rpc/dcerpc_util.c +++ b/source4/librpc/rpc/dcerpc_util.c @@ -30,6 +30,7 @@ #include "librpc/gen_ndr/ndr_misc.h" #include "librpc/rpc/dcerpc_proto.h" #include "auth/credentials/credentials.h" +#include "auth/gensec/gensec.h" #include "param/param.h" #include "librpc/rpc/rpc_common.h" @@ -335,6 +336,7 @@ struct pipe_auth_state { const struct ndr_interface_table *table; struct loadparm_context *lp_ctx; struct cli_credentials *credentials; + unsigned int logon_retries; }; @@ -395,7 +397,19 @@ static void continue_auth_auto(struct composite_context *ctx) composite_continue(c, sec_conn_req, continue_ntlmssp_connection, c); return; } else if (NT_STATUS_EQUAL(c->status, NT_STATUS_LOGON_FAILURE)) { - if (cli_credentials_wrong_password(s->credentials)) { + const char *principal; + + principal = gensec_get_target_principal(s->pipe->conn->security_state.generic_state); + if (principal == NULL) { + const char *hostname = gensec_get_target_hostname(s->pipe->conn->security_state.generic_state); + const char *service = gensec_get_target_service(s->pipe->conn->security_state.generic_state); + if (hostname != NULL && service != NULL) { + principal = talloc_asprintf(c, "%s/%s", service, hostname); + } + } + + if (cli_credentials_failed_kerberos_login(s->credentials, principal, &s->logon_retries) || + cli_credentials_wrong_password(s->credentials)) { /* * Retry SPNEGO with a better password * send a request for secondary rpc connection -- 2.34.1