s3:smbspool: Fallback to default ccache if KRB5CCNAME is not set
authorAndreas Schneider <asn@samba.org>
Thu, 16 May 2019 15:40:43 +0000 (17:40 +0200)
committerAndreas Schneider <asn@cryptomilk.org>
Thu, 23 May 2019 09:41:17 +0000 (09:41 +0000)
This could also support the new KCM credential cache storage.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
source3/client/smbspool_krb5_wrapper.c
source3/wscript_build

index 3266b90ec1a348e298502ee6d722b22fcebe3a6f..bff1df417e831ef698851b32b87dca276dba8f61 100644 (file)
@@ -21,6 +21,7 @@
 
 #include "includes.h"
 #include "system/filesys.h"
+#include "system/kerberos.h"
 #include "system/passwd.h"
 
 #include <errno.h>
@@ -68,6 +69,50 @@ static void cups_smb_debug(enum cups_smb_dbglvl_e lvl, const char *format, ...)
                buffer);
 }
 
+static bool kerberos_get_default_ccache(char *ccache_buf, size_t len)
+{
+       krb5_context ctx;
+       const char *ccache_name = NULL;
+       char *full_ccache_name = NULL;
+       krb5_ccache ccache = NULL;
+       krb5_error_code code;
+
+       code = krb5_init_context(&ctx);
+       if (code != 0) {
+               return false;
+       }
+
+       ccache_name = krb5_cc_default_name(ctx);
+       if (ccache_name == NULL) {
+               krb5_free_context(ctx);
+               return false;
+       }
+
+       code = krb5_cc_resolve(ctx, ccache_name, &ccache);
+       if (code != 0) {
+               krb5_free_context(ctx);
+               return false;
+       }
+
+       code = krb5_cc_get_full_name(ctx, ccache, &full_ccache_name);
+       krb5_cc_close(ctx, ccache);
+       if (code != 0) {
+               krb5_free_context(ctx);
+               return false;
+       }
+
+       snprintf(ccache_buf, len, "%s", full_ccache_name);
+
+#ifdef SAMBA4_USES_HEIMDAL
+       free(full_ccache_name);
+#else
+       krb5_free_string(ctx, full_ccache_name);
+#endif
+       krb5_free_context(ctx);
+
+       return true;
+}
+
 /*
  * This is a helper binary to execute smbspool.
  *
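Review bot: The `snprintf()` into `ccache_buf` near the end of `kerberos_get_default_ccache()` discards its return value, so a full ccache name longer than `len` is silently truncated and the function still returns true. The only caller visible here passes a `PATH_MAX` buffer, but the helper accepts any `len`, and a truncated name would make `main()` use a cache other than the one that was resolved. I would capture the result with `int n = snprintf(ccache_buf, len, "%s", full_ccache_name);` and, after the frees, end with `return n >= 0 && (size_t)n < len;`. The function also has no comment; a short one could state that it returns the fully qualified default ccache name (type prefix included), that it only resolves the name, and that it does not check whether the cache exists or holds credentials.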
@@ -84,7 +129,6 @@ int main(int argc, char *argv[])
        struct passwd *pwd;
        struct group *g = NULL;
        char gen_cc[PATH_MAX] = {0};
-       struct stat sb;
        char *env = NULL;
        char auth_info_required[256] = {0};
        char device_uri[4096] = {0};
@@ -92,6 +136,7 @@ int main(int argc, char *argv[])
        gid_t gid = (gid_t)-1;
        gid_t groups[1] = { (gid_t)-1 };
        unsigned long tmp;
+       bool ok;
        int cmp;
        int rc;
 
@@ -225,32 +270,16 @@ int main(int argc, char *argv[])
                goto create_env;
        }
 
-       CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)");
-
-       snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%u", uid);
-
-       rc = lstat(gen_cc, &sb);
-       if (rc == 0) {
-               snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid);
-       } else {
-               snprintf(gen_cc, sizeof(gen_cc), "/run/user/%u/krb5cc", uid);
-
-               rc = lstat(gen_cc, &sb);
-               if (rc == 0 && S_ISDIR(sb.st_mode)) {
-                       snprintf(gen_cc,
-                                sizeof(gen_cc),
-                                "DIR:/run/user/%d/krb5cc",
-                                uid);
-               } else {
-#if defined(__linux__)
-                       snprintf(gen_cc,
-                                sizeof(gen_cc),
-                                "KEYRING:persistent:%d",
-                                uid);
-#endif
-               }
+       ok = kerberos_get_default_ccache(gen_cc, sizeof(gen_cc));
+       if (ok) {
+               CUPS_SMB_DEBUG("Use default KRB5CCNAME [%s]",
+                              gen_cc);
+               goto create_env;
        }
 
+       /* Fallback to a FILE ccache */
+       snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid);
+
 create_env:
        /*
         * Make sure we do not have LD_PRELOAD or other security relevant
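Review bot: The fallback `snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid);` is now unconditional, whereas the removed code selected that path only after `lstat()` succeeded. That leaves a predictable name in a world-writable directory being handed on without any check that the file exists, is a regular file, or is owned by `uid`. Whether the Kerberos library later rejects a file with the wrong owner depends on the implementation, so an explicit `lstat()` check on `st_uid` and `S_ISREG(sb.st_mode)` before accepting the path would be the safer default. The fallback branch also logs nothing, so adding `CUPS_SMB_DEBUG("Falling back to FILE ccache [%s]", gen_cc);` would let the log show which source the name came from. `main()` starts and ends outside this hunk, so whether privileges have already been dropped to `uid` when `kerberos_get_default_ccache()` runs cannot be confirmed from here and should be checked.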
index 3a19fd3517cda3cc626873e324f36ff4ed56d7f7..7c8c98c5d9d8f147ec296ec62d6dac55d16ae207 100644 (file)
@@ -1134,6 +1134,7 @@ bld.SAMBA3_BINARY('smbspool_krb5_wrapper',
                  deps='''
                       DYNCONFIG
                       cups
+                      krb5
                       ''',
                  install_path='${LIBEXECDIR}/samba',
                  enabled=bld.CONFIG_SET('HAVE_CUPS'))