auth/credentials: 'workgroup' set via command line will not drop existing ccache
authorAlexander Bokovoy <ab@samba.org>
Thu, 24 May 2012 12:17:40 +0000 (15:17 +0300)
committerAlexander Bokovoy <ab@samba.org>
Thu, 24 May 2012 14:21:26 +0000 (16:21 +0200)
The root cause for existing ccache being invalidated was use of global loadparm with
'workgroup' value set as if from command line. However, we don't really need to take
'workgroup' parameter value's nature into account when invalidating existing ccache.
When -U is used on the command line, one can specify a password to force ccache
invalidation.

This commit also reverts the previous fix, now that the root cause is clear.

auth/credentials/credentials.c
auth/credentials/credentials_krb5.c
testprogs/blackbox/test_kinit.sh

index 3eaccde25ee8a1672b81a9e0886094507a6f9d04..05f0a624db380a5ee3dde58e399e2a32e96413e4 100644 (file)
@@ -483,7 +483,11 @@ _PUBLIC_ bool cli_credentials_set_domain(struct cli_credentials *cred,
                 * calculations */
                cred->domain = strupper_talloc(cred, val);
                cred->domain_obtained = obtained;
-               cli_credentials_invalidate_ccache(cred, cred->domain_obtained);
+               /* setting domain does not mean we have to invalidate ccache 
+                * because domain in not used for Kerberos operations.
+                * If ccache invalidation is required, one will anyway specify
+                * a password to kinit, and that will force invalidation of the ccache
+                */
                return true;
        }
 
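Review bot: The comment added in cli_credentials_set_domain() reads "domain in not used" (should be "is not") and has trailing whitespace after "invalidate ccache", and it rests the decision to keep the cache on the caller supplying a password. With the invalidation call removed, tickets obtained before the domain changed stay in use, so the comment should name which setters are still expected to drop the ccache. Presumably the realm, principal and password setters do, but none of them is visible in this hunk, so that needs confirming. Suggested wording: `/* The domain is not used for Kerberos operations, so setting it keeps the existing ccache; an explicitly supplied password still forces invalidation. */`. The function body starts above the hunk.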
index 2c93a8febc95cb15ff6ce622c0fcfdbbe50e65bd..2a23688ffdbbf04f8dc51f58e642b65e826aaf0c 100644 (file)
@@ -486,18 +486,8 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
                }
        }
 
-
-       if (cred->ccache_obtained == CRED_UNINITIALISED) {
-               /* Only attempt to re-acquire ccache if it is not already in place.
-                * this is important for client-side use within frameworks with already acquired tickets
-                * like Apache+mod_auth_kerb+Python
-                */
-               ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx,
-                                                &ccache, error_string);
-       } else {
-               ccache = cred->ccache;
-       }
-
+       ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx,
+                                        &ccache, error_string);
        if (ret) {
                if (cli_credentials_get_kerberos_state(cred) == CRED_MUST_USE_KERBEROS) {
                        DEBUG(1, ("Failed to get kerberos credentials (kerberos required): %s\n", *error_string));
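Review bot: The restored unconditional call to cli_credentials_get_ccache() carries no comment, and the removed block was the only place that documented callers arriving with an externally acquired ccache (the Apache+mod_auth_kerb+Python case). Whether such a cache is reused rather than re-acquired now depends entirely on how cli_credentials_get_ccache() treats cred->ccache_obtained, which is not visible in this hunk. I would keep that rationale next to the call, for example `/* cli_credentials_get_ccache() is expected to hand back an already obtained ccache unchanged; callers may come in with externally acquired tickets */`. cli_credentials_get_client_gss_creds() starts above and continues below the hunk.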
index 14f1e62c9e8731580a3c3afffa09c0f274506ea5..981987d03fdd8a8237798747b94293f6cccf3df6 100755 (executable)
@@ -174,7 +174,6 @@ rm -f $KRB5CCNAME
 testit "kinit with machineaccountccache script" $machineaccountccache $CONFIGURATION $KRB5CCNAME || failed=`expr $failed + 1`
 test_smbclient "Test machine account login with kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1`
 
-rm -f $KRB5CCNAME
 testit "reset password policies" $VALGRIND $samba_tool domain passwordsettings $PWSETCONFIG set --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=`expr $failed + 1`
 
 rm -f $PREFIX/tmpccache tmpccfile tmppassfile tmpuserpassfile tmpuserccache tmpkpasswdscript