Avoid overriding default ccache for ads operations.
author Simo Sorce <idra@samba.org>
Fri, 7 Sep 2012 18:14:08 +0000 (14:14 -0400)
committer Alexander Bokovoy <ab@samba.org>
Wed, 12 Sep 2012 19:18:09 +0000 (21:18 +0200)
commit 893b21387665a7b644355d60f6fbccaf48ffaedb
tree 91721ee23469a110630937c14efbdc2b62ae5412
parent a11e45f1c5268e798124fe9e0716b7b9d0557014
Avoid overriding default ccache for ads operations.

Nowadays various samba components may need to use GSSAPI and a default cred
cache to perform their tasks.
This code was completely overriding the whole process default ccache name, thus
altering the current credentials and sometimes hijacking them (or getting
preemptively hijacked).

By using gss_krb5_import_cred we can instead use a private ccache (necessary
sometimes to use a different set of credentials from the default
cifs/fqdn@realm one, for example when contacting foreign DCs using trust
credentials) that does not affect the rest of the process.

For the kerberos versions which don't have gss_krb5_import_cred
we fall back to temp override of KRB5CCNAME and gss_acquire_cred.

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Sep 12 21:18:09 CEST 2012 on sn-devel-104
source3/include/ads.h
source3/include/proto.h
source3/libads/ads_struct.c
source3/libads/kerberos_util.c
source3/libads/sasl.c
source3/libsmb/cliconnect.c
source3/libsmb/clispnego.c
source3/winbindd/winbindd_ads.c