auth/credentials: don't ignore "client use kerberos" and --use-kerberos for machine...

[samba.git] / source3 / libads / kerberos.c

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 9a5ca567ca97ce431348cb64b9f375f91df7ea46..72ce5b7bb348d78b83681a7f0eed6e0c8caeb3bf 100644 (file)
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -34,8 +34,6 @@
 
 #ifdef HAVE_KRB5
 
-#define LIBADS_CCACHE_NAME "MEMORY:libads"
-
 /*
   we use a prompter to avoid a crash bug in the kerberos libs when
   dealing with empty passwords
@@ -64,13 +62,13 @@ kerb_prompter(krb5_context ctx, void *data,
                     prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN) {
                        /*
                         * We don't want to change passwords here. We're
-                        * called from heimal when the KDC returns
+                        * called from heimdal when the KDC returns
                         * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
                         * have the chance to ask the user for a new
                         * password. If we return 0 (i.e. success), we will be
                         * spinning in the endless for-loop in
                         * change_password() in
-                        * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
+                        * third_party/heimdal/lib/krb5/init_creds_pw.c
                         */
                        return KRB5KDC_ERR_KEY_EXPIRED;
                }
@@ -133,6 +131,14 @@ int kerberos_kinit_password_ext(const char *given_principal,
 
        ZERO_STRUCT(my_creds);
 
+       if (cache_name == NULL) {
+               DBG_DEBUG("Missing ccache for [%s] and config [%s]\n",
+                         given_principal,
+                         getenv("KRB5_CONFIG"));
+               TALLOC_FREE(frame);
+               return EINVAL;
+       }
+
        code = smb_krb5_init_context_common(&ctx);
        if (code != 0) {
                DBG_ERR("kerberos init context failed (%s)\n",
@@ -147,10 +153,10 @@ int kerberos_kinit_password_ext(const char *given_principal,
 
        DBG_DEBUG("as %s using [%s] as ccache and config [%s]\n",
                  given_principal,
-                 cache_name ? cache_name: krb5_cc_default_name(ctx),
+                 cache_name,
                  getenv("KRB5_CONFIG"));
 
-       if ((code = krb5_cc_resolve(ctx, cache_name ? cache_name : krb5_cc_default_name(ctx), &cc))) {
+       if ((code = krb5_cc_resolve(ctx, cache_name, &cc))) {
                goto out;
        }
 
@@ -284,23 +290,25 @@ int ads_kdestroy(const char *cc_name)
                return code;
        }
 
-       if (!cc_name) {
-               if ((code = krb5_cc_default(ctx, &cc))) {
-                       krb5_free_context(ctx);
-                       return code;
-               }
-       } else {
-               if ((code = krb5_cc_resolve(ctx, cc_name, &cc))) {
-                       DEBUG(3, ("ads_kdestroy: krb5_cc_resolve failed: %s\n",
-                                 error_message(code)));
-                       krb5_free_context(ctx);
-                       return code;
-               }
+       /*
+        * This should not happen, if
+        * we need that behaviour we
+        * should add an ads_kdestroy_default()
+        */
+       SMB_ASSERT(cc_name != NULL);
+
+       code = krb5_cc_resolve(ctx, cc_name, &cc);
+       if (code != 0) {
+               DBG_NOTICE("krb5_cc_resolve(%s) failed: %s\n",
+                          cc_name, error_message(code));
+               krb5_free_context(ctx);
+               return code;
        }
 
-       if ((code = krb5_cc_destroy (ctx, cc))) {
-               DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n",
-                       error_message(code)));
+       code = krb5_cc_destroy(ctx, cc);
+       if (code != 0) {
+               DBG_ERR("krb5_cc_destroy(%s) failed: %s\n",
+                       cc_name, error_message(code));
        }
 
        krb5_free_context (ctx);
@@ -437,23 +445,23 @@ static char *get_kdc_ip_string(char *mem_ctx,
        char *kdc_str = NULL;
        char *canon_sockaddr = NULL;
 
-       SMB_ASSERT(pss != NULL);
-
-       canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss);
-       if (canon_sockaddr == NULL) {
-               goto out;
-       }
+       if (pss != NULL) {
+               canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss);
+               if (canon_sockaddr == NULL) {
+                       goto out;
+               }
 
-       kdc_str = talloc_asprintf(frame,
-                                 "\t\tkdc = %s\n",
-                                 canon_sockaddr);
-       if (kdc_str == NULL) {
-               goto out;
-       }
+               kdc_str = talloc_asprintf(frame,
+                                         "\t\tkdc = %s\n",
+                                         canon_sockaddr);
+               if (kdc_str == NULL) {
+                       goto out;
+               }
 
-       ok = sockaddr_storage_to_samba_sockaddr(&sa, pss);
-       if (!ok) {
-               goto out;
+               ok = sockaddr_storage_to_samba_sockaddr(&sa, pss);
+               if (!ok) {
+                       goto out;
+               }
        }
 
        /*
@@ -704,7 +712,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
                return false;
        }
 
-       if (domain == NULL || pss == NULL) {
+       if (domain == NULL) {
                return false;
        }
 
@@ -880,7 +888,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
                                goto done; /* Not a fatal error. */
                        }
 
-                       /* Yes, this is a race conditon... too bad. */
+                       /* Yes, this is a race condition... too bad. */
                        if (rename(SYSTEM_KRB5_CONF_PATH, newpath) == -1) {
                                DEBUG(0,("create_local_private_krb5_conf_for_domain: rename "
                                        "of %s to %s failed. Errno %s\n",