auth-credentials: Support using pre-fetched ccache when obtaining kerberos credentials
authorAlexander Bokovoy <ab@samba.org>
Fri, 18 May 2012 07:05:38 +0000 (10:05 +0300)
committerAlexander Bokovoy <ab@samba.org>
Wed, 23 May 2012 14:51:50 +0000 (17:51 +0300)
When the credentials API is used by a client-side program that has already fetched the required
tickets into a ccache, we need to skip re-initializing the ccache. This is used in FreeIPA
when Samba 4 Python bindings are run after mod_auth_kerb has already obtained
user tickets.

auth/credentials/credentials_krb5.c

index 2a23688ffdbbf04f8dc51f58e642b65e826aaf0c..2c93a8febc95cb15ff6ce622c0fcfdbbe50e65bd 100644 (file)
@@ -486,8 +486,18 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
                }
        }
 
-       ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx,
-                                        &ccache, error_string);
+
+       if (cred->ccache_obtained == CRED_UNINITIALISED) {
+               /* Only attempt to re-acquire ccache if it is not already in place.
+                * this is important for client-side use within frameworks with already acquired tickets
+                * like Apache+mod_auth_kerb+Python
+                */
+               ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx,
+                                                &ccache, error_string);
+       } else {
+               ccache = cred->ccache;
+       }
+
        if (ret) {
                if (cli_credentials_get_kerberos_state(cred) == CRED_MUST_USE_KERBEROS) {
                        DEBUG(1, ("Failed to get kerberos credentials (kerberos required): %s\n", *error_string));
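Review bot: The new else branch (`ccache = cred->ccache;`) never assigns `ret`, so the `if (ret)` test right after it reads whatever value `ret` held from code above the hunk, which is not visible here. If that value is uninitialized or a stale error, a valid pre-fetched ccache is rejected or the test is undefined, so add `ret = 0;` in the else branch. `cred->ccache` should also be checked for NULL there, and a failure must set `*error_string`, because the error path that follows prints it with `%s`. The branch accepts any `ccache_obtained` state other than `CRED_UNINITIALISED` without calling `cli_credentials_get_ccache()`, so any expiry or trust-level checks that function performs (presumably; its body is not shown) are skipped for the cached tickets. Extending the comment with something like `/* caller is responsible for the validity of the pre-fetched tickets */` would make that trust assumption explicit; the function body starts and ends outside the hunk.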