one more patch from git master
This commit is contained in:
parent
4a8bf8a4fb
commit
de786e0220
54
samba-v4.6-credentials-fix-realm.patch
Normal file
54
samba-v4.6-credentials-fix-realm.patch
Normal file
@ -0,0 +1,54 @@
|
|||||||
|
commit 4dc389c6ae95b7bd34e762b5362c8a79fbda7c7c
|
||||||
|
Author: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Wed Dec 21 22:17:22 2016 +0100
|
||||||
|
|
||||||
|
auth/credentials: Always set the the realm if we set the principal from the ccache
|
||||||
|
|
||||||
|
This fixes a bug in gensec_gssapi_client_start() where an invalid realm
|
||||||
|
is used to get a Kerberos ticket.
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||||
|
(cherry picked from commit 30c07065300281e3a67197fe39ed928346480ff7)
|
||||||
|
|
||||||
|
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
|
||||||
|
index 0e68012..1912c48 100644
|
||||||
|
--- a/auth/credentials/credentials_krb5.c
|
||||||
|
+++ b/auth/credentials/credentials_krb5.c
|
||||||
|
@@ -107,7 +107,8 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
|
||||||
|
enum credentials_obtained obtained,
|
||||||
|
const char **error_string)
|
||||||
|
{
|
||||||
|
-
|
||||||
|
+ bool ok;
|
||||||
|
+ char *realm;
|
||||||
|
krb5_principal princ;
|
||||||
|
krb5_error_code ret;
|
||||||
|
char *name;
|
||||||
|
@@ -134,11 +135,24 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
- cli_credentials_set_principal(cred, name, obtained);
|
||||||
|
-
|
||||||
|
+ ok = cli_credentials_set_principal(cred, name, obtained);
|
||||||
|
+ if (!ok) {
|
||||||
|
+ krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ);
|
||||||
|
+ return ENOMEM;
|
||||||
|
+ }
|
||||||
|
free(name);
|
||||||
|
|
||||||
|
+ realm = smb_krb5_principal_get_realm(ccache->smb_krb5_context->krb5_context,
|
||||||
|
+ princ);
|
||||||
|
krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ);
|
||||||
|
+ if (realm == NULL) {
|
||||||
|
+ return ENOMEM;
|
||||||
|
+ }
|
||||||
|
+ ok = cli_credentials_set_realm(cred, realm, obtained);
|
||||||
|
+ SAFE_FREE(realm);
|
||||||
|
+ if (!ok) {
|
||||||
|
+ return ENOMEM;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
/* set the ccache_obtained here, as it just got set to UNINITIALISED by the calls above */
|
||||||
|
cred->ccache_obtained = obtained;
|
@ -6,7 +6,7 @@
|
|||||||
# ctdb is enabled by default, you can disable it with: --without clustering
|
# ctdb is enabled by default, you can disable it with: --without clustering
|
||||||
%bcond_without clustering
|
%bcond_without clustering
|
||||||
|
|
||||||
%define main_release 2
|
%define main_release 3
|
||||||
|
|
||||||
%define samba_version 4.6.0
|
%define samba_version 4.6.0
|
||||||
%define talloc_version 2.1.9
|
%define talloc_version 2.1.9
|
||||||
@ -108,6 +108,7 @@ Source200: README.dc
|
|||||||
Source201: README.downgrade
|
Source201: README.downgrade
|
||||||
|
|
||||||
Patch0: samba-v4.6-gss_krb5_import_cred.patch
|
Patch0: samba-v4.6-gss_krb5_import_cred.patch
|
||||||
|
Patch1: samba-v4.6-credentials-fix-realm.patch
|
||||||
|
|
||||||
Requires(pre): /usr/sbin/groupadd
|
Requires(pre): /usr/sbin/groupadd
|
||||||
Requires(post): systemd
|
Requires(post): systemd
|
||||||
@ -2628,6 +2629,10 @@ rm -rf %{buildroot}
|
|||||||
%endif # with_clustering_support
|
%endif # with_clustering_support
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Mar 10 2017 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.0-3
|
||||||
|
- auth/credentials: Always set the the realm if we set the principal from the ccache
|
||||||
|
- resolves: #1430761 - credentials_crb5: use gss_acquire_cred for client-side GSSAPI use case
|
||||||
|
|
||||||
* Thu Mar 09 2017 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.0-2
|
* Thu Mar 09 2017 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.0-2
|
||||||
- resolves: #1430761 - credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case
|
- resolves: #1430761 - credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user