one more patch from git master

This commit is contained in:
Alexander Bokovoy 2017-03-10 19:47:24 +02:00
parent 4a8bf8a4fb
commit de786e0220
2 changed files with 60 additions and 1 deletions

View File

@ -0,0 +1,54 @@
commit 4dc389c6ae95b7bd34e762b5362c8a79fbda7c7c
Author: Andreas Schneider <asn@samba.org>
Date: Wed Dec 21 22:17:22 2016 +0100
auth/credentials: Always set the the realm if we set the principal from the ccache
This fixes a bug in gensec_gssapi_client_start() where an invalid realm
is used to get a Kerberos ticket.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 30c07065300281e3a67197fe39ed928346480ff7)
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 0e68012..1912c48 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -107,7 +107,8 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
enum credentials_obtained obtained,
const char **error_string)
{
-
+ bool ok;
+ char *realm;
krb5_principal princ;
krb5_error_code ret;
char *name;
@@ -134,11 +135,24 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
return ret;
}
- cli_credentials_set_principal(cred, name, obtained);
-
+ ok = cli_credentials_set_principal(cred, name, obtained);
+ if (!ok) {
+ krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ);
+ return ENOMEM;
+ }
free(name);
+ realm = smb_krb5_principal_get_realm(ccache->smb_krb5_context->krb5_context,
+ princ);
krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ);
+ if (realm == NULL) {
+ return ENOMEM;
+ }
+ ok = cli_credentials_set_realm(cred, realm, obtained);
+ SAFE_FREE(realm);
+ if (!ok) {
+ return ENOMEM;
+ }
/* set the ccache_obtained here, as it just got set to UNINITIALISED by the calls above */
cred->ccache_obtained = obtained;

View File

@ -6,7 +6,7 @@
# ctdb is enabled by default, you can disable it with: --without clustering # ctdb is enabled by default, you can disable it with: --without clustering
%bcond_without clustering %bcond_without clustering
%define main_release 2 %define main_release 3
%define samba_version 4.6.0 %define samba_version 4.6.0
%define talloc_version 2.1.9 %define talloc_version 2.1.9
@ -108,6 +108,7 @@ Source200: README.dc
Source201: README.downgrade Source201: README.downgrade
Patch0: samba-v4.6-gss_krb5_import_cred.patch Patch0: samba-v4.6-gss_krb5_import_cred.patch
Patch1: samba-v4.6-credentials-fix-realm.patch
Requires(pre): /usr/sbin/groupadd Requires(pre): /usr/sbin/groupadd
Requires(post): systemd Requires(post): systemd
@ -2628,6 +2629,10 @@ rm -rf %{buildroot}
%endif # with_clustering_support %endif # with_clustering_support
%changelog %changelog
* Thu Mar 10 2017 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.0-3
- auth/credentials: Always set the the realm if we set the principal from the ccache
- resolves: #1430761 - credentials_crb5: use gss_acquire_cred for client-side GSSAPI use case
* Thu Mar 09 2017 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.0-2 * Thu Mar 09 2017 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.0-2
- resolves: #1430761 - credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case - resolves: #1430761 - credentials_krb5: use gss_acquire_cred for client-side GSSAPI use case