From 35573445d5ddefdd026c7995c3e7022c18e608f0 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 10 Oct 2016 15:53:26 +0200 Subject: [PATCH 1/3] HEIMDAL:lib/krb5: destroy a memory ccache on reinit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369 Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner Reviewed-by: Uri Simchoni (cherry picked from commit 2abc3710a8a63327a769ba0482c553ed274b2113) --- source4/heimdal/lib/krb5/mcache.c | 52 ++++++++++++++++++++++++++------------- 1 file changed, 35 insertions(+), 17 deletions(-) diff --git a/source4/heimdal/lib/krb5/mcache.c b/source4/heimdal/lib/krb5/mcache.c index e4b90c1..dc79b87 100644 --- a/source4/heimdal/lib/krb5/mcache.c +++ b/source4/heimdal/lib/krb5/mcache.c @@ -155,13 +155,47 @@ mcc_gen_new(krb5_context context, krb5_ccache *id) return 0; } +static void KRB5_CALLCONV +mcc_destroy_internal(krb5_context context, + krb5_mcache *m) +{ + struct link *l; + + if (m->primary_principal != NULL) { + krb5_free_principal (context, m->primary_principal); + m->primary_principal = NULL; + } + m->dead = 1; + + l = m->creds; + while (l != NULL) { + struct link *old; + + krb5_free_cred_contents (context, &l->cred); + old = l; + l = l->next; + free (old); + } + + m->creds = NULL; + return; +} + static krb5_error_code KRB5_CALLCONV mcc_initialize(krb5_context context, krb5_ccache id, krb5_principal primary_principal) { krb5_mcache *m = MCACHE(id); + /* + * It's important to destroy any existing + * creds here, that matches the baheviour + * of all other backends and also the + * MEMORY: backend in MIT. + */ + mcc_destroy_internal(context, m); m->dead = 0; + m->kdc_offset = 0; m->mtime = time(NULL); return krb5_copy_principal (context, primary_principal, @@ -195,7 +229,6 @@ mcc_destroy(krb5_context context, krb5_ccache id) { krb5_mcache **n, *m = MCACHE(id); - struct link *l; if (m->refcnt == 0) krb5_abortx(context, "mcc_destroy: refcnt already 0"); @@ -211,22 +244,7 @@ mcc_destroy(krb5_context context, } } HEIMDAL_MUTEX_unlock(&mcc_mutex); - if (m->primary_principal != NULL) { - krb5_free_principal (context, m->primary_principal); - m->primary_principal = NULL; - } - m->dead = 1; - - l = m->creds; - while (l != NULL) { - struct link *old; - - krb5_free_cred_contents (context, &l->cred); - old = l; - l = l->next; - free (old); - } - m->creds = NULL; + mcc_destroy_internal(context, m); } return 0; } -- 1.9.1 From 447c6d2fdbf23fdaa5d29deb6a3b3357852c2efd Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 10 Oct 2016 17:07:12 +0200 Subject: [PATCH 2/3] s3:libads: don't use MEMORY:ads_sasl_gssapi_do_bind nor set "KRB5CCNAME" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Most callers just set "KRB5CCNAME", but leave ads->auth.ccache_name = NULL. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369 Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner Reviewed-by: Uri Simchoni (cherry picked from commit 890b1bbdb8e965c4ff6e35214acc96ffbbff5dfd) --- source3/libads/sasl.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c index 85a2eb0..4e4486f 100644 --- a/source3/libads/sasl.c +++ b/source3/libads/sasl.c @@ -1027,7 +1027,6 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads) { ADS_STATUS status; struct ads_service_principal p; - const char *ccache_name = "MEMORY:ads_sasl_gssapi_do_bind"; status = ads_generate_service_principal(ads, &p); if (!ADS_ERR_OK(status)) { @@ -1046,10 +1045,6 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads) "calling kinit\n", ads_errstr(status))); } - if (ads->auth.ccache_name != NULL) { - ccache_name = ads->auth.ccache_name; - } - setenv(KRB5_ENV_CCNAME, ccache_name, 1); status = ADS_ERROR_KRB5(ads_kinit_password(ads)); if (ADS_ERR_OK(status)) { -- 1.9.1 From e4887c758238d9714055282079392fd095556e1d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 10 Oct 2016 17:07:12 +0200 Subject: [PATCH 3/3] s3:libads: don't use MEMORY:ads_sasl_spnego_bind nor set "KRB5CCNAME" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Most callers just set "KRB5CCNAME", but leave ads->auth.ccache_name = NULL. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369 Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner Reviewed-by: Uri Simchoni Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Thu Oct 13 00:35:21 CEST 2016 on sn-devel-144 (cherry picked from commit a5f895a53016af71db53967062728fec5bc307ca) --- source3/libads/sasl.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c index 4e4486f..39c60c3 100644 --- a/source3/libads/sasl.c +++ b/source3/libads/sasl.c @@ -749,11 +749,6 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) && got_kerberos_mechanism) { - const char *ccache_name = "MEMORY:ads_sasl_spnego_bind"; - if (ads->auth.ccache_name != NULL) { - ccache_name = ads->auth.ccache_name; - } - if (ads->auth.password == NULL || ads->auth.password[0] == '\0') { @@ -771,7 +766,6 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) "calling kinit\n", ads_errstr(status))); } - setenv(KRB5_ENV_CCNAME, ccache_name, 1); status = ADS_ERROR_KRB5(ads_kinit_password(ads)); if (ADS_ERR_OK(status)) { -- 1.9.1