The Samba-Bugzilla – Attachment 12819 Details for Bug 12480
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred (with MIT krb5)
[patch] Patches for v4-4-test (also applies to v4-3 and v4-2)
tmp44.diff.txt (text/plain), 6.22 KB, created by Stefan Metzmacher on 2017-01-10 15:50:52 UTC

Description: Patches for v4-4-test (also applies to v4-3 and v4-2)
Filename: tmp44.diff.txt
MIME Type: text/plain
Creator: Stefan Metzmacher
Created: 2017-01-10 15:50:52 UTC
Size: 6.22 KB
patch
obsolete
>From 29a0ec1c65d624e2f4089eaa0656ed746afaf097 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 22 Dec 2016 08:46:21 +0100 >Subject: [PATCH 1/3] s3:librpc/gse: include ccache_name in DEBUG message if > krb5_cc_resolve() fails > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12480 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit 6f029d58703f657e46fee35fc663128157db4d9f) >--- > source3/librpc/crypto/gse.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > >diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c >index c4c4bbc..3f1615d 100644 >--- a/source3/librpc/crypto/gse.c >+++ b/source3/librpc/crypto/gse.c >@@ -172,8 +172,8 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx, > k5ret = krb5_cc_resolve(gse_ctx->k5ctx, ccache_name, > &gse_ctx->ccache); > if (k5ret) { >- DEBUG(1, ("Failed to resolve credential cache! (%s)\n", >- error_message(k5ret))); >+ DEBUG(1, ("Failed to resolve credential cache '%s'! (%s)\n", >+ ccache_name, error_message(k5ret))); > status = NT_STATUS_INTERNAL_ERROR; > goto err_out; > } >-- >1.9.1 > > >From f2248ef492305c7a3170ca15a865ff9a588d9918 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 22 Dec 2016 08:47:32 +0100 >Subject: [PATCH 2/3] s3:librpc/gse: remove unused #ifdef > HAVE_GSS_KRB5_IMPORT_CRED > >We always have gss_krb5_import_cred(), it available in heimdal >and also the oldest version (1.9) of MIT krb5 that we support. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12480 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit b61a93755ca59a58775c1c8c21baee49fef42fbf) >--- > source3/librpc/crypto/gse.c | 3 --- > 1 file changed, 3 deletions(-) > >diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c >index 3f1615d..1ac581f 100644 >--- a/source3/librpc/crypto/gse.c 
>+++ b/source3/librpc/crypto/gse.c >@@ -380,8 +380,6 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx, > goto done; > } > >-#ifdef HAVE_GSS_KRB5_IMPORT_CRED >- > /* This creates a GSSAPI cred_id_t with the keytab set */ > gss_maj = gss_krb5_import_cred(&gss_min, NULL, NULL, gse_ctx->keytab, > &gse_ctx->creds); >@@ -400,7 +398,6 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx, > * principal in request'. Work around the issue by > * falling back to the alternate approach below. */ > } else if (gss_maj == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) >-#endif > /* FIXME!!! > * This call sets the default keytab for the whole server, not > * just for this context. Need to find a way that does not alter >-- >1.9.1 > > >From 7df11805b6308a8579c352ea03ed5b8ce8b817bd Mon Sep 17 00:00:00 2001 
>From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 22 Dec 2016 08:49:38 +0100 >Subject: [PATCH 3/3] s3:librpc/gse: make use of gss_krb5_import_cred() instead > of gss_acquire_cred() > >This avoids the usage of the ccselect_realm logic in MIT krb5, >which leads to unpredictable results. > >The problem is the usage of gss_acquire_cred(), that just creates >a credential handle without ccache. > >As result gss_init_sec_context() will trigger a code path >where it use "ccselect" plugins. And the ccselect_realm >module just chooses a random ccache from a global list >where the realm of the provides target principal matches >the realm of the ccache user principal. > >In the winbindd case we're using MEMORY:cliconnect to setup >the smb connection to the DC. For ldap connections we use >MEMORY:winbind_ccache. > >The typical case is that we do the smb connection first. >If we try to create a new ldap connection, while the >credentials in MEMORY:cliconnect are expired, >we'll do the required kinit into MEMORY:winbind_ccache, >but the ccselect_realm module will select MEMORY:cliconnect >and tries to get a service ticket for the ldap server >using the already expired TGT from MEMORY:cliconnect. > >The solution will be to use gss_krb5_import_cred() and explicitly >pass the desired ccache, which avoids the ccselect logic. > >We could also use gss_acquire_cred_from(), but that's only available >in modern MIT krb5 versions, while gss_krb5_import_cred() is available >in heimdal and all supported MIT versions (>=1.9). >As far as I can see both call the same internal function in MIT >(at least for the ccache case). > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12480 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit 7c3ea9fe96336483752adb821f8062a883d52998) >--- > source3/librpc/crypto/gse.c | 31 ++++++++++++++++++------------- > 1 file changed, 18 insertions(+), 13 deletions(-) 
> >diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c >index 1ac581f..1b9ec24 100644 >--- a/source3/librpc/crypto/gse.c >+++ b/source3/librpc/crypto/gse.c >@@ -203,7 +203,6 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx, > struct gse_context *gse_ctx; > OM_uint32 gss_maj, gss_min; > gss_buffer_desc name_buffer = GSS_C_EMPTY_BUFFER; >- gss_OID_set_desc mech_set; > #ifdef HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X > gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER; > #endif >@@ -248,20 +247,26 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx, > /* TODO: get krb5 ticket using username/password, if no valid > * one already available in ccache */ > >- mech_set.count = 1; >- mech_set.elements = &gse_ctx->gss_mech; >- >- gss_maj = gss_acquire_cred(&gss_min, >- GSS_C_NO_NAME, >- GSS_C_INDEFINITE, >- &mech_set, >- GSS_C_INITIATE, >- &gse_ctx->creds, >- NULL, NULL); >+ gss_maj = gss_krb5_import_cred(&gss_min, >+ gse_ctx->ccache, >+ NULL, /* keytab_principal */ >+ NULL, /* keytab */ >+ &gse_ctx->creds); > if (gss_maj) { >- DEBUG(5, ("gss_acquire_creds failed for GSS_C_NO_NAME with [%s] -" >+ char *ccache = NULL; >+ int kret; >+ >+ kret = krb5_cc_get_full_name(gse_ctx->k5ctx, >+ gse_ctx->ccache, >+ &ccache); >+ if (kret != 0) { >+ ccache = NULL; >+ } >+ >+ DEBUG(5, ("gss_krb5_import_cred ccache[%s] failed with [%s] -" > "the caller may retry after a kinit.\n", >- gse_errstr(gse_ctx, gss_maj, gss_min))); >+ ccache, gse_errstr(gse_ctx, gss_maj, gss_min))); >+ SAFE_FREE(ccache); > status = NT_STATUS_INTERNAL_ERROR; > goto err_out; > } >-- >1.9.1 >
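Review bot: In PATCH 1/3, hunk @@ -172,8 of source3/librpc/crypto/gse.c, the message still goes through `error_message(k5ret)`, which only yields the generic com_err table text; since the point of the change is to make the krb5_cc_resolve() failure diagnosable, consider `krb5_get_error_message(gse_ctx->k5ctx, k5ret)` (paired with krb5_free_error_message(), available in both MIT and Heimdal) so the context-specific detail the library attaches is printed next to the new `ccache_name`. Printing the cache name itself is the right first step for turning the bug's "An internal error occurred" into something actionable.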
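Review bot: In PATCH 2/3, hunk @@ -380,8, dropping the `#ifdef HAVE_GSS_KRB5_IMPORT_CRED` guard without touching the build system leaves the configure probe that defines the macro (if one still exists) as a dead check; remove it in the same series, and grep the tree for other users of the macro so the commit message's claim that the ifdef is unused holds beyond gse.c.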
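Review bot: In PATCH 2/3, hunk @@ -400,7, removing the `#endif` that sat between `} else if (gss_maj == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME))` and the `/* FIXME!!! ... */` comment makes that else-if unconditionally guard the fallback block. That was already the effective control flow whenever the macro was defined, so behaviour does not change, but the condition line carries no opening brace in the visible context, so please double-check the brace placement of the block that follows. The retained comment says the fallback sets the default keytab for the whole server rather than for this context, so the FIXME is worth keeping prominent rather than treating the cleanup as closing it.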
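Review bot: In PATCH 3/3, hunk @@ -248,20, the new call passes `gse_ctx->ccache` straight to gss_krb5_import_cred(), but nothing in the visible context shows that `gse_ctx->ccache` is always resolved before gse_init_client() runs; if it can still be NULL the call falls back to whatever the library chooses, which is exactly the ccselect behaviour the commit message wants to avoid, and the error path then hands a NULL ccache to krb5_cc_get_full_name(). Either return NT_STATUS_INVALID_PARAMETER on a NULL ccache at the top of the function or document that callers must always supply one. Two smaller points in the same error path: `ccache` is deliberately set to NULL when krb5_cc_get_full_name() fails and is then fed to a `%s` conversion, which is undefined behaviour in C (glibc prints "(null)", other libcs may not), so use `ccache ? ccache : "<unknown>"`; and the string is allocated by the Kerberos library, so the documented pairing is the library's own free routine (krb5_free_string() in MIT) rather than SAFE_FREE(), and `kret` would conventionally be a `krb5_error_code` rather than `int`.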
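The third commit message above describes how an initiator credential with no pinned cache ends up in MIT's ccselect_realm plugin, which picks a cache by realm and can land on an expired TGT. The following C program is an added example, not code from this attachment, from Samba or from MIT krb5: it models a cache collection holding the two caches the message names (MEMORY:cliconnect and MEMORY:winbind_ccache) and contrasts realm-based selection with explicit selection of the freshly refreshed cache, which is what the patch achieves by passing the ccache to gss_krb5_import_cred(). The struct layout, the helper names, the realm EXAMPLE.COM and the expiry times are assumptions made for the example; the realm-matching rule follows the commit message's description of the plugin and is not MIT's actual code.

```c
/*
 * Added example, not Samba or MIT krb5 code: a model of the failure
 * described in the commit message for PATCH 3/3. Cache names come from
 * that message; everything else here is an assumption for illustration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

struct model_ccache {
	const char *name;          /* e.g. "MEMORY:cliconnect" */
	const char *client_realm;  /* realm of the cache's default principal */
	time_t tgt_endtime;        /* end time of the TGT stored in the cache */
};

/* Global collection, in the order a cache-collection cursor would walk it. */
static struct model_ccache model_collection[] = {
	{ "MEMORY:cliconnect",     "EXAMPLE.COM", 0 },
	{ "MEMORY:winbind_ccache", "EXAMPLE.COM", 0 },
};
#define MODEL_COUNT (sizeof(model_collection) / sizeof(model_collection[0]))

/* Realm part of a principal such as "ldap/dc1.example.com@EXAMPLE.COM". */
static const char *principal_realm(const char *princ)
{
	const char *at = strrchr(princ, '@');
	return at != NULL ? at + 1 : "";
}

/* A TGT can back a new service-ticket request only before its end time. */
bool model_tgt_valid(const struct model_ccache *cc, time_t now)
{
	return cc != NULL && cc->tgt_endtime > now;
}

/*
 * Realm-based selection as the commit message describes ccselect_realm:
 * the first cache whose client realm matches the target service's realm.
 * There is no expiry check, which is the whole problem.
 */
const struct model_ccache *model_select_by_realm(const char *target_princ)
{
	const char *realm = principal_realm(target_princ);
	size_t i;

	for (i = 0; i < MODEL_COUNT; i++) {
		if (strcmp(model_collection[i].client_realm, realm) == 0) {
			return &model_collection[i];
		}
	}
	return NULL;
}

/* Explicit selection: the caller names the cache it just refreshed. */
const struct model_ccache *model_select_explicit(const char *name)
{
	size_t i;

	for (i = 0; i < MODEL_COUNT; i++) {
		if (strcmp(model_collection[i].name, name) == 0) {
			return &model_collection[i];
		}
	}
	return NULL;
}

/*
 * Scenario from the commit message: the SMB connection's cache holds an
 * expired TGT and winbindd has just done a kinit into winbind_ccache.
 * Constructed sample state, not captured from a real winbindd.
 */
void model_setup(time_t now)
{
	model_collection[0].tgt_endtime = now - 60;        /* expired */
	model_collection[1].tgt_endtime = now + 8 * 3600;  /* fresh */
}

/*
 * Simulate requesting a service ticket for target_princ using the cache
 * cc. Returns true when the TGT in that cache is still valid, i.e. a KDC
 * would issue the ticket; false models the "internal error" failure.
 */
bool model_get_service_ticket(const struct model_ccache *cc,
			      const char *target_princ, time_t now)
{
	if (cc == NULL ||
	    strcmp(cc->client_realm, principal_realm(target_princ)) != 0) {
		return false;
	}
	return model_tgt_valid(cc, now);
}

int main(void)
{
	const char *ldap = "ldap/dc1.example.com@EXAMPLE.COM";
	time_t now = time(NULL);
	const struct model_ccache *cc;

	model_setup(now);

	cc = model_select_by_realm(ldap);
	printf("realm select    -> %s, ticket request %s\n", cc->name,
	       model_get_service_ticket(cc, ldap, now) ? "ok" : "fails");

	cc = model_select_explicit("MEMORY:winbind_ccache");
	printf("explicit select -> %s, ticket request %s\n", cc->name,
	       model_get_service_ticket(cc, ldap, now) ? "ok" : "fails");
	return 0;
}
```

Build with `cc -o ccselect_model ccselect_model.c`. The realm-based pick lands on MEMORY:cliconnect, whose TGT has expired, so the simulated ticket request fails; the explicit pick uses MEMORY:winbind_ccache and succeeds. The same ordering effect is why the commit message notes that the SMB connection usually comes first and therefore its cache sits first in the collection.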
Flags: asn: review+
Attachments on bug 12480: 12785 | 12818 | 12819