From 3a37579b0dc95830d8fa7d596eec17d720940998 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Wed, 9 Oct 2019 20:11:03 +0200
Subject: [PATCH 1/2] lib:krb5_wrap: Do not create a temporary file for MEMORY keytabs

The autobuild cleanup script fails with:

The tree has 3 new uncommitted files!!!
git clean -n
Would remove MEMORY:tmp_smb_creds_SK98Lv
Would remove MEMORY:tmp_smb_creds_kornU6
Would remove MEMORY:tmp_smb_creds_ljR828

Signed-off-by: Andreas Schneider
Reviewed-by: Stefan Metzmacher

(cherry picked from commit d888655244b4d8ec7a69a042e0ff3c074585b0de)
---
 lib/krb5_wrap/krb5_samba.c | 19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)

diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index a4e73c64f00..5aceae44eec 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -2002,26 +2002,23 @@ krb5_error_code smb_krb5_kinit_keyblock_ccache(krb5_context ctx,
 					    krb_options);
 #elif defined(HAVE_KRB5_GET_INIT_CREDS_KEYTAB)
 	{
-#define SMB_CREDS_KEYTAB "MEMORY:tmp_smb_creds_XXXXXX"
-		char tmp_name[sizeof(SMB_CREDS_KEYTAB)];
+#define SMB_CREDS_KEYTAB "MEMORY:tmp_kinit_keyblock_ccache"
+		char tmp_name[64] = {0};
 		krb5_keytab_entry entry;
 		krb5_keytab keytab;
-		int tmpfd;
-		mode_t mask;
+		int rc;
 
 		memset(&entry, 0, sizeof(entry));
 		entry.principal = principal;
 		*(KRB5_KT_KEY(&entry)) = *keyblock;
 
-		memcpy(tmp_name, SMB_CREDS_KEYTAB, sizeof(SMB_CREDS_KEYTAB));
-		mask = umask(S_IRWXO | S_IRWXG);
-		tmpfd = mkstemp(tmp_name);
-		umask(mask);
-		if (tmpfd == -1) {
-			DBG_ERR("Failed to mkstemp %s\n", tmp_name);
+		rc = snprintf(tmp_name, sizeof(tmp_name),
+			      "%s-%p",
+			      SMB_CREDS_KEYTAB,
+			      &my_creds);
+		if (rc < 0) {
 			return KRB5_KT_BADNAME;
 		}
-		close(tmpfd);
 
 		code = krb5_kt_resolve(ctx, tmp_name, &keytab);
 		if (code) {
 			return code;
-- 
2.23.0

From 2d17adb1d8ca727258ae79c8bfa69c7f5b0c5560 Mon Sep 17 00:00:00 2001
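Review bot: The new `if (rc < 0)` after the `snprintf` that builds `tmp_name` catches only an encoding error, not truncation; the usual guard is `if (rc < 0 || (size_t)rc >= sizeof(tmp_name)) {`, which keeps `tmp_name[64]` honest if the `SMB_CREDS_KEYTAB` prefix ever grows. The removed `mkstemp` path logged its failure with `DBG_ERR` while the new path returns `KRB5_KT_BADNAME` silently, so a `DBG_ERR("Failed to build keytab name from %s\n", SMB_CREDS_KEYTAB);` on that branch would preserve diagnosability. The `%p` of `&my_creds` makes the MEMORY: name unique only among live stack frames, so the same name recurs across sequential calls; as far as I recall MIT keeps a named MEMORY keytab, entries included, alive while any handle to it is still open, so every error return after `krb5_kt_resolve` in the remainder of smb_krb5_kinit_keyblock_ccache, which lies outside this hunk, should `krb5_kt_close(ctx, keytab)` first or a later call could resolve the earlier entry under its own name. The `= {0}` initializer on `tmp_name` is redundant once the bounded `snprintf` NUL-terminates it, a minor style nit.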
From: Andreas Schneider
Date: Wed, 9 Oct 2019 16:32:47 +0200
Subject: [PATCH 2/2] s3:libads: Do not turn on canonicalization flag for MIT Kerberos

This partially reverts 303b7e59a286896888ee2473995fc50bb2b5ce5e.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14155

Pair-Programmed-With: Isaac Boukris

Signed-off-by: Andreas Schneider
Signed-off-by: Isaac Boukris
Reviewed-by: Stefan Metzmacher

(cherry picked from commit 123584294cfd153acc2d9a5be9d71c395c847a25)
---
 source3/libads/krb5_setpw.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c
index 67bc2f4640d..028b0dcfa65 100644
--- a/source3/libads/krb5_setpw.c
+++ b/source3/libads/krb5_setpw.c
@@ -207,7 +207,22 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
 	krb5_get_init_creds_opt_set_win2k(context, opts, true);
 	krb5_get_init_creds_opt_set_canonicalize(context, opts, true);
 #else /* MIT */
+#if 0
+	/*
+	 * FIXME
+	 *
+	 * Due to an upstream MIT Kerberos bug, this feature is not
+	 * not working. Affection versions (2019-10-09): <= 1.17
+	 *
+	 * Reproducer:
+	 * kinit -C aDmInIsTrAtOr@ACME.COM -S kadmin/changepw@ACME.COM
+	 *
+	 * This is NOT a problem if the service is a krbtgt.
+	 *
+	 * https://bugzilla.samba.org/show_bug.cgi?id=14155
+	 */
 	krb5_get_init_creds_opt_set_canonicalize(opts, true);
+#endif
 #endif /* MIT */
 
 	/* note that heimdal will fill in the local addresses if the addresses
-- 
2.23.0
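Review bot: The comment block added under `#if 0` carries two typos that will trip the next reader: `this feature is not` / `not working` doubles the `not` across the line break, and `Affection versions` should read `Affected versions`; suggest `Due to an upstream MIT Kerberos bug, this feature is not working. Affected versions (2019-10-09): <= 1.17`. `#if 0` removes `krb5_get_init_creds_opt_set_canonicalize(opts, true)` unconditionally, so the call stays off even on an MIT release that carries the fix; if the fixed version is known, a version-conditional guard would let it return automatically, and the `FIXME` should state what symptom a reader would observe so they can tell whether the workaround is still needed. The Heimdal branch just above keeps canonicalization enabled, so the two builds now diverge; a one-line comment at `#else /* MIT */` saying the asymmetry is intentional would stop someone "fixing" it back. ads_krb5_chg_password continues outside the hunk.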