search for: ccname

...================================= RCS file: /cvs/openssh/auth-krb5.c,v retrieving revision 1.25 diff -u -r1.25 auth-krb5.c --- auth-krb5.c 11 Sep 2004 13:32:09 -0000 1.25 +++ auth-krb5.c 6 Jul 2005 10:31:51 -0000 @@ -67,9 +67,6 @@ #ifndef HEIMDAL krb5_creds creds; krb5_principal server; - char ccname[40]; - int tmpfd; - mode_t old_umask; #endif krb5_error_code problem; krb5_ccache ccache = NULL; @@ -146,28 +143,7 @@ goto out; } - snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid()); - - old_umask = umask(0177); - tmpfd = mkstemp(ccname + strlen("FILE...

.../auth.h ./session.c * file diffs --- orig/auth-krb5.c +++ mod/auth-krb5.c @@ -199,6 +199,25 @@ return (1); } +/* + * Mainly useful with GSSAPI Kerberos 5 forwarded credentials. + * Called after we have setuid to the user. + */ +void +session_krb5_use_ccache(Authctxt *authctxt) +{ + char *ccname; + debug("session_krb5_use_ccache called"); + if (authctxt->krb5_fwd_ccache) + return; + ccname = getenv("KRB5CCNAME"); + if (!ccname) + return; + debug("using ccname=%.100s", ccname); + if (krb5_init(authctxt)) + return; + krb5_cc_resolve(authctxt->krb5_ctx,...

I'm using a OpenSSH 3.0.2p1 with the krb5 patch from <http://www.sxw.org.uk/computing/patches/openssh.html>. I'm getting KRB5CCNAME set to "" even though <http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=98269278629018&w=2> mentions fixing it. This causes things like kinit to fail with a somewhat uninformative error message. The relevant sshd_config lines I use are: # To change Kerberos options Kerbe...

Hi Aurélien, Thanks for the idea! For Debian packages: 6.4-1 works 6.5-1 works 6.5-2 works 6.6-1 fails 6.6-5 fails So looks like something changed from 6.5 to 6.6... When I have time I'll figure out how to compile the upcall binary.

...lly don't want to do the same check twice.          Signed-off-by: Jeff Layton <jlayton at samba.org> commit 9be6e885c3bd63aa6ae9e6351e1b33a4b15d9183 Author: Jeff Layton <jlayton at samba.org> Date:   Sun Aug 21 09:42:59 2016 -0400     cifs.upcall: use krb5 routines to get default ccname          Currently we end up groveling around in /tmp, trying to guess what the     credcache will be. Instead, just get the default ccname for the user,     and then see if it has a valid tgt. If it doesn't then we try to use     the keytab to init the credcache before proceeding.          Sig...

...es exist in 6.6 . My best guess ATM is that the below commit caused the problem. Thanks for your time! Chad. commit 9be6e885c3bd63aa6ae9e6351e1b33a4b15d9183 Author: Jeff Layton <jlayton at samba.org> Date: Sun Aug 21 09:42:59 2016 -0400 cifs.upcall: use krb5 routines to get default ccname Currently we end up groveling around in /tmp, trying to guess what the credcache will be. Instead, just get the default ccname for the user, and then see if it has a valid tgt. If it doesn't then we try to use the keytab to init the credcache before proceeding.

...the below commit caused the problem. > > Thanks for your time! > Chad. > > commit 9be6e885c3bd63aa6ae9e6351e1b33a4b15d9183 > Author: Jeff Layton <jlayton at samba.org> > Date: Sun Aug 21 09:42:59 2016 -0400 > > cifs.upcall: use krb5 routines to get default ccname > Currently we end up groveling around in /tmp, trying to guess what > the credcache will be. Instead, just get the default ccname for the > user, and then see if it has a valid tgt. If it doesn't then we try to > use the keytab to init the credcache before proceeding. Tha...

...ss_krb5_copy_ccache(&min_status, + client->creds, ccache))) { + logit("gss_krb5_copy_ccache() failed"); + krb5_cc_destroy(krb_context, ccache); + return; + } + + client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache)); + client->store.envvar = "KRB5CCNAME"; + client->store.envval = xstrdup(client->store.filename); + + krb5_cc_close(krb_context, ccache); + + return; +} + +ssh_gssapi_mech gssapi_kerberos_mech = { + "toWM5Slw5Ew8Mqkay+al2g==", + "Kerberos", + {9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"}, + NULL,...

...l.c 7852bec cifs.upcall: stop passing around ccache name strings 39dbb7b cifs.upcall: make get_tgt_time take a ccache arg 3db6b3a cifs.upcall: remove KRB5_TC_OPENCLOSE a3743af cifs.upcall: make the krb5_context a static global variable 9be6e88 cifs.upcall: use krb5 routines to get default ccname It seems the way cached credentials are searched changed, which your logs show if you diff them: uid=0 creduid=0 user=smbadmin at PHYSICS.WISC.EDU -pid=27600 -find_krb5_cc: scandir error on directory '/run/user/0': No such file or directory -find_krb5_cc: considering /tmp/krb5cc_...

On Fri, 2017-02-10 at 11:15 -0600, Chad William Seys wrote: > Hi Jeff, > > > So we have a default credcache for the user for whom we are operating > > as, but we can't get the default principal name from it. My guess is > > that it's not finding the > > This mount is run by root UID=0 and seems to be find that credential > cache without problem (earlier

...aves a few linking headaches */ > =A0int cli_krb5_get_ticket(const char *principal, time_t time_offset, > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0DATA_BLOB *ticket, = DATA_BLOB *session_key_krb5, > uint32 extra_ap_opts, > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0const char *ccname, = time_t *tgs_expire, > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0const char = *impersonate_princ_s) > { > =A0 =A0 =A0 =A0 DEBUG(0,("NO KERBEROS SUPPORT\n")); > =A0 =A0 =A0 =A0 return 1; > } > > but for some reason that's not happening for you, so you get li...

...site. * Add saf_join_store() function to memorize the dc used at join time. * Return an error instead of crashing when no realm is given. * Handle the SMB signing states the same in the krb5 and ntlmssp cases. o Andreas Schneider <mail@cynapses.org> * Delete the krb5 ccname variable from the PAM environment if set. * Fix the build of pam_winbind. * Fix circular dependency error with autoconf 2.6.3. o Simo Sorce <idra@samba.org> * Fix an ifdef check. * Fix warning. o Yasuma Takeda <yasuma@osstech.co.jp> * BUG 5909: Fix MS-DFS lin...

...site. * Add saf_join_store() function to memorize the dc used at join time. * Return an error instead of crashing when no realm is given. * Handle the SMB signing states the same in the krb5 and ntlmssp cases. o Andreas Schneider <mail@cynapses.org> * Delete the krb5 ccname variable from the PAM environment if set. * Fix the build of pam_winbind. * Fix circular dependency error with autoconf 2.6.3. o Simo Sorce <idra@samba.org> * Fix an ifdef check. * Fix warning. o Yasuma Takeda <yasuma@osstech.co.jp> * BUG 5909: Fix MS-DFS lin...

...ifs.upcall > > > is not guessing that piece of the filename correctly? > > > > > > > (cc'ing Nalin, Simo and the linux-cifs ml) > > > > Yeah, it seems pretty likely that that is the problem. My guess is > > that > > the extra stuff on the ccname is coming from pam_krb5, which seems to > > want to create a credcache that is session-specific. > > > > You could play with setting a different ccname_template for pam_krb5 > > that doesn't have the trailing stuff at the end, but it looks like it > > won't cl...

...raffic_analyzer build for static links. o TAKAHASHI Motonobu <monyo@samba.gr.jp> * BUG 5901: Fix default for streams_depot location. o Tim Prouty <tim.prouty@isilon.com> * Fix several build warnings. o Andreas Schneider <mail@cynapses.org> * Delete the krb5 ccname variable from the PAM environment if set. * Fix circular dependency error with autoconf 2.6.3. o Martin Schwenke <martin@meltin.net> * Add @CIFSUPCALL_PROGS@ to "all" target so cifs.upcall gets built at compile time rather than install time. o Davide Sfriso &lt...

...raffic_analyzer build for static links. o TAKAHASHI Motonobu <monyo@samba.gr.jp> * BUG 5901: Fix default for streams_depot location. o Tim Prouty <tim.prouty@isilon.com> * Fix several build warnings. o Andreas Schneider <mail@cynapses.org> * Delete the krb5 ccname variable from the PAM environment if set. * Fix circular dependency error with autoconf 2.6.3. o Martin Schwenke <martin@meltin.net> * Add @CIFSUPCALL_PROGS@ to "all" target so cifs.upcall gets built at compile time rather than install time. o Davide Sfriso &lt...

If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |

...> > > > > > > > > > > (cc'ing Nalin, Simo and the linux-cifs ml) > > > > > > > > Yeah, it seems pretty likely that that is the problem. My guess > > > > is > > > > that > > > > the extra stuff on the ccname is coming from pam_krb5, which > > > > seems to > > > > want to create a credcache that is session-specific. > > > > > > > > You could play with setting a different ccname_template for > > > > pam_krb5 > > > > that doesn't...

Hello, On Debian 9 (stretch prerelease) I am able to mount with the following command with root using the following command: mount -t cifs //smb.physics.wisc.edu/smb /smb -osec=krb5,multiuser,username=smbadmin at PHYSICS.WISC.EDU --verbose root can also access files as expected However, when cifs-utils 6.6-5 is installed, a different user cannot access as expected: ls /smb ls: cannot

Hi After starting Samba 4, before anyone can do anything, Administrator has to do a kinit to get a new ticket. This creates a cache /tmp/krb5cc_0 with an expiry time. I've created a host principal and put it into the keytab: samba-tool spn add host someuser samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/HH3.SITE How can I keep Samba 4 up without having to get a new