search for: keytab_name

Third respin of this series. Reordered for better safety for bisecting. The environment scraping is now on by default, but can be disabled with "-E" in environments where it's not needed. Also, I've added a patch to make cifs.upcall drop capabilities before doing most of its work. This may help reduce the attack surface of the program. Jeff Layton (4): cifs.upcall: convert

First thing - I'd like to say a big "THANK YOU" to the developers. I just upgraded to samba-3.0.23 and I've noticed an alarming issue with respect to my configuration. I've been using the built-in keytab management and it looks like the updated code no longer creates the userPrincipal in Active Directory. Whether this is an issue for others or not, it would be nice to have

...BUG, "%s: default ccache is %s\n", __func__, cachename); + krb5_free_string(context, cachename); + } + if (!get_tgt_time(cc)) { krb5_cc_close(context, cc); cc = NULL; @@ -173,7 +297,6 @@ get_default_cc(void) return cc; } - static krb5_ccache init_cc_from_keytab(const char *keytab_name, const char *user) { @@ -664,10 +787,11 @@ lowercase_string(char *c) static void usage(void) { - fprintf(stderr, "Usage: %s [ -K /path/to/keytab] [-k /path/to/krb5.conf] [-t] [-v] [-l] key_serial\n", prog); + fprintf(stderr, "Usage: %s [ -K /path/to/keytab] [-k /path/to/krb5.con...

Apologies for v3 series, I had some extra patches in there. This is the one that should have been sent. Relabeled as v4 for clarity. Third respin of this series. Reordered for better safety for bisecting. The environment scraping is now on by default, but can be disabled with "-E" in environments where it's not needed. Also, I've added a patch to make cifs.upcall drop

Small respin of the patches that I posted a few days ago. The main difference is the reordering of the series to make it do the group and grouplist manipulation first, and then the patch that makes it grab the KRB5CCNAME from the initiating process. I think the code is sound, my main question is whether we really need the command-line switch for this. Should this just be the default mode of

...ENV_NAME, cachename, 1)) + syslog(LOG_DEBUG, "%s: failed to setenv %d\n", __func__, errno); + free(cachename); + } ret = krb5_cc_default(context, &cc); if (ret) { @@ -182,7 +298,6 @@ get_default_cc(void) return cc; } - static krb5_ccache init_cc_from_keytab(const char *keytab_name, const char *user) { @@ -815,7 +930,7 @@ int main(const int argc, char *const argv[]) goto out; } - ccache = get_default_cc(); + ccache = get_existing_cc(arg.pid); /* Couldn't find credcache? Try to use keytab */ if (ccache == NULL && arg.username != NULL) ccache = init_c...

...s.upcall.c @@ -47,6 +47,8 @@ #include <netdb.h> #include <arpa/inet.h> #include <ctype.h> +#include <pwd.h> +#include <grp.h> #include "replace.h" #include "data_blob.h" @@ -818,6 +820,7 @@ int main(const int argc, char *const argv[]) char *keytab_name = NULL; char *env_cachename = NULL; krb5_ccache ccache = NULL; + struct passwd *pw; hostbuf[0] = '\0'; memset(&arg, 0, sizeof(arg)); @@ -924,20 +927,54 @@ int main(const int argc, char *const argv[]) } /* + * The kernel doesn't pass down the gid, so we resort here t...

...5_principal host_princ, char *host_princ_s, krb5_data password, krb5_enctype *enctypes, krb5_keytab *keytab, char *keytab_name) { krb5_keytab_entry entry; krb5_kvno kvno = 1; krb5_error_code ret; krb5_keyblock *key; int i; [... lines deleted ...] entry.keyblock = *key; The problem is that the structure member name is key, not keyblock. >From krb5.h typedef s...

On Fri, 2017-02-10 at 11:15 -0600, Chad William Seys wrote: > Hi Jeff, > > > So we have a default credcache for the user for whom we are operating > > as, but we can't get the default principal name from it. My guess is > > that it's not finding the > > This mount is run by root UID=0 and seems to be find that credential > cache without problem (earlier