search for: krb5_ccache

Displaying 19 results from an estimated 19 matches for "krb5_ccache".

2020 Jul 09
3
AD Users on Linux Laptop
...> # here are the per-package modules (the "Primary" block) > auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000 > auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass > auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass > the krb5_ccache file is saved on /tmp/ is there a way to save that to an other folder, that's not cleanup on reboot? /usr/lib .... for example. > If not, run : pam-auth-update ( even if you don't see it, run it, it sets everything correct.) > >...
2005 Jul 06
0
[PATCH] Simplify Kerberos credentials cache code
...revision 1.25 diff -u -r1.25 auth-krb5.c --- auth-krb5.c 11 Sep 2004 13:32:09 -0000 1.25 +++ auth-krb5.c 6 Jul 2005 10:31:51 -0000 @@ -67,9 +67,6 @@ #ifndef HEIMDAL krb5_creds creds; krb5_principal server; - char ccname[40]; - int tmpfd; - mode_t old_umask; #endif krb5_error_code problem; krb5_ccache ccache = NULL; @@ -146,28 +143,7 @@ goto out; } - snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid()); - - old_umask = umask(0177); - tmpfd = mkstemp(ccname + strlen("FILE:")); - umask(old_umask); - if (tmpfd == -1) { - logit("mkstemp(): %.100s&qu...
2017 Feb 15
5
[cifs-utils PATCH v3 0/4] cifs.upcall: allow cifs.upcall to scrape cache location initiating task's environment
Third respin of this series. Reordered for better safety for bisecting. The environment scraping is now on by default, but can be disabled with "-E" in environments where it's not needed. Also, I've added a patch to make cifs.upcall drop capabilities before doing most of its work. This may help reduce the attack surface of the program. Jeff Layton (4): cifs.upcall: convert
2017 Feb 11
2
[RFC][cifs-utils PATCH] cifs.upcall: allow scraping of KRB5CCNAME out of initiating task's /proc/<pid>/environ file
...+ cachename = strndup(pos + ENV_PREFIX_LEN, + len - ENV_PREFIX_LEN); + syslog(LOG_DEBUG, "%s: cachename = %s\n", + __func__, cachename); + break; + } + buflen -= (len + 1); + pos += (len + 1); + } + free(buf); +out_close: + close(fd); + return cachename; +} + static krb5_ccache -get_default_cc(void) +get_existing_cc(const char *env_cachename) { krb5_error_code ret; krb5_ccache cc; + char *cachename; + + if (env_cachename) { + if (setenv(ENV_NAME, env_cachename, 1)) + syslog(LOG_DEBUG, "%s: failed to setenv %d\n", __func__, errno); + } ret = krb5_cc_d...
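Review bot: in get_existing_cc(), a failed setenv(ENV_NAME, env_cachename, 1) is only logged at LOG_DEBUG and execution continues into the krb5_cc_d... call that follows, so the lookup proceeds with whatever the environment already held rather than the cache name scraped from the initiating task. Returning NULL on that failure would avoid resolving a cache the caller did not ask for. The value originates in another process's environment and is exported unvalidated in the visible lines, so a check on its form before the setenv is also worth adding.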
2017 Feb 14
3
[PATCH v2 0/2] cifs.upcall: allow cifs.upcall to grab $KRB5CCNAME from initiating process
Small respin of the patches that I posted a few days ago. The main difference is the reordering of the series to make it do the group and grouplist manipulation first, and then the patch that makes it grab the KRB5CCNAME from the initiating process. I think the code is sound, my main question is whether we really need the command-line switch for this. Should this just be the default mode of
2020 Jul 09
0
AD Users on Linux Laptop
On 09.07.20 11:06, basti via samba wrote: > There must be a way to cache login infos between reboot. > > sssd or something like that? sssd can do it, but winbind's own cache should work just as well. But yes, network-online.target is counterproductive here. > the krb5_ccache file is saved on /tmp/ is there a way to save that to an > other folder, that's not cleanup on reboot? /usr/lib .... for example. As far as I understand the manpages, krb5_ccache is unrelated to offline logon. The stuff you need is controlled by the cached_login PAM parameter and the "winbi...
2017 Feb 15
5
[cifs-utils PATCH v3 0/4] cifs.upcall: allow cifs.upcall to scrape cache location initiating task's environment
Apologies for v3 series, I had some extra patches in there. This is the one that should have been sent. Relabeled as v4 for clarity. Third respin of this series. Reordered for better safety for bisecting. The environment scraping is now on by default, but can be disabled with "-E" in environments where it's not needed. Also, I've added a patch to make cifs.upcall drop
2017 Feb 10
0
cifs-utils: regression in (mulituser?) mounting 'CIFS VFS: Send error in SessSetup = -126'
...X_LEN)) { + cachename = strndup(pos + ENV_PREFIX_LEN, + len - ENV_PREFIX_LEN); + syslog(LOG_DEBUG, "%s: cachename = %s\n", __func__, cachename); + break; + } + buflen -= (len + 1); + pos += (len + 1); + } + free(buf); +out_close: + close(fd); + return cachename; +} + static krb5_ccache -get_default_cc(void) +get_existing_cc(pid_t pid) { krb5_error_code ret; krb5_ccache cc; - char *cachename; + char *cachename = NULL; + + cachename = get_cachename_from_process_env(pid); + if (cachename) { + if (setenv(ENV_NAME, cachename, 1)) + syslog(LOG_DEBUG, "%s: failed to setenv...
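Review bot: the strndup() result assigned to cachename in the environment-scanning loop is passed straight to syslog() with %s and the loop then breaks, with no NULL check in between. An allocation failure is returned to get_existing_cc(pid) as NULL, where the if (cachename) test treats it the same as "no cache name found in the environment". Checking the strndup() return and logging the failure separately would keep the two cases distinguishable.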
2003 Oct 30
1
Patch to make sshd work on multihomed systems
...4 2003 @@ -34,6 +34,7 @@ #include "ssh1.h" #include "packet.h" #include "xmalloc.h" +#include "canohost.h" #include "log.h" #include "servconf.h" #include "uidswap.h" @@ -71,12 +72,23 @@ #endif krb5_error_code problem; krb5_ccache ccache = NULL; + char localname[MAXHOSTNAMELEN]; + char *socketname; if (authctxt->pw == NULL) return (0); temporarily_use_uid(authctxt->pw); + socketname = get_local_name(packet_get_connection_in()); + if (socketname) { + strlcpy(localname, socketname, MAXHOSTNAMELEN); + xfree(so...
2017 Feb 10
5
cifs-utils: regression in (mulituser?) mounting 'CIFS VFS: Send error in SessSetup = -126'
...Jeff Layton <jlayton at samba.org> --- cifs.upcall.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/cifs.upcall.c b/cifs.upcall.c index 8f146c92b4a5..dd0843e358b1 100644 --- a/cifs.upcall.c +++ b/cifs.upcall.c @@ -159,6 +159,7 @@ get_default_cc(void) { krb5_error_code ret; krb5_ccache cc; + char *cachename; ret = krb5_cc_default(context, &cc); if (ret) { @@ -166,6 +167,14 @@ get_default_cc(void) return NULL; } + ret = krb5_cc_get_full_name(context, cc, &cachename); + if (ret) { + syslog(LOG_DEBUG, "%s: krb5_cc_get_full_name failed: %d\n", __func__...
2017 Feb 13
0
[cifs-utils PATCH] cifs.upcall: switch group IDs when handling an upcall
...t; #include <arpa/inet.h> #include <ctype.h> +#include <pwd.h> +#include <grp.h> #include "replace.h" #include "data_blob.h" @@ -818,6 +820,7 @@ int main(const int argc, char *const argv[]) char *keytab_name = NULL; char *env_cachename = NULL; krb5_ccache ccache = NULL; + struct passwd *pw; hostbuf[0] = '\0'; memset(&arg, 0, sizeof(arg)); @@ -924,20 +927,54 @@ int main(const int argc, char *const argv[]) } /* + * The kernel doesn't pass down the gid, so we resort here to scraping + * one out of /etc/passwd (or the equiv...
2003 Aug 08
1
Help request: merging OpenBSD Kerberos change into Portable.
...02/11/21 23:03:51 deraadt Exp $"); +RCSID("$OpenBSD: auth-krb5.c,v 1.11 2003/07/16 15:02:06 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -208,6 +208,7 @@ int auth_krb5_password(Authctxt *authctxt, const char *password) { krb5_error_code problem; + krb5_ccache ccache = NULL; if (authctxt->pw == NULL) return (0); @@ -223,30 +224,46 @@ auth_krb5_password(Authctxt *authctxt, c if (problem) goto out; - problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, - &authctxt->krb5_fwd_ccache); + problem = krb5_cc_gen_new(aut...
2006 Jul 13
2
Kerberos Keytab Code Update in 3.0.23
First thing - I'd like to say a big "THANK YOU" to the developers. I just upgraded to samba-3.0.23 and I've noticed an alarming issue with respect to my configuration. I've been using the built-in keytab management and it looks like the updated code no longer creates the userPrincipal in Active Directory. Whether this is an issue for others or not, it would be nice to have
2017 Feb 10
2
cifs-utils: regression in (mulituser?) mounting 'CIFS VFS: Send error in SessSetup = -126'
On Thu, 2017-02-09 at 14:45 -0600, Chad William Seys wrote: > Hi Jeff, > Could you look at the following mailing list posting? > > https://lists.samba.org/archive/samba/2017-February/206468.html > > It looks like cifs.upcall has changed its behavior. As described in > that post, I can mount with root / kerberos, but then cannot access with > another user who has
2020 Jul 09
6
AD Users on Linux Laptop
Hello, I have set up a laptop with debian10, where samba ad users should be able to log in. I also set up PAM_Offline_Authentication, so far so good. There are several problems: - After reboot winbind seems to start before the network is ready, so winbind can't get user info via getent passwd <username>, after restarting winbind it works - How can I cache login info, for offline login (e.g. when
2014 Jul 15
3
GSSAPI
If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |
2019 Apr 06
2
selftest, help with a single test
...src/samba-git/samba/st/hosts' SOCKET_WRAPPER_DEFAULT_IFACE="23" RESOLV_WRAPPER_HOSTS="/home/user/src/samba-git/samba/st/dns_host_file" KRB5_CONFIG="/home/user/src/samba-git/samba/st/s4member/etc/krb5.conf" KRB5CCNAME="/home/user/src/samba-git/samba/st/s4member/krb5_ccache" RESOLV_CONF="/home/user/src/samba-git/samba/st/dns_hub/rootdnsforwarder/resolv.conf" python3 ./bin/samba-tool domain join --configfile=/home/user/src/samba-git/samba/st/s4member/etc/smb.conf SAMBA.EXAMPLE.COM member -UAdministrator%locDCpass1 --machinepass=machinelocMEMpass3 at /hom...
2019 Apr 01
5
selftest
Thanks for the reply, Besides the problem with source4/lib/messaging/messaging_handlers.c, Good to hear that selftest is actively used, then do I understand it right that 'make test' should succeed? My bigger problem is that it failed with lots of errors. This must be a problem with my build, then, but since this is a fresh tarball I am a bit puzzled. I would appreciate some hint on
2003 Aug 10
9
updated gssapi diff
...e + retval = 0; + + krb5_free_principal(krb_context, princ); + return retval; +} + + +/* This writes out any forwarded credentials from the structure populated + * during userauth. Called after we have setuid to the user */ + +static void +ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) +{ + krb5_ccache ccache; + krb5_error_code problem; + krb5_principal princ; + OM_uint32 maj_status, min_status; + + if (client->creds == NULL) { + debug("No credentials stored"); + return; + } + + if (ssh_gssapi_krb5_init() == 0) + return; + + if ((problem = krb5_cc_gen_new(krb_context, &krb5_fc...