Fix 'net ads kerberos kinit' to use default ccache name from krb5.conf

- resolves: RHEL-147419
2026-02-11 18:34:14 +01:00 · 2026-02-11 18:34:14 +01:00 · 2d5c9ad7aa
commit 2d5c9ad7aa
parent 9dde1088f5
1 changed files with 189 additions and 7 deletions
--- a/redhat-4.23.patch
+++ b/redhat-4.23.patch
@ -1,7 +1,7 @@
 From e8384b6daea3b8091ad1bcfce84efc9e2c6a746d Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
 Date: Thu, 22 Jan 2026 14:27:09 +0100
-Subject: [PATCH 1/7] s3:libads: Allocate cli_credentials on a stackframe
+Subject: [PATCH 1/9] s3:libads: Allocate cli_credentials on a stackframe
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -82,7 +82,7 @@ index 9d6d962a2bc..d01afa69697 100644
 From 7af95c7cb142aeb5f422a69d3b7a0ea3c0d2c2c2 Mon Sep 17 00:00:00 2001
 From: Samuel Cabrero <scabrero@samba.org>
 Date: Mon, 26 Jan 2026 13:36:02 +0100
-Subject: [PATCH 2/7] s3:rpc_client: Fix memory leak opening local named pipe
+Subject: [PATCH 2/9] s3:rpc_client: Fix memory leak opening local named pipe

 If no local server name was passed to rpc_pipe_open_local_np() then
 get_myname() was called with NULL talloc context instead of the
@ -125,7 +125,7 @@ index e3f48526492..c61b8eb16cf 100644
 From ab1287f78bd9d2397c8eb26fbedafa028e2aaa16 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
 Date: Tue, 2 Dec 2025 17:17:33 +0100
-Subject: [PATCH 3/7] s3-selftest: mention in-memory ccache usage when nothing
+Subject: [PATCH 3/9] s3-selftest: mention in-memory ccache usage when nothing
 is provided

 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
@ -165,7 +165,7 @@ index 8a3c9ef2bc7..92d3996d078 100755
 From 0aa0d39e9a5deb77114f40930b599f11fd7cf3b6 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
 Date: Tue, 2 Dec 2025 17:18:41 +0100
-Subject: [PATCH 4/7] s3-selftest: verify KRB5CCNAME presence after kinit using
+Subject: [PATCH 4/9] s3-selftest: verify KRB5CCNAME presence after kinit using
 klist

 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
@ -222,7 +222,7 @@ index 92d3996d078..c53520cf733 100755
 From b9c07d59c6a20931b80fa104629477ab8f78b4ad Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
 Date: Tue, 2 Dec 2025 17:01:31 +0100
-Subject: [PATCH 5/7] s3-selftest: Activate "net ads kerberos kinit" tests with
+Subject: [PATCH 5/9] s3-selftest: Activate "net ads kerberos kinit" tests with
 --use-krb5-ccache

 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
@ -301,7 +301,7 @@ index c53520cf733..b7933bab6a6 100755
 From c82b7636b633575621e8e5964a93332956c238ff Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
 Date: Tue, 2 Dec 2025 16:56:44 +0100
-Subject: [PATCH 6/7] s3-net: properly setup krb5 ccache name via
+Subject: [PATCH 6/9] s3-net: properly setup krb5 ccache name via
 --use-krb5-ccache

 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
@ -389,7 +389,7 @@ index d49b7537e71..5c57a0b290e 100644
 From 4f5ffea631d805564f7e92cc5f0f2f7ad55ba493 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
 Date: Sat, 13 Dec 2025 13:49:37 +0100
-Subject: [PATCH 7/7] doc-xml: Document "net ads kerberos" commands
+Subject: [PATCH 7/9] doc-xml: Document "net ads kerberos" commands
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -561,3 +561,185 @@ index d9293d0bb34..737415b3722 100644
 -- 
 2.52.0

+
+From f634526bd95b8396ea7f5f1c8ed059eb01a5286b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
+Date: Tue, 3 Feb 2026 12:53:10 +0100
+Subject: [PATCH 8/9] s3:utils: 'net ads kerberos kinit' should use also
+ default ccache name from krb5.conf
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is re-introducing the behavior from samba-4.20 where both these
+commands operated on the same ccache (default_ccache_name in
+[libdefaults] section of krb5.conf)
+
+ 'net ads kerberos kinit -P'
+ 'klist'
+
+ With samba-4.21 it no longer works, 'net ads kerberos kinit -P'
+ fallbacks to 'MEMORY:net' (which is of a very limited use, ticket
+ cannot be used by other process) and klist finds no ticket.
+
+ The order is changed from:
+
+    --use-krb5-ccache
+    env "KRB5CCNAME"
+    "MEMORY:net"
+
+to ("MEMORY:net" is removed):
+
+    --use-krb5-ccache
+    env "KRB5CCNAME"
+    default_ccache_name
+
+'--use-krb5-ccache=MEMORY:net' can be used to validate the credentials.
+
+Use smb_force_krb5_cc_default_name() instead of krb5_cc_default_name()
+because of commit:
+1ca6fb5 make sure krb5_cc_default[_name]() is no longer used directly
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15993
+
+Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 4cc6a13590434f6a3aa1add663728188970d727e)
+---
+ source3/utils/net.c | 36 ++++++++++++++++++++++++++----------
+ 1 file changed, 26 insertions(+), 10 deletions(-)
+
+diff --git a/source3/utils/net.c b/source3/utils/net.c
+index 271c96cf804..0ce03f8213d 100644
+--- a/source3/utils/net.c
+++ b/source3/utils/net.c
+@@ -54,6 +54,7 @@
+ #include "source3/utils/passwd_proto.h"
+ #include "auth/gensec/gensec.h"
+ #include "lib/param/param.h"
+#include "lib/krb5_wrap/krb5_samba.h"
+ 
+ #ifdef WITH_FAKE_KASERVER
+ #include "utils/net_afs.h"
+@@ -1414,18 +1415,33 @@ static struct functable net_func[] = {
+ 				CRED_SPECIFIED);
+ 		}
+ 
+-		/* cli_credentials_get_ccache_name_obtained() would not work
+-		 * here but we can now access the content of the
+-		 * --use-krb5-ccache option via cli credentials. Fallback to
+-		 * KRB5CCNAME environment variable to get 'net ads kerberos'
+-		 * functions to work at all - gd */
+-
+		/*
+		 * Priority order for krb5 credential cache name
+		 *
+		 *    via cli_credentials_get_out_ccache_name() :
+		 *
+		 * 1. '--use-krb5-ccache' option
+		 *
+		 *    via krb5_cc_default_name() :
+		 *
+		 * 2. KRB5CCNAME environment variable
+		 * 3. default_ccache_name in [libdefaults] section of krb5.conf
+		 * 4. ...more - krb5_cc_default_name() always returns something
+		 *    - see documentation
+		 */
+ 		krb5ccname = cli_credentials_get_out_ccache_name(c->creds);
+ 		if (krb5ccname == NULL || krb5ccname[0] == '\0') {
+-			krb5ccname = getenv("KRB5CCNAME");
+-		}
+-		if (krb5ccname == NULL || krb5ccname[0] == '\0') {
+-			krb5ccname = talloc_strdup(c, "MEMORY:net");
+			krb5_context ct = NULL;
+			krb5_error_code ret = smb_krb5_init_context_common(&ct);
+
+			if (ret == 0) {
+				krb5ccname = smb_force_krb5_cc_default_name(ct);
+				if (krb5ccname != NULL) {
+					krb5ccname = talloc_strdup(c,
+								   krb5ccname);
+				}
+				krb5_free_context(ct);
+			}
+ 		}
+ 		if (krb5ccname == NULL) {
+ 			DBG_ERR("Not able to setup krb5 ccache");
+-- 
+2.52.0
+
+
+From 0ca830d6ddded29b2b5d1969ebcbc4df1156656e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
+Date: Thu, 5 Feb 2026 16:04:25 +0100
+Subject: [PATCH 9/9] manpages: Update NET ADS KERBEROS KINIT manpage
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15993
+
+Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+
+Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
+Autobuild-Date(master): Thu Feb  5 21:11:13 UTC 2026 on atb-devel-224
+
+(cherry picked from commit 9d083a28fe45afd8f82441c6e24255e4c64c113b)
+---
+ docs-xml/manpages/net.8.xml | 36 ++++++++++++++++++++++++++++--------
+ 1 file changed, 28 insertions(+), 8 deletions(-)
+
+diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
+index 737415b3722..b793361a27f 100644
+--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
+@@ -1823,17 +1823,37 @@ the following entry types;
+ 	<title>ADS KERBEROS KINIT</title>
+ 
+ <para>
+-	Issue a kinit request for a given user. When no other options are
+-	defined the ticket granting ticket (TGT) will be stored in a memory cache.
+	Issue a kinit request for a given user.  The following methods can be used
+	to specify where to store the ticket granting ticket (TGT) (in order of
+	precedence):
+ </para>
+ 
+-<para>
+-	To store the TGT in a different location either use the
+-	<option>--krb5-ccache</option> option or set the
+-	<replaceable>KRB5CCNAME</replaceable> environment variable.
+-</para>
+<itemizedlist>
+	<listitem>
+		<para>option <option>--use-krb5-ccache</option></para>
+	</listitem>
+	<listitem>
+		<para><replaceable>KRB5CCNAME</replaceable> environment variable</para>
+	</listitem>
+	<listitem>
+		<para><parameter>default_ccache_name</parameter> setting in <filename>krb5.conf</filename></para>
+	</listitem>
+</itemizedlist>
+ 
+-<para>Example: <userinput>net ads kerberos kinit -P --krb5-ccache=/tmp/krb5cache</userinput></para>
+<variablelist><title>Examples:</title>
+<varlistentry>
+<term>Use file based cache (FILE:/tmp/krb5cache)</term>
+<listitem><literallayout>
+net ads kerberos kinit -P --use-krb5-ccache=/tmp/krb5cache
+</literallayout></listitem>
+</varlistentry>
+<varlistentry>
+<term>Use memory cache (MEMORY:net) to verify the authentication</term>
+<listitem><literallayout>
+net ads kerberos kinit -P --use-krb5-ccache=MEMORY:net
+</literallayout></listitem>
+</varlistentry>
+</variablelist>
+ 
+ </refsect2>
+ 
+-- 
+2.52.0
+