From 7c24b2a788699e7f45f7dacfb94093dd19abc3a9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?=
Date: Tue, 27 Jan 2026 18:27:13 +0100
Subject: [PATCH] Fix 'net ads kerberos kinit -P' with option '--use-krb5-ccache' - resolves: RHEL-144590
---
 redhat-4.23.patch | 444 +++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 442 insertions(+), 2 deletions(-)
diff --git a/redhat-4.23.patch b/redhat-4.23.patch
index c21eb19..64ffd44 100644
--- a/redhat-4.23.patch
+++ b/redhat-4.23.patch
@@ -1,7 +1,7 @@
 From e8384b6daea3b8091ad1bcfce84efc9e2c6a746d Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?=
 Date: Thu, 22 Jan 2026 14:27:09 +0100
-Subject: [PATCH 1/2] s3:libads: Allocate cli_credentials on a stackframe
+Subject: [PATCH 1/7] s3:libads: Allocate cli_credentials on a stackframe
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -82,7 +82,7 @@ index 9d6d962a2bc..d01afa69697 100644
 From 7af95c7cb142aeb5f422a69d3b7a0ea3c0d2c2c2 Mon Sep 17 00:00:00 2001
 From: Samuel Cabrero
 Date: Mon, 26 Jan 2026 13:36:02 +0100
-Subject: [PATCH 2/2] s3:rpc_client: Fix memory leak opening local named pipe
+Subject: [PATCH 2/7] s3:rpc_client: Fix memory leak opening local named pipe
 If no local server name was passed to rpc_pipe_open_local_np() then
 get_myname() was called with NULL talloc context instead of the
@@ -121,3 +121,443 @@ index e3f48526492..c61b8eb16cf 100644
 --
 2.52.0
+
+From ab1287f78bd9d2397c8eb26fbedafa028e2aaa16 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?=
+Date: Tue, 2 Dec 2025 17:17:33 +0100
+Subject: [PATCH 3/7] s3-selftest: mention in-memory ccache usage when nothing
+ is provided
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
+
+Guenther
+
+Signed-off-by: Guenther Deschner
+Reviewed-by: Andreas Schneider
+---
+ source3/script/tests/test_net_ads_kerberos.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/source3/script/tests/test_net_ads_kerberos.sh b/source3/script/tests/test_net_ads_kerberos.sh
+index 8a3c9ef2bc7..92d3996d078 100755
+--- a/source3/script/tests/test_net_ads_kerberos.sh
++++ b/source3/script/tests/test_net_ads_kerberos.sh
+@@ -30,6 +30,7 @@ KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
+ ## Test "net ads kerberos kinit" variants
+ #################################################
+
++#simply uses in memory ccache
+ testit "net_ads_kerberos_kinit" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+ -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+ || failed=$((failed + 1))
+@@ -50,6 +51,7 @@ rm -f "$KRB5CCNAME_PATH"
+ # --use-krb5-ccache=${KRB5CCNAME} \
+ # || failed=$((failed + 1))
+
++#simply uses in memory ccache
+ testit "net_ads_kerberos_kinit (-P)" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+ -P "$ADDARGS" \
+--
+2.52.0
+
+
+From 0aa0d39e9a5deb77114f40930b599f11fd7cf3b6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?=
+Date: Tue, 2 Dec 2025 17:18:41 +0100
+Subject: [PATCH 4/7] s3-selftest: verify KRB5CCNAME presence after kinit using
+ klist
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
+
+Guenther
+
+Signed-off-by: Guenther Deschner
+Reviewed-by: Andreas Schneider
+---
+ source3/script/tests/test_net_ads_kerberos.sh | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/source3/script/tests/test_net_ads_kerberos.sh b/source3/script/tests/test_net_ads_kerberos.sh
+index 92d3996d078..c53520cf733 100755
+--- a/source3/script/tests/test_net_ads_kerberos.sh
++++ b/source3/script/tests/test_net_ads_kerberos.sh
+@@ -14,6 +14,12 @@ PREFIX="$4"
+ shift 4
+ ADDARGS="$*"
+
++if [ -x $(which klist) ]; then
++ KLIST=$(which klist);
++else
++ KLIST="test -e";
++fi
++
+ incdir=$(dirname "$0")/../../../testprogs/blackbox
+ . "$incdir"/subunit.sh
+
+@@ -41,6 +47,9 @@ testit "net_ads_kerberos_kinit (KRB5CCNAME env set)" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+ -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+ || failed=$((failed + 1))
++testit "klist env $KRB5CCNAME" \
++ "$KLIST" "$KRB5CCNAME" \
++ || failed=$((failed +1))
+ unset KRB5CCNAME
+ rm -f "$KRB5CCNAME_PATH"
+
+@@ -62,6 +71,9 @@ testit "net_ads_kerberos_kinit (-P and KRB5CCNAME env set)" \
+ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+ -P "$ADDARGS" \
+ || failed=$((failed + 1))
++testit "klist env $KRB5CCNAME" \
++ "$KLIST" "$KRB5CCNAME" \
++ || failed=$((failed +1))
+ unset KRB5CCNAME
+ rm -f "$KRB5CCNAME_PATH"
+
+--
+2.52.0
+
+
+From b9c07d59c6a20931b80fa104629477ab8f78b4ad Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?=
+Date: Tue, 2 Dec 2025 17:01:31 +0100
+Subject: [PATCH 5/7] s3-selftest: Activate "net ads kerberos kinit" tests with
+ --use-krb5-ccache
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
+
+Guenther
+
+Signed-off-by: Guenther Deschner
+Reviewed-by: Andreas Schneider
+---
+ selftest/knownfail | 2 ++
+ source3/script/tests/test_net_ads_kerberos.sh | 30 +++++++++++--------
+ 2 files changed, 20 insertions(+), 12 deletions(-)
+
+diff --git a/selftest/knownfail b/selftest/knownfail
+index ab2d79d7114..76f1dae605d 100644
+--- a/selftest/knownfail
++++ b/selftest/knownfail
+@@ -338,3 +338,5 @@
+
+ # We currently don't send referrals for LDAP modify of non-replicated attrs
+ ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
++
++^samba3.blackbox.net_ads_kerberos.*.klist.*--use-krb5-ccache.*
+diff --git a/source3/script/tests/test_net_ads_kerberos.sh b/source3/script/tests/test_net_ads_kerberos.sh
+index c53520cf733..b7933bab6a6 100755
+--- a/source3/script/tests/test_net_ads_kerberos.sh
++++ b/source3/script/tests/test_net_ads_kerberos.sh
+@@ -53,12 +53,15 @@ testit "klist env $KRB5CCNAME" \
+ unset KRB5CCNAME
+ rm -f "$KRB5CCNAME_PATH"
+
+-# --use-krb5-ccache is not working
+-#testit "net_ads_kerberos_kinit (with --use-krb5-ccache)" \
+-# $VALGRIND $BINDIR/net ads kerberos kinit \
+-# -U$USERNAME%$PASSWORD $ADDARGS \
+-# --use-krb5-ccache=${KRB5CCNAME} \
+-# || failed=$((failed + 1))
++testit "net_ads_kerberos_kinit (with --use-krb5-ccache)" \
++ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \
++ -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
++ --use-krb5-ccache="${KRB5CCNAME_PATH}" \
++ || failed=$((failed + 1))
++testit "klist --use-krb5-ccache $KRB5CCNAME_PATH" \
++ "$KLIST" "$KRB5CCNAME_PATH" \
++ || failed=$((failed +1))
++rm -f "$KRB5CCNAME_PATH"
+
+ #simply uses in memory ccache
+ testit "net_ads_kerberos_kinit (-P)" \
+@@ -77,12 +80,15 @@ testit "klist env $KRB5CCNAME" \
+ unset KRB5CCNAME
+ rm -f "$KRB5CCNAME_PATH"
+
+-# --use-krb5-ccache is not working
+-#testit "net_ads_kerberos_kinit (-P with --use-krb5-ccache)" \
+-# $VALGRIND $BINDIR/net ads kerberos kinit \
+-# -P $ADDARGS \
+-# --use-krb5-ccache=${KRB5CCNAME} \
+-# || failed=$((failed + 1))
++testit "net_ads_kerberos_kinit (-P with --use-krb5-ccache)" \
++ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \
++ -P "$ADDARGS" \
++ --use-krb5-ccache="${KRB5CCNAME_PATH}" \
++ || failed=$((failed + 1))
++testit "klist --use-krb5-ccache $KRB5CCNAME_PATH" \
++ "$KLIST" "$KRB5CCNAME_PATH" \
++ || failed=$((failed +1))
++rm -f "$KRB5CCNAME_PATH"
+
+
+ #################################################
+--
+2.52.0
+
+
+From c82b7636b633575621e8e5964a93332956c238ff Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?=
+Date: Tue, 2 Dec 2025 16:56:44 +0100
+Subject: [PATCH 6/7] s3-net: properly setup krb5 ccache name via
+ --use-krb5-ccache
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
+
+Guenther
+
+Signed-off-by: Guenther Deschner
+Reviewed-by: Andreas Schneider
+---
+ selftest/knownfail | 2 --
+ source3/utils/net.c | 19 ++++++++++++-------
+ source3/utils/net_ads.c | 4 ++++
+ 3 files changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/selftest/knownfail b/selftest/knownfail
+index 76f1dae605d..ab2d79d7114 100644
+--- a/selftest/knownfail
++++ b/selftest/knownfail
+@@ -338,5 +338,3 @@
+
+ # We currently don't send referrals for LDAP modify of non-replicated attrs
+ ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
+-
+-^samba3.blackbox.net_ads_kerberos.*.klist.*--use-krb5-ccache.*
+diff --git a/source3/utils/net.c b/source3/utils/net.c
+index ecabd980d0c..271c96cf804 100644
+--- a/source3/utils/net.c
++++ b/source3/utils/net.c
+@@ -1396,7 +1396,7 @@ static struct functable net_func[] = {
+ cli_credentials_get_principal_obtained(c->creds);
+ enum credentials_obtained password_obtained =
+ cli_credentials_get_password_obtained(c->creds);
+- char *krb5ccname = NULL;
++ const char *krb5ccname = NULL;
+
+ if (principal_obtained == CRED_SPECIFIED) {
+ c->explicit_credentials = true;
+@@ -1415,15 +1415,20 @@ static struct functable net_func[] = {
+ }
+
+ /* cli_credentials_get_ccache_name_obtained() would not work
+- * here, we also cannot get the content of --use-krb5-ccache= so
+- * for now at least honour the KRB5CCNAME environment variable
+- * to get 'net ads kerberos' functions to work at all - gd */
+-
+- krb5ccname = getenv("KRB5CCNAME");
+- if (krb5ccname == NULL) {
++ * here but we can now access the content of the
++ * --use-krb5-ccache option via cli credentials. Fallback to
++ * KRB5CCNAME environment variable to get 'net ads kerberos'
++ * functions to work at all - gd */
++
++ krb5ccname = cli_credentials_get_out_ccache_name(c->creds);
++ if (krb5ccname == NULL || krb5ccname[0] == '\0') {
++ krb5ccname = getenv("KRB5CCNAME");
++ }
++ if (krb5ccname == NULL || krb5ccname[0] == '\0') {
+ krb5ccname = talloc_strdup(c, "MEMORY:net");
+ }
+ if (krb5ccname == NULL) {
++ DBG_ERR("Not able to setup krb5 ccache");
+ exit(1);
+ }
+ c->opt_krb5_ccache = krb5ccname;
+diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
+index d49b7537e71..5c57a0b290e 100644
+--- a/source3/utils/net_ads.c
++++ b/source3/utils/net_ads.c
+@@ -3245,7 +3245,11 @@ static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **
+ if (ret) {
+ d_printf(_("failed to kinit password: %s\n"),
+ nt_errstr(status));
++ return ret;
+ }
++
++ d_printf("Stored Kerberos TGT in: %s\n", c->opt_krb5_ccache);
++
+ return ret;
+ }
+
+--
+2.52.0
+
+
+From 4f5ffea631d805564f7e92cc5f0f2f7ad55ba493 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?=
+Date: Sat, 13 Dec 2025 13:49:37 +0100
+Subject: [PATCH 7/7] doc-xml: Document "net ads kerberos" commands
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
+
+Guenther
+
+Signed-off-by: Guenther Deschner
+Reviewed-by: Andreas Schneider
+
+Autobuild-User(master): Günther Deschner
+Autobuild-Date(master): Mon Jan 5 15:49:04 UTC 2026 on atb-devel-224
+---
+ docs-xml/manpages/net.8.xml | 139 ++++++++++++++++++++++++++++++++++++
+ 1 file changed, 139 insertions(+)
+
+diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
+index d9293d0bb34..737415b3722 100644
+--- a/docs-xml/manpages/net.8.xml
++++ b/docs-xml/manpages/net.8.xml
+@@ -1810,7 +1810,146 @@ the following entry types;
+
+
+
++
++ ADS KERBEROS
++
++
++ Issue Kerberos operations against an Active Directory KDC.
++
++
++
++
++
++ ADS KERBEROS KINIT
++
++
++ Issue a kinit request for a given user. When no other options are
++ defined the ticket granting ticket (TGT) will be stored in a memory cache.
++
++
++
++ To store the TGT in a different location either use the
++ option or set the
++ KRB5CCNAME environment variable.
++
++
++Example: net ads kerberos kinit -P --krb5-ccache=/tmp/krb5cache
++
++
++
++
++ ADS KERBEROS RENEW
++
++
++ Renew an already acquired ticket granting ticket (TGT).
++
++
++Example: net ads kerberos renew
++
++
++
++
++ ADS KERBEROS PAC
++
++
++ Request a Kerberos PAC while authenticating to an Active Directory KDC.
++
++
++
++ The following commands are provided:
++
++
++
++net ads kerberos pac dump - Dump a PAC to stdout.
++net ads kerneros pac save - Save a PAC to a file.
++
++
++
++ All commands allow to define an impersonation principal to do a Kerberos
++ Service for User (S4U2SELF) operation via
++ the impersonate=STRING option.
++ The impersonation principal can have multiple different formats:
++
++
++
++
++ user@MY.REALM
++ This is the default format.
++
++
++ user@MY.REALM@MY.REALM
++ The Kerberos Service for User (S4U2SELF) also supports
++ Enterprise Principals.
++
++
++ user@UPN.SUFFIX@MY.REALM
++ Enterprise Principal using a defined upn suffix.
++
++
++ user@WORKGROUP@MY.REALM
++ Enterprise Principal with netbios domain name.
++ This format is currently not supported by Samba AD.
++
+
++
++ By default net will request a service ticket for the local service
++ of the joined machine. A different service can be defined via
++ local_service=STRING.
++
++
++
++
++ ADS KERBEROS PAC DUMP [impersonate=string] [local_service=string] [pac_buffer_type=int]
++
++
++ Request a Kerberos PAC while authenticating to an Active Directory KDC.
++ The PAC will be printed on stdout.
++
++
++
++ When no specific pac_buffer is selected, all buffers will be printed.
++ It is possible to select a specific one via
++ pac_buffer_type=INT from this list:
++
++
++1 PAC_TYPE_LOGON_INFO
++2 PAC_TYPE_CREDENTIAL_INFO
++6 PAC_TYPE_SRV_CHECKSUM
++7 PAC_TYPE_KDC_CHECKSUM
++10 PAC_TYPE_LOGON_NAME
++11 PAC_TYPE_CONSTRAINED_DELEGATION
++12 PAC_TYPE_UPN_DNS_INFO
++13 PAC_TYPE_CLIENT_CLAIMS_INFO
++14 PAC_TYPE_DEVICE_INFO
++15 PAC_TYPE_DEVICE_CLAIMS_INFO
++16 PAC_TYPE_TICKET_CHECKSUM
++17 PAC_TYPE_ATTRIBUTES_INFO
++18 PAC_TYPE_REQUESTER_SID
++19 PAC_TYPE_FULL_CHECKSUM
++
++
++Example: net ads kerberos pac dump -P impersonate=anyuser@MY.REALM.COM
++
++
++
++
++ ADS KERBEROS PAC SAVE [impersonate=string] [local_service=string] [filename=string]
++
++
++ Request a Kerberos PAC while authenticating to an Active Directory KDC.
++ The PAC will be saved in a file.
++
++
++
++ The filename to store the PAC can be set via the
++ filename=STRING option.
++
++Example: net ads kerberos pac save -U user%password filename=/tmp/pacstore
++
++
+
+ SAM CREATEBUILTINGROUP <NAME>
+
+--
+2.52.0
+
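Review bot: The klist guard that patch 4/7 adds to test_net_ads_kerberos.sh can never reach its fallback: when klist is absent the unquoted `$(which klist)` expands to nothing, leaving the one-argument `[ -x ]`, which is true, so KLIST is set to the empty string and the new `testit "klist env …"` checks run an empty command instead of `test -e`. A form such as `KLIST=$(command -v klist) || KLIST="test -e"` keeps the intended fallback and drops `which`; note that the fallback is handed `FILE:$KRB5CCNAME_PATH` (the hunk's context shows `KRB5CCNAME="FILE:$KRB5CCNAME_PATH"`), so `test -e` would only be meaningful with the `FILE:` prefix stripped, and how testit expands its arguments is outside this hunk. In patch 7/7 the kinit example uses `--krb5-ccache=/tmp/krb5cache` while the option the tests exercise and the series title names is `--use-krb5-ccache`, `net ads kerneros pac save` should read `kerberos`, and the examples point credential caches at fixed paths under /tmp, which readers tend to copy verbatim — a per-user location would be the safer illustration. In patch 6/7, `DBG_ERR("Not able to setup krb5 ccache");` carries no trailing newline, which Samba's debug macros appear to expect; the macro definition is not in the hunk, so confirm before changing it.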