From e8384b6daea3b8091ad1bcfce84efc9e2c6a746d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Thu, 22 Jan 2026 14:27:09 +0100 Subject: [PATCH 1/7] s3:libads: Allocate cli_credentials on a stackframe MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fixes: ERROR: talloc_free with references at ../../source3/libads/ldap_utils.c:158 What happens: * `struct cli_credentials *creds` is allocated on `ads` talloc context * gensec_set_credentials() creates a talloc_reference to `creds` * TALLOC_FREE(creds) sees two parents and complains All other code is using temporary talloc_stackframe() for `creds`. Do it here as well. Signed-off-by: Pavel Filipenský Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Jan 23 11:20:28 UTC 2026 on atb-devel-224 --- source3/libads/ldap_utils.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/source3/libads/ldap_utils.c b/source3/libads/ldap_utils.c index 9d6d962a2bc..d01afa69697 100644 --- a/source3/libads/ldap_utils.c +++ b/source3/libads/ldap_utils.c @@ -99,6 +99,7 @@ static ADS_STATUS ads_do_search_retry_internal(ADS_STRUCT *ads, const char *bind struct cli_credentials *creds = NULL; char *cred_name = NULL; NTSTATUS ntstatus; + TALLOC_CTX *frame = talloc_stackframe(); if (NT_STATUS_EQUAL(ads_ntstatus(status), NT_STATUS_IO_TIMEOUT) && ads->config.ldap_page_size >= (lp_ldap_page_size() / 4) && 
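Review bot: The `TALLOC_CTX *frame = talloc_stackframe();` is pushed at the top of ads_do_search_retry_internal(), above the `if (NT_STATUS_EQUAL(ads_ntstatus(status), NT_STATUS_IO_TIMEOUT) && ...)` block whose body lies between this hunk and the next, so any return inside that block would leave the frame unpopped (talloc_stackframe() nesting is checked, so an unbalanced frame surfaces later as a warning or abort). If that block does not return, consider pushing the frame just before the `ads->auth.reconnect_state->fn(...)` call, since only `creds` needs it and the earlier `DBG_NOTICE` failure path would then not need its own `TALLOC_FREE(frame)`. The function body continues past the end of this hunk, so this cannot be confirmed from here.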
@@ -119,18 +120,20 @@ static ADS_STATUS ads_do_search_retry_internal(ADS_STRUCT *ads, const char *bind DBG_NOTICE("Search for %s in <%s> failed: %s\n", expr, bp, ads_errstr(status)); SAFE_FREE(bp); + TALLOC_FREE(frame); return status; } ntstatus = ads->auth.reconnect_state->fn(ads, ads->auth.reconnect_state->private_data, - ads, &creds); + frame, &creds); if (!NT_STATUS_IS_OK(ntstatus)) { DBG_WARNING("Failed to get creds for realm(%s): %s\n", ads->server.realm, nt_errstr(ntstatus)); DBG_WARNING("Search for %s in <%s> failed: %s\n", expr, bp, ads_errstr(status)); SAFE_FREE(bp); + TALLOC_FREE(frame); return status; } @@ -151,11 +154,11 @@ static ADS_STATUS ads_do_search_retry_internal(ADS_STRUCT *ads, const char *bind * callers depend on it being around. */ ads_disconnect(ads); - TALLOC_FREE(creds); + TALLOC_FREE(frame); SAFE_FREE(bp); return status; } - TALLOC_FREE(creds); + TALLOC_FREE(frame); *res = NULL; -- 2.52.0 From 7af95c7cb142aeb5f422a69d3b7a0ea3c0d2c2c2 Mon Sep 17 00:00:00 2001 From: Samuel Cabrero Date: Mon, 26 Jan 2026 13:36:02 +0100 Subject: [PATCH 2/7] s3:rpc_client: Fix memory leak opening local named pipe If no local server name was passed to rpc_pipe_open_local_np() then get_myname() was called with NULL talloc context instead of the current stackframe. This was causing an increase of memory usage on busy servers with long-living rpcd_* workers. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15979 Signed-off-by: Samuel Cabrero Reviewed-by: Noel Power Reviewed-by: Volker Lendecke Autobuild-User(master): Volker Lendecke Autobuild-Date(master): Tue Jan 27 10:13:40 UTC 2026 on atb-devel-224 (cherry picked from commit 24dc455362fb49ef81c99d95880e106a234ce29a) --- source3/rpc_client/cli_pipe.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index e3f48526492..c61b8eb16cf 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c 
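Review bot: In the third hunk the replacement `TALLOC_FREE(frame);` leaves the locals `creds` and `cred_name` holding their old values, whereas the removed `TALLOC_FREE(creds)` also reset `creds` to NULL; if `cred_name` is allocated under `creds` (its allocation is outside the hunk), any later log line that prints it reads freed memory. A cheap safeguard is `creds = NULL; cred_name = NULL;` next to the free on both paths. The remainder of ads_do_search_retry_internal() lies outside the hunk, so whether anything reads them afterwards cannot be confirmed from here.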
@@ -3625,7 +3625,7 @@ NTSTATUS rpc_pipe_open_local_np( } if (local_server_name == NULL) { - local_server_name = get_myname(result); + local_server_name = get_myname(frame); } if (local_server_addr != NULL) { -- 2.52.0 From ab1287f78bd9d2397c8eb26fbedafa028e2aaa16 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Tue, 2 Dec 2025 17:17:33 +0100 Subject: [PATCH 3/7] s3-selftest: mention in-memory ccache usage when nothing is provided BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840 Guenther Signed-off-by: Guenther Deschner Reviewed-by: Andreas Schneider --- source3/script/tests/test_net_ads_kerberos.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/source3/script/tests/test_net_ads_kerberos.sh b/source3/script/tests/test_net_ads_kerberos.sh index 8a3c9ef2bc7..92d3996d078 100755 --- a/source3/script/tests/test_net_ads_kerberos.sh +++ b/source3/script/tests/test_net_ads_kerberos.sh @@ -30,6 +30,7 @@ KRB5CCNAME="FILE:$KRB5CCNAME_PATH" ## Test "net ads kerberos kinit" variants ################################################# +#simply uses in memory ccache testit "net_ads_kerberos_kinit" \ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \ -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \ @@ -50,6 +51,7 @@ rm -f "$KRB5CCNAME_PATH" # --use-krb5-ccache=${KRB5CCNAME} \ # || failed=$((failed + 1)) +#simply uses in memory ccache testit "net_ads_kerberos_kinit (-P)" \ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \ -P "$ADDARGS" \ -- 2.52.0 From 0aa0d39e9a5deb77114f40930b599f11fd7cf3b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Tue, 2 Dec 2025 17:18:41 +0100 Subject: [PATCH 4/7] s3-selftest: verify KRB5CCNAME presence after kinit using klist BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840 Guenther Signed-off-by: Guenther Deschner Reviewed-by: Andreas Schneider --- source3/script/tests/test_net_ads_kerberos.sh | 12 ++++++++++++ 1 file changed, 12 insertions(+) 
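Review bot: The new `local_server_name = get_myname(frame);` still has no NULL check in the visible lines, although get_myname() can fail on allocation, and the commit message indicates `result` is still NULL at this point, so the value presumably is only consumed before `TALLOC_FREE(frame)` — if it is instead stored into `result` as-is, it dangles once the frame is popped, which the hunk cannot show. Suggest `if (local_server_name == NULL) { /* NT_STATUS_NO_MEMORY via the function's error exit */ }` using whatever label the function already uses. rpc_pipe_open_local_np() starts and ends outside the hunk.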
diff --git a/source3/script/tests/test_net_ads_kerberos.sh b/source3/script/tests/test_net_ads_kerberos.sh index 92d3996d078..c53520cf733 100755 --- a/source3/script/tests/test_net_ads_kerberos.sh +++ b/source3/script/tests/test_net_ads_kerberos.sh @@ -14,6 +14,12 @@ PREFIX="$4" shift 4 ADDARGS="$*" +if [ -x $(which klist) ]; then + KLIST=$(which klist); +else + KLIST="test -e"; +fi + incdir=$(dirname "$0")/../../../testprogs/blackbox . "$incdir"/subunit.sh @@ -41,6 +47,9 @@ testit "net_ads_kerberos_kinit (KRB5CCNAME env set)" \ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \ -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \ || failed=$((failed + 1)) +testit "klist env $KRB5CCNAME" \ + "$KLIST" "$KRB5CCNAME" \ + || failed=$((failed +1)) unset KRB5CCNAME rm -f "$KRB5CCNAME_PATH" @@ -62,6 +71,9 @@ testit "net_ads_kerberos_kinit (-P and KRB5CCNAME env set)" \ "$VALGRIND" "$BINDIR"/net ads kerberos kinit \ -P "$ADDARGS" \ || failed=$((failed + 1)) +testit "klist env $KRB5CCNAME" \ + "$KLIST" "$KRB5CCNAME" \ + || failed=$((failed +1)) unset KRB5CCNAME rm -f "$KRB5CCNAME_PATH" -- 2.52.0 From b9c07d59c6a20931b80fa104629477ab8f78b4ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Tue, 2 Dec 2025 17:01:31 +0100 Subject: [PATCH 5/7] s3-selftest: Activate "net ads kerberos kinit" tests with --use-krb5-ccache BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840 Guenther Signed-off-by: Guenther Deschner Reviewed-by: Andreas Schneider --- selftest/knownfail | 2 ++ source3/script/tests/test_net_ads_kerberos.sh | 30 +++++++++++-------- 2 files changed, 20 insertions(+), 12 deletions(-) diff --git a/selftest/knownfail b/selftest/knownfail index ab2d79d7114..76f1dae605d 100644 --- a/selftest/knownfail +++ b/selftest/knownfail @@ -338,3 +338,5 @@ # We currently don't send referrals for LDAP modify of non-replicated attrs ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.* + +^samba3.blackbox.net_ads_kerberos.*.klist.*--use-krb5-ccache.* 
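Review bot: The klist probe in the first hunk misbehaves in both branches: with no klist on PATH, `$(which klist)` expands to nothing and `[ -x ]` is a one-argument test that is true, so `KLIST` becomes the empty string and the `testit "klist env …"` calls later in the diff run an empty command; and if the fallback were taken, `"$KLIST" "$KRB5CCNAME"` invokes a single word `test -e` rather than `test` with `-e`, and is handed `FILE:/path`, which `test -e` does not understand. A small wrapper that strips the type prefix fixes both (testit appears to run its arguments in the current shell, so a function works as the command). Note MIT klist takes the cache as a positional argument while Heimdal expects `-c`, so use the spelling for the klist the selftest actually ships.
```shell
klist_ccache() {
	if command -v klist >/dev/null 2>&1; then
		klist "$1"
	else
		test -e "${1#FILE:}"
	fi
}
# … unchanged: incdir/subunit.sh setup, kinit tests …
testit "klist env $KRB5CCNAME" \
	klist_ccache "$KRB5CCNAME" \
	|| failed=$((failed + 1))
```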
diff --git a/source3/script/tests/test_net_ads_kerberos.sh b/source3/script/tests/test_net_ads_kerberos.sh index c53520cf733..b7933bab6a6 100755 --- a/source3/script/tests/test_net_ads_kerberos.sh +++ b/source3/script/tests/test_net_ads_kerberos.sh @@ -53,12 +53,15 @@ testit "klist env $KRB5CCNAME" \ unset KRB5CCNAME rm -f "$KRB5CCNAME_PATH" -# --use-krb5-ccache is not working -#testit "net_ads_kerberos_kinit (with --use-krb5-ccache)" \ -# $VALGRIND $BINDIR/net ads kerberos kinit \ -# -U$USERNAME%$PASSWORD $ADDARGS \ -# --use-krb5-ccache=${KRB5CCNAME} \ -# || failed=$((failed + 1)) +testit "net_ads_kerberos_kinit (with --use-krb5-ccache)" \ + "$VALGRIND" "$BINDIR"/net ads kerberos kinit \ + -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \ + --use-krb5-ccache="${KRB5CCNAME_PATH}" \ + || failed=$((failed + 1)) +testit "klist --use-krb5-ccache $KRB5CCNAME_PATH" \ + "$KLIST" "$KRB5CCNAME_PATH" \ + || failed=$((failed +1)) +rm -f "$KRB5CCNAME_PATH" #simply uses in memory ccache testit "net_ads_kerberos_kinit (-P)" \ @@ -77,12 +80,15 @@ testit "klist env $KRB5CCNAME" \ unset KRB5CCNAME rm -f "$KRB5CCNAME_PATH" -# --use-krb5-ccache is not working -#testit "net_ads_kerberos_kinit (-P with --use-krb5-ccache)" \ -# $VALGRIND $BINDIR/net ads kerberos kinit \ -# -P $ADDARGS \ -# --use-krb5-ccache=${KRB5CCNAME} \ -# || failed=$((failed + 1)) +testit "net_ads_kerberos_kinit (-P with --use-krb5-ccache)" \ + "$VALGRIND" "$BINDIR"/net ads kerberos kinit \ + -P "$ADDARGS" \ + --use-krb5-ccache="${KRB5CCNAME_PATH}" \ + || failed=$((failed + 1)) +testit "klist --use-krb5-ccache $KRB5CCNAME_PATH" \ + "$KLIST" "$KRB5CCNAME_PATH" \ + || failed=$((failed +1)) +rm -f "$KRB5CCNAME_PATH" ################################################# -- 2.52.0 From c82b7636b633575621e8e5964a93332956c238ff Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Tue, 2 Dec 2025 16:56:44 +0100 Subject: [PATCH 6/7] s3-net: properly setup krb5 ccache name via --use-krb5-ccache BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840 Guenther Signed-off-by: Guenther Deschner Reviewed-by: Andreas Schneider --- selftest/knownfail | 2 -- source3/utils/net.c | 19 ++++++++++++------- source3/utils/net_ads.c | 4 ++++ 3 files changed, 16 insertions(+), 9 deletions(-) diff --git a/selftest/knownfail b/selftest/knownfail index 76f1dae605d..ab2d79d7114 100644 --- a/selftest/knownfail +++ b/selftest/knownfail @@ -338,5 +338,3 @@ # We currently don't send referrals for LDAP modify of non-replicated attrs ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.* - -^samba3.blackbox.net_ads_kerberos.*.klist.*--use-krb5-ccache.* diff --git a/source3/utils/net.c b/source3/utils/net.c index ecabd980d0c..271c96cf804 100644 --- a/source3/utils/net.c +++ b/source3/utils/net.c @@ -1396,7 +1396,7 @@ static struct functable net_func[] = { cli_credentials_get_principal_obtained(c->creds); enum credentials_obtained password_obtained = cli_credentials_get_password_obtained(c->creds); - char *krb5ccname = NULL; + const char *krb5ccname = NULL; if (principal_obtained == CRED_SPECIFIED) { c->explicit_credentials = true; 
@@ -1415,15 +1415,20 @@ static struct functable net_func[] = { } /* cli_credentials_get_ccache_name_obtained() would not work - * here, we also cannot get the content of --use-krb5-ccache= so - * for now at least honour the KRB5CCNAME environment variable - * to get 'net ads kerberos' functions to work at all - gd */ - - krb5ccname = getenv("KRB5CCNAME"); - if (krb5ccname == NULL) { + * here but we can now access the content of the + * --use-krb5-ccache option via cli credentials. Fallback to + * KRB5CCNAME environment variable to get 'net ads kerberos' + * functions to work at all - gd */ + + krb5ccname = cli_credentials_get_out_ccache_name(c->creds); + if (krb5ccname == NULL || krb5ccname[0] == '\0') { + krb5ccname = getenv("KRB5CCNAME"); + } + if (krb5ccname == NULL || krb5ccname[0] == '\0') { krb5ccname = talloc_strdup(c, "MEMORY:net"); } if (krb5ccname == NULL) { + DBG_ERR("Not able to setup krb5 ccache"); exit(1); } c->opt_krb5_ccache = krb5ccname; diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c index d49b7537e71..5c57a0b290e 100644 --- a/source3/utils/net_ads.c +++ b/source3/utils/net_ads.c @@ -3245,7 +3245,11 @@ static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char ** if (ret) { d_printf(_("failed to kinit password: %s\n"), nt_errstr(status)); + return ret; } + + d_printf("Stored Kerberos TGT in: %s\n", c->opt_krb5_ccache); + return ret; } -- 2.52.0 From 4f5ffea631d805564f7e92cc5f0f2f7ad55ba493 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Sat, 13 Dec 2025 13:49:37 +0100 Subject: [PATCH 7/7] doc-xml: Document "net ads kerberos" commands MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840 Guenther 
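Review bot: `DBG_ERR("Not able to setup krb5 ccache");` lacks the trailing newline Samba's debug macros expect, so the message runs into the next log line; use `DBG_ERR("Not able to setup krb5 ccache\n");`. Also, the value stored in `c->opt_krb5_ccache` is now borrowed in two of the three branches (from `c->creds` and from the environment) and owned only in the `talloc_strdup(c, "MEMORY:net")` branch; that is fine as long as `c->creds` lives at least as long as `c`, which seems to be the case here but is worth a one-line comment above the assignment, e.g. `/* borrowed from c->creds or the environment; both outlive c */`. The enclosing function starts before this hunk.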
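Review bot: The added `d_printf("Stored Kerberos TGT in: %s\n", c->opt_krb5_ccache);` in the net_ads.c hunk is not wrapped in `_()` like the adjacent `failed to kinit password` message, and with the default `MEMORY:net` cache it reports a location that ceases to exist when net exits, which will mislead users who then run klist. Suggest `d_printf(_("Stored Kerberos TGT in: %s\n"), c->opt_krb5_ccache);` and rewording or skipping the line when the name starts with `MEMORY:`. net_ads_kerberos_kinit() starts outside the hunk.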
Signed-off-by: Guenther Deschner Reviewed-by: Andreas Schneider Autobuild-User(master): Günther Deschner Autobuild-Date(master): Mon Jan 5 15:49:04 UTC 2026 on atb-devel-224 --- docs-xml/manpages/net.8.xml | 139 ++++++++++++++++++++++++++++++++++++ 1 file changed, 139 insertions(+) diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml index d9293d0bb34..737415b3722 100644 --- a/docs-xml/manpages/net.8.xml +++ b/docs-xml/manpages/net.8.xml 
@@ -1810,7 +1810,146 @@ the following entry types; + + ADS KERBEROS + + + Issue Kerberos operations against an Active Directory KDC. + + + + + + ADS KERBEROS KINIT + + + Issue a kinit request for a given user. When no other options are + defined the ticket granting ticket (TGT) will be stored in a memory cache. + + + + To store the TGT in a different location either use the + option or set the + KRB5CCNAME environment variable. + + +Example: net ads kerberos kinit -P --krb5-ccache=/tmp/krb5cache + + + + + ADS KERBEROS RENEW + + + Renew an already acquired ticket granting ticket (TGT). + + +Example: net ads kerberos renew + + + + + ADS KERBEROS PAC + + + Request a Kerberos PAC while authenticating to an Active Directory KDC. + + + + The following commands are provided: + + + +net ads kerberos pac dump - Dump a PAC to stdout. +net ads kerneros pac save - Save a PAC to a file. + + + + All commands allow to define an impersonation principal to do a Kerberos + Service for User (S4U2SELF) operation via + the impersonate=STRING option. + The impersonation principal can have multiple different formats: + + + + + user@MY.REALM + This is the default format. + + + user@MY.REALM@MY.REALM + The Kerberos Service for User (S4U2SELF) also supports + Enterprise Principals. + + + user@UPN.SUFFIX@MY.REALM + Enterprise Principal using a defined upn suffix. + + + user@WORKGROUP@MY.REALM + Enterprise Principal with netbios domain name. + This format is currently not supported by Samba AD. + + + + By default net will request a service ticket for the local service + of the joined machine. A different service can be defined via + local_service=STRING. + + + + + ADS KERBEROS PAC DUMP [impersonate=string] [local_service=string] [pac_buffer_type=int] + + + Request a Kerberos PAC while authenticating to an Active Directory KDC. + The PAC will be printed on stdout. + + + + When no specific pac_buffer is selected, all buffers will be printed. 
+ It is possible to select a specific one via + pac_buffer_type=INT from this list: + + + +1 PAC_TYPE_LOGON_INFO +2 PAC_TYPE_CREDENTIAL_INFO +6 PAC_TYPE_SRV_CHECKSUM +7 PAC_TYPE_KDC_CHECKSUM +10 PAC_TYPE_LOGON_NAME +11 PAC_TYPE_CONSTRAINED_DELEGATION +12 PAC_TYPE_UPN_DNS_INFO +13 PAC_TYPE_CLIENT_CLAIMS_INFO +14 PAC_TYPE_DEVICE_INFO +15 PAC_TYPE_DEVICE_CLAIMS_INFO +16 PAC_TYPE_TICKET_CHECKSUM +17 PAC_TYPE_ATTRIBUTES_INFO +18 PAC_TYPE_REQUESTER_SID +19 PAC_TYPE_FULL_CHECKSUM + + +Example: net ads kerberos pac dump -P impersonate=anyuser@MY.REALM.COM + + + + + ADS KERBEROS PAC SAVE [impersonate=string] [local_service=string] [filename=string] + + + Request a Kerberos PAC while authenticating to an Active Directory KDC. + The PAC will be saved in a file. + + + + The filename to store the PAC can be set via the + filename=STRING option. + + +Example: net ads kerberos pac save -U user%password filename=/tmp/pacstore + + SAM CREATEBUILTINGROUP <NAME> -- 2.52.0