krb5: handle GSS-Proxy credentials lifetime

GSS-Proxy stores its credential in encrypted form in the Kerberos ccache with a start and end time of 0 and a server principal in the realm named 'X-GSSPROXY:'. This credential is accessed through the GSS-Proxy interposer mechanism in MIT Kerberos and cannot be analysed with the raw krb5 API.

As MIT Kerberos has no krb5_cc_get_lifetime() implementation, add a check for the GSS-Proxy credential to the smb_krb5_cc_get_lifetime() wrapper to return KRB5_PLUGIN_NO_HANDLE. The two places where smb_krb5_cc_get_lifetime() is used then handle this return code to avoid deciding on the 'expired' lifetime to cause a kinit.

This fixes the FreeIPA use case where an IPA API endpoint uses Samba Python bindings with a GSS-Proxy-controlled credential cache.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15902

Checklist

  • Commits have Signed-off-by: with name/author being identical to the commit author
  • (optional) This MR is just one part towards a larger feature.
  • (optional, if backport required) Bugzilla bug filed and BUG: tag added
  • Test suite updated with functionality tests
  • Test suite updated with negative tests
  • Documentation updated
  • CI timeout is 3h or higher (see Settings/CICD/General pipelines/ Timeout)

Reviewer's checklist:

  • There is a test suite reasonably covering new functionality or modifications
  • Function naming, parameters, return values, types, etc., are consistent and according to README.Coding.md
  • This feature/change has adequate documentation added
  • No obvious mistakes in the code
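
The control flow described in this merge request, as an added sketch that is not Samba's code and is not taken from the patch. It uses stand-in types instead of the krb5 API; `struct cred`, `cc_get_lifetime()`, `needs_kinit()`, `CC_NO_HANDLE` (modelling KRB5_PLUGIN_NO_HANDLE) and the sample caches are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Stand-in types and codes, constructed for this sketch (not the krb5 API). */
enum { CC_OK = 0, CC_NO_HANDLE = 1 };  /* CC_NO_HANDLE models KRB5_PLUGIN_NO_HANDLE */
#define GSSPROXY_REALM "X-GSSPROXY:"

struct cred {
    const char *server_realm;  /* realm of the server principal */
    time_t starttime, endtime;
};

/* Models the wrapper: report the remaining lifetime, or CC_NO_HANDLE when the
 * cache holds a GSS-Proxy credential whose times cannot be interpreted. */
static int cc_get_lifetime(const struct cred *creds, size_t n, time_t now, time_t *life)
{
    time_t best = 0;
    *life = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(creds[i].server_realm, GSSPROXY_REALM) == 0)
            return CC_NO_HANDLE;          /* encrypted blob, start/end time are 0 */
        if (creds[i].endtime > now && creds[i].endtime - now > best)
            best = creds[i].endtime - now;
    }
    *life = best;
    return CC_OK;
}

/* Models a caller: returns 1 when it would run a kinit, 0 when it keeps the cache. */
static int needs_kinit(const struct cred *creds, size_t n, time_t now, time_t min_life)
{
    time_t life;
    if (cc_get_lifetime(creds, n, now, &life) == CC_NO_HANDLE)
        return 0;                         /* lifetime is managed by GSS-Proxy */
    return life < min_life;               /* without the check above, endtime 0 lands here */
}

int main(void)
{
    const time_t now = 1700000000;        /* constructed clock value and sample caches */
    const struct cred proxy[]   = { { "X-GSSPROXY:", 0, 0 } };
    const struct cred expired[] = { { "EXAMPLE.TEST", now - 7200, now - 3600 } };
    const struct cred valid[]   = { { "EXAMPLE.TEST", now - 60, now + 36000 } };
    printf("kinit? proxy=%d expired=%d valid=%d\n", needs_kinit(proxy, 1, now, 300),
           needs_kinit(expired, 1, now, 300), needs_kinit(valid, 1, now, 300));
    return 0;
}
```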
