s3-net: fix "net ads kerberos" krb5ccname handling

We can only rely on KRB5CCNAME being set, --use-krb5-ccname content is
not available.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Jul 24 17:31:14 UTC 2025 on atb-devel-224

Author: gd

selftest/knownfail

@@ -338,7 +338,3 @@
 
 # We currently don't send referrals for LDAP modify of non-replicated attrs
 ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
-
-# net ads kerberos
-samba3.blackbox.net_ads_kerberos.*net_ads_kerberos_kinit.*
-samba3.blackbox.net_ads_kerberos.*net_ads_kerberos_renew.*

source3/utils/net.c

@@ -1394,6 +1394,7 @@ static struct functable net_func[] = {
 			cli_credentials_get_principal_obtained(c->creds);
 		enum credentials_obtained password_obtained =
 			cli_credentials_get_password_obtained(c->creds);
+		char *krb5ccname = NULL;
 
 		if (principal_obtained == CRED_SPECIFIED) {
 			c->explicit_credentials = true;
@@ -1410,6 +1411,20 @@ static struct functable net_func[] = {
 				GENSEC_FEATURE_NTLM_CCACHE,
 				CRED_SPECIFIED);
 		}
+
+		/* cli_credentials_get_ccache_name_obtained() would not work
+		 * here, we also cannot get the content of --use-krb5-ccache= so
+		 * for now at least honour the KRB5CCNAME environment variable
+		 * to get 'net ads kerberos' functions to work at all - gd */
+
+		krb5ccname = getenv("KRB5CCNAME");
+		if (krb5ccname == NULL) {
+			krb5ccname = talloc_strdup(c, "MEMORY:net");
+		}
+		if (krb5ccname == NULL) {
+			exit(1);
+		}
+		c->opt_krb5_ccache = krb5ccname;
 	}
 
 	c->msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE());

source3/utils/net.h

@@ -97,6 +97,7 @@ struct net_context {
 	const char *opt_witness_new_ip;
 	int opt_witness_new_node;
 	const char *opt_witness_forced_response;
+	const char *opt_krb5_ccache;
 
 	int opt_have_ip;
 	struct sockaddr_storage opt_dest_ip;

source3/utils/net_ads.c

@@ -2998,7 +2998,7 @@ static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **
 		return -1;
 	}
 
-	ret = smb_krb5_renew_ticket(NULL, NULL, NULL, NULL);
+	ret = smb_krb5_renew_ticket(c->opt_krb5_ccache, NULL, NULL, NULL);
 	if (ret) {
 		d_printf(_("failed to renew kerberos ticket: %s\n"),
 			error_message(ret));
@@ -3053,7 +3053,7 @@ static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const ch
 				     0,
 				     NULL,
 				     NULL,
-				     NULL,
+				     c->opt_krb5_ccache,
 				     true,
 				     true,
 				     2592000, /* one month */
@@ -3234,7 +3234,7 @@ static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **
 					  0,
 					  NULL,
 					  NULL,
-					  NULL,
+					  c->opt_krb5_ccache,
 					  true,
 					  true,
 					  2592000, /* one month */