From 2093007d4d2b3183b65a07d421954b3e8a12e93b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Tue, 20 Nov 2012 15:18:50 +0200
Subject: ipasam: better Kerberos error handling in ipasam

If time is moved back on the IPA server, ipasam does not invalidate the existing ticket.

https://fedorahosted.org/freeipa/ticket/3183
---
 daemons/ipa-sam/ipa_sam.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

(limited to 'daemons/ipa-sam')

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index b1592b71f..3c4c97cd1 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -3809,9 +3809,9 @@ static int bind_callback(LDAP *ldap_struct, struct smbldap_state *ldap_state, vo
 				ldap_sasl_interact, &data);
 	/* By now we have 'ret' for LDAP result and 'rc' for Kerberos result
-	 * if ret is LDAP_INVALID_CREDENTIALS, LDAP server rejected our ccache. There may be several issues:
+	 * if LDAP_API_ERROR(ret) is true, LDAP server rejected our ccache. There may be several issues:
 	 *
-	 * 1. Credentials are invalid due to outdated ccache leftover from previous install
+	 * 1. Credentials are invalid due to outdated ccache leftover from previous install or ticket is from future
 	 * Wipe out old ccache and start again
 	 *
 	 * 2. Key in the keytab is not enough to obtain ticket for cifs/FQDN@REALM service
@@ -3825,7 +3825,9 @@ static int bind_callback(LDAP *ldap_struct, struct smbldap_state *ldap_state, vo
 	 * a new ccache file by the above call of bind_callback_obtain_creds(). This is expected and correct behavior.
 	 *
 	 */
-	if ((ret == LDAP_INVALID_CREDENTIALS) && (rc == 0)) {
+
+	if (LDAP_API_ERROR(ret) &&
+	    ((rc == 0) || (rc == KRB5KRB_AP_ERR_TKT_NYV) || (rc == KRB5KRB_AP_ERR_TKT_EXPIRED))) {
 		bind_callback_cleanup_creds(&data);
 		rc = bind_callback_obtain_creds(&data);
 		if (rc) {
-- 
cgit
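Review bot: The new condition in the second hunk silently drops the LDAP_INVALID_CREDENTIALS case from the cleanup-and-retry path: in OpenLDAP's ldap.h `LDAP_API_ERROR(n)` expands to `((n) < 0)`, which matches only client-side library errors, while LDAP_INVALID_CREDENTIALS is the positive protocol result code 0x31, so a ccache that the server rejects no longer reaches bind_callback_cleanup_creds()/bind_callback_obtain_creds(). If both the local GSSAPI failure (ticket expired or not yet valid) and the server-side rejection are meant to be handled, the test should be `if ((LDAP_API_ERROR(ret) || ret == LDAP_INVALID_CREDENTIALS) &&` with the rc disjunction unchanged on the following line. The reworded comment in the first hunk inherits the same inaccuracy, since an API error means the SASL/GSSAPI step failed locally rather than that the server rejected anything; `* if LDAP_API_ERROR(ret) is true the local SASL/GSSAPI step failed (e.g. ticket expired or not yet valid); if ret is LDAP_INVALID_CREDENTIALS the LDAP server rejected our ccache.` would describe what the code checks. bind_callback begins and ends outside both hunks, so the value of rc at the point of the new check is inferred from the comment rather than visible here.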