From 03fc5c3d735db78fcfc78e9aab647ac7505a1600 Mon Sep 17 00:00:00 2001
From: Simo Sorce <ssorce@redhat.com>
Date: Thu, 1 Mar 2012 17:22:10 -0500
Subject: Fix ticket checks when using either s4u2proxy or a delegated krbtgt

When using s4u2proxy the only ticket we can access via direct krb5 calls is
the HTTP/ ticket which was saved in the ccache as evidence ticket.
This ticket is later used by GSSAPI as evidence to obtain an ldap ticket.

This works by chance, we shouldn't use calls to get_credentials just to
verify ticket expiration dates, but I realize this is a limitation of the
current krbV bindings and we have no other way around at the moment.

Checking the HTTP/ ticket will fail in case a krbtgt is fully delegated to
us. In that case the ccache will contain only a krbtgt, so as a fallback
we check that.

Checking the ldap/ ticket is never really useful. When s4u2proxy is used,
trying to check the ldap/ ticket will fail because we do not have it yet
on the first authentication before a session is estalished, and doing it
later is not useful.

When we have a krbtgt we could go and grap a ldap/ ticket directy, but
again that makes little sense. In general all tickets will have the same
expiration date (which deopends on the original krbtgt) so checking one
is sufficient.

Fixes: http://fedorahosted.org/freeipa/ticket/2472
---
 ipalib/krb_utils.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'ipalib/krb_utils.py')

diff --git a/ipalib/krb_utils.py b/ipalib/krb_utils.py
index a8f7751dd..b0010e9e5 100644
--- a/ipalib/krb_utils.py
+++ b/ipalib/krb_utils.py
@@ -343,7 +343,7 @@ class KRB5_CCache(object):
         '''
 
         try:
-            principal = krb5_format_service_principal_name('ldap', host, realm)
+            principal = krb5_format_service_principal_name('HTTP', host, realm)
             valid = self.credential_is_valid(principal)
             if valid:
                 return True
@@ -372,7 +372,7 @@ class KRB5_CCache(object):
 
         result = 0
         try:
-            principal = krb5_format_service_principal_name('ldap', host, realm)
+            principal = krb5_format_service_principal_name('HTTP', host, realm)
             authtime, starttime, endtime, renew_till = self.get_credential_times(principal)
             if result:
                 result = min(result, endtime)
-- 
cgit