authorLukas Slebodnik <lslebodn@redhat.com>2013-05-29 09:57:38 +0200
committerJakub Hrozek <jhrozek@redhat.com>2014-12-02 21:08:27 +0100
commitda1ee87ceffea21a4c6fa9b7f561144681f7968e (patch)
tree27d0748ff286b7e3117b745d090dfa189c824643
parentcd1e5f2ce4f9f19dfa6ca5a1e8980b11c8372e0b (diff)
Every time return directory for krb5 cache collection.
Function krb5_cc_get_full_name is called only as a way to validate that we have the right cache. Instead of the returned name, the location will be returned from function cc_dir_cache_for_princ. https://fedorahosted.org/sssd/ticket/1936 Reviewed-by: Pavel Reichl <preichl@redhat.com>
-rw-r--r--src/providers/krb5/krb5_child.c65
-rw-r--r--src/providers/krb5/krb5_utils.c5
2 files changed, 65 insertions, 5 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index e4dc49327..3beaa07ca 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -949,14 +949,60 @@ done:
}
+static char * get_ccache_name_by_principal(TALLOC_CTX *mem_ctx,
+ krb5_context ctx,
+ krb5_principal principal,
+ const char *ccname)
+{
+ krb5_error_code kerr;
+ krb5_ccache tmp_cc = NULL;
+ char *tmp_ccname = NULL;
+ char *ret_ccname = NULL;
+
+ kerr = krb5_cc_set_default_name(ctx, ccname);
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_MINOR_FAILURE, kerr);
+ return NULL;
+ }
+
+ kerr = krb5_cc_cache_match(ctx, principal, &tmp_cc);
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_TRACE_INTERNAL, kerr);
+ return NULL;
+ }
+
+ kerr = krb5_cc_get_full_name(ctx, tmp_cc, &tmp_ccname);
+ if (kerr !=0) {
+ KRB5_CHILD_DEBUG(SSSDBG_MINOR_FAILURE, kerr);
+ goto done;
+ }
+
+ ret_ccname = talloc_strdup(mem_ctx, tmp_ccname);
+ if (ret_ccname == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("talloc_strdup failed (ENOMEM).\n"));
+ }
+
+done:
+ if (tmp_cc != NULL) {
+ kerr = krb5_cc_close(ctx, tmp_cc);
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_MINOR_FAILURE, kerr);
+ }
+ }
+ krb5_free_string(ctx, tmp_ccname);
+
+ return ret_ccname;
+}
+
static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
char *password)
{
- krb5_error_code kerr = 0;
int ret;
const char *realm_name;
int realm_length;
-
+ krb5_error_code kerr;
+ char *cc_name;
+ krb5_principal principal;
kerr = sss_krb5_get_init_creds_opt_set_expire_callback(kr->ctx, kr->options,
sss_krb5_expire_callback_func,
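Review bot: get_ccache_name_by_principal has no header comment, and two parts of its contract are not obvious at the call site: `krb5_cc_set_default_name(ctx, ccname)` changes the default ccache name on the caller's context and is never undone, and a NULL return covers both "no cache in the collection matches the principal" and a real failure (set-default-name error, `talloc_strdup` ENOMEM). I would add a comment above the function saying that it returns a talloc copy of the full ccache name owned by `mem_ctx`, that NULL means either no match or an error, and that `ctx` keeps `ccname` as its default afterwards. If later code in get_and_save_tgt depends on the context's default cache (not visible here, since the body continues outside the hunk), the previous default should be saved and restored instead. Minor style point: `kerr !=0` should be `kerr != 0`, like the other checks.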
@@ -1000,10 +1046,21 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
}
}
+ principal = kr->creds ? kr->creds->client : kr->princ;
+
+ /* If kr->ccname is cache collection (DIR:/...), we want to work
+ * directly with file ccache (DIR::/...), but cache collection
+ * should be returned back to back end.
+ */
+ cc_name = get_ccache_name_by_principal(kr->pd, kr->ctx, principal,
+ kr->ccname);
+ if (cc_name == NULL) {
+ cc_name = kr->ccname;
+ }
+
/* Use the updated principal in the creds in case canonicalized */
kerr = create_ccache(kr->uid, kr->gid, kr->ctx,
- kr->creds ? kr->creds->client : kr->princ,
- kr->ccname, kr->creds);
+ principal, cc_name, kr->creds);
if (kerr != 0) {
KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
goto done;
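Review bot: The fallback `if (cc_name == NULL) { cc_name = kr->ccname; }` cannot tell an expected miss from an internal error, so after an ENOMEM or a krb5_cc_set_default_name failure in the helper, create_ccache still runs with the collection name and nothing at this level records which path was taken. Since this choice decides which credential cache receives the TGT, a trace line inside the fallback would make it auditable, e.g. `DEBUG(SSSDBG_TRACE_INTERNAL, ("No ccache matched the principal, using [%s]\n", kr->ccname));`. `cc_name` is allocated on `kr->pd` and not freed in the visible lines; that is presumably acceptable for a short-lived child process, but worth confirming. The function body starts and ends outside this hunk.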
diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c
index d85ca20d1..7d0ad1ec9 100644
--- a/src/providers/krb5/krb5_utils.c
+++ b/src/providers/krb5/krb5_utils.c
@@ -1163,6 +1163,9 @@ cc_dir_cache_for_princ(TALLOC_CTX *mem_ctx, const char *location,
return NULL;
}
+ /* This function is called only as a way to validate that,
+ * we have the right cache
+ */
krberr = krb5_cc_get_full_name(context, ccache, &name);
if (ccache) krb5_cc_close(context, ccache);
krb5_free_context(context);
@@ -1172,7 +1175,7 @@ cc_dir_cache_for_princ(TALLOC_CTX *mem_ctx, const char *location,
return NULL;
}
- return talloc_strdup(mem_ctx, name);
+ return talloc_strdup(mem_ctx, location);
}
errno_t
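Review bot: With `return talloc_strdup(mem_ctx, location);` the string that krb5_cc_get_full_name stored in `name` is no longer used, and no `krb5_free_string` for it is visible in either hunk of cc_dir_cache_for_princ, so each successful call appears to leak it. Because `krb5_free_context(context)` runs right after the lookup, the release has to come first: `krb5_free_string(context, name);` ahead of `krb5_free_context(context);` (assuming `name` is initialised to NULL, which is outside the hunk). The comment added in the previous hunk would read more clearly as `/* krb5_cc_get_full_name is called only to validate that we have the right cache; its result is not returned */`. Callers now receive the collection location rather than a per-principal cache name, so the function's header comment (outside the hunk) should state that.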