authorStef Walter <stefw@gnome.org>2012-04-11 12:12:57 +0200
committerStephen Gallagher <sgallagh@redhat.com>2012-05-04 15:47:04 -0400
commit4d1a261202d828efc84e3a84d16c30548f29f76d (patch)
tree1f5fd8c9522842979eed34efecfd7636c79a9e67
parent077ec9ac6dfef339c16ecc9c2f60cd77e62c9272 (diff)
If canon'ing principals, write ccache with updated default principal
* When calling krb5_get_init_creds_keytab() with krb5_get_init_creds_opt_set_canonicalize() the credential principal can get updated. * Create the cache file with the correct default credential. * LDAP GSSAPI SASL would fail due to the mismatched credentials before this patch. https://bugzilla.redhat.com/show_bug.cgi?id=811518
-rw-r--r--src/providers/krb5/krb5_child.c8
-rw-r--r--src/providers/ldap/ldap_child.c3
2 files changed, 8 insertions, 3 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index cc29c00f6..f403dbc39 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -628,7 +628,8 @@ static krb5_error_code get_and_save_tgt_with_keytab(krb5_context ctx,
return kerr;
}
- kerr = create_ccache_file(ctx, princ, ccname, &creds);
+ /* Use the updated principal in the creds in case canonicalized */
+ kerr = create_ccache_file(ctx, creds.client, ccname, &creds);
if (kerr != 0) {
KRB5_DEBUG(1, kerr);
goto done;
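Review bot: The principal written to the cache now comes from the KDC reply rather than from the request, and nothing in this hunk records when the two differ. A debug message guarded by `if (!krb5_principal_compare(ctx, princ, creds.client))` just before the `create_ccache_file()` call would make a canonicalization rewrite visible in the child's log, which helps when diagnosing mismatches like the GSSAPI SASL failure described in the commit message. The same applies to the `kr->creds->client` call in get_and_save_tgt() and to the `my_creds.client` call in ldap_child.c. The enclosing function starts and ends outside the hunk.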
@@ -685,7 +686,10 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
}
}
- kerr = create_ccache_file(kr->ctx, kr->princ, kr->ccname, kr->creds);
+ /* Use the updated principal in the creds in case canonicalized */
+ kerr = create_ccache_file(kr->ctx,
+ kr->creds ? kr->creds->client : kr->princ,
+ kr->ccname, kr->creds);
if (kerr != 0) {
KRB5_DEBUG(1, kerr);
goto done;
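Review bot: The ternary on the second argument treats `kr->creds` as possibly NULL, yet the same pointer is passed unguarded as the last argument of `create_ccache_file()`. If NULL cannot occur at this point, the fallback to `kr->princ` is dead code that suggests a state which never exists; if it can occur, the callee (not visible in this hunk) has to tolerate NULL credentials. A one-line comment stating which case holds, or an explicit `if (kr->creds == NULL)` error path before the call, would remove the ambiguity. Whether `kr->creds->client` can itself be NULL when the structure is allocated but not yet filled depends on code outside the hunk and is worth confirming.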
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index 5356f8834..e6bf4c3a7 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -285,7 +285,8 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
goto done;
}
- krberr = krb5_cc_initialize(context, ccache, kprinc);
+ /* Use updated principal if changed due to canonicalization. */
+ krberr = krb5_cc_initialize(context, ccache, my_creds.client);
if (krberr) {
DEBUG(2, ("Failed to init ccache: %s\n",
sss_krb5_get_error_message(context, krberr)));