authorSumit Bose <sbose@redhat.com>2010-12-13 22:36:05 +0100
committerStephen Gallagher <sgallagh@redhat.com>2010-12-20 09:39:55 -0500
commit589dd0f6600515926e4e514442c62366db0a62b3 (patch)
tree28cbb3904108e4afae51affbdd823e0d58c2924e /src/providers/krb5/krb5_auth.c
parentb770be929d9c786b1ac671cca59dfd3314e65fdd (diff)
Fixes for automatic ticket renewal
- do not recreate the ccache file when renewing the TGT
- use the user principal name as the hash key instead of the ccfile name
- let krb5_child return Kerberos error codes
Diffstat (limited to 'src/providers/krb5/krb5_auth.c')
-rw-r--r--src/providers/krb5/krb5_auth.c45
1 files changed, 27 insertions, 18 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index e6b680eaf..a0ac0e92f 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -161,6 +161,8 @@ static int krb5_save_ccname(TALLOC_CTX *mem_ctx,
return EINVAL;
}
+ DEBUG(9, ("Save ccname [%s] for user [%s].\n", ccname, name));
+
tmpctx = talloc_new(mem_ctx);
if (!tmpctx) {
return ENOMEM;
@@ -349,8 +351,10 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
}
if (be_is_offline(be_ctx) &&
- (pd->cmd == SSS_PAM_CHAUTHTOK || pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM)) {
- DEBUG(9, ("Password changes are not possible while offline.\n"));
+ (pd->cmd == SSS_PAM_CHAUTHTOK || pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM ||
+ pd->cmd == SSS_CMD_RENEW)) {
+ DEBUG(9, ("Password changes and ticket renewal are not possible "
+ "while offline.\n"));
state->pam_status = PAM_AUTHINFO_UNAVAIL;
state->dp_err = DP_ERR_OFFLINE;
ret = EOK;
@@ -582,8 +586,10 @@ static void krb5_find_ccache_step(struct tevent_req *req)
* is true:
* - it doesn't exist (kr->ccname == NULL)
* - the backend is online and the current ccache file is not used, i.e
- * the related user is currently not logged in
- * (!kr->is_offline && !kr->active_ccache_present)
+ * the related user is currently not logged in and it is not a renewal
+ * request
+ * (!kr->is_offline && !kr->active_ccache_present &&
+ * pd->cmd != SSS_CMD_RENEW)
* - the backend is offline and the current cache file not used and
* it does not contain a valid tgt
* (kr->is_offline &&
@@ -592,7 +598,8 @@ static void krb5_find_ccache_step(struct tevent_req *req)
if (kr->ccname == NULL ||
(kr->is_offline && !kr->active_ccache_present &&
!kr->valid_tgt_present) ||
- (!kr->is_offline && !kr->active_ccache_present)) {
+ (!kr->is_offline && !kr->active_ccache_present &&
+ pd->cmd != SSS_CMD_RENEW)) {
DEBUG(9, ("Recreating ccache file.\n"));
kr->ccname = expand_ccname_template(kr, kr,
dp_opt_get_cstring(kr->krb5_ctx->opts,
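Review bot: The new `pd->cmd != SSS_CMD_RENEW` clause only protects the online branch; a renewal request whose `kr->ccname == NULL` still falls into the first clause and gets a freshly created ccache, and a renewal cannot succeed against a ccache that holds no TGT, so that case looks like it should fail early rather than recreate (hedged: the caller's handling of a renewal with no ccache is not visible in this hunk). The offline branch (`kr->is_offline && !kr->active_ccache_present && !kr->valid_tgt_present`) likewise does not exclude renewal and is only sound because krb5_auth_send() rejects SSS_CMD_RENEW while offline in this same commit; that dependency deserves a comment next to the condition, e.g. `/* SSS_CMD_RENEW is rejected while offline in krb5_auth_send(), so only the online branch needs to skip renewals. */`. Hoisting `bool is_renewal = (pd->cmd == SSS_CMD_RENEW);` above the condition would also make the three-way test easier to read. krb5_find_ccache_step's body starts before and continues after this hunk.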
@@ -790,19 +797,6 @@ static void krb5_child_done(struct tevent_req *subreq)
}
}
- if (msg_status == PAM_SUCCESS &&
- dp_opt_get_int(kr->krb5_ctx->opts, KRB5_RENEW_INTERVAL) > 0 &&
- (pd->cmd == SSS_PAM_AUTHENTICATE || pd->cmd == SSS_CMD_RENEW ||
- pd->cmd == SSS_PAM_CHAUTHTOK) &&
- tgtt.renew_till > tgtt.endtime && kr->ccname != NULL) {
- DEBUG(7, ("Adding [%s] for automatic renewal.\n", kr->ccname));
- ret = add_tgt_to_renew_table(kr->krb5_ctx, kr->ccname, &tgtt, pd);
- if (ret != EOK) {
- DEBUG(1, ("add_tgt_to_renew_table failed, "
- "automatic renewal not possible.\n"));
- }
- }
-
/* If the child request failed, but did not return an offline error code,
* return with the status */
if (msg_status != PAM_SUCCESS && msg_status != PAM_AUTHINFO_UNAVAIL &&
@@ -889,7 +883,22 @@ static void krb5_child_done(struct tevent_req *subreq)
goto done;
}
+ if (msg_status == PAM_SUCCESS &&
+ dp_opt_get_int(kr->krb5_ctx->opts, KRB5_RENEW_INTERVAL) > 0 &&
+ (pd->cmd == SSS_PAM_AUTHENTICATE || pd->cmd == SSS_CMD_RENEW ||
+ pd->cmd == SSS_PAM_CHAUTHTOK) &&
+ tgtt.renew_till > tgtt.endtime && kr->ccname != NULL) {
+ DEBUG(7, ("Adding [%s] for automatic renewal.\n", kr->ccname));
+ ret = add_tgt_to_renew_table(kr->krb5_ctx, kr->ccname, &tgtt, pd,
+ kr->upn);
+ if (ret != EOK) {
+ DEBUG(1, ("add_tgt_to_renew_table failed, "
+ "automatic renewal not possible.\n"));
+ }
+ }
+
krb5_save_ccname_done(req);
+
return;
done: