Add support for automatic Kerberos ticket renewal

author: Sumit Bose <sbose@redhat.com> 2010-11-15 13:46:17 +0100
committer: Stephen Gallagher <sgallagh@redhat.com> 2010-12-03 10:41:28 -0500
commit: f3f9ce8024d7610439d6c70ddafab1ab025cf8a8 (patch)
tree: 415d65170f362c2df65410084cadbcc016b4673d /src/providers/krb5/krb5_auth.c
parent: 1709edfb690bb4ffa4b96c64d08853f47390eda3 (diff)
download: sssd-f3f9ce8024d7610439d6c70ddafab1ab025cf8a8.tar.gz
sssd-f3f9ce8024d7610439d6c70ddafab1ab025cf8a8.tar.xz
sssd-f3f9ce8024d7610439d6c70ddafab1ab025cf8a8.zip
1 files changed, 18 insertions, 0 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 974e76844..515c181bc 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -210,6 +210,7 @@ static struct krb5_ctx *get_krb5_ctx(struct be_req *be_req)
 
     switch (pd->cmd) {
         case SSS_PAM_AUTHENTICATE:
+        case SSS_CMD_RENEW:
             return talloc_get_type(be_req->be_ctx->bet_info[BET_AUTH].pvt_bet_data,
                                    struct krb5_ctx);
             break;
@@ -327,6 +328,7 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
 
     switch (pd->cmd) {
         case SSS_PAM_AUTHENTICATE:
+        case SSS_CMD_RENEW:
         case SSS_PAM_CHAUTHTOK:
             break;
         case SSS_PAM_CHAUTHTOK_PRELIM:
@@ -786,6 +788,19 @@ static void krb5_child_done(struct tevent_req *subreq)
         }
     }
 
+    if (msg_status == PAM_SUCCESS &&
+        dp_opt_get_int(kr->krb5_ctx->opts, KRB5_RENEW_INTERVAL) > 0 &&
+        (pd->cmd == SSS_PAM_AUTHENTICATE || pd->cmd == SSS_CMD_RENEW ||
+         pd->cmd == SSS_PAM_CHAUTHTOK) &&
+        tgtt.renew_till > tgtt.endtime && kr->ccname != NULL) {
+        DEBUG(7, ("Adding [%s] for automatic renewal.\n", kr->ccname));
+        ret = add_tgt_to_renew_table(kr->krb5_ctx, kr->ccname, &tgtt, pd);
+        if (ret != EOK) {
+            DEBUG(1, ("add_tgt_to_renew_table failed, "
+                      "automatic renewal not possible.\n"));
+        }
+    }
+
     /* If the child request failed, but did not return an offline error code,
      * return with the status */
     if (msg_status != PAM_SUCCESS && msg_status != PAM_AUTHINFO_UNAVAIL &&
@@ -891,6 +906,7 @@ static struct tevent_req *krb5_next_server(struct tevent_req *req)
 
     switch (pd->cmd) {
         case SSS_PAM_AUTHENTICATE:
+        case SSS_CMD_RENEW:
             fo_set_port_status(state->kr->srv, PORT_NOT_WORKING);
             next_req = krb5_next_kdc(req);
             break;
@@ -975,6 +991,7 @@ static void krb5_save_ccname_done(struct tevent_req *req)
 
         switch(pd->cmd) {
             case SSS_PAM_AUTHENTICATE:
+            case SSS_CMD_RENEW:
             case SSS_PAM_CHAUTHTOK_PRELIM:
                 password = talloc_size(state, pd->authtok_size + 1);
                 if (password != NULL) {
@@ -1077,6 +1094,7 @@ void krb5_pam_handler(struct be_req *be_req)
 
     switch (pd->cmd) {
         case SSS_PAM_AUTHENTICATE:
+        case SSS_CMD_RENEW:
         case SSS_PAM_CHAUTHTOK_PRELIM:
         case SSS_PAM_CHAUTHTOK:
             req = krb5_auth_send(be_req, be_req->be_ctx->ev, be_req->be_ctx, pd,
author	Sumit Bose <sbose@redhat.com>	2010-11-15 13:46:17 +0100
committer	Stephen Gallagher <sgallagh@redhat.com>	2010-12-03 10:41:28 -0500
commit	f3f9ce8024d7610439d6c70ddafab1ab025cf8a8 (patch)
tree	415d65170f362c2df65410084cadbcc016b4673d /src/providers/krb5/krb5_auth.c
parent	1709edfb690bb4ffa4b96c64d08853f47390eda3 (diff)
download	sssd-f3f9ce8024d7610439d6c70ddafab1ab025cf8a8.tar.gz sssd-f3f9ce8024d7610439d6c70ddafab1ab025cf8a8.tar.xz sssd-f3f9ce8024d7610439d6c70ddafab1ab025cf8a8.zip