author: Lukas Slebodnik <lslebodn@redhat.com> 2014-12-17 09:10:33 +0100
committer: Sumit Bose <sbose@redhat.com> 2014-12-17 12:06:52 +0100
commit: a183e279f754afdd571d8b084c7a36b71d5c1701 (patch)
tree: 7060ae06b623188bf68e56a77ab37e3a129a0c0e /src/providers/krb5
parent: 01fa6711add8c52aa1a8474cf34af67d1e555c91 (diff)
krb5_child: Initialize REALM earlier

Environment variable SSSD_KRB5_REALM was used too late for initialisation of the realm, and therefore the default value NULL was used. The SSSD_KRB5_REALM (kr->realm) was used as fast_principal_realm for checking fast cache:
privileged_krb5_setup -> k5c_setup_fast -> check_fast_ccache
And therefore the wrong principal was used when the option krb5_fast_principal is empty.

[find_principal_in_keytab] (0x4000): Trying to find principal (null)@(null) in keytab.
[match_principal] (0x1000): Principal matched to the sample ((null)@(null)).
[get_tgt_times] (0x1000): FAST ccache must be recreated
[get_tgt_times] (0x0020): krb5_cc_retrieve_cred failed
[get_tgt_times] (0x0020): 1688: [-1765328243][Matching credential not found]
[check_fast_ccache] (0x0040): Valid FAST TGT not found after attempting to renew it
[k5c_setup_fast] (0x0020): check_fast_ccache failed.
[k5c_setup_fast] (0x0020): 1956: [1432158213][Unknown code UUz 5]
[privileged_krb5_setup] (0x0040): Cannot set up FAST
[main] (0x0020): privileged_krb5_setup failed.
[main] (0x0020): krb5_child failed!

As a result of this, the user was not able to authenticate.

Resolves:
https://fedorahosted.org/sssd/ticket/2526

Reviewed-by: Sumit Bose <sbose@redhat.com>

Diffstat (limited to 'src/providers/krb5')
-rw-r--r-- src/providers/krb5/krb5_child.c 12
1 files changed, 6 insertions, 6 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 76a0757f6..64fe6f0cb 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -2159,12 +2159,6 @@ static int k5c_setup(struct krb5_req *kr, uint32_t offline)
DEBUG(SSSDBG_TRACE_INTERNAL,
"Running as [%"SPRIuid"][%"SPRIgid"].\n", geteuid(), getegid());
- kr->realm = getenv(SSSD_KRB5_REALM);
- if (kr->realm == NULL) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "Cannot read [%s] from environment.\n", SSSD_KRB5_REALM);
- }
-
/* Set the global error context */
krb5_error_ctx = kr->ctx;
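Review bot: With the getenv(SSSD_KRB5_REALM) block removed from k5c_setup() here, this function now depends on kr->realm having been filled in by an earlier call, and nothing in the visible context states or checks that ordering. A one-line comment at the removal site saying that kr->realm is set in privileged_krb5_setup(), or a NULL check before kr->realm is next used, would keep a later reordering of the setup calls from quietly bringing back the (null)@(null) principal lookup shown in the commit message.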
@@ -2254,6 +2248,12 @@ static krb5_error_code privileged_krb5_setup(struct krb5_req *kr,
int ret;
char *mem_keytab;
+ kr->realm = getenv(SSSD_KRB5_REALM);
+ if (kr->realm == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Cannot read [%s] from environment.\n", SSSD_KRB5_REALM);
+ }
+
kerr = krb5_init_context(&kr->ctx);
if (kerr != 0) {
KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
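Review bot: In the block added at the top of privileged_krb5_setup(), a NULL result from getenv(SSSD_KRB5_REALM) is still only logged at SSSDBG_MINOR_FAILURE and setup carries on with kr->realm == NULL. The commit message shows that a NULL realm is exactly what led to the (null)@(null) keytab lookup and the failed authentication, so this path deserves at least a higher debug level, and ideally an explicit decision (with a comment) on whether the function should return an error here instead of letting the failure surface later in check_fast_ccache. It would also help to add a short comment explaining why the realm has to be read before krb5_init_context(), since that ordering is the whole point of the fix.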