authorJakub Hrozek <jhrozek@redhat.com>2014-12-08 13:29:23 +0100
committerJakub Hrozek <jhrozek@redhat.com>2014-12-13 23:41:34 +0100
commit03afa4cbef2c2ba3c70fbad4f3e1e36c05fafe82 (patch)
treed481b27cd90b25fdf5d88b5a4d1929f5f2bb500e /src/providers/krb5
parent12e075db7ef0e72fba64ca2cd0eb55a6414388c0 (diff)
KRB5: Check FAST kinit errors using get_tgt_times()
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Diffstat (limited to 'src/providers/krb5')
-rw-r--r--src/providers/krb5/krb5_child.c28
1 files changed, 15 insertions, 13 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 8f23346a6..3318e0647 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1662,6 +1662,7 @@ static krb5_error_code get_tgt_times(krb5_context ctx, const char *ccname,
krberr = krb5_cc_resolve(ctx, ccname, &ccache);
if (krberr != 0) {
DEBUG(SSSDBG_CRIT_FAILURE, "krb5_cc_resolve failed.\n");
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, krberr);
goto done;
}
@@ -1814,7 +1815,6 @@ static krb5_error_code check_fast_ccache(TALLOC_CTX *mem_ctx,
} while (kerr == -1 && errno == EINTR);
if (kerr > 0) {
- kerr = EIO;
if (WIFEXITED(status)) {
kerr = WEXITSTATUS(status);
/* Don't blindly fail if the child fails, but check
@@ -1830,26 +1830,28 @@ static krb5_error_code check_fast_ccache(TALLOC_CTX *mem_ctx,
fchild_pid);
}
} else {
- DEBUG(SSSDBG_FUNC_DATA,
- "Failed to wait for children %d\n", fchild_pid);
- kerr = EIO;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to wait for child %d\n", fchild_pid);
+ /* Let the code re-check the TGT times and fail if we
+ * can't find the updated principal */
}
}
/* Check the ccache times again. Should be updated ... */
memset(&tgtt, 0, sizeof(tgtt));
kerr = get_tgt_times(ctx, ccname, server_princ, client_princ, &tgtt);
- if (kerr == 0) {
- if (tgtt.endtime > time(NULL)) {
- DEBUG(SSSDBG_FUNC_DATA, "FAST TGT was successfully recreated!\n");
- goto done;
- } else {
- kerr = ERR_CREDS_EXPIRED;
- goto done;
- }
+ if (kerr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_tgt_times() failed\n");
+ goto done;
}
- kerr = 0;
+ if (tgtt.endtime < time(NULL)) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Valid FAST TGT not found after attempting to renew it\n");
+ kerr = ERR_CREDS_EXPIRED;
+ goto done;
+ }
+ DEBUG(SSSDBG_FUNC_DATA, "FAST TGT was successfully recreated!\n");
done:
if (client_princ != NULL) {
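Review bot: The re-check `if (tgtt.endtime < time(NULL))` accepts any TGT that has not yet expired, so it cannot tell a freshly acquired FAST TGT from the old one still in the ccache after the child failed, or after the "Failed to wait for child" branch, which now falls through instead of returning EIO. In those cases the function would log "FAST TGT was successfully recreated!" and return success with an armor ticket that may be seconds from expiry. The boundary also moved: the old success test was `tgtt.endtime > time(NULL)`, so `endtime == now` is newly treated as valid, and `if (tgtt.endtime <= time(NULL))` would keep the previous behaviour. Consider also requiring that the end time moved past the value seen before the child was started (presumably available earlier in check_fast_ccache, whose body begins outside this hunk), and wording the final message neutrally, e.g. `"Valid FAST TGT found after renewal attempt\n"`.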