diff options
author | Stephen Gallagher <sgallagh@redhat.com> | 2011-04-28 13:51:26 -0400 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2011-04-29 11:24:41 -0400 |
commit | c2df718c9a3e8d479547b5caa642cc84888f9a29 (patch) | |
tree | e5f921de1f8c62676d2a2f55717fd1268b0a9f31 /src/providers | |
parent | b4abe4088ceec0189f97b1a0e3fce37c23066206 (diff) | |
download | sssd-c2df718c9a3e8d479547b5caa642cc84888f9a29.tar.gz sssd-c2df718c9a3e8d479547b5caa642cc84888f9a29.tar.xz sssd-c2df718c9a3e8d479547b5caa642cc84888f9a29.zip |
Fix bad password caching when using automatic TGT renewal
Diffstat (limited to 'src/providers')
-rw-r--r-- | src/providers/krb5/krb5_auth.c | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index 49dc6d2e4..ecb7d61a3 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c @@ -1001,8 +1001,13 @@ static void krb5_save_ccname_done(struct tevent_req *req) state->dp_err = DP_ERR_OK; switch(pd->cmd) { - case SSS_PAM_AUTHENTICATE: case SSS_CMD_RENEW: + /* The authtok is set to the credential cache + * during renewal. We don't want to save this + * as the cached password. + */ + break; + case SSS_PAM_AUTHENTICATE: case SSS_PAM_CHAUTHTOK_PRELIM: password = talloc_size(state, pd->authtok_size + 1); if (password != NULL) { @@ -1022,8 +1027,11 @@ static void krb5_save_ccname_done(struct tevent_req *req) } if (password == NULL) { - DEBUG(0, ("password not available, offline auth may not work.\n")); - ret = EOK; /* password caching failures are not fatal errors */ + if (pd->cmd != SSS_CMD_RENEW) { + DEBUG(0, ("password not available, offline auth may not work.\n")); + /* password caching failures are not fatal errors */ + } + ret = EOK; goto done; } @@ -1035,6 +1043,7 @@ static void krb5_save_ccname_done(struct tevent_req *req) if (ret) { DEBUG(2, ("Failed to cache password, offline auth may not work." " (%d)[%s]!?\n", ret, strerror(ret))); + /* password caching failures are not fatal errors */ } } |