author | Jakub Hrozek <jhrozek@redhat.com> | 2014-12-08 13:29:23 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-12-11 14:09:57 +0100 |
commit | f33ddf15796745888d0194a2f80f22bb3b379dec (patch) | |
tree | 7c0beb1652c35a63cb0c205b640188066a0663f2 /src | |
parent | 5d69dd4d62dab877dfc3c88e410816034981915f (diff) | |
KRB5: Check FAST kinit errors using get_tgt_times()
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/providers/krb5/krb5_child.c | 28 |
1 files changed, 15 insertions, 13 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index e8260c387..76a0757f6 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1670,6 +1670,7 @@ static krb5_error_code get_tgt_times(krb5_context ctx, const char *ccname,
 krberr = krb5_cc_resolve(ctx, ccname, &ccache);
 if (krberr != 0) {
 DEBUG(SSSDBG_CRIT_FAILURE, "krb5_cc_resolve failed.\n");
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, krberr);
 goto done;
 }
@@ -1822,7 +1823,6 @@ static krb5_error_code check_fast_ccache(TALLOC_CTX *mem_ctx,
 } while (kerr == -1 && errno == EINTR);
 if (kerr > 0) {
- kerr = EIO;
 if (WIFEXITED(status)) {
 kerr = WEXITSTATUS(status);
 /* Don't blindly fail if the child fails, but check
@@ -1838,26 +1838,28 @@ static krb5_error_code check_fast_ccache(TALLOC_CTX *mem_ctx,
 fchild_pid);
 }
 } else {
- DEBUG(SSSDBG_FUNC_DATA,
- "Failed to wait for children %d\n", fchild_pid);
- kerr = EIO;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to wait for child %d\n", fchild_pid);
+ /* Let the code re-check the TGT times and fail if we
+ * can't find the updated principal */
 }
 }
 /* Check the ccache times again. Should be updated ... */
 memset(&tgtt, 0, sizeof(tgtt));
 kerr = get_tgt_times(ctx, ccname, server_princ, client_princ, &tgtt);
- if (kerr == 0) {
- if (tgtt.endtime > time(NULL)) {
- DEBUG(SSSDBG_FUNC_DATA, "FAST TGT was successfully recreated!\n");
- goto done;
- } else {
- kerr = ERR_CREDS_EXPIRED;
- goto done;
- }
+ if (kerr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_tgt_times() failed\n");
+ goto done;
 }
- kerr = 0;
+ if (tgtt.endtime < time(NULL)) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Valid FAST TGT not found after attempting to renew it\n");
+ kerr = ERR_CREDS_EXPIRED;
+ goto done;
+ }
+ DEBUG(SSSDBG_FUNC_DATA, "FAST TGT was successfully recreated!\n");
 done:
 if (client_princ != NULL) {
 |
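Review bot: The new expiry test `if (tgtt.endtime < time(NULL)) {` in the third hunk accepts a FAST TGT whose end time equals the current second, whereas the removed code treated only `tgtt.endtime > time(NULL)` as valid. As far as the visible lines show, this re-check is now the only thing that decides success once the wait result is no longer turned into `EIO`, so I would keep the old boundary with `if (tgtt.endtime <= time(NULL)) {`. The `get_tgt_times() failed` message also drops the error code; adding `KRB5_CHILD_DEBUG(SSSDBG_OP_FAILURE, kerr);` beside it would match what the first hunk does for `krb5_cc_resolve`. The body of check_fast_ccache starts before this hunk and continues after it, and lines between the second and third hunks are not shown.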