Diffstat (limited to 'src')
-rw-r--r-- | src/config/etc/sssd.api.d/sssd-ad.conf | 2 | ||||
-rw-r--r-- | src/config/etc/sssd.api.d/sssd-ipa.conf | 2 | ||||
-rw-r--r-- | src/config/etc/sssd.api.d/sssd-krb5.conf | 2 | ||||
-rw-r--r-- | src/man/sssd-krb5.5.xml | 26 | ||||
-rw-r--r-- | src/providers/ad/ad_opts.h | 2 | ||||
-rw-r--r-- | src/providers/ipa/ipa_opts.h | 2 | ||||
-rw-r--r-- | src/providers/krb5/krb5_auth.c | 18 | ||||
-rw-r--r-- | src/providers/krb5/krb5_init_shared.c | 16 | ||||
-rw-r--r-- | src/providers/krb5/krb5_opts.h | 2 |
9 files changed, 59 insertions, 13 deletions
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf index 85e34cb18..dbee270e7 100644 --- a/src/config/etc/sssd.api.d/sssd-ad.conf +++ b/src/config/etc/sssd.api.d/sssd-ad.conf @@ -115,7 +115,7 @@ ldap_pwd_policy = str, None, false krb5_store_password_if_offline = bool, None, false krb5_renewable_lifetime = str, None, false krb5_lifetime = str, None, false -krb5_renew_interval = int, None, false +krb5_renew_interval = str, None, false krb5_use_fast = str, None, false krb5_fast_principal = str, None, false diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf index e9c7b2326..a165bc23a 100644 --- a/src/config/etc/sssd.api.d/sssd-ipa.conf +++ b/src/config/etc/sssd.api.d/sssd-ipa.conf @@ -136,7 +136,7 @@ ldap_pwd_policy = str, None, false krb5_store_password_if_offline = bool, None, false krb5_renewable_lifetime = str, None, false krb5_lifetime = str, None, false -krb5_renew_interval = int, None, false +krb5_renew_interval = str, None, false krb5_use_fast = str, None, false krb5_fast_principal = str, None, false diff --git a/src/config/etc/sssd.api.d/sssd-krb5.conf b/src/config/etc/sssd.api.d/sssd-krb5.conf index 3a36f5efb..6534282f9 100644 --- a/src/config/etc/sssd.api.d/sssd-krb5.conf +++ b/src/config/etc/sssd.api.d/sssd-krb5.conf @@ -15,7 +15,7 @@ krb5_validate = bool, None, false krb5_store_password_if_offline = bool, None, false krb5_renewable_lifetime = str, None, false krb5_lifetime = str, None, false -krb5_renew_interval = int, None, false +krb5_renew_interval = str, None, false krb5_use_fast = str, None, false krb5_fast_principal = str, None, false krb5_canonicalize = bool, None, false diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml index 80b2d54de..00881b8b0 100644 --- a/src/man/sssd-krb5.5.xml +++ b/src/man/sssd-krb5.5.xml 
@@ -351,12 +351,34 @@ </varlistentry> <varlistentry> - <term>krb5_renew_interval (integer)</term> + <term>krb5_renew_interval (string)</term> <listitem> <para> The time in seconds between two checks if the TGT should be renewed. TGTs are renewed if about half - of their lifetime is exceeded. + of their lifetime is exceeded, given as an integer + immediately followed by a time unit: + </para> + <para> + <emphasis>s</emphasis> for seconds + </para> + <para> + <emphasis>m</emphasis> for minutes + </para> + <para> + <emphasis>h</emphasis> for hours + </para> + <para> + <emphasis>d</emphasis> for days. + </para> + <para> + If there is no unit given, <emphasis>s</emphasis> is + assumed. + </para> + <para> + NOTE: It is not possible to mix units. To set + the renewable lifetime to one and a half hours, + use '90m' instead of '1h30m'. </para> <para> If this option is not set or is 0 the automatic diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h index 285672226..09aee7e27 100644 --- a/src/providers/ad/ad_opts.h +++ b/src/providers/ad/ad_opts.h @@ -138,7 +138,7 @@ struct dp_option ad_def_krb5_opts[] = { { "krb5_store_password_if_offline", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "krb5_renewable_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING }, - { "krb5_renew_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER }, + { "krb5_renew_interval", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_use_fast", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h index cb6f40e8b..970d05b39 100644 --- a/src/providers/ipa/ipa_opts.h +++ b/src/providers/ipa/ipa_opts.h 
@@ -259,7 +259,7 @@ struct dp_option ipa_def_krb5_opts[] = { { "krb5_store_password_if_offline", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "krb5_renewable_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING }, - { "krb5_renew_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER }, + { "krb5_renew_interval", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_use_fast", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index 6c0f429fb..00025bfc1 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c @@ -827,6 +827,9 @@ static void krb5_auth_done(struct tevent_req *subreq) struct krb5_child_response *res; const char *store_ccname; struct fo_server *search_srv; + krb5_deltat renew_interval_delta; + char *renew_interval_str; + time_t renew_interval_time = 0; ret = handle_child_recv(subreq, pd, &buf, &len); talloc_zfree(subreq); @@ -1072,9 +1075,18 @@ static void krb5_auth_done(struct tevent_req *subreq) DEBUG(1, ("krb5_save_ccname failed.\n")); goto done; } - - if (res->msg_status == ERR_OK && - (dp_opt_get_int(kr->krb5_ctx->opts, KRB5_RENEW_INTERVAL) > 0) && + renew_interval_str = dp_opt_get_string(kr->krb5_ctx->opts, + KRB5_RENEW_INTERVAL); + if (renew_interval_str != NULL) { + ret = krb5_string_to_deltat(renew_interval_str, &renew_interval_delta); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + ("Reading krb5_renew_interval failed.\n")); + renew_interval_delta = 0; + } + renew_interval_time = renew_interval_delta; + } + if (res->msg_status == ERR_OK && renew_interval_time > 0 && (pd->cmd == SSS_PAM_AUTHENTICATE || pd->cmd == SSS_CMD_RENEW || pd->cmd == SSS_PAM_CHAUTHTOK) && 
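Review bot: In the new block after krb5_save_ccname, a krb5_renew_interval value that krb5_string_to_deltat rejects is logged at SSSDBG_MINOR_FAILURE and then treated as 0, so a typo in the config silently disables TGT renewal for every authentication instead of being reported as a misconfiguration; `ret` also keeps the krb5 error code after the block, and whether that value reaches the done: path depends on code outside the hunk. The option is already parsed in krb5_child_init, so I would parse it once there, store the resulting time_t in krb5_ctx, and read that field here instead of re-parsing the string on each login. Failing that, raise the log level and clear ret, e.g. `DEBUG(SSSDBG_CRIT_FAILURE, ("Invalid krb5_renew_interval [%s], TGT renewal disabled.\n", renew_interval_str));` followed by `ret = EOK;`. krb5_auth_done starts and continues outside the hunk.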
diff --git a/src/providers/krb5/krb5_init_shared.c b/src/providers/krb5/krb5_init_shared.c index 0dac5fa69..c9eec2f87 100644 --- a/src/providers/krb5/krb5_init_shared.c +++ b/src/providers/krb5/krb5_init_shared.c @@ -30,7 +30,9 @@ errno_t krb5_child_init(struct krb5_ctx *krb5_auth_ctx, { errno_t ret; FILE *debug_filep; - time_t renew_intv; + time_t renew_intv = 0; + krb5_deltat renew_interval_delta; + char *renew_interval_str; if (dp_opt_get_bool(krb5_auth_ctx->opts, KRB5_STORE_PASSWORD_IF_OFFLINE)) { ret = init_delayed_online_authentication(krb5_auth_ctx, bectx, @@ -40,8 +42,18 @@ errno_t krb5_child_init(struct krb5_ctx *krb5_auth_ctx, goto done; } } + renew_interval_str = dp_opt_get_string(krb5_auth_ctx->opts, + KRB5_RENEW_INTERVAL); + if (renew_interval_str != NULL) { + ret = krb5_string_to_deltat(renew_interval_str, &renew_interval_delta); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + ("Reading krb5_renew_interval failed.\n")); + renew_interval_delta = 0; + } + renew_intv = renew_interval_delta; + } - renew_intv = dp_opt_get_int(krb5_auth_ctx->opts, KRB5_RENEW_INTERVAL); if (renew_intv > 0) { ret = init_renew_tgt(krb5_auth_ctx, bectx, bectx->ev, renew_intv); if (ret != EOK) { diff --git a/src/providers/krb5/krb5_opts.h b/src/providers/krb5/krb5_opts.h index f29fbaaf7..8ac29532b 100644 --- a/src/providers/krb5/krb5_opts.h +++ b/src/providers/krb5/krb5_opts.h @@ -39,7 +39,7 @@ struct dp_option default_krb5_opts[] = { { "krb5_store_password_if_offline", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "krb5_renewable_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING }, - { "krb5_renew_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER }, + { "krb5_renew_interval", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_use_fast", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, |
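Review bot: In the second krb5_init_shared.c hunk a krb5_renew_interval that fails krb5_string_to_deltat is only logged at SSSDBG_MINOR_FAILURE and then ignored (renew_intv stays 0), so a misconfigured value makes the backend start with TGT renewal disabled rather than refusing to start, which the previous integer option type presumably rejected at load time; note also that krb5_string_to_deltat returns a krb5_error_code while `ret` is the errno_t this function returns, so the raw value should not be left in ret or propagated. At startup I would treat this as a fatal config error using the done: label the first hunk already jumps to, `DEBUG(SSSDBG_CRIT_FAILURE, ("Invalid krb5_renew_interval [%s].\n", renew_interval_str)); ret = EINVAL; goto done;`. krb5_child_init's body and its done: label continue outside the hunk.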