author | Jakub Hrozek <jhrozek@redhat.com> | 2017-07-19 16:21:43 +0200 |
---|---|---|
committer | Lukas Slebodnik <lslebodn@redhat.com> | 2017-07-24 21:50:29 +0200 |
commit | 865cbab7db1458422033bbd19197516110b9deca (patch) | |
tree | d06e46a74963ae98816ab8dfd87d150c2b7bbf93 /src/providers/ad/ad_id.c | |
parent | a6f606117e5cfe64c4b49f94e514bf82054716d3 (diff) | |
download | sssd-865cbab7db1458422033bbd19197516110b9deca.tar.gz sssd-865cbab7db1458422033bbd19197516110b9deca.tar.xz sssd-865cbab7db1458422033bbd19197516110b9deca.zip |

KRB5: Return invalid credentials internally when attempting to renew an expired TGT

Since 1.14.2 and in particular commit
d3348f49260998880bb7cd3b2fb72d562b1b7a64 we return ERR_NETWORK_IO for any
krb5_child operations that receive KRB5KRB_AP_ERR_TKT_EXPIRED from libkrb5.
However, when the action that krb5_child performs is ticket renewal and
the ticket is totally expired, this can send the SSSD into offline mode.

Instead, this patch converts the KRB5KRB_AP_ERR_TKT_EXPIRED code into
sssd-internal ERR_CREDS_EXPIRED which map_krb5_error() won't map
anymore.

The effect on the daemon is that just the single renewal fails, but
the failover code is not called and therefore sssd doesn't switch into
offline mode.

Resolves:
https://pagure.io/SSSD/sssd/issue/3406

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Tested-by: Joakim Tjernlund <Joakim.Tjernlund@infinera.com>

Diffstat (limited to 'src/providers/ad/ad_id.c')
0 files changed, 0 insertions, 0 deletions