| author | Greg Hudson <ghudson@mit.edu> | 2010-12-14 17:28:38 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2010-12-14 17:28:38 +0000 |
| commit | 0ad46eaa6eabfba18beb81d97b8a6d34486671fe (patch) | |
| tree | 9f5e39faaef8519923a861fbfcb27ac377354da8 /src | |
| parent | 20337d95b42b43d3f6858294490f0ee1ba3a007d (diff) | |
Fix a regression in the client-side ticket renewal code where KDC
options were not folded into the renewal request (most notably, the
KDC_OPT_RENEWABLE flag), so we didn't request renewable renewed
tickets. Add a simple test case for ticket renewal.
ticket: 6838
tags: pullups
target_version: 1.9
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24566 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/krb5/krb/val_renew.c | 5 | ||||
| -rw-r--r-- | src/tests/Makefile.in | 1 | ||||
| -rw-r--r-- | src/tests/t_renew.py | 16 |
3 files changed, 21 insertions, 1 deletions
diff --git a/src/lib/krb5/krb/val_renew.c b/src/lib/krb5/krb/val_renew.c index 46eff99b7..bc3b90c3e 100644 --- a/src/lib/krb5/krb/val_renew.c +++ b/src/lib/krb5/krb/val_renew.c @@ -59,7 +59,10 @@ get_new_creds(krb5_context context, krb5_ccache ccache, krb5_creds *in_creds, if (code != 0) return code; - /* Use it to get a new credential from the KDC. */ + /* Use KDC options from old credential as well as requested options. */ + kdcopt |= (old_creds.ticket_flags & KDC_TKT_COMMON_MASK); + + /* Use the old credential to get a new credential from the KDC. */ code = krb5_get_cred_via_tkt(context, &old_creds, kdcopt, old_creds.addresses, in_creds, &new_creds); krb5_free_cred_contents(context, &old_creds); diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in index cc3eafec5..964da6ee1 100644 --- a/src/tests/Makefile.in +++ b/src/tests/Makefile.in @@ -66,6 +66,7 @@ check-pytests:: $(RUNPYTEST) $(srcdir)/t_lockout.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_kadm5_hook.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_keyrollover.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_renew.py $(PYTESTFLAGS) clean:: $(RM) kdc.conf diff --git a/src/tests/t_renew.py b/src/tests/t_renew.py new file mode 100644 index 000000000..105364634 --- /dev/null +++ b/src/tests/t_renew.py @@ -0,0 +1,16 @@ +#!/usr/bin/python +from k5test import * + +realm = K5Realm(create_host=False, start_kadmind=False, get_creds=False) + +# Configure the realm to allow renewable tickets and acquire some. +realm.run_kadminl('modprinc -maxrenewlife "2 days" user') +realm.run_kadminl('modprinc -maxrenewlife "2 days" %s' % realm.krbtgt_princ) +realm.kinit(realm.user_princ, password('user'), flags=['-r', '2d']) + +# Renew twice, to test that renewed tickets are renewable. +realm.kinit(realm.user_princ, flags=['-R']) +realm.kinit(realm.user_princ, flags=['-R']) +realm.klist(realm.user_princ) + +success('Renewing credentials.') |
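Review bot: The added `kdcopt |= (old_creds.ticket_flags & KDC_TKT_COMMON_MASK);` copies ticket flags into a KDC-options word, but the comment above it calls them "KDC options from old credential", which hides that the line is only correct if the mask selects bits that mean the same thing in both fields. I would state that in the comment, e.g. `/* Ticket flags under KDC_TKT_COMMON_MASK are assumed to share bit positions with KDC options; carry them into the request so a renewable ticket renews as renewable. */`. The same OR re-requests every masked flag the old ticket carried, not only the KDC_OPT_RENEWABLE case the commit message names, so a caller cannot ask for a renewed ticket with fewer flags than the original; if that is intended it deserves a sentence as well. get_new_creds starts and ends outside the hunk, so whether other callers are affected (the file name suggests a validate path) cannot be checked from here.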
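Review bot: In the new t_renew.py the regression check is implicit: nothing inspects the renewed ticket, and the closing `realm.klist(realm.user_princ)` is passed only the principal name. The test presumably relies on the second `kinit -R` failing when the first renewal returned a non-renewable ticket. I would make that explicit above the second call, e.g. `# This -R is the regression check: it fails if the first renewal did not return a renewable ticket.`. Since the library change carries over more flags than the renewable one, a follow-up case that renews a ticket obtained without `-r` and expects failure would confirm that renewal does not add flags the old ticket lacked.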
