authorLukas Hejtmanek <xhejtman@ics.muni.cz>2009-08-27 11:42:24 -0400
committerSteve Dickson <steved@redhat.com>2009-08-27 11:42:24 -0400
commitbd947185cfc7978c562fddf2f14f602c44a5cac9 (patch)
tree3eba094b02c5c3c30d3f645538637dd7c19312dc /utils/gssd/krb5_util.c
parent1d2951b518dd5df4fc0a637880d204f0f4e949c5 (diff)
Gssd blindly caches machine credentials
We have a problem with rpc.gssd, which blindly caches machine credentials. E.g., if someone deletes /tmp/krb5cc_machine_REALM, rpc.gssd does not create a new one until the old one expires. It also has problems with clock skew: if time goes backwards, gssd thinks that the machine credentials have not expired yet. The following patch tries to use the cache, but in case of failure it tries again without the cache. Any comments? Signed-off-by: Lukas Hejtmanek <xhejtman@ics.muni.cz> Acked-by: Kevin Coffman <kwc@citi.umich.edu> Signed-off-by: Steve Dickson <steved@redhat.com>
Diffstat (limited to 'utils/gssd/krb5_util.c')
-rw-r--r--utils/gssd/krb5_util.c13
1 files changed, 7 insertions, 6 deletions
diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index 3009cc5..78e9775 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -137,7 +137,7 @@ static int select_krb5_ccache(const struct dirent *d);
static int gssd_find_existing_krb5_ccache(uid_t uid, char *dirname,
struct dirent **d);
static int gssd_get_single_krb5_cred(krb5_context context,
- krb5_keytab kt, struct gssd_k5_kt_princ *ple);
+ krb5_keytab kt, struct gssd_k5_kt_princ *ple, int nocache);
static int query_krb5_ccache(const char* cred_cache, char **ret_princname,
char **ret_realm);
@@ -359,7 +359,8 @@ limit_krb5_enctypes(struct rpc_gss_sec *sec, uid_t uid)
static int
gssd_get_single_krb5_cred(krb5_context context,
krb5_keytab kt,
- struct gssd_k5_kt_princ *ple)
+ struct gssd_k5_kt_princ *ple,
+ int nocache)
{
#if HAVE_KRB5_GET_INIT_CREDS_OPT_SET_ADDRESSLESS
krb5_get_init_creds_opt *init_opts = NULL;
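Review bot: The new `nocache` parameter added to the definition of gssd_get_single_krb5_cred is not documented anywhere in the hunk, and its meaning ("force re-acquisition even though a cached credential looks valid") is only recoverable from the commit description. The same applies to the `nocache` added to gssd_refresh_krb5_machine_credential in the hunk ending at the `krb5_context context;` line, where the function's leading comment block closes just above the changed signature and so cannot mention it. I would add, above each definition, `/* nocache: non-zero forces a fresh credential fetch even when ple->ccname is set and ple->endtime has not passed (cache file removed, clock skew) */`. The body of gssd_get_single_krb5_cred continues outside this hunk.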
@@ -379,7 +380,7 @@ gssd_get_single_krb5_cred(krb5_context context,
memset(&my_creds, 0, sizeof(my_creds));
- if (ple->ccname && ple->endtime > now) {
+ if (ple->ccname && ple->endtime > now && !nocache) {
printerr(2, "INFO: Credentials in CC '%s' are good until %d\n",
ple->ccname, ple->endtime);
code = 0;
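Review bot: The `!nocache` term added to the cached-credential shortcut only changes behaviour if some caller passes a non-zero value, and neither call site in this diff does: gssd_get_krb5_machine_cred_list passes a literal `0` and gssd_refresh_krb5_machine_credential merely forwards its own argument. The retry-without-cache that the description promises therefore has to come from a caller outside this file, which is worth confirming before merging, since otherwise the patch is a no-op. Note also that `ple->endtime > now` still trusts the local clock, so a backwards clock step is only recovered through that external retry, not by this check; a comment such as `/* nocache: caller already saw the cached credential fail; skip the expiry shortcut */` would make that dependency explicit. The enclosing function starts and ends outside this hunk.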
@@ -1095,7 +1096,7 @@ gssd_get_krb5_machine_cred_list(char ***list)
for (ple = gssd_k5_kt_princ_list; ple; ple = ple->next) {
if (ple->ccname) {
/* Make sure cred is up-to-date before returning it */
- retval = gssd_refresh_krb5_machine_credential(NULL, ple);
+ retval = gssd_refresh_krb5_machine_credential(NULL, ple, 0);
if (retval)
continue;
if (i + 1 > listsize) {
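Review bot: The bare `0` passed as the new last argument of gssd_refresh_krb5_machine_credential reads as a magic value at this call site, since the parameter name is not visible here. A one-line comment on the call, `/* nocache = 0: a still-valid cached credential is acceptable when listing */`, or a named constant shared by all callers, would keep the intent readable. The enclosing loop and function extend beyond this hunk.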
@@ -1185,7 +1186,7 @@ gssd_destroy_krb5_machine_creds(void)
*/
int
gssd_refresh_krb5_machine_credential(char *hostname,
- struct gssd_k5_kt_princ *ple)
+ struct gssd_k5_kt_princ *ple, int nocache)
{
krb5_error_code code = 0;
krb5_context context;
@@ -1240,7 +1241,7 @@ gssd_refresh_krb5_machine_credential(char *hostname,
goto out;
}
}
- retval = gssd_get_single_krb5_cred(context, kt, ple);
+ retval = gssd_get_single_krb5_cred(context, kt, ple, nocache);
out:
if (kt)
krb5_kt_close(context, kt);