From 319340bafe996b4878b2a2df97f58d7ec1797e47 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Sat, 18 Jan 2014 10:38:51 -0500 Subject: gssd: Improve first attempt at acquiring GSS credentials Since now rpc.gssd is switching uid before attempting to acquire credentials, we do not need to pass in the special uid-as-a-string name to gssapi, because the process is already running under the user's credentials. By removing this code we can fix a class of false negatives where the user name does not match the actual ccache credentials and the ccache type used is not one of the only 2 supported explicitly by rpc.gssd by the fallback trolling done later. Signed-off-by: Simo Sorce Signed-off-by: Steve Dickson --- utils/gssd/krb5_util.c | 24 ++---------------------- 1 file changed, 2 insertions(+), 22 deletions(-) (limited to 'utils/gssd/krb5_util.c') diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c index 697d1d2..230b909 100644 --- a/utils/gssd/krb5_util.c +++ b/utils/gssd/krb5_util.c @@ -1381,29 +1381,10 @@ gssd_acquire_krb5_cred(gss_name_t name, gss_cred_id_t *gss_cred) int gssd_acquire_user_cred(uid_t uid, gss_cred_id_t *gss_cred) { - OM_uint32 maj_stat, min_stat; - gss_buffer_desc name_buf; - gss_name_t name; - char buf[11]; + OM_uint32 min_stat; int ret; - ret = snprintf(buf, 11, "%u", uid); - if (ret < 1 || ret > 10) { - return -1; - } - name_buf.value = buf; - name_buf.length = ret + 1; - - maj_stat = gss_import_name(&min_stat, &name_buf, - GSS_C_NT_STRING_UID_NAME, &name); - if (maj_stat != GSS_S_COMPLETE) { - if (get_verbosity() > 0) - pgsserr("gss_import_name", - maj_stat, min_stat, &krb5oid); - return -1; - } - - ret = gssd_acquire_krb5_cred(name, gss_cred); + ret = gssd_acquire_krb5_cred(GSS_C_NO_NAME, gss_cred); /* force validation of cred to check for expiry */ if (ret == 0) { @@ -1412,7 +1393,6 @@ gssd_acquire_user_cred(uid_t uid, gss_cred_id_t *gss_cred) ret = -1; } - maj_stat = gss_release_name(&min_stat, &name); return ret; } -- cgit