author: Simo Sorce <ssorce@redhat.com> 2012-03-01 17:22:10 -0500
committer: Rob Crittenden <rcritten@redhat.com> 2012-03-01 00:56:15 -0500
commit: 079bbaa6e9aab06ba1a06d1fa8f4a4ae0ab2d528 (patch)
tree: 20d8d056c753378198400352d97c09357bf2d3dc
parent: ae8876e93c02c39c562bcdaa1396fcccaf1280c0 (diff)
Fix ticket checks when using either s4u2proxy or a delegated krbtgt
When using s4u2proxy the only ticket we can access via direct krb5 calls is the HTTP/ ticket which was saved in the ccache as evidence ticket. This ticket is later used by GSSAPI as evidence to obtain an ldap ticket. This works by chance; we shouldn't use calls to get_credentials just to verify ticket expiration dates, but I realize this is a limitation of the current krbV bindings and we have no other way around at the moment.

Checking the HTTP/ ticket will fail in case a krbtgt is fully delegated to us. In that case the ccache will contain only a krbtgt, so as a fallback we check that.

Checking the ldap/ ticket is never really useful. When s4u2proxy is used, trying to check the ldap/ ticket will fail because we do not have it yet on the first authentication before a session is established, and doing it later is not useful. When we have a krbtgt we could go and grab a ldap/ ticket directly, but again that makes little sense.

In general all tickets will have the same expiration date (which depends on the original krbtgt) so checking one is sufficient.

Fixes: http://fedorahosted.org/freeipa/ticket/2472
-rw-r--r-- ipalib/krb_utils.py | 4
1 files changed, 2 insertions, 2 deletions
diff --git a/ipalib/krb_utils.py b/ipalib/krb_utils.py
index a8f7751dd..b0010e9e5 100644
--- a/ipalib/krb_utils.py
+++ b/ipalib/krb_utils.py
@@ -343,7 +343,7 @@ class KRB5_CCache(object):
'''
try:
- principal = krb5_format_service_principal_name('ldap', host, realm)
+ principal = krb5_format_service_principal_name('HTTP', host, realm)
valid = self.credential_is_valid(principal)
if valid:
return True
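Review bot: the reason for checking the HTTP/ service ticket instead of ldap/ (it is the evidence ticket stored in the ccache under s4u2proxy, while ldap/ is not present before a session exists) lives only in the commit message; a short comment above the `krb5_format_service_principal_name('HTTP', host, realm)` line would stop the next reader from "fixing" it back to ldap/. The krbtgt fallback the commit message describes for the fully delegated case is not visible in this hunk's context, so it is worth confirming that the lines following `return True` check the krbtgt principal rather than returning False outright.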
@@ -372,7 +372,7 @@ class KRB5_CCache(object):
result = 0
try:
- principal = krb5_format_service_principal_name('ldap', host, realm)
+ principal = krb5_format_service_principal_name('HTTP', host, realm)
authtime, starttime, endtime, renew_till = self.get_credential_times(principal)
if result:
result = min(result, endtime)
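Review bot: in the fully delegated krbtgt case the ccache holds no HTTP/ ticket, so `self.get_credential_times(principal)` on the HTTP/ principal will not succeed and, as far as this hunk shows, `result` stays at its initial `0`; the krbtgt fallback applied in the validity check above should also feed `endtime` here, otherwise the expiration lookup and the validity check disagree for the same ccache. Since only one principal is consulted now, the `min(result, endtime)` accumulation is also worth a comment explaining which other times it is still expected to combine.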