authorAlexander Bokovoy <abokovoy@redhat.com>2012-11-20 15:18:50 +0200
committerMartin Kosek <mkosek@redhat.com>2012-11-21 13:18:26 +0100
commit2093007d4d2b3183b65a07d421954b3e8a12e93b (patch)
tree499749399cabb15b2d9b6ed22c47227c90f88a8e /daemons/ipa-sam
parent91e477b9e2617c743f847f8ff0f326de57ceed4a (diff)
downloadfreeipa-2093007d4d2b3183b65a07d421954b3e8a12e93b.tar.gz
freeipa-2093007d4d2b3183b65a07d421954b3e8a12e93b.tar.xz
freeipa-2093007d4d2b3183b65a07d421954b3e8a12e93b.zip
ipasam: better Kerberos error handling in ipasam
If time is moved back on the IPA server, ipasam does not invalidate the existing ticket. https://fedorahosted.org/freeipa/ticket/3183
Diffstat (limited to 'daemons/ipa-sam')
-rw-r--r--daemons/ipa-sam/ipa_sam.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index b1592b71f..3c4c97cd1 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -3809,9 +3809,9 @@ static int bind_callback(LDAP *ldap_struct, struct smbldap_state *ldap_state, vo
ldap_sasl_interact, &data);
/* By now we have 'ret' for LDAP result and 'rc' for Kerberos result
- * if ret is LDAP_INVALID_CREDENTIALS, LDAP server rejected our ccache. There may be several issues:
+ * if LDAP_API_ERROR(ret) is true, LDAP server rejected our ccache. There may be several issues:
*
- * 1. Credentials are invalid due to outdated ccache leftover from previous install
+ * 1. Credentials are invalid due to outdated ccache leftover from previous install or ticket is from future
* Wipe out old ccache and start again
*
* 2. Key in the keytab is not enough to obtain ticket for cifs/FQDN@REALM service
@@ -3825,7 +3825,9 @@ static int bind_callback(LDAP *ldap_struct, struct smbldap_state *ldap_state, vo
* a new ccache file by the above call of bind_callback_obtain_creds(). This is expected and correct behavior.
*
*/
- if ((ret == LDAP_INVALID_CREDENTIALS) && (rc == 0)) {
+
+ if (LDAP_API_ERROR(ret) &&
+ ((rc == 0) || (rc == KRB5KRB_AP_ERR_TKT_NYV) || (rc == KRB5KRB_AP_ERR_TKT_EXPIRED))) {
bind_callback_cleanup_creds(&data);
rc = bind_callback_obtain_creds(&data);
if (rc) {
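Review bot: The widened condition on the two added `if` lines appears to drop the case the old check handled: in OpenLDAP's ldap.h, `LDAP_API_ERROR(n)` is true only for the client-library range 0x51–0x61 (LDAP_SERVER_DOWN, LDAP_LOCAL_ERROR, …), while LDAP_INVALID_CREDENTIALS is the server result code 0x31, so a bind that the server rejects with invalid credentials would no longer trigger the ccache wipe and re-acquisition — unless ipasam defines its own macro, which is not visible here. If the intent is to additionally catch the GSSAPI/SASL failure that libldap reports locally as LDAP_LOCAL_ERROR when the ticket is not yet valid or expired, keep both tests: `if ((ret == LDAP_INVALID_CREDENTIALS || LDAP_API_ERROR(ret)) &&`. The reworded comment in the previous hunk, "if LDAP_API_ERROR(ret) is true, LDAP server rejected our ccache", should be adjusted in the same way, since API-range codes are generated by the client library rather than returned by the server. The body of bind_callback starts before and continues after this hunk.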