authorJim McDonough <jmcd@samba.org>2004-04-14 17:34:48 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 10:51:14 -0500
commit0859a89166089b505e447034e119a9bb0eba7ba8 (patch)
tree9017532589162c88e3719d40799a593e972a93e1 /source3
parent1cd9d74016b2fdc84cae14d21a25016443da99ed (diff)
r219: Obtain new tickets if current ones are expired. Next part of fix for
bug 1208. Based on a fix from Guenther Deschner. Outstanding pieces: - Heimdal FILE-based ccaches don't actually remove creds properly, so we need to code a check for this - what if ticket expires between our check and when we use it? Guenther has coded up fixes for these parts, but I still need to review them, as I'm not totally comfortable with the solutions. (This used to be commit ef008b9710e682f87f0bbf526d30eb5114264233)
Diffstat (limited to 'source3')
-rw-r--r--source3/libsmb/clikrb5.c48
1 files changed, 36 insertions, 12 deletions
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index 15b244a83d..e957cbc91f 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -249,6 +249,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
krb5_creds * credsp;
krb5_creds creds;
krb5_data in_data;
+ BOOL have_creds = False;
retval = krb5_parse_name(context, principal, &server);
if (retval) {
@@ -270,20 +271,43 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
goto cleanup_creds;
}
- if ((retval = krb5_get_credentials(context, 0,
- ccache, &creds, &credsp))) {
- DEBUG(1,("krb5_get_credentials failed for %s (%s)\n",
- principal, error_message(retval)));
- goto cleanup_creds;
+ while(!have_creds) {
+ if ((retval = krb5_get_credentials(context, 0, ccache,
+ &creds, &credsp))) {
+ DEBUG(1,("krb5_get_credentials failed for %s (%s)\n",
+ principal, error_message(retval)));
+ goto cleanup_creds;
+ }
+
+ /* cope with ticket being in the future due to clock skew */
+ if ((unsigned)credsp->times.starttime > time(NULL)) {
+ time_t t = time(NULL);
+ int time_offset =(unsigned)credsp->times.starttime-t;
+ DEBUG(4,("Advancing clock by %d seconds to cope with clock skew\n", time_offset));
+ krb5_set_real_time(context, t + time_offset + 1, 0);
+ }
+
+ /* cope with expired tickets */
+ if ((unsigned)credsp->times.endtime < time(NULL)) {
+ DEBUG(3,("Ticket (%s) in ccache (%s) has expired (%s - %d). Obtaining new ticket.\n",
+ principal, krb5_cc_default_name(context),
+ http_timestring(
+ (unsigned)credsp->times.endtime),
+ (unsigned)credsp->times.endtime));
+ if ((retval = krb5_cc_remove_cred(context, ccache, 0,
+ credsp))) {
+ DEBUG(1,("krb5_cc_remove_cred failed for %s (%s)\n",
+ principal, error_message(retval)));
+ }
+ } else {
+ have_creds = True;
+ }
}
- /* cope with the ticket being in the future due to clock skew */
- if ((unsigned)credsp->times.starttime > time(NULL)) {
- time_t t = time(NULL);
- int time_offset = (unsigned)credsp->times.starttime - t;
- DEBUG(4,("Advancing clock by %d seconds to cope with clock skew\n", time_offset));
- krb5_set_real_time(context, t + time_offset + 1, 0);
- }
+ DEBUG(10,("Ticket (%s) in ccache (%s) is valid until: (%s - %d)\n",
+ principal, krb5_cc_default_name(context),
+ http_timestring((unsigned)credsp->times.endtime),
+ (unsigned)credsp->times.endtime));
in_data.length = 0;
retval = krb5_mk_req_extended(context, auth_context, ap_req_options,
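Review bot: The retry loop added around `krb5_get_credentials` has no exit when `krb5_cc_remove_cred` fails: the error is only logged at DEBUG(1), `have_creds` stays False, and the next pass will most likely fetch the same expired ticket from the ccache, so the caller can spin indefinitely. Each retry also overwrites `credsp` without releasing the previous result, which leaks the expired credential (session key included) once per pass. I would treat a failed removal as fatal and free the stale entry before looping, as sketched below; this assumes the `cleanup_creds` label, which is outside the hunk, does not itself release `credsp`. A small cap on the number of passes would also bound the case where removal reports success but the entry stays in the cache.

```c
		/* cope with expired tickets */
		if ((unsigned)credsp->times.endtime < time(NULL)) {
			/* … unchanged: DEBUG(3) "has expired" message … */
			retval = krb5_cc_remove_cred(context, ccache, 0, credsp);
			/* release the stale ticket before the next krb5_get_credentials() */
			krb5_free_creds(context, credsp);
			credsp = NULL;
			if (retval) {
				DEBUG(1,("krb5_cc_remove_cred failed for %s (%s)\n",
					 principal, error_message(retval)));
				/* cannot evict the expired entry: stop instead of retrying forever */
				goto cleanup_creds;
			}
		} else {
			have_creds = True;
		}
```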