author | Jim McDonough <jmcd@samba.org> | 2004-04-14 17:34:48 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 10:51:14 -0500 |
commit | 0859a89166089b505e447034e119a9bb0eba7ba8 (patch) | |
tree | 9017532589162c88e3719d40799a593e972a93e1 /source3 | |
parent | 1cd9d74016b2fdc84cae14d21a25016443da99ed (diff) | |
r219: Obtain new tickets if current ones are expired. Next part of fix for
bug 1208. Based on a fix from Guenther Deschner.
Outstanding pieces:
- Heimdal FILE-based ccaches don't actually remove creds properly, so we
need to code a check for this
- what if ticket expires between our check and when we use it?
Guenther has coded up fixes for these parts, but I still need
to review them, as I'm not totally comfortable with the solutions.
(This used to be commit ef008b9710e682f87f0bbf526d30eb5114264233)
Diffstat (limited to 'source3')
-rw-r--r-- | source3/libsmb/clikrb5.c | 48 |
1 files changed, 36 insertions, 12 deletions
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index 15b244a83d..e957cbc91f 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -249,6 +249,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
 krb5_creds * credsp;
 krb5_creds creds;
 krb5_data in_data;
+ BOOL have_creds = False;
 retval = krb5_parse_name(context, principal, &server);
 if (retval) {
@@ -270,20 +271,43 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
 goto cleanup_creds;
 }
- if ((retval = krb5_get_credentials(context, 0,
- ccache, &creds, &credsp))) {
- DEBUG(1,("krb5_get_credentials failed for %s (%s)\n",
- principal, error_message(retval)));
- goto cleanup_creds;
+ while(!have_creds) {
+ if ((retval = krb5_get_credentials(context, 0, ccache,
+ &creds, &credsp))) {
+ DEBUG(1,("krb5_get_credentials failed for %s (%s)\n",
+ principal, error_message(retval)));
+ goto cleanup_creds;
+ }
+
+ /* cope with ticket being in the future due to clock skew */
+ if ((unsigned)credsp->times.starttime > time(NULL)) {
+ time_t t = time(NULL);
+ int time_offset =(unsigned)credsp->times.starttime-t;
+ DEBUG(4,("Advancing clock by %d seconds to cope with clock skew\n", time_offset));
+ krb5_set_real_time(context, t + time_offset + 1, 0);
+ }
+
+ /* cope with expired tickets */
+ if ((unsigned)credsp->times.endtime < time(NULL)) {
+ DEBUG(3,("Ticket (%s) in ccache (%s) has expired (%s - %d). Obtaining new ticket.\n",
+ principal, krb5_cc_default_name(context),
+ http_timestring(
+ (unsigned)credsp->times.endtime),
+ (unsigned)credsp->times.endtime));
+ if ((retval = krb5_cc_remove_cred(context, ccache, 0,
+ credsp))) {
+ DEBUG(1,("krb5_cc_remove_cred failed for %s (%s)\n",
+ principal, error_message(retval)));
+ }
+ } else {
+ have_creds = True;
+ }
 }
- /* cope with the ticket being in the future due to clock skew */
- if ((unsigned)credsp->times.starttime > time(NULL)) {
- time_t t = time(NULL);
- int time_offset = (unsigned)credsp->times.starttime - t;
- DEBUG(4,("Advancing clock by %d seconds to cope with clock skew\n", time_offset));
- krb5_set_real_time(context, t + time_offset + 1, 0);
- }
+ DEBUG(10,("Ticket (%s) in ccache (%s) is valid until: (%s - %d)\n",
+ principal, krb5_cc_default_name(context),
+ http_timestring((unsigned)credsp->times.endtime),
+ (unsigned)credsp->times.endtime));
 in_data.length = 0;
 retval = krb5_mk_req_extended(context, auth_context, ap_req_options, |
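Review bot: The `while(!have_creds)` loop has no exit when `krb5_cc_remove_cred` fails: the failure is only logged at level 1, `have_creds` stays False, and the next `krb5_get_credentials` call can return the same expired cached ticket, so the caller may spin indefinitely. Treat a failed removal as fatal for this attempt by adding `goto cleanup_creds;` after that DEBUG line, or bound the loop with a small retry counter. Each pass also overwrites `credsp` without releasing the previous result, so a `krb5_free_creds(context, credsp);` before retrying looks necessary; whether the cleanup labels release `credsp` is not visible here. The body of ads_krb5_mk_req starts before and continues after this hunk.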