From 3c62df47809865daf80c215135d46c722992134b Mon Sep 17 00:00:00 2001
From: Jim McDonough
Date: Wed, 14 Apr 2004 19:06:45 +0000
Subject: r221: Remainder of bug 1208.

We do not remove creds from _any_ FILE ccache, because not only does it not work on Heimdal, but also since ccaches created within samba are memory-based, so we shouldn't touch a FILE-based one (it was probably created via kinit or similar).

(This used to be commit 5971b0980ca8abae2208f22485c5af4c0dde0459)
---
 source3/libsmb/clikrb5.c | 57 +++++++++++++++++++++++++++++++++---------------
 1 file changed, 40 insertions(+), 17 deletions(-) (limited to 'source3/libsmb')
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index e957cbc91f..81797a7bfc 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -234,6 +234,42 @@ krb5_error_code get_kerberos_allowed_etypes(krb5_context context,
 }
 #endif
 
+static BOOL ads_cleanup_expired_creds(krb5_context context,
+ krb5_ccache ccache,
+ krb5_creds *credsp)
+{
+ krb5_error_code retval;
+
+ DEBUG(3, ("Ticket in ccache[%s] expiration %s\n",
+ krb5_cc_default_name(context),
+ http_timestring(credsp->times.endtime)));
+
+ /* we will probably need new tickets if the current ones
+ will expire within 10 seconds.
+ */
+ if (credsp->times.endtime >= (time(NULL) + 10))
+ return False;
+
+ /* heimdal won't remove creds from a file ccache, and
+ perhaps we shouldn't anyway, since internally we
+ use memory ccaches, and a FILE one probably means that
+ we're using creds obtained outside of our exectuable
+ */
+ if (StrCaseCmp(krb5_cc_get_type(context, ccache), "FILE") == 0) {
+ DEBUG(5, ("We do not remove creds from a FILE ccache\n"));
+ return False;
+ }
+
+ retval = krb5_cc_remove_cred(context, ccache, 0, credsp);
+ if (retval) {
+ DEBUG(1, ("krb5_cc_remove_cred failed, err %s\n",
+ error_message(retval)));
+ /* If we have an error in this, we want to display it,
+ but continue as though we deleted it */
+ }
+ return True;
+}
+
 /*
 we can't use krb5_mk_req because w2k wants the service to be in a particular format
 */
@@ -249,7 +285,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
 krb5_creds * credsp;
 krb5_creds creds;
 krb5_data in_data;
- BOOL have_creds = False;
+ BOOL creds_ready = False;
 
 retval = krb5_parse_name(context, principal, &server);
 if (retval) {
@@ -271,7 +307,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
 goto cleanup_creds;
 }
 
- while(!have_creds) {
+ while(!creds_ready) {
 if ((retval = krb5_get_credentials(context, 0, ccache, &creds, &credsp))) {
 DEBUG(1,("krb5_get_credentials failed for %s (%s)\n",
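Review bot: In ads_cleanup_expired_creds the `if (retval)` branch after krb5_cc_remove_cred logs the failure and still returns True, which the caller's `while(!creds_ready)` loop takes to mean the ticket was dropped and a fresh one should be fetched; on a non-FILE ccache whose type cannot remove the entry, and where krb5_get_credentials then hands back the same cached ticket, that loop never ends. Returning False there, `if (retval) { DEBUG(1, (...)); return False; }`, lets the caller proceed with what it has instead of spinning. The DEBUG(3) line reports `krb5_cc_default_name(context)` even though the function is handed `ccache`; `krb5_cc_get_name(context, ccache)` names the cache actually in use. The removed code compared `(unsigned)credsp->times.endtime` while the new comparison is signed, so if krb5_timestamp is a signed 32-bit type a post-2038 endtime reads as already expired on every pass — worth keeping the cast or confirming the type. Minor: `exectuable` in the comment, and the 10-second margin would read better as a named constant.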
@@ -287,21 +323,8 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
 krb5_set_real_time(context, t + time_offset + 1, 0);
 }
 
- /* cope with expired tickets */
- if ((unsigned)credsp->times.endtime < time(NULL)) {
- DEBUG(3,("Ticket (%s) in ccache (%s) has expired (%s - %d). Obtaining new ticket.\n",
- principal, krb5_cc_default_name(context),
- http_timestring(
- (unsigned)credsp->times.endtime),
- (unsigned)credsp->times.endtime));
- if ((retval = krb5_cc_remove_cred(context, ccache, 0,
- credsp))) {
- DEBUG(1,("krb5_cc_remove_cred failed for %s (%s)\n",
- principal, error_message(retval))));
- }
- } else {
- have_creds = True;
- }
+ if (!ads_cleanup_expired_creds(context, ccache, credsp))
+ creds_ready = True;
 }
 
 DEBUG(10,("Ticket (%s) in ccache (%s) is valid until: (%s - %d)\n",
-- cgit
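Review bot: The retry loop closed by the `}` after `creds_ready = True;` has no upper bound once ads_cleanup_expired_creds returns True, so a ccache that keeps yielding a ticket inside the helper's 10-second window (clock skew, a KDC issuing very short tickets) or one that cannot really drop the entry re-enters krb5_get_credentials forever; the old code had the same shape, but with the removal now in a helper it is easy to allow one refetch and then fail with KRB5KRB_AP_ERR_TKT_EXPIRED. Nothing in the hunk frees the `credsp` returned by the previous krb5_get_credentials before the next iteration overwrites it, so unless cleanup_creds (outside the hunk) tracks every one, each retry leaks a krb5_creds. The rewrite below needs `int retries = 0;` declared next to `creds_ready` in the earlier hunk; ads_krb5_mk_req begins and ends outside this hunk.
```c
		/* … unchanged: krb5_get_credentials call and clock-skew handling … */
		if (ads_cleanup_expired_creds(context, ccache, credsp)) {
			/* entry dropped: refetch once, then give up rather than
			   spin on a cache that keeps returning an expired ticket */
			if (++retries > 1) {
				retval = KRB5KRB_AP_ERR_TKT_EXPIRED;
				goto cleanup_creds;
			}
			krb5_free_creds(context, credsp);
			credsp = NULL;
			continue;
		}
		creds_ready = True;
```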