author | Lukas Slebodnik <lslebodn@redhat.com> | 2013-05-29 09:57:38 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-06-26 19:28:34 +0200 |
commit | fa3cdcff460d555f4a4905fb0a2d96be564fc599 (patch) | |
tree | 6651bdfbc27b50f529dba59b773ae0226c9a9650 | |
parent | d413dd5d7d4affeae9fe4dfd2de4b2296ecaffcc (diff) | |
Every time return directory for krb5 cache collection.
Function krb5_cc_get_full_name is called only as a way to validate that
we have the right cache. Instead of the returned name, the location is returned
from function cc_dir_cache_for_princ.
https://fedorahosted.org/sssd/ticket/1936
-rw-r--r-- | src/providers/krb5/krb5_child.c | 63 | ||||
-rw-r--r-- | src/providers/krb5/krb5_utils.c | 5 |
2 files changed, 64 insertions, 4 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 130be96b..588c6d64 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1082,13 +1082,59 @@ done:
 }
+static char * get_ccache_name_by_principal(TALLOC_CTX *mem_ctx,
+ krb5_context ctx,
+ krb5_principal principal,
+ const char *ccname)
+{
+ krb5_error_code kerr;
+ krb5_ccache tmp_cc = NULL;
+ char *tmp_ccname = NULL;
+ char *ret_ccname = NULL;
+
+ kerr = krb5_cc_set_default_name(ctx, ccname);
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_MINOR_FAILURE, kerr);
+ return NULL;
+ }
+
+ kerr = krb5_cc_cache_match(ctx, principal, &tmp_cc);
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_TRACE_INTERNAL, kerr);
+ return NULL;
+ }
+
+ kerr = krb5_cc_get_full_name(ctx, tmp_cc, &tmp_ccname);
+ if (kerr !=0) {
+ KRB5_CHILD_DEBUG(SSSDBG_MINOR_FAILURE, kerr);
+ goto done;
+ }
+
+ ret_ccname = talloc_strdup(mem_ctx, tmp_ccname);
+ if (ret_ccname == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("talloc_strdup failed (ENOMEM).\n"));
+ }
+
+done:
+ if (tmp_cc != NULL) {
+ kerr = krb5_cc_close(ctx, tmp_cc);
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_MINOR_FAILURE, kerr);
+ }
+ }
+ krb5_free_string(ctx, tmp_ccname);
+
+ return ret_ccname;
+}
+
 static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
 const char *password)
 {
 const char *realm_name;
 int realm_length;
 krb5_error_code kerr;
-
+ char *cc_name;
+ krb5_principal principal;
 kerr = sss_krb5_get_init_creds_opt_set_expire_callback(kr->ctx, kr->options,
 sss_krb5_expire_callback_func,
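Review bot: In get_ccache_name_by_principal, `krb5_cc_set_default_name(ctx, ccname)` changes the default cache name of the caller's context and nothing restores it, so any later default-cache operation on that context would resolve against ccname. The second krb5_child.c hunk passes kr->ctx here, the same context it hands to create_ccache afterwards. Either run the lookup on a private context (cc_dir_cache_for_princ in krb5_utils.c frees a context after its own lookup, which suggests that pattern) or state the side effect above the function, e.g. `/* NOTE: leaves ctx's default ccache name set to ccname. */`. The header comment should also say that the result is talloc-allocated on mem_ctx and that NULL covers both "no cache for this principal" and a lookup failure. Minor style point: `kerr !=0` is missing a space, unlike the other checks in the function.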
@@ -1133,10 +1179,21 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
 }
 }
+ principal = kr->creds ? kr->creds->client : kr->princ;
+
+ /* If kr->ccname is cache collection (DIR:/...), we want to work
+ * directly with file ccache (DIR::/...), but cache collection
+ * should be returned back to back end.
+ */
+ cc_name = get_ccache_name_by_principal(kr->pd, kr->ctx, principal,
+ kr->ccname);
+ if (cc_name == NULL) {
+ cc_name = kr->ccname;
+ }
+
 /* Use the updated principal in the creds in case canonicalized */
 kerr = create_ccache(kr->uid, kr->gid, kr->ctx,
- kr->creds ? kr->creds->client : kr->princ,
- kr->ccname, kr->creds);
+ principal, cc_name, kr->creds);
 if (kerr != 0) {
 KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
 goto done;
diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c
index 1883d785..3f16faa7 100644
--- a/src/providers/krb5/krb5_utils.c
+++ b/src/providers/krb5/krb5_utils.c
@@ -1164,6 +1164,9 @@ cc_dir_cache_for_princ(TALLOC_CTX *mem_ctx, const char *location,
 return NULL;
 }
+ /* This function is called only as a way to validate that,
+ * we have the right cache
+ */
 krberr = krb5_cc_get_full_name(context, ccache, &name);
 if (ccache) krb5_cc_close(context, ccache);
 krb5_free_context(context);
@@ -1173,7 +1176,7 @@ cc_dir_cache_for_princ(TALLOC_CTX *mem_ctx, const char *location,
 return NULL;
 }
- return talloc_strdup(mem_ctx, name);
+ return talloc_strdup(mem_ctx, location);
 }
 errno_t |
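Review bot: In get_and_save_tgt (second krb5_child.c hunk), the `cc_name == NULL` fallback treats a failed lookup (an error from krb5_cc_set_default_name, or ENOMEM in talloc_strdup) the same as "no cache for this principal yet" and goes on to store the new credentials under the collection name. If that best-effort behaviour is intended it should be stated where it happens, e.g. `/* NULL: no matching cache or lookup failed; fall back to the collection name */`. Separately, create_ccache is given kr->uid and kr->gid, which suggests the switch to the user's identity happens inside it; if so, the new lookup opens the user-owned cache location before that switch, and it is worth confirming this is acceptable or moving the lookup behind the privilege drop. The function body starts and ends outside this hunk.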
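Review bot: In cc_dir_cache_for_princ (krb5_utils.c), once the last hunk returns `talloc_strdup(mem_ctx, location)`, the string filled in by krb5_cc_get_full_name serves only as a validity check, and no krb5_free_string for it is visible in either hunk, so it appears to leak on every successful call. If the lines between the two hunks do not release it, add `krb5_free_string(context, name);` on the success path before `krb5_free_context(context);`. The new comment would read more clearly as `/* krb5_cc_get_full_name is called only to validate that we have the right cache; its result is not returned. */`, since "This function" can be taken to mean cc_dir_cache_for_princ itself. The function starts before the first hunk, so the declaration and initial value of `name` are not visible here.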