summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLukas Slebodnik <lslebodn@redhat.com>2013-05-29 09:57:38 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-06-26 19:28:34 +0200
commitfa3cdcff460d555f4a4905fb0a2d96be564fc599 (patch)
tree6651bdfbc27b50f529dba59b773ae0226c9a9650
parentd413dd5d7d4affeae9fe4dfd2de4b2296ecaffcc (diff)
downloadsssd-fa3cdcff460d555f4a4905fb0a2d96be564fc599.tar.gz
sssd-fa3cdcff460d555f4a4905fb0a2d96be564fc599.tar.bz2
sssd-fa3cdcff460d555f4a4905fb0a2d96be564fc599.zip
Every time return directory for krb5 cache collection.
Function krb5_cc_get_full_name is called only as a way to validate that, we have the right cache. Instead of returned name, location will be returned from function cc_dir_cache_for_princ. https://fedorahosted.org/sssd/ticket/1936
-rw-r--r--src/providers/krb5/krb5_child.c63
-rw-r--r--src/providers/krb5/krb5_utils.c5
2 files changed, 64 insertions, 4 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 130be96b..588c6d64 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1082,13 +1082,59 @@ done:
}
+static char * get_ccache_name_by_principal(TALLOC_CTX *mem_ctx,
+ krb5_context ctx,
+ krb5_principal principal,
+ const char *ccname)
+{
+ krb5_error_code kerr;
+ krb5_ccache tmp_cc = NULL;
+ char *tmp_ccname = NULL;
+ char *ret_ccname = NULL;
+
+ kerr = krb5_cc_set_default_name(ctx, ccname);
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_MINOR_FAILURE, kerr);
+ return NULL;
+ }
+
+ kerr = krb5_cc_cache_match(ctx, principal, &tmp_cc);
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_TRACE_INTERNAL, kerr);
+ return NULL;
+ }
+
+ kerr = krb5_cc_get_full_name(ctx, tmp_cc, &tmp_ccname);
+ if (kerr !=0) {
+ KRB5_CHILD_DEBUG(SSSDBG_MINOR_FAILURE, kerr);
+ goto done;
+ }
+
+ ret_ccname = talloc_strdup(mem_ctx, tmp_ccname);
+ if (ret_ccname == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("talloc_strdup failed (ENOMEM).\n"));
+ }
+
+done:
+ if (tmp_cc != NULL) {
+ kerr = krb5_cc_close(ctx, tmp_cc);
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_MINOR_FAILURE, kerr);
+ }
+ }
+ krb5_free_string(ctx, tmp_ccname);
+
+ return ret_ccname;
+}
+
static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
const char *password)
{
const char *realm_name;
int realm_length;
krb5_error_code kerr;
-
+ char *cc_name;
+ krb5_principal principal;
kerr = sss_krb5_get_init_creds_opt_set_expire_callback(kr->ctx, kr->options,
sss_krb5_expire_callback_func,
@@ -1133,10 +1179,21 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
}
}
+ principal = kr->creds ? kr->creds->client : kr->princ;
+
+ /* If kr->ccname is cache collection (DIR:/...), we want to work
+ * directly with file ccache (DIR::/...), but cache collection
+ * should be returned back to back end.
+ */
+ cc_name = get_ccache_name_by_principal(kr->pd, kr->ctx, principal,
+ kr->ccname);
+ if (cc_name == NULL) {
+ cc_name = kr->ccname;
+ }
+
/* Use the updated principal in the creds in case canonicalized */
kerr = create_ccache(kr->uid, kr->gid, kr->ctx,
- kr->creds ? kr->creds->client : kr->princ,
- kr->ccname, kr->creds);
+ principal, cc_name, kr->creds);
if (kerr != 0) {
KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
goto done;
diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c
index 1883d785..3f16faa7 100644
--- a/src/providers/krb5/krb5_utils.c
+++ b/src/providers/krb5/krb5_utils.c
@@ -1164,6 +1164,9 @@ cc_dir_cache_for_princ(TALLOC_CTX *mem_ctx, const char *location,
return NULL;
}
+ /* This function is called only as a way to validate that,
+ * we have the right cache
+ */
krberr = krb5_cc_get_full_name(context, ccache, &name);
if (ccache) krb5_cc_close(context, ccache);
krb5_free_context(context);
@@ -1173,7 +1176,7 @@ cc_dir_cache_for_princ(TALLOC_CTX *mem_ctx, const char *location,
return NULL;
}
- return talloc_strdup(mem_ctx, name);
+ return talloc_strdup(mem_ctx, location);
}
errno_t