author | Sumit Bose <sbose@redhat.com> | 2010-12-13 22:36:05 +0100 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2010-12-20 09:39:55 -0500 |
commit | 589dd0f6600515926e4e514442c62366db0a62b3 (patch) | |
tree | 28cbb3904108e4afae51affbdd823e0d58c2924e /src/providers/krb5/krb5_child.c | |
parent | b770be929d9c786b1ac671cca59dfd3314e65fdd (diff) | |
Fixes for automatic ticket renewal
- do not recreate the ccache file when renewing the TGT
- use user principal name as hash key instead of ccfile name
- let krb5_child return Kerberos error codes
Diffstat (limited to 'src/providers/krb5/krb5_child.c')
-rw-r--r-- | src/providers/krb5/krb5_child.c | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index b973c134..335da423 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1046,12 +1046,14 @@ static errno_t renew_tgt_child(int fd, struct krb5_req *kr)
 if (kr->pd->authtok_type != SSS_AUTHTOK_TYPE_CCFILE) {
 DEBUG(1, ("Unsupported authtok type for TGT renewal [%d].\n", kr->pd->authtok_type));
+ kerr = EINVAL;
 goto done;
 }
 ccname = talloc_strndup(kr, (char *) kr->pd->authtok, kr->pd->authtok_size);
 if (ccname == NULL) {
 DEBUG(1, ("talloc_strndup failed.\n"));
+ kerr = ENOMEM;
 goto done;
 }
@@ -1064,6 +1066,9 @@ static errno_t renew_tgt_child(int fd, struct krb5_req *kr)
 kerr = krb5_get_renewed_creds(kr->ctx, kr->creds, kr->princ, ccache, NULL);
 if (kerr != 0) {
 KRB5_DEBUG(1, kerr);
+ if (kerr == KRB5_KDC_UNREACH) {
+ status = PAM_AUTHINFO_UNAVAIL;
+ }
 goto done;
 }
@@ -1085,6 +1090,7 @@ static errno_t renew_tgt_child(int fd, struct krb5_req *kr)
 ret = become_user(kr->uid, kr->gid);
 if (ret != EOK) {
 DEBUG(1, ("become_user failed.\n"));
+ kerr = ret;
 goto done;
 }
 }
@@ -1107,6 +1113,7 @@ static errno_t renew_tgt_child(int fd, struct krb5_req *kr)
 }
 status = PAM_SUCCESS;
+ kerr = 0;
 done:
 krb5_free_cred_contents(kr->ctx, kr->creds);
@@ -1115,7 +1122,7 @@ done:
 krb5_cc_close(kr->ctx, ccache);
 }
- ret = sendresponse(fd, 0, status, kr);
+ ret = sendresponse(fd, kerr, status, kr);
 if (ret != EOK) {
 DEBUG(1, ("sendresponse failed.\n"));
 }
@@ -1424,7 +1431,13 @@ static int krb5_child_setup(struct krb5_req *kr, uint32_t offline)
 kr->child_req = kuserok_child;
 break;
 case SSS_CMD_RENEW:
- kr->child_req = renew_tgt_child;
+ if (!offline) {
+ kr->child_req = renew_tgt_child;
+ } else {
+ DEBUG(1, ("Cannot renew TGT while offline.\n"));
+ kerr = KRB5_KDC_UNREACH;
+ goto failed;
+ }
 break;
 default:
 DEBUG(1, ("PAM command [%d] not supported.\n", kr->pd->cmd)); |
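Review bot: `kerr` is given plain errno values (`EINVAL`, `ENOMEM`) on the two early exits in the hunk at -1046, and `kerr = ret` does the same after a failed `become_user()` in the hunk at -1085, so the code later passed to `sendresponse()` mixes errno and Kerberos values. That can work, but the receiving side has to know about it; I would add a comment at the first assignment such as `/* kerr is reported to the parent: errno for local failures, krb5 code for library failures */`. The declaration of `kerr` and the parent's handling of the value are outside these hunks, so whether the two ranges are told apart cannot be checked from here.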
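Review bot: In the `krb5_get_renewed_creds()` failure branch (hunk at -1064) only `KRB5_KDC_UNREACH` is mapped to `PAM_AUTHINFO_UNAVAIL`; every other error keeps whatever `status` was initialised to, and that initialisation is outside the hunk. If the parent uses this status to choose between retrying the renewal later and giving up on the ticket, other cannot-reach-the-KDC results (possibly `KRB5_REALM_CANT_RESOLVE`) would be reported as a hard failure. Either extend the test or document the choice in place, e.g. `/* only an unreachable KDC is treated as retryable; all other errors fail the renewal */`.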
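Review bot: `sendresponse(fd, kerr, status, kr)` in the hunk at -1115 now reads `kerr` on every path that reaches `done:`, but only the exits touched by this patch are known to set it. Any other `goto done` in renew_tgt_child that fails through `ret` rather than `kerr` would send a stale or zero code next to a failure `status`, which the parent could misread. The body between the hunks and the declaration of `kerr` are not shown, so the remaining exits need checking; I would also record the invariant at the label with `/* every path to done must have set kerr; it is sent to the parent */`.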
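Review bot: The offline `SSS_CMD_RENEW` branch in krb5_child_setup sets `kerr = KRB5_KDC_UNREACH` and jumps to `failed`, but the `failed:` label and the caller are outside the hunk, so it is not visible whether that code reaches the parent as a response or the child simply exits with an error. If it is the latter, the parent cannot distinguish "offline, retry later" from a broken child, and a renewal entry might be dropped while the ticket is still renewable; this should be confirmed and stated in a comment on the branch. As a style point the error case reads better as a guard: `if (offline) { DEBUG(1, ("Cannot renew TGT while offline.\n")); kerr = KRB5_KDC_UNREACH; goto failed; }` followed by the unconditional `kr->child_req = renew_tgt_child;`.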