author | Stef Walter <stefw@gnome.org> | 2012-04-11 12:12:57 +0200 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2012-05-04 15:47:04 -0400 |
commit | 4d1a261202d828efc84e3a84d16c30548f29f76d (patch) | |
tree | 1f5fd8c9522842979eed34efecfd7636c79a9e67 /src | |
parent | 077ec9ac6dfef339c16ecc9c2f60cd77e62c9272 (diff) | |
If canon'ing principals, write ccache with updated default principal
* When calling krb5_get_init_creds_keytab() with
krb5_get_init_creds_opt_set_canonicalize() the credential
principal can get updated.
* Create the cache file with the correct default credential.
* LDAP GSSAPI SASL would fail due to the mismatched credentials
before this patch.
https://bugzilla.redhat.com/show_bug.cgi?id=811518
Diffstat (limited to 'src')
-rw-r--r-- | src/providers/krb5/krb5_child.c | 8 | ||||
-rw-r--r-- | src/providers/ldap/ldap_child.c | 3 |
2 files changed, 8 insertions, 3 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index cc29c00f..f403dbc3 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -628,7 +628,8 @@ static krb5_error_code get_and_save_tgt_with_keytab(krb5_context ctx,
 return kerr;
 }
- kerr = create_ccache_file(ctx, princ, ccname, &creds);
+ /* Use the updated principal in the creds in case canonicalized */
+ kerr = create_ccache_file(ctx, creds.client, ccname, &creds);
 if (kerr != 0) {
 KRB5_DEBUG(1, kerr);
 goto done;
@@ -685,7 +686,10 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
 }
 }
- kerr = create_ccache_file(kr->ctx, kr->princ, kr->ccname, kr->creds);
+ /* Use the updated principal in the creds in case canonicalized */
+ kerr = create_ccache_file(kr->ctx,
+ kr->creds ? kr->creds->client : kr->princ,
+ kr->ccname, kr->creds);
 if (kerr != 0) {
 KRB5_DEBUG(1, kerr);
 goto done;
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index 5356f883..e6bf4c3a 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -285,7 +285,8 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
 goto done;
 }
- krberr = krb5_cc_initialize(context, ccache, kprinc);
+ /* Use updated principal if changed due to canonicalization. */
+ krberr = krb5_cc_initialize(context, ccache, my_creds.client);
 if (krberr) {
 DEBUG(2, ("Failed to init ccache: %s\n", sss_krb5_get_error_message(context, krberr))); |
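Review bot: The ccache default principal in get_and_save_tgt_with_keytab() is now taken from `creds.client` with no record of whether it differs from the requested `princ`, so a client name rewritten by the KDC during canonicalization leaves no trace in the logs. A debug line guarded by `if (!krb5_principal_compare(ctx, princ, creds.client))` just before the `create_ccache_file()` call would make a changed principal auditable. The same applies to the `kr->creds->client` call in get_and_save_tgt() and the `my_creds.client` call in ldap_child_get_tgt_sync(). Whether later code still compares against the original principal cannot be seen here, since the function body continues outside the hunk.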
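Review bot: The `kr->creds ? kr->creds->client : kr->princ` fallback in get_and_save_tgt() is inconsistent with the same call passing `kr->creds` unguarded as its last argument. If `kr->creds` can be NULL at this point, create_ccache_file() presumably still receives a NULL creds pointer (its body is not part of this diff); if it cannot, the ternary is dead code that obscures the invariant. Either pass the client directly as the other two call sites do, `kerr = create_ccache_file(kr->ctx, kr->creds->client, kr->ccname, kr->creds);`, or fail early with an explicit NULL check before the call. The function starts and ends outside the hunk, so the earlier handling of `kr->creds` should be confirmed first.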