-rw-r--r--src/config/etc/sssd.api.d/sssd-ad.conf2
-rw-r--r--src/config/etc/sssd.api.d/sssd-ipa.conf2
-rw-r--r--src/config/etc/sssd.api.d/sssd-krb5.conf2
-rw-r--r--src/man/sssd-krb5.5.xml26
-rw-r--r--src/providers/ad/ad_opts.h2
-rw-r--r--src/providers/ipa/ipa_opts.h2
-rw-r--r--src/providers/krb5/krb5_auth.c18
-rw-r--r--src/providers/krb5/krb5_init_shared.c16
-rw-r--r--src/providers/krb5/krb5_opts.h2
9 files changed, 59 insertions, 13 deletions
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index 85e34cb1..dbee270e 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -115,7 +115,7 @@ ldap_pwd_policy = str, None, false
krb5_store_password_if_offline = bool, None, false
krb5_renewable_lifetime = str, None, false
krb5_lifetime = str, None, false
-krb5_renew_interval = int, None, false
+krb5_renew_interval = str, None, false
krb5_use_fast = str, None, false
krb5_fast_principal = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index e9c7b232..a165bc23 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -136,7 +136,7 @@ ldap_pwd_policy = str, None, false
krb5_store_password_if_offline = bool, None, false
krb5_renewable_lifetime = str, None, false
krb5_lifetime = str, None, false
-krb5_renew_interval = int, None, false
+krb5_renew_interval = str, None, false
krb5_use_fast = str, None, false
krb5_fast_principal = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-krb5.conf b/src/config/etc/sssd.api.d/sssd-krb5.conf
index 3a36f5ef..6534282f 100644
--- a/src/config/etc/sssd.api.d/sssd-krb5.conf
+++ b/src/config/etc/sssd.api.d/sssd-krb5.conf
@@ -15,7 +15,7 @@ krb5_validate = bool, None, false
krb5_store_password_if_offline = bool, None, false
krb5_renewable_lifetime = str, None, false
krb5_lifetime = str, None, false
-krb5_renew_interval = int, None, false
+krb5_renew_interval = str, None, false
krb5_use_fast = str, None, false
krb5_fast_principal = str, None, false
krb5_canonicalize = bool, None, false
diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
index 80b2d54d..00881b8b 100644
--- a/src/man/sssd-krb5.5.xml
+++ b/src/man/sssd-krb5.5.xml
@@ -351,12 +351,34 @@
</varlistentry>
<varlistentry>
- <term>krb5_renew_interval (integer)</term>
+ <term>krb5_renew_interval (string)</term>
<listitem>
<para>
The time in seconds between two checks if the TGT
should be renewed. TGTs are renewed if about half
- of their lifetime is exceeded.
+ of their lifetime is exceeded, given as an integer
+ immediately followed by a time unit:
+ </para>
+ <para>
+ <emphasis>s</emphasis> for seconds
+ </para>
+ <para>
+ <emphasis>m</emphasis> for minutes
+ </para>
+ <para>
+ <emphasis>h</emphasis> for hours
+ </para>
+ <para>
+ <emphasis>d</emphasis> for days.
+ </para>
+ <para>
+ If there is no unit given, <emphasis>s</emphasis> is
+ assumed.
+ </para>
+ <para>
+ NOTE: It is not possible to mix units. To set
+ the renewable lifetime to one and a half hours,
+ use '90m' instead of '1h30m'.
</para>
<para>
If this option is not set or is 0 the automatic
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index 28567222..09aee7e2 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -138,7 +138,7 @@ struct dp_option ad_def_krb5_opts[] = {
{ "krb5_store_password_if_offline", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "krb5_renewable_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
- { "krb5_renew_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
+ { "krb5_renew_interval", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_use_fast", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index cb6f40e8..970d05b3 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -259,7 +259,7 @@ struct dp_option ipa_def_krb5_opts[] = {
{ "krb5_store_password_if_offline", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "krb5_renewable_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
- { "krb5_renew_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
+ { "krb5_renew_interval", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_use_fast", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 6c0f429f..00025bfc 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -827,6 +827,9 @@ static void krb5_auth_done(struct tevent_req *subreq)
struct krb5_child_response *res;
const char *store_ccname;
struct fo_server *search_srv;
+ krb5_deltat renew_interval_delta;
+ char *renew_interval_str;
+ time_t renew_interval_time = 0;
ret = handle_child_recv(subreq, pd, &buf, &len);
talloc_zfree(subreq);
@@ -1072,9 +1075,18 @@ static void krb5_auth_done(struct tevent_req *subreq)
DEBUG(1, ("krb5_save_ccname failed.\n"));
goto done;
}
-
- if (res->msg_status == ERR_OK &&
- (dp_opt_get_int(kr->krb5_ctx->opts, KRB5_RENEW_INTERVAL) > 0) &&
+ renew_interval_str = dp_opt_get_string(kr->krb5_ctx->opts,
+ KRB5_RENEW_INTERVAL);
+ if (renew_interval_str != NULL) {
+ ret = krb5_string_to_deltat(renew_interval_str, &renew_interval_delta);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Reading krb5_renew_interval failed.\n"));
+ renew_interval_delta = 0;
+ }
+ renew_interval_time = renew_interval_delta;
+ }
+ if (res->msg_status == ERR_OK && renew_interval_time > 0 &&
(pd->cmd == SSS_PAM_AUTHENTICATE ||
pd->cmd == SSS_CMD_RENEW ||
pd->cmd == SSS_PAM_CHAUTHTOK) &&
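Review bot: The parse-failure path at `if (ret != EOK)` leaves the krb5_error_code returned by krb5_string_to_deltat() in `ret`, the function's errno_t result, and never resets it after falling back to `renew_interval_delta = 0`; if the code following this hunk (krb5_auth_done continues outside it) reaches `done` without reassigning `ret`, a misspelled interval would turn a successful authentication into a request error, so parsing into a separate `krb5_error_code kerr` would keep the two error domains apart. The same block is repeated in krb5_child_init in krb5_init_shared.c; since that function already runs once at startup, parsing there and caching the resulting time_t in krb5_ctx would avoid re-parsing the option string on every authentication and stop the two copies from drifting. In both places a typo in the option silently disables TGT renewal with only a minor-failure line, so the message should name the value at a higher severity, e.g. `DEBUG(SSSDBG_OP_FAILURE, ("Invalid krb5_renew_interval [%s], TGT renewal disabled.\n", renew_interval_str));`.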
diff --git a/src/providers/krb5/krb5_init_shared.c b/src/providers/krb5/krb5_init_shared.c
index 0dac5fa6..c9eec2f8 100644
--- a/src/providers/krb5/krb5_init_shared.c
+++ b/src/providers/krb5/krb5_init_shared.c
@@ -30,7 +30,9 @@ errno_t krb5_child_init(struct krb5_ctx *krb5_auth_ctx,
{
errno_t ret;
FILE *debug_filep;
- time_t renew_intv;
+ time_t renew_intv = 0;
+ krb5_deltat renew_interval_delta;
+ char *renew_interval_str;
if (dp_opt_get_bool(krb5_auth_ctx->opts, KRB5_STORE_PASSWORD_IF_OFFLINE)) {
ret = init_delayed_online_authentication(krb5_auth_ctx, bectx,
@@ -40,8 +42,18 @@ errno_t krb5_child_init(struct krb5_ctx *krb5_auth_ctx,
goto done;
}
}
+ renew_interval_str = dp_opt_get_string(krb5_auth_ctx->opts,
+ KRB5_RENEW_INTERVAL);
+ if (renew_interval_str != NULL) {
+ ret = krb5_string_to_deltat(renew_interval_str, &renew_interval_delta);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Reading krb5_renew_interval failed.\n"));
+ renew_interval_delta = 0;
+ }
+ renew_intv = renew_interval_delta;
+ }
- renew_intv = dp_opt_get_int(krb5_auth_ctx->opts, KRB5_RENEW_INTERVAL);
if (renew_intv > 0) {
ret = init_renew_tgt(krb5_auth_ctx, bectx, bectx->ev, renew_intv);
if (ret != EOK) {
diff --git a/src/providers/krb5/krb5_opts.h b/src/providers/krb5/krb5_opts.h
index f29fbaaf..8ac29532 100644
--- a/src/providers/krb5/krb5_opts.h
+++ b/src/providers/krb5/krb5_opts.h
@@ -39,7 +39,7 @@ struct dp_option default_krb5_opts[] = {
{ "krb5_store_password_if_offline", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "krb5_renewable_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
- { "krb5_renew_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER },
+ { "krb5_renew_interval", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_use_fast", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },