From b53c6d5adcd51869fe2d84b6149b4894fa18a436 Mon Sep 17 00:00:00 2001

From: Jakub Hrozek <jhrozek@redhat.com>

Date: Sat, 18 Oct 2014 20:52:43 +0200

Subject: [PATCH 85/92] KRB5: Move ccache-related functions to krb5_ccache.c

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Add a new module krb5_ccache.c that contains all ccache-related

operations. The only user of this module shall be krb5_child.c as the

other modules will run unprivileged and accessing the ccache requires

either privileges of root or the ccache owner.

Related:

https://fedorahosted.org/sssd/ticket/2370

Reviewed-by: Sumit Bose <sbose@redhat.com>

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

---

 Makefile.am                                        |   4 +

 src/providers/krb5/krb5_auth.c                     |  16 +-

 src/providers/krb5/krb5_auth.h                     |   1 +

 src/providers/krb5/{krb5_utils.c => krb5_ccache.c} | 720 +++++----------------

 src/providers/krb5/{krb5_utils.h => krb5_ccache.h} |  49 +-

 src/providers/krb5/krb5_child.c                    |   1 +

 src/providers/krb5/krb5_common.h                   |   7 -

 src/providers/krb5/krb5_renew_tgt.c                |   1 +

 src/providers/krb5/krb5_utils.c                    | 674 +------------------

 src/providers/krb5/krb5_utils.h                    |  15 -

 src/tests/krb5_child-test.c                        |   1 +

 src/tests/krb5_utils-tests.c                       |   1 +

 12 files changed, 198 insertions(+), 1292 deletions(-)

 copy src/providers/krb5/{krb5_utils.c => krb5_ccache.c} (57%)

 copy src/providers/krb5/{krb5_utils.h => krb5_ccache.h} (53%)

diff --git a/Makefile.am b/Makefile.am

index 5f265dcefd16ce4efdde4d62f3cd5d02dbce255f..4a69ecb0cfe48e20bde958c9351c2a5ece5ffffa 100644

--- a/Makefile.am

+++ b/Makefile.am

@@ -568,6 +568,7 @@ dist_noinst_HEADERS = \

     src/providers/krb5/krb5_utils.h \

     src/providers/krb5/krb5_init_shared.h \

     src/providers/krb5/krb5_opts.h \

+    src/providers/krb5/krb5_ccache.h \

     src/providers/ldap/ldap_common.h \

     src/providers/ldap/sdap.h \

     src/providers/ldap/sdap_access.h \

@@ -1322,6 +1323,7 @@ strtonum_tests_LDADD = \

 krb5_utils_tests_SOURCES = \

     src/tests/krb5_utils-tests.c \

     src/providers/krb5/krb5_utils.c \

+    src/providers/krb5/krb5_ccache.c \

     src/providers/krb5/krb5_common.c \

     src/util/sss_krb5.c \

     src/providers/data_provider_fo.c \

@@ -1603,6 +1605,7 @@ stress_tests_LDADD = \

 krb5_child_test_SOURCES = \

     src/tests/krb5_child-test.c \

     src/providers/krb5/krb5_utils.c \

+    src/providers/krb5/krb5_ccache.c \

     src/providers/krb5/krb5_child_handler.c \

     src/providers/krb5/krb5_common.c \

     src/util/sss_krb5.c \

@@ -2306,6 +2309,7 @@ libsss_krb5_common_la_SOURCES = \

     src/providers/krb5/krb5_access.c \

     src/providers/krb5/krb5_child_handler.c \

     src/providers/krb5/krb5_init_shared.c \

+    src/providers/krb5/krb5_ccache.c \

     src/util/sss_krb5.c \

     src/util/become_user.c \

     $(NULL)

diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c

index c96b7aee99da8c3d43a67a04bb1f67ee048d4705..bd8b51f47462f1eaef8da61b42caedda3475a4e7 100644

--- a/src/providers/krb5/krb5_auth.c

+++ b/src/providers/krb5/krb5_auth.c

@@ -39,21 +39,7 @@

 #include "util/child_common.h"

 #include "providers/krb5/krb5_auth.h"

 #include "providers/krb5/krb5_utils.h"

-

-static errno_t safe_remove_old_ccache_file(const char *old_ccache,

-                                           const char *new_ccache,

-                                           uid_t uid, gid_t gid)

-{

-    if ((old_ccache == new_ccache)

-        || (old_ccache && new_ccache

-            && (strcmp(old_ccache, new_ccache) == 0))) {

-        DEBUG(SSSDBG_TRACE_FUNC, "New and old ccache file are the same, "

-                                  "none will be deleted.\n");

-        return EOK;

-    }

-

-    return sss_krb5_cc_destroy(old_ccache, uid, gid);

-}

+#include "providers/krb5/krb5_ccache.h"

 static errno_t

 check_old_ccache(const char *old_ccache, struct krb5child_req *kr,

diff --git a/src/providers/krb5/krb5_auth.h b/src/providers/krb5/krb5_auth.h

index 022dc9b7645f18d01a8a334371e178aa470d92a1..00cb658c418ade2e6a1d9b5362a40f97e0dc6c6b 100644

--- a/src/providers/krb5/krb5_auth.h

+++ b/src/providers/krb5/krb5_auth.h

@@ -32,6 +32,7 @@

 #include "providers/dp_backend.h"

 #include "util/child_common.h"

 #include "providers/krb5/krb5_common.h"

+#include "providers/krb5/krb5_ccache.h"

 #define CCACHE_ENV_NAME "KRB5CCNAME"

diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_ccache.c

similarity index 57%

copy from src/providers/krb5/krb5_utils.c

copy to src/providers/krb5/krb5_ccache.c

index 0d2e281198390043068e21b412b57de04df6a12b..5586963338616519f36e5d75e796a597d3ac2f22 100644

--- a/src/providers/krb5/krb5_utils.c

+++ b/src/providers/krb5/krb5_ccache.c

@@ -1,12 +1,13 @@

 /*

     SSSD

-    Kerberos 5 Backend Module -- Utilities

+    Kerberos 5 Backend Module -- ccache related utilities

     Authors:

         Sumit Bose <sbose@redhat.com>

+        Jakub Hrozek <jhrozek@redhat.com>

-    Copyright (C) 2009 Red Hat

+    Copyright (C) 2014 Red Hat

     This program is free software; you can redistribute it and/or modify

     it under the terms of the GNU General Public License as published by

@@ -21,427 +22,37 @@

     You should have received a copy of the GNU General Public License

     along with this program.  If not, see <http://www.gnu.org/licenses/>.

 */

-#include <string.h>

-#include <stdlib.h>

-#include <libgen.h>

-#include "providers/krb5/krb5_utils.h"

-#include "providers/krb5/krb5_auth.h"

-#include "src/util/find_uid.h"

+#ifdef HAVE_KRB5_KRB5_H

+#include <krb5/krb5.h>

+#else

+#include <krb5.h>

+#endif

+

+#include "providers/krb5/krb5_ccache.h"

+#include "util/sss_krb5.h"

 #include "util/util.h"

-errno_t find_or_guess_upn(TALLOC_CTX *mem_ctx, struct ldb_message *msg,

-                          struct krb5_ctx *krb5_ctx,

-                          struct sss_domain_info *dom, const char *user,

-                          const char *user_dom, char **_upn)

+static errno_t

+check_ccache_re(const char *filename, pcre *illegal_re)

 {

-    const char *upn = NULL;

-    int ret;

+    errno_t ret;

-    if (krb5_ctx == NULL || dom == NULL || user == NULL || _upn == NULL) {

-        return EINVAL;

-    }

-

-    if (msg != NULL) {

-        upn = ldb_msg_find_attr_as_string(msg, SYSDB_CANONICAL_UPN, NULL);

-        if (upn != NULL) {

-            ret = EOK;

-            goto done;

-        }

-

-        upn = ldb_msg_find_attr_as_string(msg, SYSDB_UPN, NULL);

-        if (upn != NULL) {

-            ret = EOK;

-            goto done;

-        }

-    }

-

-    ret = krb5_get_simple_upn(mem_ctx, krb5_ctx, dom, user,

-                              user_dom, _upn);

-    if (ret != EOK) {

-        DEBUG(SSSDBG_OP_FAILURE, "krb5_get_simple_upn failed.\n");

-        return ret;

-    }

-

-done:

-    if (ret == EOK && upn != NULL) {

-        *_upn = talloc_strdup(mem_ctx, upn);

-        if (*_upn == NULL) {

-            DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");

-            return ENOMEM;

-        }

-    }

-

-    return ret;

-}

-

-errno_t check_if_cached_upn_needs_update(struct sysdb_ctx *sysdb,

-                                         struct sss_domain_info *domain,

-                                         const char *user,

-                                         const char *upn)

-{

-    TALLOC_CTX *tmp_ctx;

-    int ret;

-    int sret;

-    const char *attrs[] = {SYSDB_UPN, SYSDB_CANONICAL_UPN, NULL};

-    struct sysdb_attrs *new_attrs;

-    struct ldb_result *res;

-    bool in_transaction = false;

-    const char *cached_upn;

-    const char *cached_canonical_upn;

-

-    if (sysdb == NULL || user == NULL || upn == NULL) {

-        return EINVAL;

-    }

-

-    tmp_ctx = talloc_new(NULL);

-    if (tmp_ctx == NULL) {

-        DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");

-        return ENOMEM;

-    }

-

-    ret = sysdb_get_user_attr(tmp_ctx, domain, user, attrs, &res;;

-    if (ret != EOK) {

-        DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_user_attr failed.\n");

-        goto done;

-    }

-

-    if (res->count != 1) {

-        DEBUG(SSSDBG_OP_FAILURE, "[%d] user objects for name [%s] found, " \

-                                  "expected 1.\n", res->count, user);

-        ret = EINVAL;

-        goto done;

-    }

-

-    cached_upn = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_UPN, NULL);

-

-    if (cached_upn != NULL && strcmp(cached_upn, upn) == 0) {

-        DEBUG(SSSDBG_TRACE_ALL, "Cached UPN and new one match, "

-                                 "nothing to do.\n");

-        ret = EOK;

-        goto done;

-    }

-

-    cached_canonical_upn = ldb_msg_find_attr_as_string(res->msgs[0],

-                                                       SYSDB_CANONICAL_UPN,

-                                                       NULL);

-

-    if (cached_canonical_upn != NULL

-            && strcmp(cached_canonical_upn, upn) == 0) {

-        DEBUG(SSSDBG_TRACE_ALL, "Cached canonical UPN and new one match, "

-                                 "nothing to do.\n");

-        ret = EOK;

-        goto done;

-    }

-

-    DEBUG(SSSDBG_TRACE_LIBS, "Replacing canonical UPN [%s] with [%s] " \

-                              "for user [%s].\n",

-                              cached_canonical_upn == NULL ?

-                                                 "empty" : cached_canonical_upn,

-                              upn, user);

-

-    new_attrs = sysdb_new_attrs(tmp_ctx);

-    if (new_attrs == NULL) {

-        DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n");

-        ret = ENOMEM;

-        goto done;

-    }

-

-    ret = sysdb_attrs_add_string(new_attrs, SYSDB_CANONICAL_UPN, upn);

-    if (ret != EOK) {

-        DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string failed.\n");

-        goto done;

-    }

-

-    ret = sysdb_transaction_start(sysdb);

-    if (ret != EOK) {

+    ret = pcre_exec(illegal_re, NULL, filename, strlen(filename),

+                    0, 0, NULL, 0);

+    if (ret == 0) {

         DEBUG(SSSDBG_OP_FAILURE,

-              "Error %d starting transaction (%s)\n", ret, strerror(ret));

-        goto done;

-    }

-    in_transaction = true;

-

-    ret = sysdb_set_entry_attr(sysdb, res->msgs[0]->dn, new_attrs,

-                               cached_canonical_upn == NULL ? SYSDB_MOD_ADD :

-                                                              SYSDB_MOD_REP);

-    if (ret != EOK) {

-        DEBUG(SSSDBG_OP_FAILURE, "sysdb_set_entry_attr failed [%d][%s].\n",

-                                  ret, strerror(ret));

-        goto done;

-    }

-

-    ret = sysdb_transaction_commit(sysdb);

-    if (ret != EOK) {

-        DEBUG(SSSDBG_OP_FAILURE, "Failed to commit transaction!\n");

-        goto done;

-    }

-    in_transaction = false;

-

-    ret = EOK;

-

-done:

-    if (in_transaction) {

-        sret = sysdb_transaction_cancel(sysdb);

-        if (sret != EOK) {

-            DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n");

-        }

-    }

-

-    talloc_free(tmp_ctx);

-

-    return ret;

-}

-

-#define S_EXP_UID "{uid}"

-#define L_EXP_UID (sizeof(S_EXP_UID) - 1)

-#define S_EXP_USERID "{USERID}"

-#define L_EXP_USERID (sizeof(S_EXP_USERID) - 1)

-#define S_EXP_EUID "{euid}"

-#define L_EXP_EUID (sizeof(S_EXP_EUID) - 1)

-#define S_EXP_USERNAME "{username}"

-#define L_EXP_USERNAME (sizeof(S_EXP_USERNAME) - 1)

-

-char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,

-                             const char *template, bool file_mode,

-                             bool case_sensitive)

-{

-    char *copy;

-    char *p;

-    char *n;

-    char *result = NULL;

-    char *dummy;

-    char *name;

-    char *res = NULL;

-    const char *cache_dir_tmpl;

-    TALLOC_CTX *tmp_ctx = NULL;

-    char action;

-    bool rerun;

-

-    if (template == NULL) {

-        DEBUG(SSSDBG_CRIT_FAILURE, "Missing template.\n");

-        return NULL;

-    }

-

-    tmp_ctx = talloc_new(NULL);

-    if (!tmp_ctx) return NULL;

-

-    copy = talloc_strdup(tmp_ctx, template);

-    if (copy == NULL) {

-        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n");

-        goto done;

-    }

-

-    result = talloc_strdup(tmp_ctx, "");

-    if (result == NULL) {

-        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n");

-        goto done;

-    }

-

-    p = copy;

-    while ( (n = strchr(p, '%')) != NULL) {

-        *n = '\0';

-        n++;

-        if ( *n == '\0' ) {

-            DEBUG(SSSDBG_CRIT_FAILURE,

-                  "format error, single %% at the end of the template.\n");

-            goto done;

-        }

-

-        rerun = true;

-        action = *n;

-        while (rerun) {

-            rerun = false;

-            switch (action) {

-            case 'u':

-                if (kr->pd->user == NULL) {

-                    DEBUG(SSSDBG_CRIT_FAILURE,

-                          "Cannot expand user name template "

-                              "because user name is empty.\n");

-                    goto done;

-                }

-                name = sss_get_cased_name(tmp_ctx, kr->pd->user,

-                                          case_sensitive);

-                if (!name) {

-                    DEBUG(SSSDBG_CRIT_FAILURE,

-                          "sss_get_cased_name failed\n");

-                    goto done;

-                }

-

-                result = talloc_asprintf_append(result, "%s%s", p,

-                                                name);

-                break;

-            case 'U':

-                if (kr->uid <= 0) {

-                    DEBUG(SSSDBG_CRIT_FAILURE, "Cannot expand uid template "

-                              "because uid is invalid.\n");

-                    goto done;

-                }

-                result = talloc_asprintf_append(result, "%s%"SPRIuid, p,

-                                                kr->uid);

-                break;

-            case 'p':

-                if (kr->upn == NULL) {

-                    DEBUG(SSSDBG_CRIT_FAILURE,

-                          "Cannot expand user principal name template "

-                              "because upn is empty.\n");

-                    goto done;

-                }

-                result = talloc_asprintf_append(result, "%s%s", p, kr->upn);

-                break;

-            case '%':

-                result = talloc_asprintf_append(result, "%s%%", p);

-                break;

-            case 'r':

-                dummy = dp_opt_get_string(kr->krb5_ctx->opts, KRB5_REALM);

-                if (dummy == NULL) {

-                    DEBUG(SSSDBG_CRIT_FAILURE, "Missing kerberos realm.\n");

-                    goto done;

-                }

-                result = talloc_asprintf_append(result, "%s%s", p, dummy);

-                break;

-            case 'h':

-                if (kr->homedir == NULL) {

-                    DEBUG(SSSDBG_CRIT_FAILURE,

-                          "Cannot expand home directory template "

-                              "because the path is not available.\n");

-                    goto done;

-                }

-                result = talloc_asprintf_append(result, "%s%s", p, kr->homedir);

-                break;

-            case 'd':

-                if (file_mode) {

-                    cache_dir_tmpl = dp_opt_get_string(kr->krb5_ctx->opts,

-                                                       KRB5_CCACHEDIR);

-                    if (cache_dir_tmpl == NULL) {

-                        DEBUG(SSSDBG_CRIT_FAILURE,

-                              "Missing credential cache directory.\n");

-                        goto done;

-                    }

-

-                    dummy = expand_ccname_template(tmp_ctx, kr, cache_dir_tmpl,

-                                                   false, case_sensitive);

-                    if (dummy == NULL) {

-                        DEBUG(SSSDBG_CRIT_FAILURE,

-                              "Expanding credential cache directory "

-                                  "template failed.\n");

-                        goto done;

-                    }

-                    result = talloc_asprintf_append(result, "%s%s", p, dummy);

-                    talloc_zfree(dummy);

-                } else {

-                    DEBUG(SSSDBG_CRIT_FAILURE,

-                          "'%%d' is not allowed in this template.\n");

-                    goto done;

-                }

-                break;

-            case 'P':

-                if (!file_mode) {

-                    DEBUG(SSSDBG_CRIT_FAILURE,

-                          "'%%P' is not allowed in this template.\n");

-                    goto done;

-                }

-                if (kr->pd->cli_pid == 0) {

-                    DEBUG(SSSDBG_CRIT_FAILURE, "Cannot expand PID template "

-                              "because PID is not available.\n");

-                    goto done;

-                }

-                result = talloc_asprintf_append(result, "%s%d", p,

-                                                kr->pd->cli_pid);

-                break;

-

-            /* Additional syntax from krb5.conf default_ccache_name */

-            case '{':

-                if (strncmp(n , S_EXP_UID, L_EXP_UID) == 0) {

-                    action = 'U';

-                    n += L_EXP_UID - 1;

-                    rerun = true;

-                    continue;

-                } else if (strncmp(n , S_EXP_USERID, L_EXP_USERID) == 0) {

-                    action = 'U';

-                    n += L_EXP_USERID - 1;

-                    rerun = true;

-                    continue;

-                } else if (strncmp(n , S_EXP_EUID, L_EXP_EUID) == 0) {

-                    /* SSSD does not distinguish betwen uid and euid,

-                     * so we treat both the same way */

-                    action = 'U';

-                    n += L_EXP_EUID - 1;

-                    rerun = true;

-                    continue;

-                } else if (strncmp(n , S_EXP_USERNAME, L_EXP_USERNAME) == 0) {

-                    action = 'u';

-                    n += L_EXP_USERNAME - 1;

-                    rerun = true;

-                    continue;

-                } else {

-                    /* ignore any expansion variable we do not understand and

-                     * let libkrb5 hndle it or fail */

-                    name = n;

-                    n = strchr(name, '}');

-                    if (!n) {

-                        DEBUG(SSSDBG_CRIT_FAILURE, 

-                              "Invalid substitution sequence in cache "

-                              "template. Missing closing '}' in [%s].\n",

-                              template);

-                        goto done;

-                    }

-                    result = talloc_asprintf_append(result, "%s%%%.*s", p,

-                                                    (int)(n - name + 1), name);

-                }

-                break;

-            default:

-                DEBUG(SSSDBG_CRIT_FAILURE,

-                      "format error, unknown template [%%%c].\n", *n);

-                goto done;

-            }

-        }

-

-        if (result == NULL) {

-            DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf_append failed.\n");

-            goto done;

-        }

-

-        p = n + 1;

-    }

-

-    result = talloc_asprintf_append(result, "%s", p);

-    if (result == NULL) {

-        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf_append failed.\n");

-        goto done;

-    }

-

-    res = talloc_move(mem_ctx, &result);

-done:

-    talloc_zfree(tmp_ctx);

-    return res;

-}

-

-static errno_t check_parent_stat(struct stat *parent_stat, uid_t uid)

-{

-    if (parent_stat->st_uid != 0 && parent_stat->st_uid != uid) {

-        DEBUG(SSSDBG_CRIT_FAILURE,

-              "Private directory can only be created below a directory "

-              "belonging to root or to [%"SPRIuid"].\n", uid);

+              "Illegal pattern in ccache directory name [%s].\n", filename);

         return EINVAL;

+    } else if (ret == PCRE_ERROR_NOMATCH) {

+        DEBUG(SSSDBG_TRACE_LIBS,

+              "Ccache directory name [%s] does not contain "

+               "illegal patterns.\n", filename);

+        return EOK;

     }

-    if (parent_stat->st_uid == uid) {

-        if (!(parent_stat->st_mode & S_IXUSR)) {

-            DEBUG(SSSDBG_CRIT_FAILURE,

-                  "Parent directory does not have the search bit set for "

-                   "the owner.\n");

-            return EINVAL;

-        }

-    } else {

-        if (!(parent_stat->st_mode & S_IXOTH)) {

-            DEBUG(SSSDBG_CRIT_FAILURE,

-                  "Parent directory does not have the search bit set for "

-                   "others.\n");

-            return EINVAL;

-        }

-    }

-

-    return EOK;

+    DEBUG(SSSDBG_CRIT_FAILURE, "pcre_exec failed [%d].\n", ret);

+    return EFAULT;

 }

 struct string_list {

@@ -523,31 +134,37 @@ done:

     return ret;

 }

-static errno_t

-check_ccache_re(const char *filename, pcre *illegal_re)

+static errno_t check_parent_stat(struct stat *parent_stat, uid_t uid)

 {

-    errno_t ret;

-

-    ret = pcre_exec(illegal_re, NULL, filename, strlen(filename),

-                    0, 0, NULL, 0);

-    if (ret == 0) {

-        DEBUG(SSSDBG_OP_FAILURE,

-              "Illegal pattern in ccache directory name [%s].\n", filename);

+    if (parent_stat->st_uid != 0 && parent_stat->st_uid != uid) {

+        DEBUG(SSSDBG_CRIT_FAILURE,

+              "Private directory can only be created below a directory "

+              "belonging to root or to [%"SPRIuid"].\n", uid);

         return EINVAL;

-    } else if (ret == PCRE_ERROR_NOMATCH) {

-        DEBUG(SSSDBG_TRACE_LIBS,

-              "Ccache directory name [%s] does not contain "

-               "illegal patterns.\n", filename);

-        return EOK;

     }

-    DEBUG(SSSDBG_CRIT_FAILURE, "pcre_exec failed [%d].\n", ret);

-    return EFAULT;

+    if (parent_stat->st_uid == uid) {

+        if (!(parent_stat->st_mode & S_IXUSR)) {

+            DEBUG(SSSDBG_CRIT_FAILURE,

+                  "Parent directory does not have the search bit set for "

+                   "the owner.\n");

+            return EINVAL;

+        }

+    } else {

+        if (!(parent_stat->st_mode & S_IXOTH)) {

+            DEBUG(SSSDBG_CRIT_FAILURE,

+                  "Parent directory does not have the search bit set for "

+                   "others.\n");

+            return EINVAL;

+        }

+    }

+

+    return EOK;

 }

-errno_t

-create_ccache_dir(const char *ccdirname, pcre *illegal_re,

-                  uid_t uid, gid_t gid)

+errno_t create_ccache_dir(const char *ccdirname,

+                          pcre *illegal_re,

+                          uid_t uid, gid_t gid)

 {

     int ret = EFAULT;

     struct stat parent_stat;

@@ -625,113 +242,6 @@ done:

     return ret;

 }

-errno_t get_ccache_file_data(const char *ccache_file, const char *client_name,

-                             struct tgt_times *tgtt)

-{

-    krb5_error_code kerr;

-    krb5_context ctx = NULL;

-    krb5_ccache cc = NULL;

-    krb5_principal client_princ = NULL;

-    krb5_principal server_princ = NULL;

-    char *server_name;

-    krb5_creds mcred;

-    krb5_creds cred;

-    const char *realm_name;

-    int realm_length;

-

-    kerr = krb5_init_context(&ctx;;

-    if (kerr != 0) {

-        DEBUG(SSSDBG_CRIT_FAILURE, "krb5_init_context failed.\n");

-        goto done;

-    }

-

-    kerr = krb5_parse_name(ctx, client_name, &client_princ);

-    if (kerr != 0) {

-        KRB5_DEBUG(SSSDBG_OP_FAILURE, ctx, kerr);

-        DEBUG(SSSDBG_CRIT_FAILURE, "krb5_parse_name failed.\n");

-        goto done;

-    }

-

-    sss_krb5_princ_realm(ctx, client_princ, &realm_name, &realm_length);

-

-    server_name = talloc_asprintf(NULL, "krbtgt/%.*s@%.*s",

-                                  realm_length, realm_name,

-                                  realm_length, realm_name);

-    if (server_name == NULL) {

-        kerr = KRB5_CC_NOMEM;

-        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");

-        goto done;

-    }

-

-    kerr = krb5_parse_name(ctx, server_name, &server_princ);

-    talloc_free(server_name);

-    if (kerr != 0) {

-        KRB5_DEBUG(SSSDBG_OP_FAILURE, ctx, kerr);

-        DEBUG(SSSDBG_CRIT_FAILURE, "krb5_parse_name failed.\n");

-        goto done;

-    }

-

-    kerr = krb5_cc_resolve(ctx, ccache_file, &cc);

-    if (kerr != 0) {

-        KRB5_DEBUG(SSSDBG_OP_FAILURE, ctx, kerr);

-        DEBUG(SSSDBG_CRIT_FAILURE, "krb5_cc_resolve failed.\n");

-        goto done;

-    }

-

-    memset(&mcred, 0, sizeof(mcred));

-    memset(&cred, 0, sizeof(mcred));

-

-    mcred.server = server_princ;

-    mcred.client = client_princ;

-

-    kerr = krb5_cc_retrieve_cred(ctx, cc, 0, &mcred, &cred);

-    if (kerr != 0) {

-        KRB5_DEBUG(SSSDBG_OP_FAILURE, ctx, kerr);

-        DEBUG(SSSDBG_CRIT_FAILURE, "krb5_cc_retrieve_cred failed.\n");

-        goto done;

-    }

-

-    tgtt->authtime = cred.times.authtime;

-    tgtt->starttime = cred.times.starttime;

-    tgtt->endtime = cred.times.endtime;

-    tgtt->renew_till = cred.times.renew_till;

-

-    krb5_free_cred_contents(ctx, &cred);

-

-    kerr = krb5_cc_close(ctx, cc);

-    if (kerr != 0) {