From 03afa4cbef2c2ba3c70fbad4f3e1e36c05fafe82 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 8 Dec 2014 13:29:23 +0100
Subject: [PATCH 138/138] KRB5: Check FAST kinit errors using get_tgt_times()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/providers/krb5/krb5_child.c | 28 +++++++++++++++-------------
1 file changed, 15 insertions(+), 13 deletions(-)
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 8f23346a67d4d2467a4d1869fd298ec4d6f68e92..3318e0647c0e7d7f0e7305cc4204d9c2db020162 100644
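--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1662,6 +1662,7 @@ static krb5_error_code get_tgt_times(krb5_context ctx, const char *ccname,
 krberr = krb5_cc_resolve(ctx, ccname, &ccache);
 if (krberr != 0) {
 DEBUG(SSSDBG_CRIT_FAILURE, "krb5_cc_resolve failed.\n");
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, krberr);
 goto done;
 }
 
@@ -1814,7 +1815,6 @@ static krb5_error_code check_fast_ccache(TALLOC_CTX *mem_ctx,
 } while (kerr == -1 && errno == EINTR);
 
 if (kerr > 0) {
- kerr = EIO;
 if (WIFEXITED(status)) {
 kerr = WEXITSTATUS(status);
 /* Don't blindly fail if the child fails, but check
@@ -1830,26 +1830,28 @@ static krb5_error_code check_fast_ccache(TALLOC_CTX *mem_ctx,
 fchild_pid);
 }
 } else {
- DEBUG(SSSDBG_FUNC_DATA,
- "Failed to wait for children %d\n", fchild_pid);
- kerr = EIO;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to wait for child %d\n", fchild_pid);
+ /* Let the code re-check the TGT times and fail if we
+ * can't find the updated principal */
 }
 }
 
 /* Check the ccache times again. Should be updated ... */
 memset(&tgtt, 0, sizeof(tgtt));
 kerr = get_tgt_times(ctx, ccname, server_princ, client_princ, &tgtt);
- if (kerr == 0) {
- if (tgtt.endtime > time(NULL)) {
- DEBUG(SSSDBG_FUNC_DATA, "FAST TGT was successfully recreated!\n");
- goto done;
- } else {
- kerr = ERR_CREDS_EXPIRED;
- goto done;
- }
+ if (kerr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_tgt_times() failed\n");
+ goto done;
 }
 
- kerr = 0;
+ if (tgtt.endtime < time(NULL)) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Valid FAST TGT not found after attempting to renew it\n");
+ kerr = ERR_CREDS_EXPIRED;
+ goto done;
+ }
+ DEBUG(SSSDBG_FUNC_DATA, "FAST TGT was successfully recreated!\n");
 
 done:
 if (client_princ != NULL) {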
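Review bot: In the last hunk of check_fast_ccache(), the new expiry test `if (tgtt.endtime < time(NULL))` accepts a ticket whose end time equals the current second, whereas the removed code only reported success for `tgtt.endtime > time(NULL)`. If that boundary shift is not intended, the check should read `if (tgtt.endtime <= time(NULL)) {`. In either form a FAST TGT with only a moment of lifetime left is logged as "successfully recreated", so a comment saying whether any minimum remaining lifetime is expected before the armor ccache is used would help the next reader. The function begins before and continues after the visible hunks, so callers' handling of ERR_CREDS_EXPIRED cannot be confirmed from here.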
--
1.9.3