From a183e279f754afdd571d8b084c7a36b71d5c1701 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Wed, 17 Dec 2014 09:10:33 +0100
Subject: [PATCH 2/2] krb5_child: Initialize REALM earlier
Environment variable SSSD_KRB5_REALM was used too late for initialisation of the
realm, and therefore the default value NULL was used.
The SSSD_KRB5_REALM (kr->realm) was used as fast_principal_realm for checking
fast cache: privileged_krb5_setup -> k5c_setup_fast -> check_fast_ccache
And therefore wrong principal was used when the option krb5_fast_principal is
empty.
[find_principal_in_keytab] (0x4000): Trying to find principal (null)@(null) in keytab.
[match_principal] (0x1000): Principal matched to the sample ((null)@(null)).
[get_tgt_times] (0x1000): FAST ccache must be recreated
[get_tgt_times] (0x0020): krb5_cc_retrieve_cred failed
[get_tgt_times] (0x0020): 1688: [-1765328243][Matching credential not found]
[check_fast_ccache] (0x0040): Valid FAST TGT not found after attempting to renew it
[k5c_setup_fast] (0x0020): check_fast_ccache failed.
[k5c_setup_fast] (0x0020): 1956: [1432158213][Unknown code UUz 5]
[privileged_krb5_setup] (0x0040): Cannot set up FAST
[main] (0x0020): privileged_krb5_setup failed.
[main] (0x0020): krb5_child failed!
As a result of this user was not able to authenticate.
Resolves:
https://fedorahosted.org/sssd/ticket/2526
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/providers/krb5/krb5_child.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 76a0757f6176d4ad9d049bc8825a64328b19a818..64fe6f0cb19e831ed4b49f627cb3b3a124272943 100644
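--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -2159,12 +2159,6 @@ static int k5c_setup(struct krb5_req *kr, uint32_t offline)
 DEBUG(SSSDBG_TRACE_INTERNAL,
 "Running as [%"SPRIuid"][%"SPRIgid"].\n", geteuid(), getegid());
 
- kr->realm = getenv(SSSD_KRB5_REALM);
- if (kr->realm == NULL) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "Cannot read [%s] from environment.\n", SSSD_KRB5_REALM);
- }
-
 /* Set the global error context */
 krb5_error_ctx = kr->ctx;
 
@@ -2254,6 +2248,12 @@ static krb5_error_code privileged_krb5_setup(struct krb5_req *kr,
 int ret;
 char *mem_keytab;
 
+ kr->realm = getenv(SSSD_KRB5_REALM);
+ if (kr->realm == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Cannot read [%s] from environment.\n", SSSD_KRB5_REALM);
+ }
+
 kerr = krb5_init_context(&kr->ctx);
 if (kerr != 0) {
 KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);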
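Review bot: In the second hunk a missing SSSD_KRB5_REALM is still only logged at SSSDBG_MINOR_FAILURE, so privileged_krb5_setup continues with `kr->realm == NULL`, the state that the log in the commit message shows ending in a `(null)@(null)` keytab lookup that matches the sample principal. Now that the realm is read ahead of the FAST setup, its absence would be safer treated as an error on that path, for example `if (kr->realm == NULL && <FAST is configured>) { return EINVAL; }` (the condition is a placeholder; confirm whether a NULL realm is legitimate when FAST is off). The pointer returned by getenv() is also stored without copying, so a comment such as `/* kr->realm points into the environment; it must be set before k5c_setup_fast() and must not outlive a later environment change */` would record the ordering this patch depends on. The function body continues outside the hunk, so later handling of a NULL realm cannot be ruled out from here.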
--
1.9.3