From 1fa33903be640f8d22757d21da294e70f0812698 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 10 Oct 2017 18:00:45 -0400
Subject: [PATCH] Only empty FILE ccaches when storing remote creds
This mitigates issues when services share a ccache between two
processes. We cannot fix this for FILE ccaches without introducing
other issues.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Merges: #216
(cherry picked from commit d09e87f47a21dd250bfd7a9c59a5932b5c995057)
---
proxy/src/mechglue/gpp_creds.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/proxy/src/mechglue/gpp_creds.c b/proxy/src/mechglue/gpp_creds.c
index 9fe9bd1..6bdff45 100644
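--- a/proxy/src/mechglue/gpp_creds.c
+++ b/proxy/src/mechglue/gpp_creds.c
@@ -147,6 +147,7 @@ uint32_t gpp_store_remote_creds(uint32_t *min, bool default_creds,
 char cred_name[creds->desired_name.display_name.octet_string_len + 1];
 XDR xdrctx;
 bool xdrok;
+ const char *cc_type;
 
 *min = 0;
 
@@ -193,13 +194,20 @@ uint32_t gpp_store_remote_creds(uint32_t *min, bool default_creds,
 }
 cred.ticket.length = xdr_getpos(&xdrctx);
 
- /* Always initialize and destroy any existing contents to avoid pileup of
- * entries */
- ret = krb5_cc_initialize(ctx, ccache, cred.client);
- if (ret == 0) {
- ret = krb5_cc_store_cred(ctx, ccache, &cred);
+ cc_type = krb5_cc_get_type(ctx, ccache);
+ if (strcmp(cc_type, "FILE") == 0) {
+ /* FILE ccaches don't handle updates properly: if they have the same
+ * principal name, they are blackholed. We either have to change the
+ * name (at which point the file grows forever) or flash the cache on
+ * every update. */
+ ret = krb5_cc_initialize(ctx, ccache, cred.client);
+ if (ret != 0) {
+ goto done;
+ }
 }
 
+ ret = krb5_cc_store_cred(ctx, ccache, &cred);
+
 done:
 if (ctx) {
 krb5_free_cred_contents(ctx, &cred);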
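Review bot: In the second hunk every ccache type other than FILE now reaches `krb5_cc_store_cred` without a preceding `krb5_cc_initialize`, so the credential is written into whatever the cache already holds. Nothing visible here establishes that such a cache has been initialized or that its primary principal equals `cred.client`; if either is not the case the store may fail, or tickets for a previous client may stay alongside the new one in a cache that two processes share. I would keep the FILE branch as it is and add an `else` branch that reads the current principal with `krb5_cc_get_principal` and initializes only when that fails or the principal differs from `cred.client`, as sketched below. `cc_type` is also passed to `strcmp` unchecked, which is only safe if `krb5_cc_get_type` cannot return NULL for this handle. The body of `gpp_store_remote_creds` starts and ends outside both hunks.

```c
    if (strcmp(cc_type, "FILE") == 0) {
        /* … unchanged: FILE comment and unconditional krb5_cc_initialize … */
    } else {
        /* Other types keep their contents, but the cache still needs a
         * primary principal that matches the credential being stored. */
        krb5_principal cur = NULL;

        ret = krb5_cc_get_principal(ctx, ccache, &cur);
        if (ret != 0 || !krb5_principal_compare(ctx, cur, cred.client)) {
            ret = krb5_cc_initialize(ctx, ccache, cred.client);
        }
        krb5_free_principal(ctx, cur);
        if (ret != 0) {
            goto done;
        }
    }
    /* … unchanged: krb5_cc_store_cred call … */
```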