Blame SOURCES/Fix-KCM-retrieval-support-for-sssd.patch

6cfd83
From 0bfe0b2bc0a8ee0e9a8cee26528030c16d4fd15f Mon Sep 17 00:00:00 2001
6cfd83
From: Greg Hudson <ghudson@mit.edu>
6cfd83
Date: Tue, 11 May 2021 14:04:07 -0400
6cfd83
Subject: [PATCH] Fix KCM retrieval support for sssd
6cfd83
6cfd83
Commit 795ebba8c039be172ab93cd41105c73ffdba0fdb added a retrieval
6cfd83
handler using KCM_OP_RETRIEVE, falling back on the same error codes as
6cfd83
the previous KCM_OP_GET_CRED_LIST support.  But sssd (as of 2.4)
6cfd83
returns KRB5_CC_NOSUPP instead of KRB5_CC_IO if it recognizes an
6cfd83
opcode but does not implement it.  Add a helper function to recognize
6cfd83
all known unsupported-opcode error codes, and use it in kcm_retrieve()
6cfd83
and kcm_start_seq_get().
6cfd83
6cfd83
ticket: 8997
6cfd83
(cherry picked from commit da103e36e13f3c846bcddbe38dd518a21e5260a0)
6cfd83
(cherry picked from commit a5b2cff51808cd86fe8195e7ac074ecd25c3344d)
6cfd83
(cherry picked from commit 6a00fd149edd017ece894566771e2e9d4ba089f4)
6cfd83
---
6cfd83
 src/lib/krb5/ccache/cc_kcm.c | 18 ++++++++++++++++--
6cfd83
 1 file changed, 16 insertions(+), 2 deletions(-)
6cfd83
6cfd83
diff --git a/src/lib/krb5/ccache/cc_kcm.c b/src/lib/krb5/ccache/cc_kcm.c
6cfd83
index b600c6f15..6a36cfdce 100644
6cfd83
--- a/src/lib/krb5/ccache/cc_kcm.c
6cfd83
+++ b/src/lib/krb5/ccache/cc_kcm.c
6cfd83
@@ -144,6 +144,20 @@ map_tcflags(krb5_flags mitflags)
6cfd83
     return heimflags;
6cfd83
 }
6cfd83
 
6cfd83
+/*
6cfd83
+ * Return true if code could indicate an unsupported operation.  Heimdal's KCM
6cfd83
+ * returns KRB5_FCC_INTERNAL.  sssd's KCM daemon (as of sssd 2.4) returns
6cfd83
+ * KRB5_CC_NO_SUPP if it recognizes the operation but does not implement it,
6cfd83
+ * and KRB5_CC_IO if it doesn't recognize the operation (which is unfortunate
6cfd83
+ * since it could also indicate a communication failure).
6cfd83
+ */
6cfd83
+static krb5_boolean
6cfd83
+unsupported_op_error(krb5_error_code code)
6cfd83
+{
6cfd83
+    return code == KRB5_FCC_INTERNAL || code == KRB5_CC_IO ||
6cfd83
+        code == KRB5_CC_NOSUPP;
6cfd83
+}
6cfd83
+
6cfd83
 /* Begin a request for the given opcode.  If cache is non-null, supply the
6cfd83
  * cache name as a request parameter. */
6cfd83
 static void
6cfd83
@@ -841,7 +855,7 @@ kcm_retrieve(krb5_context context, krb5_ccache cache, krb5_flags flags,
6cfd83
     ret = cache_call(context, cache, &req;;
6cfd83
 
6cfd83
     /* Fall back to iteration if the server does not support retrieval. */
6cfd83
-    if (ret == KRB5_FCC_INTERNAL || ret == KRB5_CC_IO) {
6cfd83
+    if (unsupported_op_error(ret)) {
6cfd83
         ret = k5_cc_retrieve_cred_default(context, cache, flags, mcred,
6cfd83
                                           cred_out);
6cfd83
         goto cleanup;
6cfd83
@@ -922,7 +936,7 @@ kcm_start_seq_get(krb5_context context, krb5_ccache cache,
6cfd83
         ret = kcmreq_get_cred_list(&req, &creds);
6cfd83
         if (ret)
6cfd83
             goto cleanup;
6cfd83
-    } else if (ret == KRB5_FCC_INTERNAL || ret == KRB5_CC_IO) {
6cfd83
+    } else if (unsupported_op_error(ret)) {
6cfd83
         /* Fall back to GET_CRED_UUID_LIST. */
6cfd83
         kcmreq_free(&req;;
6cfd83
         kcmreq_init(&req, KCM_OP_GET_CRED_UUID_LIST, cache);