From cb8c8af56d306267d6964da217c65e129fe83c82 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Wed, 26 Feb 2020 18:27:17 -0500 Subject: [PATCH] Refresh manually acquired creds from client keytab If a client keytab is present but credentials are acquired manually, the credentials would not be refreshed because no refresh_time config var is set in the cache. Change kg_cred_time_to_refresh() to attempt a refresh from the client keytab on any credentials which will expire in the next 30 seconds. [ghudson@mit.edu: adjused code and added test case] ticket: 7976 (cherry picked from commit 729896467e3c77904666019d6cbbda583ae49b95) (cherry picked from commit 685aada9eae420cb5156ca7b71c2c7614c0b6e2c) --- src/lib/gssapi/krb5/acquire_cred.c | 14 +++++++++++--- src/tests/gssapi/t_client_keytab.py | 18 ++++++++++++++++++ 2 files changed, 29 insertions(+), 3 deletions(-) diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c index acc1868f8..4062f4741 100644 --- a/src/lib/gssapi/krb5/acquire_cred.c +++ b/src/lib/gssapi/krb5/acquire_cred.c @@ -557,15 +557,23 @@ set_refresh_time(krb5_context context, krb5_ccache ccache, krb5_boolean kg_cred_time_to_refresh(krb5_context context, krb5_gss_cred_id_rec *cred) { - krb5_timestamp now; + krb5_timestamp now, soon; if (krb5_timeofday(context, &now)) return FALSE; + soon = ts_incr(now, 30); if (cred->refresh_time != 0 && !ts_after(cred->refresh_time, now)) { - set_refresh_time(context, cred->ccache, - ts_incr(cred->refresh_time, 30)); + set_refresh_time(context, cred->ccache, soon); return TRUE; } + + /* If the creds will expire soon, try to refresh even if they weren't + * acquired with a client keytab. */ + if (ts_after(soon, cred->expire)) { + set_refresh_time(context, cred->ccache, soon); + return TRUE; + } + return FALSE; } diff --git a/src/tests/gssapi/t_client_keytab.py b/src/tests/gssapi/t_client_keytab.py index e474a27c7..7847b3ecd 100755 --- a/src/tests/gssapi/t_client_keytab.py +++ b/src/tests/gssapi/t_client_keytab.py @@ -124,4 +124,22 @@ realm.kinit(realm.user_princ, password('user')) realm.run(['./t_ccselect', phost], env=bad_cktname, expected_msg=realm.user_princ) +mark('refresh of manually acquired creds') + +# Test 17: no name/ccache specified, manually acquired creds which +# will expire soon. Verify that creds are refreshed using the current +# client name, with refresh_time set in the refreshed ccache. +realm.kinit('bob', password('bob'), ['-l', '15s']) +realm.run(['./t_ccselect', phost], expected_msg='bob') +realm.run([klist, '-C'], expected_msg='refresh_time = ') + +# Test 18: no name/ccache specified, manually acquired creds with a +# client principal not present in the client keytab. A refresh is +# attempted but fails, and an expired ticket error results. +realm.kinit(realm.admin_princ, password('admin'), ['-l', '-1s']) +msgs = ('Getting initial credentials for user/admin@KRBTEST.COM', + '/Matching credential not found') +realm.run(['./t_ccselect', phost], expected_code=1, + expected_msg='Ticket expired', expected_trace=msgs) + success('Client keytab tests')