>From f5982a340c3b64ee25dcee2577a6f496becfc2c9 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Wed, 29 May 2013 09:57:38 +0200
Subject: [PATCH] Every time return directory for krb5 cache collection.
Function krb5_cc_get_full_name is called only as a way to validate that, we have the right cache. Instead of returned name, location will be returned from function cc_dir_cache_for_princ.
https://fedorahosted.org/sssd/ticket/1936
(cherry picked from commit fa3cdcff460d555f4a4905fb0a2d96be564fc599)
Conflicts:
 src/providers/krb5/krb5_child.c
---
 src/providers/krb5/krb5_child.c | 65 ++++++++++++++++++++++++++++++++++++++---
 src/providers/krb5/krb5_utils.c | 5 +++-
 2 files changed, 65 insertions(+), 5 deletions(-)
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 1f910769528ce9b9945f1dfc0c9ebc3584064c4d..b672f18d1b3e11d4d04775bba26b008cab05f1f2 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1014,14 +1014,60 @@ done:
 }
+static char * get_ccache_name_by_principal(TALLOC_CTX *mem_ctx,
+ krb5_context ctx,
+ krb5_principal principal,
+ const char *ccname)
+{
+ krb5_error_code kerr;
+ krb5_ccache tmp_cc = NULL;
+ char *tmp_ccname = NULL;
+ char *ret_ccname = NULL;
+
+ kerr = krb5_cc_set_default_name(ctx, ccname);
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_MINOR_FAILURE, kerr);
+ return NULL;
+ }
+
+ kerr = krb5_cc_cache_match(ctx, principal, &tmp_cc);
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_TRACE_INTERNAL, kerr);
+ return NULL;
+ }
+
+ kerr = krb5_cc_get_full_name(ctx, tmp_cc, &tmp_ccname);
+ if (kerr !=0) {
+ KRB5_CHILD_DEBUG(SSSDBG_MINOR_FAILURE, kerr);
+ goto done;
+ }
+
+ ret_ccname = talloc_strdup(mem_ctx, tmp_ccname);
+ if (ret_ccname == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("talloc_strdup failed (ENOMEM).\n"));
+ }
+
+done:
+ if (tmp_cc != NULL) {
+ kerr = krb5_cc_close(ctx, tmp_cc);
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_MINOR_FAILURE, kerr);
+ }
+ }
+ krb5_free_string(ctx, tmp_ccname);
+
+ return ret_ccname;
+}
+
 static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
 char *password)
 {
- krb5_error_code kerr = 0;
 int ret;
 const char *realm_name;
 int realm_length;
-
+ krb5_error_code kerr;
+ char *cc_name;
+ krb5_principal principal;
 kerr = sss_krb5_get_init_creds_opt_set_expire_callback(kr->ctx,
 kr->options,
 sss_krb5_expire_callback_func,
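Review bot: get_ccache_name_by_principal() returns NULL both when no cache in the collection matches the principal and when talloc_strdup() fails, so a caller cannot tell an allocation failure from "no matching cache". It also calls krb5_cc_set_default_name() on the caller's context and never restores the previous default, a side effect that outlives the call and affects later default-cache lookups on the same `ctx`. Neither is documented; a header comment such as `/* Returns the full name of the cache under ccname that matches principal, or NULL if none matches or on error. Changes the default ccache name of ctx. */` would make the contract explicit, and returning an errno_t with the name in an out parameter would let ENOMEM propagate. Minor style point: `kerr !=0` should read `kerr != 0` like the other checks in the function.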
@@ -1065,10 +1111,21 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
 }
 }
+ principal = kr->creds ? kr->creds->client : kr->princ;
+
+ /* If kr->ccname is cache collection (DIR:/...), we want to work
+ * directly with file ccache (DIR::/...), but cache collection
+ * should be returned back to back end.
+ */
+ cc_name = get_ccache_name_by_principal(kr->pd, kr->ctx, principal,
+ kr->ccname);
+ if (cc_name == NULL) {
+ cc_name = kr->ccname;
+ }
+
 /* Use the updated principal in the creds in case canonicalized */
 kerr = create_ccache(kr->uid, kr->gid, kr->ctx,
- kr->creds ? kr->creds->client : kr->princ,
- kr->ccname, kr->creds);
+ principal, cc_name, kr->creds);
 if (kerr != 0) {
 KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
 goto done;
diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c
index 7c406e6c2e0fa909adc073371d55e557b09c6df2..d61df585bb7625a225a718451256b3f76b223ac2 100644
--- a/src/providers/krb5/krb5_utils.c
+++ b/src/providers/krb5/krb5_utils.c
@@ -1167,6 +1167,9 @@ cc_dir_cache_for_princ(TALLOC_CTX *mem_ctx, const char *location,
 return NULL;
 }
+ /* This function is called only as a way to validate that,
+ * we have the right cache
+ */
 krberr = krb5_cc_get_full_name(context, ccache, &name);
 if (ccache) krb5_cc_close(context, ccache);
 krb5_free_context(context);
@@ -1176,7 +1179,7 @@ cc_dir_cache_for_princ(TALLOC_CTX *mem_ctx, const char *location,
 return NULL;
 }
- return talloc_strdup(mem_ctx, name);
+ return talloc_strdup(mem_ctx, location);
 }
 errno_t
--
2.1.0
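Review bot: The lookup through get_ccache_name_by_principal() runs before create_ccache(), which is the call that is handed kr->uid and kr->gid. If the switch to the user's identity happens inside create_ccache() (not visible in this hunk), the collection named by kr->ccname is resolved and searched with whatever privileges the child starts with. For a DIR: collection in a user-writable location that ordering should be confirmed, or the lookup moved so that it runs under the target uid. Separately, the fallback `cc_name = kr->ccname;` is taken silently for every NULL return, including the ENOMEM path of the helper; a trace-level message in that branch would make the fallback visible in logs. get_and_save_tgt() starts and ends outside this hunk.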
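Review bot: In the second krb5_utils.c hunk, `name` becomes a by-product of the validity check in cc_dir_cache_for_princ(), and nothing in the visible lines releases it, so the string allocated by krb5_cc_get_full_name() appears to leak on every successful call. It should be released with `krb5_free_string(context, name);` while `context` is still valid, i.e. before `krb5_free_context(context);` in the first krb5_utils.c hunk, and only when `krberr` is 0. New-file lines 1176-1178 lie between the two hunks and are not shown, so confirm it is not already freed there. The comment added in the first hunk reads as if it describes cc_dir_cache_for_princ() itself; `/* krb5_cc_get_full_name() is called only to validate the matched cache; the collection location is what gets returned. */` states the intent more precisely.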