URL: https://github.com/freeipa/freeipa/pull/805 Author: simo5 Title: #805: Fix rare race condition with missing ccache file Action: synchronized
From 9abfd06c430e6ffdffd6a8044c80a8b05d349509 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Mon, 22 May 2017 10:56:41 -0400
Subject: [PATCH] Fix rare race condition with missing ccache file

In some circumstances the ccache file may disappear while mod_auth_gssapi still has a valid cookie and the client is performing a json server call. This may lead to credentials getting sourced from the keytab. Make sure we enforce what GSS NAME we want to resolve so HTTP creds are never mistakenly sourced.

Ticket: #6972

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipaserver/rpcserver.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 4cde2815a0..32f286148b 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -777,8 +777,17 @@ def __call__(self, environ, start_response):
             self.debug('no ccache, need login')
             return self.need_login(start_response)
 
+        # If we have a ccache, make sure we have a GSS_NAME and use
+        # it to resolve the ccache name (Issue: 6972 )
+        principal = environ.get('GSS_NAME')
+        if principal is None:
+            self.debug('no GSS Name, need login')
+            return self.need_login(start_response)
+        gss_name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
+
         # Redirect to login if Kerberos credentials are expired
-        creds = get_credentials_if_valid(ccache_name=ccache_name)
+        creds = get_credentials_if_valid(name=gss_name,
+                                         ccache_name=ccache_name)
         if not creds:
             self.debug('ccache expired, deleting session, need login')
             # The request is finished with the ccache, destroy it.
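Review bot: The `if principal is None` guard in the new block lets an empty `GSS_NAME` string through to `gssapi.Name(...)`, and a value that krb5 cannot parse as a principal would raise a `GSSError` out of `__call__` instead of sending the client back to login, so `if not principal:` plus a `try`/`except gssapi.exceptions.GSSError` around the name import would keep this failure path consistent with the `need_login` branches on either side of it. Whether mod_auth_gssapi can actually hand over an empty or unparsable `GSS_NAME` is not visible from this hunk, so this is defensive rather than a known bug. The hunk adds no import, so it presumably relies on `gssapi` already being imported at module scope in rpcserver.py. Since the call now passes `name=`, a ccache holding a different principal presumably ends up in the `if not creds` branch as well, so the comment above it could read `# Redirect to login if the ccache is expired or does not hold creds for GSS_NAME` rather than only mentioning expiry. `__call__` begins and ends outside the hunk.
```python
        principal = environ.get('GSS_NAME')
        if not principal:
            self.debug('no GSS Name, need login')
            return self.need_login(start_response)
        try:
            gss_name = gssapi.Name(principal,
                                   gssapi.NameType.kerberos_principal)
        except gssapi.exceptions.GSSError:
            self.debug('invalid GSS Name, need login')
            return self.need_login(start_response)
        # … unchanged: get_credentials_if_valid call and expiry handling …
```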