Hi,

this patch is the first step to solve #304. It adds some more
information into an empty ticket. I think this is as much we can do to
make krb5-auth-dialog happy, because krb5-auth-dialog overwrites the
client principal found in the ccache with its own data in
ka_parse_name(). This data is either just the user name (in which case the realm
is added by the Kerberos libraries from default_realm in krb5.conf), or, if
one is set, the principal configured with krb5-auth-dialog-preferences.

For a quick fix there are two possibilities:
- set the default_realm in krb5.conf or
- set the principal with krb5-auth-dialog-preferences

Additionally I'll try to contact the authors of krb5-auth-dialog to see
if they agree to try the principal found in the ccache file when no
principal is explicitly set, and to use the user name only as a fallback.

bye,
Sumit
From d8cd00633bbf81a2726dc4f87cb72dd6aa6a9bf3 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Mon, 7 Dec 2009 15:07:26 +0100
Subject: [PATCH] Add dummy credentials to an empty ccache file

Applications like krb5-auth-dialog might get confused if there is a
credential cache file without any credentials in it. This patch adds an
expired credential where only the client and the server principal are
set. The client principal is the user's principal and the server
principal corresponds to a TGT principal of the realm the user belongs
to.
---
 server/providers/krb5/krb5_child.c |   56 ++++++++++++++++++++++++++++++++++-
 1 files changed, 54 insertions(+), 2 deletions(-)

diff --git a/server/providers/krb5/krb5_child.c 
b/server/providers/krb5/krb5_child.c
index c0e9fbf..2f48574 100644
--- a/server/providers/krb5/krb5_child.c
+++ b/server/providers/krb5/krb5_child.c
@@ -98,6 +98,49 @@ static const char *__krb5_error_msg;
     sss_krb5_free_error_message(krb5_error_ctx, __krb5_error_msg); \
 } while(0);
 
+static krb5_error_code create_empty_cred(struct krb5_req *kr, krb5_creds 
**_cred)
+{
+    krb5_error_code kerr;
+    krb5_creds *cred = NULL;
+    krb5_data *krb5_realm;
+
+    cred = calloc(sizeof(krb5_creds), 1);
+    if (cred == NULL) {
+        DEBUG(1, ("calloc failed.\n"));
+        return ENOMEM;
+    }
+
+    kerr = krb5_copy_principal(kr->ctx, kr->princ, &cred->client);
+    if (kerr != 0) {
+        DEBUG(1, ("krb5_copy_principal failed.\n"));
+        goto done;
+    }
+
+    krb5_realm = krb5_princ_realm(kr->ctx, kr->princ);
+
+    kerr = krb5_build_principal_ext(kr->ctx, &cred->server,
+                                    krb5_realm->length, krb5_realm->data,
+                                    KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME,
+                                    krb5_realm->length, krb5_realm->data, 0);
+    if (kerr != 0) {
+        DEBUG(1, ("krb5_build_principal_ext failed.\n"));
+        goto done;
+    }
+
+done:
+    if (kerr != 0) {
+        if (cred != NULL && cred->client != NULL) {
+            krb5_free_principal(kr->ctx, cred->client);
+        }
+
+        free(cred);
+    } else {
+        *_cred = cred;
+    }
+
+    return kerr;
+}
+
 static krb5_error_code create_ccache_file(struct krb5_req *kr, krb5_creds 
*creds)
 {
     krb5_error_code kerr;
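Review bot: create_empty_cred hands a heap-allocated krb5_creds to the caller through _cred, but nothing says how it must be released, and the credential it builds has only the client and server principals set with every other field left zero from calloc. Add a header comment above the function such as `/* Build a placeholder credential: client principal plus the realm's TGT principal, all other fields zero so it reads as expired. On success *_cred is caller-owned and must be released with krb5_free_creds(). */`. Two smaller points in the same hunk: `calloc(sizeof(krb5_creds), 1)` has its arguments in the unusual order, and `cred = calloc(1, sizeof *cred);` is the conventional form; the `cred != NULL` test under `done:` is always true there, because the calloc failure returns before the label is reached.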
@@ -107,6 +150,7 @@ static krb5_error_code create_ccache_file(struct krb5_req 
*kr, krb5_creds *creds
     size_t ccname_len;
     char *dummy;
     char *tmp_ccname;
+    krb5_creds *l_cred;
 
     if (strncmp(kr->ccname, "FILE:", 5) == 0) {
         cc_file_name = kr->ccname + 5;
@@ -149,12 +193,20 @@ static krb5_error_code create_ccache_file(struct krb5_req 
*kr, krb5_creds *creds
         fd = -1;
     }
 
-    if (creds != NULL) {
-        kerr = krb5_cc_store_cred(kr->ctx, tmp_cc, creds);
+    if (creds == NULL) {
+        kerr = create_empty_cred(kr, &l_cred);
         if (kerr != 0) {
             KRB5_DEBUG(1, kerr);
             goto done;
         }
+    } else {
+        l_cred = creds;
+    }
+
+    kerr = krb5_cc_store_cred(kr->ctx, tmp_cc, l_cred);
+    if (kerr != 0) {
+        KRB5_DEBUG(1, kerr);
+        goto done;
     }
 
     kerr = krb5_cc_close(kr->ctx, tmp_cc);
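Review bot: When creds is NULL the credential returned by create_empty_cred is stored but never released in the visible lines, and a failing krb5_cc_store_cred jumps to done with it still allocated; create_ccache_file's done: cleanup is outside this hunk, so unless it already frees the dummy credential it leaks. Since the earlier hunk declares `krb5_creds *l_cred;` without an initializer, change that to `krb5_creds *l_cred = NULL;` and release the dummy in the cleanup with `if (l_cred != NULL && l_cred != creds) krb5_free_creds(kr->ctx, l_cred);`, which leaves caller-supplied creds untouched. The cost is small in a short-lived process, but it keeps the ownership contract of create_empty_cred explicit.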
-- 
1.6.5.2
