Hi,

David Woodhouse identified an issue with Kerberos ticket renewal.
The two attached patches fix two issues related to the authtok refactoring;
with them applied, renewal works for me again.

bye,
Sumit
From 0f2fb036a9f3b7ef0a64fdfc17869b2d6b673334 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Mon, 24 Jun 2013 14:44:00 +0200
Subject: [PATCH 1/2] KRB5: use the right authtok type for renewals

---
 src/providers/krb5/krb5_auth.c |   23 ++++++++++++++++++++---
 1 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index f6acfb4..dfd22f7 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -493,10 +493,13 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
 
     switch (pd->cmd) {
         case SSS_PAM_AUTHENTICATE:
-        case SSS_CMD_RENEW:
         case SSS_PAM_CHAUTHTOK:
             if (sss_authtok_get_type(pd->authtok) != 
SSS_AUTHTOK_TYPE_PASSWORD) {
-                DEBUG(1, ("Missing authtok for user [%s].\n", pd->user));
+                DEBUG(SSSDBG_CRIT_FAILURE,
+                      ("Wrong authtok type for user [%s]. " \
+                       "Expected [%d], got [%d]\n", pd->user,
+                          SSS_AUTHTOK_TYPE_PASSWORD,
+                          sss_authtok_get_type(pd->authtok)));
                 state->pam_status = PAM_SYSTEM_ERR;
                 state->dp_err = DP_ERR_FATAL;
                 ret = EINVAL;
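Review bot: The new DEBUG call in the SSS_PAM_AUTHENTICATE / SSS_PAM_CHAUTHTOK branch has a stray `\` after the first string literal. Adjacent literals concatenate without it, so `("Wrong authtok type for user [%s]. "` can simply end the line. The same "Wrong authtok type" block is repeated in the SSS_CMD_RENEW case added by the next hunk, differing only in the expected type. Setting a local `expected_type` per case and running one shared check would keep the two error paths from drifting apart and avoid calling sss_authtok_get_type() twice. krb5_auth_send starts and ends outside the hunk.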
@@ -506,13 +509,27 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
         case SSS_PAM_CHAUTHTOK_PRELIM:
             if (pd->priv == 1 &&
                 sss_authtok_get_type(pd->authtok) != 
SSS_AUTHTOK_TYPE_PASSWORD) {
-                DEBUG(4, ("Password reset by root is not supported.\n"));
+                DEBUG(SSSDBG_MINOR_FAILURE,
+                      ("Password reset by root is not supported.\n"));
                 state->pam_status = PAM_PERM_DENIED;
                 state->dp_err = DP_ERR_OK;
                 ret = EOK;
                 goto done;
             }
             break;
+        case SSS_CMD_RENEW:
+            if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_CCFILE) {
+                DEBUG(SSSDBG_CRIT_FAILURE,
+                      ("Wrong authtok type for user [%s]. " \
+                       "Expected [%d], got [%d]\n", pd->user,
+                          SSS_AUTHTOK_TYPE_CCFILE,
+                          sss_authtok_get_type(pd->authtok)));
+                state->pam_status = PAM_SYSTEM_ERR;
+                state->dp_err = DP_ERR_FATAL;
+                ret = EINVAL;
+                goto done;
+            }
+            break;
         default:
             DEBUG(4, ("Unexpected pam task %d.\n", pd->cmd));
             state->pam_status = PAM_SYSTEM_ERR;
-- 
1.7.7.6

From ac2c8c7ac66678e818f57ddd1d2fce946dfa7221 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Mon, 24 Jun 2013 15:41:37 +0200
Subject: [PATCH 2/2] Fix typo in pack_authtok()

---
 src/providers/krb5/krb5_child_handler.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/providers/krb5/krb5_child_handler.c 
b/src/providers/krb5/krb5_child_handler.c
index 0b8cd6b..292ba00 100644
--- a/src/providers/krb5/krb5_child_handler.c
+++ b/src/providers/krb5/krb5_child_handler.c
@@ -106,7 +106,7 @@ static errno_t pack_authtok(struct io_buffer *buf, size_t 
*rp,
         auth_token_length = len + 1;
         break;
     case SSS_AUTHTOK_TYPE_CCFILE:
-        ret = sss_authtok_get_password(tok, &data, &len);
+        ret = sss_authtok_get_ccfile(tok, &data, &len);
         auth_token_length = len + 1;
         break;
     default:
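Review bot: In the SSS_AUTHTOK_TYPE_CCFILE case `auth_token_length = len + 1;` runs before `ret` is examined. If sss_authtok_get_ccfile() fails without writing `len`, the addition reads an indeterminate value that may later be used as a copy length. The preceding case, partly visible at the top of the hunk, ends the same way. Guarding the assignment with `if (ret == EOK) auth_token_length = len + 1;`, or initialising `len` to 0 where it is declared, removes the dependence on how the getter behaves on error. Whether `ret` is checked after the switch is outside the hunk, as is the rest of pack_authtok. Since the wrong getter went unnoticed until renewal broke, a unit test that packs a CCFILE token would catch a regression here.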
-- 
1.7.7.6
