Red Hat Bugzilla – Attachment 1973430 Details for Bug 2214399: regression: autofs fails to renew kerberos ticket
[patch] proof-of-concept patch which clears the cache if an expired ticket can be found in it
autofs-5.1.8-clear-expired-kerberos-tickets.patch (text/plain), 2.24 KB, created by Ian Collier on 2023-06-30 17:03:26 UTC
>--- a/modules/cyrus-sasl.c 2023-03-29 01:00:00.000000000 +0100 >+++ b/modules/cyrus-sasl.c 2023-06-29 15:43:54.370701495 +0100 >@@ -52,6 +52,7 @@ > #include <stdlib.h> > #include <string.h> > #include <sasl/sasl.h> >+#include <time.h> > > #include "automount.h" > #include "lookup_ldap.h" >@@ -509,6 +510,43 @@ > debug(logopt, "Using tgs name %s", tgs_name); > > memset(&my_creds, 0, sizeof(my_creds)); >+ >+ if (krb5cc_in_use++ == 0) { >+ /* tell the cache what the default principal is */ >+ ret = krb5_cc_initialize(ctxt->krb5ctxt, >+ ctxt->krb5_ccache, krb5_client_princ); >+ >+ if (ret) { >+ --krb5cc_in_use; >+ error(logopt, >+ "krb5_cc_initialize failed with error %d", ret); >+ goto out_cleanup_unparse; >+ } >+ } >+ else { >+ /* even if the cache is in use, we will clear it if it >+ * contains an expired credential for our principal, >+ * because Kerberos doesn't always work well with caches >+ * that contain both expired and valid credentials */ >+ krb5_creds match_creds, out_creds; >+ memset(&match_creds, 0, sizeof match_creds); >+ match_creds.client = krb5_client_princ; >+ match_creds.server = tgs_princ; >+ ret = krb5_cc_retrieve_cred(ctxt->krb5ctxt, ctxt->krb5_ccache, >+ 0, &match_creds, &out_creds); >+ if (ret == 0 && (time_t)out_creds.times.endtime < time(NULL)) { >+ debug(logopt, >+ "calling krb5_cc_initialize to clear expired tickets"); >+ ret = krb5_cc_initialize(ctxt->krb5ctxt, >+ ctxt->krb5_ccache, krb5_client_princ); >+ if (ret) >+ warn(logopt, >+ "krb5_cc_initialize failed with error %d " >+ "while trying to clear existing cache", >+ ret); >+ } >+ } >+ > ret = krb5_get_init_creds_keytab(ctxt->krb5ctxt, &my_creds, > krb5_client_princ, > NULL /*keytab*/, 
>@@ -521,18 +559,7 @@ > goto out_cleanup_unparse; > } > >- if (krb5cc_in_use++ == 0) >- /* tell the cache what the default principal is */ >- ret = krb5_cc_initialize(ctxt->krb5ctxt, >- ctxt->krb5_ccache, krb5_client_princ); >- >- if (ret) { >- error(logopt, >- "krb5_cc_initialize failed with error %d", ret); >- goto out_cleanup_creds; >- } >- >- /* and store credentials for that principal */ >+ /* and store credentials for our principal */ > ret = krb5_cc_store_cred(ctxt->krb5ctxt, ctxt->krb5_ccache, &my_creds); > if (ret) { > error(logopt,
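Review bot: in the hunk at @@ -509,6 +510,43 @@, `krb5cc_in_use++` now runs before `krb5_get_init_creds_keytab()`, and only the `krb5_cc_initialize` failure branch undoes it with `--krb5cc_in_use`. The keytab failure path visible just below jumps to the same `out_cleanup_unparse` label with no decrement, so a failed credential fetch would leave the counter one too high unless that label handles it. Either decrement on that path as well, or keep the increment after the credentials have been obtained. In the else branch of the same hunk, `out_creds` filled by a successful `krb5_cc_retrieve_cred()` is never released; call `krb5_free_cred_contents(ctxt->krb5ctxt, &out_creds)` once `times.endtime` has been read, otherwise every pass through this branch leaks the credential contents.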
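Review bot: with the `krb5_cc_initialize` call removed from this position (@@ -521,18 +559,7 @@), the cache is now initialized or cleared before `krb5_get_init_creds_keytab()` has succeeded instead of after. If the keytab request then fails, a cache that is still counted as in use (`krb5cc_in_use` above zero) has already been emptied in the expired-ticket case. Consider fetching the new credentials first and only then reinitializing and calling `krb5_cc_store_cred`, so that a failed renewal leaves the existing cache untouched.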