Red Hat Bugzilla – Full Text Bug Listing
|Summary:||In the absence of KRB5CCNAME, use default credentials cache, like kinit|
|Product:||[Fedora] Fedora||Reporter:||Bojan Smojver <bojan>|
|Component:||pam_krb5||Assignee:||Nalin Dahyabhai <nalin>|
|Status:||CLOSED RAWHIDE||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Fixed In Version:||2.3.7-1||Doc Type:||Bug Fix|
|Last Closed:||2009-06-26 17:38:11 EDT||Type:||---|
Description Bojan Smojver 2009-06-24 20:30:20 EDT
Created attachment 349319 [details]
Set default ccname in the absence of KRB5CCNAME env variable

Description of problem:
PAM_REINITIALIZE_CRED only obeys the environment variable, but this variable may not be set. In that case, it should try default credentials cache, as specified in kinit manual page.

Version-Release number of selected component (if applicable):
2.3.6-1.fc12

How reproducible:
Always.

Steps to Reproduce:
1. Run src/harness --auth --setcred-reinitialize without KRB5CCNAME in the env.

Actual results:
Does not reissue the TGT.

Expected results:
Should reissue the TGT, if we have default CC.

Additional info:
May be related to bug #187485.
Comment 1 Bojan Smojver 2009-06-24 20:52:05 EDT
Created attachment 349321 [details]
Set default ccname in the absence of KRB5CCNAME env variable

Correct the comment.
Comment 2 Bojan Smojver 2009-06-24 23:25:50 EDT
Created attachment 349327 [details]
Set default ccname in the absence of KRB5CCNAME env variable

Add debugging code.
Comment 3 Bojan Smojver 2009-06-25 04:01:03 EDT
Created attachment 349355 [details]
Set default ccname in the absence of KRB5CCNAME env variable

Use PATH_MAX for the size of the ccname. Use snprintf() instead of sprintf().
Comment 4 Bojan Smojver 2009-06-25 05:25:20 EDT
Created attachment 349364 [details]
Set default ccname in the absence of KRB5CCNAME env variable

Although previous patches worked, it seems that the code differentiates between v5ccname and v5filename. So, this patch follows that rule.
Comment 5 Bojan Smojver 2009-06-25 21:54:15 EDT
Created attachment 349495 [details]
Set default ccname in the absence of KRB5CCNAME env variable

This patch improves a bit on the logic of the default ccname when reinitialising, by removing some unnecessary ifs.

However, the main change is that we now obey KRB5CCNAME in establish, if it exists in the environment. With this, src/harness --auth --establish actually issues the ticket specified in KRB5CCNAME. This is useful in situation where this environment variable is pre-set by an administrator.
Comment 6 Bojan Smojver 2009-06-25 23:05:37 EDT
Created attachment 349503 [details]
Set default ccname in the absence of KRB5CCNAME env variable

Use unsigned types for printing uid_t.
Comment 7 Nalin Dahyabhai 2009-06-26 13:29:56 EDT
(In reply to comment #5)
> Created an attachment (id=349495) [details]
> Set default ccname in the absence of KRB5CCNAME env variable

Better to use the krb5_cc_default_name() function for this, as it's what the libraries do.

> However, the main change is that we now obey KRB5CCNAME in establish, if it
> exists in the environment. With this, src/harness --auth --establish actually
> issues the ticket specified in KRB5CCNAME. This is useful in situation where
> this environment variable is pre-set by an administrator.

Um, no. That would overwrite my ccache irreversibly if I were to su to another user using pam_krb5, and if I'm reading the patch right, delete it when the su session was closed.
Comment 8 Nalin Dahyabhai 2009-06-26 17:19:32 EDT
Created attachment 349610 [details] patch to use krb5_cc_default_name() and do similar things for v4 tickets
Comment 9 Bojan Smojver 2009-06-26 19:01:23 EDT
Thanks. Not being too familiar with the code, I was just stumbling along there :-)
Comment 10 Nalin Dahyabhai 2009-06-29 13:49:23 EDT
No problem, and thanks for taking a stab at it regardless.
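Editor's added example, not taken from the attached patches or from pam_krb5: a libc-only sketch of the fallback this bug asks for (use KRB5CCNAME if set, otherwise a default cache name), with the points raised in comments 3, 4 and 6 and an ownership check that reflects the su concern in comment 7. The helper names and the default `FILE:/tmp/krb5cc_<uid>` are assumptions; as comment 7 says, real code should ask krb5_cc_default_name() instead of building the name by hand.

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumption: the traditional default cache name, FILE:/tmp/krb5cc_<uid>. */
#define DEFAULT_CC_FMT "FILE:/tmp/krb5cc_%lu"

/* Hypothetical helper: KRB5CCNAME value if set, else the default for uid.
 * Returns 0 on success, -1 if the name does not fit (no silent truncation). */
int resolve_ccname(const char *env, uid_t uid, char *out, size_t len)
{
    int n = (env != NULL && env[0] != '\0')
        ? snprintf(out, len, "%s", env)
        : snprintf(out, len, DEFAULT_CC_FMT, (unsigned long)uid);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Hypothetical helper: file path behind a FILE: cache name (a bare absolute
 * path is treated as FILE:); NULL for any other cache type. */
const char *ccname_to_filename(const char *ccname)
{
    if (strncmp(ccname, "FILE:", 5) == 0)
        return ccname + 5;
    return ccname[0] == '/' ? ccname : NULL;
}

/* 1 only if path is a regular file (not a symlink) owned by uid. */
int ccache_owned_by(const char *path, uid_t uid)
{
    struct stat st;
    if (path == NULL || lstat(path, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_uid == uid;
}

int main(void)
{
    char ccname[PATH_MAX];
    uid_t uid = getuid();
    if (resolve_ccname(getenv("KRB5CCNAME"), uid, ccname, sizeof(ccname)) != 0)
        return 1;
    const char *file = ccname_to_filename(ccname);
    printf("ccname=%s file=%s reinitialize=%s\n", ccname, file ? file : "(none)",
           ccache_owned_by(file, uid) ? "yes" : "skip");
    return 0;
}
```

The ownership check is what keeps a cache named by an inherited KRB5CCNAME, which may belong to the user who ran su, from being rewritten on behalf of a different target user.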