Created attachment 349319
Set default ccname in the absence of KRB5CCNAME env variable

Description of problem:
PAM_REINITIALIZE_CRED only obeys the environment variable, but this variable may not be set. In that case, it should try the default credentials cache, as specified in the kinit manual page.

Version-Release number of selected component (if applicable):
2.3.6-1.fc12

How reproducible:
Always.

Steps to Reproduce:
1. Run src/harness --auth --setcred-reinitialize without KRB5CCNAME in the env.

Actual results:
Does not reissue the TGT.

Expected results:
Should reissue the TGT, if we have a default CC.

Additional info:
May be related to bug #187485.

Created attachment 349321
Set default ccname in the absence of KRB5CCNAME env variable
Correct the comment.

Created attachment 349327
Set default ccname in the absence of KRB5CCNAME env variable
Add debugging code.

Created attachment 349355
Set default ccname in the absence of KRB5CCNAME env variable
Use PATH_MAX for the size of the ccname. Use snprintf() instead of sprintf().

Created attachment 349364
Set default ccname in the absence of KRB5CCNAME env variable
Although previous patches worked, it seems that the code differentiates between v5ccname and v5filename. So, this patch follows that rule.

Created attachment 349495
Set default ccname in the absence of KRB5CCNAME env variable
This patch improves a bit on the logic of the default ccname when reinitialising, by removing some unnecessary ifs. However, the main change is that we now obey KRB5CCNAME in establish, if it exists in the environment. With this, src/harness --auth --establish actually issues the ticket specified in KRB5CCNAME. This is useful in situations where this environment variable is pre-set by an administrator.

Created attachment 349503
Set default ccname in the absence of KRB5CCNAME env variable
Use unsigned types for printing uid_t.

(In reply to comment #5)
> Created an attachment (id=349495)
> Set default ccname in the absence of KRB5CCNAME env variable

Better to use the krb5_cc_default_name() function for this, as it's what the libraries do.

> However, the main change is that we now obey KRB5CCNAME in establish, if it
> exists in the environment. With this, src/harness --auth --establish actually
> issues the ticket specified in KRB5CCNAME. This is useful in situations where
> this environment variable is pre-set by an administrator.

Um, no. That would overwrite my ccache irreversibly if I were to su to another user using pam_krb5, and if I'm reading the patch right, delete it when the su session was closed.

Created attachment 349610
patch to use krb5_cc_default_name() and do similar things for v4 tickets

Thanks. Not being too familiar with the code, I was just stumbling along there :-)
No problem, and thanks for taking a stab at it regardless.
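
The rule the thread converges on, as an added example that is not part of the thread or of pam_krb5's code: a reinitialize may fall back to the default cache when KRB5CCNAME is unset, while an establish never reuses an inherited KRB5CCNAME. `cc_phase`, `resolve_ccname` and `ccache_owned_by` are hypothetical names, and the hard-coded `FILE:/tmp/krb5cc_<uid>` format is an assumed stand-in for `krb5_cc_default_name()` so the block builds without libkrb5.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Hypothetical names; they do not come from pam_krb5. */
enum cc_phase { CC_ESTABLISH, CC_REINITIALIZE };

/* Picks the cache name to refresh. Returns 0 on success, -1 on refusal
 * or if the name does not fit in out[len]. */
int resolve_ccname(enum cc_phase phase, uid_t target, char *out, size_t len)
{
    const char *env = getenv("KRB5CCNAME");
    int n;

    /* Establish: an inherited KRB5CCNAME may name the invoking user's cache
     * (the su case), so it is never reused; the caller makes a new cache. */
    if (phase != CC_REINITIALIZE)
        return -1;
    if (env != NULL && env[0] != '\0')
        n = snprintf(out, len, "%s", env);
    else /* assumed stand-in for krb5_cc_default_name(); uid_t cast to unsigned */
        n = snprintf(out, len, "FILE:/tmp/krb5cc_%lu", (unsigned long)target);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Returns 1 only for a FILE cache that is a regular file owned by target. */
int ccache_owned_by(const char *ccname, uid_t target)
{
    struct stat st;
    const char *path = ccname;

    if (strncmp(ccname, "FILE:", 5) == 0)
        path = ccname + 5;
    if (path[0] != '/')          /* other cache types are out of scope here */
        return 0;
    if (lstat(path, &st) != 0)   /* lstat: do not follow a planted symlink */
        return 0;
    return S_ISREG(st.st_mode) && st.st_uid == target;
}
```

A caller would run `ccache_owned_by()` on the resolved name before refreshing credentials, so a cache belonging to a different user is left untouched.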