oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Fix kinit renew vs. new strategy.

Browse Source 
The previous code never obtained a new TGT when -l was not used.
This commit is contained in:
Viktor Dukhovni
2013-09-23 10:58:52 -04:00
parent dae1a38d80
commit 2ccdebdacc
1 changed files with 19 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
kuser/kinit.c
View File

@@ -870,6 +870,7 @@ struct renew_ctx {
krb5_ccache ccache; krb5_ccache ccache;
krb5_principal principal; krb5_principal principal;
krb5_deltat ticket_life; krb5_deltat ticket_life;
krb5_deltat timeout;
}; };
static time_t static time_t
@@ -879,9 +880,6 @@ renew_func(void *ptr)
struct renew_ctx *ctx = ptr; struct renew_ctx *ctx = ptr;
time_t renew_expire; time_t renew_expire;
static time_t exp_delay = 1; static time_t exp_delay = 1;
#ifndef NO_AFS;
size_t got_tix = 0;
#endif
/* /*
* NOTE: We count on the ccache implementation to notice changes to the * NOTE: We count on the ccache implementation to notice changes to the
@@ -894,28 +892,28 @@ renew_func(void *ptr)
expire = ticket_lifetime(ctx->context, ctx->ccache, ctx->principal, expire = ticket_lifetime(ctx->context, ctx->ccache, ctx->principal,
server_str, &renew_expire); server_str, &renew_expire);
/*
* When a keytab is available to obtain new tickets, if we are within
* half of the original ticket lifetime of the renew limit, get a new
* TGT instead of renewing the existing TGT. Note, ctx->ticket_life
* is zero by default (without a '-l' option) and cannot be used to
* set the time scale on which we decide whether we're "close to the
* renew limit".
*/
if (use_keytab || keytab_str)
expire += ctx->timeout;
if (renew_expire > expire) { if (renew_expire > expire) {
ret = renew_validate(ctx->context, 1, validate_flag, ctx->ccache, ret = renew_validate(ctx->context, 1, validate_flag, ctx->ccache,
server_str, ctx->ticket_life); server_str, ctx->ticket_life);
expire = ticket_lifetime(ctx->context, ctx->ccache, ctx->principal, } else {
server_str, &renew_expire); ret = get_new_tickets(ctx->context, ctx->principal, ctx->ccache,
#ifndef NO_AFS ctx->ticket_life, 0);
got_tix = ret == 0;
#endif
}
if (expire < ctx->ticket_life / 2) {
ret = get_new_tickets(ctx->context, ctx->principal,
ctx->ccache, ctx->ticket_life, 0);
expire = ticket_lifetime(ctx->context, ctx->ccache, ctx->principal,
server_str, &renew_expire);
#ifndef NO_AFS
got_tix = got_tix || ret == 0;
#endif
} }
expire = ticket_lifetime(ctx->context, ctx->ccache, ctx->principal,
server_str, &renew_expire);
#ifndef NO_AFS #ifndef NO_AFS
if (got_tix && server_str == NULL && do_afslog && k_hasafs()) if (ret == 0 && server_str == NULL && do_afslog && k_hasafs())
krb5_afslog(ctx->context, ctx->ccache, NULL, NULL); krb5_afslog(ctx->context, ctx->ccache, NULL, NULL);
#endif #endif
@@ -1013,7 +1011,7 @@ get_user_realm(krb5_context context)
} }
if (*user_realm == 0) { if (*user_realm == 0) {
free(user_realm); free(user_realm);
user_realm = NULL; user_realm = NULL;
} }
@@ -1329,6 +1327,7 @@ main(int argc, char **argv)
ctx.ccache = ccache; ctx.ccache = ccache;
ctx.principal = principal; ctx.principal = principal;
ctx.ticket_life = ticket_life; ctx.ticket_life = ticket_life;
ctx.timeout = timeout;
#ifdef HAVE_SIGACTION #ifdef HAVE_SIGACTION
memset(&sa, 0, sizeof(sa)); memset(&sa, 0, sizeof(sa));