kinit: Make default-for-princ behavior optional
We can't just default to using the krb5_cc_default_for() ccache for a principal -- that breaks a number of uses of kinit.
@@ -40,6 +40,7 @@
|
||||
.Sh SYNOPSIS
|
||||
.Nm kinit
|
||||
.Op Fl Fl no-change-default
|
||||
.Op Fl Fl default-for-principal
|
||||
.Op Fl Fl afslog
|
||||
.Oo Fl c Ar cachename \*(Ba Xo
|
||||
.Fl Fl cache= Ns Ar cachename
|
||||
@@ -114,6 +115,32 @@ the name of the principal whose credentials are stored therein. This
|
||||
option is ignored if the
|
||||
.Fl c Ar cachename | Fl Fl cache= Ns Ar cachename
|
||||
option is given.
|
||||
See also
|
||||
.Xr kswitch 1 .
|
||||
.It Fl Fl default-for-principal
|
||||
If this option is given and
|
||||
.Fl c Ar cachename | Fl Fl cache= Ns Ar cachename
|
||||
is not given, then the cache that will be used will be one that
|
||||
is appropriate for the client principal. For example, if the
|
||||
default cache type is
|
||||
.Ar FILE
|
||||
then the default cache may be either
|
||||
.Ar FILE:/tmp/krb5cc_%{uid}+%{principal_name}
|
||||
or
|
||||
.Ar FILE:/tmp/krb5cc_%{uid}
|
||||
if the principal is the default principal for the user, meaning
|
||||
that it is of rht form
|
||||
.Ar ${USER}@${user_realm}
|
||||
or
|
||||
.Ar ${USER}@${default_realm} .
|
||||
This option implies
|
||||
.Fl Fl no-change-default
|
||||
unless
|
||||
.Fl Fl change-default
|
||||
is given. Caches for the user can be listed with the
|
||||
.Fl l
|
||||
option to
|
||||
.Xr klist 1 .
|
||||
.It Fl f Fl Fl forwardable
|
||||
Obtain a ticket than can be forwarded to another host.
|
||||
.It Fl F Fl Fl no-forwardable
|
||||
@@ -253,6 +280,7 @@ the default being
|
||||
.Sh SEE ALSO
|
||||
.Xr kdestroy 1 ,
|
||||
.Xr klist 1 ,
|
||||
.Xr kswitch 1 ,
|
||||
.Xr krb5_appdefault 3 ,
|
||||
.Xr krb5.conf 5
|
||||
.\".Sh STANDARDS
|
||||
|
@@ -64,7 +64,8 @@ char *server_str = NULL;
|
||||
static krb5_principal tgs_service;
|
||||
char *cred_cache = NULL;
|
||||
char *start_str = NULL;
|
||||
static int switch_cache_flags = 1;
|
||||
static int switch_cache_flags = -1;
|
||||
static int default_for = 0;
|
||||
struct getarg_strings etype_str;
|
||||
int use_keytab = 0;
|
||||
char *keytab_str = NULL;
|
||||
@@ -191,6 +192,9 @@ static struct getargs args[] = {
|
||||
{ "change-default", 0, arg_negative_flag, &switch_cache_flags,
|
||||
NP_("switch the default cache to the new credentials cache", ""), NULL },
|
||||
|
||||
{ "default-for-principal", 0, arg_negative_flag, &default_for,
|
||||
NP_("use a default cache appropriate for the client principal name", ""), NULL },
|
||||
|
||||
{ "ok-as-delegate", 0, arg_flag, &ok_as_delegate_flag,
|
||||
NP_("honor ok-as-delegate on tickets", ""), NULL },
|
||||
|
||||
@@ -1364,7 +1368,6 @@ main(int argc, char **argv)
|
||||
#endif
|
||||
krb5_boolean unique_ccache = FALSE;
|
||||
krb5_boolean historical_anon_pkinit = FALSE;
|
||||
krb5_boolean default_for = FALSE;
|
||||
int anonymous_pkinit = FALSE;
|
||||
|
||||
setprogname(argv[0]);
|
||||
@@ -1493,11 +1496,19 @@ main(int argc, char **argv)
|
||||
krb5_cc_get_name(context, ccache));
|
||||
setenv("KRB5CCNAME", s, 1);
|
||||
unique_ccache = TRUE;
|
||||
} else {
|
||||
} else if (default_for) {
|
||||
ret = krb5_cc_default_for(context, principal, &ccache);
|
||||
default_for = TRUE;
|
||||
if (switch_cache_flags == -1)
|
||||
switch_cache_flags = 0;
|
||||
} else {
|
||||
ret = krb5_cc_default(context, &ccache);
|
||||
if (switch_cache_flags == -1)
|
||||
switch_cache_flags = 0;
|
||||
}
|
||||
|
||||
if (switch_cache_flags == -1)
|
||||
switch_cache_flags = 1;
|
||||
|
||||
if (ret)
|
||||
krb5_err(context, 1, ret, N_("resolving credentials cache", ""));
|
||||
|
||||
@@ -1535,7 +1546,8 @@ main(int argc, char **argv)
|
||||
|
||||
if (renew_flag || validate_flag) {
|
||||
ret = renew_validate(context, renew_flag, validate_flag,
|
||||
&ccache, principal, default_for, server_str,
|
||||
&ccache, principal,
|
||||
default_for ? TRUE : FALSE, server_str,
|
||||
ticket_life);
|
||||
|
||||
#ifndef NO_AFS
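Review bot: The new `default-for-principal` entry in `args[]` is declared `arg_negative_flag`, the same type as `change-default` just above it, although `default_for` starts at 0 and the man page documents the positive spelling `--default-for-principal`. If getarg treats that type as a default-on option (advertised as `--no-…` in usage output), the help text will contradict the manual; `{ "default-for-principal", 0, arg_flag, &default_for,` looks like the intended declaration, which is worth confirming against getarg. Separately, `switch_cache_flags` now uses -1 as an "unset" sentinel that main() resolves in three places, so a comment at its definition such as `/* -1 = not given on the command line; resolved in main() once the ccache is chosen */` would make it easier to see which cache ends up as the default. Both `args[]` and `main()` extend beyond the hunks shown.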
|
||||
|
@@ -139,8 +139,8 @@ export KRB5_CONFIG
|
||||
unset KRB5CCNAME
|
||||
rm -rf ${objdir}/kt ${objdir}/cc_dir
|
||||
mkdir ${objdir}/cc_dir || { ec=1 ; eval "${testfailed}"; }
|
||||
${kinit} foo@${R} || { ec=1 ; eval "${testfailed}"; }
|
||||
${kinit} --no-change-default bar@${R} || { ec=1 ; eval "${testfailed}"; }
|
||||
${kinit} --default-for-principal foo@${R} || { ec=1 ; eval "${testfailed}"; }
|
||||
${kinit} --default-for-principal --no-change-default bar@${R} || { ec=1 ; eval "${testfailed}"; }
|
||||
primary=`cat ${objdir}/cc_dir/primary`
|
||||
[ "x$primary" = xtkt.foo@${R} ] || { ec=1 ; eval "${testfailed}"; }
|
||||
${klist} -l |
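Review bot: Both existing kinit invocations are replaced with `--default-for-principal` variants, so this block no longer runs a plain `${kinit} foo@${R} || { ec=1 ; eval "${testfailed}"; }`, which is the default path whose breakage the commit message cites. Keeping one invocation without the flag, followed by a check of which cache received the ticket, would guard against tickets silently landing in a per-principal cache again; other parts of the script outside this hunk may already cover it. The `${klist} -l |` pipeline at the end continues past the hunk.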
|
||||
|