[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
kinit -4 -R
OK, hopefully no embarressing oversight this time. :)
kinit -4 -R doesn't work; when the -R switch is passed it simply renews krb5
tickets and exist. I set out to fix this, but ran into the problem that no
matter what I did, it always seemed that the krb4 tickets would begin when
the *initial* krb5 authentication was done, not the renewal. I tracked this
down to krb524_convert_creds_kdc in convert_creds.c; it was doing
v4creds->issue_date = v5_creds->times.authtime;
Changing this to
v4creds->issue_date = v5_creds->times.starttime;
made things much happier. Attached are the patch to kinit.c and the
(trivial) patch to convert_creds.c. I'm not 100% positive on whether it's
the right way to do things in kinit.c (in particular I'm not sure how it
relates to the "validate" switch in kinit), but it works for me.
--
..ooOO chris@chiappa.net | My opinions are my own OOoo..
..ooOO Chris.Chiappa@oracle.com | and certainly not those OOoo..
..ooOO http://www.chiappa.net/~chris/ | of my employer OOoo..
--- convert_creds.c.orig Tue Jul 11 15:30:04 2000
+++ convert_creds.c Sat Mar 10 12:31:31 2001
@@ -217,7 +217,7 @@
v4creds->instance,
v4creds->realm);
if(ret) goto out;
- v4creds->issue_date = v5_creds->times.authtime;
+ v4creds->issue_date = v5_creds->times.starttime;
v4creds->lifetime = _krb_time_to_life(v4creds->issue_date,
v5_creds->times.endtime);
ret = krb5_524_conv_principal(context, v5_creds->client,
--- kinit.c.orig Sat Feb 24 10:54:07 2001
+++ kinit.c Sat Mar 10 12:47:28 2001
@@ -252,6 +252,31 @@
exit (ret);
}
+static void
+convert_524(krb5_context context,
+ krb5_ccache cache,
+ krb5_creds *creds)
+{
+ CREDENTIALS c;
+ int tret, cret;
+
+ if(!get_v4_tgt)
+ return;
+
+ cret = krb524_convert_creds_kdc(context, cache, creds, &c);
+ if(cret)
+ krb5_warn(context, cret, "converting creds");
+ else
+ {
+ tret = tf_setup(&c, c.pname, c.pinst);
+ if(tret)
+ warnx("saving v4 creds: %s", krb_get_err_text(tret));
+ }
+ memset(&c, 0, sizeof(c));
+
+ return;
+}
+
static int
renew_validate(krb5_context context,
int renew,
@@ -314,6 +339,17 @@
goto out;
}
ret = krb5_cc_store_cred(context, cache, out);
+
+#ifdef KRB4
+ if(!ret)
+ {
+ convert_524(context, cache, out);
+
+ if(do_afslog && k_hasafs())
+ krb5_afslog(context, cache, NULL, NULL);
+ }
+#endif
+
krb5_free_creds (context, out);
if(ret) {
krb5_warn(context, ret, "krb5_cc_store_cred");
@@ -561,11 +597,16 @@
#ifdef KRB4
if(get_v4_tgt) {
CREDENTIALS c;
+ int tret;
ret = krb524_convert_creds_kdc(context, ccache, &cred, &c);
if(ret)
krb5_warn(context, ret, "converting creds");
else
- tf_setup(&c, c.pname, c.pinst);
+ {
+ tret = tf_setup(&c, c.pname, c.pinst);
+ if(tret)
+ warnx("saving v4 creds: %s", krb_get_err_text(tret));
+ }
memset(&c, 0, sizeof(c));
}
if(do_afslog && k_hasafs())