
kinit -4 -R



OK, hopefully no embarrassing oversight this time. :)
kinit -4 -R doesn't work; when the -R switch is passed it simply renews krb5
tickets and exits.  I set out to fix this, but ran into the problem that no
matter what I did, it always seemed that the krb4 tickets would begin when
the *initial* krb5 authentication was done, not the renewal.  I tracked this
down to krb524_convert_creds_kdc in convert_creds.c; it was doing
     v4creds->issue_date = v5_creds->times.authtime;
Changing this to
     v4creds->issue_date = v5_creds->times.starttime;
made things much happier.  Attached are the patch to kinit.c and the
(trivial) patch to convert_creds.c.  I'm not 100% positive on whether it's
the right way to do things in kinit.c (in particular I'm not sure how it
relates to the "validate" switch in kinit), but it works for me.

-- 

..ooOO chris@chiappa.net              | My opinions are my own  OOoo..
..ooOO Chris.Chiappa@oracle.com       | and certainly not those OOoo..
..ooOO http://www.chiappa.net/~chris/ | of my employer          OOoo..
--- convert_creds.c.orig	Tue Jul 11 15:30:04 2000
+++ convert_creds.c	Sat Mar 10 12:31:31 2001
@@ -217,7 +217,7 @@
 				      v4creds->instance, 
 				      v4creds->realm);
 	if(ret) goto out;
-	v4creds->issue_date = v5_creds->times.authtime;
+	v4creds->issue_date = v5_creds->times.starttime;
 	v4creds->lifetime = _krb_time_to_life(v4creds->issue_date,
 					      v5_creds->times.endtime);
 	ret = krb5_524_conv_principal(context, v5_creds->client, 
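Review bot: `issue_date` is now taken from `times.starttime` with no fallback, and starttime is an optional field in a Kerberos 5 ticket. If this path can ever see credentials where it was left at 0 (not determinable from the hunk), the v4 issue date and the lifetime computed from it on the next line would both be wrong. A guarded form such as `v4creds->issue_date = v5_creds->times.starttime ? v5_creds->times.starttime : v5_creds->times.authtime;` keeps the renewal fix and preserves the old behaviour otherwise. The enclosing function starts and ends outside the hunk.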
--- kinit.c.orig	Sat Feb 24 10:54:07 2001
+++ kinit.c	Sat Mar 10 12:47:28 2001
@@ -252,6 +252,31 @@
     exit (ret);
 }
 
+static void
+convert_524(krb5_context context,
+            krb5_ccache cache,
+            krb5_creds *creds)
+{
+    CREDENTIALS c;
+    int tret, cret;
+
+    if(!get_v4_tgt)
+        return;
+
+    cret = krb524_convert_creds_kdc(context, cache, creds, &c);
+    if(cret)
+        krb5_warn(context, cret, "converting creds");
+    else
+    {
+        tret = tf_setup(&c, c.pname, c.pinst);
+        if(tret)
+            warnx("saving v4 creds: %s", krb_get_err_text(tret));
+    }
+    memset(&c, 0, sizeof(c));
+    
+    return;
+}
+
 static int
 renew_validate(krb5_context context, 
 	       int renew,
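Review bot: convert_524 is defined outside any `#ifdef KRB4`, yet it uses `CREDENTIALS`, `krb524_convert_creds_kdc` and `tf_setup`, which the other two kinit.c hunks only touch inside `#ifdef KRB4`. A build without KRB4 would presumably fail here, so the whole definition should be wrapped in `#ifdef KRB4` / `#endif`. Separately, `memset(&c, 0, sizeof(c));` is the last access to a local holding the converted v4 credentials, so an optimizing compiler may drop it as a dead store. A wipe that cannot be elided (for example `explicit_bzero(&c, sizeof(c));` where the platform provides it) would be safer. The same memset appears as context in the `@@ -561,11 +597,16 @@` hunk.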
@@ -314,6 +339,17 @@
 	goto out;
     }
     ret = krb5_cc_store_cred(context, cache, out);
+
+#ifdef KRB4
+    if(!ret)
+    {
+        convert_524(context, cache, out);
+
+        if(do_afslog && k_hasafs())
+            krb5_afslog(context, cache, NULL, NULL);
+    }
+#endif
+
     krb5_free_creds (context, out);
     if(ret) {
 	krb5_warn(context, ret, "krb5_cc_store_cred");
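Review bot: The krb4 conversion and AFS login run after every successful `krb5_cc_store_cred` in renew_validate, and the added block never checks the `renew` argument, so they would also fire on the validate path rather than only for `-R`. If that is intended, a comment such as `/* refresh the v4 ticket and AFS token after a renew or validate */` would record the decision; if not, the guard should be `if(!ret && renew)`. The block also sits between the store call and its own `if(ret)` error report, and would read more naturally after that check. renew_validate's body starts and ends outside the hunk.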
@@ -561,11 +597,16 @@
 #ifdef KRB4
     if(get_v4_tgt) {
 	CREDENTIALS c;
+        int tret;
 	ret = krb524_convert_creds_kdc(context, ccache, &cred, &c);
 	if(ret)
 	    krb5_warn(context, ret, "converting creds");
 	else
-	    tf_setup(&c, c.pname, c.pinst);
+        {
+            tret = tf_setup(&c, c.pname, c.pinst);
+            if(tret)
+                warnx("saving v4 creds: %s", krb_get_err_text(tret));
+        }
 	memset(&c, 0, sizeof(c));
     }
     if(do_afslog && k_hasafs())
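Review bot: The rewritten `get_v4_tgt` block duplicates the new convert_524 helper almost line for line, so the tf_setup error handling and the credential wipe now live in two places that can drift apart. Since the helper already tests `get_v4_tgt`, the block could be replaced with `convert_524(context, ccache, &cred);`, provided nothing after the block relies on `ret` holding the conversion result. The added lines are also indented with spaces while the surrounding context uses tabs. The enclosing function starts and ends outside the hunk.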