
Detect when KRB5CCNAME changes for certain server scenarios

Consider a web application that authenticates clients using
gss_accept_sec_context, places the delegated credential into a file and
exports KRB5CCNAME. If the web application were to then call a library
function (e.g. ldap_sasl_bind_s) that also used Heimdal's GSSAPI it may
fail to find the credential.

The reason is that once lib/krb5/cache.c:krb5_cc_default_name sets
context->default_cc_name it is not set again by gss_* routines. So it
will work for the first client but not for subsequent clients.

Please consider the below patch. This will cause krb5_cc_set_default_name
to be called if KRB5CCNAME changes at all. It assumes getenv returns
the same address but if it does not the code is at least correct.


$ diff -Naur cache.c.0 cache.c
--- cache.c.0   2007-02-08 00:04:47.000000000 -0500
+++ cache.c     2007-02-08 00:06:05.000000000 -0500
@@ -389,8 +389,12 @@
 const char* KRB5_LIB_FUNCTION
 krb5_cc_default_name(krb5_context context)
-    if (context->default_cc_name == NULL)
+    static char *krb5ccname;
+    if (context->default_cc_name == NULL || krb5ccname != getenv("KRB5CCNAME")) {
        krb5_cc_set_default_name(context, NULL);
+        krb5ccname = getenv("KRB5CCNAME");
+    }
     return context->default_cc_name;
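Review bot: the change test `krb5ccname != getenv("KRB5CCNAME")` compares addresses, not values, and `static char *krb5ccname` is process-wide state, so the hunk has two weaknesses. getenv() is not required to return a stable pointer, and a later setenv()/unsetenv() can free the string that `krb5ccname` still points at, so the `!=` may compare against a dangling pointer or miss a change whose new value happens to land at the old address; comparing contents with strcmp (treating NULL specially) against a copy of the last-seen value is the robust form. Storing that copy in krb5_context rather than a function-local static would also keep separate contexts and threads from sharing one "last seen" value, which matters in exactly the multi-client server this patch targets. Separately, the hunk header `@@ -389,8 +389,12 @@` promises more lines than are shown (the function's opening brace context line, for one, is missing), so the patch as posted looks truncated and will need re-sending from `diff -u` output for it to apply.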

Michael B Allen
PHP Active Directory SSO