diff options
| author | rmacklem <rmacklem@FreeBSD.org> | 2009-06-24 18:30:14 +0000 |
|---|---|---|
| committer | rmacklem <rmacklem@FreeBSD.org> | 2009-06-24 18:30:14 +0000 |
| commit | a5268d56f65b258f44e20334592225f3556cdc5c (patch) | |
| tree | 94d0e0aaf35da871bf0cbfc45cf4e391adfdd2a5 /sys/rpc/rpcsec_gss | |
| parent | e13ea48de648aaa38679919abe3a877c7d86001c (diff) | |
| download | FreeBSD-src-a5268d56f65b258f44e20334592225f3556cdc5c.zip FreeBSD-src-a5268d56f65b258f44e20334592225f3556cdc5c.tar.gz | |
If the initial attempt to refresh credentials in the RPCSEC_GSS client
side fails, the entry in the cache is left with no valid context
(gd_ctx == GSS_C_NO_CONTEXT). As such, subsequent hits on the cache
will result in persistent authentication failure, even after the user has
done a kinit or similar and acquired a new valid TGT. This patch adds a test
for that case upon a cache hit and calls rpc_gss_init() to make another
attempt at getting valid credentials. It also moves the setting of gc_proc
to before the import of the principal name to ensure that, if that case
fails, it will be detected as a failure after going to "out:".
Reviewed by: dfr
Approved by: kib (mentor)
Diffstat (limited to 'sys/rpc/rpcsec_gss')
| -rw-r--r-- | sys/rpc/rpcsec_gss/rpcsec_gss.c | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/sys/rpc/rpcsec_gss/rpcsec_gss.c b/sys/rpc/rpcsec_gss/rpcsec_gss.c index 790804d..e529b83 100644 --- a/sys/rpc/rpcsec_gss/rpcsec_gss.c +++ b/sys/rpc/rpcsec_gss/rpcsec_gss.c @@ -193,6 +193,7 @@ rpc_gss_secfind(CLIENT *clnt, struct ucred *cred, const char *principal, uint32_t h, th; AUTH *auth; struct rpc_gss_data *gd, *tgd; + rpc_gss_options_ret_t options; if (rpc_gss_count > RPC_GSS_MAX) { while (rpc_gss_count > RPC_GSS_MAX) { @@ -231,6 +232,17 @@ again: } else { sx_sunlock(&rpc_gss_lock); } + + /* + * If the state != ESTABLISHED, try and initialize + * the authenticator again. This will happen if the + * user's credentials have expired. It may succeed now, + * if they have done a kinit or similar. + */ + if (gd->gd_state != RPCSEC_GSS_ESTABLISHED) { + memset(&options, 0, sizeof (options)); + (void) rpc_gss_init(gd->gd_auth, &options); + } return (gd->gd_auth); } } @@ -730,6 +742,9 @@ rpc_gss_init(AUTH *auth, rpc_gss_options_ret_t *options_ret) gd->gd_state = RPCSEC_GSS_CONTEXT; mtx_unlock(&gd->gd_lock); + gd->gd_cred.gc_proc = RPCSEC_GSS_INIT; + gd->gd_cred.gc_seq = 0; + principal_desc.value = (void *)gd->gd_principal; principal_desc.length = strlen(gd->gd_principal); maj_stat = gss_import_name(&min_stat, &principal_desc, @@ -741,9 +756,6 @@ rpc_gss_init(AUTH *auth, rpc_gss_options_ret_t *options_ret) } /* GSS context establishment loop. */ - gd->gd_cred.gc_proc = RPCSEC_GSS_INIT; - gd->gd_cred.gc_seq = 0; - memset(&recv_token, 0, sizeof(recv_token)); memset(&gr, 0, sizeof(gr)); memset(options_ret, 0, sizeof(*options_ret)); |
