IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

ipasam: better Kerberos error handling in ipasam

Browse Source 
If time is moved back on the IPA server, ipasam does not invalidate the
existing ticket.

https://fedorahosted.org/freeipa/ticket/3183
This commit is contained in:
Alexander Bokovoy 2012-11-20 15:18:50 +02:00 committed by Martin Kosek
parent 91e477b9e2
commit 2093007d4d
1 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
daemons/ipa-sam/ipa_sam.c
View File

@ -3809,9 +3809,9 @@ static int bind_callback(LDAP *ldap_struct, struct smbldap_state *ldap_state, vo
ldap_sasl_interact, &data);
/* By now we have 'ret' for LDAP result and 'rc' for Kerberos result
* if ret is LDAP_INVALID_CREDENTIALS, LDAP server rejected our ccache. There may be several issues:
* if LDAP_API_ERROR(ret) is true, LDAP server rejected our ccache. There may be several issues:
*
* 1. Credentials are invalid due to outdated ccache leftover from previous install
* 1. Credentials are invalid due to outdated ccache leftover from previous install or ticket is from future
* Wipe out old ccache and start again
*
* 2. Key in the keytab is not enough to obtain ticket for cifs/FQDN@REALM service
@ -3825,7 +3825,9 @@ static int bind_callback(LDAP *ldap_struct, struct smbldap_state *ldap_state, vo
* a new ccache file by the above call of bind_callback_obtain_creds(). This is expected and correct behavior.
*
*/
if ((ret == LDAP_INVALID_CREDENTIALS) && (rc == 0)) {
if (LDAP_API_ERROR(ret) &&
((rc == 0) || (rc == KRB5KRB_AP_ERR_TKT_NYV) || (rc == KRB5KRB_AP_ERR_TKT_EXPIRED))) {
bind_callback_cleanup_creds(&data);
rc = bind_callback_obtain_creds(&data);
if (rc) {