/*
* Look in directory "dirname" for files that look like they
- * are Kerberos Credential Cache files for a given UID. Return
- * non-zero and the dirent pointer for the entry most likely to be
- * what we want. Otherwise, return zero and no dirent pointer.
- * The caller is responsible for freeing the dirent if one is returned.
+ * are Kerberos Credential Cache files for a given UID.
*
- * Returns 0 if a valid-looking entry was found and a non-zero error
- * code otherwise.
+ * Returns 0 if a valid-looking entry is found. "*cctype" is
+ * set to the name of the cache type. A pointer to the dirent
+ * is planted in "*d". Caller must free "*d" with free(3).
+ *
+ * Otherwise, a negative errno is returned.
*/
static int
gssd_find_existing_krb5_ccache(uid_t uid, char *dirname,
memset(&my_creds, 0, sizeof(my_creds));
+ /*
+ * Workaround for clock skew among NFS server, NFS client and KDC
+ * 300 because clock skew must be within 300sec for kerberos
+ */
+ now += 300;
if (ple->ccname && ple->endtime > now && !nocache) {
printerr(2, "INFO: Credentials in CC '%s' are good until %d\n",
ple->ccname, ple->endtime);
}
/*
- * Find a keytab entry to use for a given target hostname.
+ * Find a keytab entry to use for a given target realm.
* Tries to find the most appropriate keytab to use given the
* name of the host we are trying to connect with.
+ *
+ * Note: the tgtname contains a hostname in the realm that we
+ * are authenticating to. It may, or may not be the same as
+ * the server hostname.
*/
static int
-find_keytab_entry(krb5_context context, krb5_keytab kt, const char *hostname,
+find_keytab_entry(krb5_context context, krb5_keytab kt, const char *tgtname,
krb5_keytab_entry *kte, const char **svcnames)
{
krb5_error_code code;
/* Get full target hostname */
- retval = get_full_hostname(hostname, targethostname,
+ retval = get_full_hostname(tgtname, targethostname,
sizeof(targethostname));
if (retval)
goto out;
/* Get full local hostname */
- retval = gethostname(myhostname, sizeof(myhostname));
- if (retval) {
+ if (gethostname(myhostname, sizeof(myhostname)) == -1) {
+ retval = errno;
k5err = gssd_k5_err_msg(context, retval);
printerr(1, "%s while getting local hostname\n", k5err);
goto out;
* given only a UID. We really need more information, but we
* do the best we can.
*
- * Returns 0 if a ccache was found, and a non-zero error code otherwise.
+ * Returns 0 if a ccache was found, or a negative errno otherwise.
*/
int
gssd_setup_krb5_user_gss_ccache(uid_t uid, char *servername, char *dirpattern)
printerr(2, "using %s as credentials cache for client with "
"uid %u for server %s\n", buf, uid, servername);
gssd_set_krb5_ccache_name(buf);
- return err;
+ return 0;
}
/*
if (ple->ccname) {
/* Make sure cred is up-to-date before returning it */
retval = gssd_refresh_krb5_machine_credential(NULL, ple,
- NULL);
+ NULL, NULL);
if (retval)
continue;
if (i + 1 > listsize) {
"cache '%s'\n", k5err, ple->ccname);
}
}
+ krb5_free_context(context);
out:
free(k5err);
- krb5_free_context(context);
}
/*
int
gssd_refresh_krb5_machine_credential(char *hostname,
struct gssd_k5_kt_princ *ple,
- char *service)
+ char *service,
+ char *tgtname)
{
krb5_error_code code = 0;
krb5_context context;
k5err = gssd_k5_err_msg(context, code);
printerr(0, "ERROR: %s: %s while resolving keytab '%s'\n",
__func__, k5err, keytabfile);
- goto out;
+ goto out_free_context;
}
if (ple == NULL) {
krb5_keytab_entry kte;
- code = find_keytab_entry(context, kt, hostname, &kte, svcnames);
+ if (tgtname == NULL)
+ tgtname = hostname;
+
+ code = find_keytab_entry(context, kt, tgtname, &kte, svcnames);
if (code) {
printerr(0, "ERROR: %s: no usable keytab entry found "
"in keytab %s for connection with host %s\n",
__FUNCTION__, keytabfile, hostname);
retval = code;
- goto out;
+ goto out_free_kt;
}
ple = get_ple_by_princ(context, kte.principal);
__FUNCTION__, pname ? pname : "<unparsable>",
hostname);
if (pname) k5_free_unparsed_name(context, pname);
- goto out;
+ goto out_free_kt;
}
}
retval = gssd_get_single_krb5_cred(context, kt, ple, 0);
-out:
- if (kt)
- krb5_kt_close(context, kt);
+out_free_kt:
+ krb5_kt_close(context, kt);
+out_free_context:
krb5_free_context(context);
+out:
free(k5err);
return retval;
}
krb5_free_context(context);
}
+static int
+gssd_acquire_krb5_cred(gss_name_t name, gss_cred_id_t *gss_cred)
+{
+ OM_uint32 maj_stat, min_stat;
+ gss_OID_set_desc desired_mechs = { 1, &krb5oid };
+
+ maj_stat = gss_acquire_cred(&min_stat, name, GSS_C_INDEFINITE,
+ &desired_mechs, GSS_C_INITIATE,
+ gss_cred, NULL, NULL);
+
+ if (maj_stat != GSS_S_COMPLETE) {
+ if (get_verbosity() > 0)
+ pgsserr("gss_acquire_cred",
+ maj_stat, min_stat, &krb5oid);
+ return -1;
+ }
+
+ return 0;
+}
+
+int
+gssd_acquire_user_cred(uid_t uid, gss_cred_id_t *gss_cred)
+{
+ OM_uint32 maj_stat, min_stat;
+ gss_buffer_desc name_buf;
+ gss_name_t name;
+ char buf[11];
+ int ret;
+
+ ret = snprintf(buf, 11, "%u", uid);
+ if (ret < 1 || ret > 10) {
+ return -1;
+ }
+ name_buf.value = buf;
+ name_buf.length = ret + 1;
+
+ maj_stat = gss_import_name(&min_stat, &name_buf,
+ GSS_C_NT_STRING_UID_NAME, &name);
+ if (maj_stat != GSS_S_COMPLETE) {
+ if (get_verbosity() > 0)
+ pgsserr("gss_import_name",
+ maj_stat, min_stat, &krb5oid);
+ return -1;
+ }
+
+ ret = gssd_acquire_krb5_cred(name, gss_cred);
+
+ maj_stat = gss_release_name(&min_stat, &name);
+ return ret;
+}
+
#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
/*
* this routine obtains a credentials handle via gss_acquire_cred()
limit_krb5_enctypes(struct rpc_gss_sec *sec)
{
u_int maj_stat, min_stat;
- gss_cred_id_t credh;
- gss_OID_set_desc desired_mechs;
krb5_enctype enctypes[] = { ENCTYPE_DES_CBC_CRC,
ENCTYPE_DES_CBC_MD5,
ENCTYPE_DES_CBC_MD4 };
int num_enctypes = sizeof(enctypes) / sizeof(enctypes[0]);
extern int num_krb5_enctypes;
extern krb5_enctype *krb5_enctypes;
+ int err = -1;
- /* We only care about getting a krb5 cred */
- desired_mechs.count = 1;
- desired_mechs.elements = &krb5oid;
-
- maj_stat = gss_acquire_cred(&min_stat, NULL, 0,
- &desired_mechs, GSS_C_INITIATE,
- &credh, NULL, NULL);
-
- if (maj_stat != GSS_S_COMPLETE) {
- if (get_verbosity() > 0)
- pgsserr("gss_acquire_cred",
- maj_stat, min_stat, &krb5oid);
- return -1;
+ if (sec->cred == GSS_C_NO_CREDENTIAL) {
+ err = gssd_acquire_krb5_cred(GSS_C_NO_NAME, &sec->cred);
+ if (err)
+ return -1;
}
/*
* list of supported enctypes, use local default here.
*/
if (krb5_enctypes == NULL || limit_to_legacy_enctypes)
- maj_stat = gss_set_allowable_enctypes(&min_stat, credh,
+ maj_stat = gss_set_allowable_enctypes(&min_stat, sec->cred,
&krb5oid, num_enctypes, enctypes);
else
- maj_stat = gss_set_allowable_enctypes(&min_stat, credh,
+ maj_stat = gss_set_allowable_enctypes(&min_stat, sec->cred,
&krb5oid, num_krb5_enctypes, krb5_enctypes);
if (maj_stat != GSS_S_COMPLETE) {
pgsserr("gss_set_allowable_enctypes",
maj_stat, min_stat, &krb5oid);
- gss_release_cred(&min_stat, &credh);
return -1;
}
- sec->cred = credh;
return 0;
}