gssd: picking wrong creds

When not using machine credentials for root, if the machine
credential cache file is newer than the root credential file
the wrong file will get picked. Ignore the machine file in
this case.

Signed-off-by: Steve Dickson <steved@redhat.com>

diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index dccbeb63ad6478b26d8b6a2151625af1a86ca87a..d23654ff1b9c581ebb713370efc8d93f88158f1a 100644 (file)
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -224,6 +224,13 @@ gssd_find_existing_krb5_ccache(uid_t uid, char *dirname, struct dirent **d)
                                free(namelist[i]);
                                continue;
                        }
+                       if (uid == 0 && !root_uses_machine_creds && 
+                               strstr(namelist[i]->d_name, "_machine_")) {
+                               printerr(3, "CC file '%s' not available to root\n",
+                                        statname);
+                               free(namelist[i]);
+                               continue;
+                       }
                        if (!query_krb5_ccache(buf, &princname, &realm)) {
                                printerr(3, "CC file '%s' is expired or corrupt\n",
                                         statname);