gssd: Clean up gssd_setup_krb5_user_gss_ccache()

[nfs-utils.git] / utils / gssd / krb5_util.c

diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index aeb8f70bbcfbe6200cba6c907a5c781409860726..4df840e17723518417f3d23c557493884dc4defa 100644 (file)
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -169,13 +169,13 @@ select_krb5_ccache(const struct dirent *d)
 
 /*
  * Look in directory "dirname" for files that look like they
- * are Kerberos Credential Cache files for a given UID.  Return
- * non-zero and the dirent pointer for the entry most likely to be
- * what we want. Otherwise, return zero and no dirent pointer.
- * The caller is responsible for freeing the dirent if one is returned.
+ * are Kerberos Credential Cache files for a given UID.
  *
- * Returns 0 if a valid-looking entry was found and a non-zero error
- * code otherwise.
+ * Returns 0 if a valid-looking entry is found.  "*cctype" is
+ * set to the name of the cache type.  A pointer to the dirent
+ * is planted in "*d".  Caller must free "*d" with free(3).
+ *
+ * Otherwise, a negative errno is returned.
  */
 static int
 gssd_find_existing_krb5_ccache(uid_t uid, char *dirname,
@@ -350,6 +350,11 @@ gssd_get_single_krb5_cred(krb5_context context,
 
        memset(&my_creds, 0, sizeof(my_creds));
 
+       /*
+        * Workaround for clock skew among NFS server, NFS client and KDC
+        * 300 because clock skew must be within 300sec for kerberos
+        */
+       now += 300;
        if (ple->ccname && ple->endtime > now && !nocache) {
                printerr(2, "INFO: Credentials in CC '%s' are good until %d\n",
                         ple->ccname, ple->endtime);
@@ -1037,7 +1042,7 @@ err_cache:
  * given only a UID.  We really need more information, but we
  * do the best we can.
  *
- * Returns 0 if a ccache was found, and a non-zero error code otherwise.
+ * Returns 0 if a ccache was found, or a negative errno otherwise.
  */
 int
 gssd_setup_krb5_user_gss_ccache(uid_t uid, char *servername, char *dirpattern)
@@ -1082,7 +1087,7 @@ gssd_setup_krb5_user_gss_ccache(uid_t uid, char *servername, char *dirpattern)
        printerr(2, "using %s as credentials cache for client with "
                    "uid %u for server %s\n", buf, uid, servername);
        gssd_set_krb5_ccache_name(buf);
-       return err;
+       return 0;
 }
 
 /*
@@ -1212,9 +1217,9 @@ gssd_destroy_krb5_machine_creds(void)
                                    "cache '%s'\n", k5err, ple->ccname);
                }
        }
+       krb5_free_context(context);
   out:
        free(k5err);
-       krb5_free_context(context);
 }
 
 /*
@@ -1257,7 +1262,7 @@ gssd_refresh_krb5_machine_credential(char *hostname,
                k5err = gssd_k5_err_msg(context, code);
                printerr(0, "ERROR: %s: %s while resolving keytab '%s'\n",
                         __func__, k5err, keytabfile);
-               goto out;
+               goto out_free_context;
        }
 
        if (ple == NULL) {
@@ -1272,7 +1277,7 @@ gssd_refresh_krb5_machine_credential(char *hostname,
                                 "in keytab %s for connection with host %s\n",
                                 __FUNCTION__, keytabfile, hostname);
                        retval = code;
-                       goto out;
+                       goto out_free_kt;
                }
 
                ple = get_ple_by_princ(context, kte.principal);
@@ -1288,14 +1293,15 @@ gssd_refresh_krb5_machine_credential(char *hostname,
                                 __FUNCTION__, pname ? pname : "<unparsable>",
                                 hostname);
                        if (pname) k5_free_unparsed_name(context, pname);
-                       goto out;
+                       goto out_free_kt;
                }
        }
        retval = gssd_get_single_krb5_cred(context, kt, ple, 0);
-out:
-       if (kt)
-               krb5_kt_close(context, kt);
+out_free_kt:
+       krb5_kt_close(context, kt);
+out_free_context:
        krb5_free_context(context);
+out:
        free(k5err);
        return retval;
 }