gssd: picking wrong creds
index 1c10bd4d3ef414aecb21f4444e24f9e706b01e44..d23654ff1b9c581ebb713370efc8d93f88158f1a 100644 (file)
@@ -224,6 +224,13 @@ gssd_find_existing_krb5_ccache(uid_t uid, char *dirname, struct dirent **d)
                                free(namelist[i]);
                                continue;
                        }
+                       if (uid == 0 && !root_uses_machine_creds && 
+                               strstr(namelist[i]->d_name, "_machine_")) {
+                               printerr(3, "CC file '%s' not available to root\n",
+                                        statname);
+                               free(namelist[i]);
+                               continue;
+                       }
                        if (!query_krb5_ccache(buf, &princname, &realm)) {
                                printerr(3, "CC file '%s' is expired or corrupt\n",
                                         statname);
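Review bot: The `strstr(namelist[i]->d_name, "_machine_")` test on the added lines matches the marker anywhere in the file name, so any credential cache whose name merely contains that substring is hidden from root as well, not just the machine cache; if the machine cache name is built from a fixed template elsewhere in gssd, comparing against that template (prefix match, or the same pattern the creation path uses) would be tighter. Line 9 also carries trailing whitespace after `&&`. `root_uses_machine_creds` is not declared in the hunk, so its type and where it is set cannot be confirmed from here. gssd_find_existing_krb5_ccache starts and ends outside the hunk.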
@@ -1274,6 +1281,8 @@ limit_krb5_enctypes(struct rpc_gss_sec *sec, uid_t uid)
                                    ENCTYPE_DES_CBC_MD5,
                                    ENCTYPE_DES_CBC_MD4 };
        int num_enctypes = sizeof(enctypes) / sizeof(enctypes[0]);
+       extern int num_krb5_enctypes;
+       extern krb5_enctype *krb5_enctypes;
 
        /* We only care about getting a krb5 cred */
        desired_mechs.count = 1;
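Review bot: The block-scope `extern int num_krb5_enctypes;` and `extern krb5_enctype *krb5_enctypes;` restate the defining object's type inside this function, so a later change to the definition in the other translation unit is not checked against these declarations by the compiler; declaring the pair once in a header that both files include keeps them in sync and avoids the duplicate. A one-line comment on the intended contract would also help readers, e.g. `/* global enctype list from the enumeration at startup; NULL when that failed -- confirm against the producer */`, since the hunk itself only shows that NULL is treated as the failure value. limit_krb5_enctypes starts and ends outside the hunk.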
@@ -1290,8 +1299,17 @@ limit_krb5_enctypes(struct rpc_gss_sec *sec, uid_t uid)
                return -1;
        }
 
-       maj_stat = gss_set_allowable_enctypes(&min_stat, credh, &krb5oid,
-                                            num_enctypes, &enctypes);
+       /*
+        * If we failed for any reason to produce global
+        * list of supported enctypes, use local default here.
+        */
+       if (krb5_enctypes == NULL)
+               maj_stat = gss_set_allowable_enctypes(&min_stat, credh,
+                                       &krb5oid, num_enctypes, enctypes);
+       else
+               maj_stat = gss_set_allowable_enctypes(&min_stat, credh,
+                                       &krb5oid, num_krb5_enctypes, krb5_enctypes);
+
        if (maj_stat != GSS_S_COMPLETE) {
                pgsserr("gss_set_allowable_enctypes",
                        maj_stat, min_stat, &krb5oid);
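Review bot: The `krb5_enctypes == NULL` branch falls back to the local `enctypes` table silently, and that table (visible on the lines above the second hunk) still lists single-DES types `ENCTYPE_DES_CBC_MD5` and `ENCTYPE_DES_CBC_MD4`, so an operator cannot tell from a running gssd which enctype list was actually handed to gss_set_allowable_enctypes. A log line on the fallback branch, using the file's existing helper, would make that visible: `printerr(2, "%s: no global enctype list, using built-in default\n", __func__);`. A non-NULL `krb5_enctypes` with `num_krb5_enctypes == 0` would pass an empty list on the else branch; whether the producer can yield that combination is not shown in the hunk, so a `num_krb5_enctypes <= 0` check in the same condition may be warranted. limit_krb5_enctypes starts and ends outside the hunk.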