aboutsummaryrefslogtreecommitdiff
path: root/sys/rpc/rpcsec_gss/rpcsec_gss.c
diff options
context:
space:
mode:
authorRick Macklem <rmacklem@FreeBSD.org>2009-06-24 18:30:14 +0000
committerRick Macklem <rmacklem@FreeBSD.org>2009-06-24 18:30:14 +0000
commitb21158859645b629a32931fb64a866f2a7ee4e04 (patch)
tree94d0e0aaf35da871bf0cbfc45cf4e391adfdd2a5 /sys/rpc/rpcsec_gss/rpcsec_gss.c
parentd8602bb9a720bc4f494c2065ad93b9e74e90fa6c (diff)
downloadsrc-b21158859645b629a32931fb64a866f2a7ee4e04.tar.gz
src-b21158859645b629a32931fb64a866f2a7ee4e04.zip
If the initial attempt to refresh credentials in the RPCSEC_GSS client
side fails, the entry in the cache is left with no valid context (gd_ctx == GSS_C_NO_CONTEXT). As such, subsequent hits on the cache will result in persistent authentication failure, even after the user has done a kinit or similar and acquired a new valid TGT. This patch adds a test for that case upon a cache hit and calls rpc_gss_init() to make another attempt at getting valid credentials. It also moves the setting of gc_proc to before the import of the principal name to ensure that, if that case fails, it will be detected as a failure after going to "out:". Reviewed by: dfr Approved by: kib (mentor)
Notes
Notes: svn path=/head/; revision=194878
Diffstat (limited to 'sys/rpc/rpcsec_gss/rpcsec_gss.c')
-rw-r--r--sys/rpc/rpcsec_gss/rpcsec_gss.c18
1 files changed, 15 insertions, 3 deletions
diff --git a/sys/rpc/rpcsec_gss/rpcsec_gss.c b/sys/rpc/rpcsec_gss/rpcsec_gss.c
index 790804d39278..e529b83b9832 100644
--- a/sys/rpc/rpcsec_gss/rpcsec_gss.c
+++ b/sys/rpc/rpcsec_gss/rpcsec_gss.c
@@ -193,6 +193,7 @@ rpc_gss_secfind(CLIENT *clnt, struct ucred *cred, const char *principal,
uint32_t h, th;
AUTH *auth;
struct rpc_gss_data *gd, *tgd;
+ rpc_gss_options_ret_t options;
if (rpc_gss_count > RPC_GSS_MAX) {
while (rpc_gss_count > RPC_GSS_MAX) {
@@ -231,6 +232,17 @@ again:
} else {
sx_sunlock(&rpc_gss_lock);
}
+
+ /*
+ * If the state != ESTABLISHED, try and initialize
+ * the authenticator again. This will happen if the
+ * user's credentials have expired. It may succeed now,
+ * if they have done a kinit or similar.
+ */
+ if (gd->gd_state != RPCSEC_GSS_ESTABLISHED) {
+ memset(&options, 0, sizeof (options));
+ (void) rpc_gss_init(gd->gd_auth, &options);
+ }
return (gd->gd_auth);
}
}
@@ -730,6 +742,9 @@ rpc_gss_init(AUTH *auth, rpc_gss_options_ret_t *options_ret)
gd->gd_state = RPCSEC_GSS_CONTEXT;
mtx_unlock(&gd->gd_lock);
+ gd->gd_cred.gc_proc = RPCSEC_GSS_INIT;
+ gd->gd_cred.gc_seq = 0;
+
principal_desc.value = (void *)gd->gd_principal;
principal_desc.length = strlen(gd->gd_principal);
maj_stat = gss_import_name(&min_stat, &principal_desc,
@@ -741,9 +756,6 @@ rpc_gss_init(AUTH *auth, rpc_gss_options_ret_t *options_ret)
}
/* GSS context establishment loop. */
- gd->gd_cred.gc_proc = RPCSEC_GSS_INIT;
- gd->gd_cred.gc_seq = 0;
-
memset(&recv_token, 0, sizeof(recv_token));
memset(&gr, 0, sizeof(gr));
memset(options_ret, 0, sizeof(*options_ret));