| commit | 2709f28a1bd8fba02070b8a47f8a049881582cf6 | |
| author | Nicolas Williams <nico@twosigma.com> | |
| Fri, 26 Jul 2019 01:18:22 +0000 (25 20:18 -0500) | ||
| committer | Nicolas Williams <nico@twosigma.com> | |
| Thu, 5 Sep 2019 14:52:49 +0000 (5 09:52 -0500) | ||
| tree | 481d142c7c7a0749db9de66a1908da7f38b0ca55 | treesnapshot (tar.gz zip) |
| parent | fae8df383961a4843a832ec7bf49443be5518202 | commitdiff |
Make gss_store_cred*() work
krb5_cc_cache_match() searches all ccache collections for a ccache that
has credentials for a given principal name. This includes MEMORY
ccaches, which means it can find the same ccache as is referenced by a
GSS cred handle given to gss_store_cred(), which means that
gss_store_cred() can fail.
For now we work around this by including a private variant of
krb5_cc_cache_match() that only searches the default ccache, not all
collections. Eventually we should ensure that krb5_cc_default() also
searches all collection-type (other than MEMORY) ccaches for a default
credential, then we can go back to using krb5_cc_cache_match() (though
we'll need to make sure that MEMORY is searched last or not at all).
krb5_cc_cache_match() searches all ccache collections for a ccache that
has credentials for a given principal name. This includes MEMORY
ccaches, which means it can find the same ccache as is referenced by a
GSS cred handle given to gss_store_cred(), which means that
gss_store_cred() can fail.
For now we work around this by including a private variant of
krb5_cc_cache_match() that only searches the default ccache, not all
collections. Eventually we should ensure that krb5_cc_default() also
searches all collection-type (other than MEMORY) ccaches for a default
credential, then we can go back to using krb5_cc_cache_match() (though
we'll need to make sure that MEMORY is searched last or not at all).
| lib/gssapi/krb5/store_cred.c | diffblobblamehistory | |
| lib/gssapi/mech/gss_store_cred.c | diffblobblamehistory | |
| lib/gssapi/mech/gss_store_cred_into.c | diffblobblamehistory |