svn commit: r194878 - head/sys/rpc/rpcsec_gss
Rick Macklem
rmacklem at FreeBSD.org
Wed Jun 24 18:30:16 UTC 2009
Author: rmacklem
Date: Wed Jun 24 18:30:14 2009
New Revision: 194878
URL: http://svn.freebsd.org/changeset/base/194878
Log:
If the initial attempt to refresh credentials in the RPCSEC_GSS client
side fails, the entry in the cache is left with no valid context
(gd_ctx == GSS_C_NO_CONTEXT). As such, subsequent hits on the cache
will result in persistent authentication failure, even after the user has
done a kinit or similar and acquired a new valid TGT. This patch adds a test
for that case upon a cache hit and calls rpc_gss_init() to make another
attempt at getting valid credentials. It also moves the setting of gc_proc
to before the import of the principal name to ensure that, if that case
fails, it will be detected as a failure after going to "out:".
Reviewed by: dfr
Approved by: kib (mentor)
Modified:
head/sys/rpc/rpcsec_gss/rpcsec_gss.c
Modified: head/sys/rpc/rpcsec_gss/rpcsec_gss.c
==============================================================================
--- head/sys/rpc/rpcsec_gss/rpcsec_gss.c Wed Jun 24 18:29:32 2009 (r194877)
+++ head/sys/rpc/rpcsec_gss/rpcsec_gss.c Wed Jun 24 18:30:14 2009 (r194878)
@@ -193,6 +193,7 @@ rpc_gss_secfind(CLIENT *clnt, struct ucr
uint32_t h, th;
AUTH *auth;
struct rpc_gss_data *gd, *tgd;
+ rpc_gss_options_ret_t options;
if (rpc_gss_count > RPC_GSS_MAX) {
while (rpc_gss_count > RPC_GSS_MAX) {
@@ -231,6 +232,17 @@ again:
} else {
sx_sunlock(&rpc_gss_lock);
}
+
+ /*
+ * If the state != ESTABLISHED, try and initialize
+ * the authenticator again. This will happen if the
+ * user's credentials have expired. It may succeed now,
+ * if they have done a kinit or similar.
+ */
+ if (gd->gd_state != RPCSEC_GSS_ESTABLISHED) {
+ memset(&options, 0, sizeof (options));
+ (void) rpc_gss_init(gd->gd_auth, &options);
+ }
return (gd->gd_auth);
}
}
@@ -730,6 +742,9 @@ rpc_gss_init(AUTH *auth, rpc_gss_options
gd->gd_state = RPCSEC_GSS_CONTEXT;
mtx_unlock(&gd->gd_lock);
+ gd->gd_cred.gc_proc = RPCSEC_GSS_INIT;
+ gd->gd_cred.gc_seq = 0;
+
principal_desc.value = (void *)gd->gd_principal;
principal_desc.length = strlen(gd->gd_principal);
maj_stat = gss_import_name(&min_stat, &principal_desc,
@@ -741,9 +756,6 @@ rpc_gss_init(AUTH *auth, rpc_gss_options
}
/* GSS context establishment loop. */
- gd->gd_cred.gc_proc = RPCSEC_GSS_INIT;
- gd->gd_cred.gc_seq = 0;
-
memset(&recv_token, 0, sizeof(recv_token));
memset(&gr, 0, sizeof(gr));
memset(options_ret, 0, sizeof(*options_ret));
More information about the svn-src-all
mailing list