int
v5::renewCredential(krb5_context kcontext, krb5_principal kprincipal, krb5_timestamp *tgtEndtime)
{
krb5_error_code retval;
krb5_creds my_creds;
krb5_ccache ccache;
krb5_get_init_creds_opt opts;
qDebug("renew called");
if (kprincipal == NULL)
{
qDebug("No principal name");
return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
}
krb5_get_init_creds_opt_init(&opts);
if (getTgtFromCcache (kcontext, &my_creds))
{
qDebug("got tgt from ccache");
//setOptionsUsingCreds(kcontext, &my_creds, &opts);
*tgtEndtime = my_creds.times.endtime;
krb5_free_cred_contents(kcontext, &my_creds);
}
else
{
qDebug("TGT expired");
*tgtEndtime = 0;
}
retval = krb5_cc_default(kcontext, &ccache);
if (retval)
return retval;
retval = krb5_get_renewed_creds(kcontext, &my_creds, kprincipal, ccache,
NULL);
qDebug("krb5_get_renewed_creds returned: %d", retval);
if (retval)
goto out;
retval = krb5_cc_initialize(kcontext, ccache, kprincipal);
if (retval)
goto out;
retval = krb5_cc_store_cred(kcontext, ccache, &my_creds);
if (retval)
goto out;
*tgtEndtime = my_creds.times.endtime;
out:
krb5_free_cred_contents(kcontext, &my_creds);
krb5_cc_close (kcontext, ccache);
return retval;
}
creds& ccache::renew_creds(){
if(_creds==NULL)
_creds=new creds(ctx);
_creds->clear();
principal* pme=getPrincipal();
if(pme){
kerror = krb5_get_renewed_creds(ctx(), (*_creds)(),
(*pme)(), _cc, NULL);
}
return *_creds;
}
static krb5_error_code
get_renewed_creds (krb5_context context,
krb5_creds *creds,
krb5_principal client,
krb5_ccache ccache, char *in_tkt_service)
{
#ifdef HAVE_KRB5_GET_RENEWED_CREDS
return krb5_get_renewed_creds (context, creds, client, ccache,
in_tkt_service);
#else
return 1; /* XXX is there something better to return? */
#endif
}
void*
kinit_qtask( void *ctx, void *arg )
{
struct re_s *rtask = arg;
kinit_data *kid = (kinit_data*)rtask->arg;
krb5_error_code rc;
krb5_creds creds;
int nextcheck, remaining, renew=0;
Log(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG, "kinit_qtask: running TGT check\n" );
memset(&creds, 0, sizeof(creds));
renew = kinit_check_tgt(kid, &remaining);
if (renew > 0) {
if (renew==1) {
Log(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG,
"kinit_qtask: Trying to renew TGT: ");
rc = krb5_get_renewed_creds(kid->ctx, &creds, kid->princ, kid->ccache, NULL);
if (rc!=0) {
Log(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG, "Failed\n" );
log_krb5_errmsg( kid->ctx,
"kinit_qtask, Renewal failed: krb5_get_renewed_creds", rc );
renew++;
} else {
Log(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG, "Success\n" );
krb5_cc_initialize(kid->ctx, kid->ccache, creds.client);
krb5_cc_store_cred(kid->ctx, kid->ccache, &creds);
krb5_free_cred_contents(kid->ctx, &creds);
renew=kinit_check_tgt(kid, &remaining);
}
}
if (renew > 1) {
Log(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG,
"kinit_qtask: Trying to get new TGT: ");
rc = krb5_get_init_creds_keytab( kid->ctx, &creds, kid->princ,
kid->keytab, 0, NULL, kid->opts);
if (rc) {
Log(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG, "Failed\n" );
log_krb5_errmsg(kid->ctx, "krb5_get_init_creds_keytab", rc);
} else {
Log(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG, "Success\n" );
renew=kinit_check_tgt(kid, &remaining);
}
krb5_free_cred_contents(kid->ctx, &creds);
}
}
if (renew == 0) {
nextcheck = remaining-30;
} else {
nextcheck = 60;
}
ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
if ( ldap_pvt_runqueue_isrunning( &slapd_rq, rtask )) {
ldap_pvt_runqueue_stoptask( &slapd_rq, rtask );
}
Log(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG,
"kinit_qtask: Next TGT check in %dh:%02dm:%02ds\n",
nextcheck/3600, (nextcheck%3600)/60, nextcheck%60);
rtask->interval.tv_sec = nextcheck;
ldap_pvt_runqueue_resched( &slapd_rq, rtask, 0 );
slap_wake_listener();
ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
return NULL;
}
/* returns boolean */
static int
k5_kinit(struct k_opts *opts, struct k5_data *k5, struct user_info *u_info)
{
char *doing;
int notix = 1;
krb5_keytab keytab = 0;
krb5_creds my_creds;
krb5_error_code code = 0;
krb5_get_init_creds_opt options;
krb5_address **addresses;
krb5_get_init_creds_opt_init(&options);
g_memset(&my_creds, 0, sizeof(my_creds));
/*
From this point on, we can goto cleanup because my_creds is
initialized.
*/
if (opts->lifetime)
{
krb5_get_init_creds_opt_set_tkt_life(&options, opts->lifetime);
}
if (opts->rlife)
{
krb5_get_init_creds_opt_set_renew_life(&options, opts->rlife);
}
if (opts->forwardable)
{
krb5_get_init_creds_opt_set_forwardable(&options, 1);
}
if (opts->not_forwardable)
{
krb5_get_init_creds_opt_set_forwardable(&options, 0);
}
if (opts->proxiable)
{
krb5_get_init_creds_opt_set_proxiable(&options, 1);
}
if (opts->not_proxiable)
{
krb5_get_init_creds_opt_set_proxiable(&options, 0);
}
if (opts->addresses)
{
addresses = NULL;
code = krb5_os_localaddr(k5->ctx, &addresses);
if (code != 0)
{
g_printf("krb5_os_localaddr failed in k5_kinit\n");
goto cleanup;
}
krb5_get_init_creds_opt_set_address_list(&options, addresses);
}
if (opts->no_addresses)
{
krb5_get_init_creds_opt_set_address_list(&options, NULL);
}
if ((opts->action == INIT_KT) && opts->keytab_name)
{
code = krb5_kt_resolve(k5->ctx, opts->keytab_name, &keytab);
if (code != 0)
{
g_printf("krb5_kt_resolve failed in k5_kinit\n");
goto cleanup;
}
}
switch (opts->action)
{
case INIT_PW:
code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me,
0, kinit_prompter, u_info,
opts->starttime,
opts->service_name,
&options);
break;
case INIT_KT:
code = krb5_get_init_creds_keytab(k5->ctx, &my_creds, k5->me,
keytab,
opts->starttime,
opts->service_name,
&options);
break;
case VALIDATE:
code = krb5_get_validated_creds(k5->ctx, &my_creds, k5->me, k5->cc,
opts->service_name);
break;
case RENEW:
code = krb5_get_renewed_creds(k5->ctx, &my_creds, k5->me, k5->cc,
opts->service_name);
break;
}
if (code != 0)
{
doing = 0;
switch (opts->action)
{
case INIT_PW:
case INIT_KT:
doing = "getting initial credentials";
break;
case VALIDATE:
doing = "validating credentials";
break;
case RENEW:
doing = "renewing credentials";
break;
}
if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
{
g_printf("sesman: Password incorrect while %s in k5_kinit\n", doing);
}
else
{
g_printf("sesman: error while %s in k5_kinit\n", doing);
}
goto cleanup;
}
if (!opts->lifetime)
{
/* We need to figure out what lifetime to use for Kerberos 4. */
opts->lifetime = my_creds.times.endtime - my_creds.times.authtime;
}
code = krb5_cc_initialize(k5->ctx, k5->cc, k5->me);
if (code != 0)
{
g_printf("krb5_cc_initialize failed in k5_kinit\n");
goto cleanup;
}
code = krb5_cc_store_cred(k5->ctx, k5->cc, &my_creds);
if (code != 0)
{
g_printf("krb5_cc_store_cred failed in k5_kinit\n");
goto cleanup;
}
notix = 0;
cleanup:
if (my_creds.client == k5->me)
{
my_creds.client = 0;
}
krb5_free_cred_contents(k5->ctx, &my_creds);
if (keytab)
{
krb5_kt_close(k5->ctx, keytab);
}
return notix ? 0 : 1;
}
static krb5_error_code
renew_creds(
char *princ,
time_t *new_exp_time) /* out */
{
krb5_creds my_creds;
krb5_error_code code = 0;
struct k5_data k5;
uid_t saved_u = getuid();
uid_t u;
if (kwarnd_debug)
printf("renew start: uid=%d\n", getuid());
if (!getpruid(princ, &u)) {
if (kwarnd_debug)
printf("renew: getpruid failed, princ='%s'\n",
princ ? princ : "<null>");
return (-1); /* better err num? */
}
set_warnd_uid(u);
(void) memset(&my_creds, 0, sizeof (my_creds));
(void) memset(&k5, 0, sizeof (k5));
if (code = krb5_init_context(&k5.ctx)) {
com_err(progname, code,
gettext("while initializing Kerberos 5 library"));
goto out;
}
if ((code = krb5_cc_default(k5.ctx, &k5.cc))) {
com_err(progname, code,
gettext("while getting default ccache"));
goto out;
}
if ((code = krb5_parse_name(k5.ctx, princ,
&k5.me))) {
com_err(progname, code, gettext("when parsing name %s"),
princ);
goto out;
}
if ((code = krb5_get_renewed_creds(k5.ctx, &my_creds, k5.me, k5.cc,
NULL))) {
com_err(progname, code, gettext("while renewing creds"));
goto out;
}
if (code = krb5_cc_initialize(k5.ctx, k5.cc, k5.me)) {
com_err(progname, code, gettext("when initializing cache %s"),
"defcc");
goto out;
}
if (code = krb5_cc_store_cred(k5.ctx, k5.cc, &my_creds)) {
com_err(progname, code, gettext("while storing credentials"));
goto out;
}
/* "return" new expire time */
*new_exp_time = my_creds.times.endtime;
out:
krb5_free_cred_contents(k5.ctx, &my_creds);
if (k5.name)
krb5_free_unparsed_name(k5.ctx, k5.name);
if (k5.me)
krb5_free_principal(k5.ctx, k5.me);
if (k5.cc)
krb5_cc_close(k5.ctx, k5.cc);
if (k5.ctx)
krb5_free_context(k5.ctx);
set_warnd_uid(saved_u);
if (kwarnd_debug)
printf("renew end: code=%s, uid=%d\n", error_message(code),
getuid());
return (code);
}
int
main(int argc, char **argv)
{
krb5_principal client;
krb5_context context;
const char *in_tkt_service = NULL;
krb5_ccache id;
krb5_error_code ret;
krb5_creds out;;
int optidx = 0;
setprogname(argv[0]);
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
if (help_flag)
usage (0);
if(version_flag){
print_version(NULL);
exit(0);
}
argc -= optidx;
argv += optidx;
if (argc > 0)
in_tkt_service = argv[0];
memset(&out, 0, sizeof(out));
ret = krb5_init_context(&context);
if (ret)
krb5_err(context, 1, ret, "krb5_init_context");
ret = krb5_cc_default(context, &id);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_default");
ret = krb5_cc_get_principal(context, id, &client);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_default");
ret = krb5_get_renewed_creds(context,
&out,
client,
id,
in_tkt_service);
if(ret)
krb5_err(context, 1, ret, "krb5_get_kdc_cred");
if (krb5_principal_compare(context, out.client, client) != TRUE)
krb5_errx(context, 1, "return principal is not as expected");
krb5_free_cred_contents(context, &out);
krb5_free_context(context);
return 0;
}