/* Return 0 if cache is accessible, present, and unexpired; return 1 if not. */
static int
check_ccache(krb5_ccache cache)
{
krb5_error_code ret;
krb5_cc_cursor cur;
krb5_creds creds;
krb5_principal princ;
krb5_boolean found_tgt, found_current_tgt, found_current_cred;
if (krb5_cc_get_principal(context, cache, &princ) != 0)
return 1;
if (krb5_cc_start_seq_get(context, cache, &cur) != 0)
return 1;
found_tgt = found_current_tgt = found_current_cred = FALSE;
while ((ret = krb5_cc_next_cred(context, cache, &cur, &creds)) == 0) {
if (is_local_tgt(creds.server, &princ->realm)) {
found_tgt = TRUE;
if (ts_after(creds.times.endtime, now))
found_current_tgt = TRUE;
} else if (!krb5_is_config_principal(context, creds.server) &&
ts_after(creds.times.endtime, now)) {
found_current_cred = TRUE;
}
krb5_free_cred_contents(context, &creds);
}
krb5_free_principal(context, princ);
if (ret != KRB5_CC_END)
return 1;
if (krb5_cc_end_seq_get(context, cache, &cur) != 0)
return 1;
/* If the cache contains at least one local TGT, require that it be
* current. Otherwise accept any current cred. */
if (found_tgt)
return found_current_tgt ? 0 : 1;
return found_current_cred ? 0 : 1;
}
int
main(int argc, char *argv[])
{
krb5_context kcontext = NULL;
krb5_error_code code;
krb5_ccache ccache=NULL;
krb5_ccache mslsa_ccache=NULL;
krb5_cc_cursor cursor;
krb5_creds creds;
krb5_principal princ = NULL;
int found_tgt = 0;
int has_tickets;
int option;
char * ccachestr = 0;
prog = strrchr(argv[0], '/');
prog = prog ? (prog + 1) : argv[0];
while ((option = getopt(argc, argv, "c:h")) != -1) {
switch (option) {
case 'c':
ccachestr = optarg;
break;
case 'h':
default:
xusage();
break;
}
}
if (code = krb5_init_context(&kcontext)) {
com_err(argv[0], code, "while initializing kerberos library");
goto cleanup;
}
if (code = krb5_cc_resolve(kcontext, "MSLSA:", &mslsa_ccache)) {
com_err(argv[0], code, "while opening MS LSA ccache");
goto cleanup;
}
/* Enumerate tickets from cache looking for a TGT */
if ((code = krb5_cc_start_seq_get(kcontext, mslsa_ccache, &cursor))) {
com_err(argv[0], code, "while initiating the cred sequence of MS LSA ccache");
goto cleanup;
}
while (!found_tgt) {
code = krb5_cc_next_cred(kcontext, mslsa_ccache, &cursor, &creds);
if (code)
break;
/* Check if the ticket is a TGT */
if (is_local_tgt(creds.server))
found_tgt = 1;
krb5_free_cred_contents(kcontext, &creds);
}
krb5_cc_end_seq_get(kcontext, mslsa_ccache, &cursor);
if (!found_tgt) {
fprintf(stderr, "%s: Initial Ticket Getting Tickets are not available from the MS LSA\n",
argv[0]);
/* Only set the LSA cache as the default if it actually has tickets. */
code = cc_has_tickets(kcontext, mslsa_ccache, &has_tickets);
if (code)
goto cleanup;
if (has_tickets)
code = krb5int_cc_user_set_default_name(kcontext, "MSLSA:");
goto cleanup;
}
if (code = krb5_cc_get_principal(kcontext, mslsa_ccache, &princ)) {
com_err(argv[0], code, "while obtaining MS LSA principal");
goto cleanup;
}
if (ccachestr)
code = krb5_cc_resolve(kcontext, ccachestr, &ccache);
else
code = krb5_cc_resolve(kcontext, "API:", &ccache);
if (code) {
com_err(argv[0], code, "while getting default ccache");
goto cleanup;
}
if (code = krb5_cc_initialize(kcontext, ccache, princ)) {
com_err (argv[0], code, "when initializing ccache");
goto cleanup;
}
if (code = krb5_cc_copy_creds(kcontext, mslsa_ccache, ccache)) {
com_err (argv[0], code, "while copying MS LSA ccache to default ccache");
goto cleanup;
}
/* Don't try and set the default cache if the cache name was specified. */
if (ccachestr == NULL) {
/* On success set the default cache to API. */
code = krb5int_cc_user_set_default_name(kcontext, "API:");
if (code) {
com_err(argv[0], code, "when setting default to API");
goto cleanup;
}
}
cleanup:
krb5_free_principal(kcontext, princ);
if (ccache != NULL)
krb5_cc_close(kcontext, ccache);
if (mslsa_ccache != NULL)
krb5_cc_close(kcontext, mslsa_ccache);
krb5_free_context(kcontext);
return code ? 1 : 0;
}
