Date: Wed, 24 Jun 2009 18:30:15 +0000 (UTC) From: Rick Macklem <rmacklem@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r194878 - head/sys/rpc/rpcsec_gss Message-ID: <200906241830.n5OIUFLK024166@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: rmacklem Date: Wed Jun 24 18:30:14 2009 New Revision: 194878 URL: http://svn.freebsd.org/changeset/base/194878 Log: If the initial attempt to refresh credentials in the RPCSEC_GSS client side fails, the entry in the cache is left with no valid context (gd_ctx == GSS_C_NO_CONTEXT). As such, subsequent hits on the cache will result in persistent authentication failure, even after the user has done a kinit or similar and acquired a new valid TGT. This patch adds a test for that case upon a cache hit and calls rpc_gss_init() to make another attempt at getting valid credentials. It also moves the setting of gc_proc to before the import of the principal name to ensure that, if that case fails, it will be detected as a failure after going to "out:". Reviewed by: dfr Approved by: kib (mentor) Modified: head/sys/rpc/rpcsec_gss/rpcsec_gss.c Modified: head/sys/rpc/rpcsec_gss/rpcsec_gss.c ============================================================================== --- head/sys/rpc/rpcsec_gss/rpcsec_gss.c Wed Jun 24 18:29:32 2009 (r194877) +++ head/sys/rpc/rpcsec_gss/rpcsec_gss.c Wed Jun 24 18:30:14 2009 (r194878) @@ -193,6 +193,7 @@ rpc_gss_secfind(CLIENT *clnt, struct ucr uint32_t h, th; AUTH *auth; struct rpc_gss_data *gd, *tgd; + rpc_gss_options_ret_t options; if (rpc_gss_count > RPC_GSS_MAX) { while (rpc_gss_count > RPC_GSS_MAX) { @@ -231,6 +232,17 @@ again: } else { sx_sunlock(&rpc_gss_lock); } + + /* + * If the state != ESTABLISHED, try and initialize + * the authenticator again. This will happen if the + * user's credentials have expired. It may succeed now, + * if they have done a kinit or similar. + */ + if (gd->gd_state != RPCSEC_GSS_ESTABLISHED) { + memset(&options, 0, sizeof (options)); + (void) rpc_gss_init(gd->gd_auth, &options); + } return (gd->gd_auth); } } @@ -730,6 +742,9 @@ rpc_gss_init(AUTH *auth, rpc_gss_options gd->gd_state = RPCSEC_GSS_CONTEXT; mtx_unlock(&gd->gd_lock); + gd->gd_cred.gc_proc = RPCSEC_GSS_INIT; + gd->gd_cred.gc_seq = 0; + principal_desc.value = (void *)gd->gd_principal; principal_desc.length = strlen(gd->gd_principal); maj_stat = gss_import_name(&min_stat, &principal_desc, @@ -741,9 +756,6 @@ rpc_gss_init(AUTH *auth, rpc_gss_options } /* GSS context establishment loop. */ - gd->gd_cred.gc_proc = RPCSEC_GSS_INIT; - gd->gd_cred.gc_seq = 0; - memset(&recv_token, 0, sizeof(recv_token)); memset(&gr, 0, sizeof(gr)); memset(options_ret, 0, sizeof(*options_ret));
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200906241830.n5OIUFLK024166>