commit 9aef1b4434d4c5d179f415998cfa74c9f638a0bb
Author: Nalin Dahyabhai <nalin@redhat.com>
Date:   Fri Feb 12 13:19:27 2010 -0500

    * src/kuserok.c(_pam_krb5_kuserok): also set up the user's ccache,
    	in case there's a process on the box that expects the user to
    	have creds before it can look up the location of the user's
    	.k5login file or read from it (possible fix for #563442)

diff --git a/src/kuserok.c b/src/kuserok.c
index 78f1dd6..b227084 100644
--- a/src/kuserok.c
+++ b/src/kuserok.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2008,2009 Red Hat, Inc.
+ * Copyright 2008,2009,2010 Red Hat, Inc.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -146,10 +146,16 @@ _pam_krb5_kuserok(krb5_context ctx,
 			}
 			tokens_obtain(ctx, stash, options, userinfo, 1);
 		}
+		/* Set up the user's Kerberos 5 creds, too. If the naming
+		 * services (for example, nss_ldap in sasl mode) or an
+		 * out-of-process filesystem helper (rpc.gssd) needs the user's
+		 * creds, we probably need to provide them. */
+		v5_save_for_user(ctx, stash, user, userinfo, options, NULL);
 		/* Actually check, now that we have a shot at being able to
 		 * read the user's .k5login file. */
 		allowed = krb5_kuserok(ctx, userinfo->principal_name, user);
 		/* Clean up. */
+		v5_destroy(ctx, stash, options);
 		if ((options->ignore_afs == 0) && tokens_useful()) {
 			if (stash->v4present) {
 				v4_destroy(ctx, stash, options);
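Review bot: The result of the added `v5_save_for_user(ctx, stash, user, userinfo, options, NULL);` call is discarded, so if the ccache cannot be created, `krb5_kuserok()` runs in exactly the state this change is meant to avoid, nothing is logged, and `v5_destroy(ctx, stash, options);` is still called unconditionally. Assuming the function returns a status, I would keep it in a local (`saved = v5_save_for_user(ctx, stash, user, userinfo, options, NULL);`), report a failure, and run the cleanup only when the save succeeded. The user's credentials are also now written out before the authorization decision is made, so the new comment should say that this cache is temporary and must be removed on every exit path. Whether `v5_destroy()` can also remove a ccache the stash already held from an earlier step is not visible here and is worth confirming. The body of `_pam_krb5_kuserok` starts and ends outside the hunk.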