[Freeipa-devel] [PATCH] 0071 Recover from invalid cached credentials in ipasam

Alexander Bokovoy abokovoy at redhat.com
Mon Aug 20 11:38:40 UTC 2012


Hi,

https://fedorahosted.org/freeipa/ticket/3009

-- 
/ Alexander Bokovoy
-------------- next part --------------
From c5904ea253dae18db383d2efed8a85fbbe4d5c8b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Mon, 20 Aug 2012 13:26:20 +0300
Subject: [PATCH 3/3] Recover from invalid cached kerberos credentials in
 ipasam

When developing and testing in the same environment, multiple re-installs
may be needed. This means previously issued and cached Kerberos credentials
will become invalid upon new install.

ipasam passdb module for Samba uses Kerberos authentication when talking to
IPA LDAP server. Obtained Kerberos credentials are cached during their lifetime.
However, the ccache is not removed automatically and if IPA setup is made
again, cached credentials are used, only to discover that they are invalid.

With this change invalid correctly obtained cached credentials are recognized
and, if LDAP SASL bind fails, new credentials are requested from the KDC.

https://fedorahosted.org/freeipa/ticket/3009
---
 daemons/ipa-sam/ipa_sam.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index aa54429b5bec4b26906b2a34e59ff95299a67f80..2ecbc055df60bc40d4032c17cbdf5fb9b3d1842f 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -3311,6 +3311,7 @@ static int bind_callback(LDAP *ldap_struct, struct smbldap_state *ldap_state, vo
 	krb5_free_principal(data.context, in_creds.client);
 
 	if (rc) {
+notdone:
 		rc = krb5_get_init_creds_opt_alloc(data.context, &data.options);
 		if (rc) {
 			bind_callback_cleanup(&data, rc);
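Review bot: the `notdone:` label sits inside the `if (rc)` body, so the retry taken on SASL-bind failure jumps into the middle of a conditional and re-runs `krb5_get_init_creds_opt_alloc(data.context, &data.options)`; if `data.options` from the first pass is still allocated at that point (the only release visible here is `bind_callback_cleanup` on the error path), the retry overwrites the pointer and leaks the first allocation. Free or reset `data.options` before the label, or place the label so the options are allocated only once. A one-line comment at the label naming the `goto` that targets it would also help, since the jump originates some thirty lines further down.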
@@ -3337,6 +3338,19 @@ static int bind_callback(LDAP *ldap_struct, struct smbldap_state *ldap_state, vo
 					   LDAP_SASL_QUIET,
 					   ldap_sasl_interact, &data);
 	if (ret != LDAP_SUCCESS) {
+		if (LDAP_SECURITY_ERROR(ret)) {
+		/* LDAP server rejected our ccache. There may be several issues:
+		 * 1. Credentials are invalid due to outdated ccache leftover from previous install
+		 *    Wipe out old ccache and start again
+		 * 2. Key in the keytab is not enough to obtain ticket for cifs/FQDN at REALM service
+		 *    Cannot continue without proper keytab
+		 */
+			if ((ret == LDAP_INVALID_CREDENTIALS) && (rc == 0)) {
+			/* LDAP reported credentials are invalid but Kerberos result was 0
+			 * thus we were using invalid cached creds. Force reinitialize. */
+				goto notdone;
+			}
+		}
 		DEBUG(0, ("bind_callback: cannot perform interactive SASL bind with GSSAPI\n"));
 	}
 
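Review bot: nothing bounds the `goto notdone` retry. After reinitialization `rc` is 0 again whenever fresh credentials are obtained successfully, so if the server rejects the second SASL bind with `LDAP_INVALID_CREDENTIALS` as well (for any reason other than a stale ccache), the callback loops back to `notdone` indefinitely. Guard the retry with a flag so reinitialization happens at most once, e.g. `if (ret == LDAP_INVALID_CREDENTIALS && rc == 0 && !retried) { retried = true; goto notdone; }`. The comment also says the old ccache is wiped, but the visible code only re-requests credentials; if the re-request path reinitializes the ccache, state that in the comment, otherwise clear the ccache explicitly before retrying. Minor: both comment blocks are indented one level shallower than the `if` statements they describe.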
-- 
1.7.11.4


