From: Olga Kornievskaia <kolga@xxxxxxxxxx>
If ticket cache was removed manually, but gssd thinks it has a valid
credentials it will fail mount creation as it can't get a service
ticket (due to lack of the tgt).
Check if file-based ticket cache is not there and set the "nocache"
to 1 forcing the client to get a new tgt.
Signed-off-by: Olga Kornievskaia <kolga@xxxxxxxxxx>
---
utils/gssd/krb5_util.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index 0474783..bff759f 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -121,6 +121,9 @@
#include <krb5.h>
#include <rpc/auth_gss.h>
+#include <sys/types.h>
+#include <fcntl.h>
+
#include "nfslib.h"
#include "gssd.h"
#include "err_util.h"
@@ -314,6 +317,25 @@ gssd_find_existing_krb5_ccache(uid_t uid, char *dirname,
return err;
}
+/* check if the ticket cache exists, if not set nocache=1 so that new
+ * tgt is gotten
+ */
+static int
+gssd_check_if_cc_exists(struct gssd_k5_kt_princ *ple)
+{
+ int fd;
+ char cc_name[BUFSIZ];
+
+ snprintf(cc_name, sizeof(cc_name), "%s/%s%s_%s",
+ ccachesearch[0], GSSD_DEFAULT_CRED_PREFIX,
+ GSSD_DEFAULT_MACHINE_CRED_SUFFIX, ple->realm);
+ fd = open(cc_name, O_RDONLY);
+ if (fd < 0)
+ return 1;
+ close(fd);
+ return 0;
+}
+
/*
* Obtain credentials via a key in the keytab given
* a keytab handle and a gssd_k5_kt_princ structure.
@@ -348,6 +370,8 @@ gssd_get_single_krb5_cred(krb5_context context,
memset(&my_creds, 0, sizeof(my_creds));
+ if (!nocache && !use_memcache)
+ nocache = gssd_check_if_cc_exists(ple);
/*
* Workaround for clock skew among NFS server, NFS client and KDC
* 300 because clock skew must be within 300sec for kerberos
--
1.8.3.1
