If the initial attempt to refresh credentials in the RPCSEC_GSS client

side fails, the entry in the cache is left with no valid context (gd_ctx == GSS_C_NO_CONTEXT). As such, subsequent hits on the cache will result in persistent authentication failure, even after the user has done a kinit or similar and acquired a new valid TGT. This patch adds a test for that case upon a cache hit and calls rpc_gss_init() to make another attempt at getting valid credentials. It also moves the setting of gc_proc to before the import of the principal name to ensure that, if that case fails, it will be detected as a failure after going to "out:". Reviewed by: dfr Approved by: kib (mentor)
2009-06-24 18:30:14 +00:00 · 2009-06-24 18:30:14 +00:00 · a5268d56f6
commit a5268d56f6
parent e13ea48de6
1 changed files with 15 additions and 3 deletions
--- a/sys/rpc/rpcsec_gss/rpcsec_gss.c
+++ b/sys/rpc/rpcsec_gss/rpcsec_gss.c
@ -193,6 +193,7 @@ rpc_gss_secfind(CLIENT *clnt, struct ucred *cred, const char *principal,
 	uint32_t		h, th;
 	AUTH			*auth;
 	struct rpc_gss_data	*gd, *tgd;
+	rpc_gss_options_ret_t	options;

 	if (rpc_gss_count > RPC_GSS_MAX) {
 		while (rpc_gss_count > RPC_GSS_MAX) {
@ -231,6 +232,17 @@ again:
 			} else {
 				sx_sunlock(&rpc_gss_lock);
 			}
+
+			/*
+			 * If the state != ESTABLISHED, try and initialize
+			 * the authenticator again. This will happen if the
+			 * user's credentials have expired. It may succeed now,
+			 * if they have done a kinit or similar.
+			 */
+			if (gd->gd_state != RPCSEC_GSS_ESTABLISHED) {
+				memset(&options, 0, sizeof (options));
+				(void) rpc_gss_init(gd->gd_auth, &options);
+			}
 			return (gd->gd_auth);
 		}
 	}
@ -730,6 +742,9 @@ rpc_gss_init(AUTH *auth, rpc_gss_options_ret_t *options_ret)
 	gd->gd_state = RPCSEC_GSS_CONTEXT;
 	mtx_unlock(&gd->gd_lock);

+	gd->gd_cred.gc_proc = RPCSEC_GSS_INIT;
+	gd->gd_cred.gc_seq = 0;
+
 	principal_desc.value = (void *)gd->gd_principal;
 	principal_desc.length = strlen(gd->gd_principal);
 	maj_stat = gss_import_name(&min_stat, &principal_desc,
@ -741,9 +756,6 @@ rpc_gss_init(AUTH *auth, rpc_gss_options_ret_t *options_ret)
 	}

 	/* GSS context establishment loop. */
-	gd->gd_cred.gc_proc = RPCSEC_GSS_INIT;
-	gd->gd_cred.gc_seq = 0;
-
 	memset(&recv_token, 0, sizeof(recv_token));
 	memset(&gr, 0, sizeof(gr));
 	memset(options_ret, 0, sizeof(*options_ret));