From patchwork Wed Oct 4 17:32:36 2023
X-Patchwork-Submitter: Olga Kornievskaia
X-Patchwork-Id: 13409112
From: Olga Kornievskaia
To: steved@redhat.com
Cc: linux-nfs@vger.kernel.org
Subject: [PATCH v2 1/1] gss-api: expose gss major/minor error in authgss_refresh()
Date: Wed, 4 Oct 2023 13:32:36 -0400
Message-Id: <20231004173240.46924-2-olga.kornievskaia@gmail.com>
In-Reply-To: <20231004173240.46924-1-olga.kornievskaia@gmail.com>
References: <20231004173240.46924-1-olga.kornievskaia@gmail.com>
X-Mailing-List: linux-nfs@vger.kernel.org
From: Olga Kornievskaia When the client calls into the libtirpc to establish security context, the errors that occurred are squashed. Instead, extend authgss_refresh to propagate back the gss major/minor error codes to the caller. --- v2 fix a compiler warning reported by Steve Dickson Signed-off-by: Olga Kornievskaia --- src/auth_gss.c | 14 ++++++++------ tirpc/rpc/auth_gss.h | 2 ++ 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/src/auth_gss.c b/src/auth_gss.c index e317664..3127b92 100644 --- a/src/auth_gss.c +++ b/src/auth_gss.c @@ -184,6 +184,7 @@ authgss_create(CLIENT *clnt, gss_name_t name, struct rpc_gss_sec *sec) AUTH *auth, *save_auth; struct rpc_gss_data *gd; OM_uint32 min_stat = 0; + rpc_gss_options_ret_t ret; gss_log_debug("in authgss_create()"); @@ -229,8 +230,12 @@ authgss_create(CLIENT *clnt, gss_name_t name, struct rpc_gss_sec *sec) save_auth = clnt->cl_auth; clnt->cl_auth = auth; - if (!authgss_refresh(auth, NULL)) + memset(&ret, 0, sizeof(rpc_gss_options_ret_t)); + if (!authgss_refresh(auth, &ret)) { auth = NULL; + sec->major_status = ret.major_status; + sec->minor_status = ret.minor_status; + } else authgss_auth_get(auth); /* Reference for caller */ @@ -619,12 +624,9 @@ _rpc_gss_refresh(AUTH *auth, rpc_gss_options_ret_t *options_ret) } static bool_t -authgss_refresh(AUTH *auth, void *dummy) +authgss_refresh(AUTH *auth, void *ret) { - rpc_gss_options_ret_t ret; - - memset(&ret, 0, sizeof(ret)); - return _rpc_gss_refresh(auth, &ret); + return _rpc_gss_refresh(auth, (rpc_gss_options_ret_t *)ret); } bool_t diff --git a/tirpc/rpc/auth_gss.h b/tirpc/rpc/auth_gss.h index f2af6e9..a530d42 100644 --- a/tirpc/rpc/auth_gss.h +++ b/tirpc/rpc/auth_gss.h 
@@ -64,6 +64,8 @@ struct rpc_gss_sec { rpc_gss_svc_t svc; /* service */ gss_cred_id_t cred; /* cred handle */ u_int req_flags; /* req flags for init_sec_context */ + int major_status; + int minor_status; }; /* Private data required for kernel implementation */ From patchwork Wed Oct 4 17:32:39 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Olga Kornievskaia X-Patchwork-Id: 13409116 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id CAA74E7C4E8 for ; Wed, 4 Oct 2023 17:32:52 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243498AbjJDRcx (ORCPT ); Wed, 4 Oct 2023 13:32:53 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46714 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243676AbjJDRcx (ORCPT ); Wed, 4 Oct 2023 13:32:53 -0400 Received: from mail-io1-xd2a.google.com (mail-io1-xd2a.google.com [IPv6:2607:f8b0:4864:20::d2a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E5222AD for ; Wed, 4 Oct 2023 10:32:47 -0700 (PDT) Received: by mail-io1-xd2a.google.com with SMTP id ca18e2360f4ac-7a2874d2820so1523139f.1 for ; Wed, 04 Oct 2023 10:32:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1696440767; x=1697045567; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=hIrUaub9xbgh9JA6eu/SKHUdTohV+B8D2DY3q1ptAy8=; b=TM3hkiE1jNcwqgDj/87Y07KeoUXcW8OsLwFNvsiB3L8tSy/aNvxVvUq+Q2ruQa13X4 B4T5w29KYlyjAidIIJ0SV+Z1GyAgVtZ32CNNGKf/ao1QSmLUWW4A55JZ+xVKeJ0zwvgW gZaiEBUFGIStCigdAiywamjt74NdNJdktkdJkFOxlQ1RUMsSYxJ5Fw2gtwevEKTE+d9f 
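Review bot: in the authgss_create() hunk of src/auth_gss.c, sec->major_status and sec->minor_status are written only in the authgss_refresh() failure branch and are never cleared on entry or on success. A caller that inspects sec->minor_status after a NULL return therefore cannot tell a fresh GSS error from whatever the struct held before the call. Zero both fields at the top of authgss_create() and state in the header that they are meaningful only when NULL is returned.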
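Review bot: in the authgss_refresh() hunk of src/auth_gss.c, the void * argument is now cast and handed straight to _rpc_gss_refresh(), where the old body always passed a zeroed local rpc_gss_options_ret_t. The call removed from authgss_create() passed NULL and the parameter was named dummy, so any remaining caller that passes NULL, or a pointer to some other object, now has it treated as rpc_gss_options_ret_t. Keep the zeroed local as a fallback when ret is NULL, and confirm that no other caller sends a different type through this slot.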
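Review bot: the two fields added to struct rpc_gss_sec in tirpc/rpc/auth_gss.h are declared int and carry no comment, unlike every neighbouring member, while auth_gss.c holds the GSS status as OM_uint32 (min_stat). The conversion on assignment is implicit, and patch 2 of this series compares sec.minor_status against KRB5KRB_AP_ERR_BAD_INTEGRITY, so add comments saying what the fields hold and which representation callers should expect. Appending members also changes the size of a struct that callers allocate themselves (sec is passed by address from nfs-utils); the commit message should mention that both sides need rebuilding together.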
From: Olga Kornievskaia To: steved@redhat.com Cc: linux-nfs@vger.kernel.org Subject: [PATCH 2/3] nfs-utils: gssd: handle KRB5_AP_ERR_BAD_INTEGRITY for machine credentials Date: Wed, 4 Oct 2023 13:32:39 -0400 Message-Id: <20231004173240.46924-5-olga.kornievskaia@gmail.com> X-Mailer: git-send-email 2.30.1 (Apple Git-130) In-Reply-To: <20231004173240.46924-1-olga.kornievskaia@gmail.com> References: <20231004173240.46924-1-olga.kornievskaia@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org From: Olga Kornievskaia During context establishment, when the client received KRB5_AP_ERR_BAD_INTEGRITY error, it might be due to the server updating its key material. To handle such error, get a new service ticket and re-try the AP_REQ. Signed-off-by: Olga Kornievskaia --- utils/gssd/gssd_proc.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c index 4fb6b72d..e5cc1d98 100644 --- a/utils/gssd/gssd_proc.c +++ b/utils/gssd/gssd_proc.c 
@@ -412,13 +412,27 @@ create_auth_rpc_client(struct clnt_info *clp, tid, tgtname); auth = authgss_create_default(rpc_clnt, tgtname, &sec); if (!auth) { + if (sec.minor_status == KRB5KRB_AP_ERR_BAD_INTEGRITY) { + printerr(2, "WARNING: server=%s failed context " + "creation with KRB5_AP_ERR_BAD_INTEGRITY\n", + clp->servername); + if (cred == GSS_C_NO_CREDENTIAL) + retval = gssd_refresh_krb5_machine_credential(clp->servername, + "*", NULL, 1); + if (!retval) { + auth = authgss_create_default(rpc_clnt, tgtname, + &sec); + if (auth) + goto success; + } + } /* Our caller should print appropriate message */ printerr(2, "WARNING: Failed to create krb5 context for " "user with uid %d for server %s\n", uid, tgtname); goto out_fail; } - +success: /* Success !!! */ rpc_clnt->cl_auth = auth; *clnt_return = rpc_clnt; From patchwork Wed Oct 4 17:32:40 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Olga Kornievskaia X-Patchwork-Id: 13409115 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 39131E7C4E7 for ; Wed, 4 Oct 2023 17:32:51 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243630AbjJDRcw (ORCPT ); Wed, 4 Oct 2023 13:32:52 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46688 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243498AbjJDRcw (ORCPT ); Wed, 4 Oct 2023 13:32:52 -0400 Received: from mail-il1-x12c.google.com (mail-il1-x12c.google.com [IPv6:2607:f8b0:4864:20::12c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1A82CA7 for ; Wed, 4 Oct 2023 10:32:49 -0700 (PDT) Received: by mail-il1-x12c.google.com with SMTP id e9e14a558f8ab-34f69780037so101805ab.1 for ; Wed, 04 Oct 2023 10:32:49 -0700 (PDT) DKIM-Signature: v=1; 
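Review bot: in the create_auth_rpc_client() hunk of utils/gssd/gssd_proc.c, retval is assigned inside the KRB5KRB_AP_ERR_BAD_INTEGRITY branch only when cred == GSS_C_NO_CREDENTIAL, yet the following if (!retval) runs for both cases. With a user credential the decision to retry authgss_create_default() depends on whatever retval held earlier in the function. Set retval to a non-zero value at the top of the branch, or nest the retry under the cred check, so this patch behaves correctly on its own. The success: label sitting directly after the if (!auth) block can be avoided by skipping the warning and goto out_fail only when auth is still NULL after the retry.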
-0700 (PDT) From: Olga Kornievskaia To: steved@redhat.com Cc: linux-nfs@vger.kernel.org Subject: [PATCH 3/3] nfs-utils: gssd: handle KRB5_AP_ERR_BAD_INTEGRITY for user credentials Date: Wed, 4 Oct 2023 13:32:40 -0400 Message-Id: <20231004173240.46924-6-olga.kornievskaia@gmail.com> X-Mailer: git-send-email 2.30.1 (Apple Git-130) In-Reply-To: <20231004173240.46924-1-olga.kornievskaia@gmail.com> References: <20231004173240.46924-1-olga.kornievskaia@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org From: Olga Kornievskaia Unlike the machine credential case, we can't throw away the ticket cache and use the keytab to renew the credentials. Instead, we need to remove the service ticket for the server that returned KRB5_AP_ERR_BAD_INTEGRITY and try again. Signed-off-by: Olga Kornievskaia --- utils/gssd/gssd_proc.c | 2 ++ utils/gssd/krb5_util.c | 42 ++++++++++++++++++++++++++++++++++++++++++ utils/gssd/krb5_util.h | 1 + 3 files changed, 45 insertions(+) diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c index e5cc1d98..a96647df 100644 --- a/utils/gssd/gssd_proc.c +++ b/utils/gssd/gssd_proc.c @@ -419,6 +419,8 @@ create_auth_rpc_client(struct clnt_info *clp, if (cred == GSS_C_NO_CREDENTIAL) retval = gssd_refresh_krb5_machine_credential(clp->servername, "*", NULL, 1); + else + retval = gssd_k5_remove_bad_service_cred(clp->servername); if (!retval) { auth = authgss_create_default(rpc_clnt, tgtname, &sec); diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c index f6ce1fec..6f66ef4f 100644 --- a/utils/gssd/krb5_util.c +++ b/utils/gssd/krb5_util.c 
@@ -1553,6 +1553,48 @@ gssd_acquire_user_cred(gss_cred_id_t *gss_cred) return ret; } +/* Removed a service ticket for nfs/ from the ticket cache + */ +int +gssd_k5_remove_bad_service_cred(char *name) +{ + krb5_creds in_creds, out_creds; + krb5_error_code ret; + krb5_context context; + krb5_ccache cache; + krb5_principal principal; + int retflags = KRB5_TC_MATCH_SRV_NAMEONLY; + char srvname[1024]; + + ret = krb5_init_context(&context); + if (ret) + goto out_cred; + ret = krb5_cc_default(context, &cache); + if (ret) + goto out_free_context; + ret = krb5_cc_get_principal(context, cache, &principal); + if (ret) + goto out_close_cache; + memset(&in_creds, 0, sizeof(in_creds)); + in_creds.client = principal; + sprintf(srvname, "nfs/%s", name); + ret = krb5_parse_name(context, srvname, &in_creds.server); + if (ret) + goto out_free_principal; + ret = krb5_cc_retrieve_cred(context, cache, retflags, &in_creds, &out_creds); + if (ret) + goto out_free_principal; + ret = krb5_cc_remove_cred(context, cache, 0, &out_creds); +out_free_principal: + krb5_free_principal(context, principal); +out_close_cache: + krb5_cc_close(context, cache); +out_free_context: + krb5_free_context(context); +out_cred: + return ret; +} + #ifdef HAVE_SET_ALLOWABLE_ENCTYPES /* * this routine obtains a credentials handle via gss_acquire_cred() diff --git a/utils/gssd/krb5_util.h b/utils/gssd/krb5_util.h index 62c91a0e..7ef87018 100644 --- a/utils/gssd/krb5_util.h +++ b/utils/gssd/krb5_util.h @@ -22,6 +22,7 @@ char *gssd_k5_err_msg(krb5_context context, krb5_error_code code); void gssd_k5_get_default_realm(char **def_realm); int gssd_acquire_user_cred(gss_cred_id_t *gss_cred); +int gssd_k5_remove_bad_service_cred(char *srvname); #ifdef HAVE_SET_ALLOWABLE_ENCTYPES extern int limit_to_legacy_enctypes;
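Review bot: in the utils/gssd/gssd_proc.c hunk of patch 3, gssd_k5_remove_bad_service_cred() receives only clp->servername, and its body in krb5_util.c opens krb5_cc_default(). Nothing in the visible lines ties that default cache to the cred that was used for the failed context. Confirm the default cache at this point is the one behind cred, or pass the cache (or its name) into the helper so the ticket is removed from the cache that was actually used.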
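Review bot: sprintf(srvname, "nfs/%s", name) in gssd_k5_remove_bad_service_cred() (utils/gssd/krb5_util.c) writes into a fixed char srvname[1024] with no length check on name. Use snprintf(srvname, sizeof(srvname), "nfs/%s", name) and return an error when the result is truncated. The cleanup labels also never release in_creds.server allocated by krb5_parse_name() or the contents of out_creds filled by krb5_cc_retrieve_cred(); add krb5_free_principal() and krb5_free_cred_contents() for them. The parameter can be const char *, and the prototype in krb5_util.h names it srvname while the definition calls it name and prepends the service prefix itself.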