From 55d9bf151b100db9bf52e8f968e33f3ae1d234f5 Mon Sep 17 00:00:00 2001
From: Olga Kornievskaia
Date: Mon, 24 Mar 2025 08:40:32 -0400
Subject: [PATCH 1/2] gssd: unconditionally use krb5_get_init_creds_opt_alloc
Note: This patch has a context difference from the upstream version because RHEL 8 does not have c8659457 ("gssd: We never use the nocache param of gssd_check_if_cc_exists()") or f066f87b ("gssd: enable forcing cred renewal using the keytab").
Original commit message: Modern kerberos API uses krb5_get_init_creds_opt_alloc() for managing its options for credential data structure.
Signed-off-by: Olga Kornievskaia
Signed-off-by: Steve Dickson
(cherry picked from commit 9b3f949331c6541a358fc28bac323533f94d7e0b)
Signed-off-by: Scott Mayhew
---
 utils/gssd/krb5_util.c | 37 ++++++++++---------------------------
 1 file changed, 10 insertions(+), 27 deletions(-)
diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index a1a77a2f..871add74 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -370,12 +370,7 @@ gssd_get_single_krb5_cred(krb5_context context,
 struct gssd_k5_kt_princ *ple, int nocache)
 {
-#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_ADDRESSLESS
- krb5_get_init_creds_opt *init_opts = NULL;
-#else
- krb5_get_init_creds_opt options;
-#endif
- krb5_get_init_creds_opt *opts;
+ krb5_get_init_creds_opt *opts = NULL;
 krb5_creds my_creds;
 krb5_ccache ccache = NULL;
 char kt_name[BUFSIZ];
@@ -413,33 +408,23 @@ gssd_get_single_krb5_cred(krb5_context context,
 if ((krb5_unparse_name(context, ple->princ, &pname)))
 pname = NULL;
-#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_ADDRESSLESS
- code = krb5_get_init_creds_opt_alloc(context, &init_opts);
+ code = krb5_get_init_creds_opt_alloc(context, &opts);
 if (code) {
 k5err = gssd_k5_err_msg(context, code);
 printerr(0, "ERROR: %s allocating gic options\n", k5err);
 goto out;
 }
- if (krb5_get_init_creds_opt_set_addressless(context, init_opts, 1))
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_ADDRESSLESS
+ if (krb5_get_init_creds_opt_set_addressless(context, opts, 1))
 printerr(1, "WARNING: Unable to set option for addressless "
 "tickets. May have problems behind a NAT.\n");
-#ifdef TEST_SHORT_LIFETIME
- /* set a short lifetime (for debugging only!) */
- printerr(1, "WARNING: Using (debug) short machine cred lifetime!\n");
- krb5_get_init_creds_opt_set_tkt_life(init_opts, 5*60);
+#else
+ krb5_get_init_creds_opt_set_address_list(opts, NULL);
 #endif
- opts = init_opts;
-
-#else /* HAVE_KRB5_GET_INIT_CREDS_OPT_SET_ADDRESSLESS */
-
- krb5_get_init_creds_opt_init(&options);
- krb5_get_init_creds_opt_set_address_list(&options, NULL);
 #ifdef TEST_SHORT_LIFETIME
 /* set a short lifetime (for debugging only!) */
- printerr(0, "WARNING: Using (debug) short machine cred lifetime!\n");
- krb5_get_init_creds_opt_set_tkt_life(&options, 5*60);
-#endif
- opts = &options;
+ printerr(1, "WARNING: Using (debug) short machine cred lifetime!\n");
+ krb5_get_init_creds_opt_set_tkt_life(opts, 5*60);
 #endif
 if ((code = krb5_get_init_creds_keytab(context, &my_creds, ple->princ,
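Review bot: The `#else` branch now reaches `krb5_get_init_creds_opt_alloc()` unconditionally, so a library that lacks `krb5_get_init_creds_opt_set_addressless` is still assumed to provide the allocator; the removed `krb5_get_init_creds_opt_init(&options)` path was the fallback for exactly that case, and nothing in the hunk records the new minimum. A one-line comment above the alloc call, `/* krb5_get_init_creds_opt_alloc() is assumed to exist; only set_addressless is optional */`, would make the assumption explicit for this backport. The error path after the alloc also relies on `opts` still being NULL when the call fails, so that the `if (opts)` free at `out:` in the third hunk is skipped; that matches the library implementations I am aware of, but it is an assumption worth confirming rather than relying on silently. Separately, the non-addressless path's debug-lifetime warning drops from printerr level 0 to 1, so a build with TEST_SHORT_LIFETIME defined on such a library announces its 5-minute machine-credential lifetime less loudly than before, which deserves a word in the commit message if deliberate. gssd_get_single_krb5_cred() begins and ends outside this hunk.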
@@ -500,10 +485,8 @@ gssd_get_single_krb5_cred(krb5_context context,
 printerr(2, "%s(0x%lx): principal '%s' ccache:'%s'\n",
 __func__, tid, pname, cc_name);
 out:
-#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_ADDRESSLESS
- if (init_opts)
- krb5_get_init_creds_opt_free(context, init_opts);
-#endif
+ if (opts)
+ krb5_get_init_creds_opt_free(context, opts);
 if (pname)
 k5_free_unparsed_name(context, pname);
 if (ccache)
--
2.43.0