fix ccache handling for leave operation

Resolves: jira#SSSD-6420

0001-tools-fix-ccache-handling-for-leave-operation.patch

@@ -0,0 +1,69 @@
+From f648ae06012d1de137f12095d1bd7aaacb382042 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 10 Jan 2024 09:18:20 +0100
+Subject: [PATCH] tools: fix ccache handling for leave operation
+
+krb5_cc_initialize() must be called before anything can be written into
+a ccache.
+
+While checking the available credential types the order/preference was
+not respected.
+
+Resolves: https://issues.redhat.com/browse/SSSD-6420
+---
+ tools/realm-client.c | 25 ++++++++++++++++---------
+ 1 file changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/tools/realm-client.c b/tools/realm-client.c
+index c386e64..06420ea 100644
+--- a/tools/realm-client.c
++++ b/tools/realm-client.c
+@@ -498,13 +498,16 @@ are_credentials_supported (GVariant *supported,
+ 	GVariantIter iter;
+ 	const gchar *type;
+ 	const gchar *owner;
+-
+-	g_variant_iter_init (&iter, supported);
+-	while (g_variant_iter_loop (&iter, "(&s&s)", &type, &owner)) {
+-		if (g_strcmp0 (credential_type_1, type) == 0 ||
+-		    g_strcmp0 (credential_type_2, type) == 0) {
+-			*ret_owner = owner;
+-			return type;
++	const gchar *list[] = {credential_type_1, credential_type_2, NULL};
++	size_t c;
++
++	for (c = 0; list[c] != NULL; c++) {
++		g_variant_iter_init (&iter, supported);
++		while (g_variant_iter_loop (&iter, "(&s&s)", &type, &owner)) {
++			if (g_strcmp0 (list[c], type) == 0) {
++				*ret_owner = owner;
++				return type;
++			}
+ 		}
+ 	}
+ 
+@@ -622,8 +625,6 @@ copy_to_ccache (krb5_context krb5,
+ 	memset (&mcred, 0, sizeof (mcred));
+ 	mcred.client = principal;
+ 	mcred.server = server;
+-	mcred.times.starttime = g_get_real_time () / G_TIME_SPAN_MILLISECOND;
+-	mcred.times.endtime = mcred.times.starttime;
+ 
+ 	code = krb5_cc_retrieve_cred (krb5, def_ccache, KRB5_TC_MATCH_TIMES,
+ 	                              &mcred, &creds);
+@@ -639,6 +640,12 @@ copy_to_ccache (krb5_context krb5,
+ 		return FALSE;
+ 	}
+ 
++	code = krb5_cc_initialize (krb5, ccache, creds.client);
++	if (code != 0) {
++		g_debug ("krb5_cc_initialize failed: %s", krb5_get_error_message (krb5, code));
++		return FALSE;
++	}
++
+ 	code = krb5_cc_store_cred (krb5, ccache, &creds);
+ 	krb5_free_cred_contents (krb5, &creds);
+ 
+-- 
+2.43.0
+

realmd.spec

@@ -1,6 +1,6 @@
 Name:    realmd
 Version: 0.17.1
-Release: 8%{?dist}
+Release: 9%{?dist}
 Summary: Kerberos realm enrollment service
 License: LGPL-2.1-or-later
 URL:     https://gitlab.freedesktop.org/realmd/realmd
@@ -10,6 +10,7 @@ Patch0001: 0001-service-allow-multiple-names-and-_srv_-ad_server-opt.patch
 Patch0002: 0002-service-fix-error-message-when-removing-host-from-AD.patch
 Patch0003: 0003-doc-fix-reference-in-realmd.conf-man-page.patch
 Patch0004: 0001-sssd-package-fix.patch
+Patch0005: 0001-tools-fix-ccache-handling-for-leave-operation.patch
 
 BuildRequires: make
 BuildRequires: gcc
@@ -96,6 +97,10 @@ make check
 %doc ChangeLog
 
 %changelog
+* Fri Feb 09 2024 Sumit Bose <sbose@redhat.com> - 0.17.1-9
+- fix ccache handling for leave operation
+  Resolves: jira#SSSD-6420
+
 * Mon Feb 05 2024 Sumit Bose <sbose@redhat.com> - 0.17.1-8
 - improve sssd package handling due to removed sssd meta package
   Resolves: rhbz#2255725