SSSD / sssd

Clone

865cbab KRB5: Return invalid credentials internally when attempting to renew an expired TGT

1 file Authored by jhrozek 6 years ago, Committed by lslebodn 6 years ago,
raw patch tree parent
1 file changed. 8 lines added. 0 lines removed.
src/providers/krb5/krb5_child.c
file modified
+8 -0 
    KRB5: Return invalid credentials internally when attempting to renew an expired TGT
    
    Since 1.14.2 and in particular commit
    d3348f49260998880bb7cd3b2fb72d562b1b7a64 we return ERR_NETWORK_IO for any
    krb5_child operations that receive KRB5KRB_AP_ERR_TKT_EXPIRED from libkrb5.
    
    However, when the action that krb5_child performs is ticket renewal and
    the ticket is totally expired, this can send the SSSD into offline mode.
    
    Instead, this patch converts the KRB5KRB_AP_ERR_TKT_EXPIRED code into
    sssd-internal ERR_CREDS_EXPIRED which map_krb5_error() won't map
    anymore.
    
    The effect on the deamon is that just the single renewal fails, but
    the failover code is not called and therefore sssd doesn't switch into
    offline mode.
    
    Resolves:
    https://pagure.io/SSSD/sssd/issue/3406
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Tested-by: Joakim Tjernlund <Joakim.Tjernlund@infinera.com>
file modified
+8 -0
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.