krb5 commit: In klist, display ticket server if different

Greg Hudson ghudson at mit.edu
Wed May 29 12:58:49 EDT 2019


https://github.com/krb5/krb5/commit/f174919a600ab617a881500e3ead98ba9f49c62e
commit f174919a600ab617a881500e3ead98ba9f49c62e
Author: Greg Hudson <ghudson at mit.edu>
Date:   Tue May 28 12:02:00 2019 -0400

    In klist, display ticket server if different
    
    If the ticket server differs from the credential server, display it as
    an extra field.  This happens most commonly when the credential is
    cached under the referral realm.
    
    ticket: 8811 (new)

 src/clients/klist/klist.c |   41 +++++++++++++++++++++++++----------------
 src/tests/t_referral.py   |    4 ++--
 2 files changed, 27 insertions(+), 18 deletions(-)

diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
index 4261ac9..a54e378 100644
--- a/src/clients/klist/klist.c
+++ b/src/clients/klist/klist.c
@@ -662,25 +662,27 @@ static void
 show_credential(krb5_creds *cred)
 {
     krb5_error_code ret;
-    krb5_ticket *tkt;
-    char *name, *sname, *flags;
+    krb5_ticket *tkt = NULL;
+    char *name = NULL, *sname = NULL, *tktsname, *flags;
     int extra_field = 0, ccol = 0, i;
+    krb5_boolean is_config = krb5_is_config_principal(context, cred->server);
 
     ret = krb5_unparse_name(context, cred->client, &name);
     if (ret) {
         com_err(progname, ret, _("while unparsing client name"));
-        return;
+        goto cleanup;
     }
     ret = krb5_unparse_name(context, cred->server, &sname);
     if (ret) {
         com_err(progname, ret, _("while unparsing server name"));
-        krb5_free_unparsed_name(context, name);
-        return;
+        goto cleanup;
     }
+    if (!is_config)
+        (void)krb5_decode_ticket(&cred->ticket, &tkt);
     if (!cred->times.starttime)
         cred->times.starttime = cred->times.authtime;
 
-    if (!krb5_is_config_principal(context, cred->server)) {
+    if (!is_config) {
         printtime(cred->times.starttime);
         putchar(' ');
         putchar(' ');
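Review bot: The `(void)krb5_decode_ticket(&cred->ticket, &tkt);` call now runs for every non-config entry instead of only under `show_etype`, so each plain `klist` listing feeds the cached ticket bytes to the ASN.1 decoder, and the result is discarded without comment. The later `tkt != NULL` tests appear to rely on the decoder leaving `tkt` NULL on failure, which this hunk does not show. A comment above the call would make that contract explicit, for example `/* Best effort: if the cached ticket does not decode, tkt stays NULL and the etype and ticket-server fields are skipped. */`. The body of show_credential continues outside this hunk.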
@@ -707,7 +709,7 @@ show_credential(krb5_creds *cred)
         extra_field++;
     }
 
-    if (krb5_is_config_principal(context, cred->server))
+    if (is_config)
         print_config_data(ccol, &cred->ticket);
 
     if (cred->times.renew_till) {
@@ -737,11 +739,7 @@ show_credential(krb5_creds *cred)
         extra_field = 0;
     }
 
-    if (show_etype) {
-        ret = krb5_decode_ticket(&cred->ticket, &tkt);
-        if (ret)
-            goto err_tkt;
-
+    if (show_etype && tkt != NULL) {
         if (!extra_field)
             fputs("\t",stdout);
         else
@@ -750,10 +748,6 @@ show_credential(krb5_creds *cred)
                etype_string(cred->keyblock.enctype));
         printf("%s ", etype_string(tkt->enc_part.enctype));
         extra_field++;
-
-    err_tkt:
-        if (tkt != NULL)
-            krb5_free_ticket(context, tkt);
     }
 
     if (show_adtype) {
@@ -792,8 +786,23 @@ show_credential(krb5_creds *cred)
         }
     }
 
+    /* Display the ticket server if it is different from the server name the
+     * entry was cached under (most commonly for referrals). */
+    if (tkt != NULL &&
+        !krb5_principal_compare(context, cred->server, tkt->server)) {
+        ret = krb5_unparse_name(context, tkt->server, &tktsname);
+        if (ret) {
+            com_err(progname, ret, _("while unparsing ticket server name"));
+            goto cleanup;
+        }
+        printf(_("\tTicket server: %s\n"), tktsname);
+        krb5_free_unparsed_name(context, tktsname);
+    }
+
+cleanup:
     krb5_free_unparsed_name(context, name);
     krb5_free_unparsed_name(context, sname);
+    krb5_free_ticket(context, tkt);
 }
 
 #include "port-sockets.h"
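Review bot: The name printed as "Ticket server" is `tkt->server`, taken from the ticket as decoded out of the cache entry, and nothing visible here validates it beyond the comparison with `cred->server`. In Kerberos the server name sits in the unencrypted part of the ticket, so the client cannot authenticate this value, and the new comment should say so to keep readers from treating the field as verified. Suggested addition to the comment: `/* tkt->server comes from the unencrypted part of the cached ticket and is displayed for information only. */`. Separately, `tktsname` is the only pointer in the declaration left uninitialized; declaring it as `char *tktsname = NULL;` inside this `if` block would match the other names and keep it out of the function-wide scope.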
diff --git a/src/tests/t_referral.py b/src/tests/t_referral.py
index 2b6ed5d..52313ae 100755
--- a/src/tests/t_referral.py
+++ b/src/tests/t_referral.py
@@ -18,9 +18,9 @@ def testref(realm, nametype):
     shutil.copyfile(savefile, realm.ccache)
     realm.run(['./gcred', nametype, 'a/x.d@'])
     out = realm.run([klist]).split('\n')
-    if len(out) != 8:
+    if len(out) != 9:
         fail('unexpected number of lines in klist output')
-    if out[5].split()[4] != 'a/x.d@' or out[6].split()[4] != 'a/x.d at REFREALM':
+    if out[5].split()[4] != 'a/x.d@' or out[7].split()[4] != 'a/x.d at REFREALM':
         fail('unexpected service principals in klist output')
 
 # Get credentials and check that we get an error, not a referral.
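Review bot: The new "Ticket server:" line is covered only indirectly, by the line count moving from 8 to 9 and the second index moving from `out[6]` to `out[7]`; nothing asserts what the line contains. If `out[6]` is the added line, as the index shift suggests, a check such as `if 'Ticket server: ' not in out[6]:` followed by a `fail(...)` call would pin the new field and catch a regression that prints some other ninth line. testref starts outside this hunk.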

