[krbdev.mit.edu #8010] git commit
Greg Hudson via RT
rt at krbdev.mit.edu
Mon Sep 13 23:55:15 EDT 2021
<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8010 >

Improve gss_store_cred() behavior

Select an output credential cache using similar logic to kinit. Do
not require the target cache to be initialized.

Try to use the per-thread cache set by gss_krb5_ccache_name() if no
output cache was specified via a cred store.

When the destination is a collection, honor the default_cred flag by
switching the primary cache to the selected output cache. When the
destination is not a collection, ignore the default_cred flag.
(Previously the default_cred flag was mandatory for gss_store_cred()
even though it is an advisory flag, and ignored for
gss_store_cred_into() even if no ccache was specified in the cred
store.)

Honor the overwrite_cred flag by refusing to replace an initialized
cache if it is not set. Stop using gss_acquire_cred() for this
purpose as it could go out and fetch credentials from a client keytab.

Perform atomic replacement of the target cache when possible, using
krb5_cc_move().

Add a test harness for calling gss_store_cred() or
gss_store_cred_into() and a suite of tests. Fix a broken trace log
message for krb5_cc_move() and update the expected trace logs for an
existing t_credstore.py test.

https://github.com/krb5/krb5/commit/3f5a348287646d65700854650fe668b9c4249013
Author: Greg Hudson <ghudson at mit.edu>
Commit: 3f5a348287646d65700854650fe668b9c4249013
Branch: master

.gitignore                       |   1 +
doc/appdev/gssapi.rst            |  15 +++-
src/include/k5-trace.h           |   2 +-
src/lib/gssapi/krb5/store_cred.c | 145 +++++++++++++++++--------------------
src/tests/gssapi/Makefile.in     |  14 +++--
src/tests/gssapi/t_credstore.py  |   4 +-
src/tests/gssapi/t_store_cred.c  | 114 ++++++++++++++++++++++++++++++
src/tests/gssapi/t_store_cred.py |  80 +++++++++++++++++++++
8 files changed, 285 insertions(+), 90 deletions(-)