Fix a regression in the client-side ticket renewal code where KDC
authorGreg Hudson <ghudson@mit.edu>
Tue, 14 Dec 2010 17:28:38 +0000 (17:28 +0000)
committerGreg Hudson <ghudson@mit.edu>
Tue, 14 Dec 2010 17:28:38 +0000 (17:28 +0000)
options were not folded into the renewal request (most notably, the
KDC_OPT_RENEWABLE flag), so we didn't request renewable renewed
tickets.  Add a simple test case for ticket renewal.

ticket: 6838
tags: pullups
target_version: 1.9

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24566 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/krb5/krb/val_renew.c
src/tests/Makefile.in
src/tests/t_renew.py [new file with mode: 0644]

index 46eff99b70a15d8d78e6520506a9178a6a8e1d19..bc3b90c3e578254d7947c66bf7e282169d1f2337 100644 (file)
@@ -59,7 +59,10 @@ get_new_creds(krb5_context context, krb5_ccache ccache, krb5_creds *in_creds,
     if (code != 0)
        return code;
 
-    /* Use it to get a new credential from the KDC. */
+    /* Use KDC options from old credential as well as requested options. */
+    kdcopt |= (old_creds.ticket_flags & KDC_TKT_COMMON_MASK);
+
+    /* Use the old credential to get a new credential from the KDC. */
     code = krb5_get_cred_via_tkt(context, &old_creds, kdcopt,
                                 old_creds.addresses, in_creds, &new_creds);
     krb5_free_cred_contents(context, &old_creds);
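Review bot: The new comment above `kdcopt |= (old_creds.ticket_flags & KDC_TKT_COMMON_MASK);` says "KDC options from old credential", but the line folds in the old ticket's flags filtered by the mask, so the request inherits every flag in that mask and not only renewable. I would say so in the comment, e.g. `/* Carry over the old ticket's flags that double as KDC options (KDC_TKT_COMMON_MASK), so a renewed ticket stays renewable. */`. It should also name the other flags the mask selects (presumably forwardable, proxiable and allow-postdate; confirm against the header), since those decide how far the new ticket can be delegated. The file name suggests get_new_creds also serves the validation path, so it is worth confirming the same carry-over is wanted there. The function begins and ends outside this hunk.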
index cc3eafec589a546a1e3f6dbda08461c3db1e93f4..964da6ee19021b68f192ccd5735b6a297ee0acae 100644 (file)
@@ -66,6 +66,7 @@ check-pytests::
        $(RUNPYTEST) $(srcdir)/t_lockout.py $(PYTESTFLAGS)
        $(RUNPYTEST) $(srcdir)/t_kadm5_hook.py $(PYTESTFLAGS)
        $(RUNPYTEST) $(srcdir)/t_keyrollover.py $(PYTESTFLAGS)
+       $(RUNPYTEST) $(srcdir)/t_renew.py $(PYTESTFLAGS)
 
 clean::
        $(RM) kdc.conf
diff --git a/src/tests/t_renew.py b/src/tests/t_renew.py
new file mode 100644 (file)
index 0000000..1053646
--- /dev/null
@@ -0,0 +1,16 @@
+#!/usr/bin/python
+from k5test import *
+
+realm = K5Realm(create_host=False, start_kadmind=False, get_creds=False)
+
+# Configure the realm to allow renewable tickets and acquire some.
+realm.run_kadminl('modprinc -maxrenewlife "2 days" user')
+realm.run_kadminl('modprinc -maxrenewlife "2 days" %s' % realm.krbtgt_princ)
+realm.kinit(realm.user_princ, password('user'), flags=['-r', '2d'])
+
+# Renew twice, to test that renewed tickets are renewable.
+realm.kinit(realm.user_princ, flags=['-R'])
+realm.kinit(realm.user_princ, flags=['-R'])
+realm.klist(realm.user_princ)
+
+success('Renewing credentials.')
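Review bot: The test exercises only the renewable flag, while the C change carries over every flag selected by KDC_TKT_COMMON_MASK. Nothing here inspects the flags of the renewed ticket; the second `kinit -R` succeeding is the only implicit assertion. I would add an explicit check of the ticket flags after renewal. I would also add a case that requests one more carried-over flag alongside `-r` and confirms it survives the renewal. A negative case, where renewing a ticket obtained without `-r` is expected to fail, would pin down the KDC-side policy the test depends on.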