projects / krb5.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: e873079)
pull up r24566 from trunk
authorTom Yu <tlyu@mit.edu>
Tue, 14 Dec 2010 23:10:42 +0000 (23:10 +0000)
committerTom Yu <tlyu@mit.edu>
Tue, 14 Dec 2010 23:10:42 +0000 (23:10 +0000)
 ------------------------------------------------------------------------
 r24566 | ghudson | 2010-12-14 12:28:38 -0500 (Tue, 14 Dec 2010) | 9 lines

 ticket: 6838
 tags: pullups
 target_version: 1.9

 Fix a regression in the client-side ticket renewal code where KDC
 options were not folded into the renewal request (most notably, the
 KDC_OPT_RENEWABLE flag), so we didn't request renewable renewed
 tickets.  Add a simple test case for ticket renewal.

ticket: 6838
version_fixed: 1.9
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24570 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/krb5/krb/val_renew.c patch | blob | history
src/tests/Makefile.in patch | blob | history
src/tests/t_renew.py [new file with mode: 0644] patch | blob

diff --git a/src/lib/krb5/krb/val_renew.c b/src/lib/krb5/krb/val_renew.c
index 46eff99b70a15d8d78e6520506a9178a6a8e1d19..bc3b90c3e578254d7947c66bf7e282169d1f2337 100644 (file)
--- a/src/lib/krb5/krb/val_renew.c
+++ b/src/lib/krb5/krb/val_renew.c
@@ -59,7 +59,10 @@ get_new_creds(krb5_context context, krb5_ccache ccache, krb5_creds *in_creds,
     if (code != 0)
        return code;
 
-    /* Use it to get a new credential from the KDC. */
+    /* Use KDC options from old credential as well as requested options. */
+    kdcopt |= (old_creds.ticket_flags & KDC_TKT_COMMON_MASK);
+
+    /* Use the old credential to get a new credential from the KDC. */
     code = krb5_get_cred_via_tkt(context, &old_creds, kdcopt,
                                 old_creds.addresses, in_creds, &new_creds);
     krb5_free_cred_contents(context, &old_creds);
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index cc3eafec589a546a1e3f6dbda08461c3db1e93f4..964da6ee19021b68f192ccd5735b6a297ee0acae 100644 (file)
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -66,6 +66,7 @@ check-pytests::
        $(RUNPYTEST) $(srcdir)/t_lockout.py $(PYTESTFLAGS)
        $(RUNPYTEST) $(srcdir)/t_kadm5_hook.py $(PYTESTFLAGS)
        $(RUNPYTEST) $(srcdir)/t_keyrollover.py $(PYTESTFLAGS)
+       $(RUNPYTEST) $(srcdir)/t_renew.py $(PYTESTFLAGS)
 
 clean::
        $(RM) kdc.conf
diff --git a/src/tests/t_renew.py b/src/tests/t_renew.py
new file mode 100644 (file)
index 0000000..1053646
--- /dev/null
+++ b/src/tests/t_renew.py
@@ -0,0 +1,16 @@
+#!/usr/bin/python
+from k5test import *
+
+realm = K5Realm(create_host=False, start_kadmind=False, get_creds=False)
+
+# Configure the realm to allow renewable tickets and acquire some.
+realm.run_kadminl('modprinc -maxrenewlife "2 days" user')
+realm.run_kadminl('modprinc -maxrenewlife "2 days" %s' % realm.krbtgt_princ)
+realm.kinit(realm.user_princ, password('user'), flags=['-r', '2d'])
+
+# Renew twice, to test that renewed tickets are renewable.
+realm.kinit(realm.user_princ, flags=['-R'])
+realm.kinit(realm.user_princ, flags=['-R'])
+realm.klist(realm.user_princ)
+
+success('Renewing credentials.')
MIT implementation of the Kerberos network authentication protocol. This repo may be rebased, so don't base your work on it. Use git://github.com/krb5/krb5 instead.