GNOME Bugzilla – Bug 685876
kerberos: set up primary properly
Last modified: 2012-11-09 07:42:24 UTC
I've noticed that firefox, git and other tools don't pick up the ticket I obtained with a goa enterprise account. The reason seems to be that the primary is not set up correctly. All the file contains is 'tgt'. When I use kinit to obtain a ticket, primary contains the full name of the actual ticket.
So we could use the krb5_cc_switch api to set the primary, but the kerberos library lacks a way to check if there is a valid primary currently set, so we would end up overwriting the primary every time, which could be weird. Say you used kerberos for login, and then added a second one in gnome-online-accounts, the second one would become primary. This may just be a plain old bug, though. We currently have code like:

    sign_in_identity (...)
    {
      if (the identity isn't known about)
        {
          if (cache type is the file cache type)
            {
              create_and_use_the_non_unique_default_cache_file
            }
          else if (cache type is the directory cache type)
            {
              create_and_use_unique_cache_file
            }
        }
      else
        {
          use_existing_cache_file
        }
    }

we could probably change the directory cache handling bits to:

    else if (cache type is the directory cache type)
      {
        if (there are no pre-existing identities)
          {
            create_and_use_the_non_unique_default_cache_file
          }
        else
          {
            create_and_use_unique_cache_file
          }
      }
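A diagnostic check for the symptom described above, added here as an example (not code from this bug or from gnome-online-accounts): it inspects a DIR: credential cache collection and reports whether the primary file names a cache that actually exists. It assumes the MIT Kerberos DIR: layout (a primary file naming the primary cache, cache files named tkt or tkt plus a suffix); the sample collection it builds is constructed.

```shell
#!/bin/sh
# Inspect a DIR: credential cache collection and report whether its primary
# points at a cache file that actually exists.
# Assumed layout (MIT Kerberos DIR: type): <dir>/primary holds the name of the
# primary cache file, and cache files are named tkt (the default) or tkt<suffix>.
# Returns 0 when the primary is usable, 1 otherwise.
check_dir_ccache_primary() {
    dir="$1"
    found=""
    for f in "$dir"/tkt*; do
        [ -f "$f" ] && found="$found ${f##*/}"
    done
    if [ ! -f "$dir/primary" ]; then
        # No primary file: the library falls back to the default name tkt.
        echo "no primary file in $dir; caches present:$found"
        [ -f "$dir/tkt" ] && return 0
        return 1
    fi
    primary=$(head -n 1 "$dir/primary")
    # Refuse names that would escape the collection directory.
    case "$primary" in
        ""|*/*|.*) echo "suspicious primary name '$primary' in $dir"; return 1 ;;
    esac
    if [ -f "$dir/$primary" ]; then
        echo "primary '$primary' is valid; caches present:$found"
        return 0
    fi
    echo "primary '$primary' names no cache in $dir; caches present:$found"
    return 1
}

# Constructed sample reproducing the report: primary says 'tgt' while the
# only cache present has a unique name, so tools reading the default miss it.
make_sample_collection() {
    d=$(mktemp -d)
    printf 'tgt\n' > "$d/primary"
    : > "$d/tktAbCdEf"
    echo "$d"
}

# Usage on a live session: check_dir_ccache_primary "${KRB5CCNAME#DIR:}"
```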
Created attachment 226194 [details] [review] goaidentity: move ccache creation code to own function The details of getting a ccache object to initialize are kind of hairy, and need to be made hairier to keep the primary ccache valid and available. This commit moves the current hairy code from sign_in_identity to a new helper function. A subsequent commit will improve the logic in that helper function.
Created attachment 226195 [details] [review] goaidentity: prefer default cache if no cache available This ensures we get a cache named tkt which the kerberos libraries use by default.
This seems to correct the issue for me. One open question is whether we should use g_hash_table_size (self->priv->identities) == 0 or some new function no_identity_is_currently_signed_in (self) as the predicate to decide whether to take ownership of the tkt name. The former avoids using the name if some identity is already known but expired.
Comment on attachment 226194 [details] [review] goaidentity: move ccache creation code to own function >diff --git a/src/goaidentity/goakerberosidentitymanager.c b/src/goaidentity/goakerberosidentitymanager.c >index fb67387..90241b4 100644 >--- a/src/goaidentity/goakerberosidentitymanager.c >+++ b/src/goaidentity/goakerberosidentitymanager.c >@@ -754,100 +754,111 @@ get_identity (GoaKerberosIdentityManager *self, > (GDestroyNotify) g_object_unref); > } > >+static krb5_error_code >+get_new_credentials_cache (GoaKerberosIdentityManager *self, >+ krb5_ccache *credentials_cache) Looks like a minor whitespace / alignment issue.
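Review bot: the new helper get_new_credentials_cache has no comment stating who owns the krb5_ccache it hands back through the credentials_cache out-parameter (whether the caller must krb5_cc_close it) or what it returns when no cache can be created; since the commit message calls this logic hairy and a follow-up commit will extend it, add a short comment above the definition. The continuation line `>+ krb5_ccache *credentials_cache)` also appears indented differently from the first parameter, which is the alignment issue noted in the comment.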
Please push to both master and gnome-3-6.
Attachment 226194 [details] pushed as a69c6fb - goaidentity: move ccache creation code to own function Attachment 226195 [details] pushed as 7d84943 - goaidentity: prefer default cache if no cache available