r = krb5_get_init_creds_keytab(daemon->krb5.ctx, &creds, daemon->krb5.principal,
keytab, 0, NULL, options);
if (r) {
- error = krb5_get_error_message(daemon->krb5.ctx, r);
+ switch (r) {
+ // If we could not reach the KDC, we will try again after one minute
+ case KRB5_KDC_UNREACH:
+ DEBUG(daemon->ctx, "Failed to contact the KDC. Retrying in 60 seconds...\n");
+
+ // Reset the timer
+ r = sd_event_source_set_time_relative(daemon->auth_timer, S_TO_US(60));
+ if (r < 0) {
+ ERROR(daemon->ctx, "Could not reset the auth timer: %s\n", strerror(-r));
+ goto ERROR;
+ }
- ERROR(daemon->ctx, "Could not fetch credentials: %s\n", error);
- goto ERROR;
+ // Reset r
+ r = 0;
+ goto ERROR;
+
+ // Fail for everything else
+ default:
+ error = krb5_get_error_message(daemon->krb5.ctx, r);
+
+ ERROR(daemon->ctx, "Could not fetch credentials: %s\n", error);
+ goto ERROR;
+ }
}
// Determine the end time
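Review bot: The `KRB5_KDC_UNREACH` branch reports the outage only through `DEBUG` and then returns 0, so a KDC that stays unreachable (an outage or deliberate blocking) leaves no trace at normal log levels and looks like success to the caller. I would log it at the level the `default` branch uses, `ERROR(daemon->ctx, "Failed to contact the KDC. Retrying in 60 seconds...\n");`, so repeated authentication failures can be alerted on. The retry is also unbounded at a fixed 60 seconds. The XXX comment this commit deletes further down also asked for the (re-)connection timer to be stopped once the credentials have expired, and nothing in the visible lines does that. Either keep that half of the comment as a TODO or handle expiry here; the enclosing function starts and ends outside the hunk, so expiry may already be handled elsewhere.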
goto ERROR;
}
- /*
- XXX This function needs some better error handling. In case the communication
- with the Kerberos server fails, we should reschedule a call very soon (maybe
- within a minute) and once the credentials have expired, we should stop the
- (re-)connection timer.
- */
-
ERROR:
if (error)
krb5_free_error_message(daemon->krb5.ctx, error);