In klist, display ticket server if different
authorGreg Hudson <ghudson@mit.edu>
Tue, 28 May 2019 16:02:00 +0000 (12:02 -0400)
committerGreg Hudson <ghudson@mit.edu>
Wed, 29 May 2019 16:24:37 +0000 (12:24 -0400)
If the ticket server differs from the credential server, display it as
an extra field.  This happens most commonly when the credential is
cached under the referral realm.

ticket: 8811 (new)

src/clients/klist/klist.c
src/tests/t_referral.py

index 4261ac96c18413d261747468ea6a66e8af3c0cf8..a54e378780cd6324c6222c9ae80ca4eace3871b4 100644 (file)
@@ -662,25 +662,27 @@ static void
 show_credential(krb5_creds *cred)
 {
     krb5_error_code ret;
-    krb5_ticket *tkt;
-    char *name, *sname, *flags;
+    krb5_ticket *tkt = NULL;
+    char *name = NULL, *sname = NULL, *tktsname, *flags;
     int extra_field = 0, ccol = 0, i;
+    krb5_boolean is_config = krb5_is_config_principal(context, cred->server);
 
     ret = krb5_unparse_name(context, cred->client, &name);
     if (ret) {
         com_err(progname, ret, _("while unparsing client name"));
-        return;
+        goto cleanup;
     }
     ret = krb5_unparse_name(context, cred->server, &sname);
     if (ret) {
         com_err(progname, ret, _("while unparsing server name"));
-        krb5_free_unparsed_name(context, name);
-        return;
+        goto cleanup;
     }
+    if (!is_config)
+        (void)krb5_decode_ticket(&cred->ticket, &tkt);
     if (!cred->times.starttime)
         cred->times.starttime = cred->times.authtime;
 
-    if (!krb5_is_config_principal(context, cred->server)) {
+    if (!is_config) {
         printtime(cred->times.starttime);
         putchar(' ');
         putchar(' ');
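Review bot: The `(void)krb5_decode_ticket(&cred->ticket, &tkt);` call discards its error code without a comment, so a cache entry whose ticket fails to decode is listed exactly like one whose ticket server matches the entry name. The later hunks guard on `tkt != NULL` (the `show_etype` block and the new ticket-server block), so in that case both fields are silently omitted; that appears to include the session key enctype, which is read from `cred->keyblock` and does not need the decoded ticket. I would state the intent above the call, e.g. `/* Best effort: on decode failure tkt is expected to stay NULL and ticket-derived fields are omitted. */`, and consider a `com_err()` warning so that someone inspecting a cache can tell an undecodable ticket from a normal one. The body of show_credential continues outside this hunk.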
@@ -707,7 +709,7 @@ show_credential(krb5_creds *cred)
         extra_field++;
     }
 
-    if (krb5_is_config_principal(context, cred->server))
+    if (is_config)
         print_config_data(ccol, &cred->ticket);
 
     if (cred->times.renew_till) {
@@ -737,11 +739,7 @@ show_credential(krb5_creds *cred)
         extra_field = 0;
     }
 
-    if (show_etype) {
-        ret = krb5_decode_ticket(&cred->ticket, &tkt);
-        if (ret)
-            goto err_tkt;
-
+    if (show_etype && tkt != NULL) {
         if (!extra_field)
             fputs("\t",stdout);
         else
@@ -750,10 +748,6 @@ show_credential(krb5_creds *cred)
                etype_string(cred->keyblock.enctype));
         printf("%s ", etype_string(tkt->enc_part.enctype));
         extra_field++;
-
-    err_tkt:
-        if (tkt != NULL)
-            krb5_free_ticket(context, tkt);
     }
 
     if (show_adtype) {
@@ -792,8 +786,23 @@ show_credential(krb5_creds *cred)
         }
     }
 
+    /* Display the ticket server if it is different from the server name the
+     * entry was cached under (most commonly for referrals). */
+    if (tkt != NULL &&
+        !krb5_principal_compare(context, cred->server, tkt->server)) {
+        ret = krb5_unparse_name(context, tkt->server, &tktsname);
+        if (ret) {
+            com_err(progname, ret, _("while unparsing ticket server name"));
+            goto cleanup;
+        }
+        printf(_("\tTicket server: %s\n"), tktsname);
+        krb5_free_unparsed_name(context, tktsname);
+    }
+
+cleanup:
     krb5_free_unparsed_name(context, name);
     krb5_free_unparsed_name(context, sname);
+    krb5_free_ticket(context, tkt);
 }
 
 #include "port-sockets.h"
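Review bot: `tktsname` is handled differently from the other allocations in this function: it is declared without an initializer and freed inline, while `name`, `sname` and `tkt` are NULL-initialized and released under `cleanup:`. The code is correct as written, but an early exit added later between the unparse and the inline free would leak it. Declaring `*tktsname = NULL`, dropping the inline free and adding `krb5_free_unparsed_name(context, tktsname);` under `cleanup:` would keep a single release path. The declaration sits in the first hunk of this file, and the function begins outside this hunk.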
index 2b6ed5d21e2863c3daccf5ffddb9f9b910f1af81..52313ae116714413f8a08daaf1da36b6a4c976c4 100755 (executable)
@@ -18,9 +18,9 @@ def testref(realm, nametype):
     shutil.copyfile(savefile, realm.ccache)
     realm.run(['./gcred', nametype, 'a/x.d@'])
     out = realm.run([klist]).split('\n')
-    if len(out) != 8:
+    if len(out) != 9:
         fail('unexpected number of lines in klist output')
-    if out[5].split()[4] != 'a/x.d@' or out[6].split()[4] != 'a/x.d@REFREALM':
+    if out[5].split()[4] != 'a/x.d@' or out[7].split()[4] != 'a/x.d@REFREALM':
         fail('unexpected service principals in klist output')
 
 # Get credentials and check that we get an error, not a referral.
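Review bot: Nothing in this hunk asserts the new field: the expected line count moves from 8 to 9 and the second principal check moves from `out[6]` to `out[7]`, but the content of `out[6]` is never examined. Presumably `out[6]` is now the ticket-server line for the entry cached under `a/x.d@`; a direct check would be `if 'Ticket server: a/x.d@REFREALM' not in out[6]:` followed by `fail('unexpected ticket server in klist output')`. Without it, the test would still pass if klist printed any extra line at that position. testref starts before this hunk.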