From: Greg Hudson Date: Tue, 28 May 2019 16:02:00 +0000 (-0400) Subject: In klist, display ticket server if different X-Git-Tag: krb5-1.18-beta1~123 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f174919a600ab617a881500e3ead98ba9f49c62e;p=thirdparty%2Fkrb5.git In klist, display ticket server if different If the ticket server differs from the credential server, display it as an extra field. This happens most commonly when the credential is cached under the referral realm. ticket: 8811 (new) --- diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c index 4261ac96c1..a54e378780 100644 --- a/src/clients/klist/klist.c +++ b/src/clients/klist/klist.c @@ -662,25 +662,27 @@ static void show_credential(krb5_creds *cred) { krb5_error_code ret; - krb5_ticket *tkt; - char *name, *sname, *flags; + krb5_ticket *tkt = NULL; + char *name = NULL, *sname = NULL, *tktsname, *flags; int extra_field = 0, ccol = 0, i; + krb5_boolean is_config = krb5_is_config_principal(context, cred->server); ret = krb5_unparse_name(context, cred->client, &name); if (ret) { com_err(progname, ret, _("while unparsing client name")); - return; + goto cleanup; } ret = krb5_unparse_name(context, cred->server, &sname); if (ret) { com_err(progname, ret, _("while unparsing server name")); - krb5_free_unparsed_name(context, name); - return; + goto cleanup; } + if (!is_config) + (void)krb5_decode_ticket(&cred->ticket, &tkt); if (!cred->times.starttime) cred->times.starttime = cred->times.authtime; - if (!krb5_is_config_principal(context, cred->server)) { + if (!is_config) { printtime(cred->times.starttime); putchar(' '); putchar(' '); @@ -707,7 +709,7 @@ show_credential(krb5_creds *cred) extra_field++; } - if (krb5_is_config_principal(context, cred->server)) + if (is_config) print_config_data(ccol, &cred->ticket); if (cred->times.renew_till) { 
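Review bot: The discarded result of `(void)krb5_decode_ticket(&cred->ticket, &tkt);` in the first hunk needs a comment, because the later `tkt != NULL` tests rely on a failed decode leaving tkt at its NULL initializer and nothing on the page says so. Something like `/* Best effort: if the ticket does not decode, tkt stays NULL and the fields that need it are skipped. */` would do. The call also moves ticket decoding off the show_etype path (removed in the @@ -737 hunk) and onto every non-config entry, so klist now parses ticket bytes from the cache on every listing. A ticket that fails to decode produces no diagnostic, which is worth stating in the same comment. show_credential's body continues outside the hunk.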
@@ -737,11 +739,7 @@ show_credential(krb5_creds *cred) extra_field = 0; } - if (show_etype) { - ret = krb5_decode_ticket(&cred->ticket, &tkt); - if (ret) - goto err_tkt; - + if (show_etype && tkt != NULL) { if (!extra_field) fputs("\t",stdout); else @@ -750,10 +748,6 @@ show_credential(krb5_creds *cred) etype_string(cred->keyblock.enctype)); printf("%s ", etype_string(tkt->enc_part.enctype)); extra_field++; - - err_tkt: - if (tkt != NULL) - krb5_free_ticket(context, tkt); } if (show_adtype) { @@ -792,8 +786,23 @@ show_credential(krb5_creds *cred) } } + /* Display the ticket server if it is different from the server name the + * entry was cached under (most commonly for referrals). */ + if (tkt != NULL && + !krb5_principal_compare(context, cred->server, tkt->server)) { + ret = krb5_unparse_name(context, tkt->server, &tktsname); + if (ret) { + com_err(progname, ret, _("while unparsing ticket server name")); + goto cleanup; + } + printf(_("\tTicket server: %s\n"), tktsname); + krb5_free_unparsed_name(context, tktsname); + } + +cleanup: krb5_free_unparsed_name(context, name); krb5_free_unparsed_name(context, sname); + krb5_free_ticket(context, tkt); } #include "port-sockets.h" diff --git a/src/tests/t_referral.py b/src/tests/t_referral.py index 2b6ed5d21e..52313ae116 100755 --- a/src/tests/t_referral.py +++ b/src/tests/t_referral.py @@ -18,9 +18,9 @@ def testref(realm, nametype): shutil.copyfile(savefile, realm.ccache) realm.run(['./gcred', nametype, 'a/x.d@']) out = realm.run([klist]).split('\n') - if len(out) != 8: + if len(out) != 9: fail('unexpected number of lines in klist output') - if out[5].split()[4] != 'a/x.d@' or out[6].split()[4] != 'a/x.d@REFREALM': + if out[5].split()[4] != 'a/x.d@' or out[7].split()[4] != 'a/x.d@REFREALM': fail('unexpected service principals in klist output') # Get credentials and check that we get an error, not a referral.
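Review bot: The comment above the new `Ticket server` block in the @@ -792 hunk should say where the name comes from. tkt->server is read from the decoded ticket held in the cache; as far as I can tell it sits outside enc_part, and klist does nothing here to verify it. Anyone comparing the two names should know the extra field is informational rather than authenticated, so I would add a line such as `* The name is taken from the unencrypted part of the cached ticket and is not verified here.` The `goto cleanup` on unparse failure looks right, since both names and tkt are released at the label.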
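Review bot: The updated checks in testref never look at the new line itself. The count goes from 8 to 9 and the second index moves from 6 to 7, which implies the `Ticket server:` line lands at out[6], but nothing asserts its content. Adding `if 'Ticket server: a/x.d@REFREALM' not in out[6]:` followed by `fail('unexpected ticket server in klist output')` would pin the feature rather than only its effect on line numbering. The expected principal is inferred from the commit description and the out[7] check, so confirm it against a real run. testref starts above the hunk.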