From f174919a600ab617a881500e3ead98ba9f49c62e Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Tue, 28 May 2019 12:02:00 -0400
Subject: [PATCH] In klist, display ticket server if different

If the ticket server differs from the credential server, display it as an extra field. This happens most commonly when the credential is cached under the referral realm.

ticket: 8811 (new)
---
 src/clients/klist/klist.c | 41 ++++++++++++++++++++++++---------------
 src/tests/t_referral.py | 4 ++--
 2 files changed, 27 insertions(+), 18 deletions(-)

diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
index 4261ac96c1..a54e378780 100644
--- a/src/clients/klist/klist.c
+++ b/src/clients/klist/klist.c
@@ -662,25 +662,27 @@ static void
 show_credential(krb5_creds *cred)
 {
 krb5_error_code ret;
- krb5_ticket *tkt;
- char *name, *sname, *flags;
+ krb5_ticket *tkt = NULL;
+ char *name = NULL, *sname = NULL, *tktsname, *flags;
 int extra_field = 0, ccol = 0, i;
+ krb5_boolean is_config = krb5_is_config_principal(context, cred->server);
 ret = krb5_unparse_name(context, cred->client, &name);
 if (ret) {
 com_err(progname, ret, _("while unparsing client name"));
- return;
+ goto cleanup;
 }
 ret = krb5_unparse_name(context, cred->server, &sname);
 if (ret) {
 com_err(progname, ret, _("while unparsing server name"));
- krb5_free_unparsed_name(context, name);
- return;
+ goto cleanup;
 }
+ if (!is_config)
+ (void)krb5_decode_ticket(&cred->ticket, &tkt);
 if (!cred->times.starttime)
 cred->times.starttime = cred->times.authtime;
- if (!krb5_is_config_principal(context, cred->server)) {
+ if (!is_config) {
 printtime(cred->times.starttime);
 putchar(' ');
 putchar(' ');
@@ -707,7 +709,7 @@ show_credential(krb5_creds *cred)
 extra_field++;
 }
- if (krb5_is_config_principal(context, cred->server))
+ if (is_config)
 print_config_data(ccol, &cred->ticket);
 if (cred->times.renew_till) {
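Review bot: In the `@@ -662,25 +662,27 @@` hunk, `(void)krb5_decode_ticket(&cred->ticket, &tkt);` discards the decode error, so a non-config cache entry whose ticket field is malformed or truncated is listed like any other entry, only without the etype and ticket-server fields; the later `show_etype && tkt != NULL` hunk skips the etype output just as silently. For a tool people use to inspect a credential cache, that hides a corrupt or altered entry. Either keep the return code and report it, `ret = krb5_decode_ticket(&cred->ticket, &tkt);` followed by `if (ret) com_err(progname, ret, _("while decoding ticket"));`, or, if entries with an undecodable ticket are expected here, add a comment beside the cast saying why the failure is ignored. show_credential's body continues past the end of this hunk.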
@@ -737,11 +739,7 @@ show_credential(krb5_creds *cred)
 extra_field = 0;
 }
- if (show_etype) {
- ret = krb5_decode_ticket(&cred->ticket, &tkt);
- if (ret)
- goto err_tkt;
-
+ if (show_etype && tkt != NULL) {
 if (!extra_field)
 fputs("\t",stdout);
 else
@@ -750,10 +748,6 @@ show_credential(krb5_creds *cred)
 etype_string(cred->keyblock.enctype));
 printf("%s ", etype_string(tkt->enc_part.enctype));
 extra_field++;
-
- err_tkt:
- if (tkt != NULL)
- krb5_free_ticket(context, tkt);
 }
 if (show_adtype) {
@@ -792,8 +786,23 @@ show_credential(krb5_creds *cred)
 }
 }
+ /* Display the ticket server if it is different from the server name the
+ * entry was cached under (most commonly for referrals). */
+ if (tkt != NULL &&
+ !krb5_principal_compare(context, cred->server, tkt->server)) {
+ ret = krb5_unparse_name(context, tkt->server, &tktsname);
+ if (ret) {
+ com_err(progname, ret, _("while unparsing ticket server name"));
+ goto cleanup;
+ }
+ printf(_("\tTicket server: %s\n"), tktsname);
+ krb5_free_unparsed_name(context, tktsname);
+ }
+
+cleanup:
 krb5_free_unparsed_name(context, name);
 krb5_free_unparsed_name(context, sname);
+ krb5_free_ticket(context, tkt);
 }
 #include "port-sockets.h"
diff --git a/src/tests/t_referral.py b/src/tests/t_referral.py
index 2b6ed5d21e..52313ae116 100755
--- a/src/tests/t_referral.py
+++ b/src/tests/t_referral.py
@@ -18,9 +18,9 @@ def testref(realm, nametype):
 shutil.copyfile(savefile, realm.ccache)
 realm.run(['./gcred', nametype, 'a/x.d@'])
 out = realm.run([klist]).split('\n')
- if len(out) != 8:
+ if len(out) != 9:
 fail('unexpected number of lines in klist output')
- if out[5].split()[4] != 'a/x.d@' or out[7].split()[4] != 'a/x.d@REFREALM':
+ if out[5].split()[4] != 'a/x.d@' or out[7].split()[4] != 'a/x.d@REFREALM':
 fail('unexpected service principals in klist output')
 # Get credentials and check that we get an error, not a referral.
--
2.47.2
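Review bot: The comment added in the `@@ -792,8 +786,23 @@` hunk should say where `tkt->server` comes from: it is read from the outer ticket structure that krb5_decode_ticket() returns, and nothing visible in this function decrypts or verifies the ticket, so the printed name is simply what the cache holds. A reader of klist output may otherwise take `Ticket server:` for a checked value. I would extend the comment with `The name is taken from the unencrypted part of the cached ticket and is not verified; it is shown for information only.` show_credential starts before this hunk.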
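Review bot: The updated checks in testref() only confirm that klist printed one more line; nothing asserts what the new line `out[6]` contains, so the test would still pass if the field were empty or named the wrong principal. Given that the second entry is `a/x.d@REFREALM`, the added line is presumably `Ticket server: a/x.d@REFREALM`; a check such as `if 'Ticket server: a/x.d@REFREALM' not in out[6]:` followed by `fail('unexpected ticket server in klist output')` would pin that down. testref() starts before the hunk.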