Add default_ccache_name profile variable

Like default_keytab_name and default_client_keytab_name,
default_ccache_name is subject to parameter expansion.

ticket: 7220 (new)

diff --git a/doc/rst_source/conf.py b/doc/rst_source/conf.py
index c5534ab74fe9102385eb201a361ad4dc7c417310..c4203a24cba50b2854fadc7525e20bfe82ce7e5f 100644 (file)
--- a/doc/rst_source/conf.py
+++ b/doc/rst_source/conf.py
@@ -233,6 +233,7 @@ rst_epilog += '.. |libdir| replace:: %s\n' % libdir
 rst_epilog += '.. |kdcdir| replace:: %s\\ ``/krb5kdc``\n' % localstatedir
 rst_epilog += '.. |sysconfdir| replace:: %s\n' % sysconfdir
 rst_epilog += '''
+.. |ccache| replace:: ``/tmp/krb5cc_<uid>``
 .. |clkeytab| replace:: ``/etc/krb5.client-keytab``
 .. |keytab| replace:: ``/etc/krb5.keytab``
 .. |krb5conf| replace:: ``/etc/krb5.conf``

diff --git a/doc/rst_source/krb_admins/conf_files/krb5_conf.rst b/doc/rst_source/krb_admins/conf_files/krb5_conf.rst
index d9c3ffbd75f2b0659b109bfa421a31cae62d8a36..26a8818f39ea7678def2a0dad0a03a5e330d8064 100644 (file)
--- a/doc/rst_source/krb_admins/conf_files/krb5_conf.rst
+++ b/doc/rst_source/krb_admins/conf_files/krb5_conf.rst
@@ -134,6 +134,11 @@ The libdefaults section may contain any of the following relations:
     library will tolerate before assuming that a Kerberos message is
     invalid.  The default value is 300 seconds, or five minutes.
 
+**default_ccache_name**
+    This relation specifies the name of the default credential cache.
+    The default is |ccache|.  This relation is subject to parameter
+    expansion (see below).
+
 **default_client_keytab_name**
     This relation specifies the name of the default keytab for
     obtaining client credentials.  The default is |clkeytab|.  This

diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 6c539e8f45d716e385689e22598fe21d0dba081f..86fe65055d228b476f7258e00239b2f16d35399c 100644 (file)
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -198,6 +198,7 @@ typedef INT64_TYPE krb5_int64;
 #define KRB5_CONF_DB_MODULE_DIR                  "db_module_dir"
 #define KRB5_CONF_DEFAULT                        "default"
 #define KRB5_CONF_DEFAULT_REALM                  "default_realm"
+#define KRB5_CONF_DEFAULT_CCACHE_NAME            "default_ccache_name"
 #define KRB5_CONF_DEFAULT_CLIENT_KEYTAB_NAME     "default_client_keytab_name"
 #define KRB5_CONF_DEFAULT_DOMAIN                 "default_domain"
 #define KRB5_CONF_DEFAULT_TKT_ENCTYPES           "default_tkt_enctypes"

diff --git a/src/lib/krb5/os/ccdefname.c b/src/lib/krb5/os/ccdefname.c
index 56e7af86399d3f9cbfc9171e1d0a5569d20b34df..cb9bb7c9384917151ff7f9bf3b653c4bfb69188b 100644 (file)
--- a/src/lib/krb5/os/ccdefname.c
+++ b/src/lib/krb5/os/ccdefname.c
@@ -26,6 +26,7 @@
 
 #define NEED_WINDOWS
 #include "k5-int.h"
+#include "os-proto.h"
 #include <stdio.h>
 
 #if defined(_WIN32)
@@ -290,7 +291,7 @@ const char * KRB5_CALLCONV
 krb5_cc_default_name(krb5_context context)
 {
     krb5_os_context os_ctx;
-    char *envstr;
+    char *profstr, *envstr;
 
     if (!context || context->magic != KV5M_CONTEXT)
         return NULL;
@@ -306,6 +307,14 @@ krb5_cc_default_name(krb5_context context)
         return os_ctx->default_ccname;
     }
 
+    if (profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
+                           KRB5_CONF_DEFAULT_CCACHE_NAME, NULL, NULL,
+                           &profstr) == 0 && profstr != NULL) {
+        (void)k5_expand_path_tokens(context, profstr, &os_ctx->default_ccname);
+        profile_release_string(profstr);
+        return os_ctx->default_ccname;
+    }
+
     /* Fall back on the default ccache name for the OS. */
     get_from_os(context);
     return os_ctx->default_ccname;

diff --git a/src/tests/t_ccache.py b/src/tests/t_ccache.py
index 8dac0ecad23beec0c9e4b79aa2baada3a7078f21..e85d009dde127fa3c48ce08eb5b5d4539bfa583c 100644 (file)
--- a/src/tests/t_ccache.py
+++ b/src/tests/t_ccache.py
@@ -78,4 +78,15 @@ output = realm.run_as_client([klist, '-l'], expected_code=1)
 if not output.endswith('---\n') or output.count('\n') != 2:
     fail('kdestroy -a failed to empty cache collection.')
 
+# Test parameter expansion in default_ccache_name
+realm.stop()
+conf = {'client': {'libdefaults': {
+            'default_ccache_name': 'testdir/%{null}abc%{uid}'}}}
+realm = K5Realm(krb5_conf=conf, create_kdb=False)
+del realm.env_client['KRB5CCNAME']
+uidstr = str(os.getuid())
+out = realm.run_as_client([klist], expected_code=1)
+if 'FILE:testdir/abc%s' % uidstr not in out:
+    fail('Wrong ccache in klist')
+
 success('Credential cache tests')