From 6cce5018d687c467ff59687dbad9709b475f94f4 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Nov 25 2020 08:14:10 +0000
Subject: Refresh-manually-acquired-creds-from-client-keytab.patch


patch_name: Refresh-manually-acquired-creds-from-client-keytab.patch
present_in_specfile: true
location_in_specfile: 10

---

diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index acc1868..4062f47 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -557,15 +557,23 @@ set_refresh_time(krb5_context context, krb5_ccache ccache,
 krb5_boolean
 kg_cred_time_to_refresh(krb5_context context, krb5_gss_cred_id_rec *cred)
 {
-    krb5_timestamp now;
+    krb5_timestamp now, soon;
 
     if (krb5_timeofday(context, &now))
         return FALSE;
+    soon = ts_incr(now, 30);
     if (cred->refresh_time != 0 && !ts_after(cred->refresh_time, now)) {
-        set_refresh_time(context, cred->ccache,
-                         ts_incr(cred->refresh_time, 30));
+        set_refresh_time(context, cred->ccache, soon);
         return TRUE;
     }
+
+    /* If the creds will expire soon, try to refresh even if they weren't
+     * acquired with a client keytab. */
+    if (ts_after(soon, cred->expire)) {
+        set_refresh_time(context, cred->ccache, soon);
+        return TRUE;
+    }
+
     return FALSE;
 }
 
diff --git a/src/tests/gssapi/t_client_keytab.py b/src/tests/gssapi/t_client_keytab.py
index e474a27..7847b3e 100755
--- a/src/tests/gssapi/t_client_keytab.py
+++ b/src/tests/gssapi/t_client_keytab.py
@@ -124,4 +124,22 @@ realm.kinit(realm.user_princ, password('user'))
 realm.run(['./t_ccselect', phost], env=bad_cktname,
           expected_msg=realm.user_princ)
 
+mark('refresh of manually acquired creds')
+
+# Test 17: no name/ccache specified, manually acquired creds which
+# will expire soon.  Verify that creds are refreshed using the current
+# client name, with refresh_time set in the refreshed ccache.
+realm.kinit('bob', password('bob'), ['-l', '15s'])
+realm.run(['./t_ccselect', phost], expected_msg='bob')
+realm.run([klist, '-C'], expected_msg='refresh_time = ')
+
+# Test 18: no name/ccache specified, manually acquired creds with a
+# client principal not present in the client keytab.  A refresh is
+# attempted but fails, and an expired ticket error results.
+realm.kinit(realm.admin_princ, password('admin'), ['-l', '-1s'])
+msgs = ('Getting initial credentials for user/admin@KRBTEST.COM',
+        '/Matching credential not found')
+realm.run(['./t_ccselect', phost], expected_code=1,
+          expected_msg='Ticket expired', expected_trace=msgs)
+
 success('Client keytab tests')