ticket: 6838

version_fixed: 1.9 status: resolved pull up r24566 from trunk ------------------------------------------------------------------------ r24566 | ghudson | 2010-12-14 12:28:38 -0500 (Tue, 14 Dec 2010) | 9 lines ticket: 6838 tags: pullups target_version: 1.9 Fix a regression in the client-side ticket renewal code where KDC options were not folded into the renewal request (most notably, the KDC_OPT_RENEWABLE flag), so we didn't request renewable renewed tickets. Add a simple test case for ticket renewal. git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24570 dc483132-0cff-0310-8789-dd5450dbe970
aadamowski · Dec 14, 2010 · 3074a10 · 3074a10
1 parent ebdc78b
commit 3074a10
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 1 deletion.
diff --git a/src/lib/krb5/krb/val_renew.c b/src/lib/krb5/krb/val_renew.c
@@ -59,7 +59,10 @@ get_new_creds(krb5_context context, krb5_ccache ccache, krb5_creds *in_creds,
     if (code != 0)
 	return code;
 
-    /* Use it to get a new credential from the KDC. */
+    /* Use KDC options from old credential as well as requested options. */
+    kdcopt |= (old_creds.ticket_flags & KDC_TKT_COMMON_MASK);
+
+    /* Use the old credential to get a new credential from the KDC. */
     code = krb5_get_cred_via_tkt(context, &old_creds, kdcopt,
 				 old_creds.addresses, in_creds, &new_creds);
     krb5_free_cred_contents(context, &old_creds);

diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
@@ -66,6 +66,7 @@ check-pytests::
 	$(RUNPYTEST) $(srcdir)/t_lockout.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_kadm5_hook.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_keyrollover.py $(PYTESTFLAGS)
+	$(RUNPYTEST) $(srcdir)/t_renew.py $(PYTESTFLAGS)
 
 clean::
 	$(RM) kdc.conf

diff --git a/src/tests/t_renew.py b/src/tests/t_renew.py
@@ -0,0 +1,16 @@
+#!/usr/bin/python
+from k5test import *
+
+realm = K5Realm(create_host=False, start_kadmind=False, get_creds=False)
+
+# Configure the realm to allow renewable tickets and acquire some.
+realm.run_kadminl('modprinc -maxrenewlife "2 days" user')
+realm.run_kadminl('modprinc -maxrenewlife "2 days" %s' % realm.krbtgt_princ)
+realm.kinit(realm.user_princ, password('user'), flags=['-r', '2d'])
+
+# Renew twice, to test that renewed tickets are renewable.
+realm.kinit(realm.user_princ, flags=['-R'])
+realm.kinit(realm.user_princ, flags=['-R'])
+realm.klist(realm.user_princ)
+
+success('Renewing credentials.')