lib/krb5_wrap: implement krb5_cc_get_lifetime for MIT Kerberos
authorAlexander Bokovoy <ab@samba.org>
Wed, 9 May 2012 21:00:03 +0000 (00:00 +0300)
committerAlexander Bokovoy <ab@samba.org>
Wed, 23 May 2012 14:51:49 +0000 (17:51 +0300)
In case krb5_cc_get_lifetime is not available, iterate over the
existing tickets in the credential cache, find the one marked as
TKT_FLG_INITIAL, and use its lifetime. This is how it is implemented in
Heimdal and how it was suggested to be done by MIT Kerberos developers.

lib/krb5_wrap/krb5_samba.c

index 16c690108ff32cd4d1b04465cbd08b59b6f9eb1b..572d39ebf5ab7cfc0afa469510ad3ccee1cc6675 100644 (file)
@@ -2144,34 +2144,37 @@ krb5_error_code smb_krb5_cc_get_lifetime(krb5_context context,
                                         krb5_ccache id,
                                         time_t *t)
 {
-       krb5_error_code rc;
-       krb5_creds mcreds;
-       krb5_creds creds;
+       krb5_cc_cursor cursor;
+       krb5_error_code kerr;
+       krb5_creds cred;
        krb5_timestamp now;
 
-       ZERO_STRUCT(mcreds);
-
-       mcreds.ticket_flags = TKT_FLG_INITIAL;
+       *t = 0;
 
-       rc = krb5_cc_retrieve_cred(context,
-                                  id,
-                                  KRB5_TC_MATCH_FLAGS,
-                                  &mcreds,
-                                  &creds);
-       if (rc != 0) {
-               return rc;
+       kerr = krb5_timeofday(context, &now);
+       if (kerr) {
+               return kerr;
        }
 
-       rc = krb5_timeofday(context, &now);
-       if (rc != 0) {
-               return rc;
+       kerr = krb5_cc_start_seq_get(context, id, &cursor);
+       if (kerr) {
+               return kerr;
        }
 
-       *t = (time_t) (creds.times.endtime - now);
+       while ((kerr = krb5_cc_next_cred(context, id, &cursor, &cred)) == 0) {
+               if (cred.ticket_flags & TKT_FLG_INITIAL) {
+                       if (now < cred.times.endtime) {
+                               *t = (time_t) (cred.times.endtime - now);
+                       }
+                       krb5_free_cred_contents(context, &cred);
+                       break;
+               }
+               krb5_free_cred_contents(context, &cred);
+       }
 
-       krb5_free_creds(context, &creds);
+       krb5_cc_end_seq_get(context, id, &cursor);
 
-       return 0;
+       return kerr;
 }
 #endif /* HAVE_KRB5_CC_GET_LIFETIME */
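Review bot: The final `return kerr;` hands back whatever ended the loop, so a cache with no TKT_FLG_INITIAL entry returns the end-of-iteration code from krb5_cc_next_cred (KRB5_CC_END in MIT) rather than 0, while an expired initial ticket returns 0 with `*t == 0`; nothing in the function tells callers which of these to expect. I would add a comment above the return such as `/* 0: initial ticket found (*t == 0 means expired); otherwise the krb5_cc_next_cred error, KRB5_CC_END if no initial ticket exists */`. The loop also stops at the first credential carrying the flag without looking at `cred.server`, so if a cache can hold an initial ticket for a service other than the TGT, that ticket's end time would be reported; this may be acceptable, but it deserves a sentence in the same comment. The result of `krb5_cc_end_seq_get` is discarded, and the first line of the function signature is visible only in the hunk header.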