/*___INFO__MARK_BEGIN__*/
/*************************************************************************
* The Contents of this file are made available subject to the terms of
* the Sun Industry Standards Source License Version 1.2
* Sun Microsystems Inc., March, 2001
* Sun Industry Standards Source License Version 1.2
* =================================================
* The contents of this file are subject to the Sun Industry Standards
* Source License Version 1.2 (the "License"); You may not use this file
* except in compliance with the License. You may obtain a copy of the
* License at http://gridengine.sunsource.net/Gridengine_SISSL_license.html
* Software provided under this License is provided on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING,
* WITHOUT LIMITATION, WARRANTIES THAT THE SOFTWARE IS FREE OF DEFECTS,
* MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE, OR NON-INFRINGING.
* See the License for the specific provisions governing your rights and
* obligations concerning the Software.
* The Initial Developer of the Original Code is: Sun Microsystems, Inc.
* Copyright: 2001 by Sun Microsystems, Inc.
* All Rights Reserved.
************************************************************************/
/*___INFO__MARK_END__*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include "basis_types.h"
#include "sge_all_listsL.h"
#include "sge_uidgid.h"
#include "krb5.h" /* Kerberos stuff */
/*
 * krb_renew_tgts - Renew TGTs on behalf of the job client. For each job,
 * this routine gets the encrypted TGT out of the job entry, decrypts it
 * with the daemon key, and checks whether the TGT needs renewing. If it
 * does, it renews the TGT, re-encrypts it, and stores the new TGT back
 * into the job entry. When called by the execd, it also stores the new
 * TGT in the credentials cache of the job owner. This routine is executed
 * in both the qmaster and the execd.
 */
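/*
 * Reduce a ticket's flag word to the bits selected by KDC_TKT_COMMON_MASK.
 * This file ORs the result with KDC_OPT_RENEW to form the option word for
 * the renewal request. The argument is parenthesized so that an expression
 * argument (for example `a | b`) is masked as a whole instead of being
 * split by operator precedence.
 */
#define FLAGS2OPTS(flags) ((flags) & KDC_TKT_COMMON_MASK)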
static u_long32 next_time = 0;
u_long32 now = sge_get_gmt();
krb5_context context = krb_context();
krb5_timestamp time_now;
krb_global_data_t *gsd = krb_gsd();
DENTER(TOP_LAYER, "krb_renew_tgts");
if ((now = sge_get_gmt())<next_time) {
if ((rc = krb5_timeofday(context, &time_now))) {
ERROR((SGE_EVENT, MSG_KRB_KRB5TIMEOFDAYFAILEDX_S ,
/* renew job TGT's */
for_each(job, joblist) {
krb5_creds ** tgt_creds = NULL;
const char *tgtstr = NULL;
/* get TGT out of job entry */
if ((tgtstr = lGetString(job, JB_tgt))) {
tgtbuf.data = krb_str2bin(tgtstr, NULL, &tgtbuf.length);
/* decrypt the TGT using the daemon key */
if ((rc = krb_decrypt_tgt_creds(&tgtbuf, &tgt_creds))) {
ERROR((SGE_EVENT, MSG_KRB_COULDNOTDECRYPTTGTFORJOBXY_DS,
sge_u32c(lGetUlong(job, JB_job_number)),
if (rc == 0 && tgt_creds) {
krb5_creds *tgt = *tgt_creds;
/*
 * If the TGT is renewable, its expiration time has not passed and is
 * within the SGE renewal threshold, and its renewal period has not
 * passed, then renew the TGT.
 */
if (tgt->ticket_flags & KDC_OPT_RENEWABLE &&
tgt->times.endtime > time_now &&
tgt->times.renew_till > time_now &&
tgt->times.endtime < time_now + gsd->tgt_renew_threshold) {
krb5_creds *new_creds[2];
memset(new_creds, 0, sizeof(new_creds));
memset(&creds, 0 ,sizeof(creds));
if (((rc = krb5_copy_principal(context, (*tgt_creds)->server,
((rc = krb5_copy_principal(context, (*tgt_creds)->client,
((rc = krb5_get_cred_via_tkt(context, tgt,
FLAGS2OPTS(tgt->ticket_flags)|KDC_OPT_RENEW,
tgt->addresses, &creds, &new_creds[0])))) {
ERROR((SGE_EVENT, MSG_KRB_COULDNOTRENEWTGTFORJOBXY_DS,
sge_u32c(lGetUlong(job, JB_job_number)),
krb5_free_cred_contents(context, &creds);
/* store the new TGT back into the job entry */
if ((rc = krb_encrypt_tgt_creds(new_creds, &outbuf))) {
ERROR((SGE_EVENT, MSG_KRB_COULDNOTECRYPTTGTFORJOBXY_DS,
sge_u32c(lGetUlong(job, JB_job_number)),
lSetString(job, JB_tgt,
krb_bin2str(outbuf.data, outbuf.length, NULL));
/* if we are called by the execd, also store the
new TGT in the credentials cache of the user */
if (!strcmp(prognames[EXECD], gsd->progname)) {
int retries = MAX_NIS_RETRIES;
struct passwd *pw = NULL;
while (retries-- && !pw)
pw = getpwnam(lGetString(job, JB_owner));
if ((krb_store_forwarded_tgt(pw->pw_uid,
lGetUlong(job, JB_job_number),
ERROR((SGE_EVENT, MSG_KRB_COULDNOTSTORERENEWEDTGTFORXJOBY_SD,
lGetString(job, JB_owner),
sge_u32c(lGetUlong(job, JB_job_number))));
ERROR((SGE_EVENT, MSG_KRB_COULDNOTGETUSERIDFORXY_SD , lGetString(job, JB_owner),
sge_u32c(lGetUlong(job, JB_job_number))));
krb5_xfree(outbuf.data);
if (!mconf_get_simulate_jobs()) {
job_write_spool_file(job, 0, NULL, SPOOL_DEFAULT);;
krb5_free_creds(context, new_creds[0]);
krb5_xfree(tgtbuf.data);
krb5_free_tgt_creds(context, tgt_creds);
next_time = now + gsd->tgt_renew_interval;