static const char *renew_life = NULL;
static const char *ticket_life = NULL;
+int disallow_getting_krbtgt = -1;
int name_constraints = -1;
static int help_flag;
"name-constraints", 'n', arg_negative_flag, &name_constraints,
"disable credentials cache name constraints"
},
+ {
+ "disallow-getting-krbtgt", 0, arg_flag, &disallow_getting_krbtgt,
+ "disable fetching krbtgt from the cache"
+ },
{
"renewable-life", 'r', arg_string, &renew_life,
"renewable lifetime of system tickets", "time"
ccache->mode = mode;
}
+ if (disallow_getting_krbtgt == -1) {
+ disallow_getting_krbtgt =
+ krb5_config_get_bool_default(kcm_context, NULL, FALSE, "kcm",
+ "disallow-getting-krbtgt", NULL);
+ }
+
/* enqueue default actions for credentials cache */
ret = kcm_ccache_enqueue_default(kcm_context, ccache, NULL);
return ret;
}
+ if (disallow_getting_krbtgt &&
+ mcreds.client->name.name_string.len == 2 &&
+ strcmp(mcreds.client->name.name_string.val[0], KRB5_TGS_NAME) == 0)
+ {
+ free(name);
+ krb5_free_creds_contents(context, &mcreds);
+ return KRB5_FCC_PERM;
+ }
+
ret = kcm_ccache_resolve_client(context, client, opcode,
name, &ccache);
if (ret) {
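Review bot: The new guard on lines 28–30 inspects `mcreds.client`, but the krbtgt service name (`KRB5_TGS_NAME`/REALM) is carried in the server principal of a ticket, not the client, so an ordinary retrieval of a user's TGT (client `user@REALM`, server `krbtgt/REALM@REALM`) passes this filter and the option does not achieve the "disable fetching krbtgt" it advertises; unless the intent really is to filter requests made on behalf of a krbtgt client principal, this should read `mcreds.server->name.name_string.len == 2 &&` and `strcmp(mcreds.server->name.name_string.val[0], KRB5_TGS_NAME) == 0)`. It would also be safer to add a NULL check on the principal before dereferencing (`mcreds.server != NULL &&`), since whether the decoder guarantees a non-NULL principal here is not visible in the hunk. The cleanup on the rejection path (free of `name` and `krb5_free_creds_contents`) mirrors what follows and looks correct, but the enclosing function begins before this hunk so any earlier allocations it made cannot be verified from here.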