KRB5CCNAME fixes.

Always pass KRB5CCNAME to became.  Though many vendors' sudo
configurations will retain it in the environment there is no guarantee
that will happen.
Canonicalise KRB5CCNAME which may sometimes be set to a file path
without the FILE: prefix, eg by krenew.

diff --git a/.profile.d/krb5.bashrc b/.profile.d/krb5.bashrc
index 4c5f71d..9c56dda 100644 (file)
--- a/.profile.d/krb5.bashrc
+++ b/.profile.d/krb5.bashrc
@@ -4,6 +4,11 @@ alias pssh='ssh -o preferredauthentications=password,keyboard-interactive'
 unalias kinit 2>/dev/null
 if [ 1 = 0 -a -z "$OLDSOLARIS" -a -z "$OLDREDHAT" ]; then
   if [ -t 0 ]; then
+    # Canonicalise the cache name.
+    if [ -n "$KRB5CCNAME" -a "${KRB5CCNAME##*:}" = "$KRB5CCNAME" ]; then
+      export KRB5CCNAME="FILE:$KRB5CCNAME"
+    fi
+
     if [ ! "$SUDO_UID" ]; then
       if klist -s 2>/dev/null; then
         # We already have a ticket cache.  Renew it.

diff --git a/opt/bin/become b/opt/bin/become
index e874ae5..f39fc49 100755 (executable)
--- a/opt/bin/become
+++ b/opt/bin/become
@@ -53,6 +53,7 @@ if exec 3>"$file" && exec <"$file" && rm "$file"; then
     if [ $kerberos = 1 ]; then
       ccname=$(klist 2>/dev/null | sed -n 's/^Ticket cache: FILE://p')
       if [ -f "$ccname" ]; then
+        echo >&3 "export KRB5CCNAME='$KRB5CCNAME'"
         openssl=$(find_working openssl)
         if [ -n "$openssl" ]; then
           echo >&3 "KRB5OPENSSL='$openssl'"