Handle Kerberos credentials when becoming users other than root.

[profile.git] / .profile.d / krb5.bashrc

diff --git a/.profile.d/krb5.bashrc b/.profile.d/krb5.bashrc
index b5e50fb..973101f 100644 (file)
--- a/.profile.d/krb5.bashrc
+++ b/.profile.d/krb5.bashrc
@@ -3,7 +3,7 @@ alias pssh='ssh -o preferredauthentications=password,keyboard-interactive'
 
 if [ -z "$OLDSOLARIS" -a -z "$OLDREDHAT" ]; then
   if tty -s; then
-    if [ $UID -gt 0 ]; then
+    if [ ! "$SUDO_UID" ]; then
       if klist -s 2>/dev/null; then
         # We already have a ticket cache.  Renew it.
         kinit -R &>/dev/null
@@ -55,14 +55,21 @@ if [ -z "$OLDSOLARIS" -a -z "$OLDREDHAT" ]; then
         # By now we should have found a cache if there's one to find.
         klist -s 2>/dev/null || kinit
       fi
-    elif [ -n "$KRB5CCNAME" ]; then
+    elif [ ! -z "$KRB5CCNAME" ]; then
       # Don't break permissions of inherited cache under sudo.
       cache="${KRB5CCNAME##FILE:}"
       if [ ! "$cache" = "$KRB5CCNAME" ]; then
         ccname="${cache/_$SUDO_UID/_sudo_$SUDO_UID}_$$"
-        cat "$cache" > "$ccname"
         export KRB5CCNAME="FILE:$ccname"
-        klist -s 2>/dev/null && kinit -R 2>/dev/null || kinit
+        if cat "$cache" > "$ccname" 2>/dev/null; then
+          klist -s 2>/dev/null && kinit -R 2>/dev/null || kinit $PRINCIPAL
+        else
+          # XXX: Don't kinit every time if we aren't root.
+          # TODO: Split the "set my cache" and "get my credentials" parts so
+          #       that becoming a user other than root will work without
+          #       extraneous kinits.
+          rm "$ccname" 2>/dev/null
+        fi
         trap "kdestroy 2>/dev/null" EXIT
       fi
     fi