in auth/kerberos/src/krb.cpp [498:561]
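/// @brief Re-create the gMSA Kerberos ticket described by @p krb_ticket, retrying once after
///        refreshing the underlying user ticket when running in domainless mode.
///
/// The gMSA password can only be fetched over LDAP with a valid machine/user Kerberos
/// ticket. If the first fetch fails and the ticket was created in domainless mode (i.e.
/// `krb_ticket->domainless_user` matches @p username), a fresh user ticket is generated from
/// the supplied credentials and the fetch is attempted one more time. Outside domainless mode
/// there are no credentials to refresh with, so a failed fetch is not retried.
///
/// @param krb_ticket   Ticket metadata; `krb_file_path`, `domain_name`, `service_account_name`
///                     and `domainless_user` are read. A null pointer is logged and rejected.
/// @param domain_name  Domain used for the user-ticket refresh (the gMSA fetch itself uses
///                     `krb_ticket->domain_name`).
/// @param username     User whose credentials may be used for the refresh.
/// @param password     Secret for @p username. It is forwarded to the refresh helper only and
///                     never written to the logger or to stderr by this function.
/// @param cf_logger    Sink for warning/error messages.
/// @return The credential-cache path (`krb_ticket->krb_file_path`) when the gMSA ticket was
///         created, or an empty string when every attempt failed or @p krb_ticket is null.
std::string renew_gmsa_ticket( krb_ticket_info_t* krb_ticket, std::string domain_name,
                               std::string username, std::string password, CF_logger& cf_logger )
{
    // Why two: attempt 0 uses whatever ticket is already in the cache; attempt 1 runs only
    // after a user-ticket refresh in domainless mode. More attempts would not change the
    // inputs, so they would only repeat the same failure.
    constexpr int kMaxAttempts = 2;

    std::string renewed_krb_ticket_path;
    std::string log_message;

    // Guard the dereferences below; returning empty is the same failure signal the
    // caller already handles for a fetch that never succeeds.
    if ( krb_ticket == nullptr )
    {
        cf_logger.logger( LOG_ERR, "ERROR: renew_gmsa_ticket called with a null krb_ticket" );
        return renewed_krb_ticket_path;
    }

    const std::string krb_cc_name = krb_ticket->krb_file_path;

    for ( int attempt = 0; attempt < kMaxAttempts; attempt++ )
    {
        // first == 0 means the gMSA password was fetched and the ticket written to krb_cc_name.
        const std::pair<int, std::string> gmsa_ticket_result =
            fetch_gmsa_password_and_create_krb_ticket( krb_ticket->domain_name, krb_ticket,
                                                       krb_cc_name, cf_logger );
        if ( gmsa_ticket_result.first == 0 )
        {
            renewed_krb_ticket_path = krb_cc_name;
            break;
        }

        if ( attempt == 0 )
        {
            // The first failure is expected when the user/machine ticket has expired; it is
            // only a warning because a refresh + retry may still follow below.
            log_message = "WARNING: Cannot get gMSA krb ticket because of expired user/machine "
                          "ticket, will be retried automatically, service_account_name = " +
                          krb_ticket->service_account_name;
            cf_logger.logger( LOG_WARNING, log_message.c_str() );
        }
        else
        {
            log_message = "ERROR: Cannot get gMSA krb ticket using account " +
                          krb_ticket->service_account_name;
            cf_logger.logger( LOG_ERR, log_message.c_str() );
            // NOTE(review): the stderr line deliberately(?) omits the account name that the
            // logger line carries — confirm whether that asymmetry is intended.
            std::cerr << Util::getCurrentTime() << '\t'
                      << "ERROR: Cannot get gMSA krb ticket using account" << std::endl;
        }

        // Only a ticket created in domainless mode comes with user credentials that can
        // refresh the underlying user ticket; otherwise nothing more can be done here.
        const std::string& domainless_user = krb_ticket->domainless_user;
        if ( domainless_user.empty() || domainless_user != username )
        {
            break;
        }

        // A negative first is the helper's failure signal (see the check below); the fetch
        // is still retried afterwards, matching the original behaviour, since the refresh
        // may have partially succeeded or the earlier failure may have been transient.
        const std::pair<int, std::string> status =
            Util::generate_krb_ticket_using_username_and_password( domain_name, username,
                                                                   password, cf_logger );
        if ( status.first < 0 )
        {
            log_message =
                "ERROR " + std::to_string( status.first ) + ": Cannot get user krb ticket";
            cf_logger.logger( LOG_ERR, log_message.c_str() );
            std::cerr << Util::getCurrentTime() << '\t'
                      << "ERROR: Cannot get user krb ticket" << std::endl;
        }
    }

    return renewed_krb_ticket_path;
}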