
The server_renew_identity Routine

The server_renew_identity( ) routine makes sure that the server's credentials are valid.

/******
*
* server_renew_identity -- Make sure that credentials are still valid, and
*                          renew them if they are not.
*
*
* This routine is called (with the current credentials) whenever a task
* is about to be attempted that requires valid credentials. For an
* example, see the cleanup code in "main()" above. A valid credential will
* nevertheless be considered invalid if it will expire within time_left
* seconds. This gives a margin of time between the validity check that
* occurs here and the actual use of the credential.
*
* Called from main() (but can be called from elsewhere).
*
******/

void server_renew_identity(
    unsigned_char_p_t  prin_name,      /* Server's principal name.          */
    sec_login_handle_t login_context,  /* Server's login context.           */
    unsigned_char_p_t  keytab,         /* Local key file.                   */
    unsigned32         time_left,      /* Amount of "margin" -- see above.  */
    unsigned32         *status)        /* To return status.                 */
{
    signed32             expiration;
    time_t               current_time;
    sec_passwd_rec_t     *keydata;
    sec_login_auth_src_t auth_src;
    boolean32            reset_pwd;
    error_status_t       free_status;

    *status = error_status_ok;

    /* Get the lifetime for the server's Ticket-Granting-Ticket (TGT).   */
    /* Note that sec_login_get_expiration() returns a nonzero            */
    /* status for an uncertified login context. This is not              */
    /* an error. Hence the special error checking...                     */
    sec_login_get_expiration(login_context,
                             &expiration,
                             status);
    if ((*status != error_status_ok) &&
        (*status != sec_login_s_not_certified))
        return;
    *status = error_status_ok;

    /* Get current time... */
    time(&current_time);

    /* Now, if the expiration time is sooner than the desired "time      */
    /* left"...                                                          */
    if (expiration < (current_time + time_left))
    {
        /* Refresh the server's authenticated identity... */
        sec_login_refresh_identity(login_context,
                                   status);
        if (*status != error_status_ok)
            return;

        /* Get key from local file... */
        sec_key_mgmt_get_key(rpc_c_authn_dce_secret,
                             keytab,
                             prin_name,
                             0,
                             (void**)&keydata,
                             status);
        if (*status != error_status_ok)
            return;

        /* Validate the login context... */
        sec_login_validate_identity(login_context,
                                    keydata,
                                    &reset_pwd,
                                    &auth_src,
                                    status);

        /* Release the key storage. A separate status variable keeps     */
        /* the validation result in *status for the caller.              */
        sec_key_mgmt_free_key(keydata, &free_status);
    }

}

The server initialization code then needs to make only the following calls to establish server authentication and obtain valid credentials:

    /* Register server authentication information... */
    rpc_server_register_auth_info(server_principal_name,
                                  rpc_c_authn_dce_secret,
                                  NULL,
                                  KEYTAB,
                                  &status);

    /* Assume new identity... */
    server_get_identity(server_principal_name,
                        &login_context,
                        (unsigned_char_p_t)KEYTAB,
                        &status);

Once the server has been running for a while, so that credentials may have expired, the server calls server_renew_identity( ) before undertaking any task that requires valid credentials. For example, a server typically needs to call this operation before attempting to clean up its name space before shutting down.
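The following added example (not part of the original sample code and not DCE code) models the time_left margin to show how its size relates to the duration of the task that follows the check. The names needs_renewal, cred_t and run_tasks, the fixed ticket lifetime and all times are constructed for illustration; no DCE calls are made.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: the margin test from server_renew_identity(),
 * done in 64-bit arithmetic so that now + time_left cannot wrap. */
bool needs_renewal(int32_t expiration, int64_t now, uint32_t time_left)
{
    return (int64_t)expiration < now + (int64_t)time_left;
}

/* Constructed model of a credential with a fixed lifetime. */
typedef struct {
    int32_t  expiration;  /* absolute expiry time, seconds       */
    uint32_t lifetime;    /* lifetime granted by each renewal    */
    unsigned renewals;    /* how many times it has been renewed  */
} cred_t;

/* Run back-to-back tasks of task_secs each, applying the margin check
 * before every task. Returns the number of tasks during which the
 * credential expired before the task had finished using it. */
unsigned run_tasks(cred_t *c, int64_t start, unsigned tasks,
                   uint32_t task_secs, uint32_t time_left)
{
    unsigned expired_mid_task = 0;
    int64_t now = start;

    for (unsigned i = 0; i < tasks; i++) {
        if (needs_renewal(c->expiration, now, time_left)) {
            /* Stands in for the refresh + validate sequence. */
            c->expiration = (int32_t)(now + c->lifetime);
            c->renewals++;
        }
        now += task_secs;                 /* credential in use until here */
        if ((int64_t)c->expiration < now)
            expired_mid_task++;           /* check passed, use failed     */
    }
    return expired_mid_task;
}

int main(void)
{
    cred_t small = { 1600, 600, 0 }, safe = { 1600, 600, 0 };
    printf("margin 30s: %u tasks outlived the credential\n",
           run_tasks(&small, 1000, 20, 90, 30));
    printf("margin 90s: %u tasks outlived the credential\n",
           run_tasks(&safe, 1000, 20, 90, 90));
    return 0;
}
```

In this model a margin shorter than the task lets the credential lapse mid-task, while a margin at least as long as the task never does, at the cost of one extra renewal.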