The server_renew_identity( ) routine makes sure that the server's credentials are valid.
    /******
     *
     * server_renew_identity -- Make sure that credentials are still valid, and
     *                          renew them if they are not.
     *
     *   This routine is called (with the current credentials) whenever a task
     *   is about to be attempted that requires valid credentials. For an
     *   example, see the cleanup code in "main()" above. A valid credential will
     *   nevertheless be considered invalid if it will expire within time_left
     *   seconds. This gives a margin of time between the validity check that
     *   occurs here and the actual use of the credential.
     *
     *   Called from main() (but can be called from elsewhere).
     *
     ******/
    void server_renew_identity(
        unsigned_char_p_t   prin_name,      /* Server's principal name.          */
        sec_login_handle_t  login_context,  /* Server's login context.           */
        unsigned_char_p_t   keytab,         /* Local key file.                   */
        unsigned32          time_left,      /* Amount of "margin" -- see above.  */
        unsigned32          *status)        /* To return status.                 */
    {
        signed32              expiration;
        time_t                current_time;
        sec_passwd_rec_t      *keydata;
        sec_login_auth_src_t  auth_src;
        boolean32             reset_pwd;
        unsigned32            free_status;   /* Keeps the key cleanup from     */
                                             /* overwriting the caller's status. */

        *status = error_status_ok;

        /* Get the lifetime for the server's Ticket-Granting-Ticket (TGT).  */
        /* Note that sec_login_get_expiration() returns a nonzero           */
        /* status for an uncertified login context. This is not             */
        /* an error. Hence the special error checking...                    */
        sec_login_get_expiration(login_context,
                                 &expiration,
                                 status);
        if ((*status != error_status_ok) &&
            (*status != sec_login_s_not_certified))
            return;
        *status = error_status_ok;

        /* Get current time... */
        time(&current_time);

        /* Now, if the expiration time is sooner than the desired "time */
        /* left"...                                                     */
        if (expiration < (current_time + time_left))
        {
            /* Refresh the server's authenticated identity... */
            sec_login_refresh_identity(login_context,
                                       status);
            if (*status != error_status_ok)
                return;

            /* Get key from local file... */
            sec_key_mgmt_get_key(rpc_c_authn_dce_secret,
                                 keytab,
                                 prin_name,
                                 0,
                                 (void**)&keydata,
                                 status);
            if (*status != error_status_ok)
                return;

            /* Validate the login context... */
            sec_login_validate_identity(login_context,
                                        keydata,
                                        &reset_pwd,
                                        &auth_src,
                                        status);

            /* Release the key storage; *status still reports the validation. */
            sec_key_mgmt_free_key(keydata, &free_status);
        }
    }
The server initialization code need then only make the following calls to establish server authentication and obtain valid credentials:
    /* Register server authentication information... */
    rpc_server_register_auth_info(server_principal_name,
                                  rpc_c_authn_dce_secret,
                                  NULL,
                                  KEYTAB,
                                  &status);

    /* Assume new identity... */
    server_get_identity(server_principal_name,
                        &login_context,
                        (unsigned_char_p_t)KEYTAB,
                        &status);
Once the server has been running for a while, so that credentials may have expired, the server calls server_renew_identity( ) before undertaking any task that requires valid credentials. For example, a server typically needs to call this operation before attempting to clean up its name space before shutting down.
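The margin test in server_renew_identity( ) mixes signed32, time_t and unsigned32 operands. The following added example (not part of the original DCE sample) shows the same decision made in 64-bit arithmetic, next to a model of the original expression on a build where time_t and unsigned32 are both 32 bits wide. The names cred_check, naive_renew_32 and the EX_STATUS_* values are constructed for illustration and are not DCE identifiers.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the DCE status codes; the real values differ. */
#define EX_STATUS_OK            0u
#define EX_STATUS_NOT_CERTIFIED 1u

typedef enum { CRED_OK, CRED_RENEW, CRED_ERROR } cred_action_t;

/* The page's test, expiration < (current_time + time_left), as it evaluates
 * when both operands of the sum are 32 bits: the usual arithmetic
 * conversions make the sum unsigned, so it can wrap around. */
int naive_renew_32(int32_t expiration, int32_t now, uint32_t margin)
{
    return (uint32_t)expiration < (uint32_t)now + margin;
}

/* Same decision in 64-bit arithmetic, comparing the remaining lifetime with
 * the margin so that no sum can wrap. Also classifies the lookup status. */
cred_action_t cred_check(uint32_t lookup_status, int32_t expiration,
                         int64_t now, uint32_t margin)
{
    /* An uncertified context still yields a usable expiration time. */
    if (lookup_status != EX_STATUS_OK &&
        lookup_status != EX_STATUS_NOT_CERTIFIED)
        return CRED_ERROR;
    /* Implausible clock reading, or already expired: renew. */
    if (now < 0 || (int64_t)expiration < now)
        return CRED_RENEW;
    int64_t remaining = (int64_t)expiration - now;   /* 0 .. INT32_MAX */
    return remaining < (int64_t)margin ? CRED_RENEW : CRED_OK;
}

int main(void)
{
    int32_t  now  = 1000000000;          /* constructed clock value      */
    int32_t  exp  = now + 60;            /* TGT expires in one minute    */
    uint32_t huge = UINT32_MAX;          /* misconfigured, oversized margin */

    printf("margin 300:  %d\n", cred_check(EX_STATUS_OK, exp, now, 300));
    printf("huge, naive: renew=%d\n", naive_renew_32(exp, now, huge));
    printf("huge, safe:  %d\n", cred_check(EX_STATUS_OK, exp, now, huge));
    return 0;
}
```

With the oversized margin the 32-bit sum wraps to a value below the expiration time, so the naive test skips renewal for a ticket that has one minute left, while the 64-bit comparison still requests it.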