diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 8918fdff1d4..036242b3e5b 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -4289,24 +4289,20 @@ int main(int argc, const char *argv[])
 /* For PKINIT we might need access to the pcscd socket which by default
 * is only allowed for authenticated users. Since PKINIT is part of
 * the authentication and the user is not authenticated yet, we have
- * to use different privileges and can only drop it only after the TGT is
- * received. The fast_uid and fast_gid are the IDs the backend is running
- * with. This can be either root or the 'sssd' user. Root is allowed by
- * default and the 'sssd' user is allowed with the help of the
- * sssd-pcsc.rules policy-kit rule. So those IDs are a suitable choice. We
- * can only call switch_creds() because after the TGT is returned we have
- * to switch to the IDs of the user to store the TGT.
+ * to use different privileges and can only drop it after the TGT is
+ * received. IDs the backend (and thus 'krb5_child) is running with are
+ * either root or the 'sssd' user. Root is allowed by default and
+ * the 'sssd' user is allowed with the help of the sssd-pcsc.rules
+ * policy-kit rule. So those IDs are a suitable choice and needs to
+ * be kept until TGT is obtained.
 * If we are offline we have to switch to the user's credentials directly
 * to make sure the empty ccache is created with the expected
 * ownership. */
- if (IS_SC_AUTHTOK(kr->pd->authtok) && !offline) {
- kerr = switch_creds(kr, kr->fast_uid, kr->fast_gid, 0, NULL,
- &kr->pcsc_saved_creds);
- } else {
+ if (!IS_SC_AUTHTOK(kr->pd->authtok) || offline) {
 kerr = k5c_become_user(kr->uid, kr->gid, kr->posix_domain);
 }
 if (kerr != 0) {
- DEBUG(SSSDBG_CRIT_FAILURE, "become_user failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "k5c_become_user() failed.\n");
 ret = EFAULT;
 goto done;
 }
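Review bot: In the online smart-card path `kerr` is no longer assigned before the `if (kerr != 0)` check, so that check tests whatever value code above the hunk left behind and, if it fires, reports a k5c_become_user() failure for a call that never ran. Moving the check inside the body of `if (!IS_SC_AUTHTOK(kr->pd->authtok) || offline) {` would tie the error path to the call it names. With switch_creds() removed, that path also keeps the backend's IDs (root or 'sssd', per the comment) for the whole PKINIT exchange, so the later drop to the user's IDs, which is not visible in this hunk, presumably has to run on every path that reaches ccache storage and treat failure as fatal; that is worth confirming in the rest of main(). The rewritten comment has an unbalanced quote in `'krb5_child)`, which should read `'krb5_child'`, and "and needs to be kept" should be "and need to be kept". main() starts and ends outside the hunk.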