rclone
diff --git a/‎backend/smb/kerberos.go
Lines changed: 41 additions & 10 deletions b/‎backend/smb/kerberos.go
Lines changed: 41 additions & 10 deletions
diff --git a/‎backend/smb/kerberos_test.go
Lines changed: 60 additions & 0 deletions b/‎backend/smb/kerberos_test.go
Lines changed: 60 additions & 0 deletions
@@ -7,15 +7,31 @@ import (
 	"path/filepath"
 	"strings"
 	"sync"
+	"time"
 
 	"github.com/jcmturner/gokrb5/v8/client"
 	"github.com/jcmturner/gokrb5/v8/config"
 	"github.com/jcmturner/gokrb5/v8/credentials"
 )
 
 var (
+	// kerberosClient caches Kerberos clients keyed by resolved ccache path.
+	// Clients are reused unless the associated ccache file changes.
 	kerberosClient sync.Map // map[string]*client.Client
-	kerberosErr    sync.Map // map[string]error
+
+	// kerberosErr caches errors encountered when loading Kerberos clients.
+	// Prevents repeated attempts for paths that previously failed.
+	kerberosErr sync.Map // map[string]error
+
+	// kerberosCredModTime tracks the last known modification time of ccache files.
+	// Used to detect changes and trigger credential refresh.
+	kerberosCredModTime sync.Map // map[string]time.Time
+)
+
+var (
+	loadCCacheFunc      = credentials.LoadCCache
+	newClientFromCCache = client.NewFromCCache
+	loadKrbConfig       = loadKerberosConfig
 )
 
 func resolveCcachePath(ccachePath string) (string, error) {
@@ -65,30 +81,45 @@ func createKerberosClient(ccachePath string) (*client.Client, error) {
 		return nil, err
 	}
 
-	// check if we already have a client or an error for this ccache path
-	if errVal, ok := kerberosErr.Load(ccachePath); ok {
-		return nil, errVal.(error)
+	// Check if the ccache file is modified since last check
+	stat, statErr := os.Stat(ccachePath)
+	if statErr != nil {
+		kerberosErr.Store(ccachePath, statErr)
+		return nil, statErr
 	}
-	if clientVal, ok := kerberosClient.Load(ccachePath); ok {
-		return clientVal.(*client.Client), nil
+	mtime := stat.ModTime()
+
+	if oldCredModTimeVal, ok := kerberosCredModTime.Load(ccachePath); ok {
+		if oldMtime, ok := oldCredModTimeVal.(time.Time); ok && oldMtime.Equal(mtime) {
+			// ccache hasn't changed — return cached client or error
+			if errVal, ok := kerberosErr.Load(ccachePath); ok {
+				return nil, errVal.(error)
+			}
+			if clientVal, ok := kerberosClient.Load(ccachePath); ok {
+				return clientVal.(*client.Client), nil
+			}
+		}
 	}
 
-	// create a new client if not found in the map
-	cfg, err := loadKerberosConfig()
+	// ccache changed or no valid cached client — reload credentials
+	cfg, err := loadKrbConfig()
 	if err != nil {
 		kerberosErr.Store(ccachePath, err)
 		return nil, err
 	}
-	ccache, err := credentials.LoadCCache(ccachePath)
+	ccache, err := loadCCacheFunc(ccachePath)
 	if err != nil {
 		kerberosErr.Store(ccachePath, err)
 		return nil, err
 	}
-	cl, err := client.NewFromCCache(ccache, cfg)
+	cl, err := newClientFromCCache(ccache, cfg)
 	if err != nil {
 		kerberosErr.Store(ccachePath, err)
 		return nil, err
 	}
+
 	kerberosClient.Store(ccachePath, cl)
+	kerberosErr.Delete(ccachePath)
+	kerberosCredModTime.Store(ccachePath, mtime)
 	return cl, nil
 }
@@ -4,7 +4,11 @@ import (
 	"os"
 	"path/filepath"
 	"testing"
+	"time"
 
+	"github.com/jcmturner/gokrb5/v8/client"
+	"github.com/jcmturner/gokrb5/v8/config"
+	"github.com/jcmturner/gokrb5/v8/credentials"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -77,3 +81,59 @@ func TestResolveCcachePath(t *testing.T) {
 		})
 	}
 }
+
+func TestCreateKerberosClient_ReloadOnCcacheChange(t *testing.T) {
+
+	// Create temporary fake ccache file
+	tmpFile, err := os.CreateTemp("", "krb5cc_test")
+	assert.NoError(t, err)
+	defer os.Remove(tmpFile.Name())
+
+	fakeCcacheContent := []byte("CCACHE_VERSION 4\n")
+	_, err = tmpFile.Write(fakeCcacheContent)
+	assert.NoError(t, err)
+	assert.NoError(t, tmpFile.Close())
+
+	// Patch functions
+	origLoadCCache := loadCCacheFunc
+	origNewFromCCache := newClientFromCCache
+	origLoadKerberosConfig := loadKrbConfig
+
+	defer func() {
+		loadCCacheFunc = origLoadCCache
+		newClientFromCCache = origNewFromCCache
+		loadKrbConfig = origLoadKerberosConfig
+	}()
+
+	loadCallCount := 0
+	loadCCacheFunc = func(path string) (*credentials.CCache, error) {
+		loadCallCount++
+		return &credentials.CCache{}, nil
+	}
+	newClientFromCCache = func(cc *credentials.CCache, cfg *config.Config, _ ...func(*client.Settings)) (*client.Client, error) {
+		return &client.Client{}, nil
+	}
+	loadKrbConfig = func() (*config.Config, error) {
+		return &config.Config{}, nil
+	}
+
+	// First call — should trigger load
+	_, err = createKerberosClient(tmpFile.Name())
+	assert.NoError(t, err)
+	assert.Equal(t, 1, loadCallCount, "expected 1 load call")
+
+	// Second call — should reuse cached client
+	_, err = createKerberosClient(tmpFile.Name())
+	assert.NoError(t, err)
+	assert.Equal(t, 1, loadCallCount, "expected reuse on unchanged ccache")
+
+	// Simulate file update
+	time.Sleep(1 * time.Second) // ensure mtime actually changes
+	err = os.WriteFile(tmpFile.Name(), []byte("CCACHE_VERSION 4\n#updated"), 0600)
+	assert.NoError(t, err)
+
+	// Third call — should detect change and reload
+	_, err = createKerberosClient(tmpFile.Name())
+	assert.NoError(t, err)
+	assert.Equal(t, 2, loadCallCount, "expected reload on changed ccache")
+}