authorRob Crittenden <rcritten@redhat.com>2012-02-23 21:56:07 -0500
committerRob Crittenden <rcritten@redhat.com>2012-03-04 17:42:18 -0500
commit10478ac8a1105f6971f245315b5b943b47631e71 (patch)
treed5cfeda06f1ec523c4f677ec7ee7d33706ba6cd3 /ipa-client
parent55f89dc68940e3a4376fb80e97dbd0f2773c6ed1 (diff)
Only warn if ipa-getkeytab doesn't get all requested enctypes.
Older client machines may request DES keys not supported in newer KDCs. This was causing the entire request to fail, and with it client enrollment. https://fedorahosted.org/freeipa/ticket/2424
Diffstat (limited to 'ipa-client')
-rw-r--r--ipa-client/ipa-getkeytab.c37
1 files changed, 32 insertions, 5 deletions
diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c
index 28ef5b5a5..aa9336f2e 100644
--- a/ipa-client/ipa-getkeytab.c
+++ b/ipa-client/ipa-getkeytab.c
@@ -548,6 +548,7 @@ static int ldap_set_keytab(krb5_context krbctx,
int kvno, i;
ber_tag_t rtag;
ber_int_t *encs = NULL;
+ int successful_keys = 0;
/* cant' return more than nkeys, sometimes less */
encs = calloc(keys->nkeys + 1, sizeof(ber_int_t));
@@ -587,12 +588,14 @@ static int ldap_set_keytab(krb5_context krbctx,
goto error_out;
}
+#ifdef LDAP_OPT_X_SASL_NOCANON
/* Don't do DNS canonicalization */
ret = ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_X_SASL_NOCANON\n"));
goto error_out;
}
+#endif
version = LDAP_VERSION3;
ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
@@ -620,7 +623,13 @@ static int ldap_set_keytab(krb5_context krbctx,
LDAP_SASL_QUIET,
ldap_sasl_interact, princ);
if (ret != LDAP_SUCCESS) {
- fprintf(stderr, _("SASL Bind failed!\n"));
+ char *msg=NULL;
+#ifdef LDAP_OPT_DIAGNOSTIC_MESSAGE
+ ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE,
+ (void*)&msg);
+#endif
+ fprintf(stderr, "SASL Bind failed %s (%d) %s!\n",
+ ldap_err2string(ret), ret, msg ? msg : "");
goto error_out;
}
}
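Review bot: The diagnostic string fetched through LDAP_OPT_DIAGNOSTIC_MESSAGE is an allocated copy owned by the caller, and the new code never releases it before `goto error_out`; add `ldap_memfree(msg);` after the fprintf, inside the same `#ifdef LDAP_OPT_DIAGNOSTIC_MESSAGE` guard. The return value of ldap_get_option is unchecked, which is only safe because `msg` starts as NULL and the fprintf tests it — a short comment such as `/* msg stays NULL if the option is unsupported */` would make that intent explicit. The rewritten message also drops the `_()` wrapper that the replaced line and the other messages in this function use, so it is no longer translatable; `fprintf(stderr, _("SASL Bind failed %s (%d) %s!\n"), ldap_err2string(ret), ret, msg ? msg : "");` keeps it consistent. The function continues beyond this hunk.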
@@ -705,16 +714,34 @@ static int ldap_set_keytab(krb5_context krbctx,
rtag = ber_scanf(sctrl, "{i{", &kvno);
if (rtag == LBER_ERROR) {
- fprintf(stderr, _("ber_scanf() failed, Invalid control ?!\n"));
+ fprintf(stderr, _("ber_scanf() failed, unable to find kvno ?!\n"));
goto error_out;
}
for (i = 0; i < keys->nkeys; i++) {
ret = ber_scanf(sctrl, "{i}", &encs[i]);
if (ret == LBER_ERROR) {
- fprintf(stderr, _("ber_scanf() failed, Invalid control ?!\n"));
- goto error_out;
- }
+ char enc[79]; /* fit std terminal or truncate */
+ krb5_error_code krberr;
+ krberr = krb5_enctype_to_string(
+ keys->ksdata[i].enctype, enc, 79);
+ if (krberr) {
+ fprintf(stderr, _("Failed to retrieve "
+ "encryption type type #%d\n"),
+ keys->ksdata[i].enctype);
+ } else {
+ fprintf(stderr, _("Failed to retrieve "
+ "encryption type %s (#%d)\n"),
+ enc, keys->ksdata[i].enctype);
+ }
+ } else {
+ successful_keys++;
+ }
+ }
+
+ if (successful_keys == 0) {
+ fprintf(stderr, _("Failed to retrieve any keys"));
+ goto error_out;
}
ret = filter_keys(krbctx, keys, encs);
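Review bot: The new zero-key error is the only message in this function without a trailing newline, so whatever stderr prints next runs onto the same line: `fprintf(stderr, _("Failed to retrieve any keys\n"));`. The literal 79 is one buffer size written twice (declaration and the call); `krb5_enctype_to_string(keys->ksdata[i].enctype, enc, sizeof(enc))` keeps them in step. The fallback message reads "encryption type type #%d", which looks like a duplicated word unless "type #N" is the intended phrasing. Less certain: on a missing element `encs[i]` keeps the zero from calloc while the loop keeps scanning, and later failures are reported against `keys->ksdata[i]`, which only lines up if the server returns entries in request order with omissions at the tail — whether filter_keys tolerates a zero in the middle is outside this hunk, so a comment stating that assumption would help the next reader. ldap_set_keytab ends outside this hunk.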