summaryrefslogtreecommitdiffstats
path: root/ipa-client
diff options
context:
space:
mode:
authorRob Crittenden <rcritten@redhat.com>2010-08-05 22:41:32 -0400
committerRob Crittenden <rcritten@redhat.com>2010-08-16 17:13:56 -0400
commit2f4f9054aac8bef83272d690a4868653a3a5bd0d (patch)
treeaa1ef1ff947f002337e32dda202c8135c1eeaad9 /ipa-client
parent81ae7c3a605ba13c6479c7bccc44190228f8ed07 (diff)
downloadfreeipa-2f4f9054aac8bef83272d690a4868653a3a5bd0d.tar.gz
freeipa-2f4f9054aac8bef83272d690a4868653a3a5bd0d.tar.xz
freeipa-2f4f9054aac8bef83272d690a4868653a3a5bd0d.zip
Enable a host to retrieve a keytab for all its services.
Using the host service principal one should be able to retrieve a keytab for other services for the host using ipa-getkeytab. This required a number of changes: - allow hosts in the service's managedby to write krbPrincipalKey - automatically add the host to managedby when a service is created - fix ipa-getkeytab to return the entire prinicpal and not just the first data element. It was returning "host" from the service tgt and not host/ipa.example.com - fix the display of the managedby attribute in the service plugin This led to a number of changes in the service unit tests. I took the opportunity to switch to the Declarative scheme and tripled the number of tests we were doing. This shed some light on a few bugs in the plugin: - if a service had a bad usercertificate it was impossible to delete the service. I made it a bit more flexible. - I added a summary for the mod and find commands - has_keytab wasn't being set in the find output ticket 68
Diffstat (limited to 'ipa-client')
-rw-r--r--ipa-client/ipa-getkeytab.c36
1 files changed, 21 insertions, 15 deletions
diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c
index d55355aab..4bbbf1c7c 100644
--- a/ipa-client/ipa-getkeytab.c
+++ b/ipa-client/ipa-getkeytab.c
@@ -69,14 +69,19 @@ static int ldap_sasl_interact(LDAP *ld, unsigned flags, void *priv_data, void *s
sasl_interact_t *in = NULL;
int ret = LDAP_OTHER;
krb5_principal princ = (krb5_principal)priv_data;
+ krb5_context krbctx;
+ char *outname = NULL;
if (!ld) return LDAP_PARAM_ERROR;
+ krb5_init_context(&krbctx);
+
for (in = sit; in && in->id != SASL_CB_LIST_END; in++) {
switch(in->id) {
case SASL_CB_USER:
- in->result = princ->data[0].data;
- in->len = princ->data[0].length;
+ krb5_unparse_name(krbctx, princ, &outname);
+ in->result = outname;
+ in->len = strlen(outname);
ret = LDAP_SUCCESS;
break;
case SASL_CB_GETREALM:
@@ -90,7 +95,8 @@ static int ldap_sasl_interact(LDAP *ld, unsigned flags, void *priv_data, void *s
ret = LDAP_OTHER;
}
}
- return ret;
+ krb5_free_context(krbctx);
+ return ret;
}
static void free_keys_contents(krb5_context krbctx, struct keys_container *keys)
@@ -809,19 +815,19 @@ int main(int argc, char *argv[])
}
if (NULL == bindpw) {
- krberr = krb5_cc_default(krbctx, &ccache);
- if (krberr) {
- fprintf(stderr, "Kerberos Credential Cache not found\n"
- "Do you have a Kerberos Ticket?\n");
- exit(5);
- }
+ krberr = krb5_cc_default(krbctx, &ccache);
+ if (krberr) {
+ fprintf(stderr, "Kerberos Credential Cache not found\n"
+ "Do you have a Kerberos Ticket?\n");
+ exit(5);
+ }
- krberr = krb5_cc_get_principal(krbctx, ccache, &uprinc);
- if (krberr) {
- fprintf(stderr, "Kerberos User Principal not found\n"
- "Do you have a valid Credential Cache?\n");
- exit(6);
- }
+ krberr = krb5_cc_get_principal(krbctx, ccache, &uprinc);
+ if (krberr) {
+ fprintf(stderr, "Kerberos User Principal not found\n"
+ "Do you have a valid Credential Cache?\n");
+ exit(6);
+ }
}
krberr = krb5_kt_resolve(krbctx, ktname, &kt);