Diffstat (limited to 'src/lib/krb5/keytab/ktfns.c')
-rw-r--r-- | src/lib/krb5/keytab/ktfns.c | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/src/lib/krb5/keytab/ktfns.c b/src/lib/krb5/keytab/ktfns.c
index a06689c4dc..53d0b83648 100644
--- a/src/lib/krb5/keytab/ktfns.c
+++ b/src/lib/krb5/keytab/ktfns.c
@@ -97,4 +97,36 @@ krb5_kt_end_seq_get(krb5_context context, krb5_keytab keytab,
 {
 return krb5_x((keytab)->ops->end_get,(context, keytab, cursor));
 }
+
+/*
+ * In a couple of places we need to get a principal name from a keytab: when
+ * verifying credentials against a keytab, and when querying the name of a
+ * default GSS acceptor cred. Keytabs do not have the concept of a default
+ * principal like ccaches do, so for now we just return the first principal
+ * listed in the keytab, or an error if it's not iterable. In the future we
+ * could consider elevating this to a public API and giving keytab types an
+ * operation to return a default principal, and maybe extending the file format
+ * and tools to support it. Returns KRB5_KT_NOTFOUND if the keytab is empty
+ * or non-iterable.
+ */
+krb5_error_code
+k5_kt_get_principal(krb5_context context, krb5_keytab keytab,
+ krb5_principal *princ_out)
+{
+ krb5_error_code ret;
+ krb5_kt_cursor cursor;
+ krb5_keytab_entry kte;
+
+ *princ_out = NULL;
+ ret = krb5_kt_start_seq_get(context, keytab, &cursor);
+ if (ret)
+ return KRB5_KT_NOTFOUND;
+ ret = krb5_kt_next_entry(context, keytab, &kte, &cursor);
+ (void)krb5_kt_end_seq_get(context, keytab, &cursor);
+ if (ret)
+ return (ret == KRB5_KT_END) ? KRB5_KT_NOTFOUND : ret;
+ ret = krb5_copy_principal(context, kte.principal, princ_out);
+ krb5_kt_free_entry(context, &kte);
+ return ret;
+}
 #endif /* LEAN_CLIENT */ |
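Review bot: Every failure of `krb5_kt_start_seq_get` in `k5_kt_get_principal` is returned as `KRB5_KT_NOTFOUND`, so a keytab that cannot be opened or read (permissions, I/O, allocation failure) is indistinguishable to the caller from an empty one. For the credential-verification use named in the comment that distinction probably matters, because a caller that treats "not found" as "no key to verify against" would react the same way to an unreadable keytab; that caller is outside this hunk, so confirm it there. I would map only the non-iterable case and pass other errors through: `if (keytab->ops->start_seq_get == NULL) return KRB5_KT_NOTFOUND;` before the call, then `if (ret) return ret;`. The explicit NULL check is also worth having because the context line shows `krb5_kt_end_seq_get` dispatching through `krb5_x`, whose handling of a missing op is not visible here.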