authorJakub Hrozek <jhrozek@redhat.com>2014-10-11 17:39:21 +0200
committerJakub Hrozek <jhrozek@redhat.com>2014-11-05 19:54:52 +0100
commit0348c74bad010d35f92400c749a7acc2fea8b2cb (patch)
tree8bcaa44684c0e6b58e0ec4dca6f19997c7a8521d
parent45414c12aa933a33d9a635cc212c448c858c6bab (diff)
LDAP: Move sss_krb5_verify_keytab_ex to ldap_child
The function was called from one place only, so it makes no sense to keep it in a shared module. Moreover, the function should only be called from code that runs as root. Reviewed-by: Michal Židek <mzidek@redhat.com>
-rw-r--r--src/providers/ldap/ldap_child.c79
-rw-r--r--src/util/sss_krb5.c76
-rw-r--r--src/util/sss_krb5.h3
3 files changed, 78 insertions, 80 deletions
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index e5779b709..b8b4b0ad7 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -160,6 +160,83 @@ set_child_debugging(krb5_context ctx)
return EOK;
}
+static int lc_verify_keytab_ex(const char *principal,
+ const char *keytab_name,
+ krb5_context context,
+ krb5_keytab keytab)
+{
+ bool found;
+ char *kt_principal;
+ krb5_error_code krberr;
+ krb5_kt_cursor cursor;
+ krb5_keytab_entry entry;
+
+ krberr = krb5_kt_start_seq_get(context, keytab, &cursor);
+ if (krberr) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Cannot read keytab [%s].\n", KEYTAB_CLEAN_NAME);
+
+ sss_log(SSS_LOG_ERR, "Error reading keytab file [%s]: [%d][%s]. "
+ "Unable to create GSSAPI-encrypted LDAP "
+ "connection.",
+ KEYTAB_CLEAN_NAME, krberr,
+ sss_krb5_get_error_message(context, krberr));
+
+ return EIO;
+ }
+
+ found = false;
+ while ((krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
+ krberr = krb5_unparse_name(context, entry.principal, &kt_principal);
+ if (krberr) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Could not parse keytab entry\n");
+ sss_log(SSS_LOG_ERR, "Could not parse keytab entry\n");
+ return EIO;
+ }
+
+ if (strcmp(principal, kt_principal) == 0) {
+ found = true;
+ }
+ free(kt_principal);
+ krberr = sss_krb5_free_keytab_entry_contents(context, &entry);
+ if (krberr) {
+ /* This should never happen. The API docs for this function
+ * specify only success for this function
+ */
+ DEBUG(SSSDBG_CRIT_FAILURE,"Could not free keytab entry contents\n");
+ /* This is non-fatal, so we'll continue here */
+ }
+
+ if (found) {
+ break;
+ }
+ }
+
+ krberr = krb5_kt_end_seq_get(context, keytab, &cursor);
+ if (krberr) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not close keytab.\n");
+ sss_log(SSS_LOG_ERR, "Could not close keytab file [%s].",
+ KEYTAB_CLEAN_NAME);
+ return EIO;
+ }
+
+ if (!found) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Principal [%s] not found in keytab [%s]\n",
+ principal,
+ KEYTAB_CLEAN_NAME);
+ sss_log(SSS_LOG_ERR, "Error processing keytab file [%s]: "
+ "Principal [%s] was not found. "
+ "Unable to create GSSAPI-encrypted LDAP connection.",
+ KEYTAB_CLEAN_NAME, principal);
+
+ return EFAULT;
+ }
+
+ return EOK;
+}
+
static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
const char *realm_str,
const char *princ_str,
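Review bot: The early `return EIO` after a failed krb5_unparse_name inside the while loop leaves the keytab cursor open and the current entry's contents unreleased, because krb5_kt_end_seq_get and sss_krb5_free_keytab_entry_contents are only reached on the normal path. Recording the error, freeing the entry and breaking out of the loop lets the existing krb5_kt_end_seq_get call run on every exit path. Separately, the `keytab_name` parameter is never read in the body — every message uses KEYTAB_CLEAN_NAME instead — so it should either be dropped or actually logged, and since this is now a file-local helper a short header comment stating that it returns EOK, EIO when the keytab cannot be read or closed, and EFAULT when the principal is absent would help the next reader. The leak is pre-existing in the moved code, but the move is the natural moment to fix it.
```c
static int lc_verify_keytab_ex(const char *principal,
                               const char *keytab_name,
                               krb5_context context,
                               krb5_keytab keytab)
{
    int ret = EOK;
    /* … unchanged: remaining locals and krb5_kt_start_seq_get handling … */

    found = false;
    while ((krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
        krberr = krb5_unparse_name(context, entry.principal, &kt_principal);
        if (krberr) {
            DEBUG(SSSDBG_FATAL_FAILURE,
                  "Could not parse keytab entry\n");
            sss_log(SSS_LOG_ERR, "Could not parse keytab entry\n");
            /* Release the entry and fall through to end_seq_get below
             * instead of returning with the cursor still open. */
            sss_krb5_free_keytab_entry_contents(context, &entry);
            ret = EIO;
            break;
        }
        /* … unchanged: strcmp, free(kt_principal), entry cleanup, found check … */
    }

    krberr = krb5_kt_end_seq_get(context, keytab, &cursor);
    /* … unchanged: end_seq_get failure handling (returns EIO) … */

    if (ret != EOK) {
        return ret;
    }
    /* … unchanged: not-found handling and final return EOK … */
}
```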
@@ -287,7 +364,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
}
/* Verify the keytab */
- ret = sss_krb5_verify_keytab_ex(full_princ, keytab_name, context, keytab);
+ ret = lc_verify_keytab_ex(full_princ, keytab_name, context, keytab);
if (ret) {
DEBUG(SSSDBG_OP_FAILURE,
"Unable to verify principal is present in the keytab\n");
diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
index b4012593d..9eb34e17d 100644
--- a/src/util/sss_krb5.c
+++ b/src/util/sss_krb5.c
@@ -247,82 +247,6 @@ done:
return ret;
}
-int sss_krb5_verify_keytab_ex(const char *principal, const char *keytab_name,
- krb5_context context, krb5_keytab keytab)
-{
- bool found;
- char *kt_principal;
- krb5_error_code krberr;
- krb5_kt_cursor cursor;
- krb5_keytab_entry entry;
-
- krberr = krb5_kt_start_seq_get(context, keytab, &cursor);
- if (krberr) {
- DEBUG(SSSDBG_FATAL_FAILURE,
- "Cannot read keytab [%s].\n", KEYTAB_CLEAN_NAME);
-
- sss_log(SSS_LOG_ERR, "Error reading keytab file [%s]: [%d][%s]. "
- "Unable to create GSSAPI-encrypted LDAP "
- "connection.",
- KEYTAB_CLEAN_NAME, krberr,
- sss_krb5_get_error_message(context, krberr));
-
- return EIO;
- }
-
- found = false;
- while((krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){
- krberr = krb5_unparse_name(context, entry.principal, &kt_principal);
- if (krberr) {
- DEBUG(SSSDBG_FATAL_FAILURE,
- "Could not parse keytab entry\n");
- sss_log(SSS_LOG_ERR, "Could not parse keytab entry\n");
- return EIO;
- }
-
- if (strcmp(principal, kt_principal) == 0) {
- found = true;
- }
- free(kt_principal);
- krberr = sss_krb5_free_keytab_entry_contents(context, &entry);
- if (krberr) {
- /* This should never happen. The API docs for this function
- * specify only success for this function
- */
- DEBUG(SSSDBG_CRIT_FAILURE,"Could not free keytab entry contents\n");
- /* This is non-fatal, so we'll continue here */
- }
-
- if (found) {
- break;
- }
- }
-
- krberr = krb5_kt_end_seq_get(context, keytab, &cursor);
- if (krberr) {
- DEBUG(SSSDBG_FATAL_FAILURE, "Could not close keytab.\n");
- sss_log(SSS_LOG_ERR, "Could not close keytab file [%s].",
- KEYTAB_CLEAN_NAME);
- return EIO;
- }
-
- if (!found) {
- DEBUG(SSSDBG_FATAL_FAILURE,
- "Principal [%s] not found in keytab [%s]\n",
- principal,
- KEYTAB_CLEAN_NAME);
- sss_log(SSS_LOG_ERR, "Error processing keytab file [%s]: "
- "Principal [%s] was not found. "
- "Unable to create GSSAPI-encrypted LDAP connection.",
- KEYTAB_CLEAN_NAME, principal);
-
- return EFAULT;
- }
-
- return EOK;
-}
-
-
enum matching_mode {MODE_NORMAL, MODE_PREFIX, MODE_POSTFIX};
/**
* We only have primary and instances stored separately, we need to
diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h
index 83c720975..afa0d1943 100644
--- a/src/util/sss_krb5.h
+++ b/src/util/sss_krb5.h
@@ -70,9 +70,6 @@ void KRB5_CALLCONV sss_krb5_get_init_creds_opt_free (krb5_context context,
void KRB5_CALLCONV sss_krb5_free_unparsed_name(krb5_context context, char *name);
-int sss_krb5_verify_keytab_ex(const char *principal, const char *keytab_name,
- krb5_context context, krb5_keytab keytab);
-
krb5_error_code find_principal_in_keytab(krb5_context ctx,
krb5_keytab keytab,
const char *pattern_primary,