author | Pavel Březina <pbrezina@redhat.com> | 2012-09-25 15:02:12 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2012-10-02 16:54:16 +0200 |
commit | 798a227df11f49147fa43e515910ec11e21e0caa (patch) | |
tree | 356c7503ea08a7e37a9e6aac73db2c1390e1df3b | |
parent | fa893b2796b002f709e9416f134bc8df8c08cf8d (diff) | |
remove left over principal selection
https://fedorahosted.org/sssd/ticket/1303
Domain start-up was taking too long when there are many principals
in a Kerberos keytab. We were looking up the keytab twice.
The first time we try to select a proper principal and remember it.
The second call happens almost right after the first one and
it is just a check if the principal exists in the keytab, without
any output information other than success/failure. It is
probably a left over from https://fedorahosted.org/sssd/ticket/781.
This patch removes the second call.
-rw-r--r-- | src/providers/ldap/sdap_child_helpers.c | 21 | ||||
-rw-r--r-- | src/util/sss_krb5.c | 102 | ||||
-rw-r--r-- | src/util/sss_krb5.h | 4 |
3 files changed, 0 insertions, 127 deletions
diff --git a/src/providers/ldap/sdap_child_helpers.c b/src/providers/ldap/sdap_child_helpers.c
index eeb5e5f03..7a59a42ea 100644
--- a/src/providers/ldap/sdap_child_helpers.c
+++ b/src/providers/ldap/sdap_child_helpers.c
@@ -453,7 +453,6 @@ static errno_t set_tgt_child_timeout(struct tevent_req *req,
 int setup_child(struct sdap_id_ctx *ctx)
 {
     int ret;
-    const char *mech;
     unsigned v;
     FILE *debug_filep;
     const char *realm;
@@ -463,26 +462,6 @@ int setup_child(struct sdap_id_ctx *ctx)
         realm = dp_opt_get_string(ctx->opts->basic, SDAP_KRB5_REALM);
     }
 
-    mech = dp_opt_get_string(ctx->opts->basic,
-                             SDAP_SASL_MECH);
-    if (!mech) {
-        return EOK;
-    }
-
-    if (mech && (strcasecmp(mech, "GSSAPI") == 0)) {
-        ret = sss_krb5_verify_keytab(dp_opt_get_string(ctx->opts->basic,
-                                     SDAP_SASL_AUTHID),
-                                     realm,
-                                     dp_opt_get_string(ctx->opts->basic,
-                                     SDAP_KRB5_KEYTAB));
-
-        if (ret != EOK) {
-            DEBUG(0, ("Could not verify keytab\n"));
-            return ret;
-        }
-
-    }
-
     if (debug_to_file != 0 && ldap_child_debug_fd == -1) {
         ret = open_debug_file_ex("ldap_child", &debug_filep);
         if (ret != EOK) {
diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
index 24229f8b3..cce8d9021 100644
--- a/src/util/sss_krb5.c
+++ b/src/util/sss_krb5.c
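Review bot: Removing the `if (!mech) { return EOK; }` guard together with the keytab check changes setup_child's control flow for configurations with no SASL mechanism: the function now falls through to open_debug_file_ex and the rest of the body (which continues past the hunk) instead of returning early. If the early return existed only to skip the verification that is acceptable, but the commit message does not say so; either keep the guard as `if (dp_opt_get_string(ctx->opts->basic, SDAP_SASL_MECH) == NULL) { return EOK; }` or state the intended fall-through in the message. With the sss_krb5_verify_keytab call gone, the `realm` variable kept in the first hunk has no remaining reader in the visible lines; if nothing below the hunk uses it, drop its declaration and the dp_opt_get_string lookups that fill it to avoid an unused-variable warning.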
@@ -200,108 +200,6 @@ done:
     return ret;
 }
 
-
-int sss_krb5_verify_keytab(const char *principal,
-                           const char *realm_str,
-                           const char *keytab_name)
-{
-    krb5_context context = NULL;
-    krb5_keytab keytab = NULL;
-    krb5_error_code krberr;
-    int ret;
-    char *full_princ = NULL;
-    char *realm_name = NULL;
-    char *default_realm = NULL;
-    TALLOC_CTX *tmp_ctx;
-
-    tmp_ctx = talloc_new(NULL);
-    if (!tmp_ctx) {
-        return ENOMEM;
-    }
-
-    krberr = krb5_init_context(&context);
-    if (krberr) {
-        DEBUG(2, ("Failed to init kerberos context\n"));
-        ret = EFAULT;
-        goto done;
-    }
-
-    if (keytab_name) {
-        krberr = krb5_kt_resolve(context, keytab_name, &keytab);
-    } else {
-        krberr = krb5_kt_default(context, &keytab);
-    }
-
-    if (krberr) {
-        DEBUG(SSSDBG_FATAL_FAILURE,
-              ("Failed to read keytab file: %s\n",
-               KEYTAB_CLEAN_NAME,
-               sss_krb5_get_error_message(context, krberr)));
-        ret = EFAULT;
-        goto done;
-    }
-
-    if (!realm_str) {
-        krberr = krb5_get_default_realm(context, &default_realm);
-        if (krberr) {
-            DEBUG(2, ("Failed to get default realm name: %s\n",
-                      sss_krb5_get_error_message(context, krberr)));
-            ret = EFAULT;
-            goto done;
-        }
-
-        realm_name = talloc_strdup(tmp_ctx, default_realm);
-        krb5_free_default_realm(context, default_realm);
-        if (!realm_name) {
-            ret = ENOMEM;
-            goto done;
-        }
-    } else {
-        realm_name = talloc_strdup(tmp_ctx, realm_str);
-        if (!realm_name) {
-            ret = ENOMEM;
-            goto done;
-        }
-    }
-
-    if (principal) {
-        if (!strchr(principal, '@')) {
-            full_princ = talloc_asprintf(tmp_ctx, "%s@%s",
-                                         principal, realm_name);
-        } else {
-            full_princ = talloc_strdup(tmp_ctx, principal);
-        }
-    } else {
-        char hostname[512];
-
-        ret = gethostname(hostname, 511);
-        if (ret == -1) {
-            ret = errno;
-            goto done;
-        }
-        hostname[511] = '\0';
-
-        ret = select_principal_from_keytab(tmp_ctx, hostname, realm_name,
-                                           keytab_name, &full_princ, NULL, NULL);
-        if (ret) goto done;
-    }
-    if (!full_princ) {
-        ret = ENOMEM;
-        goto done;
-    }
-    DEBUG(4, ("Principal name is: [%s]\n", full_princ));
-
-    ret = sss_krb5_verify_keytab_ex(full_princ, keytab_name, context, keytab);
-    if (ret) goto done;
-
-    ret = EOK;
-done:
-    if (keytab) krb5_kt_close(context, keytab);
-    if (context) krb5_free_context(context);
-    talloc_free(tmp_ctx);
-    return ret;
-}
-
 int sss_krb5_verify_keytab_ex(const char *principal, const char *keytab_name,
                               krb5_context context, krb5_keytab keytab)
 {
diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h
index 22d2c96eb..15dd1e6a6 100644
--- a/src/util/sss_krb5.h
+++ b/src/util/sss_krb5.h
@@ -71,10 +71,6 @@ krb5_error_code check_for_valid_tgt(krb5_context context, krb5_ccache ccache,
                                     const char *realm, const char *client_princ_str,
                                     bool *result);
 
-int sss_krb5_verify_keytab(const char *principal,
-                           const char *realm_str,
-                           const char *keytab_name);
-
 int sss_krb5_verify_keytab_ex(const char *principal, const char *keytab_name,
                               krb5_context context, krb5_keytab keytab);
 