authorPavel Březina <pbrezina@redhat.com>2012-09-25 15:02:12 +0200
committerJakub Hrozek <jhrozek@redhat.com>2012-10-02 16:54:16 +0200
commit798a227df11f49147fa43e515910ec11e21e0caa (patch)
tree356c7503ea08a7e37a9e6aac73db2c1390e1df3b
parentfa893b2796b002f709e9416f134bc8df8c08cf8d (diff)
remove left over principal selection
https://fedorahosted.org/sssd/ticket/1303 Domain start-up was taking too long when there were many principals in a Kerberos keytab. We were looking into the keytab twice. The first time we try to select a proper principal and remember it. The second call happens almost right after the first one and it is just a check that the principal exists in the keytab, without any output information other than success/failure. It is probably a leftover from https://fedorahosted.org/sssd/ticket/781. This patch removes the second call.
-rw-r--r--src/providers/ldap/sdap_child_helpers.c21
-rw-r--r--src/util/sss_krb5.c102
-rw-r--r--src/util/sss_krb5.h4
3 files changed, 0 insertions, 127 deletions
diff --git a/src/providers/ldap/sdap_child_helpers.c b/src/providers/ldap/sdap_child_helpers.c
index eeb5e5f03..7a59a42ea 100644
--- a/src/providers/ldap/sdap_child_helpers.c
+++ b/src/providers/ldap/sdap_child_helpers.c
@@ -453,7 +453,6 @@ static errno_t set_tgt_child_timeout(struct tevent_req *req,
int setup_child(struct sdap_id_ctx *ctx)
{
int ret;
- const char *mech;
unsigned v;
FILE *debug_filep;
const char *realm;
@@ -463,26 +462,6 @@ int setup_child(struct sdap_id_ctx *ctx)
realm = dp_opt_get_string(ctx->opts->basic, SDAP_KRB5_REALM);
}
- mech = dp_opt_get_string(ctx->opts->basic,
- SDAP_SASL_MECH);
- if (!mech) {
- return EOK;
- }
-
- if (mech && (strcasecmp(mech, "GSSAPI") == 0)) {
- ret = sss_krb5_verify_keytab(dp_opt_get_string(ctx->opts->basic,
- SDAP_SASL_AUTHID),
- realm,
- dp_opt_get_string(ctx->opts->basic,
- SDAP_KRB5_KEYTAB));
-
- if (ret != EOK) {
- DEBUG(0, ("Could not verify keytab\n"));
- return ret;
- }
-
- }
-
if (debug_to_file != 0 && ldap_child_debug_fd == -1) {
ret = open_debug_file_ex("ldap_child", &debug_filep);
if (ret != EOK) {
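Review bot: Dropping `if (!mech) { return EOK; }` at the top of this hunk changes setup_child's control flow beyond removing the keytab check: when SDAP_SASL_MECH is unset the function no longer returns early and now continues into the debug-file setup that follows, whereas the commit message describes only removing the second keytab lookup. If that is intended, a one-line comment such as `/* keytab already verified during principal selection; no SASL-specific setup left here */` at the point of removal would make it explicit; if not, the early return and the `mech` lookup it depends on (also removed in the hunk above) should be kept. With the GSSAPI branch gone, `realm` is only assigned in this hunk and no longer passed anywhere visible; whether it is still read further down cannot be seen here, since setup_child continues past the end of the hunk.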
diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
index 24229f8b3..cce8d9021 100644
--- a/src/util/sss_krb5.c
+++ b/src/util/sss_krb5.c
@@ -200,108 +200,6 @@ done:
return ret;
}
-
-int sss_krb5_verify_keytab(const char *principal,
- const char *realm_str,
- const char *keytab_name)
-{
- krb5_context context = NULL;
- krb5_keytab keytab = NULL;
- krb5_error_code krberr;
- int ret;
- char *full_princ = NULL;
- char *realm_name = NULL;
- char *default_realm = NULL;
- TALLOC_CTX *tmp_ctx;
-
- tmp_ctx = talloc_new(NULL);
- if (!tmp_ctx) {
- return ENOMEM;
- }
-
- krberr = krb5_init_context(&context);
- if (krberr) {
- DEBUG(2, ("Failed to init kerberos context\n"));
- ret = EFAULT;
- goto done;
- }
-
- if (keytab_name) {
- krberr = krb5_kt_resolve(context, keytab_name, &keytab);
- } else {
- krberr = krb5_kt_default(context, &keytab);
- }
-
- if (krberr) {
- DEBUG(SSSDBG_FATAL_FAILURE,
- ("Failed to read keytab file: %s\n",
- KEYTAB_CLEAN_NAME,
- sss_krb5_get_error_message(context, krberr)));
- ret = EFAULT;
- goto done;
- }
-
- if (!realm_str) {
- krberr = krb5_get_default_realm(context, &default_realm);
- if (krberr) {
- DEBUG(2, ("Failed to get default realm name: %s\n",
- sss_krb5_get_error_message(context, krberr)));
- ret = EFAULT;
- goto done;
- }
-
- realm_name = talloc_strdup(tmp_ctx, default_realm);
- krb5_free_default_realm(context, default_realm);
- if (!realm_name) {
- ret = ENOMEM;
- goto done;
- }
- } else {
- realm_name = talloc_strdup(tmp_ctx, realm_str);
- if (!realm_name) {
- ret = ENOMEM;
- goto done;
- }
- }
-
- if (principal) {
- if (!strchr(principal, '@')) {
- full_princ = talloc_asprintf(tmp_ctx, "%s@%s",
- principal, realm_name);
- } else {
- full_princ = talloc_strdup(tmp_ctx, principal);
- }
- } else {
- char hostname[512];
-
- ret = gethostname(hostname, 511);
- if (ret == -1) {
- ret = errno;
- goto done;
- }
- hostname[511] = '\0';
-
- ret = select_principal_from_keytab(tmp_ctx, hostname, realm_name,
- keytab_name, &full_princ, NULL, NULL);
- if (ret) goto done;
- }
- if (!full_princ) {
- ret = ENOMEM;
- goto done;
- }
- DEBUG(4, ("Principal name is: [%s]\n", full_princ));
-
- ret = sss_krb5_verify_keytab_ex(full_princ, keytab_name, context, keytab);
- if (ret) goto done;
-
- ret = EOK;
-done:
- if (keytab) krb5_kt_close(context, keytab);
- if (context) krb5_free_context(context);
- talloc_free(tmp_ctx);
- return ret;
-}
-
int sss_krb5_verify_keytab_ex(const char *principal, const char *keytab_name,
krb5_context context, krb5_keytab keytab)
{
diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h
index 22d2c96eb..15dd1e6a6 100644
--- a/src/util/sss_krb5.h
+++ b/src/util/sss_krb5.h
@@ -71,10 +71,6 @@ krb5_error_code check_for_valid_tgt(krb5_context context,
krb5_ccache ccache, const char *realm,
const char *client_princ_str, bool *result);
-int sss_krb5_verify_keytab(const char *principal,
- const char *realm_str,
- const char *keytab_name);
-
int sss_krb5_verify_keytab_ex(const char *principal, const char *keytab_name,
krb5_context context, krb5_keytab keytab);