diff options
| author | Ondrej Kos <okos@redhat.com> | 2012-10-09 11:34:56 +0200 |
|---|---|---|
| committer | Jakub Hrozek <jhrozek@redhat.com> | 2012-10-10 22:32:47 +0200 |
| commit | 89cc2dac478c899aaaacb75d7448e3c651723f74 (patch) | |
| tree | bc8ccca5a1f154b4a32d29ec25b9f5704cfa8b60 | |
| parent | 245c6b5db07249ecead23263f15c5c68c641134d (diff) | |
| download | sssd-89cc2dac478c899aaaacb75d7448e3c651723f74.tar.gz sssd-89cc2dac478c899aaaacb75d7448e3c651723f74.tar.xz sssd-89cc2dac478c899aaaacb75d7448e3c651723f74.zip | |
Add more info about ticket validation
https://fedorahosted.org/sssd/ticket/1499
Adds log message about not finding appropriate entry in keytab and using
the last keytab entry when validation is enabled.
Adds more information about validation into manpage.
| -rw-r--r-- | src/man/sssd-krb5.5.xml | 8 | ||||
| -rw-r--r-- | src/providers/krb5/krb5_child.c | 8 |
2 files changed, 15 insertions, 1 deletions
diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml index f4fd1cb73..2e2e638da 100644 --- a/src/man/sssd-krb5.5.xml +++ b/src/man/sssd-krb5.5.xml @@ -231,7 +231,13 @@ <term>krb5_validate (boolean)</term> <listitem> <para> - Verify with the help of krb5_keytab that the TGT obtained has not been spoofed. + Verify with the help of krb5_keytab that the TGT + obtained has not been spoofed. The keytab is checked for + entries sequentially, and the first entry with matching + realm is used for validation. If no entry matches the last + one is used. This can be utilized to achieve validation in + enviroments with cross-realm trust by placing appropriate + keytab entry as the last one or the only one. </para> <para> Default: false diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index b2d5bdaeb..00da7ea35 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -696,6 +696,7 @@ static krb5_error_code validate_tgt(struct krb5_req *kr) krb5_keytab_entry entry; krb5_verify_init_creds_opt opt; krb5_principal validation_princ = NULL; + bool realm_entry_found = false; memset(&keytab, 0, sizeof(keytab)); kerr = krb5_kt_resolve(kr->ctx, kr->keytab, &keytab); @@ -736,10 +737,17 @@ static krb5_error_code validate_tgt(struct krb5_req *kr) if (krb5_realm_compare(kr->ctx, validation_princ, kr->princ)) { DEBUG(SSSDBG_TRACE_INTERNAL, ("Found keytab entry with the realm of the credential.\n")); + realm_entry_found = true; break; } } + if (!realm_entry_found) { + DEBUG(SSSDBG_TRACE_INTERNAL, + ("Keytab entry with the realm of the credential not found " + "in keytab. Using the last entry.\n")); + } + /* Close the keytab here. Even though we're using cursors, the file * handle is stored in the krb5_keytab structure, and it gets * overwritten when the verify_init_creds() call below creates its own |