authorJan Zeleny <jzeleny@redhat.com>2011-03-29 02:50:28 -0400
committerStephen Gallagher <sgallagh@redhat.com>2011-04-25 08:06:34 -0400
commitcfd79b92d3813ed53ef51ae2cf93be6287e73a27 (patch)
tree1607a23b6699d270cd6a783b0e7e9678100b5538 /src/providers/krb5
parent743475e5d730f1438bff4bb086600186adfe8311 (diff)
Extend and move function for finding principal in keytab
The function now supports finding a principal in the keytab not only by realm, but by both realm and the primary/instance parts. The function also supports a * wildcard at the beginning or at the end of the primary part of the principal. The function for finding a principal has been moved to util/sss_krb5.c, so it can be used in other parts of the code.
Diffstat (limited to 'src/providers/krb5')
-rw-r--r--src/providers/krb5/krb5_child.c82
1 files changed, 2 insertions, 80 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 335da423c..1ed63f6b2 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -30,6 +30,7 @@
#include <security/pam_modules.h>
#include "util/util.h"
+#include "util/sss_krb5.h"
#include "util/user_info_msg.h"
#include "providers/child_common.h"
#include "providers/dp_backend.h"
@@ -492,85 +493,6 @@ static errno_t add_ticket_times_to_response(struct krb5_req *kr)
return ret;
}
-static krb5_error_code find_principal_in_keytab(krb5_context ctx,
- krb5_keytab keytab,
- const char *realm,
- krb5_principal *princ)
-{
- krb5_error_code kerr;
- krb5_error_code kt_err;
- krb5_error_code kerr_d;
- krb5_kt_cursor cursor;
- krb5_keytab_entry entry;
- bool principal_found = false;
-
- memset(&cursor, 0, sizeof(cursor));
- kerr = krb5_kt_start_seq_get(ctx, keytab, &cursor);
- if (kerr != 0) {
- DEBUG(1, ("krb5_kt_start_seq_get failed.\n"));
- KRB5_DEBUG(1, kerr);
- return kerr;
- }
-
- /* We look for the first entry from our realm or take the last one */
- memset(&entry, 0, sizeof(entry));
- while ((kt_err = krb5_kt_next_entry(ctx, keytab, &entry, &cursor)) == 0) {
- if (krb5_princ_realm(ctx, entry.principal)->length == strlen(realm) &&
- strncmp(krb5_princ_realm(ctx, entry.principal)->data, realm,
- krb5_princ_realm(ctx, entry.principal)->length) == 0) {
- DEBUG(9, ("Found keytab entry with the realm of the credential.\n"));
- principal_found = true;
- break;
- }
-
- kerr = krb5_free_keytab_entry_contents(ctx, &entry);
- if (kerr != 0) {
- DEBUG(1, ("Failed to free keytab entry.\n"));
- }
- memset(&entry, 0, sizeof(entry));
- }
-
- /* Close the keytab here. Even though we're using cursors, the file
- * handle is stored in the krb5_keytab structure, and it gets
- * overwritten by other keytab calls, creating a leak. */
- kerr = krb5_kt_end_seq_get(ctx, keytab, &cursor);
- if (kerr != 0) {
- DEBUG(1, ("krb5_kt_end_seq_get failed.\n"));
- goto done;
- }
-
- if (!principal_found) {
- kerr = KRB5_KT_NOTFOUND;
- DEBUG(1, ("No principal from realm [%s] found in keytab.\n", realm));
- goto done;
- }
-
- /* check if we got any errors from krb5_kt_next_entry */
- if (kt_err != 0 && kt_err != KRB5_KT_END) {
- DEBUG(1, ("Error while reading keytab.\n"));
- KRB5_DEBUG(1, kerr);
- goto done;
- }
-
- kerr = krb5_copy_principal(ctx, entry.principal, princ);
- if (kerr != 0) {
- DEBUG(1, ("krb5_copy_principal failed.\n"));
- KRB5_DEBUG(1, kerr);
- goto done;
- }
-
- kerr = 0;
-
-done:
- kerr_d = krb5_free_keytab_entry_contents(ctx, &entry);
- if (kerr_d != 0) {
- DEBUG(1, ("Failed to free keytab entry.\n"));
- KRB5_DEBUG(1, kerr_d);
- }
-
- return kerr;
-}
-
static krb5_error_code validate_tgt(struct krb5_req *kr)
{
krb5_error_code kerr;
@@ -1338,7 +1260,7 @@ static krb5_error_code check_fast_ccache(krb5_context ctx, const char *realm,
goto done;
}
- kerr = find_principal_in_keytab(ctx, keytab, realm, &client_princ);
+ kerr = find_principal_in_keytab(ctx, keytab, NULL, realm, &client_princ);
if (kerr != 0) {
DEBUG(1, ("find_principal_in_keytab failed.\n"));
goto done;
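Review bot: The new call passes a bare `NULL` as the third argument of find_principal_in_keytab, and nothing at the call site says what a null primary selects; the commit message only implies it means "match on realm alone". I would annotate the call, e.g. `/* primary == NULL: any principal of this realm is acceptable as the FAST armor client — confirm against util/sss_krb5.c */`, since the old in-file comment "We look for the first entry from our realm or take the last one" leaves this file with the removed function and the selection rule is now recorded nowhere near the caller. The unchanged `DEBUG(1, ("find_principal_in_keytab failed.\n"));` that follows still drops the Kerberos error code; adding `KRB5_DEBUG(1, kerr);` beside it would preserve the error-code logging the removed function had. check_fast_ccache begins and ends outside the hunk.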