authorJakub Hrozek <jhrozek@redhat.com>2010-07-20 18:35:50 +0200
committerStephen Gallagher <sgallagh@redhat.com>2010-08-03 13:50:28 -0400
commit2f4e8fbdf1d4ba1e00fcab93af91fe4f4f40250d (patch)
tree555aa8943fe4bf30d52d2dd64bde1fe5692b0b09 /src/providers/ldap/sdap_child_helpers.c
parent13d90c2ae8413317947d392c89fffca10ec83587 (diff)
Validate keytab at startup
In addition to validating the keytab every time a TGT is requested, we also validate the keytab on back end startup to give early warning that the keytab is not usable. Fixes: #556
Diffstat (limited to 'src/providers/ldap/sdap_child_helpers.c')
-rw-r--r--src/providers/ldap/sdap_child_helpers.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/src/providers/ldap/sdap_child_helpers.c b/src/providers/ldap/sdap_child_helpers.c
index 58b757efd..1b1224859 100644
--- a/src/providers/ldap/sdap_child_helpers.c
+++ b/src/providers/ldap/sdap_child_helpers.c
@@ -29,6 +29,7 @@
#include <fcntl.h>
#include "util/util.h"
+#include "util/sss_krb5.h"
#include "providers/ldap/ldap_common.h"
#include "providers/ldap/sdap_async_private.h"
#include "providers/child_common.h"
@@ -455,6 +456,21 @@ int setup_child(struct sdap_id_ctx *ctx)
return EOK;
}
+ if (mech && (strcasecmp(mech, "GSSAPI") == 0)) {
+ ret = sss_krb5_verify_keytab(dp_opt_get_string(ctx->opts->basic,
+ SDAP_SASL_AUTHID),
+ dp_opt_get_string(ctx->opts->basic,
+ SDAP_KRB5_REALM),
+ dp_opt_get_string(ctx->opts->basic,
+ SDAP_KRB5_KEYTAB));
+
+ if (ret != EOK) {
+ DEBUG(0, ("Could not verify keytab\n"))
+ return ret;
+ }
+
+ }
+
if (debug_to_file != 0 && ldap_child_debug_fd == -1) {
ret = open_debug_file_ex("ldap_child", &debug_filep);
if (ret != EOK) {
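Review bot: The failure branch at `DEBUG(0, ("Could not verify keytab\n"))` gives an administrator nothing to act on: it logs neither `ret` nor which keytab and principal were checked, and the following `return ret;` makes setup_child fail, which is stronger than the "early warning" the description promises. I would log the code, e.g. `DEBUG(0, ("Could not verify keytab [%d]\n", ret));`, and add the terminating semicolon, since the line as written compiles only if the DEBUG macro supplies its own. The three `dp_opt_get_string()` results are passed straight through, so it is worth confirming that sss_krb5_verify_keytab accepts NULL for an unset authid, realm or keytab option. setup_child begins and ends outside this hunk, and `mech` is assigned outside it.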