Validate keytab at startup

In addition to validating the keytab everytime a TGT is requested, we
also validate the keytab on back end startup to give early warning that
the keytab is not usable.

Fixes: #556

1 files changed, 9 insertions, 0 deletions

diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h
index 60994e123..bc7a4f8a2 100644
--- a/src/util/sss_krb5.h
+++ b/src/util/sss_krb5.h
@@ -24,6 +24,7 @@
 #include "config.h"
 
 #include <stdbool.h>
+#include <talloc.h>
 
 #ifdef HAVE_KRB5_KRB5_H
 #include <krb5/krb5.h>
@@ -47,4 +48,12 @@ void KRB5_CALLCONV sss_krb5_free_unparsed_name(krb5_context context, char *name)
 
 krb5_error_code check_for_valid_tgt(const char *ccname, const char *realm,
                                     const char *client_princ_str, bool *result);
+
+int sss_krb5_verify_keytab(const char *principal,
+                           const char *realm_str,
+                           const char *keytab_name);
+
+int sss_krb5_verify_keytab_ex(const char *principal, const char *keytab_name,
+                              krb5_context context, krb5_keytab keytab);
+
 #endif /* __SSS_KRB5_H__ */