From 2f4e8fbdf1d4ba1e00fcab93af91fe4f4f40250d Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 20 Jul 2010 18:35:50 +0200
Subject: Validate keytab at startup

In addition to validating the keytab everytime a TGT is requested, we
also validate the keytab on back end startup to give early warning that
the keytab is not usable.

Fixes: #556
---
 src/providers/ldap/ldap_child.c | 51 +++--------------------------------------
 1 file changed, 3 insertions(+), 48 deletions(-)

(limited to 'src/providers/ldap/ldap_child.c')

diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index 17c26855e..f51040a7f 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -143,10 +143,6 @@ static int ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
     krb5_error_code krberr;
     krb5_timestamp kdc_time_offset;
     int kdc_time_offset_usec;
-    krb5_kt_cursor cursor;
-    krb5_keytab_entry entry;
-    char *principal;
-    bool found;
     int ret;
 
     krberr = krb5_init_context(&context);
@@ -227,50 +223,9 @@ static int ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
     }
 
     /* Verify the keytab */
-    krberr = krb5_kt_start_seq_get(context, keytab, &cursor);
-    if (krberr) {
-        DEBUG(0, ("Cannot read keytab [%s].\n", keytab_name));
-
-        sss_log(SSS_LOG_ERR, "Error reading keytab file [%s]: [%d][%s]. "
-                             "Unable to create GSSAPI-encrypted LDAP connection.",
-                             keytab_name, krberr,
-                             sss_krb5_get_error_message(context, krberr));
-
-        ret = EFAULT;
-        goto done;
-    }
-
-    found = false;
-    while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){
-        krb5_unparse_name(context, entry.principal, &principal);
-        if (strcmp(full_princ, principal) == 0) {
-            found = true;
-        }
-        free(principal);
-        krb5_free_keytab_entry_contents(context, &entry);
-
-        if (found) {
-            break;
-        }
-    }
-    krberr = krb5_kt_end_seq_get(context, keytab, &cursor);
-    if (krberr) {
-        DEBUG(0, ("Could not close keytab.\n"));
-        sss_log(SSS_LOG_ERR, "Could not close keytab file [%s].",
-                             keytab_name);
-        ret = EFAULT;
-        goto done;
-    }
-
-    if (!found) {
-        DEBUG(0, ("Principal [%s] not found in keytab [%s]\n",
-                  full_princ, keytab_name));
-        sss_log(SSS_LOG_ERR, "Error processing keytab file [%s]: "
-                             "Principal [%s] was not found. "
-                             "Unable to create GSSAPI-encrypted LDAP connection.",
-                             keytab_name, full_princ);
-
-        ret = EFAULT;
+    ret = sss_krb5_verify_keytab_ex(full_princ, keytab_name, context, keytab);
+    if (ret) {
+        DEBUG(2, ("Unable to verify principal is present in the keytab\n"));
         goto done;
     }
 
-- 
cgit