diff options
| author | Rob Crittenden <rcritten@redhat.com> | 2010-08-05 22:41:32 -0400 |
|---|---|---|
| committer | Rob Crittenden <rcritten@redhat.com> | 2010-08-16 17:13:56 -0400 |
| commit | 2f4f9054aac8bef83272d690a4868653a3a5bd0d (patch) | |
| tree | aa1ef1ff947f002337e32dda202c8135c1eeaad9 /ipa-client | |
| parent | 81ae7c3a605ba13c6479c7bccc44190228f8ed07 (diff) | |
| download | freeipa-2f4f9054aac8bef83272d690a4868653a3a5bd0d.tar.gz freeipa-2f4f9054aac8bef83272d690a4868653a3a5bd0d.tar.xz freeipa-2f4f9054aac8bef83272d690a4868653a3a5bd0d.zip | |
Enable a host to retrieve a keytab for all its services.
Using the host service principal one should be able to retrieve a keytab
for other services for the host using ipa-getkeytab. This required a number
of changes:
- allow hosts in the service's managedby to write krbPrincipalKey
- automatically add the host to managedby when a service is created
- fix ipa-getkeytab to return the entire prinicpal and not just the
first data element. It was returning "host" from the service tgt
and not host/ipa.example.com
- fix the display of the managedby attribute in the service plugin
This led to a number of changes in the service unit tests. I took the
opportunity to switch to the Declarative scheme and tripled the number
of tests we were doing. This shed some light on a few bugs in the plugin:
- if a service had a bad usercertificate it was impossible to delete the
service. I made it a bit more flexible.
- I added a summary for the mod and find commands
- has_keytab wasn't being set in the find output
ticket 68
Diffstat (limited to 'ipa-client')
| -rw-r--r-- | ipa-client/ipa-getkeytab.c | 36 |
1 files changed, 21 insertions, 15 deletions
diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c index d55355aab..4bbbf1c7c 100644 --- a/ipa-client/ipa-getkeytab.c +++ b/ipa-client/ipa-getkeytab.c @@ -69,14 +69,19 @@ static int ldap_sasl_interact(LDAP *ld, unsigned flags, void *priv_data, void *s sasl_interact_t *in = NULL; int ret = LDAP_OTHER; krb5_principal princ = (krb5_principal)priv_data; + krb5_context krbctx; + char *outname = NULL; if (!ld) return LDAP_PARAM_ERROR; + krb5_init_context(&krbctx); + for (in = sit; in && in->id != SASL_CB_LIST_END; in++) { switch(in->id) { case SASL_CB_USER: - in->result = princ->data[0].data; - in->len = princ->data[0].length; + krb5_unparse_name(krbctx, princ, &outname); + in->result = outname; + in->len = strlen(outname); ret = LDAP_SUCCESS; break; case SASL_CB_GETREALM: @@ -90,7 +95,8 @@ static int ldap_sasl_interact(LDAP *ld, unsigned flags, void *priv_data, void *s ret = LDAP_OTHER; } } - return ret; + krb5_free_context(krbctx); + return ret; } static void free_keys_contents(krb5_context krbctx, struct keys_container *keys) @@ -809,19 +815,19 @@ int main(int argc, char *argv[]) } if (NULL == bindpw) { - krberr = krb5_cc_default(krbctx, &ccache); - if (krberr) { - fprintf(stderr, "Kerberos Credential Cache not found\n" - "Do you have a Kerberos Ticket?\n"); - exit(5); - } + krberr = krb5_cc_default(krbctx, &ccache); + if (krberr) { + fprintf(stderr, "Kerberos Credential Cache not found\n" + "Do you have a Kerberos Ticket?\n"); + exit(5); + } - krberr = krb5_cc_get_principal(krbctx, ccache, &uprinc); - if (krberr) { - fprintf(stderr, "Kerberos User Principal not found\n" - "Do you have a valid Credential Cache?\n"); - exit(6); - } + krberr = krb5_cc_get_principal(krbctx, ccache, &uprinc); + if (krberr) { + fprintf(stderr, "Kerberos User Principal not found\n" + "Do you have a valid Credential Cache?\n"); + exit(6); + } } krberr = krb5_kt_resolve(krbctx, ktname, &kt); |