From 2f4f9054aac8bef83272d690a4868653a3a5bd0d Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Thu, 5 Aug 2010 22:41:32 -0400 Subject: Enable a host to retrieve a keytab for all its services. Using the host service principal one should be able to retrieve a keytab for other services for the host using ipa-getkeytab. This required a number of changes: - allow hosts in the service's managedby to write krbPrincipalKey - automatically add the host to managedby when a service is created - fix ipa-getkeytab to return the entire prinicpal and not just the first data element. It was returning "host" from the service tgt and not host/ipa.example.com - fix the display of the managedby attribute in the service plugin This led to a number of changes in the service unit tests. I took the opportunity to switch to the Declarative scheme and tripled the number of tests we were doing. This shed some light on a few bugs in the plugin: - if a service had a bad usercertificate it was impossible to delete the service. I made it a bit more flexible. - I added a summary for the mod and find commands - has_keytab wasn't being set in the find output ticket 68 --- ipa-client/ipa-getkeytab.c | 36 +++++++++++++++++++++--------------- 1 file changed, 21 insertions(+), 15 deletions(-) (limited to 'ipa-client') diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c index d55355aab..4bbbf1c7c 100644 --- a/ipa-client/ipa-getkeytab.c +++ b/ipa-client/ipa-getkeytab.c @@ -69,14 +69,19 @@ static int ldap_sasl_interact(LDAP *ld, unsigned flags, void *priv_data, void *s sasl_interact_t *in = NULL; int ret = LDAP_OTHER; krb5_principal princ = (krb5_principal)priv_data; + krb5_context krbctx; + char *outname = NULL; if (!ld) return LDAP_PARAM_ERROR; + krb5_init_context(&krbctx); + for (in = sit; in && in->id != SASL_CB_LIST_END; in++) { switch(in->id) { case SASL_CB_USER: - in->result = princ->data[0].data; - in->len = princ->data[0].length; + krb5_unparse_name(krbctx, princ, &outname); + in->result = outname; + in->len = strlen(outname); ret = LDAP_SUCCESS; break; case SASL_CB_GETREALM: @@ -90,7 +95,8 @@ static int ldap_sasl_interact(LDAP *ld, unsigned flags, void *priv_data, void *s ret = LDAP_OTHER; } } - return ret; + krb5_free_context(krbctx); + return ret; } static void free_keys_contents(krb5_context krbctx, struct keys_container *keys) @@ -809,19 +815,19 @@ int main(int argc, char *argv[]) } if (NULL == bindpw) { - krberr = krb5_cc_default(krbctx, &ccache); - if (krberr) { - fprintf(stderr, "Kerberos Credential Cache not found\n" - "Do you have a Kerberos Ticket?\n"); - exit(5); - } + krberr = krb5_cc_default(krbctx, &ccache); + if (krberr) { + fprintf(stderr, "Kerberos Credential Cache not found\n" + "Do you have a Kerberos Ticket?\n"); + exit(5); + } - krberr = krb5_cc_get_principal(krbctx, ccache, &uprinc); - if (krberr) { - fprintf(stderr, "Kerberos User Principal not found\n" - "Do you have a valid Credential Cache?\n"); - exit(6); - } + krberr = krb5_cc_get_principal(krbctx, ccache, &uprinc); + if (krberr) { + fprintf(stderr, "Kerberos User Principal not found\n" + "Do you have a valid Credential Cache?\n"); + exit(6); + } } krberr = krb5_kt_resolve(krbctx, ktname, &kt); -- cgit