-rw-r--r--aclocal/kerberos5.m44
-rw-r--r--utils/gssd/context_heimdal.c10
-rw-r--r--utils/gssd/krb5_util.c62
-rw-r--r--utils/gssd/krb5_util.h2
4 files changed, 55 insertions, 23 deletions
diff --git a/aclocal/kerberos5.m4 b/aclocal/kerberos5.m4
index b83e122..2475f50 100644
--- a/aclocal/kerberos5.m4
+++ b/aclocal/kerberos5.m4
@@ -93,6 +93,10 @@ AC_DEFUN([AC_KERBEROS_V5],[
AC_CHECK_LIB($gssapi_lib, gss_krb5_ccache_name,
AC_DEFINE(HAVE_GSS_KRB5_CCACHE_NAME, 1, [Define this if the Kerberos GSS library supports gss_krb5_ccache_name]), ,$KRBLIBS)
+ dnl Check for newer error message facility
+ AC_CHECK_LIB($gssapi_lib, krb5_get_error_message,
+ AC_DEFINE(HAVE_KRB5_GET_ERROR_MESSAGE, 1, [Define this if the function krb5_get_error_message is available]), ,$KRBLIBS)
+
dnl If they specified a directory and it didn't work, give them a warning
if test "x$krb5_with" != "x" -a "$krb5_with" != "$KRBDIR"; then
AC_MSG_WARN(Using $KRBDIR instead of requested value of $krb5_with for Kerberos!)
diff --git a/utils/gssd/context_heimdal.c b/utils/gssd/context_heimdal.c
index 5520cbc..6fb8fbd 100644
--- a/utils/gssd/context_heimdal.c
+++ b/utils/gssd/context_heimdal.c
@@ -72,14 +72,14 @@ int write_heimdal_enc_key(char **p, char *end, gss_ctx_id_t ctx)
if ((ret = krb5_init_context(&context))) {
printerr(0, "ERROR: initializing krb5_context: %s\n",
- error_message(ret));
+ gssd_k5_err_msg(NULL, ret));
goto out_err;
}
if ((ret = krb5_auth_con_getlocalsubkey(context,
ctx->auth_context, &key))){
printerr(0, "ERROR: getting auth_context key: %s\n",
- error_message(ret));
+ gssd_k5_err_msg(context, ret));
goto out_err_free_context;
}
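Review bot: None of the hunks for context_heimdal.c adds an `#include`, while the prototype for `gssd_k5_err_msg` is added to krb5_util.h, so it is worth confirming that this file already includes that header. If it does not, a pre-C99 compiler will implicitly declare the function as returning `int`, and the value passed to `%s` in these `printerr` calls would be a truncated pointer on 64-bit builds. If the include is missing, add `#include "krb5_util.h"` alongside the file's existing includes. Passing `NULL` for the context after a failed `krb5_init_context()` is the right choice here; the same pattern repeats in `write_heimdal_seq_key`.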
@@ -97,7 +97,7 @@ int write_heimdal_enc_key(char **p, char *end, gss_ctx_id_t ctx)
calloc(1, enc_key.keyvalue.length)) == NULL) {
printerr(0, "ERROR: allocating memory for enc key: %s\n",
- error_message(ENOMEM));
+ gssd_k5_err_msg(context, ENOMEM));
goto out_err_free_key;
}
skd = (char *) key->keyvalue.data;
@@ -130,14 +130,14 @@ int write_heimdal_seq_key(char **p, char *end, gss_ctx_id_t ctx)
if ((ret = krb5_init_context(&context))) {
printerr(0, "ERROR: initializing krb5_context: %s\n",
- error_message(ret));
+ gssd_k5_err_msg(NULL, ret));
goto out_err;
}
if ((ret = krb5_auth_con_getlocalsubkey(context,
ctx->auth_context, &key))){
printerr(0, "ERROR: getting auth_context key: %s\n",
- error_message(ret));
+ gssd_k5_err_msg(context, ret));
goto out_err_free_context;
}
diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index 50773b1..87bd7e4 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -363,7 +363,7 @@ gssd_get_single_krb5_cred(krb5_context context,
kt, 0, NULL, &options))) {
printerr(0, "WARNING: %s while getting initial ticket for "
"principal '%s' using keytab '%s'\n",
- error_message(code),
+ gssd_k5_err_msg(context, code),
pname ? pname : "<unparsable>", kt_name);
goto out;
}
@@ -392,17 +392,18 @@ gssd_get_single_krb5_cred(krb5_context context,
}
if ((code = krb5_cc_resolve(context, cc_name, &ccache))) {
printerr(0, "ERROR: %s while opening credential cache '%s'\n",
- error_message(code), cc_name);
+ gssd_k5_err_msg(context, code), cc_name);
goto out;
}
if ((code = krb5_cc_initialize(context, ccache, ple->princ))) {
printerr(0, "ERROR: %s while initializing credential "
- "cache '%s'\n", error_message(code), cc_name);
+ "cache '%s'\n", gssd_k5_err_msg(context, code),
+ cc_name);
goto out;
}
if ((code = krb5_cc_store_cred(context, ccache, &my_creds))) {
printerr(0, "ERROR: %s while storing credentials in '%s'\n",
- error_message(code), cc_name);
+ gssd_k5_err_msg(context, code), cc_name);
goto out;
}
@@ -652,14 +653,14 @@ gssd_search_krb5_keytab(krb5_context context, krb5_keytab kt,
*/
if ((code = krb5_kt_get_name(context, kt, kt_name, BUFSIZ))) {
printerr(0, "ERROR: %s attempting to get keytab name\n",
- error_message(code));
+ gssd_k5_err_msg(context, code));
retval = code;
goto out;
}
if ((code = krb5_kt_start_seq_get(context, kt, &cursor))) {
printerr(0, "ERROR: %s while beginning keytab scan "
"for keytab '%s'\n",
- error_message(code), kt_name);
+ gssd_k5_err_msg(context, code), kt_name);
retval = code;
goto out;
}
@@ -669,7 +670,7 @@ gssd_search_krb5_keytab(krb5_context context, krb5_keytab kt,
&pname))) {
printerr(0, "WARNING: Skipping keytab entry because "
"we failed to unparse principal name: %s\n",
- error_message(code));
+ gssd_k5_err_msg(context, code));
k5_free_kt_entry(context, kte);
continue;
}
@@ -705,7 +706,7 @@ gssd_search_krb5_keytab(krb5_context context, krb5_keytab kt,
if ((code = krb5_kt_end_seq_get(context, kt, &cursor))) {
printerr(0, "WARNING: %s while ending keytab scan for "
"keytab '%s'\n",
- error_message(code), kt_name);
+ gssd_k5_err_msg(context, code), kt_name);
}
retval = 0;
@@ -743,7 +744,7 @@ find_keytab_entry(krb5_context context, krb5_keytab kt, const char *hostname,
retval = gethostname(myhostname, sizeof(myhostname));
if (retval) {
printerr(1, "%s while getting local hostname\n",
- error_message(retval));
+ gssd_k5_err_msg(context, retval));
goto out;
}
retval = get_full_hostname(myhostname, myhostname, sizeof(myhostname));
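Review bot: `gethostname()` signals failure by returning -1 and leaving the reason in `errno`, so `gssd_k5_err_msg(context, retval)` in this hunk asks the Kerberos library to describe code -1 and the log line loses the real cause. This is not a krb5 error code at all; the plain libc text is the right source, e.g. `printerr(1, "%s while getting local hostname\n", strerror(errno));`. The body of `find_keytab_entry` starts and ends outside this hunk, so whether `retval` is later returned as-is cannot be seen from here.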
@@ -754,7 +755,7 @@ find_keytab_entry(krb5_context context, krb5_keytab kt, const char *hostname,
if (code) {
retval = code;
printerr(1, "%s while getting default realm name\n",
- error_message(code));
+ gssd_k5_err_msg(context, code));
goto out;
}
@@ -767,7 +768,7 @@ find_keytab_entry(krb5_context context, krb5_keytab kt, const char *hostname,
code = krb5_get_host_realm(context, targethostname, &realmnames);
if (code) {
printerr(0, "ERROR: %s while getting realm(s) for host '%s'\n",
- error_message(code), targethostname);
+ gssd_k5_err_msg(context, code), targethostname);
retval = code;
goto out;
}
@@ -799,7 +800,8 @@ find_keytab_entry(krb5_context context, krb5_keytab kt, const char *hostname,
NULL);
if (code) {
printerr(1, "%s while building principal for "
- "'%s/%s@%s'\n", error_message(code),
+ "'%s/%s@%s'\n",
+ gssd_k5_err_msg(context, code),
svcnames[j], myhostname, realm);
continue;
}
@@ -807,7 +809,8 @@ find_keytab_entry(krb5_context context, krb5_keytab kt, const char *hostname,
krb5_free_principal(context, princ);
if (code) {
printerr(3, "%s while getting keytab entry for "
- "'%s/%s@%s'\n", error_message(code),
+ "'%s/%s@%s'\n",
+ gssd_k5_err_msg(context, code),
svcnames[j], myhostname, realm);
} else {
printerr(3, "Success getting keytab entry for "
@@ -984,7 +987,7 @@ gssd_destroy_krb5_machine_creds(void)
code = krb5_init_context(&context);
if (code) {
printerr(0, "ERROR: %s while initializing krb5\n",
- error_message(code));
+ gssd_k5_err_msg(NULL, code));
goto out;
}
@@ -994,14 +997,14 @@ gssd_destroy_krb5_machine_creds(void)
if ((code = krb5_cc_resolve(context, ple->ccname, &ccache))) {
printerr(0, "WARNING: %s while resolving credential "
"cache '%s' for destruction\n",
- error_message(code), ple->ccname);
+ gssd_k5_err_msg(context, code), ple->ccname);
continue;
}
if ((code = krb5_cc_destroy(context, ccache))) {
printerr(0, "WARNING: %s while destroying credential "
"cache '%s'\n",
- error_message(code), ple->ccname);
+ gssd_k5_err_msg(context, code), ple->ccname);
}
}
out:
@@ -1026,14 +1029,15 @@ gssd_refresh_krb5_machine_credential(char *hostname,
code = krb5_init_context(&context);
if (code) {
printerr(0, "ERROR: %s: %s while initializing krb5 context\n",
- __FUNCTION__, error_message(code));
+ __FUNCTION__, gssd_k5_err_msg(NULL, code));
retval = code;
goto out;
}
if ((code = krb5_kt_resolve(context, keytabfile, &kt))) {
printerr(0, "ERROR: %s: %s while resolving keytab '%s'\n",
- __FUNCTION__, error_message(code), keytabfile);
+ __FUNCTION__, gssd_k5_err_msg(context, code),
+ keytabfile);
goto out;
}
@@ -1073,3 +1077,25 @@ out:
return retval;
}
+/*
+ * A common routine for getting the Kerberos error message
+ */
+const char *
+gssd_k5_err_msg(krb5_context context, krb5_error_code code)
+{
+ const char *msg = NULL;
+#if HAVE_KRB5_GET_ERROR_MESSAGE
+ if (context != NULL)
+ msg = krb5_get_error_message(context, code);
+#endif
+ if (msg != NULL)
+ return msg;
+#if HAVE_KRB5
+ return error_message(code);
+#else
+ if (context != NULL)
+ return krb5_get_err_text(context, code);
+ else
+ return error_message(code);
+#endif
+}
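Review bot: The string that `krb5_get_error_message()` returns in `gssd_k5_err_msg` is allocated by the library and is meant to be released with `krb5_free_error_message()`, but every call site in this patch hands it straight to `printerr` and never frees it, so each logged Kerberos error leaks a message buffer. In a long-running daemon this matters on any error path that can be hit repeatedly (failed keytab lookups, credential-cache errors). The helper also returns library-owned and static strings through the same `const char *`, so a caller cannot tell which results need freeing. Either return a heap copy from every branch and free it at the call sites, or copy into storage the helper owns as sketched below; the sketch is not reentrant and allows only one call per `printerr` argument list. Separately, `#if HAVE_KRB5_GET_ERROR_MESSAGE` and `#if HAVE_KRB5` would be more robust as `#ifdef`, matching `#ifdef HAVE_SET_ALLOWABLE_ENCTYPES` in krb5_util.h.

```c
const char *
gssd_k5_err_msg(krb5_context context, krb5_error_code code)
{
	static char buf[256];	/* owned by this helper; not reentrant */
#ifdef HAVE_KRB5_GET_ERROR_MESSAGE
	if (context != NULL) {
		const char *msg = krb5_get_error_message(context, code);

		if (msg != NULL) {
			snprintf(buf, sizeof(buf), "%s", msg);
			/* release the library-allocated text once copied */
			krb5_free_error_message(context, msg);
			return buf;
		}
	}
#endif
	/* … unchanged: error_message() / krb5_get_err_text() fallbacks … */
```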
diff --git a/utils/gssd/krb5_util.h b/utils/gssd/krb5_util.h
index 9cac202..78ad45c 100644
--- a/utils/gssd/krb5_util.h
+++ b/utils/gssd/krb5_util.h
@@ -24,6 +24,8 @@ void gssd_setup_krb5_machine_gss_ccache(char *servername);
void gssd_destroy_krb5_machine_creds(void);
int gssd_refresh_krb5_machine_credential(char *hostname,
struct gssd_k5_kt_princ *ple);
+const char *
+gssd_k5_err_msg(krb5_context context, krb5_error_code code);
#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
int limit_krb5_enctypes(struct rpc_gss_sec *sec, uid_t uid);