From 2f4e8fbdf1d4ba1e00fcab93af91fe4f4f40250d Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Tue, 20 Jul 2010 18:35:50 +0200 Subject: Validate keytab at startup In addition to validating the keytab everytime a TGT is requested, we also validate the keytab on back end startup to give early warning that the keytab is not usable. Fixes: #556 --- src/providers/ldap/sdap_child_helpers.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'src/providers/ldap/sdap_child_helpers.c') diff --git a/src/providers/ldap/sdap_child_helpers.c b/src/providers/ldap/sdap_child_helpers.c index 58b757ef..1b122485 100644 --- a/src/providers/ldap/sdap_child_helpers.c +++ b/src/providers/ldap/sdap_child_helpers.c @@ -29,6 +29,7 @@ #include #include "util/util.h" +#include "util/sss_krb5.h" #include "providers/ldap/ldap_common.h" #include "providers/ldap/sdap_async_private.h" #include "providers/child_common.h" @@ -455,6 +456,21 @@ int setup_child(struct sdap_id_ctx *ctx) return EOK; } + if (mech && (strcasecmp(mech, "GSSAPI") == 0)) { + ret = sss_krb5_verify_keytab(dp_opt_get_string(ctx->opts->basic, + SDAP_SASL_AUTHID), + dp_opt_get_string(ctx->opts->basic, + SDAP_KRB5_REALM), + dp_opt_get_string(ctx->opts->basic, + SDAP_KRB5_KEYTAB)); + + if (ret != EOK) { + DEBUG(0, ("Could not verify keytab\n")) + return ret; + } + + } + if (debug_to_file != 0 && ldap_child_debug_fd == -1) { ret = open_debug_file_ex("ldap_child", &debug_filep); if (ret != EOK) { -- cgit
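Review bot: The failure branch in the added GSSAPI block logs only `Could not verify keytab`, so a back end that now refuses to start tells the operator neither the error code nor which keytab or principal was checked; something like `DEBUG(0, ("Could not verify keytab [%d]: %s\n", ret, strerror(ret)));` would help, assuming `ret` is an errno-style code. The `DEBUG(...)` line as committed has no terminating semicolon, so it compiles only if the macro expansion supplies one. The three `dp_opt_get_string()` results are passed on unchecked; whether `sss_krb5_verify_keytab()` accepts NULL for an unset authid, realm or keytab is not visible here and is worth confirming, since an unset option would now surface as a startup failure. `setup_child` begins and ends outside the hunk, so whether the early `return ret` skips any cleanup cannot be judged from these lines.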