From 0348c74bad010d35f92400c749a7acc2fea8b2cb Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Sat, 11 Oct 2014 17:39:21 +0200
Subject: LDAP: Move sss_krb5_verify_keytab_ex to ldap_child
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The function was called from one place only, so it makes no sense to keep it in a shared module. Moreover, the function should only be called from code that runs as root.

Reviewed-by: Michal Židek
---
 src/util/sss_krb5.c | 76 ----------------------------------------------------
 src/util/sss_krb5.h | 3 ---
 2 files changed, 79 deletions(-)
(limited to 'src/util')

diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
index b4012593..9eb34e17 100644
--- a/src/util/sss_krb5.c
+++ b/src/util/sss_krb5.c
@@ -247,82 +247,6 @@ done:
 return ret;
 }
 
-int sss_krb5_verify_keytab_ex(const char *principal, const char *keytab_name,
- krb5_context context, krb5_keytab keytab)
-{
- bool found;
- char *kt_principal;
- krb5_error_code krberr;
- krb5_kt_cursor cursor;
- krb5_keytab_entry entry;
-
- krberr = krb5_kt_start_seq_get(context, keytab, &cursor);
- if (krberr) {
- DEBUG(SSSDBG_FATAL_FAILURE,
- "Cannot read keytab [%s].\n", KEYTAB_CLEAN_NAME);
-
- sss_log(SSS_LOG_ERR, "Error reading keytab file [%s]: [%d][%s]. "
- "Unable to create GSSAPI-encrypted LDAP "
- "connection.",
- KEYTAB_CLEAN_NAME, krberr,
- sss_krb5_get_error_message(context, krberr));
-
- return EIO;
- }
-
- found = false;
- while((krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){
- krberr = krb5_unparse_name(context, entry.principal, &kt_principal);
- if (krberr) {
- DEBUG(SSSDBG_FATAL_FAILURE,
- "Could not parse keytab entry\n");
- sss_log(SSS_LOG_ERR, "Could not parse keytab entry\n");
- return EIO;
- }
-
- if (strcmp(principal, kt_principal) == 0) {
- found = true;
- }
- free(kt_principal);
- krberr = sss_krb5_free_keytab_entry_contents(context, &entry);
- if (krberr) {
- /* This should never happen. The API docs for this function
- * specify only success for this function
- */
- DEBUG(SSSDBG_CRIT_FAILURE,"Could not free keytab entry contents\n");
- /* This is non-fatal, so we'll continue here */
- }
-
- if (found) {
- break;
- }
- }
-
- krberr = krb5_kt_end_seq_get(context, keytab, &cursor);
- if (krberr) {
- DEBUG(SSSDBG_FATAL_FAILURE, "Could not close keytab.\n");
- sss_log(SSS_LOG_ERR, "Could not close keytab file [%s].",
- KEYTAB_CLEAN_NAME);
- return EIO;
- }
-
- if (!found) {
- DEBUG(SSSDBG_FATAL_FAILURE,
- "Principal [%s] not found in keytab [%s]\n",
- principal,
- KEYTAB_CLEAN_NAME);
- sss_log(SSS_LOG_ERR, "Error processing keytab file [%s]: "
- "Principal [%s] was not found. 
"
- "Unable to create GSSAPI-encrypted LDAP connection.",
- KEYTAB_CLEAN_NAME, principal);
-
- return EFAULT;
- }
-
- return EOK;
-}
-
-
 enum matching_mode {MODE_NORMAL, MODE_PREFIX, MODE_POSTFIX};
 /**
 * We only have primary and instances stored separately, we need to
diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h
index 83c72097..afa0d194 100644
--- a/src/util/sss_krb5.h
+++ b/src/util/sss_krb5.h
@@ -70,9 +70,6 @@ void KRB5_CALLCONV sss_krb5_get_init_creds_opt_free (krb5_context context,
 
 void KRB5_CALLCONV sss_krb5_free_unparsed_name(krb5_context context, char *name);
 
-int sss_krb5_verify_keytab_ex(const char *principal, const char *keytab_name,
- krb5_context context, krb5_keytab keytab);
-
 krb5_error_code find_principal_in_keytab(krb5_context ctx,
 krb5_keytab keytab,
 const char *pattern_primary,
-- cgit