authorAndrew Bartlett <abartlet@samba.org>2010-10-02 07:12:48 +1000
committerAndrew Bartlett <abartlet@samba.org>2010-10-02 00:16:52 +0000
commit87698dc2a1adb52c381b35f5cc80437f91e75798 (patch)
treef55a98cbe974717402bd855349b5d7325e5fc81e
parent7b9a6645b11dff64e04c2ddb0cabc9145c0f029f (diff)
downloadsamba-87698dc2a1adb52c381b35f5cc80437f91e75798.tar.gz
samba-87698dc2a1adb52c381b35f5cc80437f91e75798.tar.bz2
samba-87698dc2a1adb52c381b35f5cc80437f91e75798.zip
s4-kerberos Don't regenerate key values for each alias in keytab
Instead, store the same key value under each of the alias names.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Sat Oct 2 00:16:52 UTC 2010 on sn-devel-104
-rw-r--r--source4/auth/kerberos/kerberos_util.c78
1 files changed, 35 insertions, 43 deletions
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index f83fd786c0..27cbeb06a2 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -507,8 +507,7 @@ krb5_error_code smb_krb5_open_keytab(TALLOC_CTX *mem_ctx,
}
static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx,
- const char *princ_string,
- krb5_principal princ,
+ struct principal_container **principals,
krb5_principal salt_princ,
int kvno,
const char *password_s,
@@ -517,13 +516,9 @@ static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx,
krb5_keytab keytab,
const char **error_string)
{
- int i;
+ unsigned int i, p;
krb5_error_code ret;
krb5_data password;
- TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
- if (!mem_ctx) {
- return ENOMEM;
- }
password.data = discard_const_p(char *, password_s);
password.length = strlen(password_s);
@@ -536,32 +531,33 @@ static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx,
ret = create_kerberos_key_from_string(smb_krb5_context->krb5_context,
salt_princ, &password, &entry.keyblock, enctypes[i]);
if (ret != 0) {
- talloc_free(mem_ctx);
return ret;
}
- entry.principal = princ;
- entry.vno = kvno;
- ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, keytab, &entry);
- if (ret != 0) {
- *error_string = talloc_asprintf(parent_ctx, "Failed to add enctype %d entry for %s(kvno %d) to keytab: %s\n",
- (int)enctypes[i],
- princ_string,
- kvno,
- smb_get_krb5_error_message(smb_krb5_context->krb5_context,
- ret, mem_ctx));
- talloc_free(mem_ctx);
- krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
- return ret;
- }
+ entry.vno = kvno;
+
+ for (p=0; principals[p]; p++) {
+ entry.principal = principals[p]->principal;
+ ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, keytab, &entry);
+ if (ret != 0) {
+ char *k5_error_string = smb_get_krb5_error_message(smb_krb5_context->krb5_context,
+ ret, NULL);
+ *error_string = talloc_asprintf(parent_ctx, "Failed to add enctype %d entry for %s(kvno %d) to keytab: %s\n",
+ (int)enctypes[i],
+ principals[p]->string_form,
+ kvno,
+ k5_error_string);
+ talloc_free(k5_error_string);
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
+ return ret;
+ }
- DEBUG(5, ("Added %s(kvno %d) to keytab (enctype %d)\n",
- princ_string, kvno,
- (int)enctypes[i]));
-
+ DEBUG(5, ("Added %s(kvno %d) to keytab (enctype %d)\n",
+ principals[p]->string_form, kvno,
+ (int)enctypes[i]));
+ }
krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
}
- talloc_free(mem_ctx);
return 0;
}
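Review bot: In the krb5_kt_add_entry failure path the error text is allocated on the NULL talloc context (`smb_get_krb5_error_message(..., ret, NULL)`) and then formatted with `%s` before any check; if the helper can return NULL on allocation failure (its contract is not visible here), talloc_asprintf is handed a NULL `%s` argument. Since `*error_string` is already placed on `parent_ctx`, the simpler form is `char *k5_error_string = smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, parent_ctx);` with the separate `talloc_free(k5_error_string);` dropped, so the string shares the caller's lifetime and no NULL-context allocation is needed. Note also that an empty `principals` array now derives and discards every key and returns 0 with nothing written, which callers may want reported rather than treated as success. The enclosing enctypes loop starts before this hunk.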
@@ -573,7 +569,6 @@ static krb5_error_code create_keytab(TALLOC_CTX *parent_ctx,
bool add_old,
const char **error_string)
{
- unsigned int i;
krb5_error_code ret;
const char *password_s;
const char *old_secret;
@@ -624,27 +619,24 @@ static krb5_error_code create_keytab(TALLOC_CTX *parent_ctx,
return ret;
}
- /* Walk over the principals */
- for (i=0; principals[i]; i++) {
- ret = keytab_add_keys(mem_ctx, principals[i]->string_form, principals[i]->principal,
+ ret = keytab_add_keys(mem_ctx, principals,
+ salt_princ,
+ kvno, password_s, smb_krb5_context,
+ enctypes, keytab, error_string);
+ if (ret) {
+ talloc_free(mem_ctx);
+ return ret;
+ }
+
+ if (old_secret) {
+ ret = keytab_add_keys(mem_ctx, principals,
salt_princ,
- kvno, password_s, smb_krb5_context,
+ kvno - 1, old_secret, smb_krb5_context,
enctypes, keytab, error_string);
if (ret) {
talloc_free(mem_ctx);
return ret;
}
-
- if (old_secret) {
- ret = keytab_add_keys(mem_ctx, principals[i]->string_form, principals[i]->principal,
- salt_princ,
- kvno - 1, old_secret, smb_krb5_context,
- enctypes, keytab, error_string);
- if (ret) {
- talloc_free(mem_ctx);
- return ret;
- }
- }
}
talloc_free(mem_ctx);