From 87698dc2a1adb52c381b35f5cc80437f91e75798 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Sat, 2 Oct 2010 07:12:48 +1000
Subject: s4-kerberos Don't regenerate key values for each alias in keytab

Instead, store the same key value under the multiple alias names.

Andrew Bartlett

Autobuild-User: Andrew Bartlett
Autobuild-Date: Sat Oct 2 00:16:52 UTC 2010 on sn-devel-104
---
 source4/auth/kerberos/kerberos_util.c | 78 ++++++++++++++++-------------------
 1 file changed, 35 insertions(+), 43 deletions(-)

(limited to 'source4')

diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index f83fd786c0..27cbeb06a2 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -507,8 +507,7 @@ krb5_error_code smb_krb5_open_keytab(TALLOC_CTX *mem_ctx,
 }
 
 static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx,
-				       const char *princ_string,
-				       krb5_principal princ,
+				       struct principal_container **principals,
 				       krb5_principal salt_princ,
 				       int kvno,
 				       const char *password_s,
@@ -517,13 +516,9 @@ static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx,
 				       krb5_keytab keytab,
 				       const char **error_string)
 {
-	int i;
+	unsigned int i, p;
 	krb5_error_code ret;
 	krb5_data password;
-	TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
-	if (!mem_ctx) {
-		return ENOMEM;
-	}
 
 	password.data = discard_const_p(char *, password_s);
 	password.length = strlen(password_s);
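Review bot: The new `principals` parameter of keytab_add_keys carries an implicit contract — the loop in the next hunk walks it until a NULL element and dereferences each entry — that the signature does not state, and nothing in the function guards `principals` itself against NULL. A one-line comment above the definition, `/* principals: NULL-terminated array of aliases; every name receives the same keys, which are derived from salt_princ rather than the alias */`, would make the requirement visible to future callers. Whether create_keytab can ever hand over a NULL or empty array depends on code outside these hunks; an empty array silently yields a keytab with no entries and a success return. This hunk shows only the parameter list; the body of keytab_add_keys continues in the following hunks.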
@@ -536,32 +531,33 @@ static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx,
 		ret = create_kerberos_key_from_string(smb_krb5_context->krb5_context, salt_princ, &password, &entry.keyblock, enctypes[i]);
 		if (ret != 0) {
-			talloc_free(mem_ctx);
 			return ret;
 		}
-		entry.principal = princ;
-		entry.vno = kvno;
-		ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, keytab, &entry);
-		if (ret != 0) {
-			*error_string = talloc_asprintf(parent_ctx, "Failed to add enctype %d entry for %s(kvno %d) to keytab: %s\n",
-							(int)enctypes[i],
-							princ_string,
-							kvno,
-							smb_get_krb5_error_message(smb_krb5_context->krb5_context,
-										   ret, mem_ctx));
-			talloc_free(mem_ctx);
-			krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
-			return ret;
-		}
+		entry.vno = kvno;
+
+		for (p=0; principals[p]; p++) {
+			entry.principal = principals[p]->principal;
+			ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, keytab, &entry);
+			if (ret != 0) {
+				char *k5_error_string = smb_get_krb5_error_message(smb_krb5_context->krb5_context,
+										   ret, NULL);
+				*error_string = talloc_asprintf(parent_ctx, "Failed to add enctype %d entry for %s(kvno %d) to keytab: %s\n",
+								(int)enctypes[i],
+								principals[p]->string_form,
+								kvno,
+								k5_error_string);
+				talloc_free(k5_error_string);
+				krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
+				return ret;
+			}
-		DEBUG(5, ("Added %s(kvno %d) to keytab (enctype %d)\n",
-			  princ_string, kvno,
-			  (int)enctypes[i]));
-
+			DEBUG(5, ("Added %s(kvno %d) to keytab (enctype %d)\n",
+				  principals[p]->string_form, kvno,
+				  (int)enctypes[i]));
+		}
 		krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
 	}
-	talloc_free(mem_ctx);
 	return 0;
 }
 
@@ -573,7 +569,6 @@ static krb5_error_code create_keytab(TALLOC_CTX *parent_ctx,
 				       bool add_old,
 				       const char **error_string)
 {
-	unsigned int i;
 	krb5_error_code ret;
 	const char *password_s;
 	const char *old_secret;
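Review bot: In the new error path inside the `p` loop, `k5_error_string` goes straight into the `%s` of talloc_asprintf; if smb_get_krb5_error_message can return NULL on allocation failure (its definition is not in view, but talloc-backed helpers typically do), that is a null pointer for `%s`, which is undefined behaviour even where glibc happens to print "(null)", so the argument should be guarded, e.g. `k5_error_string ? k5_error_string : "(unknown krb5 error)"`. The loop also deserves a comment stating the premise of the whole change, which nothing in the code spells out: `/* The key is salted with salt_princ, not the alias, so one keyblock is valid for every principal name. */`. Note that a failure for some principal returns after earlier principals and enctypes have already been written, leaving the keytab partially populated; that was also true before the change, but is worth a sentence in the function's header comment. The enclosing loop over `enctypes` and the start of keytab_add_keys lie before this hunk.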
@@ -624,27 +619,24 @@ static krb5_error_code create_keytab(TALLOC_CTX *parent_ctx,
 		return ret;
 	}
 
-	/* Walk over the principals */
-	for (i=0; principals[i]; i++) {
-		ret = keytab_add_keys(mem_ctx, principals[i]->string_form, principals[i]->principal,
+	ret = keytab_add_keys(mem_ctx, principals,
+			      salt_princ,
+			      kvno, password_s, smb_krb5_context,
+			      enctypes, keytab, error_string);
+	if (ret) {
+		talloc_free(mem_ctx);
+		return ret;
+	}
+
+	if (old_secret) {
+		ret = keytab_add_keys(mem_ctx, principals,
 				      salt_princ,
-				      kvno, password_s, smb_krb5_context,
+				      kvno - 1, old_secret, smb_krb5_context,
 				      enctypes, keytab, error_string);
 		if (ret) {
 			talloc_free(mem_ctx);
 			return ret;
 		}
-
-		if (old_secret) {
-			ret = keytab_add_keys(mem_ctx, principals[i]->string_form, principals[i]->principal,
-					      salt_princ,
-					      kvno - 1, old_secret, smb_krb5_context,
-					      enctypes, keytab, error_string);
-			if (ret) {
-				talloc_free(mem_ctx);
-				return ret;
-			}
-		}
 	}
 
 	talloc_free(mem_ctx);
-- cgit
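Review bot: `kvno - 1` is handed to the second keytab_add_keys call with no lower bound; where kvno comes from is outside this hunk, but if it can be 0 the old-secret entries are stored under version -1 (or a wrapped value, depending on the type of the keytab entry's vno field, which this file does not show) instead of being skipped. Either guard the call, `if (old_secret && kvno > 0) {`, or document the assumption that kvno is at least 1 whenever old_secret is set. A failure in the second call also returns after the first call has already written the current-key entries, so the caller gets an error for a keytab that is partially populated; this predates the change but deserves a comment on that error return. create_keytab continues past the end of this hunk.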