authorOndrej Kos <okos@redhat.com>2012-10-09 11:34:56 +0200
committerJakub Hrozek <jhrozek@redhat.com>2012-10-10 22:32:47 +0200
commit89cc2dac478c899aaaacb75d7448e3c651723f74 (patch)
treebc8ccca5a1f154b4a32d29ec25b9f5704cfa8b60
parent245c6b5db07249ecead23263f15c5c68c641134d (diff)
Add more info about ticket validation
https://fedorahosted.org/sssd/ticket/1499 Adds a log message for the case where no appropriate entry is found in the keytab and the last keytab entry is used when validation is enabled. Adds more information about validation to the manpage.
-rw-r--r--src/man/sssd-krb5.5.xml8
-rw-r--r--src/providers/krb5/krb5_child.c8
2 files changed, 15 insertions, 1 deletions
diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
index f4fd1cb7..2e2e638d 100644
--- a/src/man/sssd-krb5.5.xml
+++ b/src/man/sssd-krb5.5.xml
@@ -231,7 +231,13 @@
<term>krb5_validate (boolean)</term>
<listitem>
<para>
- Verify with the help of krb5_keytab that the TGT obtained has not been spoofed.
+ Verify with the help of krb5_keytab that the TGT
+ obtained has not been spoofed. The keytab is checked for
+ entries sequentially, and the first entry with matching
+ realm is used for validation. If no entry matches the last
+ one is used. This can be utilized to achieve validation in
+ enviroments with cross-realm trust by placing appropriate
+ keytab entry as the last one or the only one.
</para>
<para>
Default: false
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index b2d5bdae..00da7ea3 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -696,6 +696,7 @@ static krb5_error_code validate_tgt(struct krb5_req *kr)
krb5_keytab_entry entry;
krb5_verify_init_creds_opt opt;
krb5_principal validation_princ = NULL;
+ bool realm_entry_found = false;
memset(&keytab, 0, sizeof(keytab));
kerr = krb5_kt_resolve(kr->ctx, kr->keytab, &keytab);
@@ -736,10 +737,17 @@ static krb5_error_code validate_tgt(struct krb5_req *kr)
if (krb5_realm_compare(kr->ctx, validation_princ, kr->princ)) {
DEBUG(SSSDBG_TRACE_INTERNAL,
("Found keytab entry with the realm of the credential.\n"));
+ realm_entry_found = true;
break;
}
}
+ if (!realm_entry_found) {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ ("Keytab entry with the realm of the credential not found "
+ "in keytab. Using the last entry.\n"));
+ }
+
/* Close the keytab here. Even though we're using cursors, the file
* handle is stored in the krb5_keytab structure, and it gets
* overwritten when the verify_init_creds() call below creates its own
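Review bot: The fallback message in the new `if (!realm_entry_found)` block is logged at `SSSDBG_TRACE_INTERNAL`, so at ordinary debug levels an administrator will not learn that the TGT is being validated against a keytab entry whose realm differs from the credential's. Since this decides which key backs the anti-spoofing check, I would raise it to a level such as `SSSDBG_MINOR_FAILURE` and name the keytab, e.g. `("No keytab entry matches the realm of the credential in [%s], using the last entry.\n", kr->keytab)`. The message is also printed whenever the loop ends without a match, which presumably includes a keytab with no entries at all; the loop head is outside this hunk, so confirm that "using the last entry" is accurate in that case. validate_tgt's body begins and ends outside the hunk.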