author | Jakub Hrozek <jhrozek@redhat.com> | 2010-07-20 18:35:50 +0200 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2010-08-03 13:50:28 -0400 |
commit | 2f4e8fbdf1d4ba1e00fcab93af91fe4f4f40250d (patch) | |
tree | 555aa8943fe4bf30d52d2dd64bde1fe5692b0b09 /src/providers/ldap/ldap_child.c | |
parent | 13d90c2ae8413317947d392c89fffca10ec83587 (diff) | |
download | sssd-2f4e8fbdf1d4ba1e00fcab93af91fe4f4f40250d.tar.gz sssd-2f4e8fbdf1d4ba1e00fcab93af91fe4f4f40250d.tar.bz2 sssd-2f4e8fbdf1d4ba1e00fcab93af91fe4f4f40250d.zip |
Validate keytab at startup
In addition to validating the keytab every time a TGT is requested, we
also validate the keytab on back end startup to give early warning that
the keytab is not usable.
Fixes: #556
Diffstat (limited to 'src/providers/ldap/ldap_child.c')
-rw-r--r-- | src/providers/ldap/ldap_child.c | 51 |
1 files changed, 3 insertions, 48 deletions
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index 17c26855..f51040a7 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -143,10 +143,6 @@ static int ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
 krb5_error_code krberr;
 krb5_timestamp kdc_time_offset;
 int kdc_time_offset_usec;
- krb5_kt_cursor cursor;
- krb5_keytab_entry entry;
- char *principal;
- bool found;
 int ret;
 
 krberr = krb5_init_context(&context);
@@ -227,50 +223,9 @@ static int ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
 }
 
 /* Verify the keytab */
- krberr = krb5_kt_start_seq_get(context, keytab, &cursor);
- if (krberr) {
- DEBUG(0, ("Cannot read keytab [%s].\n", keytab_name));
-
- sss_log(SSS_LOG_ERR, "Error reading keytab file [%s]: [%d][%s]. "
- "Unable to create GSSAPI-encrypted LDAP connection.",
- keytab_name, krberr,
- sss_krb5_get_error_message(context, krberr));
-
- ret = EFAULT;
- goto done;
- }
-
- found = false;
- while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){
- krb5_unparse_name(context, entry.principal, &principal);
- if (strcmp(full_princ, principal) == 0) {
- found = true;
- }
- free(principal);
- krb5_free_keytab_entry_contents(context, &entry);
-
- if (found) {
- break;
- }
- }
- krberr = krb5_kt_end_seq_get(context, keytab, &cursor);
- if (krberr) {
- DEBUG(0, ("Could not close keytab.\n"));
- sss_log(SSS_LOG_ERR, "Could not close keytab file [%s].",
- keytab_name);
- ret = EFAULT;
- goto done;
- }
-
- if (!found) {
- DEBUG(0, ("Principal [%s] not found in keytab [%s]\n",
- full_princ, keytab_name));
- sss_log(SSS_LOG_ERR, "Error processing keytab file [%s]: "
- "Principal [%s] was not found. "
- "Unable to create GSSAPI-encrypted LDAP connection.",
- keytab_name, full_princ);
-
- ret = EFAULT;
+ ret = sss_krb5_verify_keytab_ex(full_princ, keytab_name, context, keytab);
+ if (ret) {
+ DEBUG(2, ("Unable to verify principal is present in the keytab\n"));
 goto done;
 }
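Review bot: The new failure path in the second hunk reports a bad keytab only with a level-2 DEBUG, where the removed block wrote a level-0 DEBUG and an sss_log(SSS_LOG_ERR) syslog entry for each of the three failure cases; unless sss_krb5_verify_keytab_ex emits the syslog line itself (its body is not in this diff, so that is an assumption to confirm), an administrator running at the default debug level loses the only notice that the GSSAPI bind will keep failing. If the helper does not log, keep one syslog line next to the DEBUG, e.g. `sss_log(SSS_LOG_ERR, "Error processing keytab file [%s]: principal [%s] could not be verified. Unable to create GSSAPI-encrypted LDAP connection.", keytab_name, full_princ);`. Note also that ret now carries whatever the helper returns instead of the fixed EFAULT the removed code set, which is a visible change for any caller that compares the return value and is worth a sentence in the commit message. ldap_child_get_tgt_sync begins and ends outside both hunks; the first hunk only drops the locals the removed loop used.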