summaryrefslogtreecommitdiff
path: root/src/providers
diff options
context:
space:
mode:
authorJakub Hrozek <jhrozek@redhat.com>2010-07-20 18:35:50 +0200
committerStephen Gallagher <sgallagh@redhat.com>2010-08-03 13:50:28 -0400
commit2f4e8fbdf1d4ba1e00fcab93af91fe4f4f40250d (patch)
tree555aa8943fe4bf30d52d2dd64bde1fe5692b0b09 /src/providers
parent13d90c2ae8413317947d392c89fffca10ec83587 (diff)
downloadsssd-2f4e8fbdf1d4ba1e00fcab93af91fe4f4f40250d.tar.gz
sssd-2f4e8fbdf1d4ba1e00fcab93af91fe4f4f40250d.tar.bz2
sssd-2f4e8fbdf1d4ba1e00fcab93af91fe4f4f40250d.zip
Validate keytab at startup
In addition to validating the keytab everytime a TGT is requested, we also validate the keytab on back end startup to give early warning that the keytab is not usable. Fixes: #556
Diffstat (limited to 'src/providers')
-rw-r--r--src/providers/ldap/ldap_child.c51
-rw-r--r--src/providers/ldap/sdap_child_helpers.c16
2 files changed, 19 insertions, 48 deletions
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index 17c26855..f51040a7 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -143,10 +143,6 @@ static int ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
krb5_error_code krberr;
krb5_timestamp kdc_time_offset;
int kdc_time_offset_usec;
- krb5_kt_cursor cursor;
- krb5_keytab_entry entry;
- char *principal;
- bool found;
int ret;
krberr = krb5_init_context(&context);
@@ -227,50 +223,9 @@ static int ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
}
/* Verify the keytab */
- krberr = krb5_kt_start_seq_get(context, keytab, &cursor);
- if (krberr) {
- DEBUG(0, ("Cannot read keytab [%s].\n", keytab_name));
-
- sss_log(SSS_LOG_ERR, "Error reading keytab file [%s]: [%d][%s]. "
- "Unable to create GSSAPI-encrypted LDAP connection.",
- keytab_name, krberr,
- sss_krb5_get_error_message(context, krberr));
-
- ret = EFAULT;
- goto done;
- }
-
- found = false;
- while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){
- krb5_unparse_name(context, entry.principal, &principal);
- if (strcmp(full_princ, principal) == 0) {
- found = true;
- }
- free(principal);
- krb5_free_keytab_entry_contents(context, &entry);
-
- if (found) {
- break;
- }
- }
- krberr = krb5_kt_end_seq_get(context, keytab, &cursor);
- if (krberr) {
- DEBUG(0, ("Could not close keytab.\n"));
- sss_log(SSS_LOG_ERR, "Could not close keytab file [%s].",
- keytab_name);
- ret = EFAULT;
- goto done;
- }
-
- if (!found) {
- DEBUG(0, ("Principal [%s] not found in keytab [%s]\n",
- full_princ, keytab_name));
- sss_log(SSS_LOG_ERR, "Error processing keytab file [%s]: "
- "Principal [%s] was not found. "
- "Unable to create GSSAPI-encrypted LDAP connection.",
- keytab_name, full_princ);
-
- ret = EFAULT;
+ ret = sss_krb5_verify_keytab_ex(full_princ, keytab_name, context, keytab);
+ if (ret) {
+ DEBUG(2, ("Unable to verify principal is present in the keytab\n"));
goto done;
}
diff --git a/src/providers/ldap/sdap_child_helpers.c b/src/providers/ldap/sdap_child_helpers.c
index 58b757ef..1b122485 100644
--- a/src/providers/ldap/sdap_child_helpers.c
+++ b/src/providers/ldap/sdap_child_helpers.c
@@ -29,6 +29,7 @@
#include <fcntl.h>
#include "util/util.h"
+#include "util/sss_krb5.h"
#include "providers/ldap/ldap_common.h"
#include "providers/ldap/sdap_async_private.h"
#include "providers/child_common.h"
@@ -455,6 +456,21 @@ int setup_child(struct sdap_id_ctx *ctx)
return EOK;
}
+ if (mech && (strcasecmp(mech, "GSSAPI") == 0)) {
+ ret = sss_krb5_verify_keytab(dp_opt_get_string(ctx->opts->basic,
+ SDAP_SASL_AUTHID),
+ dp_opt_get_string(ctx->opts->basic,
+ SDAP_KRB5_REALM),
+ dp_opt_get_string(ctx->opts->basic,
+ SDAP_KRB5_KEYTAB));
+
+ if (ret != EOK) {
+ DEBUG(0, ("Could not verify keytab\n"))
+ return ret;
+ }
+
+ }
+
if (debug_to_file != 0 && ldap_child_debug_fd == -1) {
ret = open_debug_file_ex("ldap_child", &debug_filep);
if (ret != EOK) {