author | Ondrej Kos <okos@redhat.com> | 2012-10-09 11:34:56 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2012-10-10 22:32:47 +0200 |
commit | 89cc2dac478c899aaaacb75d7448e3c651723f74 (patch) | |
tree | bc8ccca5a1f154b4a32d29ec25b9f5704cfa8b60 /src/providers | |
parent | 245c6b5db07249ecead23263f15c5c68c641134d (diff) | |
Add more info about ticket validation
https://fedorahosted.org/sssd/ticket/1499
Adds log message about not finding appropriate entry in keytab and using
the last keytab entry when validation is enabled.
Adds more information about validation into manpage.
Diffstat (limited to 'src/providers')
-rw-r--r-- | src/providers/krb5/krb5_child.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index b2d5bdae..00da7ea3 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -696,6 +696,7 @@ static krb5_error_code validate_tgt(struct krb5_req *kr)
 krb5_keytab_entry entry;
 krb5_verify_init_creds_opt opt;
 krb5_principal validation_princ = NULL;
+ bool realm_entry_found = false;

 memset(&keytab, 0, sizeof(keytab));
 kerr = krb5_kt_resolve(kr->ctx, kr->keytab, &keytab);
@@ -736,10 +737,17 @@ static krb5_error_code validate_tgt(struct krb5_req *kr)
 if (krb5_realm_compare(kr->ctx, validation_princ, kr->princ)) {
 DEBUG(SSSDBG_TRACE_INTERNAL,
 ("Found keytab entry with the realm of the credential.\n"));
+ realm_entry_found = true;
 break;
 }
 }

+ if (!realm_entry_found) {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ ("Keytab entry with the realm of the credential not found "
+ "in keytab. Using the last entry.\n"));
+ }
+
 /* Close the keytab here. Even though we're using cursors, the file
 * handle is stored in the krb5_keytab structure, and it gets
 * overwritten when the verify_init_creds() call below creates its own |
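Review bot: The fallback message added after the loop in the second hunk is logged at `SSSDBG_TRACE_INTERNAL`, so at the debug levels normally enabled nobody will see that the TGT is about to be validated with a keytab entry from a different realm than the credential. Since that fallback is likely what explains a later validation failure, a more visible level would serve the commit's stated goal better, e.g. `DEBUG(SSSDBG_MINOR_FAILURE, ("Keytab entry with the realm of the credential not found in keytab. Using the last entry.\n"));`. The loop itself starts outside the hunk, so it is not visible whether it can finish without reading any entry. If it can, "Using the last entry" would be misleading for an empty keytab and the message should be guarded on `validation_princ != NULL`. The body of validate_tgt begins and ends outside both hunks.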