diff options
-rw-r--r-- | src/man/sssd-krb5.5.xml | 8 | ||||
-rw-r--r-- | src/providers/krb5/krb5_child.c | 8 |
2 files changed, 15 insertions, 1 deletions
diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml index f4fd1cb7..2e2e638d 100644 --- a/src/man/sssd-krb5.5.xml +++ b/src/man/sssd-krb5.5.xml @@ -231,7 +231,13 @@ <term>krb5_validate (boolean)</term> <listitem> <para> - Verify with the help of krb5_keytab that the TGT obtained has not been spoofed. + Verify with the help of krb5_keytab that the TGT + obtained has not been spoofed. The keytab is checked for + entries sequentially, and the first entry with matching + realm is used for validation. If no entry matches the last + one is used. This can be utilized to achieve validation in + enviroments with cross-realm trust by placing appropriate + keytab entry as the last one or the only one. </para> <para> Default: false diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index b2d5bdae..00da7ea3 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -696,6 +696,7 @@ static krb5_error_code validate_tgt(struct krb5_req *kr) krb5_keytab_entry entry; krb5_verify_init_creds_opt opt; krb5_principal validation_princ = NULL; + bool realm_entry_found = false; memset(&keytab, 0, sizeof(keytab)); kerr = krb5_kt_resolve(kr->ctx, kr->keytab, &keytab); @@ -736,10 +737,17 @@ static krb5_error_code validate_tgt(struct krb5_req *kr) if (krb5_realm_compare(kr->ctx, validation_princ, kr->princ)) { DEBUG(SSSDBG_TRACE_INTERNAL, ("Found keytab entry with the realm of the credential.\n")); + realm_entry_found = true; break; } } + if (!realm_entry_found) { + DEBUG(SSSDBG_TRACE_INTERNAL, + ("Keytab entry with the realm of the credential not found " + "in keytab. Using the last entry.\n")); + } + /* Close the keytab here. Even though we're using cursors, the file * handle is stored in the krb5_keytab structure, and it gets * overwritten when the verify_init_creds() call below creates its own |