|
 |
cb4cef |
From 4c2f596da5ddb8a1687a4f9c969d5a8dcd2cbcc7 Mon Sep 17 00:00:00 2001
|
|
|
cb4cef |
From: Robbie Harwood <rharwood@redhat.com>
|
|
|
cb4cef |
Date: Thu, 3 Jun 2021 16:03:07 -0400
|
|
|
cb4cef |
Subject: [PATCH] Allow kinit with keytab to defer canonicalization
|
|
|
cb4cef |
|
|
|
cb4cef |
[ghudson@mit.edu: added tests]
|
|
|
cb4cef |
|
|
|
cb4cef |
ticket: 9012 (new)
|
|
|
cb4cef |
(cherry picked from commit 5e6a6efc5df689d9fb8730d0227167ffbb6ece0e)
|
|
|
cb4cef |
(cherry picked from commit 090c7319652466339e3e6482bdd1b5a294638dff)
|
|
|
cb4cef |
---
|
|
|
cb4cef |
src/clients/kinit/kinit.c | 11 -----------
|
|
|
cb4cef |
src/tests/t_keytab.py | 13 +++++++++++++
|
|
|
cb4cef |
2 files changed, 13 insertions(+), 11 deletions(-)
|
|
|
cb4cef |
|
|
|
cb4cef |
diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
|
|
|
cb4cef |
index d1f5d74c3..5a6d7237c 100644
|
|
|
cb4cef |
--- a/src/clients/kinit/kinit.c
|
|
|
cb4cef |
+++ b/src/clients/kinit/kinit.c
|
|
|
cb4cef |
@@ -510,17 +510,6 @@ k5_begin(struct k_opts *opts, struct k5_data *k5)
|
|
|
cb4cef |
_("when creating default server principal name"));
|
|
|
cb4cef |
goto cleanup;
|
|
|
cb4cef |
}
|
|
|
cb4cef |
- if (k5->me->realm.data[0] == 0) {
|
|
|
cb4cef |
- ret = krb5_unparse_name(k5->ctx, k5->me, &k5->name);
|
|
|
cb4cef |
- if (ret == 0) {
|
|
|
cb4cef |
- com_err(progname, KRB5_ERR_HOST_REALM_UNKNOWN,
|
|
|
cb4cef |
- _("(principal %s)"), k5->name);
|
|
|
cb4cef |
- } else {
|
|
|
cb4cef |
- com_err(progname, KRB5_ERR_HOST_REALM_UNKNOWN,
|
|
|
cb4cef |
- _("for local services"));
|
|
|
cb4cef |
- }
|
|
|
cb4cef |
- goto cleanup;
|
|
|
cb4cef |
- }
|
|
|
cb4cef |
} else if (k5->out_cc != NULL) {
|
|
|
cb4cef |
/* If the output ccache is initialized, use its principal. */
|
|
|
cb4cef |
if (krb5_cc_get_principal(k5->ctx, k5->out_cc, &princ) == 0)
|
|
|
cb4cef |
diff --git a/src/tests/t_keytab.py b/src/tests/t_keytab.py
|
|
|
cb4cef |
index 850375c92..a9adebb26 100755
|
|
|
cb4cef |
--- a/src/tests/t_keytab.py
|
|
|
cb4cef |
+++ b/src/tests/t_keytab.py
|
|
|
cb4cef |
@@ -41,6 +41,19 @@ realm.kinit(realm.user_princ, flags=['-i'],
|
|
|
cb4cef |
expected_msg='keytab specified, forcing -k')
|
|
|
cb4cef |
realm.klist(realm.user_princ)
|
|
|
cb4cef |
|
|
|
cb4cef |
+# Test default principal for -k. This operation requires
|
|
|
cb4cef |
+# canonicalization against the keytab in krb5_get_init_creds_keytab()
|
|
|
cb4cef |
+# as the krb5_sname_to_principal() result won't have a realm. Try
|
|
|
cb4cef |
+# with and without without fallback processing since the code paths
|
|
|
cb4cef |
+# are different.
|
|
|
cb4cef |
+mark('default principal for -k')
|
|
|
cb4cef |
+realm.run([kinit, '-k'])
|
|
|
cb4cef |
+realm.klist(realm.host_princ)
|
|
|
cb4cef |
+no_canon_conf = {'libdefaults': {'dns_canonicalize_hostname': 'false'}}
|
|
|
cb4cef |
+no_canon = realm.special_env('no_canon', False, krb5_conf=no_canon_conf)
|
|
|
cb4cef |
+realm.run([kinit, '-k'], env=no_canon)
|
|
|
cb4cef |
+realm.klist(realm.host_princ)
|
|
|
cb4cef |
+
|
|
|
cb4cef |
# Test extracting keys with multiple key versions present.
|
|
|
cb4cef |
mark('multi-kvno extract')
|
|
|
cb4cef |
os.remove(realm.keytab)
|