
905b4d
From 73bd041e84e13ac96af4c057882c386fa437b202 Mon Sep 17 00:00:00 2001
905b4d
From: Jakub Hrozek <jhrozek@redhat.com>
905b4d
Date: Sat, 11 Oct 2014 17:39:21 +0200
905b4d
Subject: [PATCH 66/71] LDAP: Move sss_krb5_verify_keytab_ex to ldap_child
905b4d
MIME-Version: 1.0
905b4d
Content-Type: text/plain; charset=UTF-8
905b4d
Content-Transfer-Encoding: 8bit
905b4d
905b4d
The function was called from one place only, so it makes no sense to
905b4d
keep it in a shared module. Moreover, the function should only be
905b4d
called from code that runs as root.
905b4d
905b4d
Reviewed-by: Michal Židek <mzidek@redhat.com>
905b4d
---
905b4d
 src/providers/ldap/ldap_child.c | 79 ++++++++++++++++++++++++++++++++++++++++-
905b4d
 src/util/sss_krb5.c             | 76 ---------------------------------------
905b4d
 src/util/sss_krb5.h             |  3 --
905b4d
 3 files changed, 78 insertions(+), 80 deletions(-)
905b4d
905b4d
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
905b4d
index e5779b70906d90ab855677f04a154e179f2163c6..b8b4b0ad7cfffc7db52b5ca3d9b9a74f12480070 100644
905b4d
--- a/src/providers/ldap/ldap_child.c
905b4d
+++ b/src/providers/ldap/ldap_child.c
905b4d
@@ -160,6 +160,83 @@ set_child_debugging(krb5_context ctx)
905b4d
     return EOK;
905b4d
 }
905b4d
 
905b4d
+static int lc_verify_keytab_ex(const char *principal,
905b4d
+                               const char *keytab_name,
905b4d
+                               krb5_context context,
905b4d
+                               krb5_keytab keytab)
905b4d
+{
905b4d
+    bool found;
905b4d
+    char *kt_principal;
905b4d
+    krb5_error_code krberr;
905b4d
+    krb5_kt_cursor cursor;
905b4d
+    krb5_keytab_entry entry;
905b4d
+
905b4d
+    krberr = krb5_kt_start_seq_get(context, keytab, &cursor);
905b4d
+    if (krberr) {
905b4d
+        DEBUG(SSSDBG_FATAL_FAILURE,
905b4d
+              "Cannot read keytab [%s].\n", KEYTAB_CLEAN_NAME);
905b4d
+
905b4d
+        sss_log(SSS_LOG_ERR, "Error reading keytab file [%s]: [%d][%s]. "
905b4d
+                             "Unable to create GSSAPI-encrypted LDAP "
905b4d
+                             "connection.",
905b4d
+                             KEYTAB_CLEAN_NAME, krberr,
905b4d
+                             sss_krb5_get_error_message(context, krberr));
905b4d
+
905b4d
+        return EIO;
905b4d
+    }
905b4d
+
905b4d
+    found = false;
905b4d
+    while ((krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
905b4d
+        krberr = krb5_unparse_name(context, entry.principal, &kt_principal);
905b4d
+        if (krberr) {
905b4d
+            DEBUG(SSSDBG_FATAL_FAILURE,
905b4d
+                  "Could not parse keytab entry\n");
905b4d
+            sss_log(SSS_LOG_ERR, "Could not parse keytab entry\n");
905b4d
+            return EIO;
905b4d
+        }
905b4d
+
905b4d
+        if (strcmp(principal, kt_principal) == 0) {
905b4d
+            found = true;
905b4d
+        }
905b4d
+        free(kt_principal);
905b4d
+        krberr = sss_krb5_free_keytab_entry_contents(context, &entry);
905b4d
+        if (krberr) {
905b4d
+            /* This should never happen. The API docs for this function
905b4d
+             * specify only success for this function
905b4d
+             */
905b4d
+            DEBUG(SSSDBG_CRIT_FAILURE,"Could not free keytab entry contents\n");
905b4d
+            /* This is non-fatal, so we'll continue here */
905b4d
+        }
905b4d
+
905b4d
+        if (found) {
905b4d
+            break;
905b4d
+        }
905b4d
+    }
905b4d
+
905b4d
+    krberr = krb5_kt_end_seq_get(context, keytab, &cursor);
905b4d
+    if (krberr) {
905b4d
+        DEBUG(SSSDBG_FATAL_FAILURE, "Could not close keytab.\n");
905b4d
+        sss_log(SSS_LOG_ERR, "Could not close keytab file [%s].",
905b4d
+                             KEYTAB_CLEAN_NAME);
905b4d
+        return EIO;
905b4d
+    }
905b4d
+
905b4d
+    if (!found) {
905b4d
+        DEBUG(SSSDBG_FATAL_FAILURE,
905b4d
+              "Principal [%s] not found in keytab [%s]\n",
905b4d
+               principal,
905b4d
+               KEYTAB_CLEAN_NAME);
905b4d
+        sss_log(SSS_LOG_ERR, "Error processing keytab file [%s]: "
905b4d
+                             "Principal [%s] was not found. "
905b4d
+                             "Unable to create GSSAPI-encrypted LDAP connection.",
905b4d
+                             KEYTAB_CLEAN_NAME, principal);
905b4d
+
905b4d
+        return EFAULT;
905b4d
+    }
905b4d
+
905b4d
+    return EOK;
905b4d
+}
905b4d
+
905b4d
 static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
905b4d
                                                const char *realm_str,
905b4d
                                                const char *princ_str,
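Review bot: In the new `lc_verify_keytab_ex`, the `krb5_unparse_name` failure path returns `EIO` without releasing the iteration it started: the `entry` just fetched by `krb5_kt_next_entry` is never freed and `krb5_kt_end_seq_get` is never called, so the keytab cursor is left open on that path (the caller's error handling is outside this hunk, so I cannot tell whether it compensates). Since the commit already moves this code into the root-only child, it is a good moment to make the early exit symmetric with the normal exit, e.g. before the `return EIO;` add `sss_krb5_free_keytab_entry_contents(context, &entry);` and `krb5_kt_end_seq_get(context, keytab, &cursor);`. Separately, the `while (... == 0)` loop treats any non-zero return from `krb5_kt_next_entry` as end-of-keytab, so a read error midway is reported to the admin as "Principal [...] was not found" (`EFAULT`) rather than as an I/O problem; a short comment such as `/* NOTE: a mid-iteration read error is indistinguishable from end-of-keytab here */` would at least make that behaviour explicit. The parameter `keytab_name` appears unused in the body as written; presumably `KEYTAB_CLEAN_NAME` is a macro that expands to it — worth a one-line comment at the top of the function confirming that, so the parameter does not look dead.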
905b4d
@@ -287,7 +364,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
905b4d
     }
905b4d
 
905b4d
     /* Verify the keytab */
905b4d
-    ret = sss_krb5_verify_keytab_ex(full_princ, keytab_name, context, keytab);
905b4d
+    ret = lc_verify_keytab_ex(full_princ, keytab_name, context, keytab);
905b4d
     if (ret) {
905b4d
         DEBUG(SSSDBG_OP_FAILURE,
905b4d
                 "Unable to verify principal is present in the keytab\n");
905b4d
diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
905b4d
index b4012593d96bc951143e4bb2ba7a91d118b1a53c..9eb34e17dc1059da9c346d4635a9f3e283308328 100644
905b4d
--- a/src/util/sss_krb5.c
905b4d
+++ b/src/util/sss_krb5.c
905b4d
@@ -247,82 +247,6 @@ done:
905b4d
     return ret;
905b4d
 }
905b4d
 
905b4d
-int sss_krb5_verify_keytab_ex(const char *principal, const char *keytab_name,
905b4d
-                              krb5_context context, krb5_keytab keytab)
905b4d
-{
905b4d
-    bool found;
905b4d
-    char *kt_principal;
905b4d
-    krb5_error_code krberr;
905b4d
-    krb5_kt_cursor cursor;
905b4d
-    krb5_keytab_entry entry;
905b4d
-
905b4d
-    krberr = krb5_kt_start_seq_get(context, keytab, &cursor);
905b4d
-    if (krberr) {
905b4d
-        DEBUG(SSSDBG_FATAL_FAILURE,
905b4d
-              "Cannot read keytab [%s].\n", KEYTAB_CLEAN_NAME);
905b4d
-
905b4d
-        sss_log(SSS_LOG_ERR, "Error reading keytab file [%s]: [%d][%s]. "
905b4d
-                             "Unable to create GSSAPI-encrypted LDAP "
905b4d
-                             "connection.",
905b4d
-                             KEYTAB_CLEAN_NAME, krberr,
905b4d
-                             sss_krb5_get_error_message(context, krberr));
905b4d
-
905b4d
-        return EIO;
905b4d
-    }
905b4d
-
905b4d
-    found = false;
905b4d
-    while((krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){
905b4d
-        krberr = krb5_unparse_name(context, entry.principal, &kt_principal);
905b4d
-        if (krberr) {
905b4d
-            DEBUG(SSSDBG_FATAL_FAILURE,
905b4d
-                  "Could not parse keytab entry\n");
905b4d
-            sss_log(SSS_LOG_ERR, "Could not parse keytab entry\n");
905b4d
-            return EIO;
905b4d
-        }
905b4d
-
905b4d
-        if (strcmp(principal, kt_principal) == 0) {
905b4d
-            found = true;
905b4d
-        }
905b4d
-        free(kt_principal);
905b4d
-        krberr = sss_krb5_free_keytab_entry_contents(context, &entry);
905b4d
-        if (krberr) {
905b4d
-            /* This should never happen. The API docs for this function
905b4d
-             * specify only success for this function
905b4d
-             */
905b4d
-            DEBUG(SSSDBG_CRIT_FAILURE,"Could not free keytab entry contents\n");
905b4d
-            /* This is non-fatal, so we'll continue here */
905b4d
-        }
905b4d
-
905b4d
-        if (found) {
905b4d
-            break;
905b4d
-        }
905b4d
-    }
905b4d
-
905b4d
-    krberr = krb5_kt_end_seq_get(context, keytab, &cursor);
905b4d
-    if (krberr) {
905b4d
-        DEBUG(SSSDBG_FATAL_FAILURE, "Could not close keytab.\n");
905b4d
-        sss_log(SSS_LOG_ERR, "Could not close keytab file [%s].",
905b4d
-                             KEYTAB_CLEAN_NAME);
905b4d
-        return EIO;
905b4d
-    }
905b4d
-
905b4d
-    if (!found) {
905b4d
-        DEBUG(SSSDBG_FATAL_FAILURE,
905b4d
-              "Principal [%s] not found in keytab [%s]\n",
905b4d
-               principal,
905b4d
-               KEYTAB_CLEAN_NAME);
905b4d
-        sss_log(SSS_LOG_ERR, "Error processing keytab file [%s]: "
905b4d
-                             "Principal [%s] was not found. "
905b4d
-                             "Unable to create GSSAPI-encrypted LDAP connection.",
905b4d
-                             KEYTAB_CLEAN_NAME, principal);
905b4d
-
905b4d
-        return EFAULT;
905b4d
-    }
905b4d
-
905b4d
-    return EOK;
905b4d
-}
905b4d
-
905b4d
-
905b4d
 enum matching_mode {MODE_NORMAL, MODE_PREFIX, MODE_POSTFIX};
905b4d
 /**
905b4d
  * We only have primary and instances stored separately, we need to
905b4d
diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h
905b4d
index 83c72097594dc24de1f8ac93d5394b6766a449f4..afa0d1943d8a23ae1543ae3874b5abbfbb4b3372 100644
905b4d
--- a/src/util/sss_krb5.h
905b4d
+++ b/src/util/sss_krb5.h
905b4d
@@ -70,9 +70,6 @@ void KRB5_CALLCONV sss_krb5_get_init_creds_opt_free (krb5_context context,
905b4d
 
905b4d
 void KRB5_CALLCONV sss_krb5_free_unparsed_name(krb5_context context, char *name);
905b4d
 
905b4d
-int sss_krb5_verify_keytab_ex(const char *principal, const char *keytab_name,
905b4d
-                              krb5_context context, krb5_keytab keytab);
905b4d
-
905b4d
 krb5_error_code find_principal_in_keytab(krb5_context ctx,
905b4d
                                          krb5_keytab keytab,
905b4d
                                          const char *pattern_primary,
905b4d
-- 
905b4d
1.9.3
905b4d