

LDAP: Move sss_krb5_verify_keytab_ex to ldap_child
The function was called from one place only, so it makes no sense to
keep it in a shared module. Moreover, the function should only be
called from code that runs as root.

Reviewed-by: Michal Židek <[email protected]>
jhrozek committed Nov 5, 2014
1 parent 45414c1 commit 0348c74
Showing 3 changed files with 78 additions and 80 deletions.
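--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -160,6 +160,83 @@ set_child_debugging(krb5_context ctx)
 return EOK;
 }
 
+static int lc_verify_keytab_ex(const char *principal,
+const char *keytab_name,
+krb5_context context,
+krb5_keytab keytab)
+{
+bool found;
+char *kt_principal;
+krb5_error_code krberr;
+krb5_kt_cursor cursor;
+krb5_keytab_entry entry;
+
+krberr = krb5_kt_start_seq_get(context, keytab, &cursor);
+if (krberr) {
+DEBUG(SSSDBG_FATAL_FAILURE,
+"Cannot read keytab [%s].\n", KEYTAB_CLEAN_NAME);
+
+sss_log(SSS_LOG_ERR, "Error reading keytab file [%s]: [%d][%s]. "
+"Unable to create GSSAPI-encrypted LDAP "
+"connection.",
+KEYTAB_CLEAN_NAME, krberr,
+sss_krb5_get_error_message(context, krberr));
+
+return EIO;
+}
+
+found = false;
+while ((krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
+krberr = krb5_unparse_name(context, entry.principal, &kt_principal);
+if (krberr) {
+DEBUG(SSSDBG_FATAL_FAILURE,
+"Could not parse keytab entry\n");
+sss_log(SSS_LOG_ERR, "Could not parse keytab entry\n");
+return EIO;
+}
+
+if (strcmp(principal, kt_principal) == 0) {
+found = true;
+}
+free(kt_principal);
+krberr = sss_krb5_free_keytab_entry_contents(context, &entry);
+if (krberr) {
+/* This should never happen. The API docs for this function
+* specify only success for this function
+*/
+DEBUG(SSSDBG_CRIT_FAILURE,"Could not free keytab entry contents\n");
+/* This is non-fatal, so we'll continue here */
+}
+
+if (found) {
+break;
+}
+}
+
+krberr = krb5_kt_end_seq_get(context, keytab, &cursor);
+if (krberr) {
+DEBUG(SSSDBG_FATAL_FAILURE, "Could not close keytab.\n");
+sss_log(SSS_LOG_ERR, "Could not close keytab file [%s].",
+KEYTAB_CLEAN_NAME);
+return EIO;
+}
+
+if (!found) {
+DEBUG(SSSDBG_FATAL_FAILURE,
+"Principal [%s] not found in keytab [%s]\n",
+principal,
+KEYTAB_CLEAN_NAME);
+sss_log(SSS_LOG_ERR, "Error processing keytab file [%s]: "
+"Principal [%s] was not found. "
+"Unable to create GSSAPI-encrypted LDAP connection.",
+KEYTAB_CLEAN_NAME, principal);
+
+return EFAULT;
+}
+
+return EOK;
+}
+
 static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
 const char *realm_str,
 const char *princ_str,
@@ -287,7 +364,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
 }
 
 /* Verify the keytab */
-ret = sss_krb5_verify_keytab_ex(full_princ, keytab_name, context, keytab);
+ret = lc_verify_keytab_ex(full_princ, keytab_name, context, keytab);
 if (ret) {
 DEBUG(SSSDBG_OP_FAILURE,
 "Unable to verify principal is present in the keytab\n");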
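--- a/src/util/sss_krb5.c
+++ b/src/util/sss_krb5.c
@@ -247,82 +247,6 @@ errno_t select_principal_from_keytab(TALLOC_CTX *mem_ctx,
 return ret;
 }
 
-int sss_krb5_verify_keytab_ex(const char *principal, const char *keytab_name,
-krb5_context context, krb5_keytab keytab)
-{
-bool found;
-char *kt_principal;
-krb5_error_code krberr;
-krb5_kt_cursor cursor;
-krb5_keytab_entry entry;
-
-krberr = krb5_kt_start_seq_get(context, keytab, &cursor);
-if (krberr) {
-DEBUG(SSSDBG_FATAL_FAILURE,
-"Cannot read keytab [%s].\n", KEYTAB_CLEAN_NAME);
-
-sss_log(SSS_LOG_ERR, "Error reading keytab file [%s]: [%d][%s]. "
-"Unable to create GSSAPI-encrypted LDAP "
-"connection.",
-KEYTAB_CLEAN_NAME, krberr,
-sss_krb5_get_error_message(context, krberr));
-
-return EIO;
-}
-
-found = false;
-while((krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){
-krberr = krb5_unparse_name(context, entry.principal, &kt_principal);
-if (krberr) {
-DEBUG(SSSDBG_FATAL_FAILURE,
-"Could not parse keytab entry\n");
-sss_log(SSS_LOG_ERR, "Could not parse keytab entry\n");
-return EIO;
-}
-
-if (strcmp(principal, kt_principal) == 0) {
-found = true;
-}
-free(kt_principal);
-krberr = sss_krb5_free_keytab_entry_contents(context, &entry);
-if (krberr) {
-/* This should never happen. The API docs for this function
-* specify only success for this function
-*/
-DEBUG(SSSDBG_CRIT_FAILURE,"Could not free keytab entry contents\n");
-/* This is non-fatal, so we'll continue here */
-}
-
-if (found) {
-break;
-}
-}
-
-krberr = krb5_kt_end_seq_get(context, keytab, &cursor);
-if (krberr) {
-DEBUG(SSSDBG_FATAL_FAILURE, "Could not close keytab.\n");
-sss_log(SSS_LOG_ERR, "Could not close keytab file [%s].",
-KEYTAB_CLEAN_NAME);
-return EIO;
-}
-
-if (!found) {
-DEBUG(SSSDBG_FATAL_FAILURE,
-"Principal [%s] not found in keytab [%s]\n",
-principal,
-KEYTAB_CLEAN_NAME);
-sss_log(SSS_LOG_ERR, "Error processing keytab file [%s]: "
-"Principal [%s] was not found. "
-"Unable to create GSSAPI-encrypted LDAP connection.",
-KEYTAB_CLEAN_NAME, principal);
-
-return EFAULT;
-}
-
-return EOK;
-}
-
-
 enum matching_mode {MODE_NORMAL, MODE_PREFIX, MODE_POSTFIX};
 /**
 * We only have primary and instances stored separately, we need to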
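--- a/src/util/sss_krb5.h
+++ b/src/util/sss_krb5.h
@@ -70,9 +70,6 @@ void KRB5_CALLCONV sss_krb5_get_init_creds_opt_free (krb5_context context,
 
 void KRB5_CALLCONV sss_krb5_free_unparsed_name(krb5_context context, char *name);
 
-int sss_krb5_verify_keytab_ex(const char *principal, const char *keytab_name,
-krb5_context context, krb5_keytab keytab);
-
 krb5_error_code find_principal_in_keytab(krb5_context ctx,
 krb5_keytab keytab,
 const char *pattern_primary,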

