oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

gssapi: support for client keytab in gss_acquire_cred (#383)

Browse Source 
For compatibility with MIT Kerberos, support automatic acquisition of initiator
credentials if a client keytab is available. The default path on non-Windows is
/var/heimdal/user/%{euid}/client.keytab, but can be overriden with the
KRB5_CLIENT_KTNAME environment variable or the default_client_keytab_name
configuration option. If a client keytab does not exist, or exists but does not
contain the principal for which initiator credentials are being acquired, the
system keytab is tried.
This commit is contained in:
Luke Howard
2018-12-31 16:13:20 +11:00
parent 58b77bb485
commit af0d8ef677
7 changed files with 55 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
lib/gssapi/krb5/acquire_cred.c
View File

@@ -58,7 +58,7 @@ __gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
static krb5_error_code
get_keytab(krb5_context context, krb5_keytab *keytab)
get_system_keytab(krb5_context context, krb5_keytab *keytab)
{
krb5_error_code kret;
@@ -80,6 +80,33 @@ get_keytab(krb5_context context, krb5_keytab *keytab)
return (kret);
}
static krb5_error_code
get_client_keytab(krb5_context context,
krb5_const_principal principal,
krb5_keytab *keytab)
{
krb5_error_code ret;
char *name = NULL;
ret = _krb5_kt_client_default_name(context, &name);
if (ret == 0)
ret = krb5_kt_resolve(context, name, keytab);
if (ret == 0 && principal) {
krb5_keytab_entry entry;
ret = krb5_kt_get_entry(context, *keytab, principal,
0, 0, &entry);
if (ret == 0)
krb5_kt_free_entry(context, &entry);
}
krb5_xfree(name);
if (ret)
ret = get_system_keytab(context, keytab);
return ret;
}
/*
* This function produces a cred with a MEMORY ccache containing a TGT
* acquired with a password.
@@ -292,7 +319,7 @@ try_keytab:
if (kret)
goto end;
}
kret = get_keytab(context, &keytab);
kret = get_client_keytab(context, handle->principal, &keytab);
if (kret)
goto end;
@@ -380,7 +407,7 @@ acquire_acceptor_cred(OM_uint32 * minor_status,
ret = GSS_S_FAILURE;
kret = get_keytab(context, &handle->keytab);
kret = get_system_keytab(context, &handle->keytab);
if (kret)
goto end;