diff --git a/kadmin/ext.c b/kadmin/ext.c index 8bf10be74..90d3328cd 100644 --- a/kadmin/ext.c +++ b/kadmin/ext.c @@ -48,12 +48,17 @@ do_ext_keytab(krb5_principal principal, void *data) krb5_keyblock *k = NULL; size_t i; int n_k = 0; + char *unparsed = NULL; ret = kadm5_get_principal(kadm_handle, principal, &princ, KADM5_PRINCIPAL|KADM5_KVNO|KADM5_KEY_DATA); if (ret) return ret; + ret = krb5_unparse_name(context, principal, &unparsed); + if (ret) + goto out; + if (princ.n_key_data) { keys = calloc(sizeof(*keys), princ.n_key_data); if (keys == NULL) { @@ -62,15 +67,22 @@ do_ext_keytab(krb5_principal principal, void *data) } for (i = 0; i < princ.n_key_data; i++) { krb5_key_data *kd = &princ.key_data[i]; + int warned = 0; /* * If the kadm5 client princ lacks get-keys then it may get * bogus keys four bytes long. */ - if (kd->key_data_length[0] == sizeof (KADM5_BOGUS_KEY_DATA) - 1 && - memcmp(kd->key_data_contents[0], KADM5_BOGUS_KEY_DATA, - kd->key_data_length[0]) == 0) + if ((kd->key_data_length[0] == sizeof (KADM5_BOGUS_KEY_DATA) - 1) + && (ct_memcmp(kd->key_data_contents[0], KADM5_BOGUS_KEY_DATA, + kd->key_data_length[0]) == 0)) { + if (!warned) { + krb5_warnx(context, "user lacks get-keys privilege for %s", + unparsed); + warned = 1; + } continue; + } keys[i].principal = princ.principal; keys[i].vno = kd->key_data_kvno; @@ -104,7 +116,7 @@ do_ext_keytab(krb5_principal principal, void *data) for (i = 0; i < n_k; i++) { ret = krb5_kt_add_entry(context, e->keytab, &keys[i]); if (ret) - krb5_warn(context, ret, "krb5_kt_add_entry(%d)", i); + krb5_warn(context, ret, "krb5_kt_add_entry(%lu)", (unsigned long)i); } out: @@ -113,6 +125,7 @@ do_ext_keytab(krb5_principal principal, void *data) memset(k, 0, n_k * sizeof(*k)); free(k); } + free(unparsed); free(keys); return 0; }