Improve kgetcred support for name canon rules and document

Nicolas Williams
2011-10-20 13:16:34 -05:00
parent f4471b11d6
commit e1be4482ac
2 changed files with 19 additions and 36 deletions


@@ -48,10 +48,16 @@
.Fl Fl enctype= Ns Ar enctype .Fl Fl enctype= Ns Ar enctype
.Xc .Xc
.Oc .Oc
.Op Fl name-type= Ns Ar name-type
.Op Fl Fl no-transit-check .Op Fl Fl no-transit-check
.Op Fl Fl version .Op Fl Fl version
.Op Fl Fl help .Op Fl Fl help
.Ar service .Ar service
.Nm
.Op options
.Fl name-type= Ns Ar SRV_HST
.Ar service
.Ar hostname
.Sh DESCRIPTION .Sh DESCRIPTION
.Nm .Nm
obtains a ticket for a service. obtains a ticket for a service.
@@ -59,16 +65,25 @@ Usually tickets for services are obtained automatically when needed
but sometimes for some odd reason you want to obtain a particular but sometimes for some odd reason you want to obtain a particular
ticket or of a special type. ticket or of a special type.
.Pp .Pp
The second form applies hostname canonicalization using local name
canonicalization rules just as applications normally would, possibly
enabling canonicalization via referrals.
.Pp
Supported options: Supported options:
.Bl -tag -width Ds .Bl -tag -width Ds
.It Fl Fl canonicalize .It Fl Fl canonicalize
requests that the KDC canonicalize the principal. requests that the KDC canonicalize the principal.
.It Fl Fl name-type= Ns Ar name-type
the name-type to use when parsing the principal name.
.It Fl c Ar cache , Fl Fl cache= Ns Ar cache .It Fl c Ar cache , Fl Fl cache= Ns Ar cache
the credential cache to use. the credential cache to use.
.It Fl Fl delegation-credential-cache= Ns Ar cache
the credential cache to use for delegation.
.It Fl e Ar enctype , Fl Fl enctype= Ns Ar enctype .It Fl e Ar enctype , Fl Fl enctype= Ns Ar enctype
encryption type to use. encryption type to use.
.It Fl Fl no-transit-check .It Fl Fl no-transit-check
requests that the KDC doesn't do transit checking. requests that the KDC doesn't do transit checking.
.It Fl Fl forwardable
.It Fl Fl version .It Fl Fl version
.It Fl Fl help .It Fl Fl help
.El .El


@@ -189,7 +189,6 @@ main(int argc, char **argv)
if (nametype_str) { if (nametype_str) {
int32_t nametype; int32_t nametype;
int do_sn2p = 1;
char *sname = NULL; char *sname = NULL;
char *hname = NULL; char *hname = NULL;
@@ -197,46 +196,15 @@ main(int argc, char **argv)
if (ret) if (ret)
krb5_err(context, 1, ret, "krb5_parse_nametype"); krb5_err(context, 1, ret, "krb5_parse_nametype");
if (nametype == KRB5_NT_SRV_HST) { if (nametype == KRB5_NT_SRV_HST && argc == 2) {
if (argc == 1) {
char *cp;
for (cp = sname; *cp; cp++) {
if (cp[0] == '\\') {
cp++;
} else if (cp[0] == '@' && cp[1] != '\0') {
/* If a realm is given we assume no canon is needed */
do_sn2p = 0;
break;
}
}
if (do_sn2p) {
sname = argv[0];
for (cp = sname; *cp; cp++) {
if (cp[0] == '\\') {
cp++;
} else if (cp[0] == '/') {
*cp = '\0';
hname = cp + 1;
} else if (cp[0] == '@') {
*cp = '\0';
break;
}
}
}
} else if (argc == 2) {
sname = argv[0]; sname = argv[0];
hname = argv[1]; hname = argv[1];
} else if (argc != 0) {
usage(1);
}
ret = krb5_sname_to_principal(context, hname, sname, ret = krb5_sname_to_principal(context, hname, sname,
KRB5_NT_SRV_HST, &server); KRB5_NT_SRV_HST, &server);
if (ret) if (ret)
krb5_err(context, 1, ret, "krb5_sname_to_principal %s/%s", krb5_err(context, 1, ret, "krb5_sname_to_principal %s/%s",
(sname && *sname) ? sname : "<default>", (sname && *sname) ? sname : "<default>",
(hname && *hname) ? hname : "<default>"); (hname && *hname) ? hname : "<default>");
} else { } else {
if (argc != 1) if (argc != 1)
usage(1); usage(1);