URL: https://github.com/SSSD/sssd/pull/5647 Author: elkoniu Title: #5647: krb5_child: Honor Kerberos keytab location Action: synchronized
From 77a519a15d862cac7ed6be4de4a0ac264a2c0027 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Po=C5=82awski?= <ppola...@redhat.com>
Date: Sun, 23 May 2021 03:41:03 +0200
Subject: [PATCH] krb5_child: Honor Kerberos keytab location

Kerberos keytab location can be specified per domain in sssd.conf. If it is not specified - default path is used: /etc/krb5.keytab The problem is that default path itself can be redefined for kerberos by adding entry in krb5.conf: [libdefaults] default_keytab_name = /<PATH>/krb5.keytab krb5_child will still use /etc/krb5.keytab as default value which will cause an error. This patch adds config checking to krb5_child. If keytab parameter will be set to /etc/krb5.keytab, krb5_child will validate it against krb5.conf and eventually overwritte with value presented there.
---
 src/man/sssd-krb5.5.xml | 2 +-
 src/providers/ad/ad_opts.c | 2 +-
 src/providers/krb5/krb5_child_handler.c | 22 ++++++++++++++++++++--
 src/providers/krb5/krb5_opts.c | 2 +-
 4 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
index e46d1fbf0c..4a415ac143 100644
--- a/src/man/sssd-krb5.5.xml
+++ b/src/man/sssd-krb5.5.xml
@@ -244,7 +244,7 @@
 credentials obtained from KDCs.
 </para>
 <para>
- Default: /etc/krb5.keytab
+ Default: System keytab, normally <filename>/etc/krb5.keytab</filename>
 </para>
 </listitem>
 </varlistentry>
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
index e7295567a0..ed65d78c0e 100644
--- a/src/providers/ad/ad_opts.c
+++ b/src/providers/ad/ad_opts.c
@@ -173,7 +173,7 @@ struct dp_option ad_def_krb5_opts[] = {
 { "krb5_ccachedir", DP_OPT_STRING, { DEFAULT_CCACHE_DIR }, NULL_STRING },
 { "krb5_ccname_template", DP_OPT_STRING, NULL_STRING, NULL_STRING},
 { "krb5_auth_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER },
- { "krb5_keytab", DP_OPT_STRING, { "/etc/krb5.keytab" }, NULL_STRING },
+ { "krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "krb5_validate", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
 { "krb5_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "krb5_backup_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING },
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
index f601bb7b8e..d758df3d76 100644
--- a/src/providers/krb5/krb5_child_handler.c
+++ b/src/providers/krb5/krb5_child_handler.c
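Review bot: Dropping the `/etc/krb5.keytab` default for `krb5_keytab` here (and in the matching `default_krb5_opts` entry in src/providers/krb5/krb5_opts.c) means `dp_opt_get_cstring(opts, KRB5_KEYTAB)` now returns NULL by default for every consumer, while the fallback to `krb5_kt_default_name()` is added only inside `create_send_buffer()`. Any other reader of `KRB5_KEYTAB` in the krb5, AD or IPA providers that relied on the non-NULL default is not visible on this page and should be checked before this lands, since a NULL keytab path would previously have been unexpected there. If such readers exist, resolving the libkrb5 default once when the option table is loaded and storing it back into the option would keep a single source of truth instead of per-request lookups. A short comment on the entry, `/* NULL_STRING: fall back to the libkrb5 default keytab, see create_send_buffer() */`, would make the intentional NULL default obvious to the next reader.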
@@ -116,11 +116,29 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
 uint32_t posix_domain = 0;
 size_t username_len = 0;
 errno_t ret;
+ krb5_error_code kerr;
+ char krb5_conf_keytab[MAX_KEYTAB_NAME_LEN];
 
 keytab = dp_opt_get_cstring(kr->krb5_ctx->opts, KRB5_KEYTAB);
 if (keytab == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Missing keytab option.\n");
- return EINVAL;
+ DEBUG(SSSDBG_TRACE_FUNC, "Missing krb5_keytab option for krb5_child\n");
+
+ kerr = krb5_kt_default_name(kr->krb5_ctx, krb5_conf_keytab, sizeof(krb5_conf_keytab));
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get default keytab location from krb.conf\n");
+ return EINVAL;
+ }
+ DEBUG(SSSDBG_TRACE_FUNC, "krb5_kt_default_name() returned: %s\n", krb5_conf_keytab);
+
+ // krb5_kt_default_name() can return file path with "FILE:" prefix,
+ // it need to be removed before sending result to krb5_child
+ if (0 == strncmp(krb5_conf_keytab, "FILE:", strlen("FILE:"))) {
+ keytab = krb5_conf_keytab + strlen("FILE:");
+ } else {
+ keytab = krb5_conf_keytab;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "krb5_child will default to: %s\n", keytab);
 }
 
 validate = dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_VALIDATE) ? 1 : 0;
diff --git a/src/providers/krb5/krb5_opts.c b/src/providers/krb5/krb5_opts.c
index 47a101bdb5..a72617e623 100644
--- a/src/providers/krb5/krb5_opts.c
+++ b/src/providers/krb5/krb5_opts.c
@@ -29,7 +29,7 @@ struct dp_option default_krb5_opts[] = {
 { "krb5_ccachedir", DP_OPT_STRING, { DEFAULT_CCACHE_DIR }, NULL_STRING },
 { "krb5_ccname_template", DP_OPT_STRING, NULL_STRING, NULL_STRING},
 { "krb5_auth_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER },
- { "krb5_keytab", DP_OPT_STRING, { "/etc/krb5.keytab" }, NULL_STRING },
+ { "krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "krb5_validate", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
 { "krb5_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "krb5_backup_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING },
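Review bot: `krb5_kt_default_name()` takes a libkrb5 `krb5_context` as its first argument, yet the hunk passes `kr->krb5_ctx`, the same pointer whose `->opts` member is dereferenced two lines above; unless that member really lives on a `krb5_context` (it looks like SSSD's own `struct krb5_ctx`), this hands libkrb5 an unrelated object to read as its context. Obtain a context with `krb5_init_context()` for the call and release it with `krb5_free_context()`, or resolve the default once at provider initialization instead of on every request. The fallback also only strips a `FILE:` prefix, so a `default_keytab_name` of another type (e.g. `KEYRING:`) would reach krb5_child as a bare path; either reject non-`FILE:` values with a clear error or say so in the comment, which should also read "it needs to be removed". The failure-path log string should say `krb5.conf`, not `krb.conf`. `create_send_buffer()` continues past the hunk; `keytab` now points into the stack buffer `krb5_conf_keytab`, so it must be copied into the send buffer before the function returns.
```c
    if (keytab == NULL) {
        krb5_context kctx = NULL;

        DEBUG(SSSDBG_TRACE_FUNC, "Missing krb5_keytab option for krb5_child\n");

        kerr = krb5_init_context(&kctx);
        if (kerr != 0) {
            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize krb5 context\n");
            return EINVAL;
        }
        kerr = krb5_kt_default_name(kctx, krb5_conf_keytab, sizeof(krb5_conf_keytab));
        krb5_free_context(kctx);
        if (kerr != 0) {
            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get default keytab location from krb5.conf\n");
            return EINVAL;
        }
        // … unchanged: "FILE:" prefix handling and trace logging …
```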