author | Neng Xue <neng.xue@oracle.com> |
Mon, 26 Sep 2016 15:58:55 -0700 | |
changeset 6978 | 14cbeb78966a |
parent 6867 | 87f7fd05f888 |
permissions | -rw-r--r-- |
1 |
# |
2 |
# This patch provides support in kerberos for root acquiring a default cred via |
3 |
# either the root or host service principal keys, or the SAM account name key, in the keytab |
4 |
# if root doesn't have a cred already. Note that if root has a client keytab |
5 |
# provisioned then that will be used instead. |
6 |
# |
7 |
# This is Solaris-specific behavior that MIT will not take upstream. |
8 |
# Patch source: in-house |
9 |
# |
10 |
|
11 |
--- a/src/lib/gssapi/krb5/acquire_cred.c |
12 |
+++ b/src/lib/gssapi/krb5/acquire_cred.c |
13 |
@@ -77,6 +77,7 @@ |
14 |
#else |
15 |
#include <strings.h> |
16 |
#endif |
17 |
+#include <ctype.h> |
18 |
|
19 |
#ifdef USE_LEASH |
20 |
#ifdef _WIN64 |
21 |
@@ -88,6 +89,9 @@ static void (*pLeash_AcquireInitialTicketsIfNeeded)(krb5_context,krb5_principal, |
22 |
static HANDLE hLeashDLL = INVALID_HANDLE_VALUE; |
23 |
#endif |
24 |
|
25 |
+/* for solaris root fallback check */ |
26 |
+static char defktname[BUFSIZ]; |
27 |
+ |
28 |
#ifndef LEAN_CLIENT |
29 |
k5_mutex_t gssint_krb5_keytab_lock = K5_MUTEX_PARTIAL_INITIALIZER; |
30 |
static char *krb5_gss_keytab = NULL; |
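Review bot: `defktname` is a new file-scope mutable buffer and the one-line comment above it does not say what serializes writes to it; the neighbouring `gssint_krb5_keytab_lock` suggests keytab-related state in this file is lock-protected, but the code that fills the buffer is not in this hunk, so I cannot confirm. I would state the ownership in the comment, e.g. `/* Default keytab name for the Solaris root fallback; TODO confirm which lock (gssint_krb5_keytab_lock?) guards writes to it. */`. Note also that `krb5_gss_keytab` directly below is declared under `#ifndef LEAN_CLIENT` while `defktname` is unconditional; if the fallback is only built for non-lean clients, the buffer becomes an unused static there.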
31 |
@@ -590,6 +594,151 @@ kg_cred_set_initial_refresh(krb5_context context, krb5_gss_cred_id_rec *cred, |
32 |
set_refresh_time(context, cred->ccache, refresh); |
33 |
} |
34 |
|
35 |
+#define SAM_ACCOUNT_LEN 17 /* 15:hostname + 1:$ + 1:\0 */ |
36 |
+krb5_error_code |
37 |
+get_sam_account_name(char **name) |
38 |
+{ |
39 |
+ char *p, localname[SAM_ACCOUNT_LEN]; |
40 |
+ |
41 |
+ if (name == NULL) |
42 |
+ return (EINVAL); |
43 |
+ |
44 |
+ if (gethostname(localname, SAM_ACCOUNT_LEN) != 0) |
45 |
+ return (errno); |
46 |
+ |
47 |
+ localname[SAM_ACCOUNT_LEN - 2] = '\0'; |
48 |
+ |
49 |
+ if ((p = strchr(localname, '.')) != NULL) |
50 |
+ *p = '\0'; |
51 |
+ |
52 |
+ for (p = localname; *p; p++) |
53 |
+ *p = toupper(*p); |
54 |
+ |
55 |
+ (void) strlcat(localname, "$", SAM_ACCOUNT_LEN); |
56 |
+ |
57 |
+ *name = strdup(localname); |
58 |
+ if (*name == NULL) |
59 |
+ return (ENOMEM); |
60 |
+ |
61 |
+ return (0); |
62 |
+} |
63 |
+ |
64 |
+krb5_error_code krb5_kt_find_realm(krb5_context, krb5_keytab, krb5_principal, |
65 |
+ krb5_data *); |
66 |
+ |
67 |
+static krb5_error_code |
68 |
+get_root_initcred_keytab(krb5_context context, |
69 |
+ krb5_creds *kcreds, |
70 |
+ krb5_gss_cred_id_rec *gsscred, |
71 |
+ const char *name, |
72 |
+ krb5_int32 type, |
73 |
+ krb5_get_init_creds_opt *opt) |
74 |
+{ |
75 |
+ krb5_principal client_princ; |
76 |
+ krb5_error_code code; |
77 |
+ |
78 |
+ if (type == KRB5_NT_SRV_HST) { |
79 |
+ code = krb5_sname_to_principal(context, NULL, name, type, |
80 |
+ &client_princ); |
81 |
+ } else { |
82 |
+ /* Assuming KRB5_NT_PRINCIPAL */ |
83 |
+ code = krb5_parse_name(context, name, &client_princ); |
84 |
+ } |
85 |
+ if (code) |
86 |
+ return code; |
87 |
+ |
88 |
+ if (krb5_is_referral_realm(&client_princ->realm)) { |
89 |
+ krb5_data realm; |
90 |
+ |
91 |
+ code = krb5_kt_find_realm(context, gsscred->client_keytab, |
92 |
+ client_princ, &realm); |
93 |
+ if (code == 0) { |
94 |
+ krb5_free_data_contents(context, &client_princ->realm); |
95 |
+ client_princ->realm.length = realm.length; |
96 |
+ client_princ->realm.data = realm.data; |
97 |
+ } else { |
98 |
+ /* Try to set a useful error message */ |
99 |
+ char *princ_name = NULL; |
100 |
+ char kt_name[BUFSIZ]; |
101 |
+ |
102 |
+ (void) krb5_unparse_name(context, client_princ, &princ_name); |
103 |
+ (void) krb5_kt_get_name(context, gsscred->client_keytab, kt_name, |
104 |
+ BUFSIZ); |
105 |
+ krb5_set_error_message(context, code, |
106 |
+ _("Failed to find realm for %s in " |
107 |
+ "keytab %s"), |
108 |
+ princ_name != NULL ? princ_name : "unknown", |
109 |
+ kt_name); |
110 |
+ krb5_free_unparsed_name(context, princ_name); |
111 |
+ } |
112 |
+ } |
113 |
+ if (code) |
114 |
+ goto cleanup; |
115 |
+ |
116 |
+ code = krb5_get_init_creds_keytab(context, kcreds, client_princ, |
117 |
+ gsscred->client_keytab, 0, NULL, opt); |
118 |
+ if (code == 0) { |
119 |
+ /* set the gsscred name to that of the princ for which an init cred was |
120 |
+ * acquired. */ |
121 |
+ if (gsscred->name != NULL) |
122 |
+ (void) kg_release_name(context, &gsscred->name); |
123 |
+ |
124 |
+ code = kg_init_name(context, client_princ, NULL, NULL, NULL, |
125 |
+ KG_INIT_NAME_NO_COPY, &gsscred->name); |
126 |
+ /* Since KG_INIT_NAME_NO_COPY is set do not free client_princ if |
127 |
+ * kg_init_name succeeds. */ |
128 |
+ if (code == 0) |
129 |
+ return 0; |
130 |
+ else |
131 |
+ krb5_free_cred_contents(context, kcreds); |
132 |
+ } |
133 |
+ |
134 |
+cleanup: |
135 |
+ krb5_free_principal(context, client_princ); |
136 |
+ return code; |
137 |
+} |
138 |
+ |
139 |
+/* |
140 |
+ * This implements long time Solaris behavior where processes running as root |
141 |
+ * will try to acquire an init cred via the default/system keytab. The root, |
142 |
+ * host and SAM princs are tried in that order until one succeeds or they all |
143 |
+ * fail. |
144 |
+ */ |
145 |
+static krb5_error_code |
146 |
+root_init_cred_kt_fallback(krb5_context context, |
147 |
+ krb5_creds *kcreds, |
148 |
+ krb5_gss_cred_id_rec *gsscred, |
149 |
+ krb5_get_init_creds_opt *opt) |
150 |
+{ |
151 |
+ char *sam_name = NULL; |
152 |
+ krb5_error_code code; |
153 |
+ |
154 |
+ /* Try the root/<FQDN> service princ in system keytab */ |
155 |
+ code = get_root_initcred_keytab(context, kcreds, gsscred, "root", |
156 |
+ KRB5_NT_SRV_HST, opt); |
157 |
+ if (code == 0) |
158 |
+ goto out; |
159 |
+ |
160 |
+ /* Try the host/<FQDN> service princ in system keytab if the root princ |
161 |
+ * wasn't found */ |
162 |
+ code = get_root_initcred_keytab(context, kcreds, gsscred, "host", |
163 |
+ KRB5_NT_SRV_HST, opt); |
164 |
+ if (code == 0) |
165 |
+ goto out; |
166 |
+ |
167 |
+ /* Try the SAM account princ in system keytab if the host service princ |
168 |
+ * wasn't found for MS interop sake */ |
169 |
+ code = get_sam_account_name(&sam_name); |
170 |
+ if (code) |
171 |
+ goto out; |
172 |
+ |
173 |
+ code = get_root_initcred_keytab(context, kcreds, gsscred, sam_name, |
174 |
+ KRB5_NT_PRINCIPAL, opt); |
175 |
+ free(sam_name); |
176 |
+out: |
177 |
+ return code; |
178 |
+} |
179 |
+ |
180 |
/* Get initial credentials using the supplied password or client keytab. */ |
181 |
static krb5_error_code |
182 |
get_initial_cred(krb5_context context, krb5_gss_cred_id_rec *cred) |
183 |
@@ -609,8 +758,41 @@ get_initial_cred(krb5_context context, krb5_gss_cred_id_rec *cred) |
184 |
cred->password, NULL, NULL, 0, |
185 |
NULL, opt); |
186 |
} else if (cred->client_keytab != NULL) { |
187 |
- code = krb5_get_init_creds_keytab(context, &creds, cred->name->princ, |
188 |
- cred->client_keytab, 0, NULL, opt); |
189 |
+ if (krb5_getuid() == 0) { |
190 |
+ char clientktname[BUFSIZ]; |
191 |
+ |
192 |
+ /* assuming we only need to get the default keytab name once */ |
193 |
+ if (defktname[0] == '\0') { |
194 |
+ code = krb5_kt_default_name(context, defktname, |
195 |
+ sizeof(defktname)); |
196 |
+ if (code) |
197 |
+ goto cleanup; |
198 |
+ } |
199 |
+ |
200 |
+ code = krb5_kt_get_name(context, cred->client_keytab, clientktname, |
201 |
+ sizeof(clientktname)); |
202 |
+ if (code) |
203 |
+ goto cleanup; |
204 |
+ |
205 |
+ /* |
206 |
+ * If the client keytab name is the same as the system default |
207 |
+ * keytab and we are root then we need to use the Solaris root |
208 |
+ * fallback behavior in root_init_cred_kt_fallback(). |
209 |
+ */ |
210 |
+ if (strcmp(defktname, clientktname) == 0) { |
211 |
+ code = root_init_cred_kt_fallback(context, &creds, cred, opt); |
212 |
+ } else { |
213 |
+ code = krb5_get_init_creds_keytab(context, &creds, |
214 |
+ cred->name->princ, |
215 |
+ cred->client_keytab, 0, NULL, |
216 |
+ opt); |
217 |
+ } |
218 |
+ } else { |
219 |
+ code = krb5_get_init_creds_keytab(context, &creds, |
220 |
+ cred->name->princ, |
221 |
+ cred->client_keytab, 0, NULL, |
222 |
+ opt); |
223 |
+ } |
224 |
} else { |
225 |
code = KRB5_KT_NOTFOUND; |
226 |
} |
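Review bot: The default keytab name is cached in `defktname`, which is not declared in this hunk and so is presumably a file-scope static; a one-shot cache filled without any lock means concurrent initiators in a multithreaded process can read a half-written buffer and take the wrong side of the `strcmp`, and it also pins the first context's default keytab name onto every later context even though krb5_kt_default_name() is a per-context (profile / KRB5_KTNAME) lookup. The lookup is cheap, so drop the `if (defktname[0] == '\0')` guard, declare `char defktname[BUFSIZ];` next to `clientktname`, and call `code = krb5_kt_default_name(context, defktname, sizeof(defktname));` unconditionally. Separately, as far as I recall krb5_kt_get_name() returns the name with its `FILE:` type prefix while krb5_kt_default_name() returns the configured string as-is, so a default keytab configured as a bare path would never compare equal and root would silently skip the fallback; normalising both names (or comparing resolved keytabs) would be more robust, and a comment stating which form is expected would help either way. get_initial_cred continues past the hunk, so the `cleanup` label and the handling of `code` after this block are not visible here.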
227 |
@@ -700,6 +882,23 @@ acquire_init_cred(krb5_context context, |
228 |
krb5_clear_error_message(context); |
229 |
code = 0; |
230 |
} |
231 |
+ /* |
232 |
+ * The logic below is involved in providing support for Solaris |
233 |
+ * behavior where root processes will fall back to acquiring an initial |
234 |
+ * cred via the system/default keytab. The idea is that if the |
235 |
+ * client_keytab could not be resolved or it doesn't exist then set the |
236 |
+ * client_keytab field to the system/default keytab. |
237 |
+ */ |
238 |
+ if (krb5_getuid() == 0) { |
239 |
+ if (cred->client_keytab == NULL || |
240 |
+ krb5_kt_have_content(context, cred->client_keytab) != 0) { |
241 |
+ |
242 |
+ if (cred->client_keytab != NULL) |
243 |
+ krb5_kt_close(context, cred->client_keytab); |
244 |
+ |
245 |
+ code = krb5_kt_default(context, &cred->client_keytab); |
246 |
+ } |
247 |
+ } |
248 |
} |
249 |
if (code) |
250 |
goto error; |
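Review bot: After `krb5_kt_close(context, cred->client_keytab)` the closed handle is left in `cred->client_keytab` until `krb5_kt_default` overwrites it; if that call fails without touching its out-pointer, the `goto error` that follows presumably releases `cred` with a dangling keytab handle and closes it a second time. Clear it explicitly, `cred->client_keytab = NULL;` immediately after the close, and consider checking rather than discarding krb5_kt_close's return value. Also, `krb5_kt_have_content() != 0` reports an unreadable or wrongly typed client keytab the same way as a nonexistent or empty one, so a root process whose client keytab is temporarily unreadable will silently authenticate as host/<FQDN> (or root/<FQDN>) from the system keytab instead of failing; a comment stating that this widening of the fallback is intentional, or a check that only falls back on KRB5_KT_NOTFOUND, would make the trust decision explicit. acquire_init_cred continues outside the hunk, so the `error` label's cleanup is not visible here.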
251 |
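--- a/src/lib/krb5/keytab/Makefile.in
+++ b/src/lib/krb5/keytab/Makefile.in
@@ -13,6 +13,7 @@ STLIBOBJS= \
 ktremove.o \
 ktfns.o \
 kt_file.o \
+ kt_findrealm.o \
 kt_memory.o \
 kt_srvtab.o \
 read_servi.o \
@@ -26,6 +27,7 @@ OBJS= \
 $(OUTPRE)ktremove.$(OBJEXT) \
 $(OUTPRE)ktfns.$(OBJEXT) \
 $(OUTPRE)kt_file.$(OBJEXT) \
+ $(OUTPRE)kt_findrealm.$(OBJEXT) \
 $(OUTPRE)kt_memory.$(OBJEXT) \
 $(OUTPRE)kt_srvtab.$(OBJEXT) \
 $(OUTPRE)read_servi.$(OBJEXT) \
@@ -39,6 +41,7 @@ SRCS= \
 $(srcdir)/ktremove.c \
 $(srcdir)/ktfns.c \
 $(srcdir)/kt_file.c \
+ $(srcdir)/kt_findrealm.c \
 $(srcdir)/kt_memory.c \
 $(srcdir)/kt_srvtab.c \
 $(srcdir)/read_servi.c \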