On Tue, Oct 09, 2012 at 11:38:57AM +0200, Ondrej Kos wrote:
> https://fedorahosted.org/sssd/ticket/1499
>
> Adds log message about not finding appropriate entry in keytab and using
> the last keytab entry when validation is enabled.
>
> Adds more information about validation into manpage.
>
> Patch is attached.
>
> O.
> --
> Ondrej Kos
> Associate Software Engineer
> Identity Management
> Red Hat Czech
>
> phone: +420-532-294-558
> cell: +420-736-417-909
> ext: 82-62558
> loc: 1/5C Brno 1 office
> irc: okos @ #brno
> diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml > index > f4fd1cb73941e23d8e39d234bf8fd2ae8ae54554..a67e4215f7e897afb37708695e56459cfa968f25 > 100644 > --- a/src/man/sssd-krb5.5.xml > +++ b/src/man/sssd-krb5.5.xml > @@ -231,7 +231,12 @@ > <term>krb5_validate (boolean)</term> > <listitem> > <para> > - Verify with the help of krb5_keytab that the TGT > obtained has not been spoofed. > + Verify with the help of krb5_keytab that the TGT > + obtained has not been spoofed. If there's no > entry with > + corresponding realm found in keytab, the last > one is used. > + This can be utilized to achieve validation in > enviroments > + with cross-realm trust by placing appropriate > keytab entry > + as the last one. For completeness I would add that the first entry with a matching realm is taken. This might be important to know because pam_krb5 uses a more elaborate scheme. For a future version we might want to add an option to switch to the scheme used by pam_krb5. bye, Sumit > </para> > <para> > Default: false > diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c > index > b2d5bdaeb9d4b1ac8de12055a4d6bb5a7f48a7f1..ff6a30147bb9d7edac7bab364d5d9004451f6ffb > 100644 > --- a/src/providers/krb5/krb5_child.c > +++ b/src/providers/krb5/krb5_child.c > @@ -696,6 +696,7 @@ static krb5_error_code validate_tgt(struct krb5_req *kr) > krb5_keytab_entry entry; > krb5_verify_init_creds_opt opt; > krb5_principal validation_princ = NULL; > + bool entry_found = false; > > memset(&keytab, 0, sizeof(keytab)); > kerr = krb5_kt_resolve(kr->ctx, kr->keytab, &keytab); 
> @@ -736,10 +737,17 @@ static krb5_error_code validate_tgt(struct krb5_req *kr) > if (krb5_realm_compare(kr->ctx, validation_princ, kr->princ)) { > DEBUG(SSSDBG_TRACE_INTERNAL, > ("Found keytab entry with the realm of the > credential.\n")); > + entry_found = true; > break; > } > } > > + if (!entry_found) { > + DEBUG(SSSDBG_TRACE_INTERNAL, > + ("Keytab entry with the realm of the credential not found " > + "in keytab. Using the last entry.\n")); > + } > + > /* Close the keytab here. Even though we're using cursors, the file > * handle is stored in the krb5_keytab structure, and it gets > * overwritten when the verify_init_creds() call below creates its own just a nitpick. entry_found is a bit misleading, because we always find an entry, at least the last one. e.g. realm_entry_found would be more precise. bye, Sumit _______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
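Review bot: in the sssd-krb5.5.xml hunk, "enviroments" in the new krb5_validate paragraph is misspelled; it should read "environments". The same paragraph would also benefit from stating that the first keytab entry whose realm matches the credential is the one used for validation, and only when no realm matches does the last entry act as the fallback, since that is exactly the ordering an administrator must get right when relying on the cross-realm advice given here.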
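Review bot: the first krb5_child.c hunk introduces `bool entry_found = false;` in validate_tgt(); the hunk does not show the includes, so please confirm that stdbool.h (or a project header that pulls it in) is already included in this file, otherwise `bool` will not compile.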
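Review bot: the new "Using the last entry" message in the second krb5_child.c hunk is logged at SSSDBG_TRACE_INTERNAL, a level that is normally off in production, yet the point of the ticket is to tell administrators that validation silently fell back to a keytab entry of a different realm. Consider a more visible level such as SSSDBG_MINOR_FAILURE (or at least SSSDBG_CONF_SETTINGS) so the fallback shows up without full trace logging, and, as already noted in the thread, rename the flag (e.g. realm_entry_found) since an entry is always found.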