Removed warnings from krb5_util.c
[nfs-utils.git] / utils / gssd / krb5_util.c
index 1295f5776eb78bc6e6154d8e80ca111fbbe8c3a2..f071600de4adbfb0667b6cf81f02c892ca9884aa 100644 (file)
@@ -224,6 +224,13 @@ gssd_find_existing_krb5_ccache(uid_t uid, char *dirname, struct dirent **d)
                                free(namelist[i]);
                                continue;
                        }
+                       if (uid == 0 && !root_uses_machine_creds && 
+                               strstr(namelist[i]->d_name, "_machine_")) {
+                               printerr(3, "CC file '%s' not available to root\n",
+                                        statname);
+                               free(namelist[i]);
+                               continue;
+                       }
                        if (!query_krb5_ccache(buf, &princname, &realm)) {
                                printerr(3, "CC file '%s' is expired or corrupt\n",
                                         statname);
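Review bot: The new root check `strstr(namelist[i]->d_name, "_machine_")` decides whether a credential cache is off-limits to uid 0 from a substring found anywhere in the file name, and nothing beside it explains the policy. Any cache whose name merely contains that text is skipped for root, and the literal must stay in step with whatever code names the machine cache, which is not visible in this hunk. I would add a comment above the test such as `/* root may use the machine ccache only when root_uses_machine_creds is set */`. If the machine cache name has a fixed prefix, comparing against that prefix would be tighter than searching the whole name. The enclosing function starts and ends outside the hunk.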
@@ -292,61 +299,6 @@ gssd_find_existing_krb5_ccache(uid_t uid, char *dirname, struct dirent **d)
        return err;
 }
 
-
-#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
-/*
- * this routine obtains a credentials handle via gss_acquire_cred()
- * then calls gss_krb5_set_allowable_enctypes() to limit the encryption
- * types negotiated.
- *
- * XXX Should call some function to determine the enctypes supported
- * by the kernel. (Only need to do that once!)
- *
- * Returns:
- *     0 => all went well
- *     -1 => there was an error
- */
-
-int
-limit_krb5_enctypes(struct rpc_gss_sec *sec, uid_t uid)
-{
-       u_int maj_stat, min_stat;
-       gss_cred_id_t credh;
-       gss_OID_set_desc  desired_mechs;
-       krb5_enctype enctypes[] = { ENCTYPE_DES_CBC_CRC,
-                                   ENCTYPE_DES_CBC_MD5,
-                                   ENCTYPE_DES_CBC_MD4 };
-       int num_enctypes = sizeof(enctypes) / sizeof(enctypes[0]);
-
-       /* We only care about getting a krb5 cred */
-       desired_mechs.count = 1;
-       desired_mechs.elements = &krb5oid;
-
-       maj_stat = gss_acquire_cred(&min_stat, NULL, 0,
-                                   &desired_mechs, GSS_C_INITIATE,
-                                   &credh, NULL, NULL);
-
-       if (maj_stat != GSS_S_COMPLETE) {
-               if (get_verbosity() > 0)
-                       pgsserr("gss_acquire_cred",
-                               maj_stat, min_stat, &krb5oid);
-               return -1;
-       }
-
-       maj_stat = gss_set_allowable_enctypes(&min_stat, credh, &krb5oid,
-                                            num_enctypes, &enctypes);
-       if (maj_stat != GSS_S_COMPLETE) {
-               pgsserr("gss_set_allowable_enctypes",
-                       maj_stat, min_stat, &krb5oid);
-               gss_release_cred(&min_stat, &credh);
-               return -1;
-       }
-       sec->cred = credh;
-
-       return 0;
-}
-#endif /* HAVE_SET_ALLOWABLE_ENCTYPES */
-
 /*
  * Obtain credentials via a key in the keytab given
  * a keytab handle and a gssd_k5_kt_princ structure.
@@ -661,24 +613,32 @@ out:
  * and has *any* instance (hostname), return 1.
  * Otherwise return 0, indicating no match.
  */
+#ifdef HAVE_KRB5
 static int
-realm_and_service_match(krb5_context context, krb5_principal p,
-                       const char *realm, const char *service)
+realm_and_service_match(krb5_principal p, const char *realm, const char *service)
 {
-#ifdef HAVE_KRB5
        /* Must have two components */
        if (p->length != 2)
                return 0;
+
        if ((strlen(realm) == p->realm.length)
            && (strncmp(realm, p->realm.data, p->realm.length) == 0)
            && (strlen(service) == p->data[0].length)
            && (strncmp(service, p->data[0].data, p->data[0].length) == 0))
                return 1;
+
+       return 0;
+}
 #else
+static int
+realm_and_service_match(krb5_context context, krb5_principal p,
+                       const char *realm, const char *service)
+{
        const char *name, *inst;
 
        if (p->name.name_string.len != 2)
                return 0;
+
        name = krb5_principal_get_comp_string(context, p, 0);
        inst = krb5_principal_get_comp_string(context, p, 1);
        if (name == NULL || inst == NULL)
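Review bot: Splitting `realm_and_service_match` into two definitions with different parameter lists forces an `#ifdef HAVE_KRB5` into the caller in gssd_search_krb5_keytab (the -753,8 hunk further down, which also needs the new `status` local). Keeping the single four-argument signature and marking the parameter as deliberately unused in the HAVE_KRB5 branch, e.g. `(void)context;`, would presumably silence the same unused-parameter warning while leaving the call site unconditional. The second variant's body continues past the end of this hunk.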
@@ -686,9 +646,10 @@ realm_and_service_match(krb5_context context, krb5_principal p,
        if ((strcmp(realm, p->realm) == 0)
            && (strcmp(service, name) == 0))
                return 1;
-#endif
+
        return 0;
 }
+#endif
 
 /*
  * Search the given keytab file looking for an entry with the given
@@ -710,7 +671,7 @@ gssd_search_krb5_keytab(krb5_context context, krb5_keytab kt,
        krb5_kt_cursor cursor;
        krb5_error_code code;
        struct gssd_k5_kt_princ *ple;
-       int retval = -1;
+       int retval = -1, status;
        char kt_name[BUFSIZ];
        char *pname;
        char *k5err = NULL;
@@ -753,8 +714,12 @@ gssd_search_krb5_keytab(krb5_context context, krb5_keytab kt,
                printerr(4, "Processing keytab entry for principal '%s'\n",
                         pname);
                /* Use the first matching keytab entry found */
-               if ((realm_and_service_match(context, kte->principal, realm,
-                                            service))) {
+#ifdef HAVE_KRB5
+               status = realm_and_service_match(kte->principal, realm, service);
+#else
+               status = realm_and_service_match(context, kte->principal, realm, service);
+#endif
+               if (status) {
                        printerr(4, "We WILL use this entry (%s)\n", pname);
                        ple = get_ple_by_princ(context, kte->principal);
                        /*
@@ -1304,3 +1269,68 @@ gssd_k5_get_default_realm(char **def_realm)
 
        krb5_free_context(context);
 }
+
+#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
+/*
+ * this routine obtains a credentials handle via gss_acquire_cred()
+ * then calls gss_krb5_set_allowable_enctypes() to limit the encryption
+ * types negotiated.
+ *
+ * XXX Should call some function to determine the enctypes supported
+ * by the kernel. (Only need to do that once!)
+ *
+ * Returns:
+ *     0 => all went well
+ *     -1 => there was an error
+ */
+
+int
+limit_krb5_enctypes(struct rpc_gss_sec *sec)
+{
+       u_int maj_stat, min_stat;
+       gss_cred_id_t credh;
+       gss_OID_set_desc  desired_mechs;
+       krb5_enctype enctypes[] = { ENCTYPE_DES_CBC_CRC,
+                                   ENCTYPE_DES_CBC_MD5,
+                                   ENCTYPE_DES_CBC_MD4 };
+       int num_enctypes = sizeof(enctypes) / sizeof(enctypes[0]);
+       extern int num_krb5_enctypes;
+       extern krb5_enctype *krb5_enctypes;
+
+       /* We only care about getting a krb5 cred */
+       desired_mechs.count = 1;
+       desired_mechs.elements = &krb5oid;
+
+       maj_stat = gss_acquire_cred(&min_stat, NULL, 0,
+                                   &desired_mechs, GSS_C_INITIATE,
+                                   &credh, NULL, NULL);
+
+       if (maj_stat != GSS_S_COMPLETE) {
+               if (get_verbosity() > 0)
+                       pgsserr("gss_acquire_cred",
+                               maj_stat, min_stat, &krb5oid);
+               return -1;
+       }
+
+       /*
+        * If we failed for any reason to produce global
+        * list of supported enctypes, use local default here.
+        */
+       if (krb5_enctypes == NULL)
+               maj_stat = gss_set_allowable_enctypes(&min_stat, credh,
+                                       &krb5oid, num_enctypes, enctypes);
+       else
+               maj_stat = gss_set_allowable_enctypes(&min_stat, credh,
+                                       &krb5oid, num_krb5_enctypes, krb5_enctypes);
+
+       if (maj_stat != GSS_S_COMPLETE) {
+               pgsserr("gss_set_allowable_enctypes",
+                       maj_stat, min_stat, &krb5oid);
+               gss_release_cred(&min_stat, &credh);
+               return -1;
+       }
+       sec->cred = credh;
+
+       return 0;
+}
+#endif /* HAVE_SET_ALLOWABLE_ENCTYPES */
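Review bot: The fallback branch under `if (krb5_enctypes == NULL)` limits the credential to the three single-DES enctypes in the local `enctypes[]` array without logging anything, so a host that failed to build the global list is silently restricted to DES. A line in that branch such as `printerr(1, "WARNING: no supported enctype list, limiting to default DES enctypes\n");` would make the downgrade visible to an operator. The `extern int num_krb5_enctypes;` and `extern krb5_enctype *krb5_enctypes;` declarations would also be better placed in a shared header than inside the function, so the compiler can check them against the definition. The non-NULL branch passes `num_krb5_enctypes` through unchecked, which is worth confirming where the list is built (not visible here).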