X-Git-Url: https://git.decadent.org.uk/gitweb/?p=nfs-utils.git;a=blobdiff_plain;f=utils%2Fgssd%2Fkrb5_util.c;h=f071600de4adbfb0667b6cf81f02c892ca9884aa;hp=1c10bd4d3ef414aecb21f4444e24f9e706b01e44;hb=f4321ac3466aa9d4c4e11ba232f1ff9bea561288;hpb=48d13033dcb27eb3d9ea78c39692ff7c54095950
diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index 1c10bd4..f071600 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -224,6 +224,13 @@ gssd_find_existing_krb5_ccache(uid_t uid, char *dirname, struct dirent **d)
 			free(namelist[i]);
 			continue;
 		}
+		if (uid == 0 && !root_uses_machine_creds &&
+		    strstr(namelist[i]->d_name, "_machine_")) {
+			printerr(3, "CC file '%s' not available to root\n",
+				statname);
+			free(namelist[i]);
+			continue;
+		}
 		if (!query_krb5_ccache(buf, &princname, &realm)) {
 			printerr(3, "CC file '%s' is expired or corrupt\n",
 				statname);
@@ -606,24 +613,32 @@ out:
  * and has *any* instance (hostname), return 1.
  * Otherwise return 0, indicating no match.
  */
+#ifdef HAVE_KRB5
 static int
-realm_and_service_match(krb5_context context, krb5_principal p,
-		const char *realm, const char *service)
+realm_and_service_match(krb5_principal p, const char *realm, const char *service)
 {
-#ifdef HAVE_KRB5
 	/* Must have two components */
 	if (p->length != 2)
 		return 0;
+
 	if ((strlen(realm) == p->realm.length)
 	    && (strncmp(realm, p->realm.data, p->realm.length) == 0)
 	    && (strlen(service) == p->data[0].length)
 	    && (strncmp(service, p->data[0].data, p->data[0].length) == 0))
 		return 1;
+
+	return 0;
+}
 #else
+static int
+realm_and_service_match(krb5_context context, krb5_principal p,
+		const char *realm, const char *service)
+{
 	const char *name, *inst;
 
 	if (p->name.name_string.len != 2)
 		return 0;
+
 	name = krb5_principal_get_comp_string(context, p, 0);
 	inst = krb5_principal_get_comp_string(context, p, 1);
 	if (name == NULL || inst == NULL)
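Review bot: The root exclusion on the added lines is a substring test on the directory entry name, `strstr(namelist[i]->d_name, "_machine_")`, so whether a cache counts as a machine cache is decided by naming convention rather than by the principal inside it, which query_krb5_ccache only resolves afterwards. That is presumably deliberate to avoid opening every cache, but a one-line comment would keep a later reader from mistaking it for a principal check: `/* Machine-credential caches are recognised by name only; root may not pick one up via this lookup when root_uses_machine_creds is off. */`. gssd_find_existing_krb5_ccache begins and ends outside the hunk, and root_uses_machine_creds is declared elsewhere.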
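Review bot: Dropping `context` only from the HAVE_KRB5 variant of realm_and_service_match leaves the two conditional definitions with different signatures, which is what forces the `#ifdef HAVE_KRB5` / `#else` pair around the call in the @@ -698 hunk and will force it at every future call site. Keeping a single signature and silencing the unused parameter inside the MIT body, `(void)context;`, would let the @@ -698 hunk remain one line, `if (realm_and_service_match(context, kte->principal, realm, service)) {`, and keep the two implementations interchangeable. If the motivation was an unused-parameter warning, that alternative removes it just as well. The Heimdal definition started here continues past the hunk into @@ -631.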
@@ -631,9 +646,10 @@ realm_and_service_match(krb5_context context, krb5_principal p,
 	if ((strcmp(realm, p->realm) == 0)
 	    && (strcmp(service, name) == 0))
 		return 1;
-#endif
+
 	return 0;
 }
+#endif
 
 /*
  * Search the given keytab file looking for an entry with the given
@@ -655,7 +671,7 @@ gssd_search_krb5_keytab(krb5_context context, krb5_keytab kt,
 	krb5_kt_cursor cursor;
 	krb5_error_code code;
 	struct gssd_k5_kt_princ *ple;
-	int retval = -1;
+	int retval = -1, status;
 	char kt_name[BUFSIZ];
 	char *pname;
 	char *k5err = NULL;
@@ -698,8 +714,12 @@ gssd_search_krb5_keytab(krb5_context context, krb5_keytab kt,
 		printerr(4, "Processing keytab entry for principal '%s'\n",
 			 pname);
 		/* Use the first matching keytab entry found */
-		if ((realm_and_service_match(context, kte->principal, realm,
-				service))) {
+#ifdef HAVE_KRB5
+		status = realm_and_service_match(kte->principal, realm, service);
+#else
+		status = realm_and_service_match(context, kte->principal, realm, service);
+#endif
+		if (status) {
 			printerr(4, "We WILL use this entry (%s)\n", pname);
 			ple = get_ple_by_princ(context, kte->principal);
 			/*
@@ -1265,7 +1285,7 @@ gssd_k5_get_default_realm(char **def_realm)
  */
 int
-limit_krb5_enctypes(struct rpc_gss_sec *sec, uid_t uid)
+limit_krb5_enctypes(struct rpc_gss_sec *sec)
 {
 	u_int maj_stat, min_stat;
 	gss_cred_id_t credh;
@@ -1274,6 +1294,8 @@ limit_krb5_enctypes(struct rpc_gss_sec *sec, uid_t uid)
 				ENCTYPE_DES_CBC_MD5,
 				ENCTYPE_DES_CBC_MD4 };
 	int num_enctypes = sizeof(enctypes) / sizeof(enctypes[0]);
+	extern int num_krb5_enctypes;
+	extern krb5_enctype *krb5_enctypes;
 
 	/* We only care about getting a krb5 cred */
 	desired_mechs.count = 1;
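Review bot: The two `extern` declarations added inside limit_krb5_enctypes in the @@ -1274 hunk are block-scope externs, so the compiler never checks them against the real definitions of num_krb5_enctypes and krb5_enctypes, and a type mismatch with the defining file would only surface at link or run time. Declaring them once at file scope, or in a header that the defining translation unit also includes, gives that check for free: `extern int num_krb5_enctypes;` and `extern krb5_enctype *krb5_enctypes;` alongside the other shared declarations. The definitions are not in this diff, so I am assuming they live in another gssd source file.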
@@ -1290,8 +1312,17 @@ limit_krb5_enctypes(struct rpc_gss_sec *sec, uid_t uid)
 		return -1;
 	}
 
-	maj_stat = gss_set_allowable_enctypes(&min_stat, credh, &krb5oid,
-				num_enctypes, &enctypes);
+	/*
+	 * If we failed for any reason to produce global
+	 * list of supported enctypes, use local default here.
+	 */
+	if (krb5_enctypes == NULL)
+		maj_stat = gss_set_allowable_enctypes(&min_stat, credh,
+				&krb5oid, num_enctypes, enctypes);
+	else
+		maj_stat = gss_set_allowable_enctypes(&min_stat, credh,
+				&krb5oid, num_krb5_enctypes, krb5_enctypes);
+
 	if (maj_stat != GSS_S_COMPLETE) {
 		pgsserr("gss_set_allowable_enctypes", maj_stat, min_stat,
 			&krb5oid);
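Review bot: When `krb5_enctypes == NULL` the new branch silently restricts the credential to the local fallback list, whose entries visible in the @@ -1274 hunk are single-DES types (ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_MD4), so a failure to build the global list degrades the negotiation to legacy enctypes with no trace in the log. A diagnostic on that path would let an operator notice the downgrade, e.g. `printerr(1, "Falling back to built-in DES enctype list\n");` immediately before the first gss_set_allowable_enctypes call. The check also does not cover a non-NULL `krb5_enctypes` with `num_krb5_enctypes == 0`; whether that combination can arise depends on the code that builds the global list, which is outside this diff. limit_krb5_enctypes begins outside the hunk.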