When "use kerberos keytab = yes" is set in smb.conf with samba-3.2.8, and
the environment variable KRB5_KTNAME is not set to a value using the
prefix "FILE:", or the default_keytab in /etc/krb5.conf is set without
the prefix, i.e.
    default_keytab_name = /etc/v5srvtab
then the function smb_krb5_open_keytab() returns KRB5_KT_UNKNOWN_TYPE.
If smb_krb5_open_keytab() is called with the filename "/etc/v5srvtab" it works
fine; however, if the "default" keytab is used, the expectation is that it
must have a prefix "FILE:" or "WRFILE:".
Is this the correct logic?   It appears that the loop
while (next_token_talloc(mem_ctx, &tmp, &kt_str, ",")) {
Should have the test
    if (tmp[0] == '/')
       found_valid_name = True;
Glenn
kerberos_keytab.c
ads_keytab_add_entry()
ret = smb_krb5_open_keytab(context, NULL, True, &keytab);
        if (ret) {
                DEBUG(1,("ads_keytab_add_entry: smb_krb5_open_keytab 
failed (%s)\n", error_message(ret)));
                goto out;
        }
libsmb/clikrb5.c
smb_krb5_open_keytab(krb5_context context,
                                      const char *keytab_name_req,
                                      bool write_access,
                                      krb5_keytab *keytab)
)
    
       /* we need to handle more complex keytab_strings, like:
         * "ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab" */
        ret = krb5_kt_default_name(context, &keytab_string[0], 
MAX_KEYTAB_NAME_LEN - 2);
        if (ret) {
                goto out;
        }
        DEBUG(10,("smb_krb5_open_keytab: krb5_kt_default_name returned 
%s\n", keytab_string));
        tmp = talloc_strdup(mem_ctx, keytab_string);
        if (!tmp) {
                ret = ENOMEM;
                goto out;
        }
        if (strncmp(tmp, "ANY:", 4) == 0) {
                tmp += 4;
        }
        memset(&keytab_string, '\0', sizeof(keytab_string));
        while (next_token_talloc(mem_ctx, &tmp, &kt_str, ","))
{
                if (strncmp(kt_str, "WRFILE:", 7) == 0) {
                        found_valid_name = True;
                        tmp = kt_str;
                        tmp += 7;
                }
                if (strncmp(kt_str, "FILE:", 5) == 0) {
                        found_valid_name = True;
                        tmp = kt_str;
                        tmp += 5;
                }
                if (found_valid_name) {
                        if (tmp[0] != '/') {
                                ret = KRB5_KT_BADNAME;
                                goto out;
                       }
                        tmp = talloc_asprintf(mem_ctx, "%s:%s",
pragma,
tmp);
                        if (!tmp) {
                                ret = ENOMEM;
                                goto out;
                        }
                        break;
                }
        }
        if (!found_valid_name) {
                ret = KRB5_KT_UNKNOWN_TYPE;
                goto out;
        }
On Mon, Feb 16, 2009 at 08:33:47AM -0700, Glenn Machin wrote:> > When "use kerberos keytab = yes" in smb.conf is set with samba-3.2.8 and > the environment variable KRB5_KTNAME is not set with the value using > prefix "FILE:" or the default_keytab in /etc/krb5.conf is set without > the prefix i.e. > default_keytab_name = /etc/v5srvtab > > then the function smb_krb5_open_keytab() returns KRB5_KT_UNKNOWN_TYPE. > > If smb_krb5_open_keytab with a filename "/etc/v5srvtab" it would work > fine, however if the "default" keytab is used the expectation is that it > must have a prefix "FILE:" or "WRFILE:". > > Is this the correct logic? It appears that the loop > while (next_token_talloc(mem_ctx, &tmp, &kt_str, ",")) { > > Should have the test > > if (tmp[0] == '/') > found_valid_name = True;Looks correct to me. Here is the patch I'll add. Thanks, Jeremy. -------------- next part --------------
diff --git a/source/libsmb/clikrb5.c b/source/libsmb/clikrb5.c
index 66dd5f6..9fd4914 100644
--- a/source/libsmb/clikrb5.c
+++ b/source/libsmb/clikrb5.c
@@ -1749,6 +1749,11 @@ done:
 tmp += 5;
 }
+ if (tmp[0] == '/') {
+ /* Treat as a FILE: keytab definition. */
+ found_valid_name = true;
+ }
+
 if (found_valid_name) {
 if (tmp[0] != '/') {
 ret = KRB5_KT_BADNAME;
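Review bot: The added check reads `tmp[0]`, but when neither prefix branch has run `tmp` is still the cursor passed by address to `next_token_talloc()`, while the token under test is `kt_str` (per the loop quoted earlier in the thread). If that helper advances the cursor past the token it returns, which is not visible here, a lone `/etc/v5srvtab` would leave `tmp` at the end of the string and the check would not match, and in a comma-separated list it would test and then format the rest of the list instead of the current entry. Testing the token itself avoids depending on that: `if (kt_str[0] == '/') { found_valid_name = true; tmp = kt_str; }`. The loop and the rest of smb_krb5_open_keytab() lie outside the hunk, so this should be confirmed against the full function.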