IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Only warn if ipa-getkeytab doesn't get all requested enctypes.

Browse Source 
Older client machines may request DES keys not supported in newer
KDCs. Thsi was causing the entire request to fail as well as client
enrollment.

https://fedorahosted.org/freeipa/ticket/2424
This commit is contained in:
Rob Crittenden 2012-02-23 21:56:07 -05:00
parent 55f89dc689
commit 10478ac8a1
1 changed files with 32 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
ipa-client/ipa-getkeytab.c
View File

@ -548,6 +548,7 @@ static int ldap_set_keytab(krb5_context krbctx,
int kvno, i; int kvno, i;
ber_tag_t rtag; ber_tag_t rtag;
ber_int_t *encs = NULL; ber_int_t *encs = NULL;
int successful_keys = 0;
/* cant' return more than nkeys, sometimes less */ /* cant' return more than nkeys, sometimes less */
encs = calloc(keys->nkeys + 1, sizeof(ber_int_t)); encs = calloc(keys->nkeys + 1, sizeof(ber_int_t));
@ -587,12 +588,14 @@ static int ldap_set_keytab(krb5_context krbctx,
goto error_out; goto error_out;
} }
#ifdef LDAP_OPT_X_SASL_NOCANON
/* Don't do DNS canonicalization */ /* Don't do DNS canonicalization */
ret = ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON); ret = ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
if (ret != LDAP_SUCCESS) { if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_X_SASL_NOCANON\n")); fprintf(stderr, _("Unable to set LDAP_OPT_X_SASL_NOCANON\n"));
goto error_out; goto error_out;
} }
#endif
version = LDAP_VERSION3; version = LDAP_VERSION3;
ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version); ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
@ -620,7 +623,13 @@ static int ldap_set_keytab(krb5_context krbctx,
LDAP_SASL_QUIET, LDAP_SASL_QUIET,
ldap_sasl_interact, princ); ldap_sasl_interact, princ);
if (ret != LDAP_SUCCESS) { if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("SASL Bind failed!\n")); char *msg=NULL;
#ifdef LDAP_OPT_DIAGNOSTIC_MESSAGE
ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE,
(void*)&msg);
#endif
fprintf(stderr, "SASL Bind failed %s (%d) %s!\n",
ldap_err2string(ret), ret, msg ? msg : "");
goto error_out; goto error_out;
} }
} }
@ -705,16 +714,34 @@ static int ldap_set_keytab(krb5_context krbctx,
rtag = ber_scanf(sctrl, "{i{", &kvno); rtag = ber_scanf(sctrl, "{i{", &kvno);
if (rtag == LBER_ERROR) { if (rtag == LBER_ERROR) {
fprintf(stderr, _("ber_scanf() failed, Invalid control ?!\n")); fprintf(stderr, _("ber_scanf() failed, unable to find kvno ?!\n"));
goto error_out; goto error_out;
} }
for (i = 0; i < keys->nkeys; i++) { for (i = 0; i < keys->nkeys; i++) {
ret = ber_scanf(sctrl, "{i}", &encs[i]); ret = ber_scanf(sctrl, "{i}", &encs[i]);
if (ret == LBER_ERROR) { if (ret == LBER_ERROR) {
fprintf(stderr, _("ber_scanf() failed, Invalid control ?!\n")); char enc[79]; /* fit std terminal or truncate */
goto error_out; krb5_error_code krberr;
} krberr = krb5_enctype_to_string(
keys->ksdata[i].enctype, enc, 79);
if (krberr) {
fprintf(stderr, _("Failed to retrieve "
"encryption type type #%d\n"),
keys->ksdata[i].enctype);
} else {
fprintf(stderr, _("Failed to retrieve "
"encryption type %s (#%d)\n"),
enc, keys->ksdata[i].enctype);
}
} else {
successful_keys++;
}
}
if (successful_keys == 0) {
fprintf(stderr, _("Failed to retrieve any keys"));
goto error_out;
} }
ret = filter_keys(krbctx, keys, encs); ret = filter_keys(krbctx, keys, encs);