On 10/01/2015 01:31 PM, Scott Mayhew wrote:
> find_keytab_entry() first looks for an entry of the form
> <HOSTNAME>$@<DOMAIN>, which corresponds to the Active Directory machine
> account. It assumes that <HOSTNAME> will be in uppercase because that's
> how the entry is created if the machine is joined to the domain using
> Samba.
>
> But that's not necessarily the case if the another identity management
> solution is used... for example a keytab entry for a machine account
> created by Centrify will match the actual computer account in Active
> Directory, whether that be in upper case, lower case, or mixed case.
>
> So first look for an entry that matches the unmodified hostname and then
> convert it to uppercase and try again only if that failed.
>
> Signed-off-by: Scott Mayhew <smayhew@xxxxxxxxxx>
Committed... steved.
> ---
> utils/gssd/krb5_util.c | 16 ++++++++++++++--
> 1 file changed, 14 insertions(+), 2 deletions(-)
>
> diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
> index ecf17a2..f48de2c 100644
> --- a/utils/gssd/krb5_util.c
> +++ b/utils/gssd/krb5_util.c
> @@ -801,7 +801,7 @@ find_keytab_entry(krb5_context context, krb5_keytab kt, const char *tgtname,
> char *default_realm = NULL;
> char *realm;
> char *k5err = NULL;
> - int tried_all = 0, tried_default = 0;
> + int tried_all = 0, tried_default = 0, tried_upper = 0;
> krb5_principal princ;
> const char *notsetstr = "not set";
> char *adhostoverride;
> @@ -835,7 +835,6 @@ find_keytab_entry(krb5_context context, krb5_keytab kt, const char *tgtname,
> strcpy(myhostad, myhostname);
> for (i = 0; myhostad[i] != 0; ++i) {
> if (myhostad[i] == '.') break;
> - myhostad[i] = toupper(myhostad[i]);
> }
> myhostad[i] = '$';
> myhostad[i+1] = 0;
> @@ -936,6 +935,19 @@ find_keytab_entry(krb5_context context, krb5_keytab kt, const char *tgtname,
> k5err = gssd_k5_err_msg(context, code);
> printerr(3, "%s while getting keytab entry for '%s'\n",
> k5err, spn);
> + /*
> + * We tried the active directory machine account
> + * with the hostname part as-is and failed...
> + * convert it to uppercase and try again before
> + * moving on to the svcname
> + */
> + if (strcmp(svcnames[j],"$") == 0 && !tried_upper) {
> + for (i = 0; myhostad[i] != '$'; ++i) {
> + myhostad[i] = toupper(myhostad[i]);
> + }
> + j--;
> + tried_upper = 1;
> + }
> } else {
> printerr(3, "Success getting keytab entry for '%s'\n",spn);
> retval = 0;
> -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
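Review bot: The retry loop added in this hunk, `for (i = 0; myhostad[i] != '$'; ++i)`, stops only at a `$` and never checks for the terminating NUL, so it is safe only while every path that fills `myhostad` appends `$`. The code in the second hunk does append it, but the `adhostoverride` declaration in the first hunk suggests another way of setting the name that is not visible here; if that path can leave `myhostad` without a `$`, the loop reads and writes past the end of the buffer in a daemon that handles Kerberos credentials. Bounding the loop costs nothing: `for (i = 0; myhostad[i] != '$' && myhostad[i] != '\0'; ++i)`. The `toupper()` argument should also be cast, `myhostad[i] = toupper((unsigned char)myhostad[i]);`, because passing a negative `char` is undefined behaviour. The enclosing function and the `svcnames` loop that `j--` steps back start and end outside the hunk.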