1
From c73ceb48ffc518e171d1d40b82ae2b5f603fe038 Mon Sep 17 00:00:00 2001
2
From: Andrew Tridgell <tridge@samba.org>
3
Date: Wed, 17 Feb 2010 15:27:44 +1100
4
Subject: [PATCH 4/5] If tkey-gssapi initialisation fails, then heck for the most common
5
configuration errors so that the admin doesn't spend all day trying to
6
work out why the config is broken.
9
lib/dns/gssapictx.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
10
1 files changed, 48 insertions(+), 0 deletions(-)
12
diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c
13
index 11eadb9..879393c 100644
14
--- a/lib/dns/gssapictx.c
15
+++ b/lib/dns/gssapictx.c
17
* we include SPNEGO's OID.
20
+#include <krb5/krb5.h>
22
static unsigned char krb5_mech_oid_bytes[] = {
23
0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
24
@@ -191,6 +192,50 @@ log_cred(const gss_cred_id_t cred) {
30
+ * check for the most common configuration errors.
32
+ * The errors checked for are:
33
+ * - tkey-gssapi-credential doesn't start with DNS/
34
+ * - the default realm in /etc/krb5.conf and the
35
+ * tkey-gssapi-credential bind config option don't match
37
+static void dst_gssapi_check_config(const char *gss_name)
40
+ krb5_context krb5_ctx;
41
+ char *krb5_realm = NULL;
43
+ if (strncasecmp(gss_name, "DNS/", 4) != 0) {
44
+ gss_log(ISC_LOG_ERROR, "tkey-gssapi-credential (%s) should start with 'DNS/'");
48
+ if (krb5_init_context(&krb5_ctx) != 0) {
49
+ gss_log(ISC_LOG_ERROR, "Unable to initialise krb5 context");
52
+ if (krb5_get_default_realm(krb5_ctx, &krb5_realm) != 0) {
53
+ gss_log(ISC_LOG_ERROR, "Unable to get krb5 default realm");
54
+ krb5_free_context(krb5_ctx);
57
+ if (!(p = strchr(gss_name, '/'))) {
58
+ gss_log(ISC_LOG_ERROR, "badly formatted tkey-gssapi-credentials (%s)", gss_name);
59
+ krb5_free_context(krb5_ctx);
62
+ if (strcasecmp(p+1, krb5_realm) != 0) {
63
+ gss_log(ISC_LOG_ERROR,"default realm from krb5.conf (%s) does not match tkey-gssapi-credential (%s)",
64
+ krb5_realm, gss_name);
65
+ krb5_free_context(krb5_ctx);
68
+ krb5_free_context(krb5_ctx);
73
dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
75
@@ -223,6 +268,8 @@ dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
76
gret = gss_import_name(&minor, &gnamebuf,
77
GSS_C_NO_OID, &gname);
78
if (gret != GSS_S_COMPLETE) {
79
+ dst_gssapi_check_config((char *)array);
81
gss_log(3, "failed gss_import_name: %s",
82
gss_error_tostring(gret, minor, buf,
84
@@ -254,6 +301,7 @@ dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
85
initiate ? "initiate" : "accept",
86
(char *)gnamebuf.value,
87
gss_error_tostring(gret, minor, buf, sizeof(buf)));
88
+ dst_gssapi_check_config((char *)array);
89
return (ISC_R_FAILURE);