| author | Jon Robertson <jonrober@stanford.edu> | 2009-12-16 20:19:16 -0800 | 
|---|---|---|
| committer | Jon Robertson <jonrober@stanford.edu> | 2009-12-16 20:19:16 -0800 | 
| commit | 362ee72bcf4a1aea83c17c24ab7bd4f4936b479d (patch) | |
| tree | 2d82de32001d09c380d17b55e1927e6084512232 /perl/Wallet | |
| parent | 2c4bd7c22d5c530e74421c2e353e0356920ccb9a (diff) | |
Improvements for keytab existance checks and keytab creation
* Fixed keytab existence check to avoid failures when called by a principal
  with permissions only on specific principals.
* Better error cases for non-existent keytabs in several places.
* Skipped limiting keytabs to certain enctypes when no enctypes are given.
Diffstat (limited to 'perl/Wallet')
| -rw-r--r-- | perl/Wallet/Kadmin/Heimdal.pm | 46 | 
1 files changed, 30 insertions, 16 deletions
diff --git a/perl/Wallet/Kadmin/Heimdal.pm b/perl/Wallet/Kadmin/Heimdal.pm
index 06564d2..a9c83a2 100644
--- a/perl/Wallet/Kadmin/Heimdal.pm
+++ b/perl/Wallet/Kadmin/Heimdal.pm
@@ -62,7 +62,7 @@ sub kadmin_client {
 ##############################################################################
 # Check whether a given principal already exists in Kerberos.  Returns true if
-# so, false otherwise.  Throws an exception if kadmin fails.
+# so, false otherwise.  Throws an exception if an error.
 sub exists {
     my ($self, $principal) = @_;
     return unless $self->valid_principal ($principal);
@@ -70,11 +70,15 @@ sub exists {
         $principal .= '@' . $Wallet::Config::KEYTAB_REALM;
     }
     my $kadmin = $self->{client};
-    my @names = $kadmin->getPrincipals ($principal);
-    if (@names) {
-        return 1;
+    my $princdata = eval { $kadmin->getPrincipal ($principal) };
+
+    if ($@) {
+	die $@;
+	return 0;
+    } elsif ($princdata) { 
+	return 1;
     } else {
-        return 0;
+	return 0;
     }
 }
@@ -86,10 +90,13 @@ sub addprinc {
     unless ($self->valid_principal ($principal)) {
         die "invalid principal name $principal\n";
     }
-    return 1 if $self->exists ($principal);
+
+    my $exists = eval { $self->exists ($principal) };
     if ($Wallet::Config::KEYTAB_REALM) {
         $principal .= '@' . $Wallet::Config::KEYTAB_REALM;
     }
+    die "error adding principal $principal: $@" if $@;
+    return 1 if $exists;
     # The way Heimdal::Kadm5 works, we create a principal object, create the
     # actual principal set inactive, then randomize it and activate it.
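Review bot: The rewritten header comment for exists, `# so, false otherwise.  Throws an exception if an error.`, is ungrammatical and says less than the line it replaces. Since the new body rethrows whatever the getPrincipal call raises, state that directly: `# so, false otherwise.  Throws an exception if the kadmin lookup fails.`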
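Review bot: In the new body of exists, the `return 0;` placed right after `die $@;` can never run and should be dropped, leaving `if ($@) { die $@; }`. Note also that exists now propagates kadmin errors instead of returning false: a caller whose ACL lacks the `get` right on the queried principal will see an exception where the old getPrincipals path returned an empty list, so any caller outside this diff that still treats exists as a plain boolean needs its own eval, as addprinc now has. The `elsif ($princdata)` branch assumes Heimdal::Kadm5 returns undef rather than dying for a missing principal, which is not visible here; a one-line comment recording that assumption, `# getPrincipal returns undef for an unknown principal and dies on other errors`, would help the next reader. The added lines are tab-indented while the surrounding file uses spaces.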
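Review bot: In addprinc, the `die "error adding principal $principal: $@" if $@;` that reports a failed exists call is two statements away from the eval that set `$@`; this works today only because nothing in between runs an eval, and it reads like a bug. If the realm is appended first on purpose so that the message names the fully qualified principal, say so with `# Append the realm before checking $@ so the error names the full principal.`; otherwise move the die to directly follow the eval. The exists check and the principal creation further down (outside this hunk) are separate kadmin calls, so a principal created between them is still only caught by the create call's own error handling.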
@@ -131,21 +138,28 @@ sub ktadd {
     my $kadmin = $self->{client};
     my $princdata = eval { $kadmin->getPrincipal ($principal) };
+    if ($@) {
+	die "error creating keytab for $principal: $@";
+    } elsif (!$princdata) {
+	die "error creating keytab for $principal: principal does not exist";
+    }
     # Remove enctypes we don't want in this keytab.  Must find all current
     # keytypes, then remove those that do not match.
-    my (%wanted);
-    my $alltypes = $princdata->getKeytypes ();
-    foreach (@enctypes) { $wanted{$_} = 1 }
-    foreach my $key (@{$alltypes}) {
-	my $keytype = ${$key}[0];
-	next if exists $wanted{$keytype};
-	eval { $princdata->delKeytypes ($keytype) };
-	die "error removing keytype $keytype from the keytab: $@" if $@;
+    if (@enctypes) {
+	my (%wanted);
+	my $alltypes = $princdata->getKeytypes ();
+	foreach (@enctypes) { $wanted{$_} = 1 }
+	foreach my $key (@{$alltypes}) {
+	    my $keytype = ${$key}[0];
+	    next if exists $wanted{$keytype};
+	    eval { $princdata->delKeytypes ($keytype) };
+	    die "error removing keytype $keytype from the keytab: $@" if $@;
+	}
+	eval { $kadmin->modifyPrincipal ($princdata) };
     }
-    eval { $kadmin->modifyPrincipal ($princdata) };
-    my $retval = eval { $kadmin->extractKeytab ($princdata, $file) };
+    eval { $kadmin->extractKeytab ($princdata, $file) };
     die "error creating keytab for principal: $@" if $@;
     return 1;
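Review bot: The result of `eval { $kadmin->modifyPrincipal ($princdata) };` inside the new `if (@enctypes)` block is never checked, and the `$@` it sets is cleared by the following `eval { $kadmin->extractKeytab ... }`, so a failure to persist the enctype restriction is silently swallowed and the keytab is extracted anyway — whether that keytab then carries the unwanted key types depends on Heimdal::Kadm5 internals not visible here, but the caller has asked for a restricted keytab and gets no error. Add `die "error removing keytypes from $principal: $@" if $@;` immediately after that eval. The final `die "error creating keytab for principal: $@" if $@;` also omits the principal name that the two new die messages above it include; `die "error creating keytab for $principal: $@" if $@;` keeps them consistent. The head of ktadd, where `@enctypes` and `$file` are unpacked, and its closing brace lie outside this hunk.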
