-rw-r--r-- | Makefile.am | 3 | ||||
-rw-r--r-- | NEWS | 6 | ||||
-rw-r--r-- | client/keytab.c | 43 | ||||
-rw-r--r-- | tests/client/basic-t.in | 28 | ||||
-rwxr-xr-x | tests/data/cmd-fake | 13 | ||||
-rw-r--r-- | tests/data/fake-keytab-old | bin | 0 -> 334 bytes |
6 files changed, 62 insertions, 31 deletions
diff --git a/Makefile.am b/Makefile.am
index ed66448..7e5a5ba 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -26,7 +26,8 @@ EXTRA_DIST = LICENSE autogen client/wallet.pod config/allow-extract \
tests/data/allow-extract tests/data/cmd-fake tests/data/fake-data \
tests/data/fake-kadmin tests/data/fake-keytab \
tests/data/fake-keytab-2 tests/data/fake-keytab-merge \
- tests/data/fake-srvtab tests/data/wallet.conf tests/libtest.sh
+ tests/data/fake-keytab-old tests/data/fake-srvtab \
+ tests/data/wallet.conf tests/libtest.sh
noinst_LIBRARIES = portable/libportable.a util/libutil.a
portable_libportable_a_SOURCES = portable/dummy.c
@@ -2,6 +2,12 @@ wallet 0.7 (unreleased)
+ When creating a srvtab based on a just-downloaded keytab, extract the
+ srvtab key before merging the keytab into an existing file.
+ Otherwise, if the new keys had a lower kvno than the old keys
+ (possible after deleting and recreating the object), the wrong key
+ would be extracted for the srvtab.
+
keytab-backend now passes kadmin.local ktadd its options in a specific order to satisfy the picky option parser.
diff --git a/client/keytab.c b/client/keytab.c
index a3e35ed..872cd48 100644
--- a/client/keytab.c
+++ b/client/keytab.c
@@ -24,41 +24,35 @@
** duplicate kvnos correctly. Dies on any error.
*/
static void
-merge_keytab(krb5_context ctx, const char *name, const char *data,
- size_t length)
+merge_keytab(krb5_context ctx, const char *newfile, const char *file)
{
- char *tempfile, *oldfile;
+ char *oldfile;
krb5_keytab old = NULL, temp = NULL;
krb5_kt_cursor cursor;
krb5_keytab_entry entry;
krb5_error_code status;
- tempfile = concat(name, ".new", (char *) 0);
- oldfile = concat("WRFILE:", name, (char *) 0);
- overwrite_file(tempfile, data, length);
memset(&entry, 0, sizeof(entry));
+ oldfile = concat("WRFILE:", file, (char *) 0);
status = krb5_kt_resolve(ctx, oldfile, &old);
if (status != 0)
- die_krb5(ctx, status, "cannot open keytab %s", name);
+ die_krb5(ctx, status, "cannot open keytab %s", file);
free(oldfile);
- status = krb5_kt_resolve(ctx, tempfile, &temp);
+ status = krb5_kt_resolve(ctx, newfile, &temp);
if (status != 0)
- die_krb5(ctx, status, "cannot open temporary keytab %s", tempfile);
+ die_krb5(ctx, status, "cannot open temporary keytab %s", newfile);
status = krb5_kt_start_seq_get(ctx, temp, &cursor);
if (status != 0)
- die_krb5(ctx, status, "cannot read temporary keytab %s", tempfile);
+ die_krb5(ctx, status, "cannot read temporary keytab %s", newfile);
while ((status = krb5_kt_next_entry(ctx, temp, &entry, &cursor)) == 0) {
status = krb5_kt_add_entry(ctx, old, &entry);
if (status != 0)
- die_krb5(ctx, status, "cannot write to keytab %s", name);
+ die_krb5(ctx, status, "cannot write to keytab %s", file);
krb5_free_keytab_entry_contents(ctx, &entry);
}
if (status != KRB5_KT_END)
- die_krb5(ctx, status, "error reading temporary keytab %s", tempfile);
+ die_krb5(ctx, status, "error reading temporary keytab %s", newfile);
krb5_kt_end_seq_get(ctx, temp, &cursor);
- if (unlink(tempfile) < 0)
- sysdie("unlink of temporary keytab file %s failed", tempfile);
- free(tempfile);
if (old != NULL)
krb5_kt_close(ctx, old);
if (temp != NULL)
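Review bot: merge_keytab's contract changed — it no longer removes the temporary keytab — but the header comment (which starts before this hunk) still only says it merges and dies on error; add a line there such as `**  newfile is opened read-only and left in place; the caller owns it and` / `**  must remove it once the merge has succeeded.` It is also worth stating in that comment that `newfile` is resolved with no type prefix while `file` gets `WRFILE:`, so a reader does not later pass a prefixed name expecting it to be written. The return value of `krb5_kt_end_seq_get` is ignored, as it was before. The closing lines of the function lie outside the hunk.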
@@ -109,6 +103,7 @@ get_keytab(struct remctl *r, krb5_context ctx, const char *type,
const char *name, const char *file, const char *srvtab)
{
const char *command[5];
+ char *tempfile;
char *data = NULL;
size_t length = 0;
int status;
@@ -128,11 +123,19 @@ get_keytab(struct remctl *r, krb5_context ctx, const char *type,
warn("no data returned by wallet server");
return 255;
}
- if (access(file, F_OK) == 0)
- merge_keytab(ctx, file, data, length);
- else
+ if (access(file, F_OK) == 0) {
+ tempfile = concat(file, ".new", (char *) 0);
+ overwrite_file(tempfile, data, length);
+ if (srvtab != NULL)
+ write_srvtab(ctx, srvtab, name, tempfile);
+ merge_keytab(ctx, tempfile, file);
+ if (unlink(tempfile) < 0)
+ sysdie("unlink of temporary keytab file %s failed", tempfile);
+ free(tempfile);
+ } else {
write_file(file, data, length);
+ if (srvtab != NULL)
+ write_srvtab(ctx, srvtab, name, file);
+ }
return 0;
}
diff --git a/tests/client/basic-t.in b/tests/client/basic-t.in
index d983786..807d9e9 100644
--- a/tests/client/basic-t.in
+++ b/tests/client/basic-t.in
@@ -12,7 +12,7 @@
. "@abs_top_srcdir@/tests/libtest.sh"
# Print the number of tests.
-total=27
+total=30
count=1
echo "$total"
@@ -82,7 +82,7 @@ rm -f output output.bak keytab keytab.bak srvtab srvtab.bak sync-kaserver
# Now, we can finally run our tests. First, basic operations.
runsuccess "" "$wallet" -k "$principal" -p 14373 -s localhost -c fake-wallet \
- get file -f output fake-test
+ -f output get file fake-test
if cmp output data/fake-data >/dev/null 2>&1 ; then
printcount "ok"
else
@@ -94,7 +94,7 @@ else
printcount "ok"
fi
runsuccess "" "$wallet" -k "$principal" -p 14373 -s localhost -c fake-wallet \
- get file -f output fake-test
+ -f output get file fake-test
if cmp output data/fake-data >/dev/null 2>&1 ; then
printcount "ok"
else
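Review bot: On the new merge path any failure in `write_srvtab`, `merge_keytab` or the `unlink` terminates the process (these helpers die on error) before `tempfile` is removed, so a `<file>.new` holding the freshly downloaded key material is left on disk next to the real keytab; the change widens that window, since the srvtab extraction now also sits between creating and unlinking it. Consider removing `tempfile` on those error paths (for example by registering it for cleanup before the calls that can die), or at least document the ordering above the `if (access(file, F_OK) == 0) {` line: `/* Extract the srvtab from the downloaded keytab before merging so the new kvno is used even when it is lower than the existing one. */`. The `.new` name is predictable and lives in the keytab's directory, so `overwrite_file` (not visible here) should create it with O_EXCL and mode 0600 rather than follow a pre-existing file or symlink — worth confirming. The `access()` check followed by the write is a pre-existing TOCTOU and is not made worse by this change.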
@@ -127,7 +127,7 @@ fi
rm -f output output.bak
# Test keytab support.
-runsuccess "" "$wallet" get -f keytab keytab service/fake-srvtab
+runsuccess "" "$wallet" -f keytab get keytab service/fake-srvtab
if cmp keytab data/fake-keytab >/dev/null 2>&1 ; then
printcount "ok"
rm keytab
@@ -141,7 +141,7 @@ else
printcount "ok"
fi
# Test srvtab support.
-runsuccess "" "$wallet" get keytab -f keytab -S srvtab service/fake-srvtab
+runsuccess "" "$wallet" -f keytab -S srvtab get keytab service/fake-srvtab
if cmp keytab data/fake-keytab >/dev/null 2>&1 ; then
printcount "ok"
else
@@ -153,7 +153,7 @@ if [ -f sync-kaserver ] ; then
else
printcount "not ok"
fi
-runsuccess "" "$wallet" get keytab -f keytab -S srvtab service/fake-srvtab
+runsuccess "" "$wallet" -f keytab -S srvtab get keytab service/fake-srvtab
if cmp keytab data/fake-keytab >/dev/null 2>&1 ; then
printcount "ok"
else
@@ -188,6 +188,22 @@ else
printcount "not ok"
fi
+# Test srvtab download into a merged keytab with an older version.
+cp data/fake-keytab-old keytab
+runsuccess "" "$wallet" -f keytab -S srvtab get keytab service/fake-srvtab
+if [ -f sync-kaserver ] ; then
+ printcount "ok"
+ rm sync-kaserver
+else
+ printcount "not ok"
+fi
+if cmp srvtab data/fake-srvtab >/dev/null 2>&1 ; then
+ printcount "ok"
+else
+ printcount "not ok"
+fi
+rm -f keytab srvtab
+
# Test various other client functions and errors.
runsuccess "This is a fake keytab." "$wallet" get keytab service/fake-output
runsuccess "Some stuff about file fake-test" \
diff --git a/tests/data/cmd-fake b/tests/data/cmd-fake
index 4b97f43..a8d979a 100755
--- a/tests/data/cmd-fake
+++ b/tests/data/cmd-fake
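Review bot: The new merged-keytab test checks the sync marker and the srvtab but never inspects the resulting `keytab`, so a regression in which merge_keytab drops the pre-existing entries or fails to add the downloaded ones would still pass. Add a `cmp keytab <expected-merge> >/dev/null 2>&1` check before the `rm -f keytab srvtab` line, bumping `total` accordingly; `tests/data/fake-keytab-merge` appears in EXTRA_DIST and may already be that fixture, but I cannot tell from here whether it was built from fake-keytab-old, so confirm or add one. A one-line comment noting that fake-keytab-old is expected to carry a higher kvno than fake-keytab would also make clear why this case exercises the fix.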
@@ -50,11 +50,16 @@ setattr)
fi
case "$1" in
service/fake-srvtab)
- if [ "$3" != "kaserver" ] ; then
- echo "Invalid attribute value $3" >&2
- exit 1
+ if [ "$3" = "kaserver" ] ; then
+ touch sync-kaserver
+ else
+ if [ "$3" = "" ] ; then
+ rm sync-kaserver
+ else
+ echo "Invalid attribute value $3" >&2
+ exit 1
+ fi
fi
- touch sync-kaserver
;;
*)
echo "Looking at sync attribute of wrong keytab" >&2
diff --git a/tests/data/fake-keytab-old b/tests/data/fake-keytab-old
Binary files differnew file mode 100644
index 0000000..6a13fd6
--- /dev/null
+++ b/tests/data/fake-keytab-old |
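Review bot: `rm sync-kaserver` in the new empty-value branch has no `-f`, so clearing the attribute when the marker was never created makes rm print an error and return non-zero, and the fake's behaviour then depends on the order the tests ran in; use `rm -f sync-kaserver`. The nested `else` / `if [ "$3" = "" ]` could also be flattened to a single `elif [ -z "$3" ] ; then` branch. The enclosing `setattr)` arm starts before this hunk and the `case "$1"` it contains ends after it.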