From 782e71d568957e05233f63fa8dca7cc53ba1afa1 Mon Sep 17 00:00:00 2001
From: Russ Allbery <eagle@eyrie.org>
Date: Mon, 6 Jan 2014 21:09:00 -0800
Subject: Fix wallet-rekey on keytabs containing multiple principals

Fix wallet-rekey on keytabs containing multiple principals.  Previous
versions assumed one could concatenate keytab files together to make a
valid keytab file, which doesn't work with some Kerberos libraries.
This caused new keys downloaded for principals after the first to be
discarded.  As a side effect of this fix, wallet-rekey always appends
new keys directly to the existing keytab file, and never creates a
backup copy of that file.

Change-Id: I5f863239ce4ebba66b35ff09454f2897367bd359
Reviewed-on: https://gerrit.stanford.edu/1369
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
---
 tests/client/rekey-t.in | 18 +++++++-----------
 1 file changed, 7 insertions(+), 11 deletions(-)

(limited to 'tests/client')

diff --git a/tests/client/rekey-t.in b/tests/client/rekey-t.in
index 0cfcb5d..c6d0e41 100644
--- a/tests/client/rekey-t.in
+++ b/tests/client/rekey-t.in
@@ -45,7 +45,7 @@ elif [ -z '@REMCTLD@' ] ; then
     rm krb5.conf
     skip_all 'No remctld found'
 else
-    plan 9
+    plan 8
 fi
 remctld_start '@REMCTLD@' "$SOURCE/data/basic.conf"
 wallet="$BUILD/../client/wallet-rekey"
@@ -68,31 +68,27 @@ ok '...and the keytab was untouched' cmp keytab data/fake-keytab-foreign
 rm -f keytab
 
 # Rekeying a keytab where we can't retrieve the principal should produce an
-# error message and abort when it's the first principal.
+# error message.
 cp data/fake-keytab-unknown keytab
 ok_program 'unknown wallet-rekey' 1 \
 'wallet: Unknown keytab service/real-keytab
 wallet: error rekeying for principal service/real-keytab
-wallet: aborting, keytab unchanged' \
+wallet: no rekeyable principals found' \
     "$wallet" -k "$principal" -p 14373 -s localhost -c fake-wallet keytab
 ok '...and the keytab was untouched' cmp keytab data/fake-keytab-unknown
 rm -f keytab
 
-# Rekeying a keytab where we can't retrieve a later principal should leave the
-# original keytab as keytab.old and store, in the new keytab, only the things
-# that it was able to rekey.
+# Rekeying a keytab where we can't retrieve a later principal should add the
+# things we were able to download and produce a warning.
 cp data/fake-keytab-partial keytab
 ok_program 'partial wallet-rekey' 1 \
 'wallet: Unknown keytab service/real-keytab
-wallet: error rekeying for principal service/real-keytab
-wallet: partial failure to rekey keytab keytab, old keytab left in keytab.old'\
+wallet: error rekeying for principal service/real-keytab'\
     "$wallet" -k "$principal" -p 14373 -s localhost -c fake-wallet keytab
 ktutil_list keytab klist-seen
 ktutil_list data/fake-keytab-partial-result klist-good
 ok '...and the rekeyed keytab is correct' cmp klist-seen klist-good
-ok '...and the backup keytab is correct' \
-    cmp keytab.old data/fake-keytab-partial
-rm -f keytab keytab.old klist-seen klist-good
+rm -f keytab klist-seen klist-good
 
 # Clean up.
 rm -f autocreated krb5.conf
-- 
cgit v1.2.3