krb5_error_code KRB5_CALLCONV krb5_kt_register(krb5_context,
const struct _krb5_kt_ops *);
+krb5_error_code k5_kt_get_principal(krb5_context context, krb5_keytab keytab,
+ krb5_principal *princ_out);
+
krb5_error_code krb5_principal2salt_norealm(krb5_context, krb5_const_principal,
krb5_data *);
{
return krb5_x((keytab)->ops->end_get,(context, keytab, cursor));
}
+
+/*
+ * In a couple of places we need to get a principal name from a keytab: when
+ * verifying credentials against a keytab, and when querying the name of a
+ * default GSS acceptor cred. Keytabs do not have the concept of a default
+ * principal like ccaches do, so for now we just return the first principal
+ * listed in the keytab, or an error if it's not iterable. In the future we
+ * could consider elevating this to a public API and giving keytab types an
+ * operation to return a default principal, and maybe extending the file format
+ * and tools to support it. Returns KRB5_KT_NOTFOUND if the keytab is empty
+ * or non-iterable.
+ */
+krb5_error_code
+k5_kt_get_principal(krb5_context context, krb5_keytab keytab,
+ krb5_principal *princ_out)
+{
+ krb5_error_code ret;
+ krb5_kt_cursor cursor;
+ krb5_keytab_entry kte;
+
+ *princ_out = NULL;
+ ret = krb5_kt_start_seq_get(context, keytab, &cursor);
+ if (ret)
+ return KRB5_KT_NOTFOUND;
+ ret = krb5_kt_next_entry(context, keytab, &kte, &cursor);
+ (void)krb5_kt_end_seq_get(context, keytab, &cursor);
+ if (ret)
+ return (ret == KRB5_KT_END) ? KRB5_KT_NOTFOUND : ret;
+ ret = krb5_copy_principal(context, kte.principal, princ_out);
+ krb5_kt_free_entry(context, &kte);
+ return ret;
+}
#endif /* LEAN_CLIENT */
return FALSE;
}
-/* Set *server_out to the first principal name in keytab. */
-static krb5_error_code
-get_first_keytab_princ(krb5_context context, krb5_keytab keytab,
- krb5_principal *server_out)
-{
- krb5_error_code ret;
- krb5_kt_cursor cursor;
- krb5_keytab_entry kte;
-
- ret = krb5_kt_start_seq_get(context, keytab, &cursor);
- if (ret)
- return ret;
- ret = krb5_kt_next_entry(context, keytab, &kte, &cursor);
- (void)krb5_kt_end_seq_get(context, keytab, &cursor);
- if (ret)
- return ret;
- ret = krb5_copy_principal(context, kte.principal, server_out);
- krb5_kt_free_entry(context, &kte);
- return ret;
-}
-
static krb5_error_code
copy_creds_except(krb5_context context, krb5_ccache incc,
krb5_ccache outcc, krb5_principal princ)
if (ret)
goto cleanup;
} else {
- /* Use the first principal name in the keytab. */
- ret = get_first_keytab_princ(context, keytab, &server);
+ /* Use a principal name from the keytab. */
+ ret = k5_kt_get_principal(context, keytab, &server);
if (ret) {
/* There's no keytab, or it's empty, or we can't read it.
* Allow this unless configuration demands verification. */
initialize_kv5m_error_table
initialize_prof_error_table
k5_free_serverlist
+k5_kt_get_principal
k5_locate_kdc
k5_plugin_free_modules
k5_plugin_load
; new in 1.10
krb5_sname_match @384
+ k5_kt_get_principal @385 ; PRIVATE GSSAPI