s3: Make TLDAP_IS_ALPHA and TLDAP_IS_ADH static functions
[Samba/kamenim.git] / examples / bind9-patches / 0004-If-tkey-gssapi-initialisation-fails-then-heck-for-th.patch
blob3130a05fd07ba83f43418d33685bce49695531a8
1 From c73ceb48ffc518e171d1d40b82ae2b5f603fe038 Mon Sep 17 00:00:00 2001
2 From: Andrew Tridgell <tridge@samba.org>
3 Date: Wed, 17 Feb 2010 15:27:44 +1100
4 Subject: [PATCH 4/5] If tkey-gssapi initialisation fails, then heck for the most common
5 configuration errors so that the admin doesn't spend all day trying to
6 work out why the config is broken.
8 ---
9 lib/dns/gssapictx.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
10 1 files changed, 48 insertions(+), 0 deletions(-)
12 diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c
13 index 11eadb9..879393c 100644
14 --- a/lib/dns/gssapictx.c
15 +++ b/lib/dns/gssapictx.c
16 @@ -66,6 +66,7 @@
17 * we include SPNEGO's OID.
19 #if defined(GSSAPI)
20 +#include <krb5/krb5.h>
22 static unsigned char krb5_mech_oid_bytes[] = {
23 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
24 @@ -191,6 +192,50 @@ log_cred(const gss_cred_id_t cred) {
26 #endif
28 +#ifdef GSSAPI
29 +/*
30 + * check for the most common configuration errors.
31 + *
32 + * The errors checked for are:
33 + * - tkey-gssapi-credential doesn't start with DNS/
34 + * - the default realm in /etc/krb5.conf and the
35 + * tkey-gssapi-credential bind config option don't match
36 + */
37 +static void dst_gssapi_check_config(const char *gss_name)
39 + const char *p;
40 + krb5_context krb5_ctx;
41 + char *krb5_realm = NULL;
43 + if (strncasecmp(gss_name, "DNS/", 4) != 0) {
44 + gss_log(ISC_LOG_ERROR, "tkey-gssapi-credential (%s) should start with 'DNS/'");
45 + return;
46 + }
48 + if (krb5_init_context(&krb5_ctx) != 0) {
49 + gss_log(ISC_LOG_ERROR, "Unable to initialise krb5 context");
50 + return;
51 + }
52 + if (krb5_get_default_realm(krb5_ctx, &krb5_realm) != 0) {
53 + gss_log(ISC_LOG_ERROR, "Unable to get krb5 default realm");
54 + krb5_free_context(krb5_ctx);
55 + return;
56 + }
57 + if (!(p = strchr(gss_name, '/'))) {
58 + gss_log(ISC_LOG_ERROR, "badly formatted tkey-gssapi-credentials (%s)", gss_name);
59 + krb5_free_context(krb5_ctx);
60 + return;
61 + }
62 + if (strcasecmp(p+1, krb5_realm) != 0) {
63 + gss_log(ISC_LOG_ERROR,"default realm from krb5.conf (%s) does not match tkey-gssapi-credential (%s)",
64 + krb5_realm, gss_name);
65 + krb5_free_context(krb5_ctx);
66 + return;
67 + }
68 + krb5_free_context(krb5_ctx);
70 +#endif
72 isc_result_t
73 dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
74 gss_cred_id_t *cred)
75 @@ -223,6 +268,8 @@ dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
76 gret = gss_import_name(&minor, &gnamebuf,
77 GSS_C_NO_OID, &gname);
78 if (gret != GSS_S_COMPLETE) {
79 + dst_gssapi_check_config((char *)array);
81 gss_log(3, "failed gss_import_name: %s",
82 gss_error_tostring(gret, minor, buf,
83 sizeof(buf)));
84 @@ -254,6 +301,7 @@ dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
85 initiate ? "initiate" : "accept",
86 (char *)gnamebuf.value,
87 gss_error_tostring(gret, minor, buf, sizeof(buf)));
88 + dst_gssapi_check_config((char *)array);
89 return (ISC_R_FAILURE);
93 1.6.3.3