History log of /sssd-io/src/providers/krb5/krb5_ccache.c
Revision Date Author Comments
2c10819750a8d920ab755eba1278e6e20e684e93 28-Nov-2017 Sumit Bose <sbose@redhat.com>

krb5: show error message for krb5_init_context() failures

If there are typos in /etc/krb5.conf (or one of the included config snippets) krb5_init_context(), the initial call always needed to do any other operation with libkrb5, fails because /etc/krb5.conf cannot be parsed. Currently the related debug/syslog messages might be misleading, e.g. failed to read keytab. This is because SSSD does not use a global krb5 context but creates a fresh one for every new request or operation (to always use the latest settings from /etc/krb5.conf) and typically there is an error message indicating that the related operation failed but not giving more details. Since krb5_init_context() is fundamental for Kerberos support this patch tries to add as much details as libkrb5 provides in the logs if the call fails.

Resolves: https://pagure.io/SSSD/sssd/issue/3586

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>

e693e9c67e0b4c5b38ba7ce7d04f718b2da2e2d0 05-Aug-2015 Lukas Slebodnik <lslebodn@redhat.com>

KRB5: Do not try to remove missing ccache

There was a misleading debug message in krb5_child

[[sssd[krb5_child[16629]]]] [get_and_save_tgt] (0x0080): Failed to remove old ccache file [(null)], please remove it manually.

Reviewed-by: Pavel Reichl <preichl@redhat.com>

802385896dc1c4e7b8bbd40dcfe3cd131f68e696 02-Dec-2014 Sumit Bose <sbose@redhat.com>

krb5: add copy_ccache_into_memory()

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

466f5a539be1e4c6e7cfb396a2f406e1eb8c428d 28-Nov-2014 Lukas Slebodnik <lslebodn@redhat.com>

krb5: Check return value of sss_krb5_princ_realm

sss_krb5_princ_realm set output parameter realm to NULL and len to 0 in case of failure. Clang static analysers reported warning "Null pointer passed as an argument to a 'nonnull' parameter" in function match_principal. It was possible, that realm_name with value NULL could be used in strncmp.

Reviewed-by: Pavel Reichl <preichl@redhat.com>

2745b0156f12df7a7eb93d57716233243658e4d9 18-Nov-2014 Jakub Hrozek <jhrozek@redhat.com>

KRB5: Move all ccache operations to krb5_child.c

The credential cache operations must be now performed by the krb5_child completely, because the sssd_be process might be running as the sssd user who doesn't have access to the ccaches. src/providers/krb5/krb5_ccache.c is still linked against libsss_krb5 until we fix Kerberos ticket renewal as non-root. Also includes a new error code that indicates that the back end should remove the old ccache attribute -- the child can't do that if it's running as the user.

Related: https://fedorahosted.org/sssd/ticket/2370

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

7c5cd2e7711621af9163a41393e88896a91ac33b 18-Nov-2014 Jakub Hrozek <jhrozek@redhat.com>

KRB5: Move checking for illegal RE to krb5_utils.c

Otherwise we would have to link krb5_child with pcre and transfer the regex, which would be cumbersome. Check for illegal patterns when expanding the template instead.

Related: https://fedorahosted.org/sssd/ticket/2370

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

45aeb924ec3ac448bb8d174a5cc061ed98b147c7 18-Nov-2014 Jakub Hrozek <jhrozek@redhat.com>

KRB5: Move ccache-related functions to krb5_ccache.c

Add a new module krb5_ccache.c that contains all ccache-related operations. The only user of this module shall be krb5_child.c as the other modules will run unprivileged and accessing the ccache requires either privileges of root or the ccache owner.

Related: https://fedorahosted.org/sssd/ticket/2370

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>