sss_krb5.c revision 5ae539828197f032d3e2ccb27e87ccf2a1d94996
f82568a780e35e8786958c49a1259434e2088b9cniq Sumit Bose <sbose@redhat.com>
11e076839c8d5a82d55e710194d0daac51390dbdsf Copyright (C) 2009-2010 Red Hat
f82568a780e35e8786958c49a1259434e2088b9cniq This program is free software; you can redistribute it and/or modify
f82568a780e35e8786958c49a1259434e2088b9cniq it under the terms of the GNU General Public License as published by
f82568a780e35e8786958c49a1259434e2088b9cniq the Free Software Foundation; either version 3 of the License, or
f82568a780e35e8786958c49a1259434e2088b9cniq (at your option) any later version.
5bfaaf573bacb45c1cf290ce85ecc676587e8a64jim This program is distributed in the hope that it will be useful,
5bfaaf573bacb45c1cf290ce85ecc676587e8a64jim but WITHOUT ANY WARRANTY; without even the implied warranty of
5bfaaf573bacb45c1cf290ce85ecc676587e8a64jim MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
5bfaaf573bacb45c1cf290ce85ecc676587e8a64jim GNU General Public License for more details.
f82568a780e35e8786958c49a1259434e2088b9cniq You should have received a copy of the GNU General Public License
5bfaaf573bacb45c1cf290ce85ecc676587e8a64jim along with this program. If not, see <http://www.gnu.org/licenses/>.
f82568a780e35e8786958c49a1259434e2088b9cniq const char *pattern,
f82568a780e35e8786958c49a1259434e2088b9cniq const char *hostname)
f82568a780e35e8786958c49a1259434e2088b9cniqerrno_t select_principal_from_keytab(TALLOC_CTX *mem_ctx,
7bccdbc7016c4ea9d196a15c391d5e629d886e34jorton const char *hostname,
f82568a780e35e8786958c49a1259434e2088b9cniq const char *desired_realm,
f82568a780e35e8786958c49a1259434e2088b9cniq const char *keytab_name,
0134ffd85f3bcfd84cf0bea0f4b797a885eb78adniq int i = 0;
f82568a780e35e8786958c49a1259434e2088b9cniq const char *realm_name;
f82568a780e35e8786958c49a1259434e2088b9cniq * The %s conversion is passed as-is, the %S conversion is translated to
f82568a780e35e8786958c49a1259434e2088b9cniq * "short host name"
f82568a780e35e8786958c49a1259434e2088b9cniq * Priority of lookup:
f82568a780e35e8786958c49a1259434e2088b9cniq * - our.hostname@REALM or host/our.hostname@REALM depending on the input
f82568a780e35e8786958c49a1259434e2088b9cniq * - SHORT.HOSTNAME$@REALM (AD domain)
f82568a780e35e8786958c49a1259434e2088b9cniq * - foobar$@REALM (AD domain)
f82568a780e35e8786958c49a1259434e2088b9cniq * - pick the first principal in the keytab
f82568a780e35e8786958c49a1259434e2088b9cniq const char *primary_patterns[] = {"%s", "%S$", "host/%s", "*$", "host/*",
f82568a780e35e8786958c49a1259434e2088b9cniq const char *realm_patterns[] = {"%s", "%s", "%s", "%s", "%s",
f82568a780e35e8786958c49a1259434e2088b9cniq "trying to select the most appropriate principal from keytab\n");
f82568a780e35e8786958c49a1259434e2088b9cniq DEBUG(SSSDBG_OP_FAILURE, "Failed to init kerberos context\n");
f82568a780e35e8786958c49a1259434e2088b9cniq "Failed to read keytab [%s]: %s\n",
f82568a780e35e8786958c49a1259434e2088b9cniq realm = talloc_asprintf(tmp_ctx, realm_patterns[i], desired_realm);
f82568a780e35e8786958c49a1259434e2088b9cniq kerr = find_principal_in_keytab(krb_ctx, keytab, primary, realm,
f82568a780e35e8786958c49a1259434e2088b9cniq if (kerr == 0) {
f82568a780e35e8786958c49a1259434e2088b9cniq } while(primary_patterns[i-1] != NULL || realm_patterns[i-1] != NULL);
f82568a780e35e8786958c49a1259434e2088b9cniq if (kerr == 0) {
f82568a780e35e8786958c49a1259434e2088b9cniq kerr = krb5_unparse_name(krb_ctx, client_princ, &principal_string);
f82568a780e35e8786958c49a1259434e2088b9cniq DEBUG(SSSDBG_FUNC_DATA, "Selected principal: %s\n", *_principal);
f82568a780e35e8786958c49a1259434e2088b9cniq kerr = sss_krb5_unparse_name_flags(krb_ctx, client_princ,
f82568a780e35e8786958c49a1259434e2088b9cniq DEBUG(SSSDBG_FUNC_DATA, "Selected primary: %s\n", *_primary);
f82568a780e35e8786958c49a1259434e2088b9cniq DEBUG(SSSDBG_FUNC_DATA, "Selected realm: %s\n", *_realm);
f82568a780e35e8786958c49a1259434e2088b9cniq DEBUG(SSSDBG_MINOR_FAILURE, "No suitable principal found in keytab\n");
f82568a780e35e8786958c49a1259434e2088b9cniq DEBUG(SSSDBG_FATAL_FAILURE, "Failed to read keytab [%s]: %s\n",
f82568a780e35e8786958c49a1259434e2088b9cniq sss_log(SSS_LOG_ERR, "Failed to read keytab [%s]: %s\n",
f82568a780e35e8786958c49a1259434e2088b9cniqint sss_krb5_verify_keytab_ex(const char *principal, const char *keytab_name,
f82568a780e35e8786958c49a1259434e2088b9cniq krberr = krb5_kt_start_seq_get(context, keytab, &cursor);
f82568a780e35e8786958c49a1259434e2088b9cniq sss_log(SSS_LOG_ERR, "Error reading keytab file [%s]: [%d][%s]. "
f82568a780e35e8786958c49a1259434e2088b9cniq "Unable to create GSSAPI-encrypted LDAP "
f82568a780e35e8786958c49a1259434e2088b9cniq "connection.",
f82568a780e35e8786958c49a1259434e2088b9cniq while((krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){
f82568a780e35e8786958c49a1259434e2088b9cniq krberr = krb5_unparse_name(context, entry.principal, &kt_principal);
f82568a780e35e8786958c49a1259434e2088b9cniq "Could not parse keytab entry\n");
f82568a780e35e8786958c49a1259434e2088b9cniq krberr = sss_krb5_free_keytab_entry_contents(context, &entry);
f82568a780e35e8786958c49a1259434e2088b9cniq /* This should never happen. The API docs for this function
f82568a780e35e8786958c49a1259434e2088b9cniq * specify only success for this function
f82568a780e35e8786958c49a1259434e2088b9cniq DEBUG(SSSDBG_CRIT_FAILURE,"Could not free keytab entry contents\n");
f82568a780e35e8786958c49a1259434e2088b9cniq /* This is non-fatal, so we'll continue here */
f82568a780e35e8786958c49a1259434e2088b9cniq DEBUG(SSSDBG_FATAL_FAILURE, "Could not close keytab.\n");
f82568a780e35e8786958c49a1259434e2088b9cniq sss_log(SSS_LOG_ERR, "Could not close keytab file [%s].",
f82568a780e35e8786958c49a1259434e2088b9cniq "Principal [%s] not found in keytab [%s]\n",
f82568a780e35e8786958c49a1259434e2088b9cniq sss_log(SSS_LOG_ERR, "Error processing keytab file [%s]: "
f82568a780e35e8786958c49a1259434e2088b9cniq "Principal [%s] was not found. "
f82568a780e35e8786958c49a1259434e2088b9cniq "Unable to create GSSAPI-encrypted LDAP connection.",
f82568a780e35e8786958c49a1259434e2088b9cniqenum matching_mode {MODE_NORMAL, MODE_PREFIX, MODE_POSTFIX};
f82568a780e35e8786958c49a1259434e2088b9cniq * We only have primary and instances stored separately, we need to
f82568a780e35e8786958c49a1259434e2088b9cniq * join them to one string and compare that string.
f82568a780e35e8786958c49a1259434e2088b9cniq * @param ctx kerberos context
f82568a780e35e8786958c49a1259434e2088b9cniq * @param principal principal we want to match
f82568a780e35e8786958c49a1259434e2088b9cniq * @param pattern_primary primary part of the principal we want to
f82568a780e35e8786958c49a1259434e2088b9cniq * perform matching against. It is possible to use * wildcard
f82568a780e35e8786958c49a1259434e2088b9cniq * at the beginning or at the end of the string. If NULL, it
f82568a780e35e8786958c49a1259434e2088b9cniq * will act as "*"
f82568a780e35e8786958c49a1259434e2088b9cniq * @param pattern_realm realm part of the principal we want to perform
f82568a780e35e8786958c49a1259434e2088b9cniq * the matching against. If NULL, it will act as "*"
f82568a780e35e8786958c49a1259434e2088b9cniq const char *pattern_realm)
f82568a780e35e8786958c49a1259434e2088b9cniq const char *realm_name;
f82568a780e35e8786958c49a1259434e2088b9cniq bool ret = false;
f82568a780e35e8786958c49a1259434e2088b9cniq sss_krb5_princ_realm(ctx, principal, &realm_name, &realm_len);
f82568a780e35e8786958c49a1259434e2088b9cniq return false;
f82568a780e35e8786958c49a1259434e2088b9cniq primary_str = talloc_strdup(tmp_ctx, pattern_primary+1);
f82568a780e35e8786958c49a1259434e2088b9cniq sss_krb5_unparse_name_flags(ctx, principal, KRB5_PRINCIPAL_UNPARSE_NO_REALM,
f82568a780e35e8786958c49a1259434e2088b9cniq if (!pattern_realm || (realm_len == strlen(pattern_realm) &&
f82568a780e35e8786958c49a1259434e2088b9cniq "Principal matched to the sample (%s@%s).\n", pattern_primary,
f82568a780e35e8786958c49a1259434e2088b9cniqkrb5_error_code find_principal_in_keytab(krb5_context ctx,
f82568a780e35e8786958c49a1259434e2088b9cniq const char *pattern_realm,
f82568a780e35e8786958c49a1259434e2088b9cniq bool principal_found = false;
f82568a780e35e8786958c49a1259434e2088b9cniq if (kerr != 0) {
f82568a780e35e8786958c49a1259434e2088b9cniq DEBUG(SSSDBG_CRIT_FAILURE, "krb5_kt_start_seq_get failed.\n");
f82568a780e35e8786958c49a1259434e2088b9cniq "Trying to find principal %s@%s in keytab.\n", pattern_primary, pattern_realm);
f82568a780e35e8786958c49a1259434e2088b9cniq while ((kt_err = krb5_kt_next_entry(ctx, keytab, &entry, &cursor)) == 0) {
f82568a780e35e8786958c49a1259434e2088b9cniq principal_found = match_principal(ctx, entry.principal, pattern_primary, pattern_realm);
f82568a780e35e8786958c49a1259434e2088b9cniq kerr = sss_krb5_free_keytab_entry_contents(ctx, &entry);
f82568a780e35e8786958c49a1259434e2088b9cniq if (kerr != 0) {
f82568a780e35e8786958c49a1259434e2088b9cniq DEBUG(SSSDBG_CRIT_FAILURE, "Failed to free keytab entry.\n");
f82568a780e35e8786958c49a1259434e2088b9cniq /* Close the keytab here. Even though we're using cursors, the file
f82568a780e35e8786958c49a1259434e2088b9cniq * handle is stored in the krb5_keytab structure, and it gets
f82568a780e35e8786958c49a1259434e2088b9cniq * overwritten by other keytab calls, creating a leak. */
f82568a780e35e8786958c49a1259434e2088b9cniq if (kerr != 0) {
f82568a780e35e8786958c49a1259434e2088b9cniq DEBUG(SSSDBG_CRIT_FAILURE, "krb5_kt_end_seq_get failed.\n");
f82568a780e35e8786958c49a1259434e2088b9cniq "No principal matching %s@%s found in keytab.\n",
f82568a780e35e8786958c49a1259434e2088b9cniq /* check if we got any errors from krb5_kt_next_entry */
f82568a780e35e8786958c49a1259434e2088b9cniq DEBUG(SSSDBG_CRIT_FAILURE, "Error while reading keytab.\n");
f82568a780e35e8786958c49a1259434e2088b9cniq kerr = krb5_copy_principal(ctx, entry.principal, princ);
f82568a780e35e8786958c49a1259434e2088b9cniq if (kerr != 0) {
f82568a780e35e8786958c49a1259434e2088b9cniq DEBUG(SSSDBG_CRIT_FAILURE, "krb5_copy_principal failed.\n");
f82568a780e35e8786958c49a1259434e2088b9cniq kerr_d = sss_krb5_free_keytab_entry_contents(ctx, &entry);
f82568a780e35e8786958c49a1259434e2088b9cniq if (kerr_d != 0) {
f82568a780e35e8786958c49a1259434e2088b9cniq DEBUG(SSSDBG_CRIT_FAILURE, "Failed to free keytab entry.\n");
f82568a780e35e8786958c49a1259434e2088b9cniqconst char *KRB5_CALLCONV sss_krb5_get_error_message(krb5_context ctx,
f82568a780e35e8786958c49a1259434e2088b9cniq char *s = NULL;
f82568a780e35e8786958c49a1259434e2088b9cniq if (s == NULL) {
f82568a780e35e8786958c49a1259434e2088b9cniqvoid KRB5_CALLCONV sss_krb5_free_error_message(krb5_context ctx, const char *s)
f82568a780e35e8786958c49a1259434e2088b9cniqkrb5_error_code KRB5_CALLCONV sss_krb5_get_init_creds_opt_alloc(
f82568a780e35e8786958c49a1259434e2088b9cniqvoid KRB5_CALLCONV sss_krb5_get_init_creds_opt_free (krb5_context context,
f82568a780e35e8786958c49a1259434e2088b9cniqvoid KRB5_CALLCONV sss_krb5_free_unparsed_name(krb5_context context, char *name)
f82568a780e35e8786958c49a1259434e2088b9cniqkrb5_error_code KRB5_CALLCONV sss_krb5_get_init_creds_opt_set_expire_callback(
f82568a780e35e8786958c49a1259434e2088b9cniq return krb5_get_init_creds_opt_set_expire_callback(context, opt, cb, data);
f82568a780e35e8786958c49a1259434e2088b9cniq "krb5_get_init_creds_opt_set_expire_callback not available.\n");
f82568a780e35e8786958c49a1259434e2088b9cniq } else if (strcasecmp(str, "try") == 0 || strcasecmp(str, "demand") == 0) {
f82568a780e35e8786958c49a1259434e2088b9cniq sss_log(SSS_LOG_ALERT, "Unsupported value [%s] for option krb5_use_fast,"
f82568a780e35e8786958c49a1259434e2088b9cniq sss_log(SSS_LOG_ALERT, "This build of sssd does not support FAST. "
f82568a780e35e8786958c49a1259434e2088b9cniq "Please remove option krb5_use_fast.\n");
f82568a780e35e8786958c49a1259434e2088b9cniqkrb5_error_code KRB5_CALLCONV sss_krb5_get_init_creds_opt_set_fast_ccache_name(
f82568a780e35e8786958c49a1259434e2088b9cniq return krb5_get_init_creds_opt_set_fast_ccache_name(context, opt,
f82568a780e35e8786958c49a1259434e2088b9cniq "krb5_get_init_creds_opt_set_fast_ccache_name not available.\n");
f82568a780e35e8786958c49a1259434e2088b9cniqkrb5_error_code KRB5_CALLCONV sss_krb5_get_init_creds_opt_set_fast_flags(
f82568a780e35e8786958c49a1259434e2088b9cniq return krb5_get_init_creds_opt_set_fast_flags(context, opt, flags);
f82568a780e35e8786958c49a1259434e2088b9cniq "krb5_get_init_creds_opt_set_fast_flags not available.\n");
f82568a780e35e8786958c49a1259434e2088b9cniqsss_krb5_copy_component_quoting(char *dest, const krb5_data *src, int flags)
f82568a780e35e8786958c49a1259434e2088b9cniq char *q = dest;
f82568a780e35e8786958c49a1259434e2088b9cniq int no_realm = (flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) &&
f82568a780e35e8786958c49a1259434e2088b9cniq switch (*cp) {
f82568a780e35e8786958c49a1259434e2088b9cniq case '\\':
f82568a780e35e8786958c49a1259434e2088b9cniq *q++ = '\\';
f82568a780e35e8786958c49a1259434e2088b9cniq case '\t':
f82568a780e35e8786958c49a1259434e2088b9cniq *q++ = '\\';
f82568a780e35e8786958c49a1259434e2088b9cniq *q++ = 't';
f82568a780e35e8786958c49a1259434e2088b9cniq case '\n':
f82568a780e35e8786958c49a1259434e2088b9cniq *q++ = '\\';
f82568a780e35e8786958c49a1259434e2088b9cniq *q++ = 'n';
f82568a780e35e8786958c49a1259434e2088b9cniq case '\b':
f82568a780e35e8786958c49a1259434e2088b9cniq *q++ = '\\';
f82568a780e35e8786958c49a1259434e2088b9cniq *q++ = 'b';
f82568a780e35e8786958c49a1259434e2088b9cniq case '\0':
f82568a780e35e8786958c49a1259434e2088b9cniq *q++ = '\\';
f82568a780e35e8786958c49a1259434e2088b9cniq *q++ = '0';
f82568a780e35e8786958c49a1259434e2088b9cniq return q - dest;
f82568a780e35e8786958c49a1259434e2088b9cniqsss_krb5_component_length_quoted(const krb5_data *src, int flags)
7bccdbc7016c4ea9d196a15c391d5e629d886e34jorton int no_realm = (flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) &&
f82568a780e35e8786958c49a1259434e2088b9cniq#endif /* HAVE_KRB5_UNPARSE_NAME_FLAGS */
f82568a780e35e8786958c49a1259434e2088b9cniqsss_krb5_parse_name_flags(krb5_context context, const char *name, int flags,
0134ffd85f3bcfd84cf0bea0f4b797a885eb78adniq return krb5_parse_name_flags(context, name, flags, principal);
f82568a780e35e8786958c49a1259434e2088b9cniq if (flags != 0) {
f82568a780e35e8786958c49a1259434e2088b9cniq DEBUG(SSSDBG_MINOR_FAILURE, "krb5_parse_name_flags not available on " \
f82568a780e35e8786958c49a1259434e2088b9cniq "this plattform, names are parsed " \
f82568a780e35e8786958c49a1259434e2088b9cniq "without flags. Some features like " \
f82568a780e35e8786958c49a1259434e2088b9cniq "enterprise principals might not work " \
f82568a780e35e8786958c49a1259434e2088b9cniq "as expected.\n");
f82568a780e35e8786958c49a1259434e2088b9cniqsss_krb5_unparse_name_flags(krb5_context context, krb5_const_principal principal,
f82568a780e35e8786958c49a1259434e2088b9cniq return krb5_unparse_name_flags(context, principal, flags, name);
f82568a780e35e8786958c49a1259434e2088b9cniq char *cp, *q;
f82568a780e35e8786958c49a1259434e2088b9cniq unsigned int totalsize = 0;
f82568a780e35e8786958c49a1259434e2088b9cniq /* omit realm if local realm */
f82568a780e35e8786958c49a1259434e2088b9cniq krb5_princ_realm(context, &p)->length = strlen(default_realm);
f82568a780e35e8786958c49a1259434e2088b9cniq totalsize += sss_krb5_component_length_quoted(krb5_princ_realm(context,
f82568a780e35e8786958c49a1259434e2088b9cniq for (i = 0; i < (int) nelem; i++) {
f82568a780e35e8786958c49a1259434e2088b9cniq totalsize += sss_krb5_component_length_quoted(krb5_princ_component(context, principal, i), flags);
f82568a780e35e8786958c49a1259434e2088b9cniq for (i = 0; i < (int) nelem; i++) {
f82568a780e35e8786958c49a1259434e2088b9cniq length = krb5_princ_component(context, principal, i)->length;
f82568a780e35e8786958c49a1259434e2088b9cniq if (i > 0)
0134ffd85f3bcfd84cf0bea0f4b797a885eb78adniq q += sss_krb5_copy_component_quoting(q, krb5_princ_realm(context, principal), flags);
f82568a780e35e8786958c49a1259434e2088b9cniq *q++ = '\0';
0134ffd85f3bcfd84cf0bea0f4b797a885eb78adniq#endif /* HAVE_KRB5_UNPARSE_NAME_FLAGS */
f82568a780e35e8786958c49a1259434e2088b9cniqvoid sss_krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt *opts,
f82568a780e35e8786958c49a1259434e2088b9cniq /* FIXME: The extra check for HAVE_KRB5_TICKET_TIMES is a workaround due to Heimdal
f82568a780e35e8786958c49a1259434e2088b9cniq * defining krb5_get_init_creds_opt_set_canonicalize() with a different set of
0134ffd85f3bcfd84cf0bea0f4b797a885eb78adniq * arguments. We should use a better configure check in the future.
0134ffd85f3bcfd84cf0bea0f4b797a885eb78adniq#if defined(HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE) && defined(HAVE_KRB5_TICKET_TIMES)
0134ffd85f3bcfd84cf0bea0f4b797a885eb78adniq krb5_get_init_creds_opt_set_canonicalize(opts, canonicalize);
f82568a780e35e8786958c49a1259434e2088b9cniq DEBUG(SSSDBG_OP_FAILURE, "Kerberos principal canonicalization is not available!\n");
0134ffd85f3bcfd84cf0bea0f4b797a885eb78adniqvoid sss_krb5_princ_realm(krb5_context context, krb5_const_principal princ,
f82568a780e35e8786958c49a1259434e2088b9cniqvoid sss_krb5_princ_realm(krb5_context context, krb5_const_principal princ,
f82568a780e35e8786958c49a1259434e2088b9cniqsss_krb5_free_keytab_entry_contents(krb5_context context,
0134ffd85f3bcfd84cf0bea0f4b797a885eb78adniqsss_krb5_free_keytab_entry_contents(krb5_context context,
0134ffd85f3bcfd84cf0bea0f4b797a885eb78adniq/* krb5-1.10 had struct krb5_trace_info, 1.11 has type named krb5_trace_info */
0134ffd85f3bcfd84cf0bea0f4b797a885eb78adniq#endif /* HAVE_KRB5_TRACE_INFO */
f82568a780e35e8786958c49a1259434e2088b9cniqstatic void
0134ffd85f3bcfd84cf0bea0f4b797a885eb78adniq /* Null info means destroy the callback data. */
0134ffd85f3bcfd84cf0bea0f4b797a885eb78adniq return krb5_set_trace_callback(ctx, sss_child_krb5_trace_cb, NULL);
0134ffd85f3bcfd84cf0bea0f4b797a885eb78adniq#else /* HAVE_KRB5_SET_TRACE_CALLBACK */
0134ffd85f3bcfd84cf0bea0f4b797a885eb78adniq DEBUG(SSSDBG_CONF_SETTINGS, "krb5 tracing is not available\n");
f82568a780e35e8786958c49a1259434e2088b9cniq#endif /* HAVE_KRB5_SET_TRACE_CALLBACK */
f82568a780e35e8786958c49a1259434e2088b9cniqkrb5_error_code sss_krb5_find_authdata(krb5_context context,
f82568a780e35e8786958c49a1259434e2088b9cniq return krb5_find_authdata(context, ticket_authdata, ap_req_authdata,
f82568a780e35e8786958c49a1259434e2088b9cniq kerr = krb5_cc_retrieve_cred(ctx, ccache, 0, &mcred, &cred);
f82568a780e35e8786958c49a1259434e2088b9cniq if (kerr != 0) {
f82568a780e35e8786958c49a1259434e2088b9cniq DEBUG(SSSDBG_OP_FAILURE, "krb5_cc_retrieve_cred failed.\n");
f82568a780e35e8786958c49a1259434e2088b9cniq if (kerr != 0) {
f82568a780e35e8786958c49a1259434e2088b9cniq DEBUG(SSSDBG_OP_FAILURE, "krb5_decode_ticket failed.\n");
5bfaaf573bacb45c1cf290ce85ecc676587e8a64jim kerr = krb5_server_decrypt_ticket_keytab(ctx, keytab, ticket);
f82568a780e35e8786958c49a1259434e2088b9cniq if (kerr != 0) {
f82568a780e35e8786958c49a1259434e2088b9cniq DEBUG(SSSDBG_OP_FAILURE, "krb5_server_decrypt_ticket_keytab failed.\n");
f82568a780e35e8786958c49a1259434e2088b9cniq if (kerr != 0) {
f82568a780e35e8786958c49a1259434e2088b9cniq DEBUG(SSSDBG_OP_FAILURE, "krb5_find_authdata failed.\n");
f82568a780e35e8786958c49a1259434e2088b9cniq DEBUG(SSSDBG_OP_FAILURE, "No PAC authdata available.\n");
0134ffd85f3bcfd84cf0bea0f4b797a885eb78adniq DEBUG(SSSDBG_OP_FAILURE, "More than one PAC autdata found.\n");
f82568a780e35e8786958c49a1259434e2088b9cniq if (kerr != 0) {
0134ffd85f3bcfd84cf0bea0f4b797a885eb78adniq if (kerr != 0) {
0134ffd85f3bcfd84cf0bea0f4b797a885eb78adniq DEBUG(SSSDBG_OP_FAILURE, "krb5_kt_get_entry failed.\n");
f82568a780e35e8786958c49a1259434e2088b9cniq kerr = krb5_pac_verify(ctx, pac, 0, NULL, &entry.key, NULL);
f82568a780e35e8786958c49a1259434e2088b9cniq if (kerr != 0) {
f82568a780e35e8786958c49a1259434e2088b9cniq DEBUG(SSSDBG_CRIT_FAILURE, "Failed to unset _SSS_LOOPS, "
f82568a780e35e8786958c49a1259434e2088b9cniq "sss_pac_make_request will most certainly fail.\n");
0134ffd85f3bcfd84cf0bea0f4b797a885eb78adniq if (kerr != 0) {
return kerr;
return ENOTSUP;
const char *location)
#ifdef HAVE_KRB5_CC_COLLECTION
if (kerr != 0) {
return NULL;
if (kerr != 0) {
return NULL;
if (kerr != 0) {
goto done;
done:
if (kerr != 0) {
return ret_ccname;
return NULL;