Subject: Default principal name in the acceptor cred corresponds to first entry in associated keytab.
Date: Wed, 6 Apr 2011 15:52:13 -0400
Message-ID: <23447137FA0DAA4D95EF535FF356BE4606343BEE@mse3be2.mse3.exchange.ms>
From: "Sriram Nambakam"
CC: Arlene Berry

If the name in the acceptor credential has not been specified yet (because the gss_accept_sec_context call was not run yet), a call to gss_inquire_cred using this credential must return the principal name from the first entry in the associated keytab. I have discussed this implementation with Greg Hudson.

Index: src/lib/gssapi/krb5/inq_cred.c
===================================================================
--- src/lib/gssapi/krb5/inq_cred.c (revision 56276)
+++ src/lib/gssapi/krb5/inq_cred.c (working copy)
@@ -145,15 +145,30 @@ lifetime = GSS_C_INDEFINITE; if (name) { - if (cred->name && - (code = kg_duplicate_name(context, cred->name, - KG_INIT_NAME_INTERN, &ret_name))) { - k5_mutex_unlock(&cred->lock); - *minor_status = code; - save_error_info(*minor_status, context); - ret = GSS_S_FAILURE; - goto fail; + if (cred->name) + { + if (code = kg_duplicate_name(context, cred->name, + KG_INIT_NAME_INTERN, &ret_name)) { + k5_mutex_unlock(&cred->lock); + *minor_status = code; + save_error_info(*minor_status, context); + ret = GSS_S_FAILURE; + goto fail; + } } + else if ((cred->usage == GSS_C_ACCEPT ||cred->usage == GSS_C_BOTH) && + cred->keytab != NULL) + { + if (code = kg_get_principal_name_from_keytab(context, cred->keytab, + KG_INIT_NAME_INTERN, + &ret_name)) { + k5_mutex_unlock(&cred->lock); + *minor_status = code; + save_error_info(*minor_status, context); + ret = GSS_S_FAILURE; + goto fail; + } + } } if (mechanisms) { Index: src/lib/gssapi/krb5/gssapiP_krb5.h =================================================================== --- src/lib/gssapi/krb5/gssapiP_krb5.h (revision 56276) +++ src/lib/gssapi/krb5/gssapiP_krb5.h (working copy) @@ -892,6 +892,12 @@ gss_name_t name, gss_buffer_t exp_composite_name); +krb5_error_code +kg_get_principal_name_from_keytab(krb5_context context, + krb5_keytab kt, + krb5_flags flags, + krb5_gss_name_t* dst); + OM_uint32 krb5_gss_map_name_to_any(OM_uint32 *minor_status, gss_name_t name, Index: src/lib/gssapi/krb5/naming_exts.c =================================================================== --- src/lib/gssapi/krb5/naming_exts.c (revision 56276) +++ src/lib/gssapi/krb5/naming_exts.c (working copy) 
@@ -720,3 +720,55 @@ } #endif +krb5_error_code +kg_get_principal_name_from_keytab(krb5_context context, + krb5_keytab kt, + krb5_flags flags, + krb5_gss_name_t* dst) +{ + krb5_error_code code; + krb5_kt_cursor cursor; + krb5_keytab_entry entry; + krb5_keytab_entry* pEntry = NULL; + krb5_gss_name_t name; + int end_seq = 0; + + code = krb5_kt_start_seq_get(context, kt, &cursor); + if (code != 0) + { + goto cleanup; + } + + end_seq = 1; + + code = krb5_kt_next_entry(context, kt, &entry, &cursor); + if (code != 0) + { + goto cleanup; + } + + pEntry = &entry; + + code = kg_init_name(context, entry.principal, NULL, flags, &name); + if (code != 0) + { + goto cleanup; + } + + *dst = name; + +cleanup: + + if (pEntry) + { + (void) krb5_free_keytab_entry_contents(context, pEntry); + } + + if (end_seq) + { + (void) krb5_kt_end_seq_get(context, kt, &cursor); + } + + return code; +} +
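Review bot: in the inq_cred.c hunk, the new `else if` branch changes gss_inquire_cred from "success with no name" to GSS_S_FAILURE whenever the acceptor keytab cannot be opened or has no entries, because any non-zero return from kg_get_principal_name_from_keytab is propagated as a hard error; an empty keytab makes krb5_kt_next_entry return its end-of-sequence error, so a caller that previously got GSS_S_COMPLETE now fails. Consider treating "no entry available" as "no default name yet" (leave ret_name NULL and fall through) and only failing on genuine keytab errors. Two smaller points in the same hunk: `if (code = kg_duplicate_name(...))` and `if (code = kg_get_principal_name_from_keytab(...))` drop the extra parentheses the original `(code = ...)` carried and will draw assignment-in-condition warnings, and the braces on their own lines plus `||cred->usage` (no space after `||`) depart from the surrounding `if (...) {` style; the two identical unlock/save_error_info/goto fail blocks could also be shared instead of duplicated.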
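Review bot: the gssapiP_krb5.h hunk adds the kg_get_principal_name_from_keytab prototype without a comment stating its contract; add a short note that it returns the principal of the first keytab entry as a newly allocated krb5_gss_name_t the caller must release, and that it returns an error when the keytab has no entries. Style point: `krb5_gss_name_t* dst` should read `krb5_gss_name_t *dst`, matching the neighbouring `gss_name_t name` and `OM_uint32 *minor_status` declarations.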
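Review bot: in the naming_exts.c hunk, `entry.principal` is passed to kg_init_name and then released in cleanup through krb5_free_keytab_entry_contents, so the result is valid only if kg_init_name copies the principal under the flags it receives (KG_INIT_NAME_INTERN from inq_cred.c); a one-line comment confirming that copy is made would make the ownership explicit, since a no-copy path would leave `*dst` pointing at freed memory. The `pEntry` pointer exists only to record whether `entry` was filled; an `int have_entry = 0;` flag alongside `end_seq` follows the pattern already used for the cursor and avoids the Hungarian-style name. The Allman braces (`if (code != 0)` with `{` on the next line) and the extra blank line added after the closing `}` differ from the `if (...) {` style in the rest of the file. Finally, "first entry" is whatever krb5_kt_next_entry enumerates first, which need not be the only principal in the keytab; the description should say that this is a heuristic default rather than the name the acceptor is bound to.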