Subject: kdb5_ldap_stash_service_password() stash file logic needs tweaking
In kdb5_ldap_stash_service_password() there is a call to
profile_get_string() at line 127 which is:

profile_get_string (util_context->profile, KDB_MODULE_SECTION,
"ldap_service_password_file", NULL, &file_name);

The problem with this code is that if one has a [dbmodules] section in
krb5.conf but it doesn't contain an assignment for
ldap_service_password_file then file_name ends up being NULL and the
kdb5_ldap_util stashsrvpw command fails with a "Failed to open file"
error. The code at line 127 should be:

profile_get_string (util_context->profile, KDB_MODULE_SECTION,
^^^^^ this as the default value instead of NULL
I did a full review of LDAP service password file selection.

* When the KDC or kadmind connects to the LDAP server and needs a bind
password, it looks for the ldap_service_password_file variable in the
realm's dbmodules section or in [dbdefaults]. If the variable is not
found in either place, there is no default value, and the LDAP
connection fails.

* kdb5_ldap_util stashsrvpw does the following:

- it looks up the database_module variable in [realms] -> realm, and
in [dbdefaults] if no value is present in the realm subsection.

- if a database_module variable is found, it looks up the
ldap_service_password_file in the named subsection of [dbmodules], with
no error checking. If no value is present, the code tries to

- if no database_module variable is found, it uses a hardcoded
default of "usr/local/var/service_passwd". This default is not used by
the KDC or kadmind, and does not use the build prefix.

I think the libkdb_ldap logic is fine, but the kdb5_ldap_util logic is
seriously confused. We should make the following changes to be
consistent with libkdb_ldap:

* If database_module is not present in the realm subsection, the
default should be realm name (to be consistent with
kdb5.c:get_conf_section()). [dbdefaults] should not be consulted for
database_module, as kdb5.c does not do that.

* If ldap_service_password_file is not present in the chosen
[dbmodules] subsection, the command should fail rather than using a
hardcoded default.
I didn't get those changes quite right.

If kdb5_util does not find ldap_service_password_file in the realm's
dbmodules section, it should try in [dbdefaults] before failing out.
(So, it should not be looking in [dbdefaults] for database_module, but it
should be looking there for ldap_service_password_file.)
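The lookup order the thread settles on (database_module from the realm subsection only, defaulting to the realm name; then ldap_service_password_file from that [dbmodules] subsection, then [dbdefaults]; otherwise an error rather than a NULL or hardcoded path), modelled in Python as an added example. This is not krb5 code, and the krb5.conf fragment is constructed for illustration.

```python
"""Model of the corrected kdb5_ldap_util stashsrvpw lookup for the
LDAP service password file.  Added example, not part of krb5."""
import re

# Constructed krb5.conf fragment: EXAMPLE.COM names a dbmodules entry
# that has no ldap_service_password_file, so the value must come from
# [dbdefaults].  OTHER.ORG has no database_module at all.
SAMPLE_KRB5_CONF = """
[realms]
    EXAMPLE.COM = {
        database_module = ldap
    }
    OTHER.ORG = {
    }
[dbmodules]
    ldap = {
        db_library = kldap
    }
[dbdefaults]
    ldap_service_password_file = /var/lib/krb5kdc/service.keyfile
"""

def parse_krb5_conf(text):
    """Parse the krb5.conf subset used here into nested dicts."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:                      # new top-level section
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if line == '}':            # close a nested subsection
            stack.pop()
            continue
        key, _, value = (p.strip() for p in line.partition('='))
        if value == '{':           # open a nested subsection
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf

def service_password_file(conf, realm):
    """Realm's database_module (default: the realm name, matching
    kdb5.c:get_conf_section(); [dbdefaults] is not consulted for it),
    then ldap_service_password_file from [dbmodules] -> module, then
    [dbdefaults].  A missing value is an error, never None."""
    module = conf.get('realms', {}).get(realm, {}).get('database_module', realm)
    path = conf.get('dbmodules', {}).get(module, {}).get('ldap_service_password_file')
    if path is None:
        path = conf.get('dbdefaults', {}).get('ldap_service_password_file')
    if path is None:
        raise KeyError('ldap_service_password_file not configured for ' + realm)
    return path
```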
Subject: git commit

Fix kdb5_ldap_util stashsrvpw password file logic

kdb5_ldap_util stashsrvpw has several inconsistencies with the
password file determination in libkdb_ldap, and could try to fopen() a
NULL filename in some cases. Factor out the determination of the
configured password file and make it consistent with libkdb_ldap.
DEF_SERVICE_PASSWD_FILE is no longer used after these changes, as it
is not respected by libkdb_ldap.

Reported by Will Fiveash.
Author: Greg Hudson <>
Commit: e2d7a66f48bcf3da846faf39d6433a122ae0be3c
Branch: master
.../kdb/ldap/ldap_util/kdb5_ldap_services.c | 74 +++++++++++++-------
.../kdb/ldap/ldap_util/kdb5_ldap_services.h | 2 -
2 files changed, 49 insertions(+), 27 deletions(-)