#define LIBDIR "%{LIBDIR}"
+/* For compatibility with MIT, {USERCONFIG} would be better */
+#define CLIENT_KEYTAB_DEFAULT "FILE:%{WINDOWS}\\krb5clientkt"
+
#endif /* RC_INVOKED */
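Review bot: The comment added above `CLIENT_KEYTAB_DEFAULT` reads ambiguously and does not say why a per-user location would be better. `%{WINDOWS}` is a machine-wide directory, so a client keytab placed there is kept from other local accounts only by its file ACL, whereas the Unix default added elsewhere in this commit is per-user (`%{euid}`). Presumably the intent is that the path was chosen to match MIT; if so I would reword it as `/* %{WINDOWS} is used for compatibility with MIT; a per-user path such as %{USERCONFIG} would keep client keys out of a shared directory */`.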
static krb5_error_code
-get_keytab(krb5_context context, krb5_keytab *keytab)
+get_system_keytab(krb5_context context, krb5_keytab *keytab)
{
krb5_error_code kret;
return (kret);
}
+static krb5_error_code
+get_client_keytab(krb5_context context,
+ krb5_const_principal principal,
+ krb5_keytab *keytab)
+{
+ krb5_error_code ret;
+ char *name = NULL;
+
+ ret = _krb5_kt_client_default_name(context, &name);
+ if (ret == 0)
+ ret = krb5_kt_resolve(context, name, keytab);
+ if (ret == 0 && principal) {
+ krb5_keytab_entry entry;
+
+ ret = krb5_kt_get_entry(context, *keytab, principal,
+ 0, 0, &entry);
+ if (ret == 0)
+ krb5_kt_free_entry(context, &entry);
+ }
+ krb5_xfree(name);
+
+ if (ret)
+ ret = get_system_keytab(context, keytab);
+
+ return ret;
+}
+
/*
* This function produces a cred with a MEMORY ccache containing a TGT
* acquired with a password.
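Review bot: get_client_keytab() leaks the client keytab handle on its fallback path. When krb5_kt_resolve() succeeds but krb5_kt_get_entry() does not find `principal`, `*keytab` still holds the open client keytab, and `get_system_keytab(context, keytab)` then overwrites it without a close. Adding `else krb5_kt_close(context, *keytab);` after `krb5_kt_free_entry(context, &entry);` releases it before the fallback. The fallback also runs for every non-zero `ret`, not only a missing entry, so an unreadable or malformed client keytab silently turns into use of the system keytab. A comment stating that this is intended, or limiting the fallback to the not-found case, would make the behaviour auditable.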
if (kret)
goto end;
}
- kret = get_keytab(context, &keytab);
+ kret = get_client_keytab(context, handle->principal, &keytab);
if (kret)
goto end;
ret = GSS_S_FAILURE;
- kret = get_keytab(context, &handle->keytab);
+ kret = get_system_keytab(context, &handle->keytab);
if (kret)
goto end;
}
return KRB5_KT_NOTFOUND;
}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_kt_client_default_name(krb5_context context, char **name)
+{
+ const char *tmp;
+
+ tmp = secure_getenv("KRB5_CLIENT_KTNAME");
+ if (tmp == NULL)
+ tmp = krb5_config_get_string(context, NULL,
+ "libdefaults",
+ "default_client_keytab_name", NULL);
+ if (tmp == NULL)
+ tmp = CLIENT_KEYTAB_DEFAULT;
+
+ return _krb5_expand_path_tokens(context, tmp, 1, name);
+}
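Review bot: _krb5_kt_client_default_name() is exported but has no header comment, so the lookup order and the ownership of `*name` are left for callers to infer. The visible caller releases the result with `krb5_xfree(name)`, which suggests the string is allocated by `_krb5_expand_path_tokens()`. I would add `/* Order: KRB5_CLIENT_KTNAME (via secure_getenv), then [libdefaults] default_client_keytab_name, then CLIENT_KEYTAB_DEFAULT; on success *name is allocated and the caller frees it. */` above the function. It is also worth noting there that the environment override is deliberately read through `secure_getenv()`, so a later edit does not replace it with plain `getenv()`.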
#define KEYTAB_DEFAULT "FILE:" SYSCONFDIR "/krb5.keytab"
#define KEYTAB_DEFAULT_MODIFY "FILE:" SYSCONFDIR "/krb5.keytab"
+#ifndef CLIENT_KEYTAB_DEFAULT
+#define CLIENT_KEYTAB_DEFAULT "FILE:" LOCALSTATEDIR "/user/%{euid}/client.keytab";
+#endif
#define MODULI_FILE SYSCONFDIR "/krb5.moduli"
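Review bot: The added `CLIENT_KEYTAB_DEFAULT` definition ends in a stray `;`, which becomes part of every expansion. It happens to compile in `tmp = CLIENT_KEYTAB_DEFAULT;` because only an empty statement follows, but it breaks any use inside an expression or string concatenation, unlike `KEYTAB_DEFAULT` directly above. The line should be `#define CLIENT_KEYTAB_DEFAULT "FILE:" LOCALSTATEDIR "/user/%{euid}/client.keytab"`. Nothing visible here checks who owns the `%{euid}` directory, so it is worth documenting that it must be owned by that uid and not writable by others.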
_krb5_crc_update
_krb5_get_krbtgt
_krb5_build_authenticator
+ _krb5_kt_client_default_name
; Shared with libkdc
_krb5_AES_SHA1_string_to_default_iterator
{ "date_format", krb5_config_string, NULL, 0 },
{ "default_as_etypes", krb5_config_string, NULL, 0 },
{ "default_ccache_name", krb5_config_string, NULL, 0 },
+ { "default_client_keytab_name", krb5_config_string, NULL, 0 },
{ "default_cc_name", krb5_config_string, NULL, 0 },
{ "default_cc_type", krb5_config_string, NULL, 0 },
{ "default_etypes", krb5_config_string, NULL, 0 },
_krb5_crc_update;
_krb5_get_krbtgt;
_krb5_build_authenticator;
+ _krb5_kt_client_default_name;
# Shared with libkdc
_krb5_AES_SHA1_string_to_default_iterator;