From: Ben Kaduk Date: Mon, 19 May 2014 20:23:45 +0000 (-0400) Subject: Do not default to host/ for client keytabs X-Git-Tag: krb5-1.13-alpha1~132 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6c4bd36bd000c8f5ab1b8dacd5d4101831fe576e;p=thirdparty%2Fkrb5.git Do not default to host/ for client keytabs When the normal (acceptor) keytab is being used to obtain initial credentials, it is reasonable to use the default hostbased service principal (host/fully.qualified.localhost.domain) when no client principal is given. This behavior is not very reasonable when the default client keytab is being used, as host/ credentials are not normally client credentials. Make kinit -i match up with the GSS-API behavior when client keytabs are in use, using the name of the first entry in the keytab when no name is explicitly given. ticket: 7892
---
diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
index d9033eca99..c442c5371b 100644
--- a/src/clients/kinit/kinit.c
+++ b/src/clients/kinit/kinit.c
@@ -25,6 +25,7 @@
 */
 #include "autoconf.h"
+#include
 #include "k5-platform.h" /* for asprintf */
 #include
 #include "extern.h"
@@ -470,6 +471,7 @@ k5_begin(opts, k5)
 int flags = opts->enterprise ? KRB5_PRINCIPAL_PARSE_ENTERPRISE : 0;
 krb5_ccache defcache = NULL;
 krb5_principal defcache_princ = NULL, princ;
+ krb5_keytab keytab;
 const char *deftype = NULL;
 char *defrealm, *name;
@@ -533,6 +535,21 @@ k5_begin(opts, k5)
 com_err(progname, code, _("while building principal"));
 goto cleanup;
 }
+ } else if (opts->action == INIT_KT && opts->use_client_keytab) {
+ /* Use the first entry from the client keytab. */
+ code = krb5_kt_client_default(k5->ctx, &keytab);
+ if (code) {
+ com_err(progname, code,
+ _("When resolving the default client keytab"));
+ goto cleanup;
+ }
+ code = k5_kt_get_principal(k5->ctx, keytab, &k5->me);
+ krb5_kt_close(k5->ctx, keytab);
+ if (code) {
+ com_err(progname, code,
+ _("When determining client principal name from keytab"));
+ goto cleanup;
+ }
 } else if (opts->action == INIT_KT) {
 /* Use the default host/service name. */
 code = krb5_sname_to_principal(k5->ctx, NULL, NULL, KRB5_NT_SRV_HST,
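Review bot: The new `INIT_KT && use_client_keytab` branch chooses the client identity implicitly from entry order in the keytab, and its one-line comment does not say so. When a keytab holds keys for more than one principal, the identity kinit authenticates as depends on how the file was written. I would expand the comment to `/* Use the first entry from the client keytab; with several principals in the keytab the result depends on entry order, so callers who care must name the principal explicitly. */`. The two new com_err strings start with "When", while the context line just above uses `_("while building principal")`; `_("while resolving the default client keytab")` and `_("while determining client principal name from keytab")` would keep the output consistent. The else-if chain and k5_begin both start and end outside the hunk, so it cannot be seen here whether the selected name is reported to the user later.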