From patchwork Fri Jan  7 14:11:45 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jeff Layton <jlayton@samba.org>
X-Patchwork-Id: 464031
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by demeter1.kernel.org (8.14.4/8.14.3) with ESMTP id p07ECHTC020473
	for <patchwork-linux-cifs@patchwork.kernel.org>;
	Fri, 7 Jan 2011 14:12:19 GMT
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752644Ab1AGOMB (ORCPT
	<rfc822;patchwork-linux-cifs@patchwork.kernel.org>);
	Fri, 7 Jan 2011 09:12:01 -0500
Received: from mail-vw0-f46.google.com ([209.85.212.46]:41933 "EHLO
	mail-vw0-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1753530Ab1AGOMA (ORCPT
	<rfc822; linux-cifs@vger.kernel.org>); Fri, 7 Jan 2011 09:12:00 -0500
Received: by mail-vw0-f46.google.com with SMTP id 16so7137210vws.19
	for <linux-cifs@vger.kernel.org>;
	Fri, 07 Jan 2011 06:12:00 -0800 (PST)
Received: by 10.220.178.4 with SMTP id bk4mr5403862vcb.181.1294409520094;
	Fri, 07 Jan 2011 06:12:00 -0800 (PST)
Received: from salusa.poochiereds.net (cpe-071-070-153-003.nc.res.rr.com
	[71.70.153.3])
	by mx.google.com with ESMTPS id e18sm9784812vbm.5.2011.01.07.06.11.57
	(version=SSLv3 cipher=RC4-MD5);
	Fri, 07 Jan 2011 06:11:58 -0800 (PST)
From: Jeff Layton <jlayton@samba.org>
To: linux-cifs@vger.kernel.org
Cc: niallain@gmail.com
Subject: [PATCH 5/5] cifs.upcall: add keytab support for unattended mounts
Date: Fri,  7 Jan 2011 09:11:45 -0500
Message-Id: <1294409505-2999-6-git-send-email-jlayton@samba.org>
X-Mailer: git-send-email 1.7.3.4
In-Reply-To: <1294409505-2999-1-git-send-email-jlayton@samba.org>
References: <1294409505-2999-1-git-send-email-jlayton@samba.org>
Sender: linux-cifs-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-cifs.vger.kernel.org>
X-Mailing-List: linux-cifs@vger.kernel.org
X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by
	milter-greylist-4.2.6 (demeter1.kernel.org [140.211.167.41]);
	Fri, 07 Jan 2011 14:12:19 +0000 (UTC)


diff --git a/cifs.upcall.c b/cifs.upcall.c
index 3dbcd6e..479517c 100644
--- a/cifs.upcall.c
+++ b/cifs.upcall.c
@@ -54,6 +54,7 @@
 
 #define	CIFS_DEFAULT_KRB5_DIR		"/tmp"
 #define	CIFS_DEFAULT_KRB5_PREFIX	"krb5cc_"
+#define CIFS_DEFAULT_KRB5_KEYTAB	"/etc/krb5.keytab"
 
 #define	MAX_CCNAME_LEN			PATH_MAX + 5
 
@@ -185,6 +186,78 @@ static int krb5cc_filter(const struct dirent *dirent)
 		return 0;
 }
 
+static char *
+init_cc_from_keytab(const char *keytab_name, const char *user)
+{
+	krb5_context context = NULL;
+	krb5_error_code ret;
+	krb5_creds my_creds;
+	krb5_keytab keytab = NULL;
+	krb5_principal me = NULL;
+	krb5_ccache cc = NULL;
+	char *ccname = NULL;
+
+	memset((char *) &my_creds, 0, sizeof(my_creds));
+
+	ret = krb5_init_context(&context);
+	if (ret) {
+		syslog(LOG_DEBUG, "krb5_init_context: %d", (int)ret);
+		goto icfk_cleanup;
+	}
+
+	ret = krb5_kt_resolve(context, keytab_name, &keytab);
+	if (ret) {
+		syslog(LOG_DEBUG, "krb5_kt_resolve: %d", (int)ret);
+		goto icfk_cleanup;
+	}
+
+	ret = krb5_parse_name(context, user, &me);
+	if (ret) {
+		syslog(LOG_DEBUG, "krb5_parse_name: %d", (int)ret);
+		goto icfk_cleanup;
+	}
+
+	ret = krb5_get_init_creds_keytab(context, &my_creds, me,
+			keytab, 0, NULL, NULL);
+	if (ret) {
+		syslog(LOG_DEBUG, "krb5_get_init_creds_keytab: %d", (int)ret);
+		goto icfk_cleanup;
+	}
+
+	ret = krb5_cc_default(context, &cc);
+	if (ret) {
+		syslog(LOG_DEBUG, "krb5_cc_default: %d", (int)ret);
+		goto icfk_cleanup;
+	}
+
+	ret = krb5_cc_initialize(context, cc, me);
+	if (ret) {
+		syslog(LOG_DEBUG, "krb5_cc_initialize: %d", (int)ret);
+		goto icfk_cleanup;
+	}
+
+	ret = krb5_cc_store_cred(context, cc, &my_creds);
+	if (ret)
+		syslog(LOG_DEBUG, "krb5_cc_store_cred: %d", (int)ret);
+
+	ccname = strdup(krb5_cc_default_name(context));
+	if (ccname == NULL)
+		syslog(LOG_ERR, "Unable to allocate memory");
+icfk_cleanup:
+	my_creds.client = 0;
+	krb5_free_cred_contents(context, &my_creds);
+
+	if (me)
+		krb5_free_principal(context, me);
+	if (cc)
+		krb5_cc_close(context, cc);
+	if (keytab)
+		krb5_kt_close(context, keytab);
+	if (context)
+		krb5_free_context(context);
+	return ccname;
+}
+
 /* search for a credcache that looks like a likely candidate */
 static char *find_krb5_cc(const char *dirname, uid_t uid)
 {
@@ -702,6 +775,7 @@ int main(const int argc, char *const argv[])
 	struct decoded_args arg;
 	const char *oid;
 	uid_t uid;
+	char *keytab_name = CIFS_DEFAULT_KRB5_KEYTAB;
 
 	hostbuf[0] = '\0';
 	memset(&arg, 0, sizeof(arg));
@@ -793,6 +867,10 @@ int main(const int argc, char *const argv[])
 	}
 	ccname = find_krb5_cc(CIFS_DEFAULT_KRB5_DIR, uid);
 
+	/* Couldn't find credcache? Try to use keytab */
+	if (ccname == NULL && arg.username != NULL)
+		ccname = init_cc_from_keytab(keytab_name, arg.username);
+
 	host = arg.hostname;
 
 	// do mech specific authorization