Catching more principals in ads_keytab_verify_ticket()
Michael Brown
mbrown at fensystems.co.uk
Sat Mar 12 10:09:04 GMT 2005
On Fri, 11 Mar 2005, Jeremy Allison wrote:
> > Just a reminder.
> > This patch works in conjunction with Michael Brown's patch to
> > kerberos_verify.c.
> > If you don't want to use that patch, then essentially the same thing
> > needs to be done in kerberos_verify.c for these names to be matched and
> > used there.
>
> Yes, but I can't use his patch as-is due to the memory leak of not freeing
> the keytab entry after reading.
>
> This is why I *hate* kerberos. No one ever writes working kerberos code. Ever.
> Not even me - I bet even when I've fixed it there's another problem somewhere... :-).
Are you sure it needs to be freed? I was basing it on the keytab
iteration code in MIT's klist.c, which does:

    while ((code = krb5_kt_next_entry(kcontext, kt, &entry, &cursor)) == 0) {
        if ((code = krb5_unparse_name(kcontext, entry.principal, &pname))) {
            com_err(progname, code, "while unparsing principal name");
            exit(1);
        }
        ... several printf statements ...
        krb5_free_unparsed_name(kcontext, pname);
    }

I added code to always free the unparsed name, even if the loop aborts
(since we don't just exit() in kerberos_verify.c). From looking at
kinit.c, I assumed that krb5_kt_next_entry() returned a pointer to a
static structure in entry, in which case freeing it would be a bad idea.
Heimdal may be different, of course; I don't know.
Michael
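
The ownership question in this message, modelled as an added example that is not part of the original post and does not call libkrb5: every toy_* name and the sample principals are constructed. It counts the heap blocks left outstanding when a keytab-style iterator hands out heap-owned entry contents and the scan stops early on a match, assuming (hypothetically) that the iterator allocates on each call.

```c
/* Toy model, NOT libkrb5: every toy_* name and principal is constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int live_allocs;  /* heap blocks currently outstanding */

static char *xstrdup(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (!p) abort();
    live_allocs++;
    return strcpy(p, s);
}
static void xfree(char *p) { if (p) { free(p); live_allocs--; } }

struct toy_entry { char *principal; };  /* contents owned by the caller */
static const char *const toy_keytab[] = {
    "host/server.example.com@EXAMPLE.COM",
    "cifs/server.example.com@EXAMPLE.COM",
    "SERVER$@EXAMPLE.COM",
};
#define TOY_N (sizeof toy_keytab / sizeof toy_keytab[0])

/* Iterator that allocates fresh entry contents on every call. */
static int toy_next_entry(struct toy_entry *e, size_t *cursor) {
    if (*cursor >= TOY_N) return -1;
    e->principal = xstrdup(toy_keytab[(*cursor)++]);
    return 0;
}

/* Scan for `want`, stopping at the first match; returns blocks left allocated. */
int scan_leaks(const char *want, int free_entry) {
    struct toy_entry e;
    size_t cursor = 0;
    int found = 0;
    live_allocs = 0;
    while (!found && toy_next_entry(&e, &cursor) == 0) {
        char *pname = xstrdup(e.principal);  /* stands in for the unparsed name */
        found = strcmp(pname, want) == 0;
        xfree(pname);                        /* released on every path out of the loop */
        if (free_entry) xfree(e.principal);  /* release the entry contents as well */
    }
    return live_allocs;
}

int main(void) {
    printf("entry not freed: %d leaked\n", scan_leaks("cifs/server.example.com@EXAMPLE.COM", 0));
    printf("entry freed:     %d leaked\n", scan_leaks("cifs/server.example.com@EXAMPLE.COM", 1));
    return 0;
}
```

For the real libraries, running the actual loop under a leak checker against a test keytab answers the same question.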