question about krb5_verify_init_creds() and verify_ap_req_nofail

Will Fiveash will.fiveash at oracle.com
Tue Jan 11 15:52:49 EST 2011


On Tue, Jan 11, 2011 at 01:05:18PM -0500, Greg Hudson wrote:
> On Mon, 2011-01-10 at 18:31 -0500, Will Fiveash wrote:
> > What
> > confuses me is that the MIT code (and Solaris to a lesser degree) does a
> > number of things that could cause krb5_verify_init_creds() to return an
> > error before checking the setting of KRB5_CONF_VERIFY_AP_REQ_NOFAIL and
> > I'm wondering if this is correct.  Basically shouldn't
> > verify_ap_req_nofail be checked first and if it is false just return 0?
> 
> I believe the code matches the intent, which is:
> 
>   By default, succeed if and only if:
>     - No keying material is available
>     - A key is available and verification using that key succeeds
>   If verify_ap_req_nofail is set, succeed if and only if:
>     - A key is available and verification using that key succeeds
> 
> So, only the specific failure of "no keying material is available"
> should consult the value of verify_ap_req_nofail.

But if a default keytab does not exist then:

    if (keytab_arg) {
        keytab = keytab_arg;
    } else {
        if ((ret = krb5_kt_default(context, &keytab)))
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
            goto cleanup;
    }

will goto cleanup and cause an error to be returned.  If
verify_ap_req_nofail is not set, why should the lack of a keytab cause
krb5_verify_init_creds() to return an error?

-- 
Will Fiveash
Oracle
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet, text based e-mail app <http://www.mutt.org/>
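To make the two positions in the thread concrete, here is an added C model (not MIT krb5 or Solaris code; all names and result codes are constructed for illustration). verify_policy() implements the intent Greg Hudson states, treating a missing default keytab as "no keying material", so verify_ap_req_nofail is the only thing that turns that case into an error. verify_as_coded() mirrors the quoted code path, where a failed krb5_kt_default() goes to cleanup and returns an error before the flag is consulted. Running both over every key state shows exactly where the two differ.

```c
#include <stdio.h>

/* Outcome of looking for keying material (constructed states for this example). */
typedef enum {
    KEY_NO_KEYTAB,      /* default keytab does not exist (krb5_kt_default fails) */
    KEY_KEYTAB_NO_KEY,  /* keytab exists but holds no usable entry */
    KEY_AVAILABLE       /* a usable key was found */
} key_state_t;

/* Result codes, constructed for this example (not libkrb5 error codes). */
#define VERIFY_OK             0
#define VERIFY_ERR_NO_KEY     1  /* no keying material and nofail is set */
#define VERIFY_ERR_BAD_CREDS  2  /* key available but AP-REQ verification failed */
#define VERIFY_ERR_KT_DEFAULT 3  /* krb5_kt_default() failed, returned unconditionally */

/*
 * verify_policy: the intent as stated in the thread.
 *   nofail == 0 : succeed iff no keying material is available, or a key is
 *                 available and verification with it succeeds.
 *   nofail != 0 : succeed iff a key is available and verification succeeds.
 * ap_req_verified is the simulated result of verifying the AP-REQ with the
 * key; it is only consulted when a key is actually available.
 */
int verify_policy(key_state_t key, int ap_req_verified, int nofail)
{
    if (key == KEY_AVAILABLE)
        return ap_req_verified ? VERIFY_OK : VERIFY_ERR_BAD_CREDS;

    /* Both "no keytab" and "keytab without a key" are "no keying material";
     * only here does verify_ap_req_nofail decide the outcome. */
    return nofail ? VERIFY_ERR_NO_KEY : VERIFY_OK;
}

/*
 * verify_as_coded: mirrors the quoted snippet, where a krb5_kt_default()
 * failure jumps to cleanup and returns an error before the flag is checked.
 * Every other state follows verify_policy().
 */
int verify_as_coded(key_state_t key, int ap_req_verified, int nofail)
{
    if (key == KEY_NO_KEYTAB)
        return VERIFY_ERR_KT_DEFAULT;   /* flag never consulted */
    return verify_policy(key, ap_req_verified, nofail);
}

/* Returns 1 if the two behaviours disagree for the given inputs. */
int policy_differs(key_state_t key, int ap_req_verified, int nofail)
{
    return verify_policy(key, ap_req_verified, nofail) !=
           verify_as_coded(key, ap_req_verified, nofail);
}

int main(void)
{
    static const char *names[] = { "no keytab", "keytab, no key", "key available" };
    int key, ok, nofail;

    printf("%-16s %-9s %-7s %-7s %-9s\n",
           "key state", "verified", "nofail", "policy", "as coded");
    for (key = KEY_NO_KEYTAB; key <= KEY_AVAILABLE; key++)
        for (ok = 0; ok <= 1; ok++)
            for (nofail = 0; nofail <= 1; nofail++)
                printf("%-16s %-9d %-7d %-7d %-9d%s\n", names[key], ok, nofail,
                       verify_policy((key_state_t)key, ok, nofail),
                       verify_as_coded((key_state_t)key, ok, nofail),
                       policy_differs((key_state_t)key, ok, nofail) ? "  <- differs" : "");
    return 0;
}
```

The only rows that differ are the "no keytab" rows with nofail unset: the stated policy succeeds there, the coded path returns an error. With nofail set both reject, so the flag's hardening effect is the same either way; the question in the thread is purely about the permissive default.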