From 8e5bd0be20055cf54041caf81a0d82dbd91902d5 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Nov 28 2017 13:55:48 +0000
Subject: krb5: show error message for krb5_init_context() failures

If there are typos in /etc/krb5.conf (or one of the included config snippets) krb5_init_context(), the initial call always needed to do any other operation with libkrb5, fails because /etc/krb5.conf cannot be parsed. Currently the related debug/syslog messages might be misleading, e.g. failed to read keytab. This is because SSSD does not use a global krb5 context but creates a fresh one for every new request or operation (to always use the latest settings from /etc/krb5.conf) and typically there is an error message indicating that the related operation failed but not giving more details. Since krb5_init_context() is fundamental for Kerberos support this patch tries to add as much details as libkrb5 provides in the logs if the call fails.

Resolves: https://pagure.io/SSSD/sssd/issue/3586

Reviewed-by: Lukáš Slebodník
Reviewed-by: Robbie Harwood
(cherry picked from commit 2c10819750a8d920ab755eba1278e6e20e684e93)
(cherry picked from commit dbe54141c36006809cc5fcf9ad729405c0a9292c)
---
diff --git a/src/providers/krb5/krb5_ccache.c b/src/providers/krb5/krb5_ccache.c
index f9bb25e..2e28276 100644
--- a/src/providers/krb5/krb5_ccache.c
+++ b/src/providers/krb5/krb5_ccache.c
@@ -299,7 +299,7 @@ static errno_t sss_open_ccache_as_user(TALLOC_CTX *mem_ctx,
 goto done;
 }
 
- kerr = krb5_init_context(&cc->context);
+ kerr = sss_krb5_init_context(&cc->context);
 if (kerr) {
 ret = EIO;
 goto done;
@@ -565,9 +565,9 @@ errno_t get_ccache_file_data(const char *ccache_file, const char *client_name,
 const char *realm_name;
 int realm_length;
 
- kerr = krb5_init_context(&ctx);
+ kerr = sss_krb5_init_context(&ctx);
 if (kerr != 0) {
- DEBUG(SSSDBG_CRIT_FAILURE, "krb5_init_context failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_krb5_init_context failed.\n");
 goto done;
 }
 
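Review bot: The DEBUG line kept after the new call in get_ccache_file_data now duplicates what sss_krb5_init_context() itself logs at SSSDBG_FATAL_FAILURE, so one unparsable krb5.conf yields two debug records for the same failure, the outer one carrying no detail. Either drop the caller-side message or make it add what the wrapper cannot know, e.g. `DEBUG(SSSDBG_CRIT_FAILURE, "Cannot read ccache [%s]: kerberos context init failed.\n", ccache_file);`. The same caller-side message survives in the ldap_child.c, ldap_common.c, select_principal_from_keytab and sss_krb5_realm_has_proxy hunks. In the sss_open_ccache_as_user hunk the kerr-to-EIO mapping without a local message is now adequate, since the wrapper logs the libkrb5 text. Both functions continue outside their hunks.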
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index 1b2aabe..c949db0 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -103,7 +103,7 @@ static errno_t sss_get_system_ccname_template(TALLOC_CTX *mem_ctx,
 
 *ccname = NULL;
 
- ret = krb5_init_context(&ctx);
+ ret = sss_krb5_init_context(&ctx);
 if (ret) return ret;
 
 ret = krb5_get_profile(ctx, &p);
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index 957f302..869679d 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -581,7 +581,7 @@ static krb5_error_code privileged_krb5_setup(struct input_buffer *ibuf)
 krb5_error_code kerr;
 char *keytab_name;
 
- kerr = krb5_init_context(&ibuf->context);
+ kerr = sss_krb5_init_context(&ibuf->context);
 if (kerr != 0) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Failed to init kerberos context\n");
 return kerr;
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index df4d52b..e76cd86 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -368,7 +368,7 @@ sdap_gssapi_get_default_realm(TALLOC_CTX *mem_ctx)
 krb5_error_code krberr;
 krb5_context context = NULL;
 
- krberr = krb5_init_context(&context);
+ krberr = sss_krb5_init_context(&context);
 if (krberr) {
 DEBUG(SSSDBG_OP_FAILURE, "Failed to init kerberos context\n");
 goto done;
diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
index 0b57925..8224fc1 100644
--- a/src/util/sss_krb5.c
+++ b/src/util/sss_krb5.c
@@ -111,7 +111,7 @@ errno_t select_principal_from_keytab(TALLOC_CTX *mem_ctx,
 return ENOMEM;
 }
 
- kerr = krb5_init_context(&krb_ctx);
+ kerr = sss_krb5_init_context(&krb_ctx);
 if (kerr) {
 DEBUG(SSSDBG_OP_FAILURE, "Failed to init kerberos context\n");
 ret = EFAULT;
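Review bot: In sss_get_system_ccname_template the line after the new call, `if (ret) return ret;`, hands the krb5_error_code from sss_krb5_init_context() out of a function declared errno_t, so a caller that treats the value as an errno (strerror, comparison against ENOMEM or EIO) gets a meaningless code; this predates the commit, but the new line is now the only source of that value. If `ret` is declared errno_t (its declaration is above the hunk), convert at the boundary, e.g. `if (sss_krb5_init_context(&ctx) != 0) return EIO;`, which loses nothing since the wrapper already logs the libkrb5 detail. The other hunks in this chunk keep the krb5 code in a krb5_error_code variable or map it to an errno (EFAULT) themselves, so they do not have this problem. The function continues outside the hunk.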
@@ -1094,9 +1094,9 @@ bool sss_krb5_realm_has_proxy(const char *realm)
 return false;
 }
 
- kerr = krb5_init_context(&context);
+ kerr = sss_krb5_init_context(&context);
 if (kerr != 0) {
- DEBUG(SSSDBG_OP_FAILURE, "krb5_init_context failed.\n");
+ DEBUG(SSSDBG_OP_FAILURE, "sss_krb5_init_context failed.\n");
 return false;
 }
 
@@ -1135,3 +1135,22 @@ done:
 return res;
 }
 
+
+krb5_error_code sss_krb5_init_context(krb5_context *context)
+{
+ krb5_error_code kerr;
+ const char *msg;
+
+ kerr = krb5_init_context(context);
+ if (kerr != 0) {
+ /* It is safe to call (sss_)krb5_get_error_message() with NULL as first
+ * argument. */
+ msg = sss_krb5_get_error_message(NULL, kerr);
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Failed to init kerberos context [%s]\n", msg);
+ sss_log(SSS_LOG_CRIT, "Failed to init kerberos context [%s]\n", msg);
+ sss_krb5_free_error_message(NULL, msg);
+ }
+
+ return kerr;
+}
diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h
index ac0f608..d67af91 100644
--- a/src/util/sss_krb5.h
+++ b/src/util/sss_krb5.h
@@ -186,4 +186,7 @@ krb5_error_code sss_krb5_kt_have_content(krb5_context context,
 krb5_keytab keytab);
 bool sss_krb5_realm_has_proxy(const char *realm);
 
+
+krb5_error_code sss_krb5_init_context(krb5_context *context);
+
 #endif /* __SSS_KRB5_H__ */
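Review bot: sss_krb5_init_context() passes `msg` straight to `%s` in both the DEBUG and the sss_log call without checking it; whether sss_krb5_get_error_message() can return NULL (for instance under memory pressure, or with one libkrb5 variant) depends on the wrapper and on the library, neither visible here, and a NULL `%s` is undefined behaviour in exactly the path meant to make failures diagnosable. A guard of the form `if (msg == NULL) msg = "unknown error";` would close that, provided the pointer returned by sss_krb5_get_error_message() is kept in its own variable so sss_krb5_free_error_message() still receives that pointer and never the fallback literal. Per the commit message a fresh context is created for every request, so while /etc/krb5.conf stays unparsable this emits one SSS_LOG_CRIT syslog record per request; it is worth deciding explicitly whether that volume is intended or whether the syslog line, unlike the DEBUG one, should be emitted only once per failing configuration. The declaration added to sss_krb5.h carries no comment; `/* krb5_init_context() wrapper: on failure logs the libkrb5 error text at FATAL (debug) and CRIT (syslog) and returns the unchanged krb5_error_code. */` above it would tell callers they no longer need a message of their own.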