From d50b0d2dbc3dcdf9e8ec4db73a2ffd2e612d224a Mon Sep 17 00:00:00 2001
From: Paymon MARANDI
Date: Fri, 27 Mar 2026 11:24:07 -0400
Subject: [PATCH] krb5: make sure keytab is a FILE before checking for access KCM: and API: are other cases besides MEMORY:
Resolves: https://github.com/SSSD/sssd/issues/8555
Signed-off-by: Paymon MARANDI
---
 src/providers/krb5/krb5_keytab.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/src/providers/krb5/krb5_keytab.c b/src/providers/krb5/krb5_keytab.c
index f9e5687be3..6cc755040e 100644
--- a/src/providers/krb5/krb5_keytab.c
+++ b/src/providers/krb5/krb5_keytab.c
@@ -157,16 +157,17 @@ krb5_error_code copy_keytab_into_memory(TALLOC_CTX *mem_ctx, krb5_context kctx,
 }
 kerr = 0;
 goto done;
- }
-
- if (faccessat(AT_FDCWD, sep+1, R_OK, AT_EACCESS) != 0) {
- saved_errno = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- "keytab [%s] is not readable: [%d][%s].\n",
- keytab_file, saved_errno, sss_strerror(saved_errno));
+ } else if ((strncmp(keytab_name, "DIR:", sizeof("DIR:") -1) == 0) ||
+ (strncmp(keytab_name, "FILE:", sizeof("FILE:") -1) == 0)) {
+ if (faccessat(AT_FDCWD, sep + 1, R_OK, AT_EACCESS) != 0) {
+ saved_errno = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "keytab [%s] is not readable: [%d][%s].\n",
+ keytab_file, saved_errno, sss_strerror(saved_errno));
- kerr = KRB5KRB_ERR_GENERIC;
- goto done;
+ kerr = KRB5KRB_ERR_GENERIC;
+ goto done;
+ }
 }
 kerr = sss_krb5_kt_have_content(kctx, keytab);
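Review bot: The new allow-list in the `else if` tests for a `DIR:` prefix, which to my knowledge is a credential-cache type rather than a keytab type in MIT Kerberos, so that half of the condition looks unreachable for a resolved keytab name, and if it ever matched, `faccessat(..., R_OK, ...)` would be probing a directory rather than the key file. If only file-backed keytabs are meant, `} else if (strncmp(keytab_name, "FILE:", sizeof("FILE:") - 1) == 0) {` says so directly; otherwise a comment naming the library that produces `DIR:` keytab names would help. Since every other type now skips the readability pre-check silently, a low-level trace in an `else` branch, for example `DEBUG(SSSDBG_TRACE_FUNC, "Skipping access check for keytab [%s].\n", keytab_name);`, would keep unreadable-keytab failures diagnosable. The pre-check is advisory only, as the keytab is presumably opened later via `sss_krb5_kt_have_content`, and the body of copy_keytab_into_memory starts and ends outside this hunk.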