|
1 # |
|
2 # Make MIT Kerberos use Solaris RPC and RPCSEC_GSS instead of libgssrpc. |
|
3 # |
|
4 # MIT Kerberos bundles the RPC and RPCSEC_GSS implementation with the |
|
5 # source in separate libgssrpc library. The RPC implementation is based on |
|
6 # an ancient SUN donated code. It is inferior to the RPC implementation in |
|
7 # Solaris libc in features and possibly in performance too. Also introducing |
|
8 # a duplicate implementation would not be wise. |
|
9 # |
|
10 # The patch modifies MIT code to use the standard RPC and RPCSEC_GSS in Solaris. |
|
11 # |
|
12 # Specifically: |
|
13 # - it modifies the Makefiles not to build libgssrpc and not to link with it |
|
14 # - related to above, it strips libgssrpc from krb5-config |
|
15 # - moves xdr_alloc.c out of libgssrpc and fixes it for 64-bit |
|
16 # - includes correct headers - rpc/rpc.h instead of gssrpc/rpc.h |
|
17 # - modifies net-server code to support TI-RPC (transport independent, XTI) |
|
18 # - implements the kadmin protocol and incremental propagation using Solaris RPCSEC_GSS |

19 # - reverts the MIT modifications to iprop that were needed for RPC differences |

20 # - server-side support for the RPCSEC_GSS-based changepw protocol |
|
21 # - recognize sunw_dbprop_* config options for backward compatibility |
|
22 # - defines several functions to locate servers (admin, cpw, kiprop,...) |
|
23 # - updates generated dependencies for kadm_host_srv_names.so to build |
|
24 # - defines xdr_u_int32 and xdr_int32 |
|
25 # |
|
26 # This patch is Solaris specific and is not intended for upstream contribution. |
|
27 # In the future MIT might provide support for system native RPC implementation. |
|
28 # Patch source: in-house |
|
29 # |
|
30 diff -pur old/src/build-tools/krb5-config.in new/src/build-tools/krb5-config.in |
|
31 --- old/src/build-tools/krb5-config.in |
|
32 +++ new/src/build-tools/krb5-config.in |
|
33 @@ -97,9 +97,6 @@ while test $# != 0; do |
|
34 gssapi) |
|
35 library=gssapi |
|
36 ;; |
|
37 - gssrpc) |
|
38 - library=gssrpc |
|
39 - ;; |
|
40 kadm-client) |
|
41 library=kadm_client |
|
42 ;; |
|
43 @@ -142,7 +139,6 @@ if test -n "$do_help"; then |
|
44 echo "Libraries:" |
|
45 echo " krb5 Kerberos 5 application" |
|
46 echo " gssapi GSSAPI application with Kerberos 5 bindings" |
|
47 - echo " gssrpc GSSAPI RPC application" |
|
48 echo " kadm-client Kadmin client" |
|
49 echo " kadm-server Kadmin server" |
|
50 echo " kdb Application that accesses the kerberos database" |
|
51 @@ -232,17 +228,10 @@ if test -n "$do_libs"; then |
|
52 |
|
53 if test $library = 'kadm_server'; then |
|
54 lib_flags="$lib_flags -lkadm5srv_mit -lkdb5 $KDB5_DB_LIB" |
|
55 - library=gssrpc |
|
56 fi |
|
57 |
|
58 if test $library = 'kadm_client'; then |
|
59 lib_flags="$lib_flags -lkadm5clnt_mit" |
|
60 - library=gssrpc |
|
61 - fi |
|
62 - |
|
63 - if test $library = 'gssrpc'; then |
|
64 - lib_flags="$lib_flags -lgssrpc" |
|
65 - library=gssapi |
|
66 fi |
|
67 |
|
68 if test $library = 'gssapi'; then |
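Review bot: Deleting the two `library=gssrpc` assignments instead of rewriting them breaks the fall-through that used to end in the gssapi block: after this hunk `$library` is still `kadm_server` or `kadm_client` when `if test $library = 'gssapi'` is evaluated, so `krb5-config --libs kadm-server` and `--libs kadm-client` no longer emit the GSSAPI library (nor whatever the gssapi branch chains to further down, which is outside this hunk). Replace each deleted line with `library=gssapi` so the chain is preserved without libgssrpc. The enclosing `if test -n "$do_libs"` body continues past the end of the hunk.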
|
69 diff -pur old/src/config/pre.in new/src/config/pre.in |
|
70 --- old/src/config/pre.in |
|
71 +++ new/src/config/pre.in |
|
72 @@ -317,7 +317,7 @@ KDB5_PLUGIN_LIBS = @KDB5_PLUGIN_LIBS@ |
|
73 KADMCLNT_DEPLIB = $(TOPLIBD)/libkadm5clnt_mit$(DEPLIBEXT) |
|
74 KADMSRV_DEPLIB = $(TOPLIBD)/libkadm5srv_mit$(DEPLIBEXT) |
|
75 KDB5_DEPLIB = $(TOPLIBD)/libkdb5$(DEPLIBEXT) |
|
76 -GSSRPC_DEPLIB = $(TOPLIBD)/libgssrpc$(DEPLIBEXT) |
|
77 +GSSRPC_DEPLIB = # empty |
|
78 GSS_DEPLIB = $(TOPLIBD)/libgssapi_krb5$(DEPLIBEXT) |
|
79 KRB5_DEPLIB = $(TOPLIBD)/libkrb5$(DEPLIBEXT) |
|
80 CRYPTO_DEPLIB = $(TOPLIBD)/libk5crypto$(DEPLIBEXT) |
|
81 @@ -398,7 +398,7 @@ KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_ |
|
82 KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS) |
|
83 GSS_LIBS = $(GSS_KRB5_LIB) |
|
84 # needs fixing if ever used on Mac OS X! |
|
85 -GSSRPC_LIBS = -lgssrpc $(GSS_LIBS) |
|
86 +GSSRPC_LIBS = $(GSS_LIBS) |
|
87 KADM_COMM_LIBS = $(GSSRPC_LIBS) |
|
88 # need fixing if ever used on Mac OS X! |
|
89 KADMSRV_LIBS = -lkadm5srv_mit $(HESIOD_LIBS) $(KDB5_LIBS) $(KADM_COMM_LIBS) |
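Review bot: `GSSRPC_LIBS` now carries only `$(GSS_LIBS)`, so nothing on the `KADM_COMM_LIBS`/`KADMSRV_LIBS` link lines names the library that supplies the TI-RPC and RPCSEC_GSS entry points the rest of the patch calls; if those live outside libc on the target Solaris release (historically libnsl), this is where to add it explicitly, e.g. `GSSRPC_LIBS = -lnsl $(GSS_LIBS)`, rather than relying on transitive linkage. The `# needs fixing if ever used on Mac OS X!` comment kept above the line appears to refer to the removed `-lgssrpc` and should be dropped or reworded now that the variable is Solaris-specific.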
|
90 diff -pur old/src/include/iprop.h new/src/include/iprop.h |
|
91 --- old/src/include/iprop.h |
|
92 +++ new/src/include/iprop.h |
|
93 @@ -6,8 +6,7 @@ |
|
94 #ifndef _IPROP_H_RPCGEN |
|
95 #define _IPROP_H_RPCGEN |
|
96 |
|
97 -#include <gssrpc/rpc.h> |
|
98 - |
|
99 +#include <rpc/rpc.h> |
|
100 |
|
101 #ifdef __cplusplus |
|
102 extern "C" { |
|
103 diff -pur old/src/include/k5-int.h new/src/include/k5-int.h |
|
104 --- old/src/include/k5-int.h |
|
105 +++ new/src/include/k5-int.h |
|
106 @@ -217,11 +217,14 @@ typedef unsigned char u_char; |
|
107 #define KRB5_CONF_HTTP_ANCHORS "http_anchors" |
|
108 #define KRB5_CONF_IGNORE_ACCEPTOR_HOSTNAME "ignore_acceptor_hostname" |
|
109 #define KRB5_CONF_IPROP_ENABLE "iprop_enable" |
|
110 +#define KRB5_CONF_SUNW_DBPROP_ENABLE "sunw_dbprop_enable" |
|
111 #define KRB5_CONF_IPROP_LOGFILE "iprop_logfile" |
|
112 #define KRB5_CONF_IPROP_MASTER_ULOGSIZE "iprop_master_ulogsize" |
|
113 +#define KRB5_CONF_SUNW_DBPROP_MASTER_ULOGSIZE "sunw_dbprop_master_ulogsize" |
|
114 #define KRB5_CONF_IPROP_PORT "iprop_port" |
|
115 #define KRB5_CONF_IPROP_RESYNC_TIMEOUT "iprop_resync_timeout" |
|
116 #define KRB5_CONF_IPROP_SLAVE_POLL "iprop_slave_poll" |
|
117 +#define KRB5_CONF_SUNW_DBPROP_SLAVE_POLL "sunw_dbprop_slave_poll" |
|
118 #define KRB5_CONF_K5LOGIN_AUTHORITATIVE "k5login_authoritative" |
|
119 #define KRB5_CONF_K5LOGIN_DIRECTORY "k5login_directory" |
|
120 #define KRB5_CONF_KADMIND_PORT "kadmind_port" |
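Review bot: The three new `KRB5_CONF_SUNW_DBPROP_*` macros are interleaved with the `iprop_*` keys without saying that they are legacy aliases, and nothing here records which key wins when both `iprop_enable` and `sunw_dbprop_enable` appear in the same stanza (the lookup code is not in this chunk). A one-line comment on each would help the next reader, e.g. `/* Solaris legacy alias for iprop_enable; accepted only for backward compatibility */`, plus a note on the precedence rule once it is settled.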
|
121 diff -pur old/src/kadmin/dbutil/kadm5_create.c new/src/kadmin/dbutil/kadm5_create.c |
|
122 --- old/src/kadmin/dbutil/kadm5_create.c |
|
123 +++ new/src/kadmin/dbutil/kadm5_create.c |
|
124 @@ -158,11 +158,20 @@ static int add_admin_princs(void *handle |
|
125 ADMIN_LIFETIME))) |
|
126 goto clean_and_exit; |
|
127 |
|
128 + if ((ret = add_admin_sname_princ(handle, context, |
|
129 + KADM5_CHANGEPW_HOST_SERVICE, realm, |
|
130 + KRB5_KDB_DISALLOW_TGT_BASED | KRB5_KDB_PWCHANGE_SERVICE, |
|
131 + ADMIN_LIFETIME))) |
|
132 + goto clean_and_exit; |
|
133 + |
|
134 +/* kadmin/admin unusable with Solaris rpcsec_gss */ |
|
135 +#if 0 |
|
136 if ((ret = add_admin_princ(handle, context, |
|
137 KADM5_ADMIN_SERVICE, realm, |
|
138 KRB5_KDB_DISALLOW_TGT_BASED, |
|
139 ADMIN_LIFETIME))) |
|
140 goto clean_and_exit; |
|
141 +#endif |
|
142 |
|
143 if ((ret = add_admin_princ(handle, context, |
|
144 KADM5_CHANGEPW_SERVICE, realm, |
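Review bot: Wrapping the kadmin/admin creation in `#if 0` with a one-line comment leaves dead code in a database-creation path rather than stating the policy; delete the block and record the reason next to the new call, e.g. `/* Solaris RPCSEC_GSS authenticates to host-based kadmin/<fqdn>; kadmin/admin is not created. */`. Note that realms created before this change still carry a keyed kadmin/admin entry that this code no longer manages, which is worth a sentence in the same comment. The new host-based changepw principal is created with `KRB5_KDB_DISALLOW_TGT_BASED | KRB5_KDB_PWCHANGE_SERVICE`, which matches what I would expect for a changepw acceptor, but `add_admin_sname_princ` is not in this chunk, so I cannot confirm it mirrors `add_admin_princ`'s key and policy handling. The enclosing `add_admin_princs` starts and ends outside the hunk.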
|
145 diff -pur old/src/kadmin/server/ipropd_svc.c new/src/kadmin/server/ipropd_svc.c |
|
146 --- old/src/kadmin/server/ipropd_svc.c |
|
147 +++ new/src/kadmin/server/ipropd_svc.c |
|
148 @@ -134,6 +134,8 @@ iprop_get_updates_1_svc(kdb_last_t *arg, |
|
149 kadm5_server_handle_t handle = global_server_handle; |
|
150 char *client_name = 0, *service_name = 0; |
|
151 char obuf[256] = {0}; |
|
152 + gss_name_t name = NULL; |
|
153 + OM_uint32 min_stat; |
|
154 |
|
155 /* default return code */ |
|
156 ret.ret = UPDATE_ERROR; |
|
157 @@ -172,8 +174,14 @@ iprop_get_updates_1_svc(kdb_last_t *arg, |
|
158 DPRINT("%s: clprinc=`%s'\n\tsvcprinc=`%s'\n", whoami, client_name, |
|
159 service_name); |
|
160 |
|
161 + if (!(name = rqst2name(rqstp))) { |
|
162 + krb5_klog_syslog(LOG_ERR, |
|
163 + _("%s: Couldn't obtain client's name"), |
|
164 + whoami); |
|
165 + goto out; |
|
166 + } |
|
167 if (!kadm5int_acl_check(handle->context, |
|
168 - rqst2name(rqstp), |
|
169 + name, |
|
170 ACL_IPROP, |
|
171 NULL, |
|
172 NULL)) { |
|
173 @@ -221,6 +229,8 @@ out: |
|
174 debprret(whoami, ret.ret, ret.lastentry.last_sno); |
|
175 free(client_name); |
|
176 free(service_name); |
|
177 + if (name) |
|
178 + gss_release_name(&min_stat, &name); |
|
179 return (&ret); |
|
180 } |
|
181 |
|
182 @@ -251,6 +261,18 @@ ipropx_resync(uint32_t vers, struct svc_ |
|
183 int pret, fret; |
|
184 FILE *p; |
|
185 kadm5_server_handle_t handle = global_server_handle; |
|
186 + /* |
|
187 + * The following two definitions are dead code in upstream krb5. |
|
188 + * |
|
189 + * OM_uint32 min_stat; |
|
190 + * gss_name_t name = NULL; |
|
191 + * |
|
192 + * They come from initial Sun donation of iprop. |
|
193 + * For Solaris specific RPC implementation we need them back. |
|
194 + * If upstream removes the dead code, hopefuly placing this comment |
|
195 + * in this place will result in an easy-to-debug patch error, |
|
196 + * rather then failure to compile. |
|
197 + */ |
|
198 OM_uint32 min_stat; |
|
199 gss_name_t name = NULL; |
|
200 char *client_name = NULL, *service_name = NULL; |
|
201 @@ -301,8 +323,14 @@ ipropx_resync(uint32_t vers, struct svc_ |
|
202 DPRINT("%s: clprinc=`%s'\n\tsvcprinc=`%s'\n", |
|
203 whoami, client_name, service_name); |
|
204 |
|
205 + if (!(name = rqst2name(rqstp))) { |
|
206 + krb5_klog_syslog(LOG_ERR, |
|
207 + _("%s: Couldn't obtain client's name"), |
|
208 + whoami); |
|
209 + goto out; |
|
210 + } |
|
211 if (!kadm5int_acl_check(handle->context, |
|
212 - rqst2name(rqstp), |
|
213 + name, |
|
214 ACL_IPROP, |
|
215 NULL, |
|
216 NULL)) { |
|
217 @@ -449,6 +477,7 @@ iprop_full_resync_ext_1_svc(uint32_t *ar |
|
218 return ipropx_resync(*argp, rqstp); |
|
219 } |
|
220 |
|
221 +#if 0 |
|
222 static int |
|
223 check_iprop_rpcsec_auth(struct svc_req *rqstp) |
|
224 { |
|
225 @@ -521,6 +550,7 @@ fail_name: |
|
226 gss_release_name(&min_stat, &name); |
|
227 return success; |
|
228 } |
|
229 +#endif |
|
230 |
|
231 void |
|
232 krb5_iprop_prog_1(struct svc_req *rqstp, |
|
233 @@ -534,6 +564,7 @@ krb5_iprop_prog_1(struct svc_req *rqstp, |
|
234 char *(*local)(/* union XXX *, struct svc_req * */); |
|
235 char *whoami = "krb5_iprop_prog_1"; |
|
236 |
|
237 +#if 0 |
|
238 if (!check_iprop_rpcsec_auth(rqstp)) { |
|
239 krb5_klog_syslog(LOG_ERR, _("authentication attempt failed: %s, RPC " |
|
240 "authentication flavor %d"), |
|
241 @@ -542,6 +573,7 @@ krb5_iprop_prog_1(struct svc_req *rqstp, |
|
242 svcerr_weakauth(transp); |
|
243 return; |
|
244 } |
|
245 +#endif |
|
246 |
|
247 switch (rqstp->rq_proc) { |
|
248 case NULLPROC: |
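Review bot: The authentication-flavor check at the top of `krb5_iprop_prog_1` is disabled with nothing put in its place, whereas the same patch gives `kadm_1` in kadm_rpc_svc.c an explicit `oa_flavor != RPCSEC_GSS` rejection; here every procedure now relies on its own later `rqst2name()` failing on a non-RPCSEC_GSS request, and `NULLPROC` is reachable with any flavor. Keep the logging and `svcerr_weakauth(transp); return;` lines that are now under `#if 0` and change only the condition to `if (rqstp->rq_cred.oa_flavor != RPCSEC_GSS) {`, dropping the `#if 0`/`#endif` pair. The disabled `check_iprop_rpcsec_auth` (previous hunk) also inspected a GSS name before returning, i.e. it validated which acceptor principal the client authenticated to; whether binding the kiprop names to `KRB5_IPROP_PROG` via `rpc_gss_set_svc_name` in ovsec_kadmd.c gives equivalent protection should be confirmed and stated in a comment rather than left implicit. `krb5_iprop_prog_1` continues past the end of the hunk.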
|
249 diff -pur old/src/kadmin/server/kadm_rpc_svc.c new/src/kadmin/server/kadm_rpc_svc.c |
|
250 --- old/src/kadmin/server/kadm_rpc_svc.c |
|
251 +++ new/src/kadmin/server/kadm_rpc_svc.c |
|
252 @@ -5,7 +5,7 @@ |
|
253 */ |
|
254 |
|
255 #include <k5-int.h> |
|
256 -#include <gssrpc/rpc.h> |
|
257 +#include <rpc/rpc.h> |
|
258 #include <gssapi/gssapi_krb5.h> /* for gss_nt_krb5_name */ |
|
259 #include <syslog.h> |
|
260 #include <kadm5/kadm_rpc.h> |
|
261 @@ -63,8 +63,7 @@ void kadm_1(rqstp, transp) |
|
262 bool_t (*xdr_argument)(), (*xdr_result)(); |
|
263 char *(*local)(); |
|
264 |
|
265 - if (rqstp->rq_cred.oa_flavor != AUTH_GSSAPI && |
|
266 - !check_rpcsec_auth(rqstp)) { |
|
267 + if (rqstp->rq_cred.oa_flavor != RPCSEC_GSS) { |
|
268 krb5_klog_syslog(LOG_ERR, "Authentication attempt failed: %s, " |
|
269 "RPC authentication flavor %d", |
|
270 client_addr(rqstp->rq_xprt), |
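Review bot: The new condition checks only the RPC flavor, while the removed `check_rpcsec_auth` call (now under `#if 0` in the next hunk) also inspected the GSS acceptor name before accepting a request; that verification is dropped here without a comment saying what replaces it. If the intent is that Solaris `rpc_gss_set_svc_name` binding the kadmin names to `KADM`/`KADMVERS` makes the name check redundant, say so on the line, e.g. `/* acceptor name is enforced by rpc_gss_set_svc_name(); only the flavor is checked here */`, so the weakening is deliberate rather than accidental. The `#if 0`-ed `check_rpcsec_auth` and `gss_to_krb5_name_1` definitions should be deleted rather than kept as dead code. The rest of the rejection branch and `kadm_1` itself lie outside the hunk.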
|
271 @@ -246,6 +245,8 @@ void kadm_1(rqstp, transp) |
|
272 return; |
|
273 } |
|
274 |
|
275 +#if 0 |
|
276 + |
|
277 static int |
|
278 check_rpcsec_auth(struct svc_req *rqstp) |
|
279 { |
|
280 @@ -337,3 +338,4 @@ gss_to_krb5_name_1(struct svc_req *rqstp |
|
281 free(str); |
|
282 return success; |
|
283 } |
|
284 +#endif |
|
285 diff -pur old/src/kadmin/server/ovsec_kadmd.c new/src/kadmin/server/ovsec_kadmd.c |
|
286 --- old/src/kadmin/server/ovsec_kadmd.c |
|
287 +++ new/src/kadmin/server/ovsec_kadmd.c |
|
288 @@ -45,10 +45,9 @@ |
|
289 #include <unistd.h> |
|
290 #include <netinet/in.h> |
|
291 #include <netdb.h> |
|
292 -#include <gssrpc/rpc.h> |
|
293 +#include <rpc/rpc.h> |
|
294 #include <gssapi/gssapi.h> |
|
295 #include "gssapiP_krb5.h" /* for kg_get_context */ |
|
296 -#include <gssrpc/auth_gssapi.h> |
|
297 #include <kadm5/admin.h> |
|
298 #include <kadm5/kadm_rpc.h> |
|
299 #include <kadm5/server_acl.h> |
|
300 @@ -57,6 +56,8 @@ |
|
301 #include <string.h> |
|
302 #include "kadm5/server_internal.h" /* XXX for kadm5_server_handle_t */ |
|
303 #include <kdb_log.h> |
|
304 +#include <rpc/rpcsec_gss.h> |
|
305 +#include <kadm5/kadm_rpc.h> |
|
306 |
|
307 #include "misc.h" |
|
308 |
|
309 @@ -347,19 +348,20 @@ main(int argc, char *argv[]) |
|
310 OM_uint32 minor_status; |
|
311 gss_buffer_desc in_buf; |
|
312 gss_OID nt_krb5_name_oid = (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME; |
|
313 - auth_gssapi_name names[4]; |
|
314 + char *names[4]; |
|
315 kadm5_config_params params; |
|
316 verto_ctx *vctx; |
|
317 const char *pid_file = NULL; |
|
318 char **db_args = NULL, **tmpargs; |
|
319 int ret, i, db_args_size = 0, strong_random = 1, proponly = 0; |
|
320 + char **tmp_srv_names; |
|
321 + krb5_principal princ; |
|
322 + char *pos; |
|
323 |
|
324 setlocale(LC_ALL, ""); |
|
325 setvbuf(stderr, NULL, _IONBF, 0); |
|
326 |
|
327 - names[0].name = names[1].name = names[2].name = names[3].name = NULL; |
|
328 - names[0].type = names[1].type = names[2].type = names[3].type = |
|
329 - nt_krb5_name_oid; |
|
330 + names[0] = names[1] = names[2] = names[3] = NULL; |
|
331 |
|
332 progname = (strrchr(argv[0], '/') != NULL) ? strrchr(argv[0], '/') + 1 : |
|
333 argv[0]; |
|
334 @@ -463,28 +465,88 @@ main(int argc, char *argv[]) |
|
335 if (!(params.mask & KADM5_CONFIG_ACL_FILE)) |
|
336 fail_to_start(0, _("Missing required ACL file configuration")); |
|
337 |
|
338 - ret = setup_loop(proponly, &vctx); |
|
339 + ret = kadm5_get_adm_host_srv_names(context, params.realm, &tmp_srv_names); |
|
340 if (ret) |
|
341 - fail_to_start(ret, _("initializing network")); |
|
342 + fail_to_start(ret, _("building GSSAPI auth names")); |
|
343 + names[0] = strdup(tmp_srv_names[0]); |
|
344 + if (names[0] == NULL) |
|
345 + fail_to_start(ENOMEM, _("copying GSSAPI auth names")); |
|
346 + free_srv_names(tmp_srv_names); |
|
347 + tmp_srv_names = NULL; |
|
348 |
|
349 - names[0].name = build_princ_name(KADM5_ADMIN_SERVICE, params.realm); |
|
350 - names[1].name = build_princ_name(KADM5_CHANGEPW_SERVICE, params.realm); |
|
351 - if (names[0].name == NULL || names[1].name == NULL) |
|
352 - fail_to_start(0, _("Cannot build GSSAPI auth names")); |
|
353 + ret = kadm5_get_cpw_host_srv_names(context, params.realm, &tmp_srv_names); |
|
354 + if (ret) |
|
355 + fail_to_start(ret, _("building GSSAPI auth names")); |
|
356 + names[1] = strdup(tmp_srv_names[0]); |
|
357 + if (names[1] == NULL) |
|
358 + fail_to_start(ENOMEM, _("copying GSSAPI auth names")); |
|
359 + free_srv_names(tmp_srv_names); |
|
360 + tmp_srv_names = NULL; |
|
361 + |
|
362 + if (params.iprop_enabled == TRUE) { |
|
363 + ret = kadm5_get_kiprop_host_srv_names(context, params.realm, |
|
364 + &tmp_srv_names); |
|
365 + if (ret) |
|
366 + fail_to_start(ret, _("building GSSAPI auth names")); |
|
367 + names[2] = strdup(tmp_srv_names[0]); |
|
368 + if (names[2] == NULL) |
|
369 + fail_to_start(ENOMEM, _("copying GSSAPI auth names")); |
|
370 + free_srv_names(tmp_srv_names); |
|
371 + tmp_srv_names = NULL; |
|
372 + |
|
373 + /* |
|
374 + * For hierarchical incremental propagation we need kadmind |
|
375 + * on slave KDCs to register local hostbased kiprop service principal, |
|
376 + * not the one for admin server. For least surprise on upgrade we |
|
377 + * register both. |
|
378 + */ |
|
379 + ret = krb5_sname_to_principal(context, NULL, KADM5_KIPROP_HOST_SERVICE, |
|
380 + KRB5_NT_SRV_HST, &princ); |
|
381 + if (ret) |
|
382 + fail_to_start(ret, _("building GSSAPI auth names")); |
|
383 + ret = krb5_unparse_name(context, princ, &names[3]); |
|
384 + if (ret) |
|
385 + fail_to_start(ret, _("building GSSAPI auth names")); |
|
386 + if ((pos = strchr(names[3], '@')) != NULL) |
|
387 + *pos = '\0'; |
|
388 + if ((pos = strchr(names[3], '/')) != NULL) |
|
389 + *pos = '@'; |
|
390 + } |
|
391 |
|
392 ret = setup_kdb_keytab(); |
|
393 if (ret) |
|
394 fail_to_start(0, _("Cannot set up KDB keytab")); |
|
395 - |
|
396 +#if 0 |
|
397 if (svcauth_gssapi_set_names(names, 2) == FALSE) |
|
398 fail_to_start(0, _("Cannot set GSSAPI authentication names")); |
|
399 +#endif |
|
400 + if (!rpc_gss_set_svc_name(names[0], "kerberos_v5", 0, KADM, KADMVERS)) |
|
401 + fail_to_start(0, _("Cannot set GSSAPI authentication names")); |
|
402 + if (!rpc_gss_set_svc_name(names[1], "kerberos_v5", 0, KADM, KADMVERS)) |
|
403 + fail_to_start(0, _("Cannot set GSSAPI authentication names")); |
|
404 + if (params.iprop_enabled == TRUE) { |
|
405 + if (!rpc_gss_set_svc_name(names[2], "kerberos_v5", 0, |
|
406 + KRB5_IPROP_PROG, KRB5_IPROP_VERS)) |
|
407 + fail_to_start(0, _("Cannot set GSSAPI authentication names")); |
|
408 + if (strcmp(names[2], names[3])){ |
|
409 + if (!rpc_gss_set_svc_name(names[3], "kerberos_v5", 0, |
|
410 + KRB5_IPROP_PROG, KRB5_IPROP_VERS)) |
|
411 + fail_to_start(0, _("Cannot set GSSAPI authentication names")); |
|
412 + |
|
413 + } |
|
414 + } |
|
415 |
|
416 /* if set_names succeeded, this will too */ |
|
417 - in_buf.value = names[1].name; |
|
418 - in_buf.length = strlen(names[1].name) + 1; |
|
419 + in_buf.value = names[1]; |
|
420 + in_buf.length = strlen(names[1]); |
|
421 (void)gss_import_name(&minor_status, &in_buf, nt_krb5_name_oid, |
|
422 &gss_changepw_name); |
|
423 |
|
424 + ret = setup_loop(proponly, &vctx); |
|
425 + if (ret) |
|
426 + fail_to_start(ret, _("initializing network")); |
|
427 + |
|
428 +#if 0 |
|
429 svcauth_gssapi_set_log_badauth2_func(log_badauth, NULL); |
|
430 svcauth_gssapi_set_log_badverf_func(log_badverf, NULL); |
|
431 svcauth_gssapi_set_log_miscerr_func(log_miscerr, NULL); |
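Review bot: The result of `gss_import_name()` for `gss_changepw_name` is still discarded, but the comment `if set_names succeeded, this will too` no longer holds: `rpc_gss_set_svc_name` does not import the name, so a failed import leaves `gss_changepw_name` empty and `CHANGEPW_SERVICE()` in server_stubs.c silently stops recognising requests that came in over the changepw acceptor. Replace the `(void)` call with `if (gss_import_name(&minor_status, &in_buf, nt_krb5_name_oid, &gss_changepw_name) != GSS_S_COMPLETE) fail_to_start(0, _("Cannot import changepw service name"));`. Two smaller items in the same hunk: `princ` from `krb5_sname_to_principal` is never released, so add `krb5_free_principal(context, princ);` after the `krb5_unparse_name` call; and the `strcmp(names[2], names[3])` against a string rewritten into `kiprop@host` form suggests the `*_host_srv_names` helpers return RPCSEC_GSS `service@host` strings, yet `names[1]` is imported with the krb5 principal name type where `@` introduces the realm, so this works only because `acceptor_name()` imports `svc_principal` the same way — worth a comment so one side is not "fixed" alone. The helpers are not in this chunk, so I cannot tell whether `tmp_srv_names[0]` can be NULL on success; an explicit check would make that failure mode a clean `fail_to_start`.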
|
432 @@ -495,6 +557,7 @@ main(int argc, char *argv[]) |
|
433 |
|
434 if (svcauth_gss_set_svc_name(GSS_C_NO_NAME) != TRUE) |
|
435 fail_to_start(0, _("Cannot initialize GSSAPI service name")); |
|
436 +#endif |
|
437 |
|
438 ret = kadm5int_acl_init(context, 0, params.acl_file); |
|
439 if (ret) |
|
440 @@ -535,14 +598,16 @@ main(int argc, char *argv[]) |
|
441 krb5_klog_syslog(LOG_INFO, _("finished, exiting")); |
|
442 |
|
443 /* Clean up memory, etc */ |
|
444 +#if 0 |
|
445 svcauth_gssapi_unset_names(); |
|
446 +#endif |
|
447 kadm5_destroy(global_server_handle); |
|
448 loop_free(vctx); |
|
449 kadm5int_acl_finish(context, 0); |
|
450 (void)gss_release_name(&minor_status, &gss_changepw_name); |
|
451 (void)gss_release_name(&minor_status, &gss_oldchangepw_name); |
|
452 for (i = 0; i < 4; i++) |
|
453 - free(names[i].name); |
|
454 + free(names[i]); |
|
455 |
|
456 krb5_klog_close(context); |
|
457 krb5_free_context(context); |
|
458 diff -pur old/src/kadmin/server/server_stubs.c new/src/kadmin/server/server_stubs.c |
|
459 --- old/src/kadmin/server/server_stubs.c |
|
460 +++ new/src/kadmin/server/server_stubs.c |
|
461 @@ -21,10 +21,10 @@ extern gss_name_t |
|
462 extern gss_name_t gss_oldchangepw_name; |
|
463 extern void * global_server_handle; |
|
464 |
|
465 -#define CHANGEPW_SERVICE(rqstp) \ |
|
466 - (cmp_gss_names_rel_1(acceptor_name(rqstp->rq_svccred), gss_changepw_name) | \ |
|
467 - (gss_oldchangepw_name && \ |
|
468 - cmp_gss_names_rel_1(acceptor_name(rqstp->rq_svccred), \ |
|
469 +#define CHANGEPW_SERVICE(rqstp) \ |
|
470 + (cmp_gss_names_rel_1(acceptor_name(rqstp), gss_changepw_name) | \ |
|
471 + (gss_oldchangepw_name && \ |
|
472 + cmp_gss_names_rel_1(acceptor_name(rqstp), \ |
|
473 gss_oldchangepw_name))) |
|
474 |
|
475 |
|
476 @@ -33,7 +33,7 @@ static int gss_to_krb5_name(kadm5_server |
|
477 |
|
478 static int gss_name_to_string(gss_name_t gss_name, gss_buffer_desc *str); |
|
479 |
|
480 -static gss_name_t acceptor_name(gss_ctx_id_t context); |
|
481 +static gss_name_t acceptor_name(struct svc_req *rqstp); |
|
482 |
|
483 gss_name_t rqst2name(struct svc_req *rqstp); |
|
484 |
|
485 @@ -107,6 +107,8 @@ static kadm5_ret_t new_server_handle(krb |
|
486 *out_handle) |
|
487 { |
|
488 kadm5_server_handle_t handle; |
|
489 + gss_name_t name = NULL; |
|
490 + OM_uint32 min_stat; |
|
491 |
|
492 *out_handle = NULL; |
|
493 |
|
494 @@ -117,13 +119,18 @@ static kadm5_ret_t new_server_handle(krb |
|
495 *handle = *(kadm5_server_handle_t)global_server_handle; |
|
496 handle->api_version = api_version; |
|
497 |
|
498 - if (! gss_to_krb5_name(handle, rqst2name(rqstp), |
|
499 - &handle->current_caller)) { |
|
500 + if (!(name = rqst2name(rqstp))) { |
|
501 + free(handle); |
|
502 + return KADM5_FAILURE; |
|
503 + } |
|
504 + if (! gss_to_krb5_name(handle, name, &handle->current_caller)) { |
|
505 free(handle); |
|
506 + gss_release_name(&min_stat, &name); |
|
507 return KADM5_FAILURE; |
|
508 } |
|
509 |
|
510 *out_handle = handle; |
|
511 + gss_release_name(&min_stat, &name); |
|
512 return 0; |
|
513 } |
|
514 |
|
515 @@ -182,38 +189,54 @@ int setup_gss_names(struct svc_req *rqst |
|
516 gss_buffer_desc *client_name, |
|
517 gss_buffer_desc *server_name) |
|
518 { |
|
519 - OM_uint32 maj_stat, min_stat; |
|
520 - gss_name_t server_gss_name; |
|
521 + OM_uint32 min_stat; |
|
522 + gss_name_t name = NULL; |
|
523 + rpc_gss_rawcred_t *raw_cred; |
|
524 |
|
525 - if (gss_name_to_string(rqst2name(rqstp), client_name) != 0) |
|
526 + if (!(name = rqst2name(rqstp))) { |
|
527 return -1; |
|
528 - maj_stat = gss_inquire_context(&min_stat, rqstp->rq_svccred, NULL, |
|
529 - &server_gss_name, NULL, NULL, NULL, |
|
530 - NULL, NULL); |
|
531 - if (maj_stat != GSS_S_COMPLETE) { |
|
532 - gss_release_buffer(&min_stat, client_name); |
|
533 - gss_release_name(&min_stat, &server_gss_name); |
|
534 + } |
|
535 + if (gss_name_to_string(name, client_name) != 0) { |
|
536 + gss_release_name(&min_stat, &name); |
|
537 return -1; |
|
538 } |
|
539 - if (gss_name_to_string(server_gss_name, server_name) != 0) { |
|
540 + gss_release_name(&min_stat, &name); |
|
541 + |
|
542 + rpc_gss_getcred(rqstp, &raw_cred, NULL, NULL); |
|
543 + server_name->value = strdup(raw_cred->svc_principal); |
|
544 + if (server_name->value == NULL) { |
|
545 gss_release_buffer(&min_stat, client_name); |
|
546 - gss_release_name(&min_stat, &server_gss_name); |
|
547 return -1; |
|
548 } |
|
549 - gss_release_name(&min_stat, &server_gss_name); |
|
550 + server_name->length = strlen(raw_cred->svc_principal); |
|
551 + |
|
552 return 0; |
|
553 } |
|
554 |
|
555 -static gss_name_t acceptor_name(gss_ctx_id_t context) |
|
556 +static gss_name_t acceptor_name(struct svc_req *rqstp) |
|
557 { |
|
558 OM_uint32 maj_stat, min_stat; |
|
559 - gss_name_t name; |
|
560 + gss_name_t name = NULL; |
|
561 + rpc_gss_rawcred_t *raw_cred; |
|
562 + gss_buffer_desc name_buff; |
|
563 + |
|
564 + rpc_gss_getcred(rqstp, &raw_cred, NULL, NULL); |
|
565 + name_buff.value = raw_cred->svc_principal; |
|
566 + name_buff.length = strlen(raw_cred->svc_principal); |
|
567 + maj_stat = gss_import_name(&min_stat, &name_buff, |
|
568 + (gss_OID) gss_nt_krb5_name, &name); |
|
569 + if (maj_stat != GSS_S_COMPLETE) { |
|
570 + gss_release_buffer(&min_stat, &name_buff); |
|
571 + return (NULL); |
|
572 + } |
|
573 + maj_stat = gss_display_name(&min_stat, name, &name_buff, NULL); |
|
574 + if (maj_stat != GSS_S_COMPLETE) { |
|
575 + gss_release_buffer(&min_stat, &name_buff); |
|
576 + return (NULL); |
|
577 + } |
|
578 + gss_release_buffer(&min_stat, &name_buff); |
|
579 |
|
580 - maj_stat = gss_inquire_context(&min_stat, context, NULL, &name, |
|
581 - NULL, NULL, NULL, NULL, NULL); |
|
582 - if (maj_stat != GSS_S_COMPLETE) |
|
583 - return NULL; |
|
584 - return name; |
|
585 + return name; |
|
586 } |
|
587 |
|
588 static int cmp_gss_krb5_name(kadm5_server_handle_t handle, |
|
589 @@ -339,8 +362,9 @@ create_principal_2_svc(cprinc_arg *arg, |
|
590 kadm5_server_handle_t handle; |
|
591 restriction_t *rp; |
|
592 const char *errmsg = NULL; |
|
593 + gss_name_t name = NULL; |
|
594 |
|
595 - xdr_free(xdr_generic_ret, &ret); |
|
596 + xdr_free(xdr_generic_ret, (char *) &ret); |
|
597 |
|
598 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) |
|
599 goto exit_func; |
|
600 @@ -359,8 +383,12 @@ create_principal_2_svc(cprinc_arg *arg, |
|
601 goto exit_func; |
|
602 } |
|
603 |
|
604 + if (!(name = rqst2name(rqstp))) { |
|
605 + ret.code = KADM5_FAILURE; |
|
606 + goto exit_func; |
|
607 + } |
|
608 if (CHANGEPW_SERVICE(rqstp) |
|
609 - || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_ADD, |
|
610 + || !kadm5int_acl_check(handle->context, name, ACL_ADD, |
|
611 arg->rec.principal, &rp) |
|
612 || kadm5int_acl_impose_restrictions(handle->context, |
|
613 &arg->rec, &arg->mask, rp)) { |
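Review bot: `rqst2name(rqstp)` is now resolved twice per request — once inside `new_server_handle` at the top of the function and again here — and the same `if (!(name = rqst2name(rqstp))) { ret.code = KADM5_FAILURE; goto exit_func; }` block is repeated in every stub in this file; since `new_server_handle` already has the name, storing it in the handle and releasing it in `free_server_handle` would remove the duplication and the second credential lookup. When the second lookup does fail, the request is dropped with `KADM5_FAILURE` and nothing is logged, unlike the equivalent path in ipropd_svc.c which syslogs at `LOG_ERR`; a `krb5_klog_syslog` here would keep the two servers consistent. `rqst2name`'s new body is not in this chunk, and `create_principal_2_svc` starts and ends outside the hunk.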
|
614 @@ -387,6 +415,8 @@ create_principal_2_svc(cprinc_arg *arg, |
|
615 |
|
616 exit_func: |
|
617 free_server_handle(handle); |
|
618 + if (name) |
|
619 + gss_release_name(&minor_stat, &name); |
|
620 return &ret; |
|
621 } |
|
622 |
|
623 @@ -400,8 +430,9 @@ create_principal3_2_svc(cprinc3_arg *arg |
|
624 kadm5_server_handle_t handle; |
|
625 restriction_t *rp; |
|
626 const char *errmsg = NULL; |
|
627 + gss_name_t name = NULL; |
|
628 |
|
629 - xdr_free(xdr_generic_ret, &ret); |
|
630 + xdr_free(xdr_generic_ret, (char *) &ret); |
|
631 |
|
632 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) |
|
633 goto exit_func; |
|
634 @@ -420,8 +451,12 @@ create_principal3_2_svc(cprinc3_arg *arg |
|
635 goto exit_func; |
|
636 } |
|
637 |
|
638 + if (!(name = rqst2name(rqstp))) { |
|
639 + ret.code = KADM5_FAILURE; |
|
640 + goto exit_func; |
|
641 + } |
|
642 if (CHANGEPW_SERVICE(rqstp) |
|
643 - || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_ADD, |
|
644 + || !kadm5int_acl_check(handle->context, name, ACL_ADD, |
|
645 arg->rec.principal, &rp) |
|
646 || kadm5int_acl_impose_restrictions(handle->context, |
|
647 &arg->rec, &arg->mask, rp)) { |
|
648 @@ -449,6 +484,8 @@ create_principal3_2_svc(cprinc3_arg *arg |
|
649 |
|
650 exit_func: |
|
651 free_server_handle(handle); |
|
652 + if (name) |
|
653 + gss_release_name(&minor_stat, &name); |
|
654 return &ret; |
|
655 } |
|
656 |
|
657 @@ -462,8 +499,9 @@ delete_principal_2_svc(dprinc_arg *arg, |
|
658 OM_uint32 minor_stat; |
|
659 kadm5_server_handle_t handle; |
|
660 const char *errmsg = NULL; |
|
661 + gss_name_t name = NULL; |
|
662 |
|
663 - xdr_free(xdr_generic_ret, &ret); |
|
664 + xdr_free(xdr_generic_ret, (char *) &ret); |
|
665 |
|
666 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) |
|
667 goto exit_func; |
|
668 @@ -482,8 +520,12 @@ delete_principal_2_svc(dprinc_arg *arg, |
|
669 goto exit_func; |
|
670 } |
|
671 |
|
672 + if (!(name = rqst2name(rqstp))) { |
|
673 + ret.code = KADM5_FAILURE; |
|
674 + goto exit_func; |
|
675 + } |
|
676 if (CHANGEPW_SERVICE(rqstp) |
|
677 - || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE, |
|
678 + || !kadm5int_acl_check(handle->context, name, ACL_DELETE, |
|
679 arg->princ, NULL)) { |
|
680 ret.code = KADM5_AUTH_DELETE; |
|
681 log_unauth("kadm5_delete_principal", prime_arg, |
|
682 @@ -506,6 +548,8 @@ delete_principal_2_svc(dprinc_arg *arg, |
|
683 |
|
684 exit_func: |
|
685 free_server_handle(handle); |
|
686 + if (name) |
|
687 + gss_release_name(&minor_stat, &name); |
|
688 return &ret; |
|
689 } |
|
690 |
|
691 @@ -520,8 +564,9 @@ modify_principal_2_svc(mprinc_arg *arg, |
|
692 kadm5_server_handle_t handle; |
|
693 restriction_t *rp; |
|
694 const char *errmsg = NULL; |
|
695 + gss_name_t name = NULL; |
|
696 |
|
697 - xdr_free(xdr_generic_ret, &ret); |
|
698 + xdr_free(xdr_generic_ret, (char *) &ret); |
|
699 |
|
700 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) |
|
701 goto exit_func; |
|
702 @@ -538,8 +583,12 @@ modify_principal_2_svc(mprinc_arg *arg, |
|
703 goto exit_func; |
|
704 } |
|
705 |
|
706 + if (!(name = rqst2name(rqstp))) { |
|
707 + ret.code = KADM5_FAILURE; |
|
708 + goto exit_func; |
|
709 + } |
|
710 if (CHANGEPW_SERVICE(rqstp) |
|
711 - || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY, |
|
712 + || !kadm5int_acl_check(handle->context, name, ACL_MODIFY, |
|
713 arg->rec.principal, &rp) |
|
714 || kadm5int_acl_impose_restrictions(handle->context, |
|
715 &arg->rec, &arg->mask, rp)) { |
|
716 @@ -563,6 +612,8 @@ modify_principal_2_svc(mprinc_arg *arg, |
|
717 gss_release_buffer(&minor_stat, &service_name); |
|
718 exit_func: |
|
719 free_server_handle(handle); |
|
720 + if (name) |
|
721 + gss_release_name(&minor_stat, &name); |
|
722 return &ret; |
|
723 } |
|
724 |
|
725 @@ -580,8 +631,9 @@ rename_principal_2_svc(rprinc_arg *arg, |
|
726 const char *errmsg = NULL; |
|
727 size_t tlen1, tlen2, clen, slen; |
|
728 char *tdots1, *tdots2, *cdots, *sdots; |
|
729 + gss_name_t name = NULL; |
|
730 |
|
731 - xdr_free(xdr_generic_ret, &ret); |
|
732 + xdr_free(xdr_generic_ret, (char *) &ret); |
|
733 |
|
734 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) |
|
735 goto exit_func; |
|
736 @@ -607,13 +659,17 @@ rename_principal_2_svc(rprinc_arg *arg, |
|
737 slen = service_name.length; |
|
738 trunc_name(&slen, &sdots); |
|
739 |
|
740 + if (!(name = rqst2name(rqstp))) { |
|
741 + ret.code = KADM5_FAILURE; |
|
742 + goto exit_func; |
|
743 + } |
|
744 ret.code = KADM5_OK; |
|
745 if (! CHANGEPW_SERVICE(rqstp)) { |
|
746 - if (!kadm5int_acl_check(handle->context, rqst2name(rqstp), |
|
747 + if (!kadm5int_acl_check(handle->context, name, |
|
748 ACL_DELETE, arg->src, NULL)) |
|
749 ret.code = KADM5_AUTH_DELETE; |
|
750 /* any restrictions at all on the ADD kills the RENAME */ |
|
751 - if (!kadm5int_acl_check(handle->context, rqst2name(rqstp), |
|
752 + if (!kadm5int_acl_check(handle->context, name, |
|
753 ACL_ADD, arg->dest, &rp) || rp) { |
|
754 if (ret.code == KADM5_AUTH_DELETE) |
|
755 ret.code = KADM5_AUTH_INSUFFICIENT; |
|
756 @@ -661,6 +717,8 @@ rename_principal_2_svc(rprinc_arg *arg, |
|
757 gss_release_buffer(&minor_stat, &service_name); |
|
758 exit_func: |
|
759 free_server_handle(handle); |
|
760 + if (name) |
|
761 + gss_release_name(&minor_stat, &name); |
|
762 return &ret; |
|
763 } |
|
764 |
|
765 @@ -674,8 +732,9 @@ get_principal_2_svc(gprinc_arg *arg, str |
|
766 OM_uint32 minor_stat; |
|
767 kadm5_server_handle_t handle; |
|
768 const char *errmsg = NULL; |
|
769 + gss_name_t name = NULL; |
|
770 |
|
771 - xdr_free(xdr_gprinc_ret, &ret); |
|
772 + xdr_free(xdr_gprinc_ret, (char *) &ret); |
|
773 |
|
774 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) |
|
775 goto exit_func; |
|
776 @@ -696,9 +755,13 @@ get_principal_2_svc(gprinc_arg *arg, str |
|
777 goto exit_func; |
|
778 } |
|
779 |
|
780 - if (! cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ) && |
|
781 + if (!(name = rqst2name(rqstp))) { |
|
782 + ret.code = KADM5_FAILURE; |
|
783 + goto exit_func; |
|
784 + } |
|
785 + if (! cmp_gss_krb5_name(handle, name, arg->princ) && |
|
786 (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, |
|
787 - rqst2name(rqstp), |
|
788 + name, |
|
789 ACL_INQUIRE, |
|
790 arg->princ, |
|
791 NULL))) { |
|
792 @@ -723,6 +786,8 @@ get_principal_2_svc(gprinc_arg *arg, str |
|
793 gss_release_buffer(&minor_stat, &service_name); |
|
794 exit_func: |
|
795 free_server_handle(handle); |
|
796 + if (name) |
|
797 + gss_release_name(&minor_stat, &name); |
|
798 return &ret; |
|
799 } |
|
800 |
|
801 @@ -736,8 +801,9 @@ get_princs_2_svc(gprincs_arg *arg, struc |
|
802 OM_uint32 minor_stat; |
|
803 kadm5_server_handle_t handle; |
|
804 const char *errmsg = NULL; |
|
805 + gss_name_t name = NULL; |
|
806 |
|
807 - xdr_free(xdr_gprincs_ret, &ret); |
|
808 + xdr_free(xdr_gprincs_ret, (char *) &ret); |
|
809 |
|
810 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) |
|
811 goto exit_func; |
|
812 @@ -755,8 +821,12 @@ get_princs_2_svc(gprincs_arg *arg, struc |
|
813 if (prime_arg == NULL) |
|
814 prime_arg = "*"; |
|
815 |
|
816 + if (!(name = rqst2name(rqstp))) { |
|
817 + ret.code = KADM5_FAILURE; |
|
818 + goto exit_func; |
|
819 + } |
|
820 if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, |
|
821 - rqst2name(rqstp), |
|
822 + name, |
|
823 ACL_LIST, |
|
824 NULL, |
|
825 NULL)) { |
|
826 @@ -781,6 +851,8 @@ get_princs_2_svc(gprincs_arg *arg, struc |
|
827 gss_release_buffer(&minor_stat, &service_name); |
|
828 exit_func: |
|
829 free_server_handle(handle); |
|
830 + if (name) |
|
831 + gss_release_name(&minor_stat, &name); |
|
832 return &ret; |
|
833 } |
|
834 |
|
835 @@ -794,8 +866,9 @@ chpass_principal_2_svc(chpass_arg *arg, |
|
836 OM_uint32 minor_stat; |
|
837 kadm5_server_handle_t handle; |
|
838 const char *errmsg = NULL; |
|
839 + gss_name_t name = NULL; |
|
840 |
|
841 - xdr_free(xdr_generic_ret, &ret); |
|
842 + xdr_free(xdr_generic_ret, (char *) &ret); |
|
843 |
|
844 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) |
|
845 goto exit_func; |
|
846 @@ -814,11 +887,15 @@ chpass_principal_2_svc(chpass_arg *arg, |
|
847 goto exit_func; |
|
848 } |
|
849 |
|
850 - if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) { |
|
851 + if (!(name = rqst2name(rqstp))) { |
|
852 + ret.code = KADM5_FAILURE; |
|
853 + goto exit_func; |
|
854 + } |
|
855 + if (cmp_gss_krb5_name(handle, name, arg->princ)) { |
|
856 ret.code = chpass_principal_wrapper_3((void *)handle, arg->princ, |
|
857 FALSE, 0, NULL, arg->pass); |
|
858 } else if (!(CHANGEPW_SERVICE(rqstp)) && |
|
859 - kadm5int_acl_check(handle->context, rqst2name(rqstp), |
|
860 + kadm5int_acl_check(handle->context, name, |
|
861 ACL_CHANGEPW, arg->princ, NULL)) { |
|
862 ret.code = kadm5_chpass_principal((void *)handle, arg->princ, |
|
863 arg->pass); |
|
864 @@ -844,6 +921,8 @@ chpass_principal_2_svc(chpass_arg *arg, |
|
865 gss_release_buffer(&minor_stat, &service_name); |
|
866 exit_func: |
|
867 free_server_handle(handle); |
|
868 + if (name) |
|
869 + gss_release_name(&minor_stat, &name); |
|
870 return &ret; |
|
871 } |
|
872 |
|
873 @@ -857,8 +936,9 @@ chpass_principal3_2_svc(chpass3_arg *arg |
|
874 OM_uint32 minor_stat; |
|
875 kadm5_server_handle_t handle; |
|
876 const char *errmsg = NULL; |
|
877 + gss_name_t name = NULL; |
|
878 |
|
879 - xdr_free(xdr_generic_ret, &ret); |
|
880 + xdr_free(xdr_generic_ret, (char *) &ret); |
|
881 |
|
882 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) |
|
883 goto exit_func; |
|
884 @@ -877,14 +957,18 @@ chpass_principal3_2_svc(chpass3_arg *arg |
|
885 goto exit_func; |
|
886 } |
|
887 |
|
888 - if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) { |
|
889 + if (!(name = rqst2name(rqstp))) { |
|
890 + ret.code = KADM5_FAILURE; |
|
891 + goto exit_func; |
|
892 + } |
|
893 + if (cmp_gss_krb5_name(handle, name, arg->princ)) { |
|
894 ret.code = chpass_principal_wrapper_3((void *)handle, arg->princ, |
|
895 arg->keepold, |
|
896 arg->n_ks_tuple, |
|
897 arg->ks_tuple, |
|
898 arg->pass); |
|
899 } else if (!(CHANGEPW_SERVICE(rqstp)) && |
|
900 - kadm5int_acl_check(handle->context, rqst2name(rqstp), |
|
901 + kadm5int_acl_check(handle->context, name, |
|
902 ACL_CHANGEPW, arg->princ, NULL)) { |
|
903 ret.code = kadm5_chpass_principal_3((void *)handle, arg->princ, |
|
904 arg->keepold, |
|
905 @@ -913,6 +997,8 @@ chpass_principal3_2_svc(chpass3_arg *arg |
|
906 gss_release_buffer(&minor_stat, &service_name); |
|
907 exit_func: |
|
908 free_server_handle(handle); |
|
909 + if (name) |
|
910 + gss_release_name(&minor_stat, &name); |
|
911 return &ret; |
|
912 } |
|
913 |
|
914 @@ -926,8 +1012,9 @@ setv4key_principal_2_svc(setv4key_arg *a |
|
915 OM_uint32 minor_stat; |
|
916 kadm5_server_handle_t handle; |
|
917 const char *errmsg = NULL; |
|
918 + gss_name_t name = NULL; |
|
919 |
|
920 - xdr_free(xdr_generic_ret, &ret); |
|
921 + xdr_free(xdr_generic_ret, (char *) &ret); |
|
922 |
|
923 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) |
|
924 goto exit_func; |
|
925 @@ -946,8 +1033,12 @@ setv4key_principal_2_svc(setv4key_arg *a |
|
926 goto exit_func; |
|
927 } |
|
928 |
|
929 + if (!(name = rqst2name(rqstp))) { |
|
930 + ret.code = KADM5_FAILURE; |
|
931 + goto exit_func; |
|
932 + } |
|
933 if (!(CHANGEPW_SERVICE(rqstp)) && |
|
934 - kadm5int_acl_check(handle->context, rqst2name(rqstp), |
|
935 + kadm5int_acl_check(handle->context, name, |
|
936 ACL_SETKEY, arg->princ, NULL)) { |
|
937 ret.code = kadm5_setv4key_principal((void *)handle, arg->princ, |
|
938 arg->keyblock); |
|
939 @@ -973,6 +1064,8 @@ setv4key_principal_2_svc(setv4key_arg *a |
|
940 gss_release_buffer(&minor_stat, &service_name); |
|
941 exit_func: |
|
942 free_server_handle(handle); |
|
943 + if (name) |
|
944 + gss_release_name(&minor_stat, &name); |
|
945 return &ret; |
|
946 } |
|
947 |
|
948 @@ -986,8 +1079,9 @@ setkey_principal_2_svc(setkey_arg *arg, |
|
949 OM_uint32 minor_stat; |
|
950 kadm5_server_handle_t handle; |
|
951 const char *errmsg = NULL; |
|
952 + gss_name_t name = NULL; |
|
953 |
|
954 - xdr_free(xdr_generic_ret, &ret); |
|
955 + xdr_free(xdr_generic_ret, (char *) &ret); |
|
956 |
|
957 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) |
|
958 goto exit_func; |
|
959 @@ -1006,8 +1100,12 @@ setkey_principal_2_svc(setkey_arg *arg, |
|
960 goto exit_func; |
|
961 } |
|
962 |
|
963 + if (!(name = rqst2name(rqstp))) { |
|
964 + ret.code = KADM5_FAILURE; |
|
965 + goto exit_func; |
|
966 + } |
|
967 if (!(CHANGEPW_SERVICE(rqstp)) && |
|
968 - kadm5int_acl_check(handle->context, rqst2name(rqstp), |
|
969 + kadm5int_acl_check(handle->context, name, |
|
970 ACL_SETKEY, arg->princ, NULL)) { |
|
971 ret.code = kadm5_setkey_principal((void *)handle, arg->princ, |
|
972 arg->keyblocks, arg->n_keys); |
|
973 @@ -1033,6 +1131,8 @@ setkey_principal_2_svc(setkey_arg *arg, |
|
974 gss_release_buffer(&minor_stat, &service_name); |
|
975 exit_func: |
|
976 free_server_handle(handle); |
|
977 + if (name) |
|
978 + gss_release_name(&minor_stat, &name); |
|
979 return &ret; |
|
980 } |
|
981 |
|
982 @@ -1046,8 +1146,9 @@ setkey_principal3_2_svc(setkey3_arg *arg |
|
983 OM_uint32 minor_stat; |
|
984 kadm5_server_handle_t handle; |
|
985 const char *errmsg = NULL; |
|
986 + gss_name_t name = NULL; |
|
987 |
|
988 - xdr_free(xdr_generic_ret, &ret); |
|
989 + xdr_free(xdr_generic_ret, (char *) &ret); |
|
990 |
|
991 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) |
|
992 goto exit_func; |
|
993 @@ -1066,8 +1167,12 @@ setkey_principal3_2_svc(setkey3_arg *arg |
|
994 goto exit_func; |
|
995 } |
|
996 |
|
997 + if (!(name = rqst2name(rqstp))) { |
|
998 + ret.code = KADM5_FAILURE; |
|
999 + goto exit_func; |
|
1000 + } |
|
1001 if (!(CHANGEPW_SERVICE(rqstp)) && |
|
1002 - kadm5int_acl_check(handle->context, rqst2name(rqstp), |
|
1003 + kadm5int_acl_check(handle->context, name, |
|
1004 ACL_SETKEY, arg->princ, NULL)) { |
|
1005 ret.code = kadm5_setkey_principal_3((void *)handle, arg->princ, |
|
1006 arg->keepold, |
|
1007 @@ -1096,6 +1201,8 @@ setkey_principal3_2_svc(setkey3_arg *arg |
|
1008 gss_release_buffer(&minor_stat, &service_name); |
|
1009 exit_func: |
|
1010 free_server_handle(handle); |
|
1011 + if (name) |
|
1012 + gss_release_name(&minor_stat, &name); |
|
1013 return &ret; |
|
1014 } |
|
1015 |
|
1016 @@ -1111,8 +1218,9 @@ chrand_principal_2_svc(chrand_arg *arg, |
|
1017 OM_uint32 minor_stat; |
|
1018 kadm5_server_handle_t handle; |
|
1019 const char *errmsg = NULL; |
|
1020 + gss_name_t name = NULL; |
|
1021 |
|
1022 - xdr_free(xdr_chrand_ret, &ret); |
|
1023 + xdr_free(xdr_chrand_ret, (char *) &ret); |
|
1024 |
|
1025 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) |
|
1026 goto exit_func; |
|
1027 @@ -1134,11 +1242,15 @@ chrand_principal_2_svc(chrand_arg *arg, |
|
1028 goto exit_func; |
|
1029 } |
|
1030 |
|
1031 - if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) { |
|
1032 + if (!(name = rqst2name(rqstp))) { |
|
1033 + ret.code = KADM5_FAILURE; |
|
1034 + goto exit_func; |
|
1035 + } |
|
1036 + if (cmp_gss_krb5_name(handle, name, arg->princ)) { |
|
1037 ret.code = randkey_principal_wrapper_3((void *)handle, arg->princ, |
|
1038 FALSE, 0, NULL, &k, &nkeys); |
|
1039 } else if (!(CHANGEPW_SERVICE(rqstp)) && |
|
1040 - kadm5int_acl_check(handle->context, rqst2name(rqstp), |
|
1041 + kadm5int_acl_check(handle->context, name, |
|
1042 ACL_CHANGEPW, arg->princ, NULL)) { |
|
1043 ret.code = kadm5_randkey_principal((void *)handle, arg->princ, |
|
1044 &k, &nkeys); |
|
1045 @@ -1168,6 +1280,8 @@ chrand_principal_2_svc(chrand_arg *arg, |
|
1046 gss_release_buffer(&minor_stat, &service_name); |
|
1047 exit_func: |
|
1048 free_server_handle(handle); |
|
1049 + if (name) |
|
1050 + gss_release_name(&minor_stat, &name); |
|
1051 return &ret; |
|
1052 } |
|
1053 |
|
1054 @@ -1183,8 +1297,9 @@ chrand_principal3_2_svc(chrand3_arg *arg |
|
1055 OM_uint32 minor_stat; |
|
1056 kadm5_server_handle_t handle; |
|
1057 const char *errmsg = NULL; |
|
1058 + gss_name_t name = NULL; |
|
1059 |
|
1060 - xdr_free(xdr_chrand_ret, &ret); |
|
1061 + xdr_free(xdr_chrand_ret, (char *) &ret); |
|
1062 |
|
1063 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) |
|
1064 goto exit_func; |
|
1065 @@ -1205,14 +1320,18 @@ chrand_principal3_2_svc(chrand3_arg *arg |
|
1066 goto exit_func; |
|
1067 } |
|
1068 |
|
1069 - if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) { |
|
1070 + if (!(name = rqst2name(rqstp))) { |
|
1071 + ret.code = KADM5_FAILURE; |
|
1072 + goto exit_func; |
|
1073 + } |
|
1074 + if (cmp_gss_krb5_name(handle, name, arg->princ)) { |
|
1075 ret.code = randkey_principal_wrapper_3((void *)handle, arg->princ, |
|
1076 arg->keepold, |
|
1077 arg->n_ks_tuple, |
|
1078 arg->ks_tuple, |
|
1079 &k, &nkeys); |
|
1080 } else if (!(CHANGEPW_SERVICE(rqstp)) && |
|
1081 - kadm5int_acl_check(handle->context, rqst2name(rqstp), |
|
1082 + kadm5int_acl_check(handle->context, name, |
|
1083 ACL_CHANGEPW, arg->princ, NULL)) { |
|
1084 ret.code = kadm5_randkey_principal_3((void *)handle, arg->princ, |
|
1085 arg->keepold, |
|
1086 @@ -1245,6 +1364,8 @@ chrand_principal3_2_svc(chrand3_arg *arg |
|
1087 gss_release_buffer(&minor_stat, &service_name); |
|
1088 exit_func: |
|
1089 free_server_handle(handle); |
|
1090 + if (name) |
|
1091 + gss_release_name(&minor_stat, &name); |
|
1092 return &ret; |
|
1093 } |
|
1094 |
|
1095 @@ -1258,8 +1379,9 @@ create_policy_2_svc(cpol_arg *arg, struc |
|
1096 OM_uint32 minor_stat; |
|
1097 kadm5_server_handle_t handle; |
|
1098 const char *errmsg = NULL; |
|
1099 + gss_name_t name = NULL; |
|
1100 |
|
1101 - xdr_free(xdr_generic_ret, &ret); |
|
1102 + xdr_free(xdr_generic_ret, (char *) &ret); |
|
1103 |
|
1104 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) |
|
1105 goto exit_func; |
|
1106 @@ -1275,8 +1397,12 @@ create_policy_2_svc(cpol_arg *arg, struc |
|
1107 } |
|
1108 prime_arg = arg->rec.policy; |
|
1109 |
|
1110 + if (!(name = rqst2name(rqstp))) { |
|
1111 + ret.code = KADM5_FAILURE; |
|
1112 + goto exit_func; |
|
1113 + } |
|
1114 if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, |
|
1115 - rqst2name(rqstp), |
|
1116 + name, |
|
1117 ACL_ADD, NULL, NULL)) { |
|
1118 ret.code = KADM5_AUTH_ADD; |
|
1119 log_unauth("kadm5_create_policy", prime_arg, |
|
1120 @@ -1299,6 +1425,8 @@ create_policy_2_svc(cpol_arg *arg, struc |
|
1121 gss_release_buffer(&minor_stat, &service_name); |
|
1122 exit_func: |
|
1123 free_server_handle(handle); |
|
1124 + if (name) |
|
1125 + gss_release_name(&minor_stat, &name); |
|
1126 return &ret; |
|
1127 } |
|
1128 |
|
1129 @@ -1312,8 +1440,9 @@ delete_policy_2_svc(dpol_arg *arg, struc |
|
1130 OM_uint32 minor_stat; |
|
1131 kadm5_server_handle_t handle; |
|
1132 const char *errmsg = NULL; |
|
1133 + gss_name_t name = NULL; |
|
1134 |
|
1135 - xdr_free(xdr_generic_ret, &ret); |
|
1136 + xdr_free(xdr_generic_ret, (char *) &ret); |
|
1137 |
|
1138 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) |
|
1139 goto exit_func; |
|
1140 @@ -1329,8 +1458,12 @@ delete_policy_2_svc(dpol_arg *arg, struc |
|
1141 } |
|
1142 prime_arg = arg->name; |
|
1143 |
|
1144 + if (!(name = rqst2name(rqstp))) { |
|
1145 + ret.code = KADM5_FAILURE; |
|
1146 + goto exit_func; |
|
1147 + } |
|
1148 if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, |
|
1149 - rqst2name(rqstp), |
|
1150 + name, |
|
1151 ACL_DELETE, NULL, NULL)) { |
|
1152 log_unauth("kadm5_delete_policy", prime_arg, |
|
1153 &client_name, &service_name, rqstp); |
|
1154 @@ -1351,6 +1484,8 @@ delete_policy_2_svc(dpol_arg *arg, struc |
|
1155 gss_release_buffer(&minor_stat, &service_name); |
|
1156 exit_func: |
|
1157 free_server_handle(handle); |
|
1158 + if (name) |
|
1159 + gss_release_name(&minor_stat, &name); |
|
1160 return &ret; |
|
1161 } |
|
1162 |
|
1163 @@ -1364,8 +1499,9 @@ modify_policy_2_svc(mpol_arg *arg, struc |
|
1164 OM_uint32 minor_stat; |
|
1165 kadm5_server_handle_t handle; |
|
1166 const char *errmsg = NULL; |
|
1167 + gss_name_t name = NULL; |
|
1168 |
|
1169 - xdr_free(xdr_generic_ret, &ret); |
|
1170 + xdr_free(xdr_generic_ret, (char *) &ret); |
|
1171 |
|
1172 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) |
|
1173 goto exit_func; |
|
1174 @@ -1381,8 +1517,12 @@ modify_policy_2_svc(mpol_arg *arg, struc |
|
1175 } |
|
1176 prime_arg = arg->rec.policy; |
|
1177 |
|
1178 + if (!(name = rqst2name(rqstp))) { |
|
1179 + ret.code = KADM5_FAILURE; |
|
1180 + goto exit_func; |
|
1181 + } |
|
1182 if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, |
|
1183 - rqst2name(rqstp), |
|
1184 + name, |
|
1185 ACL_MODIFY, NULL, NULL)) { |
|
1186 log_unauth("kadm5_modify_policy", prime_arg, |
|
1187 &client_name, &service_name, rqstp); |
|
1188 @@ -1404,6 +1544,8 @@ modify_policy_2_svc(mpol_arg *arg, struc |
|
1189 gss_release_buffer(&minor_stat, &service_name); |
|
1190 exit_func: |
|
1191 free_server_handle(handle); |
|
1192 + if (name) |
|
1193 + gss_release_name(&minor_stat, &name); |
|
1194 return &ret; |
|
1195 } |
|
1196 |
|
1197 @@ -1419,8 +1561,9 @@ get_policy_2_svc(gpol_arg *arg, struct s |
|
1198 kadm5_principal_ent_rec caller_ent; |
|
1199 kadm5_server_handle_t handle; |
|
1200 const char *errmsg = NULL; |
|
1201 + gss_name_t name = NULL; |
|
1202 |
|
1203 - xdr_free(xdr_gpol_ret, &ret); |
|
1204 + xdr_free(xdr_gpol_ret, (char *) &ret); |
|
1205 |
|
1206 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) |
|
1207 goto exit_func; |
|
1208 @@ -1438,9 +1581,13 @@ get_policy_2_svc(gpol_arg *arg, struct s |
|
1209 } |
|
1210 prime_arg = arg->name; |
|
1211 |
|
1212 + if (!(name = rqst2name(rqstp))) { |
|
1213 + ret.code = KADM5_FAILURE; |
|
1214 + goto exit_func; |
|
1215 + } |
|
1216 ret.code = KADM5_AUTH_GET; |
|
1217 if (!CHANGEPW_SERVICE(rqstp) && kadm5int_acl_check(handle->context, |
|
1218 - rqst2name(rqstp), |
|
1219 + name, |
|
1220 ACL_INQUIRE, NULL, NULL)) |
|
1221 ret.code = KADM5_OK; |
|
1222 else { |
|
1223 @@ -1479,6 +1626,8 @@ get_policy_2_svc(gpol_arg *arg, struct s |
|
1224 gss_release_buffer(&minor_stat, &service_name); |
|
1225 exit_func: |
|
1226 free_server_handle(handle); |
|
1227 + if (name) |
|
1228 + gss_release_name(&minor_stat, &name); |
|
1229 return &ret; |
|
1230 |
|
1231 } |
|
1232 @@ -1493,8 +1642,9 @@ get_pols_2_svc(gpols_arg *arg, struct sv |
|
1233 OM_uint32 minor_stat; |
|
1234 kadm5_server_handle_t handle; |
|
1235 const char *errmsg = NULL; |
|
1236 + gss_name_t name = NULL; |
|
1237 |
|
1238 - xdr_free(xdr_gpols_ret, &ret); |
|
1239 + xdr_free(xdr_gpols_ret, (char *) &ret); |
|
1240 |
|
1241 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) |
|
1242 goto exit_func; |
|
1243 @@ -1512,8 +1662,12 @@ get_pols_2_svc(gpols_arg *arg, struct sv |
|
1244 if (prime_arg == NULL) |
|
1245 prime_arg = "*"; |
|
1246 |
|
1247 + if (!(name = rqst2name(rqstp))) { |
|
1248 + ret.code = KADM5_FAILURE; |
|
1249 + goto exit_func; |
|
1250 + } |
|
1251 if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, |
|
1252 - rqst2name(rqstp), |
|
1253 + name, |
|
1254 ACL_LIST, NULL, NULL)) { |
|
1255 ret.code = KADM5_AUTH_LIST; |
|
1256 log_unauth("kadm5_get_policies", prime_arg, |
|
1257 @@ -1535,6 +1689,8 @@ get_pols_2_svc(gpols_arg *arg, struct sv |
|
1258 gss_release_buffer(&minor_stat, &service_name); |
|
1259 exit_func: |
|
1260 free_server_handle(handle); |
|
1261 + if (name) |
|
1262 + gss_release_name(&minor_stat, &name); |
|
1263 return &ret; |
|
1264 } |
|
1265 |
|
1266 @@ -1546,7 +1702,7 @@ getprivs_ret * get_privs_2_svc(krb5_ui_4 |
|
1267 kadm5_server_handle_t handle; |
|
1268 const char *errmsg = NULL; |
|
1269 |
|
1270 - xdr_free(xdr_getprivs_ret, &ret); |
|
1271 + xdr_free(xdr_getprivs_ret, (char *) &ret); |
|
1272 |
|
1273 if ((ret.code = new_server_handle(*arg, rqstp, &handle))) |
|
1274 goto exit_func; |
|
1275 @@ -1588,8 +1744,9 @@ purgekeys_2_svc(purgekeys_arg *arg, stru |
|
1276 kadm5_server_handle_t handle; |
|
1277 |
|
1278 const char *errmsg = NULL; |
|
1279 + gss_name_t name = NULL; |
|
1280 |
|
1281 - xdr_free(xdr_generic_ret, &ret); |
|
1282 + xdr_free(xdr_generic_ret, (char *) &ret); |
|
1283 |
|
1284 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) |
|
1285 goto exit_func; |
|
1286 @@ -1610,9 +1767,13 @@ purgekeys_2_svc(purgekeys_arg *arg, stru |
|
1287 goto exit_func; |
|
1288 } |
|
1289 |
|
1290 - if (!cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ) && |
|
1291 + if (!(name = rqst2name(rqstp))) { |
|
1292 + ret.code = KADM5_FAILURE; |
|
1293 + goto exit_func; |
|
1294 + } |
|
1295 + if (!cmp_gss_krb5_name(handle, name, arg->princ) && |
|
1296 (CHANGEPW_SERVICE(rqstp) |
|
1297 - || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY, |
|
1298 + || !kadm5int_acl_check(handle->context, name, ACL_MODIFY, |
|
1299 arg->princ, NULL))) { |
|
1300 ret.code = KADM5_AUTH_MODIFY; |
|
1301 log_unauth(funcname, prime_arg, &client_name, &service_name, rqstp); |
|
1302 @@ -1633,6 +1794,8 @@ purgekeys_2_svc(purgekeys_arg *arg, stru |
|
1303 gss_release_buffer(&minor_stat, &service_name); |
|
1304 exit_func: |
|
1305 free_server_handle(handle); |
|
1306 + if (name) |
|
1307 + gss_release_name(&minor_stat, &name); |
|
1308 return &ret; |
|
1309 } |
|
1310 |
|
1311 @@ -1646,8 +1809,9 @@ get_strings_2_svc(gstrings_arg *arg, str |
|
1312 OM_uint32 minor_stat; |
|
1313 kadm5_server_handle_t handle; |
|
1314 const char *errmsg = NULL; |
|
1315 + gss_name_t name = NULL; |
|
1316 |
|
1317 - xdr_free(xdr_gstrings_ret, &ret); |
|
1318 + xdr_free(xdr_gstrings_ret, (char *) &ret); |
|
1319 |
|
1320 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) |
|
1321 goto exit_func; |
|
1322 @@ -1666,9 +1830,13 @@ get_strings_2_svc(gstrings_arg *arg, str |
|
1323 goto exit_func; |
|
1324 } |
|
1325 |
|
1326 - if (! cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ) && |
|
1327 + if (!(name = rqst2name(rqstp))) { |
|
1328 + ret.code = KADM5_FAILURE; |
|
1329 + goto exit_func; |
|
1330 + } |
|
1331 + if (! cmp_gss_krb5_name(handle, name, arg->princ) && |
|
1332 (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, |
|
1333 - rqst2name(rqstp), |
|
1334 + name, |
|
1335 ACL_INQUIRE, |
|
1336 arg->princ, |
|
1337 NULL))) { |
|
1338 @@ -1692,6 +1860,8 @@ get_strings_2_svc(gstrings_arg *arg, str |
|
1339 gss_release_buffer(&minor_stat, &service_name); |
|
1340 exit_func: |
|
1341 free_server_handle(handle); |
|
1342 + if (name) |
|
1343 + gss_release_name(&minor_stat, &name); |
|
1344 return &ret; |
|
1345 } |
|
1346 |
|
1347 @@ -1705,8 +1875,9 @@ set_string_2_svc(sstring_arg *arg, struc |
|
1348 OM_uint32 minor_stat; |
|
1349 kadm5_server_handle_t handle; |
|
1350 const char *errmsg = NULL; |
|
1351 + gss_name_t name = NULL; |
|
1352 |
|
1353 - xdr_free(xdr_generic_ret, &ret); |
|
1354 + xdr_free(xdr_generic_ret, (char *) &ret); |
|
1355 |
|
1356 if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) |
|
1357 goto exit_func; |
|
1358 @@ -1725,8 +1896,12 @@ set_string_2_svc(sstring_arg *arg, struc |
|
1359 goto exit_func; |
|
1360 } |
|
1361 |
|
1362 + if (!(name = rqst2name(rqstp))) { |
|
1363 + ret.code = KADM5_FAILURE; |
|
1364 + goto exit_func; |
|
1365 + } |
|
1366 if (CHANGEPW_SERVICE(rqstp) |
|
1367 - || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY, |
|
1368 + || !kadm5int_acl_check(handle->context, name, ACL_MODIFY, |
|
1369 arg->princ, NULL)) { |
|
1370 ret.code = KADM5_AUTH_MODIFY; |
|
1371 log_unauth("kadm5_mod_strings", prime_arg, |
|
1372 @@ -1748,6 +1923,8 @@ set_string_2_svc(sstring_arg *arg, struc |
|
1373 gss_release_buffer(&minor_stat, &service_name); |
|
1374 exit_func: |
|
1375 free_server_handle(handle); |
|
1376 + if (name) |
|
1377 + gss_release_name(&minor_stat, &name); |
|
1378 return &ret; |
|
1379 } |
|
1380 |
|
1381 @@ -1762,7 +1939,7 @@ generic_ret *init_2_svc(krb5_ui_4 *arg, |
|
1382 size_t clen, slen; |
|
1383 char *cdots, *sdots; |
|
1384 |
|
1385 - xdr_free(xdr_generic_ret, &ret); |
|
1386 + xdr_free(xdr_generic_ret, (char *) &ret); |
|
1387 |
|
1388 if ((ret.code = new_server_handle(*arg, rqstp, &handle))) |
|
1389 goto exit_func; |
|
1390 @@ -1807,9 +1984,18 @@ exit_func: |
|
1391 gss_name_t |
|
1392 rqst2name(struct svc_req *rqstp) |
|
1393 { |
|
1394 + OM_uint32 maj_stat, min_stat; |
|
1395 + gss_name_t name; |
|
1396 + rpc_gss_rawcred_t * raw_cred; |
|
1397 + gss_buffer_desc name_buff; |
|
1398 |
|
1399 - if (rqstp->rq_cred.oa_flavor == RPCSEC_GSS) |
|
1400 - return rqstp->rq_clntname; |
|
1401 - else |
|
1402 - return rqstp->rq_clntcred; |
|
1403 + rpc_gss_getcred(rqstp, &raw_cred, NULL, NULL); |
|
1404 + name_buff.value = raw_cred->client_principal->name; |
|
1405 + name_buff.length = raw_cred->client_principal->len; |
|
1406 + maj_stat = gss_import_name(&min_stat, &name_buff, |
|
1407 + (gss_OID) GSS_C_NT_EXPORT_NAME, &name); |
|
1408 + if (maj_stat != GSS_S_COMPLETE) { |
|
1409 + return (NULL); |
|
1410 + } |
|
1411 + return (name); |
|
1412 } |
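Review bot: The return value of `rpc_gss_getcred()` is ignored at the top of the new rqst2name() body and `raw_cred` is never initialised, so a request whose credential flavor is not RPCSEC_GSS (or whose raw credential carries no `client_principal`) dereferences an indeterminate pointer before the callers' new NULL checks ever run; the old body at least guarded on `rq_cred.oa_flavor`. One guard restores that: `if (!rpc_gss_getcred(rqstp, &raw_cred, NULL, NULL) || raw_cred == NULL || raw_cred->client_principal == NULL) return (NULL);`. Whether the dispatcher already rejects other flavors before the stubs are reached is not visible here, so this function should not depend on it. The result is now allocated by gss_import_name() rather than borrowed from `rqstp` as before, so a comment such as `/* Caller must gss_release_name() the returned name. */` above the signature would document the new ownership contract.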
|
1413 diff -pur old/src/lib/Makefile.in new/src/lib/Makefile.in |
|
1414 --- old/src/lib/Makefile.in |
|
1415 +++ new/src/lib/Makefile.in |
|
1416 @@ -1,5 +1,5 @@ |
|
1417 mydir=lib |
|
1418 -SUBDIRS=crypto krb5 gssapi rpc kdb kadm5 apputils krad |
|
1419 +SUBDIRS=crypto krb5 gssapi kdb kadm5 apputils krad |
|
1420 WINSUBDIRS=crypto krb5 gssapi |
|
1421 BUILDTOP=$(REL).. |
|
1422 |
|
1423 diff -pur old/src/lib/apputils/net-server.c new/src/lib/apputils/net-server.c |
|
1424 --- old/src/lib/apputils/net-server.c |
|
1425 +++ new/src/lib/apputils/net-server.c |
|
1426 @@ -32,7 +32,7 @@ |
|
1427 #include "port-sockets.h" |
|
1428 #include "socket-utils.h" |
|
1429 |
|
1430 -#include <gssrpc/rpc.h> |
|
1431 +#include <rpc/rpc.h> |
|
1432 |
|
1433 #ifdef HAVE_NETINET_IN_H |
|
1434 #include <sys/types.h> |
|
1435 @@ -228,6 +228,9 @@ struct connection { |
|
1436 #define FREE_SET_DATA(set) \ |
|
1437 (free(set.data), set.data = 0, set.max = 0, set.n = 0) |
|
1438 |
|
1439 +#define EMPTY(set) \ |
|
1440 + (set.n == 0) |
|
1441 + |
|
1442 /* |
|
1443 * N.B.: The Emacs cc-mode indentation code seems to get confused if |
|
1444 * the macro argument here is one word only. So use "unsigned short" |
|
1445 @@ -546,6 +549,127 @@ add_tcp_read_fd(struct socksetup *data, |
|
1446 process_tcp_connection_read, 1); |
|
1447 } |
|
1448 |
|
1449 +static int |
|
1450 +set_tli_opt(int fd, int level, int name, const void *val, unsigned int val_len) |
|
1451 +{ |
|
1452 + struct t_optmgmt req, rep; |
|
1453 + struct opthdr *opt; |
|
1454 + char reqbuf[256]; |
|
1455 + |
|
1456 + if (val_len + sizeof (struct opthdr) > sizeof (reqbuf)) |
|
1457 + return -1; |
|
1458 + |
|
1459 + opt = (struct opthdr *) reqbuf; |
|
1460 + opt->level = level; |
|
1461 + opt->name = name; |
|
1462 + opt->len = val_len; |
|
1463 + |
|
1464 + memcpy(reqbuf + sizeof (struct opthdr), val, val_len); |
|
1465 + |
|
1466 + req.flags = T_NEGOTIATE; |
|
1467 + req.opt.len = sizeof (struct opthdr) + opt->len; |
|
1468 + req.opt.buf = (char *) opt; |
|
1469 + |
|
1470 + rep.flags = 0; |
|
1471 + rep.opt.buf = reqbuf; |
|
1472 + rep.opt.maxlen = sizeof (reqbuf); |
|
1473 + |
|
1474 + if (t_optmgmt(fd, &req, &rep) < 0 || rep.flags != T_SUCCESS) { |
|
1475 + t_error("t_optmgmt"); |
|
1476 + return -1; |
|
1477 + } |
|
1478 + |
|
1479 + return 0; |
|
1480 +} |
|
1481 + |
|
1482 +/* Create a tli/xti endpoint and bind it to port. Ensure the file descriptor |
|
1483 + * will work with select. Set cloexec, reuseaddr, and if applicable v6-only. |
|
1484 + * Does not call listen(). Returns -1 on failure after logging an error. |
|
1485 + */ |
|
1486 +static int |
|
1487 +create_server_endpoint(struct socksetup *data, struct netconfig *nconf, |
|
1488 + u_short port) |
|
1489 +{ |
|
1490 + int fd, on; |
|
1491 + struct t_info tinfo; |
|
1492 + struct t_bind *tbind, *tres; |
|
1493 + struct sockaddr_in *sin4; |
|
1494 + struct sockaddr_in6 *sin6; |
|
1495 + |
|
1496 + /* open transport endpoint */ |
|
1497 + fd = t_open(nconf->nc_device, O_RDWR, &tinfo); |
|
1498 + if (fd == -1) { |
|
1499 + data ->retval = errno; |
|
1500 + com_err(data->prog, errno, |
|
1501 + _("unable to open connection for ADMIN server")); |
|
1502 + return -1; |
|
1503 + } |
|
1504 + set_cloexec_fd(fd); |
|
1505 + |
|
1506 + /* ensure fd works with select */ |
|
1507 +#ifndef _WIN32 /* Windows FD_SETSIZE is a count. */ |
|
1508 + if (fd >= FD_SETSIZE) { |
|
1509 + t_close(fd); |
|
1510 + com_err(data->prog, 0, _("endpoint fd number %d too high"), fd); |
|
1511 + return -1; |
|
1512 + } |
|
1513 +#endif |
|
1514 + |
|
1515 + /* set SO_REUSEADDR */ |
|
1516 + on = 1; |
|
1517 + if (set_tli_opt(fd, SOL_SOCKET, SO_REUSEADDR , &on, sizeof (on)) < 0) |
|
1518 + com_err(data->prog, errno, |
|
1519 + _("cannot enable SO_REUSEADDR on fd %d"), fd); |
|
1520 + |
|
1521 + /* set IPv6-only as appropriate */ |
|
1522 + if (strcmp(nconf->nc_protofmly, NC_INET6) == 0) { |
|
1523 +#ifdef IPV6_V6ONLY |
|
1524 + if (set_tli_opt(fd, IPPROTO_IPV6, IPV6_V6ONLY , &on, sizeof (on)) < 0) |
|
1525 + com_err(data->prog, errno, |
|
1526 + _("cannot set IPV6_V6ONLY on fd %d"), fd); |
|
1527 +#else |
|
1528 + krb5_klog_syslog(LOG_INFO, _("no IPV6_V6ONLY socket option support")); |
|
1529 +#endif /* IPV6_V6ONLY */ |
|
1530 + } |
|
1531 + |
|
1532 + /* bind fd to specified port */ |
|
1533 + if (port != 0) { |
|
1534 + tbind = (struct t_bind *)t_alloc(fd, T_BIND, T_ADDR); |
|
1535 + if (tbind == NULL) { |
|
1536 + com_err(data->prog, errno, |
|
1537 + _("Cannot allocate t_bind structure.")); |
|
1538 + t_close(fd); |
|
1539 + return -1; |
|
1540 + } |
|
1541 + |
|
1542 + tbind->qlen = 8; |
|
1543 + tbind->addr.len = tbind->addr.maxlen; |
|
1544 + if (strcmp(nconf->nc_protofmly, NC_INET6) == 0) { |
|
1545 + sin6 = (struct sockaddr_in6 *)tbind->addr.buf; |
|
1546 + sin6->sin6_family = AF_INET6; |
|
1547 + sin6->sin6_addr = in6addr_any; |
|
1548 + sin6->sin6_port = htons(port); |
|
1549 + } else if (strcmp(nconf->nc_protofmly, NC_INET) == 0) { |
|
1550 + sin4 = (struct sockaddr_in *)tbind->addr.buf; |
|
1551 + sin4->sin_family = AF_INET; |
|
1552 + sin4->sin_addr.s_addr = INADDR_ANY; |
|
1553 + sin4->sin_port = htons(port); |
|
1554 + } |
|
1555 + |
|
1556 + if (t_bind(fd, tbind, NULL) < 0) { |
|
1557 + data->retval = errno; |
|
1558 + com_err(data->prog, errno, |
|
1559 + _("Cannot bind transport endpoint on %d"), port); |
|
1560 + t_free(tbind, T_BIND); |
|
1561 + t_close(fd); |
|
1562 + return -1; |
|
1563 + } |
|
1564 + t_free(tbind, T_BIND); |
|
1565 + } |
|
1566 + |
|
1567 + return fd; |
|
1568 +} |
|
1569 + |
|
1570 /* |
|
1571 * Create a socket and bind it to addr. Ensure the socket will work with |
|
1572 * select(). Set the socket cloexec, reuseaddr, and if applicable v6-only. |
|
1573 @@ -604,12 +728,13 @@ create_server_socket(struct socksetup *d |
|
1574 } |
|
1575 |
|
1576 static verto_ev * |
|
1577 -add_rpc_listener_fd(struct socksetup *data, struct rpc_svc_data *svc, int sock) |
|
1578 +add_rpc_listener_fd(struct socksetup *data, struct netconfig *nconf, |
|
1579 + struct rpc_svc_data *svc, int fd) |
|
1580 { |
|
1581 struct connection *conn; |
|
1582 verto_ev *ev; |
|
1583 |
|
1584 - ev = add_fd(data, sock, CONN_RPC_LISTENER, |
|
1585 + ev = add_fd(data, fd, CONN_RPC_LISTENER, |
|
1586 VERTO_EV_FLAG_IO_READ | |
|
1587 VERTO_EV_FLAG_PERSIST | |
|
1588 VERTO_EV_FLAG_REINITIABLE, |
|
1589 @@ -618,7 +743,7 @@ add_rpc_listener_fd(struct socksetup *da |
|
1590 return NULL; |
|
1591 |
|
1592 conn = verto_get_private(ev); |
|
1593 - conn->transp = svctcp_create(sock, 0, 0); |
|
1594 + conn->transp = svc_tli_create(fd, nconf, NULL, 0, 0); |
|
1595 if (conn->transp == NULL) { |
|
1596 krb5_klog_syslog(LOG_ERR, |
|
1597 _("Cannot create RPC service: %s; continuing"), |
|
1598 @@ -627,11 +752,14 @@ add_rpc_listener_fd(struct socksetup *da |
|
1599 return NULL; |
|
1600 } |
|
1601 |
|
1602 - if (!svc_register(conn->transp, svc->prognum, svc->versnum, |
|
1603 - svc->dispatch, 0)) { |
|
1604 + if (!svc_reg(conn->transp, svc->prognum, svc->versnum, |
|
1605 + svc->dispatch, nconf)) { |
|
1606 krb5_klog_syslog(LOG_ERR, |
|
1607 - _("Cannot register RPC service: %s; continuing"), |
|
1608 - strerror(errno)); |
|
1609 + _("Cannot register RPC prog %d vers %d on %s; " |
|
1610 + "continuing"), |
|
1611 + (int) svc->prognum, |
|
1612 + (int) svc->versnum, |
|
1613 + nconf->nc_netid); |
|
1614 verto_del(ev); |
|
1615 return NULL; |
|
1616 } |
|
1617 @@ -760,53 +888,99 @@ setup_tcp_listener_ports(struct socksetu |
|
1618 return 0; |
|
1619 } |
|
1620 |
|
1621 +static void |
|
1622 +log_rpc_listen(int fd, struct rpc_svc_data *svc, struct netconfig *nconf) { |
|
1623 + if (svc->port != 0) |
|
1624 + krb5_klog_syslog(LOG_INFO, |
|
1625 + _("listening on fd %d: %s port %hd " |
|
1626 + "(RPC prog %d vers %d)"), |
|
1627 + fd, nconf->nc_netid, svc->port, |
|
1628 + (int) svc->prognum, (int) svc->versnum); |
|
1629 + else |
|
1630 + krb5_klog_syslog(LOG_INFO, |
|
1631 + _("listening on fd %d: %s random port " |
|
1632 + "(RPC prog %d vers %d)"), |
|
1633 + fd, nconf->nc_netid, |
|
1634 + (int) svc->prognum, (int) svc->versnum); |
|
1635 + |
|
1636 +} |
|
1637 + |
|
1638 static int |
|
1639 setup_rpc_listener_ports(struct socksetup *data) |
|
1640 { |
|
1641 struct sockaddr_in sin4; |
|
1642 struct sockaddr_in6 sin6; |
|
1643 - int i; |
|
1644 + int i, fd, ret = -1, n_svcs = 0; |
|
1645 struct rpc_svc_data svc; |
|
1646 + void *handlep; |
|
1647 + struct netconfig *nconf, *nconf4 = NULL, *nconf6 = NULL; |
|
1648 + char *protofmly = NULL; |
|
1649 + |
|
1650 + /* pick the right network: tcp and tcp6 */ |
|
1651 + if ((handlep = setnetconfig()) == NULL) { |
|
1652 + com_err(data->prog, errno, _("cannot get any transport information")); |
|
1653 + goto cleanup; |
|
1654 + } |
|
1655 + |
|
1656 + while (nconf = getnetconfig(handlep)) { |
|
1657 + if ((nconf->nc_semantics == NC_TPI_COTS_ORD) && |
|
1658 + (strcmp(nconf->nc_proto, NC_TCP) == 0)){ |
|
1659 + if (strcmp(nconf->nc_protofmly, NC_INET) == 0) |
|
1660 + nconf4 = nconf; |
|
1661 + if (strcmp(nconf->nc_protofmly, NC_INET6) == 0) |
|
1662 + nconf6 = nconf; |
|
1663 + } |
|
1664 + } |
|
1665 |
|
1666 - memset(&sin4, 0, sizeof(sin4)); |
|
1667 - sin4.sin_family = AF_INET; |
|
1668 - sin4.sin_addr.s_addr = INADDR_ANY; |
|
1669 - |
|
1670 - memset(&sin6, 0, sizeof(sin6)); |
|
1671 - sin6.sin6_family = AF_INET6; |
|
1672 - sin6.sin6_addr = in6addr_any; |
|
1673 + if (nconf4 == NULL && nconf6 == NULL) { |
|
1674 + com_err(data->prog, 0, _("no transport with proto=%s"), NC_TCP); |
|
1675 + goto cleanup; |
|
1676 + } |
|
1677 |
|
1678 FOREACH_ELT (rpc_svc_data, i, svc) { |
|
1679 - int s4; |
|
1680 - int s6; |
|
1681 - |
|
1682 - sa_setport((struct sockaddr *)&sin4, svc.port); |
|
1683 - s4 = create_server_socket(data, (struct sockaddr *)&sin4, SOCK_STREAM); |
|
1684 - if (s4 < 0) |
|
1685 - return -1; |
|
1686 - |
|
1687 - if (add_rpc_listener_fd(data, &svc, s4) == NULL) |
|
1688 - close(s4); |
|
1689 - else |
|
1690 - krb5_klog_syslog(LOG_INFO, _("listening on fd %d: rpc %s"), |
|
1691 - s4, paddr((struct sockaddr *)&sin4)); |
|
1692 + fd = create_server_endpoint(data, nconf4, svc.port); |
|
1693 + if (fd < 0) |
|
1694 + goto cleanup; |
|
1695 + |
|
1696 + if (add_rpc_listener_fd(data, nconf4, &svc, fd) == NULL) |
|
1697 + close(fd); |
|
1698 + else { |
|
1699 + n_svcs++; |
|
1700 + log_rpc_listen(fd, &svc, nconf4); |
|
1701 + } |
|
1702 |
|
1703 if (ipv6_enabled()) { |
|
1704 - sa_setport((struct sockaddr *)&sin6, svc.port); |
|
1705 - s6 = create_server_socket(data, (struct sockaddr *)&sin6, |
|
1706 - SOCK_STREAM); |
|
1707 - if (s6 < 0) |
|
1708 - return -1; |
|
1709 + fd = create_server_endpoint(data, nconf6, svc.port); |
|
1710 + if (fd < 0) |
|
1711 + goto cleanup; |
|
1712 |
|
1713 - if (add_rpc_listener_fd(data, &svc, s6) == NULL) |
|
1714 - close(s6); |
|
1715 - else |
|
1716 - krb5_klog_syslog(LOG_INFO, _("listening on fd %d: rpc %s"), |
|
1717 - s6, paddr((struct sockaddr *)&sin6)); |
|
1718 + if (add_rpc_listener_fd(data, nconf6, &svc, fd) == NULL) |
|
1719 + close(fd); |
|
1720 + else { |
|
1721 + n_svcs++; |
|
1722 + log_rpc_listen(fd, &svc, nconf6); |
|
1723 + } |
|
1724 } |
|
1725 } |
|
1726 - |
|
1727 - return 0; |
|
1728 + if (n_svcs > 0) { |
|
1729 + krb5_klog_syslog(LOG_INFO, _("%d RPC services registered"), n_svcs); |
|
1730 + } else if (!EMPTY(rpc_svc_data)){ |
|
1731 + /* |
|
1732 + * If rpc_svc_data is not empty and n_svcs is 0, it means that |
|
1733 + * we have tried to register some RPC services, but failed for all of |
|
1734 + * them. In that case, refuse to start. |
|
1735 + * If rpc_svc_data was emtpy, it means we were not registering any RPC |
|
1736 + * services in the firstplace. krb5kdc is an example of daemon |
|
1737 + * that does not register any RPC services. |
|
1738 + */ |
|
1739 + com_err(data->prog, 0, _("Cannot register any RPC services, exiting.")); |
|
1740 + exit (1); |
|
1741 + } |
|
1742 + ret = 0; |
|
1743 + |
|
1744 +cleanup: |
|
1745 + endnetconfig(handlep); |
|
1746 + return ret; |
|
1747 } |
|
1748 |
|
1749 #if defined(CMSG_SPACE) && defined(HAVE_STRUCT_CMSGHDR) && \ |
|
1750 diff -pur old/src/lib/kadm5/Makefile.in new/src/lib/kadm5/Makefile.in |
|
1751 --- old/src/lib/kadm5/Makefile.in |
|
1752 +++ new/src/lib/kadm5/Makefile.in |
|
1753 @@ -21,6 +21,7 @@ SRCS = kadm_err.c \ |
|
1754 $(srcdir)/chpass_util.c \ |
|
1755 $(srcdir)/alt_prof.c \ |
|
1756 $(srcdir)/str_conv.c \ |
|
1757 + $(srcdir)/kadm_host_srv_names.c \ |
|
1758 $(srcdir)/logger.c |
|
1759 |
|
1760 OBJS = kadm_err.$(OBJEXT) \ |
|
1761 @@ -30,6 +31,7 @@ OBJS = kadm_err.$(OBJEXT) \ |
|
1762 chpass_util.$(OBJEXT) \ |
|
1763 alt_prof.$(OBJEXT) \ |
|
1764 str_conv.$(OBJEXT) \ |
|
1765 + kadm_host_srv_names.$(OBJEXT) \ |
|
1766 logger.$(OBJEXT) |
|
1767 |
|
1768 STLIBOBJS = \ |
|
1769 @@ -40,6 +42,7 @@ STLIBOBJS = \ |
|
1770 chpass_util.o \ |
|
1771 alt_prof.o \ |
|
1772 str_conv.o \ |
|
1773 + kadm_host_srv_names.o \ |
|
1774 logger.o |
|
1775 |
|
1776 HDRDIR=$(BUILDTOP)/include/kadm5 |
|
1777 diff -pur old/src/lib/kadm5/admin.h new/src/lib/kadm5/admin.h |
|
1778 --- old/src/lib/kadm5/admin.h |
|
1779 +++ new/src/lib/kadm5/admin.h |
|
1780 @@ -42,7 +42,7 @@ |
|
1781 #define __KADM5_ADMIN_H__ |
|
1782 |
|
1783 #include <sys/types.h> |
|
1784 -#include <gssrpc/rpc.h> |
|
1785 +#include <rpc/rpc.h> |
|
1786 #include <krb5.h> |
|
1787 #include <kdb.h> |
|
1788 #include <com_err.h> |
|
1789 @@ -67,6 +67,7 @@ KADM5INT_BEGIN_DECLS |
|
1790 |
|
1791 #define KADM5_KIPROP_HOST_SERVICE "kiprop" |
|
1792 #define KADM5_ADMIN_HOST_SERVICE "kadmin" |
|
1793 +#define KADM5_CHANGEPW_HOST_SERVICE "changepw" |
|
1794 |
|
1795 typedef krb5_principal kadm5_princ_t; |
|
1796 typedef char *kadm5_policy_t; |
|
1797 @@ -453,6 +454,21 @@ kadm5_ret_t kadm5_free_key_data(void |
|
1798 kadm5_ret_t kadm5_free_name_list(void *server_handle, char **names, |
|
1799 int count); |
|
1800 |
|
1801 +kadm5_ret_t |
|
1802 +kadm5_get_adm_host_srv_names(krb5_context context, |
|
1803 + const char *realm, char ***host_service_names); |
|
1804 + |
|
1805 +kadm5_ret_t |
|
1806 +kadm5_get_cpw_host_srv_names(krb5_context context, |
|
1807 + const char *realm, char ***host_service_names); |
|
1808 + |
|
1809 +kadm5_ret_t |
|
1810 +kadm5_get_kiprop_host_srv_names(krb5_context context, |
|
1811 + const char *realm, char ***host_service_names); |
|
1812 + |
|
1813 +void |
|
1814 +free_srv_names(char **srv_names); |
|
1815 + |
|
1816 krb5_error_code kadm5_init_krb5_context (krb5_context *); |
|
1817 |
|
1818 krb5_error_code kadm5_init_iprop(void *server_handle, char **db_args); |
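Review bot: `free_srv_names` is exported from the public `admin.h` without the `kadm5_` prefix that the three `kadm5_get_*_host_srv_names` declarations next to it carry, so it lands in the global namespace of every program that links libkadm5; renaming it `kadm5_free_srv_names` (or keeping it file-static if only the library calls it) keeps the header consistent. None of the four declarations says what `host_service_names` holds on return or who releases it; a short comment such as `/* On success *host_service_names is an array of host-based service names; release it with free_srv_names(). */` would state the contract — whether the array is NULL-terminated is not visible in this hunk and should be confirmed before documenting it.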
|
1819 diff -pur old/src/lib/kadm5/alt_prof.c new/src/lib/kadm5/alt_prof.c |
|
1820 --- old/src/lib/kadm5/alt_prof.c |
|
1821 +++ new/src/lib/kadm5/alt_prof.c |
|
1822 @@ -746,10 +746,17 @@ krb5_error_code kadm5_get_config_params( |
|
1823 params.mask |= KADM5_CONFIG_IPROP_ENABLED; |
|
1824 params.iprop_enabled = params_in->iprop_enabled; |
|
1825 } else { |
|
1826 - if (aprofile && |
|
1827 - !krb5_aprof_get_boolean(aprofile, hierarchy, TRUE, &bvalue)) { |
|
1828 - params.iprop_enabled = bvalue; |
|
1829 - params.mask |= KADM5_CONFIG_IPROP_ENABLED; |
|
1830 + if (aprofile) { |
|
1831 + if(!krb5_aprof_get_boolean(aprofile, hierarchy, TRUE, &bvalue)) { |
|
1832 + params.iprop_enabled = bvalue; |
|
1833 + params.mask |= KADM5_CONFIG_IPROP_ENABLED; |
|
1834 + } else { |
|
1835 + hierarchy[2] = KRB5_CONF_SUNW_DBPROP_ENABLE; |
|
1836 + if(!krb5_aprof_get_boolean(aprofile, hierarchy, TRUE, &bvalue)){ |
|
1837 + params.iprop_enabled = bvalue; |
|
1838 + params.mask |= KADM5_CONFIG_IPROP_ENABLED; |
|
1839 + } |
|
1840 + } |
|
1841 } |
|
1842 } |
|
1843 |
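Review bot: The fallback lookup overwrites `hierarchy[2]` with `KRB5_CONF_SUNW_DBPROP_ENABLE` and leaves it there; that is harmless only if every later lookup in `kadm5_get_config_params` assigns `hierarchy[2]` before use, which neither this hunk nor the ulog-size hunk below can confirm. The duplicated branch bodies here and in the ulog-size hunk could be collapsed by iterating over the two key names, e.g. `const char *keys[] = { hierarchy[2], KRB5_CONF_SUNW_DBPROP_ENABLE };`, assigning `hierarchy[2] = keys[k]` and breaking on the first successful lookup. A comment marking the `sunw_dbprop_*` names as legacy aliases, `/* Legacy Solaris key name; the MIT iprop_* key takes precedence. */`, would explain the ordering. `kadm5_get_config_params` starts and ends outside both hunks.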
|
1844 @@ -778,18 +785,30 @@ krb5_error_code kadm5_get_config_params( |
|
1845 params.mask |= KADM5_CONFIG_ULOG_SIZE; |
|
1846 params.iprop_ulogsize = params_in->iprop_ulogsize; |
|
1847 } else { |
|
1848 - if (aprofile != NULL && |
|
1849 - !krb5_aprof_get_int32(aprofile, hierarchy, TRUE, &ivalue)) { |
|
1850 - if (ivalue <= 0) |
|
1851 - params.iprop_ulogsize = DEF_ULOGENTRIES; |
|
1852 - else |
|
1853 - params.iprop_ulogsize = ivalue; |
|
1854 - params.mask |= KADM5_CONFIG_ULOG_SIZE; |
|
1855 + if (aprofile != NULL) { |
|
1856 + if (!krb5_aprof_get_int32(aprofile, hierarchy, TRUE, &ivalue)) { |
|
1857 + if (ivalue <= 0) |
|
1858 + params.iprop_ulogsize = DEF_ULOGENTRIES; |
|
1859 + else |
|
1860 + params.iprop_ulogsize = ivalue; |
|
1861 + params.mask |= KADM5_CONFIG_ULOG_SIZE; |
|
1862 + } else { |
|
1863 + hierarchy[2] = KRB5_CONF_SUNW_DBPROP_MASTER_ULOGSIZE; |
|
1864 + if (!krb5_aprof_get_int32(aprofile, hierarchy, TRUE, &ivalue)) { |
|
1865 + if (ivalue <= 0) |
|
1866 + params.iprop_ulogsize = DEF_ULOGENTRIES; |
|
1867 + else |
|
1868 + params.iprop_ulogsize = ivalue; |
|
1869 + params.mask |= KADM5_CONFIG_ULOG_SIZE; |
|
1870 + } |
|
1871 + } |
|
1872 } |
|
1873 } |
|
1874 |
|
1875 GET_DELTAT_PARAM(iprop_poll_time, KADM5_CONFIG_POLL_TIME, |
|
1876 - KRB5_CONF_IPROP_SLAVE_POLL, 2 * 60); /* 2m */ |
|
1877 + KRB5_CONF_SUNW_DBPROP_SLAVE_POLL, 2 * 60); /* 2m */ |
|
1878 + GET_DELTAT_PARAM(iprop_poll_time, KADM5_CONFIG_POLL_TIME, |
|
1879 + KRB5_CONF_IPROP_SLAVE_POLL, params.iprop_poll_time); |
|
1880 |
|
1881 *params_out = params; |
|
1882 |
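Review bot: The two chained `GET_DELTAT_PARAM` calls look up the legacy `KRB5_CONF_SUNW_DBPROP_SLAVE_POLL` first and feed its result in as the default of the `KRB5_CONF_IPROP_SLAVE_POLL` lookup, so the MIT key wins when both are configured — the opposite order from the boolean and ulog-size blocks above, which try the MIT key first and fall back to the `sunw_dbprop_*` name. The outcome is the same only if `GET_DELTAT_PARAM` stores the supplied default exactly when the key is absent, which the hunk does not show; a one-line comment, `/* Legacy sunw_dbprop_slave_poll first, so iprop_slave_poll overrides it when both are set. */`, would save the next reader working that out.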
|
1883 diff -pur old/src/lib/kadm5/clnt/Makefile.in new/src/lib/kadm5/clnt/Makefile.in |
|
1884 --- old/src/lib/kadm5/clnt/Makefile.in |
|
1885 +++ new/src/lib/kadm5/clnt/Makefile.in |
|
1886 @@ -7,12 +7,11 @@ LIBMAJOR=9 |
|
1887 LIBMINOR=0 |
|
1888 STOBJLISTS=../OBJS.ST OBJS.ST |
|
1889 SHLIB_EXPDEPS=\ |
|
1890 - $(TOPLIBD)/libgssrpc$(SHLIBEXT) \ |
|
1891 $(TOPLIBD)/libgssapi_krb5$(SHLIBEXT) \ |
|
1892 $(TOPLIBD)/libkrb5$(SHLIBEXT) \ |
|
1893 $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ |
|
1894 $(COM_ERR_DEPLIB) $(SUPPORT_LIBDEP) |
|
1895 -SHLIB_EXPLIBS=-lgssrpc -lgssapi_krb5 -lkrb5 -lk5crypto $(SUPPORT_LIB) -lcom_err $(LIBS) |
|
1896 +SHLIB_EXPLIBS= -lgssapi_krb5 -lkrb5 -lk5crypto $(SUPPORT_LIB) -lcom_err $(LIBS) |
|
1897 RELDIR=kadm5/clnt |
|
1898 |
|
1899 ##DOSBUILDTOP = ..\..\.. |
|
1900 diff -pur old/src/lib/kadm5/clnt/client_init.c new/src/lib/kadm5/clnt/client_init.c |
|
1901 --- old/src/lib/kadm5/clnt/client_init.c |
|
1902 +++ new/src/lib/kadm5/clnt/client_init.c |
|
1903 @@ -44,12 +44,12 @@ |
|
1904 #include <iprop_hdr.h> |
|
1905 #include "iprop.h" |
|
1906 |
|
1907 -#include <gssrpc/rpc.h> |
|
1908 +#include <rpc/rpc.h> |
|
1909 #include <gssapi/gssapi.h> |
|
1910 #include <gssapi/gssapi_krb5.h> |
|
1911 -#include <gssrpc/auth_gssapi.h> |
|
1912 |
|
1913 #define ADM_CCACHE "/tmp/ovsec_adm.XXXXXX" |
|
1914 +#define KADMIND_CONNECT_TIMEOUT 25 |
|
1915 |
|
1916 enum init_type { INIT_PASS, INIT_SKEY, INIT_CREDS, INIT_ANONYMOUS }; |
|
1917 |
|
1918 @@ -138,9 +138,379 @@ kadm5_init_with_skey(krb5_context contex |
|
1919 server_handle); |
|
1920 } |
|
1921 |
|
1922 +/* |
|
1923 + * Open an fd for the given address and connect asynchronously. Wait |
|
1924 + * KADMIND_CONNECT_TIMEOUT seconds or till it succeeds. If it succeeds |
|
1925 + * change fd to blocking and return it, else return -1. |
|
1926 + */ |
|
1927 +static int |
|
1928 +get_connection(struct netconfig *nconf, struct netbuf netaddr) |
|
1929 +{ |
|
1930 + struct t_info tinfo; |
|
1931 + struct t_call sndcall; |
|
1932 + struct t_call *rcvcall = NULL; |
|
1933 + int connect_time; |
|
1934 + int flags; |
|
1935 + int fd; |
|
1936 + |
|
1937 + (void) memset(&tinfo, 0, sizeof (tinfo)); |
|
1938 + |
|
1939 + /* we'l open with O_NONBLOCK and avoid an fcntl */ |
|
1940 + fd = t_open(nconf->nc_device, O_RDWR | O_NONBLOCK, &tinfo); |
|
1941 + if (fd == -1) { |
|
1942 + return (-1); |
|
1943 + } |
|
1944 + |
|
1945 + if (t_bind(fd, (struct t_bind *)NULL, (struct t_bind *)NULL) == -1) { |
|
1946 + (void) t_close(fd); |
|
1947 + return (-1); |
|
1948 + } |
|
1949 + |
|
1950 + /* we can't connect unless fd is in IDLE state */ |
|
1951 + if (t_getstate(fd) != T_IDLE) { |
|
1952 + (void) t_close(fd); |
|
1953 + return (-1); |
|
1954 + } |
|
1955 + |
|
1956 + /* setup connect parameters */ |
|
1957 + netaddr.len = netaddr.maxlen = __rpc_get_a_size(tinfo.addr); |
|
1958 + sndcall.addr = netaddr; |
|
1959 + sndcall.opt.len = sndcall.udata.len = 0; |
|
1960 + |
|
1961 + /* we wait for KADMIND_CONNECT_TIMEOUT seconds from now */ |
|
1962 + connect_time = time(NULL) + KADMIND_CONNECT_TIMEOUT; |
|
1963 + if (t_connect(fd, &sndcall, rcvcall) != 0) { |
|
1964 + if (t_errno != TNODATA) { |
|
1965 + (void) t_close(fd); |
|
1966 + return (-1); |
|
1967 + } |
|
1968 + } |
|
1969 + |
|
1970 + /* loop till success or timeout */ |
|
1971 + for (;;) { |
|
1972 + if (t_rcvconnect(fd, rcvcall) == 0) |
|
1973 + break; |
|
1974 + |
|
1975 + if (t_errno != TNODATA || time(NULL) > connect_time) { |
|
1976 + /* we have either timed out or caught an error */ |
|
1977 + (void) t_close(fd); |
|
1978 + if (rcvcall != NULL) |
|
1979 + t_free((char *)rcvcall, T_CALL); |
|
1980 + return (-1); |
|
1981 + } |
|
1982 + sleep(1); |
|
1983 + } |
|
1984 + |
|
1985 + /* make the fd blocking (synchronous) */ |
|
1986 + flags = fcntl(fd, F_GETFL, 0); |
|
1987 + (void) fcntl(fd, F_SETFL, flags & ~O_NONBLOCK); |
|
1988 + if (rcvcall != NULL) |
|
1989 + t_free((char *)rcvcall, T_CALL); |
|
1990 + return (fd); |
|
1991 +} |
|
1992 + |
|
1993 +/* |
|
1994 + * Wrapper over clnt_tli_create. |
|
1995 + * Opens a connection to host:port and calls clnt_tli_create. |
|
1996 + * Returns a client handle or NULL on failure. |
|
1997 + */ |
|
1998 +static CLIENT* |
|
1999 +clnt_create_with_port(const char *host, int port, |
|
2000 + const rpcprog_t prog, const rpcvers_t vers) |
|
2001 +{ |
|
2002 + struct netbuf netaddr; |
|
2003 + struct hostent *hp; |
|
2004 + int fd; |
|
2005 + struct sockaddr_in addr; |
|
2006 + struct sockaddr_in *sin; |
|
2007 + struct netconfig *nconf; |
|
2008 + void *handlep = NULL; |
|
2009 + CLIENT *clnt = NULL; |
|
2010 + |
|
2011 + hp = gethostbyname(host); |
|
2012 + if (hp == (struct hostent *)NULL) { |
|
2013 + goto cleanup; |
|
2014 + } |
|
2015 + |
|
2016 + memset(&addr, 0, sizeof (addr)); |
|
2017 + addr.sin_family = hp->h_addrtype; |
|
2018 + (void) memcpy((char *)&addr.sin_addr, (char *)hp->h_addr, |
|
2019 + sizeof (addr.sin_addr)); |
|
2020 + addr.sin_port = htons((ushort_t)port); |
|
2021 + sin = &addr; |
|
2022 + if ((handlep = setnetconfig()) == (void *) NULL) { |
|
2023 + goto cleanup; |
|
2024 + } |
|
2025 + |
|
2026 + while (nconf = getnetconfig(handlep)) { |
|
2027 + if ((nconf->nc_semantics == NC_TPI_COTS_ORD) && |
|
2028 + (strcmp(nconf->nc_protofmly, NC_INET) == 0) && |
|
2029 + (strcmp(nconf->nc_proto, NC_TCP) == 0)) |
|
2030 + break; |
|
2031 + } |
|
2032 + |
|
2033 + if (nconf == (struct netconfig *)NULL) |
|
2034 + goto cleanup; |
|
2035 + |
|
2036 + /* Transform addr to netbuf */ |
|
2037 + (void) memset(&netaddr, 0, sizeof (netaddr)); |
|
2038 + netaddr.buf = (char *)sin; |
|
2039 + |
|
2040 + /* get an fd connected to the given address */ |
|
2041 + fd = get_connection(nconf, netaddr); |
|
2042 + if (fd == -1) { |
|
2043 + goto cleanup; |
|
2044 + } |
|
2045 + |
|
2046 + clnt = clnt_tli_create(fd, nconf, NULL, prog, vers, 0, 0); |
|
2047 + if (clnt == NULL) { |
|
2048 + clnt_pcreateerror("ERROR:"); |
|
2049 + (void) t_close(fd); |
|
2050 + goto cleanup; |
|
2051 + } |
|
2052 + /* |
|
2053 + * The rpc-handle was created on an fd opened and connected |
|
2054 + * by us, so we have to explicitly tell rpc to close it. |
|
2055 + */ |
|
2056 + if (clnt_control(clnt, CLSET_FD_CLOSE, NULL) != TRUE) { |
|
2057 + clnt_destroy(clnt); |
|
2058 + clnt = NULL; |
|
2059 + (void) t_close(fd); |
|
2060 + } |
|
2061 + |
|
2062 +cleanup: |
|
2063 + if (handlep != (void *) NULL) |
|
2064 + (void) endnetconfig(handlep); |
|
2065 + |
|
2066 + return (clnt); |
|
2067 +} |
|
2068 + |
|
2069 +/* |
|
2070 + * Open an RPCSEC_GSS connection and |
|
2071 + * get a client handle to use for future RPCSEC calls. |
|
2072 + * |
|
2073 + * This function is only used when changing passwords and |
|
2074 + * the kpasswd_protocol is RPCSEC_GSS |
|
2075 + */ |
|
2076 +static int |
|
2077 +_kadm5_initialize_rpcsec_gss_handle(kadm5_server_handle_t handle, |
|
2078 + char *client_name, |
|
2079 + char *service_name) |
|
2080 +{ |
|
2081 + int code = 0; |
|
2082 + generic_ret *r; |
|
2083 + char *ccname_orig = NULL; |
|
2084 + char *iprop_svc; |
|
2085 + boolean_t iprop_enable = B_FALSE; |
|
2086 + char mech[] = "kerberos_v5"; |
|
2087 + gss_OID mech_oid; |
|
2088 + gss_OID_set_desc oid_set; |
|
2089 + gss_name_t gss_client; |
|
2090 + gss_buffer_desc input_name; |
|
2091 + gss_cred_id_t gss_client_creds = GSS_C_NO_CREDENTIAL; |
|
2092 + rpc_gss_options_req_t options_req; |
|
2093 + rpc_gss_options_ret_t options_ret; |
|
2094 + rpc_gss_service_t service = rpc_gss_svc_privacy; |
|
2095 + OM_uint32 gssstat, minor_stat; |
|
2096 + enum clnt_stat rpc_err_code; |
|
2097 + char *server; |
|
2098 + int port; |
|
2099 + |
|
2100 + /* service name is service/host */ |
|
2101 + server = strpbrk(service_name, "/"); |
|
2102 + if (!server) { |
|
2103 + code = KADM5_BAD_SERVER_NAME; |
|
2104 + goto cleanup; |
|
2105 + } |
|
2106 + |
|
2107 + /* but rpc_gss_secreate expects service@host */ |
|
2108 + *server++ = '@'; |
|
2109 + |
|
2110 + iprop_svc = strdup(KIPROP_SVC_NAME); |
|
2111 + if (iprop_svc == NULL) |
|
2112 + return (ENOMEM); |
|
2113 + |
|
2114 + /* |
|
2115 + * If the service_name and client_name are iprop-centric |
|
2116 + * use iprop service; otherwise use kadmin service. |
|
2117 + */ |
|
2118 + if ((strstr(service_name, iprop_svc) != NULL) && |
|
2119 + (strstr(client_name, iprop_svc) != NULL)) { |
|
2120 + iprop_enable = B_TRUE; |
|
2121 + } |
|
2122 + |
|
2123 + /* |
|
2124 + * iprop fallback logic: |
|
2125 + * - if iprop_port is configured, connect to iprop_port |
|
2126 + * - if not, query remote rpc/bind |
|
2127 + * - if that fails, try consuming iprop service on kadmin port |
|
2128 + */ |
|
2129 + if (iprop_enable && handle->params.iprop_port != 0){ |
|
2130 + port = handle->params.iprop_port; |
|
2131 + handle->clnt = clnt_create_with_port(server, port, |
|
2132 + KRB5_IPROP_PROG, |
|
2133 + KRB5_IPROP_VERS); |
|
2134 + } else if (iprop_enable && handle->params.iprop_port == 0) { |
|
2135 + /* using remote rpc/bind first */ |
|
2136 + handle->clnt = clnt_create(server, KRB5_IPROP_PROG, |
|
2137 + KRB5_IPROP_VERS, NC_TCP); |
|
2138 + if (handle->clnt == NULL) { |
|
2139 + /* possible rpc/bind failure, try kadmin port */ |
|
2140 + port = handle->params.kadmind_port; |
|
2141 + handle->clnt = clnt_create_with_port(server, port, |
|
2142 + KRB5_IPROP_PROG, |
|
2143 + KRB5_IPROP_VERS); |
|
2144 + } |
|
2145 + } else { |
|
2146 + /* kadmin service */ |
|
2147 + port = handle->params.kadmind_port; |
|
2148 + handle->clnt = clnt_create_with_port(server, port, |
|
2149 + KADM, KADMVERS); |
|
2150 + } |
|
2151 + |
|
2152 + if (handle->clnt == NULL) { |
|
2153 + code = KADM5_RPC_ERROR; |
|
2154 + goto error; |
|
2155 + } |
|
2156 + |
|
2157 + if (iprop_svc) |
|
2158 + free(iprop_svc); |
|
2159 + |
|
2160 + handle->lhandle->clnt = handle->clnt; |
|
2161 + |
|
2162 + /* now that handle->clnt is set, we can check the handle */ |
|
2163 + if (code = _kadm5_check_handle((void *) handle)) |
|
2164 + goto error; |
|
2165 + |
|
2166 + /* |
|
2167 + * The RPC connection is open; establish the GSS-API |
|
2168 + * authentication context. |
|
2169 + */ |
|
2170 + /* use the kadm5 cache */ |
|
2171 + gssstat = gss_krb5_ccache_name(&minor_stat, handle->cache_name, |
|
2172 + &ccname_orig); |
|
2173 + if (gssstat != GSS_S_COMPLETE) { |
|
2174 + code = KADM5_GSS_ERROR; |
|
2175 + goto error; |
|
2176 + } |
|
2177 + if (ccname_orig) |
|
2178 + ccname_orig = strdup(ccname_orig); |
|
2179 + |
|
2180 + input_name.value = client_name; |
|
2181 + input_name.length = strlen((char *)input_name.value) + 1; |
|
2182 + gssstat = gss_import_name(&minor_stat, &input_name, |
|
2183 + (gss_OID)gss_nt_krb5_name, &gss_client); |
|
2184 + if (gssstat != GSS_S_COMPLETE) { |
|
2185 + code = KADM5_GSS_ERROR; |
|
2186 + goto error; |
|
2187 + } |
|
2188 + |
|
2189 + if (!rpc_gss_mech_to_oid(mech, (rpc_gss_OID *)&mech_oid)) { |
|
2190 + goto error; |
|
2191 + } |
|
2192 + |
|
2193 + oid_set.count = 1; |
|
2194 + oid_set.elements = mech_oid; |
|
2195 + |
|
2196 + gssstat = gss_acquire_cred(&minor_stat, gss_client, 0, |
|
2197 + &oid_set, GSS_C_INITIATE, |
|
2198 + &gss_client_creds, NULL, NULL); |
|
2199 + (void) gss_release_name(&minor_stat, &gss_client); |
|
2200 + if (gssstat != GSS_S_COMPLETE) { |
|
2201 + code = KADM5_GSS_ERROR; |
|
2202 + goto error; |
|
2203 + } |
|
2204 + options_req.my_cred = gss_client_creds; |
|
2205 + options_req.req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG; |
|
2206 + options_req.time_req = 0; |
|
2207 + options_req.input_channel_bindings = NULL; |
|
2208 +#ifndef INIT_TEST |
|
2209 + handle->clnt->cl_auth = rpc_gss_seccreate(handle->clnt, |
|
2210 + service_name, |
|
2211 + mech, |
|
2212 + service, |
|
2213 + NULL, |
|
2214 + &options_req, |
|
2215 + &options_ret); |
|
2216 +#endif /* ! INIT_TEST */ |
|
2217 + |
|
2218 + if (ccname_orig) { |
|
2219 + gssstat = gss_krb5_ccache_name(&minor_stat, ccname_orig, NULL); |
|
2220 + free(ccname_orig); |
|
2221 + if (gssstat != GSS_S_COMPLETE) { |
|
2222 + code = KADM5_GSS_ERROR; |
|
2223 + goto error; |
|
2224 + } |
|
2225 + } else { |
|
2226 + gssstat = gss_krb5_ccache_name(&minor_stat, NULL, NULL); |
|
2227 + if (gssstat != GSS_S_COMPLETE) { |
|
2228 + code = KADM5_GSS_ERROR; |
|
2229 + goto error; |
|
2230 + } |
|
2231 + } |
|
2232 + |
|
2233 + if (handle->clnt->cl_auth == NULL) { |
|
2234 + code = KADM5_GSS_ERROR; |
|
2235 + goto error; |
|
2236 + } |
|
2237 + |
|
2238 + /* |
|
2239 + * Bypass the remainder of the code and return straightaway |
|
2240 + * if the gss service requested is kiprop |
|
2241 + */ |
|
2242 + if (iprop_enable == B_TRUE) { |
|
2243 + code = 0; |
|
2244 + goto cleanup; |
|
2245 + } |
|
2246 + |
|
2247 + r = init_2(&handle->api_version, handle->clnt); |
|
2248 + if (r == NULL) { |
|
2249 + code = KADM5_RPC_ERROR; |
|
2250 + goto error; |
|
2251 + } |
|
2252 + |
|
2253 + /* Drop down to v3 wire protocol if server does not support v4 */ |
|
2254 + if (r->code == KADM5_NEW_SERVER_API_VERSION && |
|
2255 + handle->api_version == KADM5_API_VERSION_4) { |
|
2256 + handle->api_version = KADM5_API_VERSION_3; |
|
2257 + r = init_2(&handle->api_version, handle->clnt); |
|
2258 + if (r == NULL) { |
|
2259 + code = KADM5_RPC_ERROR; |
|
2260 + goto error; |
|
2261 + } |
|
2262 + } |
|
2263 + |
|
2264 + /* Drop down to v2 wire protocol if server does not support v3 */ |
|
2265 + if (r->code == KADM5_NEW_SERVER_API_VERSION && |
|
2266 + handle->api_version == KADM5_API_VERSION_3) { |
|
2267 + handle->api_version = KADM5_API_VERSION_2; |
|
2268 + r = init_2(&handle->api_version, handle->clnt); |
|
2269 + if (r == NULL) { |
|
2270 + code = KADM5_RPC_ERROR; |
|
2271 + goto error; |
|
2272 + } |
|
2273 + } |
|
2274 + |
|
2275 + if (r->code) { |
|
2276 + code = r->code; |
|
2277 + goto error; |
|
2278 + } |
|
2279 +error: |
|
2280 +cleanup: |
|
2281 + /* |
|
2282 + * gss_client_creds is freed only when there is an error condition, |
|
2283 + * given that rpc_gss_seccreate() will assign the cred pointer to the |
|
2284 + * my_cred member in the auth handle's private data structure. |
|
2285 + */ |
|
2286 + if (code && (gss_client_creds != GSS_C_NO_CREDENTIAL)) |
|
2287 + (void) gss_release_cred(&minor_stat, &gss_client_creds); |
|
2288 + |
|
2289 + return (code); |
|
2290 +} |
|
2291 + |
|
2292 static kadm5_ret_t |
|
2293 init_any(krb5_context context, char *client_name, enum init_type init_type, |
|
2294 - char *pass, krb5_ccache ccache_in, char *service_name, |
|
2295 + char *pass, krb5_ccache ccache_in, char *svcname_in, |
|
2296 kadm5_config_params *params_in, krb5_ui_4 struct_version, |
|
2297 krb5_ui_4 api_version, char **db_args, void **server_handle) |
|
2298 { |
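Review bot: In `_kadm5_initialize_rpcsec_gss_handle` the `if (!rpc_gss_mech_to_oid(mech, (rpc_gss_OID *)&mech_oid)) { goto error; }` branch jumps to `error:` while `code` is still 0, so the caller is told the handle is ready although `rpc_gss_seccreate` was never reached and `cl_auth` holds whatever `clnt_tli_create` installed; set `code = KADM5_GSS_ERROR;` before that goto, as the neighbouring GSS checks do. The same function switches the process-wide ccache name with `gss_krb5_ccache_name(&minor_stat, handle->cache_name, &ccname_orig)` and only restores it on the straight-line path, so every `goto error` between that call and the restore leaves the global name pointing at `handle->cache_name` and leaks the `strdup`ed `ccname_orig`; moving the restore and `free(ccname_orig)` under the shared `error:`/`cleanup:` label closes both. `iprop_svc` is likewise leaked on the `KADM5_RPC_ERROR` exit that precedes `free(iprop_svc)`; since it is only ever passed to `strstr`, `KIPROP_SVC_NAME` can be used directly and the `strdup`/`ENOMEM` path dropped. Separately, `clnt_create_with_port` copies `hp->h_addrtype` into a `struct sockaddr_in` unchecked and then `memcpy`s only `sizeof (addr.sin_addr)` bytes, so an AF_INET6 answer from `gethostbyname` would appear to be truncated into an IPv4 address; `getaddrinfo` with `ai_family = AF_INET` (matching the `NC_INET` transport selected below it) would also remove the non-reentrant lookup from a library path. `init_any`'s body continues past the end of the hunk.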
|
2299 @@ -158,6 +528,7 @@ init_any(krb5_context context, char *cli |
|
2300 |
|
2301 int code = 0; |
|
2302 generic_ret *r; |
|
2303 + char svcname[BUFSIZ]; |
|
2304 |
|
2305 initialize_ovk_error_table(); |
|
2306 /* initialize_adb_error_table(); */ |
|
2307 @@ -225,99 +596,27 @@ init_any(krb5_context context, char *cli |
|
2308 if (code) |
|
2309 goto error; |
|
2310 |
|
2311 - /* |
|
2312 - * Get credentials. Also does some fallbacks in case kadmin/fqdn |
|
2313 - * principal doesn't exist. |
|
2314 - */ |
|
2315 - code = get_init_creds(handle, client, init_type, pass, ccache_in, |
|
2316 - service_name, handle->params.realm, &server); |
|
2317 - if (code) |
|
2318 - goto error; |
|
2319 - |
|
2320 - /* If the service_name and client_name are iprop-centric, use the iprop |
|
2321 - * port and RPC identifiers. */ |
|
2322 - iprop_enable = (service_name != NULL && |
|
2323 - strstr(service_name, KIPROP_SVC_NAME) != NULL && |
|
2324 - strstr(client_name, KIPROP_SVC_NAME) != NULL); |
|
2325 - if (iprop_enable) { |
|
2326 - port = handle->params.iprop_port; |
|
2327 - rpc_prog = KRB5_IPROP_PROG; |
|
2328 - rpc_vers = KRB5_IPROP_VERS; |
|
2329 + /* NULL svcname means use host-based. */ |
|
2330 + if (svcname_in == NULL) { |
|
2331 + code = kadm5_get_admin_service_name(handle->context, |
|
2332 + handle->params.realm, |
|
2333 + svcname, sizeof(svcname)); |
|
2334 + if (code) |
|
2335 + goto error; |
|
2336 } else { |
|
2337 - port = handle->params.kadmind_port; |
|
2338 - rpc_prog = KADM; |
|
2339 - rpc_vers = KADMVERS; |
|
2340 - } |
|
2341 - |
|
2342 - code = connect_to_server(handle->params.admin_server, port, &fd); |
|
2343 - if (code) |
|
2344 - goto error; |
|
2345 - |
|
2346 - handle->clnt = clnttcp_create(NULL, rpc_prog, rpc_vers, &fd, 0, 0); |
|
2347 - if (handle->clnt == NULL) { |
|
2348 - code = KADM5_RPC_ERROR; |
|
2349 -#ifdef DEBUG |
|
2350 - clnt_pcreateerror("clnttcp_create"); |
|
2351 -#endif |
|
2352 - goto error; |
|
2353 + strncpy(svcname, svcname_in, sizeof(svcname)); |
|
2354 + svcname[sizeof(svcname)-1] = '\0'; |
|
2355 } |
|
2356 - handle->client_socket = fd; |
|
2357 - handle->lhandle->clnt = handle->clnt; |
|
2358 - handle->lhandle->client_socket = fd; |
|
2359 - |
|
2360 - /* now that handle->clnt is set, we can check the handle */ |
|
2361 - if ((code = _kadm5_check_handle((void *) handle))) |
|
2362 - goto error; |
|
2363 |
|
2364 - /* |
|
2365 - * The RPC connection is open; establish the GSS-API |
|
2366 - * authentication context. |
|
2367 - */ |
|
2368 - code = setup_gss(handle, params_in, |
|
2369 - (init_type == INIT_CREDS) ? client : NULL, server); |
|
2370 + /* Get credentials. */ |
|
2371 + code = get_init_creds(handle, client, init_type, pass, ccache_in, |
|
2372 + svcname, handle->params.realm, &server); |
|
2373 if (code) |
|
2374 goto error; |
|
2375 |
|
2376 - /* |
|
2377 - * Bypass the remainder of the code and return straightaway |
|
2378 - * if the gss service requested is kiprop |
|
2379 - */ |
|
2380 - if (iprop_enable) { |
|
2381 - code = 0; |
|
2382 - *server_handle = (void *) handle; |
|
2383 - goto cleanup; |
|
2384 - } |
|
2385 - |
|
2386 - r = init_2(&handle->api_version, handle->clnt); |
|
2387 - if (r == NULL) { |
|
2388 - code = KADM5_RPC_ERROR; |
|
2389 -#ifdef DEBUG |
|
2390 - clnt_perror(handle->clnt, "init_2 null resp"); |
|
2391 -#endif |
|
2392 - goto error; |
|
2393 - } |
|
2394 - /* Drop down to v3 wire protocol if server does not support v4 */ |
|
2395 - if (r->code == KADM5_NEW_SERVER_API_VERSION && |
|
2396 - handle->api_version == KADM5_API_VERSION_4) { |
|
2397 - handle->api_version = KADM5_API_VERSION_3; |
|
2398 - r = init_2(&handle->api_version, handle->clnt); |
|
2399 - if (r == NULL) { |
|
2400 - code = KADM5_RPC_ERROR; |
|
2401 - goto error; |
|
2402 - } |
|
2403 - } |
|
2404 - /* Drop down to v2 wire protocol if server does not support v3 */ |
|
2405 - if (r->code == KADM5_NEW_SERVER_API_VERSION && |
|
2406 - handle->api_version == KADM5_API_VERSION_3) { |
|
2407 - handle->api_version = KADM5_API_VERSION_2; |
|
2408 - r = init_2(&handle->api_version, handle->clnt); |
|
2409 - if (r == NULL) { |
|
2410 - code = KADM5_RPC_ERROR; |
|
2411 - goto error; |
|
2412 - } |
|
2413 - } |
|
2414 - if (r->code) { |
|
2415 - code = r->code; |
|
2416 + code = _kadm5_initialize_rpcsec_gss_handle(handle, client_name, |
|
2417 + svcname); |
|
2418 + if (code != 0) { |
|
2419 goto error; |
|
2420 } |
|
2421 |
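Review bot: `svcname` is handed to `_kadm5_initialize_rpcsec_gss_handle`, which rewrites the `/` to `@` in place, so after that call the buffer no longer holds the `service/host` form that `get_init_creds` was given just before; a comment at the call, `/* NB: rewrites svcname to service@host in place. */`, would warn anyone who reads `svcname` later in the function. The removed `handle->client_socket = fd` and `handle->lhandle->client_socket = fd` assignments have no replacement, so if any remaining code (the destroy path, for instance) still closes `client_socket`, it now reads a field this hunk no longer initialises — whether such a user exists is not visible here. `init_any` continues outside the hunk.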
|
2422 @@ -357,31 +656,17 @@ cleanup: |
|
2423 return code; |
|
2424 } |
|
2425 |
|
2426 -/* Get initial credentials for authenticating to server. Perform fallback from |
|
2427 - * kadmin/fqdn to kadmin/admin if svcname_in is NULL. */ |
|
2428 +/* Get initial credentials for authenticating to server. */ |
|
2429 static kadm5_ret_t |
|
2430 get_init_creds(kadm5_server_handle_t handle, krb5_principal client, |
|
2431 enum init_type init_type, char *pass, krb5_ccache ccache_in, |
|
2432 - char *svcname_in, char *realm, krb5_principal *server_out) |
|
2433 + char *svcname, char *realm, krb5_principal *server_out) |
|
2434 { |
|
2435 kadm5_ret_t code; |
|
2436 krb5_ccache ccache = NULL; |
|
2437 - char svcname[BUFSIZ]; |
|
2438 |
|
2439 *server_out = NULL; |
|
2440 |
|
2441 - /* NULL svcname means use host-based. */ |
|
2442 - if (svcname_in == NULL) { |
|
2443 - code = kadm5_get_admin_service_name(handle->context, |
|
2444 - handle->params.realm, |
|
2445 - svcname, sizeof(svcname)); |
|
2446 - if (code) |
|
2447 - goto error; |
|
2448 - } else { |
|
2449 - strncpy(svcname, svcname_in, sizeof(svcname)); |
|
2450 - svcname[sizeof(svcname)-1] = '\0'; |
|
2451 - } |
|
2452 - |
|
2453 /* |
|
2454 * Acquire a service ticket for svcname@realm for client, using password |
|
2455 * pass (which could be NULL), and create a ccache to store them in. If |
|
2456 @@ -419,12 +704,6 @@ get_init_creds(kadm5_server_handle_t han |
|
2457 |
|
2458 code = gic_iter(handle, init_type, ccache, client, pass, svcname, realm, |
|
2459 server_out); |
|
2460 - if ((code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN |
|
2461 - || code == KRB5_CC_NOTFOUND) && svcname_in == NULL) { |
|
2462 - /* Retry with old host-independent service principal. */ |
|
2463 - code = gic_iter(handle, init_type, ccache, client, pass, |
|
2464 - KADM5_ADMIN_SERVICE, realm, server_out); |
|
2465 - } |
|
2466 /* Improved error messages */ |
|
2467 if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) code = KADM5_BAD_PASSWORD; |
|
2468 if (code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) |
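Review bot: Dropping the retry with `KADM5_ADMIN_SERVICE` is a visible behaviour change: a realm whose KDC only has the host-independent `kadmin/admin` principal now fails with `KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN` where the old code fell back, and nothing in the new code records why. A comment above the `gic_iter` call, `/* Intentionally no fallback to KADM5_ADMIN_SERVICE: <reason the patch author had> */`, would keep the next maintainer from reinstating it by mistake; the reason is not stated in this hunk, so I have not guessed at it. `get_init_creds` continues outside the hunk.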
|
2469 @@ -691,6 +970,26 @@ rpc_auth(kadm5_server_handle_t handle, k |
|
2470 gss_cred_id_t gss_client_creds, gss_name_t gss_target) |
|
2471 { |
|
2472 OM_uint32 gssstat, minor_stat; |
|
2473 + gss_buffer_desc buf; |
|
2474 + rpc_gss_options_req_t options_req; |
|
2475 + rpc_gss_options_ret_t options_ret; |
|
2476 + |
|
2477 + if (gss_display_name(&minor_stat, gss_target, &buf, NULL) != GSS_S_COMPLETE) |
|
2478 + return; |
|
2479 + |
|
2480 + options_req.my_cred = gss_client_creds; |
|
2481 + options_req.req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG; |
|
2482 + options_req.time_req = 0; |
|
2483 + options_req.input_channel_bindings = NULL; |
|
2484 + handle->clnt->cl_auth = rpc_gss_seccreate(handle->clnt, |
|
2485 + (char*) buf.value, |
|
2486 + "kerberos_v5", |
|
2487 + rpc_gss_svc_privacy, |
|
2488 + NULL, |
|
2489 + &options_req, |
|
2490 + &options_ret); |
|
2491 + |
|
2492 +#if 0 |
|
2493 struct rpc_gss_sec sec; |
|
2494 |
|
2495 /* Allow unauthenticated option for testing. */ |
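Review bot: `buf` returned by `gss_display_name` is never released, so every call to `rpc_auth` leaks the display-name buffer; add `(void) gss_release_buffer(&minor_stat, &buf);` after the `rpc_gss_seccreate` call. GSS-API does not guarantee that `buf.value` is NUL-terminated, yet it is passed as a C string to `rpc_gss_seccreate`; copying `buf.length` bytes into a NUL-terminated buffer first removes the dependence on the mechanism's behaviour. The function also gives the caller no signal when `rpc_gss_seccreate` returns NULL — `handle->clnt->cl_auth` is simply left NULL — and the old `struct rpc_gss_sec` path kept under `#if 0` in the next hunk should be deleted rather than left as dead code. `rpc_auth`'s body ends outside this hunk.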
|
2496 @@ -725,6 +1024,7 @@ rpc_auth(kadm5_server_handle_t handle, k |
|
2497 GSS_C_MUTUAL_FLAG |
|
2498 | GSS_C_REPLAY_FLAG, |
|
2499 0, NULL, NULL, NULL); |
|
2500 +#endif |
|
2501 } |
|
2502 |
|
2503 kadm5_ret_t |
|
2504 diff -pur old/src/lib/kadm5/clnt/client_principal.c new/src/lib/kadm5/clnt/client_principal.c |
|
2505 --- old/src/lib/kadm5/clnt/client_principal.c |
|
2506 +++ new/src/lib/kadm5/clnt/client_principal.c |
|
2507 @@ -5,7 +5,7 @@ |
|
2508 * $Header$ |
|
2509 */ |
|
2510 |
|
2511 -#include <gssrpc/rpc.h> |
|
2512 +#include <rpc/rpc.h> |
|
2513 #include <kadm5/admin.h> |
|
2514 #include <kadm5/kadm_rpc.h> |
|
2515 #ifdef HAVE_MEMORY_H |
|
2516 diff -pur old/src/lib/kadm5/clnt/client_rpc.c new/src/lib/kadm5/clnt/client_rpc.c |
|
2517 --- old/src/lib/kadm5/clnt/client_rpc.c |
|
2518 +++ new/src/lib/kadm5/clnt/client_rpc.c |
|
2519 @@ -1,5 +1,5 @@ |
|
2520 /* -*- mode: c; c-file-style: "bsd"; indent-tabs-mode: t -*- */ |
|
2521 -#include <gssrpc/rpc.h> |
|
2522 +#include <rpc/rpc.h> |
|
2523 #include <kadm5/kadm_rpc.h> |
|
2524 #include <krb5.h> |
|
2525 #include <kadm5/admin.h> |
|
2526 diff -pur old/src/lib/kadm5/clnt/clnt_policy.c new/src/lib/kadm5/clnt/clnt_policy.c |
|
2527 --- old/src/lib/kadm5/clnt/clnt_policy.c |
|
2528 +++ new/src/lib/kadm5/clnt/clnt_policy.c |
|
2529 @@ -5,7 +5,7 @@ |
|
2530 * $Header$ |
|
2531 */ |
|
2532 |
|
2533 -#include <gssrpc/rpc.h> |
|
2534 +#include <rpc/rpc.h> |
|
2535 #include <kadm5/admin.h> |
|
2536 #include <kadm5/kadm_rpc.h> |
|
2537 #include "client_internal.h" |
|
2538 diff -pur old/src/lib/kadm5/clnt/clnt_privs.c new/src/lib/kadm5/clnt/clnt_privs.c |
|
2539 --- old/src/lib/kadm5/clnt/clnt_privs.c |
|
2540 +++ new/src/lib/kadm5/clnt/clnt_privs.c |
|
2541 @@ -7,7 +7,7 @@ |
|
2542 * |
|
2543 */ |
|
2544 |
|
2545 -#include <gssrpc/rpc.h> |
|
2546 +#include <rpc/rpc.h> |
|
2547 #include <kadm5/admin.h> |
|
2548 #include <kadm5/kadm_rpc.h> |
|
2549 #include "client_internal.h" |
|
2550 diff -pur old/src/lib/kadm5/deps new/src/lib/kadm5/deps |
|
2551 --- old/src/lib/kadm5/deps |
|
2552 +++ new/src/lib/kadm5/deps |
|
2553 @@ -90,6 +90,20 @@ str_conv.so str_conv.po $(OUTPRE)str_con |
|
2554 $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ |
|
2555 $(top_srcdir)/include/socket-utils.h admin_internal.h \ |
|
2556 str_conv.c |
|
2557 +kadm_host_srv_names.so kadm_host_srv_names.po $(OUTPRE)kadm_host_srv_names.$(OBJEXT): \ |
|
2558 + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \ |
|
2559 + $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \ |
|
2560 + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ |
|
2561 + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../krb5/os/os-proto.h \ |
|
2562 + $(top_srcdir)/include/fake-addrinfo.h $(top_srcdir)/include/k5-buf.h \ |
|
2563 + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ |
|
2564 + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ |
|
2565 + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ |
|
2566 + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ |
|
2567 + $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \ |
|
2568 + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ |
|
2569 + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ |
|
2570 + $(top_srcdir)/include/socket-utils.h admin.h kadm_host_srv_names.c |
|
2571 logger.so logger.po $(OUTPRE)logger.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ |
|
2572 $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ |
|
2573 $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/adm_proto.h \ |
|
2574 diff -pur old/src/lib/kadm5/kadm_rpc.h new/src/lib/kadm5/kadm_rpc.h |
|
2575 --- old/src/lib/kadm5/kadm_rpc.h |
|
2576 +++ new/src/lib/kadm5/kadm_rpc.h |
|
2577 @@ -2,7 +2,7 @@ |
|
2578 #ifndef __KADM_RPC_H__ |
|
2579 #define __KADM_RPC_H__ |
|
2580 |
|
2581 -#include <gssrpc/types.h> |
|
2582 +#include <rpc/types.h> |
|
2583 |
|
2584 #include <krb5.h> |
|
2585 #include <kadm5/admin.h> |
|
2586 @@ -345,5 +345,8 @@ extern bool_t xdr_gstrings_ret (); |
|
2587 extern bool_t xdr_sstring_arg (); |
|
2588 extern bool_t xdr_krb5_string_attr (); |
|
2589 |
|
2590 +/* Solaris libc doesn't define 32 bit version of xdr_int and xdr_u_int */ |
|
2591 +#define xdr_int32 xdr_int |
|
2592 +#define xdr_u_int32 xdr_u_int |
|
2593 |
|
2594 #endif /* __KADM_RPC_H__ */ |
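Review bot: The `xdr_int32`/`xdr_u_int32` aliases added at the end of kadm_rpc.h are only correct while `int` is exactly 32 bits, but the comment records just that Solaris libc lacks the 32-bit variants, not that assumption. Callers that hand an `int32_t *` to what is now `xdr_int` compile because the types happen to coincide, so a mismatch on some future ABI would surface as wire corruption rather than at the macro. Extend the comment, e.g. `/* Solaris libc has no xdr_int32/xdr_u_int32; aliasing to xdr_int/xdr_u_int is valid only while sizeof(int) == 4 */`.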
|
2595 diff -pur old/src/lib/kadm5/kadm_rpc_xdr.c new/src/lib/kadm5/kadm_rpc_xdr.c |
|
2596 --- old/src/lib/kadm5/kadm_rpc_xdr.c |
|
2597 +++ new/src/lib/kadm5/kadm_rpc_xdr.c |
|
2598 @@ -3,7 +3,7 @@ |
|
2599 * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved |
|
2600 */ |
|
2601 |
|
2602 -#include <gssrpc/rpc.h> |
|
2603 +#include <rpc/rpc.h> |
|
2604 #include <krb5.h> |
|
2605 #include <errno.h> |
|
2606 #include <kadm5/admin.h> |
|
2607 diff -pur old/src/lib/kadm5/server_internal.h new/src/lib/kadm5/server_internal.h |
|
2608 --- old/src/lib/kadm5/server_internal.h |
|
2609 +++ new/src/lib/kadm5/server_internal.h |
|
2610 @@ -257,4 +257,8 @@ k5_kadm5_hook_remove (krb5_context conte |
|
2611 |
|
2612 /** @}*/ |
|
2613 |
|
2614 +/* Solaris Kerberos: symbols available in libkadm5srv_mit */ |
|
2615 +extern void xdralloc_create(XDR *xdrs, enum xdr_op op); |
|
2616 +extern caddr_t xdralloc_getdata(XDR *xdrs); |
|
2617 + |
|
2618 #endif /* __KADM5_SERVER_INTERNAL_H__ */ |
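Review bot: The `xdralloc_create`/`xdralloc_getdata` prototypes added here are repeated verbatim as file-local externs in adb_policy.c and princ_xdr.c later in the patch, so three copies of the same contract can drift apart. Both plugin files already include kadm5 headers, so a single declaration in one header they can see (the `kadm5/admin_xdr.h` include in pol_xdr.c looks like a candidate, to be confirmed) would let the per-file externs go. A comment at the one declaration should say where the symbols come from, e.g. `/* Defined in srv/xdr_alloc.c; exported by libkadm5srv_mit for the kdb plugins */`.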
|
2619 diff -pur old/src/lib/kadm5/srv/Makefile.in new/src/lib/kadm5/srv/Makefile.in |
|
2620 --- old/src/lib/kadm5/srv/Makefile.in |
|
2621 +++ new/src/lib/kadm5/srv/Makefile.in |
|
2622 @@ -14,13 +14,12 @@ LIBMINOR=0 |
|
2623 STOBJLISTS=../OBJS.ST OBJS.ST |
|
2624 |
|
2625 SHLIB_EXPDEPS=\ |
|
2626 - $(TOPLIBD)/libgssrpc$(SHLIBEXT) \ |
|
2627 $(TOPLIBD)/libgssapi_krb5$(SHLIBEXT) \ |
|
2628 $(TOPLIBD)/libkdb5$(SHLIBEXT) \ |
|
2629 $(TOPLIBD)/libkrb5$(SHLIBEXT) \ |
|
2630 $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ |
|
2631 $(COM_ERR_DEPLIB) $(SUPPORT_LIBDEP) |
|
2632 -SHLIB_EXPLIBS = -lgssrpc -lgssapi_krb5 -lkdb5 $(KDB5_DB_LIB) \ |
|
2633 +SHLIB_EXPLIBS = -lgssapi_krb5 -lkdb5 $(KDB5_DB_LIB) \ |
|
2634 -lkrb5 -lk5crypto $(SUPPORT_LIB) -lcom_err @GEN_LIB@ $(LIBS) |
|
2635 RELDIR=kadm5/srv |
|
2636 |
|
2637 @@ -38,6 +37,8 @@ SRCS = $(srcdir)/pwqual.c \ |
|
2638 $(srcdir)/server_init.c \ |
|
2639 $(srcdir)/svr_iters.c \ |
|
2640 $(srcdir)/svr_chpass_util.c \ |
|
2641 + $(srcdir)/xdr_alloc.c \ |
|
2642 + $(srcdir)/dyn.c \ |
|
2643 $(srcdir)/adb_xdr.c |
|
2644 |
|
2645 OBJS = pwqual.$(OBJEXT) \ |
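Review bot: The SRCS, OBJS and STLIBOBJS hunks add `$(srcdir)/xdr_alloc.c` and `$(srcdir)/dyn.c` to lib/kadm5/srv, yet the only xdr_alloc.c this patch edits lives at src/lib/rpc/xdr_alloc.c and no hunk moves or copies it, nor dyn.c, into kadm5/srv. Presumably a build step outside the patch relocates them (the header says xdr_alloc.c is "moved out of libgssrpc"), but as written the Makefile references files the source tree does not contain at that path. A one-line comment next to the new SRCS entries naming where the files come from, e.g. `# xdr_alloc.c and dyn.c are taken from lib/rpc (see patch header)`, would keep the next reader from hunting for them.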
|
2646 @@ -54,6 +55,8 @@ OBJS = pwqual.$(OBJEXT) \ |
|
2647 server_init.$(OBJEXT) \ |
|
2648 svr_iters.$(OBJEXT) \ |
|
2649 svr_chpass_util.$(OBJEXT) \ |
|
2650 + xdr_alloc.$(OBJEXT) \ |
|
2651 + dyn.$(OBJEXT) \ |
|
2652 adb_xdr.$(OBJEXT) |
|
2653 |
|
2654 STLIBOBJS = \ |
|
2655 @@ -71,6 +74,8 @@ STLIBOBJS = \ |
|
2656 server_init.o \ |
|
2657 svr_iters.o \ |
|
2658 svr_chpass_util.o \ |
|
2659 + xdr_alloc.o \ |
|
2660 + dyn.o \ |
|
2661 adb_xdr.o |
|
2662 |
|
2663 all-unix:: includes |
|
2664 diff -pur old/src/lib/kadm5/srv/adb_xdr.c new/src/lib/kadm5/srv/adb_xdr.c |
|
2665 --- old/src/lib/kadm5/srv/adb_xdr.c |
|
2666 +++ new/src/lib/kadm5/srv/adb_xdr.c |
|
2667 @@ -7,7 +7,7 @@ |
|
2668 |
|
2669 #include <sys/types.h> |
|
2670 #include <krb5.h> |
|
2671 -#include <gssrpc/rpc.h> |
|
2672 +#include <rpc/rpc.h> |
|
2673 #include "server_internal.h" |
|
2674 #include "admin_xdr.h" |
|
2675 #ifdef HAVE_MEMORY_H |
|
2676 diff -pur old/src/lib/kadm5/srv/server_init.c new/src/lib/kadm5/srv/server_init.c |
|
2677 --- old/src/lib/kadm5/srv/server_init.c |
|
2678 +++ new/src/lib/kadm5/srv/server_init.c |
|
2679 @@ -233,8 +233,7 @@ kadm5_ret_t kadm5_init(krb5_context cont |
|
2680 |
|
2681 #define IPROP_REQUIRED_PARAMS \ |
|
2682 (KADM5_CONFIG_IPROP_ENABLED | \ |
|
2683 - KADM5_CONFIG_IPROP_LOGFILE | \ |
|
2684 - KADM5_CONFIG_IPROP_PORT) |
|
2685 + KADM5_CONFIG_IPROP_LOGFILE) |
|
2686 |
|
2687 if ((handle->params.mask & REQUIRED_PARAMS) != REQUIRED_PARAMS) { |
|
2688 free_db_args(handle); |
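Review bot: Dropping `KADM5_CONFIG_IPROP_PORT` from `IPROP_REQUIRED_PARAMS` is not explained anywhere in the hunk; the patch header says iprop now runs over the Solaris RPC layer, which is presumably why a fixed port is no longer mandatory, but the code itself does not say so. Any remaining reader of the iprop port in `handle->params` (outside this hunk) now runs with the field possibly unset, which is worth confirming. Add a comment above the macro, e.g. `/* Solaris Kerberos: iprop_port is optional with the native RPC transport (TODO confirm no remaining reader of params.iprop_port) */`.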
|
2689 diff -pur old/src/lib/kdb/Makefile.in new/src/lib/kdb/Makefile.in |
|
2690 --- old/src/lib/kdb/Makefile.in |
|
2691 +++ new/src/lib/kdb/Makefile.in |
|
2692 @@ -14,9 +14,8 @@ RELDIR=kdb |
|
2693 |
|
2694 SHLIB_EXPDEPS = \ |
|
2695 $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ |
|
2696 - $(TOPLIBD)/libgssrpc$(SHLIBEXT) \ |
|
2697 $(TOPLIBD)/libkrb5$(SHLIBEXT) |
|
2698 -SHLIB_EXPLIBS=-lgssrpc -lkrb5 -lk5crypto -lcom_err $(SUPPORT_LIB) $(DL_LIB) $(LIBS) |
|
2699 +SHLIB_EXPLIBS= -lkrb5 -lk5crypto -lcom_err $(SUPPORT_LIB) $(DL_LIB) $(LIBS) |
|
2700 |
|
2701 adb_err.$(OBJEXT): adb_err.c |
|
2702 adb_err.c adb_err.h: $(srcdir)/adb_err.et |
|
2703 diff -pur old/src/lib/kdb/iprop_xdr.c new/src/lib/kdb/iprop_xdr.c |
|
2704 --- old/src/lib/kdb/iprop_xdr.c |
|
2705 +++ new/src/lib/kdb/iprop_xdr.c |
|
2706 @@ -9,6 +9,7 @@ |
|
2707 #pragma GCC diagnostic ignored "-Wunused-variable" |
|
2708 #endif |
|
2709 |
|
2710 +#if 0 |
|
2711 static bool_t |
|
2712 xdr_int16_t (XDR *xdrs, int16_t *objp) |
|
2713 { |
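Review bot: Wrapping `xdr_int16_t` through `xdr_uint32_t` in `#if 0` (closed by the `#endif` added in the next hunk) leaves dead code in iprop_xdr.c with no explanation of why these definitions are now unwanted. Presumably the Solaris `<rpc/xdr.h>` already provides these names and the static copies would clash with or shadow them; either delete the block outright or state the reason on the directive, e.g. `#if 0 /* Solaris Kerberos: provided by libc's rpc/xdr.h */`. The functions themselves are unchanged and continue outside this hunk.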
|
2714 @@ -38,6 +39,7 @@ xdr_uint32_t (XDR *xdrs, uint32_t *objp) |
|
2715 return FALSE; |
|
2716 return TRUE; |
|
2717 } |
|
2718 +#endif |
|
2719 |
|
2720 bool_t |
|
2721 xdr_utf8str_t (XDR *xdrs, utf8str_t *objp) |
|
2722 diff -pur old/src/lib/krb5/os/changepw.c new/src/lib/krb5/os/changepw.c |
|
2723 --- old/src/lib/krb5/os/changepw.c |
|
2724 +++ new/src/lib/krb5/os/changepw.c |
|
2725 @@ -57,7 +57,7 @@ struct sendto_callback_context { |
|
2726 * Wrapper function for the two backends |
|
2727 */ |
|
2728 |
|
2729 -static krb5_error_code |
|
2730 +krb5_error_code |
|
2731 locate_kpasswd(krb5_context context, const krb5_data *realm, |
|
2732 struct serverlist *serverlist, krb5_boolean no_udp) |
|
2733 { |
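Review bot: Removing `static` from `locate_kpasswd` turns it into an exported symbol of libkrb5, but this hunk adds no prototype, so the new callers elsewhere in the patch must supply their own declaration. The bare name also departs from the convention the same patch follows in locate_kdc.c, where the new locator is `k5_locate_kadmin`; a `k5_`-prefixed name would keep the internal-API namespace consistent. Declare it once in os-proto.h, e.g. `krb5_error_code locate_kpasswd(krb5_context, const krb5_data *, struct serverlist *, krb5_boolean);`, and add the symbol to the library's export list if one is maintained. The function body continues outside the hunk.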
|
2734 diff -pur old/src/lib/krb5/os/locate_kdc.c new/src/lib/krb5/os/locate_kdc.c |
|
2735 --- old/src/lib/krb5/os/locate_kdc.c |
|
2736 +++ new/src/lib/krb5/os/locate_kdc.c |
|
2737 @@ -675,6 +675,14 @@ k5_locate_kdc(krb5_context context, cons |
|
2738 return k5_locate_server(context, realm, serverlist, stype, no_udp); |
|
2739 } |
|
2740 |
|
2741 +krb5_error_code |
|
2742 +k5_locate_kadmin(krb5_context context, const krb5_data *realm, |
|
2743 + struct serverlist *serverlist) |
|
2744 +{ |
|
2745 + return k5_locate_server(context, realm, serverlist, locate_service_kadmin, |
|
2746 + 1); |
|
2747 +} |
|
2748 + |
|
2749 krb5_boolean |
|
2750 k5_kdc_is_master(krb5_context context, const krb5_data *realm, |
|
2751 struct server_entry *server) |
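Review bot: `k5_locate_kadmin` passes a bare `1` as the `no_udp` argument of `k5_locate_server`, whereas the neighbouring `k5_locate_kdc` forwards a named `no_udp` parameter; the literal hides that kadmin lookups are being restricted to TCP. Either pass `TRUE` with a comment or expose the parameter like its sibling. The function also has no header comment and no prototype in this patch; something like `/* Locate kadmin servers for realm. kadmin is TCP-only, so UDP addresses are excluded. */` plus a declaration in os-proto.h would make the new entry point self-describing.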
|
2752 diff -pur old/src/lib/rpc/xdr_alloc.c new/src/lib/rpc/xdr_alloc.c |
|
2753 --- old/src/lib/rpc/xdr_alloc.c |
|
2754 +++ new/src/lib/rpc/xdr_alloc.c |
|
2755 @@ -35,18 +35,23 @@ |
|
2756 * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved. |
|
2757 */ |
|
2758 |
|
2759 -#include <gssrpc/types.h> |
|
2760 -#include <gssrpc/xdr.h> |
|
2761 +#include <sys/types.h> |
|
2762 +#include <rpc/types.h> |
|
2763 +#include <rpc/xdr.h> |
|
2764 +#include <inttypes.h> |
|
2765 #include "dyn.h" |
|
2766 |
|
2767 static bool_t xdralloc_putlong(XDR *, long *); |
|
2768 -static bool_t xdralloc_putbytes(XDR *, caddr_t, unsigned int); |
|
2769 +static bool_t xdralloc_putbytes(XDR *, caddr_t, int); |
|
2770 static unsigned int xdralloc_getpos(XDR *); |
|
2771 static rpc_inline_t * xdralloc_inline(XDR *, int); |
|
2772 static void xdralloc_destroy(XDR *); |
|
2773 +static bool_t xdralloc_putint32(XDR *, int32_t *); |
|
2774 static bool_t xdralloc_notsup_getlong(XDR *, long *); |
|
2775 -static bool_t xdralloc_notsup_getbytes(XDR *, caddr_t, unsigned int); |
|
2776 +static bool_t xdralloc_notsup_getbytes(XDR *, caddr_t, int); |
|
2777 static bool_t xdralloc_notsup_setpos(XDR *, unsigned int); |
|
2778 +static bool_t xdralloc_notsup_getint32(XDR *, int32_t *); |
|
2779 +static bool_t xdralloc_notsup_control(XDR *, int, void *); |
|
2780 static struct xdr_ops xdralloc_ops = { |
|
2781 xdralloc_notsup_getlong, |
|
2782 xdralloc_putlong, |
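Review bot: The new prototypes for `xdralloc_putint32` and `xdralloc_notsup_getint32` are declared unconditionally, but their definitions (a later hunk) and their only uses in `xdralloc_ops` are inside `#if defined(_LP64)`; on a 32-bit build they become static functions declared and never defined, which compilers flag under unused-function warnings. Wrap the two declarations in the same `#if defined(_LP64)` … `#endif` as the definitions. The change of the `len` parameters from `unsigned int` to `int` in this hunk is taken up at the `xdralloc_putbytes` hunk.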
|
2783 @@ -56,6 +61,11 @@ static struct xdr_ops xdralloc_ops = { |
|
2784 xdralloc_notsup_setpos, |
|
2785 xdralloc_inline, |
|
2786 xdralloc_destroy, |
|
2787 + xdralloc_notsup_control, |
|
2788 +#if defined(_LP64) |
|
2789 + xdralloc_notsup_getint32, |
|
2790 + xdralloc_putint32, |
|
2791 +#endif |
|
2792 }; |
|
2793 |
|
2794 /* |
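Review bot: `xdralloc_ops` is initialised positionally, so the three new entries (`xdralloc_notsup_control` and the two `_LP64`-only ones) silently depend on the member order of Solaris's `struct xdr_ops`, including which members exist only on 64-bit, and a reader cannot verify that from this file. Either use designated initialisers if the project's compiler baseline allows them, or annotate each new entry with the member it fills, e.g. `/* x_control */` and `/* getint32/putint32: members present only in the _LP64 xdr_ops */`. The member names here are inferred from the entry names; check them against `<rpc/xdr.h>` before committing the comment.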
|
2795 @@ -96,7 +106,12 @@ static bool_t xdralloc_putlong( |
|
2796 register XDR *xdrs, |
|
2797 long *lp) |
|
2798 { |
|
2799 - int l = htonl((uint32_t) *lp); /* XXX need bounds checking */ |
|
2800 +#if defined(_LP64) |
|
2801 + if ((*lp > INT32_MAX) || (*lp < INT32_MIN)) |
|
2802 + return FALSE; |
|
2803 +#endif |
|
2804 + |
|
2805 + int l = htonl((uint32_t) *lp); |
|
2806 |
|
2807 /* XXX assumes sizeof(int)==4 */ |
|
2808 if (DynInsert((DynObject) xdrs->x_private, |
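Review bot: In `xdralloc_putlong` the declaration `int l = htonl((uint32_t) *lp);` now follows the `_LP64` range check, so on 64-bit builds it is a declaration after a statement; that relies on C99 mixed declarations and is rejected or warned about under stricter settings. Keep the declaration first and assign after the check: `int l;` at the top of the block, then `l = htonl((uint32_t) *lp);` after the `#endif`. The function body continues outside the hunk.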
|
2809 @@ -106,11 +121,33 @@ static bool_t xdralloc_putlong( |
|
2810 return (TRUE); |
|
2811 } |
|
2812 |
|
2813 +#if defined(_LP64) |
|
2814 +static bool_t xdralloc_notsup_getint32( |
|
2815 + register XDR *xdrs, |
|
2816 + int32_t *lp) |
|
2817 +{ |
|
2818 + return FALSE; |
|
2819 +} |
|
2820 + |
|
2821 +static bool_t xdralloc_putint32( |
|
2822 + register XDR *xdrs, |
|
2823 + int32_t *lp) |
|
2824 +{ |
|
2825 + int l = htonl((uint32_t) *lp); |
|
2826 + |
|
2827 + /* XXX assumes sizeof(int)==4 */ |
|
2828 + if (DynInsert((DynObject) xdrs->x_private, |
|
2829 + DynSize((DynObject) xdrs->x_private), &l, |
|
2830 + sizeof(int)) != DYN_OK) |
|
2831 + return FALSE; |
|
2832 + return (TRUE); |
|
2833 +} |
|
2834 +#endif |
|
2835 |
|
2836 static bool_t xdralloc_notsup_getbytes( |
|
2837 register XDR *xdrs, |
|
2838 caddr_t addr, |
|
2839 - register unsigned int len) |
|
2840 + register int len) |
|
2841 { |
|
2842 return FALSE; |
|
2843 } |
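Review bot: `xdralloc_putint32` duplicates the body of `xdralloc_putlong` (the `htonl` plus `DynInsert` sequence and the `/* XXX assumes sizeof(int)==4 */` caveat), so any future fix must be applied twice. Since `putlong` already rejects values outside the `int32_t` range on `_LP64`, it could narrow and delegate instead: `int32_t v = (int32_t) *lp; return xdralloc_putint32(xdrs, &v);`. For `xdralloc_notsup_getint32` a one-line comment on why decoding is refused would help; the other `notsup_get*` stubs suggest the alloc stream is encode-only, but that is inferred, so phrase it as `/* decode is not supported on this stream (encode-only, as for getlong/getbytes) */`.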
|
2844 @@ -119,7 +156,7 @@ static bool_t xdralloc_notsup_getbytes( |
|
2845 static bool_t xdralloc_putbytes( |
|
2846 register XDR *xdrs, |
|
2847 caddr_t addr, |
|
2848 - register unsigned int len) |
|
2849 + register int len) |
|
2850 { |
|
2851 if (DynInsert((DynObject) xdrs->x_private, |
|
2852 DynSize((DynObject) xdrs->x_private), |
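Review bot: `xdralloc_putbytes` now takes `int len` (presumably to match the Solaris `xdr_ops` signature) but forwards it to `DynInsert` without checking the sign, whereas the old `unsigned int` could not be negative; a negative length is now handed to a size parameter and the outcome depends on how DynInsert treats it. Add `if (len < 0) return FALSE;` before the `DynInsert` call. The same signature change applies to `xdralloc_notsup_getbytes` in the previous hunk, which is harmless because that stub only returns FALSE. The function body continues outside the hunk.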
|
2853 @@ -148,3 +185,10 @@ static rpc_inline_t *xdralloc_inline( |
|
2854 { |
|
2855 return (rpc_inline_t *) 0; |
|
2856 } |
|
2857 + |
|
2858 +static bool_t xdralloc_notsup_control(XDR *xdrs, |
|
2859 + int request, |
|
2860 + void *info) |
|
2861 +{ |
|
2862 + return FALSE; |
|
2863 +} |
|
2864 diff -pur old/src/plugins/kdb/db2/adb_policy.c new/src/plugins/kdb/db2/adb_policy.c |
|
2865 --- old/src/plugins/kdb/db2/adb_policy.c |
|
2866 +++ new/src/plugins/kdb/db2/adb_policy.c |
|
2867 @@ -28,6 +28,9 @@ |
|
2868 return cl_ret; \ |
|
2869 } |
|
2870 |
|
2871 +/* Solaris Kerberos: symbols available from libkadm5srv_mit */ |
|
2872 +extern void xdralloc_create(XDR *, enum xdr_op); |
|
2873 +extern caddr_t xdralloc_getdata(XDR *); |
|
2874 |
|
2875 /* |
|
2876 * Function: osa_adb_create_policy |
|
2877 diff -pur old/src/plugins/kdb/db2/pol_xdr.c new/src/plugins/kdb/db2/pol_xdr.c |
|
2878 --- old/src/plugins/kdb/db2/pol_xdr.c |
|
2879 +++ new/src/plugins/kdb/db2/pol_xdr.c |
|
2880 @@ -1,6 +1,6 @@ |
|
2881 #include <sys/types.h> |
|
2882 #include <krb5.h> |
|
2883 -#include <gssrpc/rpc.h> |
|
2884 +#include <rpc/rpc.h> |
|
2885 #include <kdb.h> |
|
2886 #include <kadm5/admin_xdr.h> |
|
2887 #include "policy_db.h" |
|
2888 diff -pur old/src/plugins/kdb/db2/policy_db.h new/src/plugins/kdb/db2/policy_db.h |
|
2889 --- old/src/plugins/kdb/db2/policy_db.h |
|
2890 +++ new/src/plugins/kdb/db2/policy_db.h |
|
2891 @@ -28,8 +28,8 @@ |
|
2892 |
|
2893 A better fix might be for db.h to include netinet/in.h if that's |
|
2894 where we find u_int32_t. */ |
|
2895 -#include <gssrpc/types.h> |
|
2896 -#include <gssrpc/xdr.h> |
|
2897 +#include <rpc/types.h> |
|
2898 +#include <rpc/xdr.h> |
|
2899 #include <db.h> |
|
2900 #include "adb_err.h" |
|
2901 #include <com_err.h> |
|
2902 diff -pur old/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c new/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c |
|
2903 --- old/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c |
|
2904 +++ new/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c |
|
2905 @@ -3,6 +3,10 @@ |
|
2906 #include "princ_xdr.h" |
|
2907 #include <kadm5/admin.h> |
|
2908 |
|
2909 +/* Solaris Kerberos: symbols available from libkadm5srv_mit*/ |
|
2910 +extern void xdralloc_create(XDR *, enum xdr_op); |
|
2911 +extern caddr_t xdralloc_getdata(XDR *); |
|
2912 + |
|
2913 bool_t |
|
2914 ldap_xdr_krb5_ui_2(XDR *xdrs, krb5_ui_2 *objp) |
|
2915 { |
|
2916 diff -pur old/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h new/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h |
|
2917 --- old/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h |
|
2918 +++ new/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h |
|
2919 @@ -4,7 +4,7 @@ |
|
2920 #include <sys/types.h> |
|
2921 #include <krb5.h> |
|
2922 #include <kdb.h> |
|
2923 -#include <gssrpc/rpc.h> |
|
2924 +#include <rpc/rpc.h> |
|
2925 |
|
2926 #ifdef HAVE_MEMORY_H |
|
2927 #include <memory.h> |
|
2928 diff -pur old/src/slave/kpropd.c new/src/slave/kpropd.c |
|
2929 --- old/src/slave/kpropd.c |
|
2930 +++ new/src/slave/kpropd.c |
|
2931 @@ -584,7 +584,7 @@ full_resync(CLIENT *clnt) |
|
2932 |
|
2933 memset(&clnt_res, 0, sizeof(clnt_res)); |
|
2934 |
|
2935 - status = clnt_call(clnt, IPROP_FULL_RESYNC_EXT, (xdrproc_t)xdr_u_int32, |
|
2936 + status = clnt_call(clnt, IPROP_FULL_RESYNC_EXT, (xdrproc_t)xdr_u_int, |
|
2937 (caddr_t)&vers, (xdrproc_t)xdr_kdb_fullresync_result_t, |
|
2938 (caddr_t)&clnt_res, full_resync_timeout); |
|
2939 if (status == RPC_PROCUNAVAIL) { |
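Review bot: Switching the XDR routine for `vers` to `xdr_u_int` duplicates what the `#define xdr_u_int32 xdr_u_int` added to kadm_rpc.h in this same patch already achieves; if kpropd.c includes that header the edit is redundant, and if it does not, the two spellings will diverge the day the macro changes. Pick one mechanism, and note next to the call that `vers` (declared outside the hunk) must stay a 32-bit unsigned for `xdr_u_int` to encode it as the four-byte XDR unsigned the peer expects, e.g. `/* vers must be 32-bit unsigned: xdr_u_int encodes exactly 4 bytes */`.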
|
2940 diff -pur old/src/tests/misc/Makefile.in new/src/tests/misc/Makefile.in |
|
2941 --- old/src/tests/misc/Makefile.in |
|
2942 +++ new/src/tests/misc/Makefile.in |
|
2943 @@ -12,18 +12,16 @@ SRCS=\ |
|
2944 $(srcdir)/test_cxx_krb5.cpp \ |
|
2945 $(srcdir)/test_cxx_k5int.cpp \ |
|
2946 $(srcdir)/test_cxx_gss.cpp \ |
|
2947 - $(srcdir)/test_cxx_rpc.cpp \ |
|
2948 $(srcdir)/test_cxx_kadm5.cpp |
|
2949 |
|
2950 all:: test_getpw test_chpw_message |
|
2951 |
|
2952 -check:: test_getpw test_chpw_message test_cxx_krb5 test_cxx_gss test_cxx_rpc test_cxx_k5int test_cxx_kadm5 |
|
2953 +check:: test_getpw test_chpw_message test_cxx_krb5 test_cxx_gss test_cxx_k5int test_cxx_kadm5 |
|
2954 $(RUN_SETUP) $(VALGRIND) ./test_getpw |
|
2955 $(RUN_SETUP) $(VALGRIND) ./test_chpw_message |
|
2956 $(RUN_SETUP) $(VALGRIND) ./test_cxx_krb5 |
|
2957 $(RUN_SETUP) $(VALGRIND) ./test_cxx_k5int |
|
2958 $(RUN_SETUP) $(VALGRIND) ./test_cxx_gss |
|
2959 - $(RUN_SETUP) $(VALGRIND) ./test_cxx_rpc |
|
2960 $(RUN_SETUP) $(VALGRIND) ./test_cxx_kadm5 |
|
2961 |
|
2962 test_getpw: $(OUTPRE)test_getpw.$(OBJEXT) $(SUPPORT_DEPLIB) |
|
2963 @@ -41,18 +39,15 @@ test_cxx_k5int: $(OUTPRE)test_cxx_k5int. |
|
2964 $(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_k5int $(OUTPRE)test_cxx_k5int.$(OBJEXT) $(KRB5_BASE_LIBS) $(LIBS) |
|
2965 test_cxx_gss: $(OUTPRE)test_cxx_gss.$(OBJEXT) |
|
2966 $(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_gss $(OUTPRE)test_cxx_gss.$(OBJEXT) $(LIBS) |
|
2967 -test_cxx_rpc: $(OUTPRE)test_cxx_rpc.$(OBJEXT) $(GSSRPC_DEPLIBS) |
|
2968 - $(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_rpc $(OUTPRE)test_cxx_rpc.$(OBJEXT) $(GSSRPC_LIBS) $(KRB5_BASE_LIBS) $(LIBS) |
|
2969 test_cxx_kadm5: $(OUTPRE)test_cxx_kadm5.$(OBJEXT) $(KADMCLNT_DEPLIBS) |
|
2970 $(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_kadm5 $(OUTPRE)test_cxx_kadm5.$(OBJEXT) $(KADMCLNT_LIBS) $(KRB5_BASE_LIBS) $(LIBS) |
|
2971 |
|
2972 test_cxx_krb5.$(OBJEXT): test_cxx_krb5.cpp |
|
2973 test_cxx_gss.$(OBJEXT): test_cxx_gss.cpp |
|
2974 -test_cxx_rpc.$(OBJEXT): test_cxx_rpc.cpp |
|
2975 test_cxx_kadm5.$(OBJEXT): test_cxx_kadm5.cpp |
|
2976 |
|
2977 install:: |
|
2978 |
|
2979 clean:: |
|
2980 - $(RM) test_getpw test_chpw_message test_cxx_krb5 test_cxx_gss test_cxx_k5int test_cxx_rpc test_cxx_kadm5 *.o |
|
2981 + $(RM) test_getpw test_chpw_message test_cxx_krb5 test_cxx_gss test_cxx_k5int test_cxx_kadm5 *.o |
|
2982 |
|
2983 diff -pur old/src/tests/t_iprop.py new/src/tests/t_iprop.py |
|
2984 --- old/src/tests/t_iprop.py |
|
2985 +++ new/src/tests/t_iprop.py |
|
2986 @@ -1,50 +1,35 @@ |
|
2987 #!/usr/bin/python |
|
2988 |
|
2989 import os |
|
2990 -import re |
|
2991 |
|
2992 from k5test import * |
|
2993 |
|
2994 # Read lines from kpropd output until we are synchronized. Error if |
|
2995 # full_expected is true and we didn't see a full propagation or vice |
|
2996 # versa. |
|
2997 -def wait_for_prop(kpropd, full_expected, expected_old, expected_new): |
|
2998 +def wait_for_prop(kpropd, full_expected): |
|
2999 output('*** Waiting for sync from kpropd\n') |
|
3000 - full_seen = sleep_seen = prodded_after_dump = False |
|
3001 - old_sno = new_sno = -1 |
|
3002 + full_seen = False |
|
3003 while True: |
|
3004 line = kpropd.stdout.readline() |
|
3005 if line == '': |
|
3006 fail('kpropd process exited unexpectedly') |
|
3007 output('kpropd: ' + line) |
|
3008 |
|
3009 - m = re.match(r'Calling iprop_get_updates_1 \(sno=(\d+) ', line) |
|
3010 - if m: |
|
3011 - if not full_seen: |
|
3012 - old_sno = int(m.group(1)) |
|
3013 - # Also record this as the new sno, in case we get back |
|
3014 - # UPDATE_NIL. |
|
3015 - new_sno = int(m.group(1)) |
|
3016 - |
|
3017 - m = re.match(r'Got incremental updates \(sno=(\d+) ', line) |
|
3018 - if m: |
|
3019 - new_sno = int(m.group(1)) |
|
3020 - |
|
3021 if 'KDC is synchronized' in line or 'Incremental updates:' in line: |
|
3022 - break |
|
3023 + output('*** Sync complete\n') |
|
3024 + if full_expected and not full_seen: |
|
3025 + fail('Expected full dump but saw only incremental') |
|
3026 + if full_seen and not full_expected: |
|
3027 + fail('Expected incremental prop but saw full dump') |
|
3028 + return |
|
3029 |
|
3030 - # After a full resync request, these lines could appear in |
|
3031 - # either order. |
|
3032 - if 'Waiting for' in line: |
|
3033 - sleep_seen = True |
|
3034 if 'load process for full propagation completed' in line: |
|
3035 full_seen = True |
|
3036 - if sleep_seen and full_seen and not prodded_after_dump: |
|
3037 - # Prod the kpropd parent into getting incrementals after |
|
3038 - # it finishes a DB load. This will be unnecessary if |
|
3039 - # kpropd is simplified to use a single process. |
|
3040 + # kpropd's child process has finished a DB load; make the parent |
|
3041 + # do another iprop request. This will be unnecessary if kpropd |
|
3042 + # is simplified to use a single process. |
|
3043 kpropd.send_signal(signal.SIGUSR1) |
|
3044 - prodded_after_dump = True |
|
3045 |
|
3046 # Detect some failure conditions. |
|
3047 if 'Still waiting for full resync' in line: |
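Review bot: `wait_for_prop` now returns as soon as it sees 'KDC is synchronized' or 'Incremental updates:', while the old code (removed in the next hunk) went on to wait for kpropd's 'Waiting for' line specifically to avoid racing the caller's next `send_signal(signal.SIGUSR1)`; the new callers signal immediately after return, so that race is reintroduced unless the Solaris kpropd no longer behaves that way. Either restore the second read loop before the `return`, or record in the function's header comment why it is no longer needed, e.g. `# Returns as soon as sync is reported; a following SIGUSR1 is safe because ... (TODO confirm)`. Dropping the `old_sno`/`new_sno` bookkeeping also means this function no longer verifies which serials were fetched, and the new `check_serial` helper does not cover that either.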
|
3048 @@ -60,92 +45,28 @@ def wait_for_prop(kpropd, full_expected, |
|
3049 if 'invalid return' in line: |
|
3050 fail('kadmind returned invalid result') |
|
3051 |
|
3052 - if full_expected and not full_seen: |
|
3053 - fail('Expected full dump but saw only incremental') |
|
3054 - if full_seen and not full_expected: |
|
3055 - fail('Expected incremental prop but saw full dump') |
|
3056 - if old_sno != expected_old: |
|
3057 - fail('Expected old serial %d from kpropd sync' % expected_old) |
|
3058 - if new_sno != expected_new: |
|
3059 - fail('Expected new serial %d from kpropd sync' % expected_new) |
|
3060 - |
|
3061 - # Wait until kpropd is sleeping before continuing, to avoid races. |
|
3062 - # (This is imperfect since there's there is a short window between |
|
3063 - # the fprintf and the sleep; kpropd will need design changes to |
|
3064 - # fix that.) |
|
3065 - while True: |
|
3066 - line = kpropd.stdout.readline() |
|
3067 - output('kpropd: ' + line) |
|
3068 - if 'Waiting for' in line: |
|
3069 - break |
|
3070 - output('*** Sync complete\n') |
|
3071 - |
|
3072 -# Verify the output of kproplog against the expected number of |
|
3073 -# entries, first and last serial number, and a list of principal names |
|
3074 -# for the update entrires. |
|
3075 -def check_ulog(num, first, last, entries, env=None): |
|
3076 - out = realm.run([kproplog], env=env) |
|
3077 - if 'Number of entries : ' + str(num) + '\n' not in out: |
|
3078 - fail('Expected %d entries' % num) |
|
3079 - if last: |
|
3080 - firststr = first and str(first) or 'None' |
|
3081 - if 'First serial # : ' + firststr + '\n' not in out: |
|
3082 - fail('Expected first serial number %d' % first) |
|
3083 - laststr = last and str(last) or 'None' |
|
3084 - if 'Last serial # : ' + laststr + '\n' not in out: |
|
3085 - fail('Expected last serial number %d' % last) |
|
3086 - assert(len(entries) == num) |
|
3087 - ser = first - 1 |
|
3088 - entindex = 0 |
|
3089 - for line in out.splitlines(): |
|
3090 - m = re.match(r'\tUpdate serial # : (\d+)$', line) |
|
3091 - if m: |
|
3092 - ser = ser + 1 |
|
3093 - if m.group(1) != str(ser): |
|
3094 - fail('Expected serial number %d in update entry' % ser) |
|
3095 - m = re.match(r'\tUpdate principal : (.*)$', line) |
|
3096 - if m: |
|
3097 - eprinc = entries[ser - first] |
|
3098 - if m.group(1) != eprinc: |
|
3099 - fail('Expected princ %s in update entry %d' % (eprinc, ser)) |
|
3100 - |
|
3101 -# slave1 will receive updates from master, and slave2 will receive |
|
3102 -# updates from slave1. Because of the awkward way iprop and kprop |
|
3103 -# port configuration currently works, we need separate config files |
|
3104 -# for the slave and master sides of slave1, but they use the same DB |
|
3105 -# and ulog file. |
|
3106 -conf = {'realms': {'$realm': {'iprop_enable': 'true', |
|
3107 - 'iprop_logfile': '$testdir/db.ulog'}}} |
|
3108 -conf_slave1 = {'realms': {'$realm': {'iprop_slave_poll': '600', |
|
3109 - 'iprop_logfile': '$testdir/ulog.slave1'}}, |
|
3110 - 'dbmodules': {'db': {'database_name': '$testdir/db.slave1'}}} |
|
3111 -conf_slave1m = {'realms': {'$realm': {'iprop_logfile': '$testdir/ulog.slave1', |
|
3112 - 'iprop_port': '$port8'}}, |
|
3113 - 'dbmodules': {'db': {'database_name': '$testdir/db.slave1'}}} |
|
3114 -conf_slave2 = {'realms': {'$realm': {'iprop_slave_poll': '600', |
|
3115 - 'iprop_logfile': '$testdir/ulog.slave2', |
|
3116 - 'iprop_port': '$port8'}}, |
|
3117 - 'dbmodules': {'db': {'database_name': '$testdir/db.slave2'}}} |
|
3118 |
|
3119 -realm = K5Realm(kdc_conf=conf, create_user=False, start_kadmind=True) |
|
3120 -slave1 = realm.special_env('slave1', True, kdc_conf=conf_slave1) |
|
3121 -slave1m = realm.special_env('slave1m', True, kdc_conf=conf_slave1m) |
|
3122 -slave2 = realm.special_env('slave2', True, kdc_conf=conf_slave2) |
|
3123 - |
|
3124 -# Define some principal names. pr3 is long enough to cause internal |
|
3125 -# reallocs, but not long enough to grow the basic ulog entry size. |
|
3126 -pr1 = 'wakawaka@' + realm.realm |
|
3127 -pr2 = 'w@' + realm.realm |
|
3128 -c = 'chocolate-flavored-school-bus' |
|
3129 -cs = c + '/' |
|
3130 -pr3 = (cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + c + |
|
3131 - '@' + realm.realm) |
|
3132 +# Verify the iprop log last serial number against an expected value, |
|
3133 +# on either the master or slave. |
|
3134 +def check_serial(realm, expected, env=None): |
|
3135 + out = realm.run([kproplog, '-h'], env=env) |
|
3136 + if 'Last serial # : ' not in out: |
|
3137 + fail('Unexpected serial number') |
|
3138 + |
|
3139 + |
|
3140 +conf = { |
|
3141 + 'realms': {'$realm': { |
|
3142 + 'iprop_enable': 'true', |
|
3143 + 'iprop_logfile' : '$testdir/db.ulog'}}} |
|
3144 + |
|
3145 +conf_slave = { |
|
3146 + 'realms': {'$realm': { |
|
3147 + 'iprop_slave_poll': '600', |
|
3148 + 'iprop_logfile' : '$testdir/db.slave.ulog'}}, |
|
3149 + 'dbmodules': {'db': {'database_name': '$testdir/db.slave'}}} |
|
3150 |
|
3151 -# Create the kpropd ACL file. |
|
3152 -acl_file = os.path.join(realm.testdir, 'kpropd-acl') |
|
3153 -acl = open(acl_file, 'w') |
|
3154 -acl.write(realm.host_princ + '\n') |
|
3155 -acl.close() |
|
3156 +realm = K5Realm(kdc_conf=conf, create_user=False, start_kadmind=True) |
|
3157 +slave = realm.special_env('slave', True, kdc_conf=conf_slave) |
|
3158 |
|
3159 ulog = os.path.join(realm.testdir, 'db.ulog') |
|
3160 if not os.path.exists(ulog): |
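Review bot: `check_serial` never uses its `expected` argument: it only tests that 'Last serial # : ' appears in the kproplog output, so every `check_serial(realm, '7')`, `'8'`, `'None'`, … call later in the file passes regardless of the actual serial, and the replaced `check_ulog` assertions on first/last serial and entry count are lost rather than simplified. Compare against the value: `if 'Last serial # : ' + expected + '\n' not in out:` and `fail('Expected last serial number %s' % expected)`. The `'None'` call site then relies on kproplog printing that literal for an empty ulog, exactly as the removed `laststr` logic did.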
|
3161 @@ -153,209 +74,117 @@ if not os.path.exists(ulog): |
|
3162 |
|
3163 # Create the principal used to authenticate kpropd to kadmind. |
|
3164 kiprop_princ = 'kiprop/' + hostname |
|
3165 +realm.addprinc(kiprop_princ) |
|
3166 realm.extract_keytab(kiprop_princ, realm.keytab) |
|
3167 |
|
3168 -# Create the initial slave1 and slave2 databases. |
|
3169 +# Create the slave db. |
|
3170 dumpfile = os.path.join(realm.testdir, 'dump') |
|
3171 realm.run([kdb5_util, 'dump', dumpfile]) |
|
3172 -realm.run([kdb5_util, 'load', dumpfile], slave1) |
|
3173 -realm.run([kdb5_util, 'load', dumpfile], slave2) |
|
3174 +realm.run([kdb5_util, 'load', dumpfile], slave) |
|
3175 +realm.run([kdb5_util, 'stash', '-P', 'master'], slave) |
|
3176 |
|
3177 -# Reinitialize the master ulog so we know exactly what to expect in |
|
3178 -# it. |
|
3179 -realm.run([kproplog, '-R']) |
|
3180 -check_ulog(0, 0, 0, []) |
|
3181 +# Make some changes to the master db. |
|
3182 +realm.addprinc('wakawaka') |
|
3183 +# Add a principal enough to make realloc likely, but not enough to grow |
|
3184 +# basic ulog entry size. |
|
3185 +c = 'chocolate-flavored-school-bus' |
|
3186 +cs = c + '/' |
|
3187 +longname = cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + c |
|
3188 +realm.addprinc(longname) |
|
3189 +realm.addprinc('w') |
|
3190 +realm.run_kadminl('modprinc -allow_tix w') |
|
3191 +realm.run_kadminl('modprinc +allow_tix w') |
|
3192 |
|
3193 -# Make some changes to the master DB. |
|
3194 -realm.addprinc(pr1) |
|
3195 -realm.addprinc(pr3) |
|
3196 -realm.addprinc(pr2) |
|
3197 -realm.run_kadminl('modprinc -allow_tix ' + pr2) |
|
3198 -realm.run_kadminl('modprinc +allow_tix ' + pr2) |
|
3199 -check_ulog(5, 1, 5, [pr1, pr3, pr2, pr2, pr2]) |
|
3200 - |
|
3201 -# Start kpropd for slave1 and get a full dump from master. |
|
3202 -kpropd1 = realm.start_kpropd(slave1, ['-d']) |
|
3203 -wait_for_prop(kpropd1, True, 0, 5) |
|
3204 -out = realm.run_kadminl('listprincs', slave1) |
|
3205 -if pr1 not in out or pr2 not in out or pr3 not in out: |
|
3206 - fail('slave1 does not have all principals from master') |
|
3207 -check_ulog(0, 0, 5, [], slave1) |
|
3208 +check_serial(realm, '7') |
|
3209 + |
|
3210 +# Set up the kpropd acl file. |
|
3211 +acl_file = os.path.join(realm.testdir, 'kpropd-acl') |
|
3212 +acl = open(acl_file, 'w') |
|
3213 +acl.write(realm.host_princ + '\n') |
|
3214 +acl.close() |
|
3215 + |
|
3216 +# Start kpropd and get a full dump from master. |
|
3217 +kpropd = realm.start_kpropd(slave, ['-d']) |
|
3218 +wait_for_prop(kpropd, True) |
|
3219 +out = realm.run_kadminl('listprincs', slave) |
|
3220 +if longname not in out or 'wakawaka' not in out or 'w@' not in out: |
|
3221 + fail('Slave does not have all principals from master') |
|
3222 |
|
3223 # Make a change and check that it propagates incrementally. |
|
3224 -realm.run_kadminl('modprinc -allow_tix ' + pr2) |
|
3225 -check_ulog(6, 1, 6, [pr1, pr3, pr2, pr2, pr2, pr2]) |
|
3226 -kpropd1.send_signal(signal.SIGUSR1) |
|
3227 -wait_for_prop(kpropd1, False, 5, 6) |
|
3228 -check_ulog(1, 6, 6, [pr2], slave1) |
|
3229 -out = realm.run_kadminl('getprinc ' + pr2, slave1) |
|
3230 +realm.run_kadminl('modprinc -allow_tix w') |
|
3231 +check_serial(realm, '8') |
|
3232 +kpropd.send_signal(signal.SIGUSR1) |
|
3233 +wait_for_prop(kpropd, False) |
|
3234 +check_serial(realm, '8', slave) |
|
3235 +out = realm.run_kadminl('getprinc w', slave) |
|
3236 if 'Attributes: DISALLOW_ALL_TIX' not in out: |
|
3237 - fail('slave1 does not have modification from master') |
|
3238 + fail('Slave does not have modification from master') |
|
3239 |
|
3240 -# Start kadmind -proponly for slave1. (Use the slave1m environment |
|
3241 -# which defines iprop_port to $port8.) |
|
3242 -slave1_out_dump_path = os.path.join(realm.testdir, 'dump.slave1.out') |
|
3243 -slave2_in_dump_path = os.path.join(realm.testdir, 'dump.slave2.in') |
|
3244 -slave2_kprop_port = str(realm.portbase + 9) |
|
3245 -slave1m['KPROP_PORT'] = slave2_kprop_port |
|
3246 -realm.start_server([kadmind, '-nofork', '-proponly', '-W', '-p', kdb5_util, |
|
3247 - '-K', kprop, '-F', slave1_out_dump_path], 'starting...', |
|
3248 - slave1m) |
|
3249 - |
|
3250 -# Start kpropd for slave2. The -A option isn't needed since we're |
|
3251 -# talking to the same host as master (we specify it anyway to exercise |
|
3252 -# the code), but slave2 defines iprop_port to $port8 so it will talk |
|
3253 -# to slave1. Get a full dump from slave1. |
|
3254 -kpropd2 = realm.start_server([kpropd, '-d', '-D', '-P', slave2_kprop_port, |
|
3255 - '-f', slave2_in_dump_path, '-p', kdb5_util, |
|
3256 - '-a', acl_file, '-A', hostname], 'ready', slave2) |
|
3257 -wait_for_prop(kpropd2, True, 0, 6) |
|
3258 -check_ulog(0, 0, 6, [], slave2) |
|
3259 -out = realm.run_kadminl('listprincs', slave1) |
|
3260 -if pr1 not in out or pr2 not in out or pr3 not in out: |
|
3261 - fail('slave2 does not have all principals from slave1') |
|
3262 - |
|
3263 -# Make another change and check that it propagates incrementally to |
|
3264 -# both slaves. |
|
3265 -realm.run_kadminl('modprinc -maxrenewlife "22 hours" ' + pr1) |
|
3266 -check_ulog(7, 1, 7, [pr1, pr3, pr2, pr2, pr2, pr2, pr1]) |
|
3267 -kpropd1.send_signal(signal.SIGUSR1) |
|
3268 -wait_for_prop(kpropd1, False, 6, 7) |
|
3269 -check_ulog(2, 6, 7, [pr2, pr1], slave1) |
|
3270 -out = realm.run_kadminl('getprinc ' + pr1, slave1) |
|
3271 -if 'Maximum renewable life: 0 days 22:00:00\n' not in out: |
|
3272 - fail('slave1 does not have modification from master') |
|
3273 -kpropd2.send_signal(signal.SIGUSR1) |
|
3274 -wait_for_prop(kpropd2, False, 6, 7) |
|
3275 -check_ulog(1, 7, 7, [pr1], slave2) |
|
3276 -out = realm.run_kadminl('getprinc ' + pr1, slave2) |
|
3277 -if 'Maximum renewable life: 0 days 22:00:00\n' not in out: |
|
3278 - fail('slave2 does not have modification from slave1') |
|
3279 - |
|
3280 -# Reset the ulog on slave1 to force a full resync from master. The |
|
3281 -# resync will use the old dump file and then propagate changes. |
|
3282 -# slave2 should still be in sync with slave1 after the resync, so make |
|
3283 -# sure it doesn't take a full resync. |
|
3284 -realm.run([kproplog, '-R'], slave1) |
|
3285 -check_ulog(0, 0, 0, [], slave1) |
|
3286 -kpropd1.send_signal(signal.SIGUSR1) |
|
3287 -wait_for_prop(kpropd1, True, 0, 7) |
|
3288 -check_ulog(2, 6, 7, [pr2, pr1], slave1) |
|
3289 -kpropd2.send_signal(signal.SIGUSR1) |
|
3290 -wait_for_prop(kpropd2, False, 7, 7) |
|
3291 -check_ulog(1, 7, 7, [pr1], slave2) |
|
3292 - |
|
3293 -# Make another change and check that it propagates incrementally to |
|
3294 -# both slaves. |
|
3295 +# Make another change and check that it propagates incrementally. |
|
3296 realm.run_kadminl('modprinc +allow_tix w') |
|
3297 -check_ulog(8, 1, 8, [pr1, pr3, pr2, pr2, pr2, pr2, pr1, pr2]) |
|
3298 -kpropd1.send_signal(signal.SIGUSR1) |
|
3299 -wait_for_prop(kpropd1, False, 7, 8) |
|
3300 -check_ulog(3, 6, 8, [pr2, pr1, pr2], slave1) |
|
3301 -out = realm.run_kadminl('getprinc ' + pr2, slave1) |
|
3302 +check_serial(realm, '9') |
|
3303 +kpropd.send_signal(signal.SIGUSR1) |
|
3304 +wait_for_prop(kpropd, False) |
|
3305 +check_serial(realm, '9', slave) |
|
3306 +out = realm.run_kadminl('getprinc w', slave) |
|
3307 if 'Attributes:\n' not in out: |
|
3308 - fail('slave1 does not have modification from master') |
|
3309 -kpropd2.send_signal(signal.SIGUSR1) |
|
3310 -wait_for_prop(kpropd2, False, 7, 8) |
|
3311 -check_ulog(2, 7, 8, [pr1, pr2], slave2) |
|
3312 -out = realm.run_kadminl('getprinc ' + pr2, slave2) |
|
3313 + fail('Slave does not have modification from master') |
|
3314 + |
|
3315 +# Reset the ulog on the slave side to force a full resync to the slave. |
|
3316 +realm.run([kproplog, '-R'], slave) |
|
3317 +check_serial(realm, 'None', slave) |
|
3318 +kpropd.send_signal(signal.SIGUSR1) |
|
3319 +wait_for_prop(kpropd, True) |
|
3320 +check_serial(realm, '9', slave) |
|
3321 + |
|
3322 +# Make another change and check that it propagates incrementally. |
|
3323 +realm.run_kadminl('modprinc +allow_tix w') |
|
3324 +check_serial(realm, '10') |
|
3325 +kpropd.send_signal(signal.SIGUSR1) |
|
3326 +wait_for_prop(kpropd, False) |
|
3327 +check_serial(realm, '10', slave) |
|
3328 +out = realm.run_kadminl('getprinc w', slave) |
|
3329 if 'Attributes:\n' not in out: |
|
3330 - fail('slave2 does not have modification from slave1') |
|
3331 + fail('Slave has different state from master') |
|
3332 |
|
3333 # Create a policy and check that it propagates via full resync. |
|
3334 realm.run_kadminl('addpol -minclasses 2 testpol') |
|
3335 -check_ulog(0, 0, 0, []) |
|
3336 -kpropd1.send_signal(signal.SIGUSR1) |
|
3337 -wait_for_prop(kpropd1, True, 8, 0) |
|
3338 -check_ulog(0, 0, 0, [], slave1) |
|
3339 -out = realm.run_kadminl('getpol testpol', slave1) |
|
3340 +check_serial(realm, 'None') |
|
3341 +kpropd.send_signal(signal.SIGUSR1) |
|
3342 +wait_for_prop(kpropd, True) |
|
3343 +check_serial(realm, 'None', slave) |
|
3344 +out = realm.run_kadminl('getpol testpol', slave) |
|
3345 if 'Minimum number of password character classes: 2' not in out: |
|
3346 - fail('slave1 does not have policy from master') |
|
3347 -kpropd2.send_signal(signal.SIGUSR1) |
|
3348 -wait_for_prop(kpropd2, True, 8, 0) |
|
3349 -check_ulog(0, 0, 0, [], slave2) |
|
3350 -out = realm.run_kadminl('getpol testpol', slave2) |
|
3351 -if 'Minimum number of password character classes: 2' not in out: |
|
3352 - fail('slave2 does not have policy from slave1') |
|
3353 + fail('Slave does not have policy from master') |
|
3354 |
|
3355 # Modify the policy and test that it also propagates via full resync. |
|
3356 realm.run_kadminl('modpol -minlength 17 testpol') |
|
3357 -check_ulog(0, 0, 0, []) |
|
3358 -kpropd1.send_signal(signal.SIGUSR1) |
|
3359 -wait_for_prop(kpropd1, True, 0, 0) |
|
3360 -check_ulog(0, 0, 0, [], slave1) |
|
3361 -out = realm.run_kadminl('getpol testpol', slave1) |
|
3362 -if 'Minimum password length: 17' not in out: |
|
3363 - fail('slave1 does not have policy change from master') |
|
3364 -kpropd2.send_signal(signal.SIGUSR1) |
|
3365 -wait_for_prop(kpropd2, True, 0, 0) |
|
3366 -check_ulog(0, 0, 0, [], slave2) |
|
3367 -out = realm.run_kadminl('getpol testpol', slave2) |
|
3368 +check_serial(realm, 'None') |
|
3369 +kpropd.send_signal(signal.SIGUSR1) |
|
3370 +wait_for_prop(kpropd, True) |
|
3371 +check_serial(realm, 'None', slave) |
|
3372 +out = realm.run_kadminl('getpol testpol', slave) |
|
3373 if 'Minimum password length: 17' not in out: |
|
3374 - fail('slave2 does not have policy change from slave1') |
|
3375 + fail('Slave does not have policy change from master') |
|
3376 |
|
3377 # Delete the policy and test that it propagates via full resync. |
|
3378 realm.run_kadminl('delpol -force testpol') |
|
3379 -check_ulog(0, 0, 0, []) |
|
3380 -kpropd1.send_signal(signal.SIGUSR1) |
|
3381 -wait_for_prop(kpropd1, True, 0, 0) |
|
3382 -check_ulog(0, 0, 0, [], slave1) |
|
3383 -out = realm.run_kadminl('getpol testpol', slave1) |
|
3384 +check_serial(realm, 'None') |
|
3385 +kpropd.send_signal(signal.SIGUSR1) |
|
3386 +wait_for_prop(kpropd, True) |
|
3387 +check_serial(realm, 'None', slave) |
|
3388 +out = realm.run_kadminl('getpol testpol', slave) |
|
3389 if 'Policy does not exist' not in out: |
|
3390 - fail('slave1 did not get policy deletion from master') |
|
3391 -kpropd2.send_signal(signal.SIGUSR1) |
|
3392 -wait_for_prop(kpropd2, True, 0, 0) |
|
3393 -check_ulog(0, 0, 0, [], slave2) |
|
3394 -out = realm.run_kadminl('getpol testpol', slave2) |
|
3395 -if 'Policy does not exist' not in out: |
|
3396 - fail('slave2 did not get policy deletion from slave1') |
|
3397 - |
|
3398 -# Modify a principal on the master and test that it propagates via |
|
3399 -# full resync. (The master's ulog does not remember the timestamp it |
|
3400 -# had at serial number 0, so it does not know that an incremental |
|
3401 -# propagation is possible.) |
|
3402 -realm.run_kadminl('modprinc -maxlife "10 minutes" ' + pr1) |
|
3403 -check_ulog(1, 1, 1, [pr1]) |
|
3404 -kpropd1.send_signal(signal.SIGUSR1) |
|
3405 -wait_for_prop(kpropd1, True, 0, 1) |
|
3406 -check_ulog(0, 0, 1, [], slave1) |
|
3407 -out = realm.run_kadminl('getprinc ' + pr1, slave1) |
|
3408 -if 'Maximum ticket life: 0 days 00:10:00' not in out: |
|
3409 - fail('slave1 does not have modification from master') |
|
3410 -kpropd2.send_signal(signal.SIGUSR1) |
|
3411 -wait_for_prop(kpropd2, True, 0, 1) |
|
3412 -check_ulog(0, 0, 1, [], slave2) |
|
3413 -out = realm.run_kadminl('getprinc ' + pr1, slave2) |
|
3414 -if 'Maximum ticket life: 0 days 00:10:00' not in out: |
|
3415 - fail('slave2 does not have modification from slave1') |
|
3416 - |
|
3417 -# Delete a principal and test that it propagates incrementally to |
|
3418 -# slave1. slave2 needs another full resync because slave1 no longer |
|
3419 -# has serial number 1 in its ulog after processing its first |
|
3420 -# incremental update. |
|
3421 -realm.run_kadminl('delprinc -force ' + pr3) |
|
3422 -check_ulog(2, 1, 2, [pr1, pr3]) |
|
3423 -kpropd1.send_signal(signal.SIGUSR1) |
|
3424 -wait_for_prop(kpropd1, False, 1, 2) |
|
3425 -check_ulog(1, 2, 2, [pr3], slave1) |
|
3426 -out = realm.run_kadminl('getprinc ' + pr3, slave1) |
|
3427 -if 'Principal does not exist' not in out: |
|
3428 - fail('slave1 does not have principal deletion from master') |
|
3429 -kpropd2.send_signal(signal.SIGUSR1) |
|
3430 -wait_for_prop(kpropd2, True, 1, 2) |
|
3431 -check_ulog(0, 0, 2, [], slave2) |
|
3432 -out = realm.run_kadminl('getprinc ' + pr3, slave2) |
|
3433 -if 'Principal does not exist' not in out: |
|
3434 - fail('slave2 does not have principal deletion from slave1') |
|
3435 + fail('Slave did not get policy deletion from master') |
|
3436 |
|
3437 -# Reset the ulog on the master to force a full resync. |
|
3438 +# Reset the ulog on the master side to force a full resync to all slaves. |
|
3439 +# XXX Note that we only have one slave in this test, so we can't really |
|
3440 +# test this. |
|
3441 realm.run([kproplog, '-R']) |
|
3442 -check_ulog(0, 0, 0, []) |
|
3443 -kpropd1.send_signal(signal.SIGUSR1) |
|
3444 -wait_for_prop(kpropd1, True, 2, 0) |
|
3445 -check_ulog(0, 0, 0, [], slave1) |
|
3446 -kpropd2.send_signal(signal.SIGUSR1) |
|
3447 -wait_for_prop(kpropd2, True, 2, 0) |
|
3448 -check_ulog(0, 0, 0, [], slave2) |
|
3449 +check_serial(realm, 'None') |
|
3450 +kpropd.send_signal(signal.SIGUSR1) |
|
3451 +wait_for_prop(kpropd, True) |
|
3452 +check_serial(realm, 'None', slave) |
|
3453 |
|
3454 success('iprop tests') |
|
3455 + |
|
3456 diff -pur old/src/tests/t_kadmin_acl.py new/src/tests/t_kadmin_acl.py |
|
3457 --- old/src/tests/t_kadmin_acl.py |
|
3458 +++ new/src/tests/t_kadmin_acl.py |
|
3459 @@ -9,7 +9,7 @@ def make_client(name): |
|
3460 ccache = os.path.join(realm.testdir, |
|
3461 'kadmin_ccache_' + name.replace('/', '_')) |
|
3462 realm.kinit(name, password(name), |
|
3463 - flags=['-S', 'kadmin/admin', '-c', ccache]) |
|
3464 + flags=['-S', 'kadmin/' + hostname, '-c', ccache]) |
|
3465 return ccache |
|
3466 |
|
3467 def kadmin_as(client, query): |
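Review bot: The new line in make_client references `hostname`, but nothing in this hunk defines or imports it; it is presumably a module-level name that reaches t_kadmin_acl.py through the k5test star import, so confirm that rather than relying on an implicit global. The same `'kadmin/' + hostname` service name is now spelled out independently here and in K5Realm.prep_kadmin, which invites the two drifting apart; a single exported constant in k5test, e.g. `kadmin_service = 'kadmin/' + hostname`, used here as `flags=['-S', kadmin_service, '-c', ccache])` would keep them in step. Since the service principal named here decides which keytab entry the test kadmind must hold, a short comment such as `# Solaris kadmind (RPCSEC_GSS) authenticates as the host-specific kadmin principal, not kadmin/admin` above the kinit would record why the realm-wide name was dropped. The rest of make_client is outside the hunk, so whether the ccache path handling needs the same treatment cannot be judged here.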
|
3468 diff -pur old/src/util/gss-kernel-lib/Makefile.in new/src/util/gss-kernel-lib/Makefile.in |
|
3469 --- old/src/util/gss-kernel-lib/Makefile.in |
|
3470 +++ new/src/util/gss-kernel-lib/Makefile.in |
|
3471 @@ -7,7 +7,7 @@ ALL_CFLAGS=$(CPPFLAGS) $(CFLAGS) $(WARN_ |
|
3472 SHLIB_EXPDEPS = \ |
|
3473 $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ |
|
3474 $(TOPLIBD)/libkrb5$(SHLIBEXT) |
|
3475 -SHLIB_EXPLIBS=-lgssrpc -lkrb5 -lk5crypto -lcom_err $(SUPPORT_LIB) $(LIBS) |
|
3476 +SHLIB_EXPLIBS= -lkrb5 -lk5crypto -lcom_err $(SUPPORT_LIB) $(LIBS) |
|
3477 |
|
3478 SRCS= \ |
|
3479 k5seal.c \ |
|
3480 diff -pur old/src/util/k5test.py new/src/util/k5test.py |
|
3481 --- old/src/util/k5test.py |
|
3482 +++ new/src/util/k5test.py |
|
3483 @@ -972,7 +972,7 @@ class K5Realm(object): |
|
3484 princname = self.admin_princ |
|
3485 pw = password('admin') |
|
3486 return self.kinit(princname, pw, |
|
3487 - flags=['-S', 'kadmin/admin', |
|
3488 + flags=['-S', 'kadmin/' + hostname, |
|
3489 '-c', self.kadmin_ccache] + flags) |
|
3490 |
|
3491 def run_kadmin(self, query, **keywords): |
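Review bot: The changed `-S` flag builds the service name inline as `'kadmin/' + hostname`, which duplicates the identical expression added to t_kadmin_acl.py in this same commit; defining it once at module level in k5test.py, `kadmin_service = 'kadmin/' + hostname`, and writing `flags=['-S', kadmin_service,` here would give tests a single name to import. `hostname` is presumably a module-level value in k5test.py, but it is not visible in this hunk, so verify it is defined before this method runs. The enclosing method (prep_kadmin) starts outside the hunk, including its signature and the `flags` parameter that is concatenated on the last changed line, so its default value could not be reviewed. A one-line comment above the kinit noting that the host-specific kadmin principal is what the Solaris RPCSEC_GSS kadmind presents would save the next reader from re-deriving why `kadmin/admin` no longer works.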