#
# This patch provides interfaces and functionality for the pam_krb5 module
# and for other libkadm5clnt dependents, such as AK.
#
# Note: MIT may be interested in a public form of k5_get_init_creds_password
# as the function returns the AS-REP, which can be used to glean key expiration,
# among others. A subsequent RFE-ticket will be filed for MIT.
#
# Note: MIT may decide to choose a different front-end support for multi-master
# configuration via kadm5_get_adm_host_srv_names, instead of using
# kadm5_get_admin_service_name, which returns the kadmin/<fqhn> form instead of
# of kadmin@<fqhn> for instance. In any case, a design such as this should be
# presented to MIT.
# Patch source: in-house
#
--- a/src/lib/kadm5/clnt/client_init.c
+++ b/src/lib/kadm5/clnt/client_init.c
@@ -299,7 +299,7 @@ _kadm5_initialize_rpcsec_gss_handle(kadm5_server_handle_t handle,
{
int code = 0;
generic_ret *r;
- char *ccname_orig = NULL;
+ const char *ccname_orig = NULL;
char *iprop_svc;
boolean_t iprop_enable = B_FALSE;
char mech[] = "kerberos_v5";
@@ -317,15 +317,13 @@ _kadm5_initialize_rpcsec_gss_handle(kadm5_server_handle_t handle,
int port;
struct timeval timeout;
- /* service name is service/host */
- server = strpbrk(service_name, "/");
+ /* service name is service@host */
+ server = strpbrk(service_name, "@");
if (!server) {
code = KADM5_BAD_SERVER_NAME;
goto cleanup;
}
-
- /* but rpc_gss_secreate expects service@host */
- *server++ = '@';
+ server++;
iprop_svc = strdup(KIPROP_SVC_NAME);
if (iprop_svc == NULL)
@@ -442,7 +440,7 @@ _kadm5_initialize_rpcsec_gss_handle(kadm5_server_handle_t handle,
if (ccname_orig) {
gssstat = gss_krb5_ccache_name(&minor_stat, ccname_orig, NULL);
- free(ccname_orig);
+ free((void *)ccname_orig);
if (gssstat != GSS_S_COMPLETE) {
code = KADM5_GSS_ERROR;
goto error;
@@ -516,7 +514,7 @@ cleanup:
static kadm5_ret_t
init_any(krb5_context context, char *client_name, enum init_type init_type,
- char *pass, krb5_ccache ccache_in, char *svcname_in,
+ char *pass, krb5_ccache ccache_in, char *svcname,
kadm5_config_params *params_in, krb5_ui_4 struct_version,
krb5_ui_4 api_version, char **db_args, void **server_handle)
{
@@ -534,7 +532,6 @@ init_any(krb5_context context, char *client_name, enum init_type init_type,
int code = 0;
generic_ret *r;
- char svcname[BUFSIZ];
initialize_ovk_error_table();
/* initialize_adb_error_table(); */
@@ -603,15 +600,19 @@ init_any(krb5_context context, char *client_name, enum init_type init_type,
goto error;
/* NULL svcname means use host-based. */
- if (svcname_in == NULL) {
- code = kadm5_get_admin_service_name(handle->context,
- handle->params.realm,
- svcname, sizeof(svcname));
+ if (svcname == NULL) {
+ char **kadmin_srv_names;
+
+ code = kadm5_get_adm_host_srv_names(context, handle->params.realm,
+ &kadmin_srv_names);
if (code)
goto error;
- } else {
- strncpy(svcname, svcname_in, sizeof(svcname));
- svcname[sizeof(svcname)-1] = '\0';
+ svcname = strdup(kadmin_srv_names[0]);
+ free_srv_names(kadmin_srv_names);
+ if (svcname == NULL) {
+ code = ENOMEM;
+ goto error;
+ }
}
/* Get credentials. */
@@ -666,14 +667,52 @@ cleanup:
static kadm5_ret_t
get_init_creds(kadm5_server_handle_t handle, krb5_principal client,
enum init_type init_type, char *pass, krb5_ccache ccache_in,
- char *svcname, char *realm, krb5_principal *server_out)
+ char *svcname_in, char *realm, krb5_principal *server_out)
{
kadm5_ret_t code;
krb5_ccache ccache = NULL;
+ krb5_principal cprinc;
+ char svcbuf[BUFSIZ], *service, *host, *svcname, *save;
*server_out = NULL;
/*
+ * Convert the RPCSEC_GSS version to the host based version as this
+ * is what gic expects.
+ */
+ if ((svcname = strdup(svcname_in)) == NULL) {
+ code = ENOMEM;
+ goto error;
+ }
+ if ((service = strtok_r(svcname, "@", &save)) != NULL) {
+ if ((host = strtok_r(NULL, "@", &save)) != NULL) {
+ char *str = NULL;
+ /*
+ * We want the canonical name here, via sname_to_principal.
+ */
+ code = krb5_sname_to_principal(handle->context, host, service,
+ KRB5_NT_SRV_HST, &cprinc);
+ if (code) {
+ free(svcname);
+ goto error;
+ }
+ code = krb5_unparse_name_flags(handle->context, cprinc,
+ KRB5_PRINCIPAL_UNPARSE_NO_REALM, &str);
+ krb5_free_principal(handle->context, cprinc);
+ if (code) {
+ free(svcname);
+ goto error;
+ }
+ (void) strncpy(svcbuf, str, sizeof(svcbuf));
+ krb5_free_unparsed_name(handle->context, str);
+ }
+ } else {
+ strncpy(svcbuf, svcname, sizeof(svcbuf));
+ svcbuf[sizeof(svcname)-1] = '\0';
+ }
+ free(svcname);
+
+ /*
* Acquire a service ticket for svcname@realm for client, using password
* pass (which could be NULL), and create a ccache to store them in. If
* INIT_CREDS, use the ccache we were provided instead.
@@ -708,7 +747,7 @@ get_init_creds(kadm5_server_handle_t handle, krb5_principal client,
}
handle->lhandle->cache_name = handle->cache_name;
- code = gic_iter(handle, init_type, ccache, client, pass, svcname, realm,
+ code = gic_iter(handle, init_type, ccache, client, pass, svcbuf, realm,
server_out);
/* Improved error messages */
if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) code = KADM5_BAD_PASSWORD;
--- a/src/lib/krb5/krb/gic_pwd.c
+++ b/src/lib/krb5/krb/gic_pwd.c
@@ -5,6 +5,17 @@
#include "int-proto.h"
#include "os-proto.h"
+/*
+ * See the function's definition for the description of this interface.
+ */
+krb5_error_code
+k5_get_init_creds_password(krb5_context, krb5_creds *,
+ krb5_principal, const char *,
+ krb5_prompter_fct, void *,
+ krb5_deltat, const char *,
+ krb5_get_init_creds_opt *,
+ krb5_kdc_rep **);
+
krb5_error_code
krb5_get_as_key_password(krb5_context context,
krb5_principal client,
@@ -135,7 +146,7 @@ krb5_init_creds_set_password(krb5_context context,
/* Return the password expiry time indicated by enc_part2. Set *is_last_req
* if the information came from a last_req value. */
-static void
+void
get_expiry_times(krb5_enc_kdc_rep_part *enc_part2, krb5_timestamp *pw_exp,
krb5_timestamp *acct_exp, krb5_boolean *is_last_req)
{
@@ -288,6 +299,35 @@ krb5_get_init_creds_password(krb5_context context,
const char *in_tkt_service,
krb5_get_init_creds_opt *options)
{
+ /*
+ * We call our own private function that returns the as_reply back to
+ * the caller. This structure contains information, such as
+ * key-expiration and last-req fields. Entities such as pam_krb5 can
+ * use this information to provide account/password expiration warnings.
+ * The original "prompter" interface is not granular enough for PAM,
+ * as it will perform all passes w/o coordination with other modules.
+ */
+ return (k5_get_init_creds_password(context, creds, client, password,
+ prompter, data, start_time,
+ in_tkt_service, options, NULL));
+}
+
+/*
+ * See krb5_get_init_creds_password()'s comments for the justification of this
+ * private function. Caller must free ptr_as_reply if non-NULL.
+ */
+krb5_error_code KRB5_CALLCONV
+k5_get_init_creds_password(krb5_context context,
+ krb5_creds *creds,
+ krb5_principal client,
+ const char *password,
+ krb5_prompter_fct prompter,
+ void *data,
+ krb5_deltat start_time,
+ const char *in_tkt_service,
+ krb5_get_init_creds_opt *options,
+ krb5_kdc_rep **ptr_as_reply)
+{
krb5_error_code ret;
int use_master;
krb5_kdc_rep *as_reply;
@@ -505,8 +545,12 @@ cleanup:
memset(pw0array, 0, sizeof(pw0array));
memset(pw1array, 0, sizeof(pw1array));
krb5_free_cred_contents(context, &chpw_creds);
- if (as_reply)
- krb5_free_kdc_rep(context, as_reply);
+ if (as_reply != NULL) {
+ if (ptr_as_reply == NULL)
+ krb5_free_kdc_rep(context, as_reply);
+ else
+ *ptr_as_reply = as_reply;
+ }
k5_clear_error(&errsave);
return(ret);
--- a/src/slave/kpropd.c
+++ b/src/slave/kpropd.c
@@ -644,6 +644,7 @@ do_iprop()
params.realm = def_realm;
if (master_svc_princstr == NULL) {
+#if 0
retval = kadm5_get_kiprop_host_srv_name(kpropd_context, def_realm,
&master_svc_princstr);
if (retval) {
@@ -653,6 +654,27 @@ do_iprop()
progname, def_realm);
return retval;
}
+#endif
+ char **kiprop_srv_names;
+
+ retval = kadm5_get_kiprop_host_srv_names(kpropd_context, def_realm,
+ &kiprop_srv_names);
+ if (retval) {
+ com_err(progname, retval,
+ _("%s: unable to get kiprop host based "
+ "service name for realm %s\n"),
+ progname, def_realm);
+ return retval;
+ }
+ master_svc_princstr = strdup(kiprop_srv_names[0]);
+ free_srv_names(kiprop_srv_names);
+ if (master_svc_princstr == NULL) {
+ com_err(progname, retval,
+ _("%s: unable to allocate memory for kiprop host based "
+ "service name for realm %s\n"),
+ progname, def_realm);
+ return ENOMEM;
+ }
}
retval = krb5_sname_to_principal(kpropd_context, NULL, KIPROP_SVC_NAME,