Beispiel #1
/*
 * Open a kadm5 handle for the session's realm and store it in
 * sess->kadm_handle.
 *
 * krealm_init() runs first; its error code is passed straight back on
 * failure.  The connection authenticates as the fixed principal
 * "rekey/admin" with a stored service key.  The keytab argument is NULL,
 * which presumably selects the library's default keytab -- confirm for the
 * kadm5 implementation in use.  Whoever can read that keytab holds the
 * admin rights granted to rekey/admin.
 *
 * Returns 0 on success, otherwise the failing call's error code.
 */
int kadm_init(struct rekey_session *sess) 
{
  kadm5_config_params cfg;
  void *handle = NULL;
  int err;

  err = krealm_init(sess);
  if (err != 0)
    return err;

  /* Only the realm field is declared valid through the mask. */
  cfg.realm = sess->realm;
  cfg.mask = KADM5_CONFIG_REALM;

  /* The two kadm5 variants differ only in the extra db_args slot. */
#ifdef HAVE_KADM5_INIT_WITH_SKEY_CTX
  err = kadm5_init_with_skey_ctx(sess->kctx, "rekey/admin", NULL,
                                 KADM5_ADMIN_SERVICE, &cfg,
                                 KADM5_STRUCT_VERSION, KADM5_API_VERSION_2,
                                 &handle);
#else
  err = kadm5_init_with_skey(sess->kctx, "rekey/admin", NULL,
                             KADM5_ADMIN_SERVICE, &cfg,
                             KADM5_STRUCT_VERSION, KADM5_API_VERSION_2,
                             NULL, &handle);
#endif

  if (err == 0) {
    /* Publish the handle only after a successful init. */
    sess->kadm_handle = handle;
    return 0;
  }

  prtmsg("Unable to initialize kadm5 library: %s", krb5_get_err_text(sess->kctx, err));
  return err;
}
Beispiel #2
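/*
 * Create a PyKAdminObject whose kadm5 handle is authenticated from a keytab.
 *
 * Python arguments (all optional): client principal name, keytab path, and a
 * dict of database arguments.  When no keytab is given, "/etc/krb5.keytab"
 * is used; when no client name is given, the local "host" service principal
 * is derived with krb5_sname_to_principal().  With both defaults the caller
 * therefore authenticates to kadmin as the machine's host principal, so the
 * rights obtained are whatever the admin ACL grants that principal.
 *
 * Returns the new object, or NULL with a Python exception set.
 *
 * Every transient resource (config params, db_args, the derived principal
 * and its unparsed name) is released on all paths, and nothing is allocated
 * before argument parsing has succeeded.
 */
static PyKAdminObject *_kadmin_init_with_keytab(PyObject *self, PyObject *args) {

    enum { FAIL_NONE, FAIL_SNAME, FAIL_UNPARSE, FAIL_INIT } failed = FAIL_NONE;

    PyKAdminObject *kadmin = NULL;
    PyObject *db_args_dict = NULL;
    kadm5_ret_t retval = KADM5_OK;
    krb5_error_code code = 0;

    krb5_principal princ = NULL;
    char *client_name    = NULL;
    char *derived_name   = NULL;   /* owned copy from krb5_unparse_name() */
    char *keytab_name    = NULL;
    char **db_args       = NULL;

    kadm5_config_params *params = NULL;

    if (!PyArg_ParseTuple(args, "|zzO!", &client_name, &keytab_name, &PyDict_Type, &db_args_dict))
        return NULL; 

    kadmin = PyKAdminObject_create();
    if (kadmin == NULL) {
        /* kadmin->context is dereferenced below, so stop here. */
        if (!PyErr_Occurred())
            PyErr_NoMemory();
        return NULL;
    }

    params = calloc(1, sizeof(*params));
    if (params == NULL) {
        Py_XDECREF(kadmin);
        PyErr_NoMemory();
        return NULL;
    }

    db_args = _kadmin_dict_to_db_args(db_args_dict);

    if (keytab_name == NULL) {
        keytab_name = "/etc/krb5.keytab";
    }
  
    if (client_name == NULL) {
        
        code = krb5_sname_to_principal(kadmin->context, NULL, "host", KRB5_NT_SRV_HST, &princ);
        if (code) {
            failed = FAIL_SNAME;
            goto cleanup;
        }
        
        code = krb5_unparse_name(kadmin->context, princ, &derived_name);

        /* The principal is only needed to produce the name string. */
        krb5_free_principal(kadmin->context, princ);
        princ = NULL;

        if (code) {
            failed = FAIL_UNPARSE;
            goto cleanup;
        }

        client_name = derived_name;
    }

    retval = kadm5_init_with_skey(
                kadmin->context, 
                client_name, 
                keytab_name, 
                service_name, 
                params,
                struct_version, 
                api_version, 
                db_args, 
                &kadmin->server_handle);

    if (retval != KADM5_OK)
        failed = FAIL_INIT;

cleanup:

    /* These frees need kadmin->context, so they run before any DECREF. */
    if (derived_name)
        krb5_free_unparsed_name(kadmin->context, derived_name);

    if (db_args) 
        _kadmin_free_db_args(db_args);

    /* NOTE(review): assumes kadm5 keeps its own copy of the config params;
       the later revision of this function frees them after init too. */
    free(params);

    if (failed == FAIL_NONE) {
        /* NOTE(review): kept from the original.  If PyKAdminObject_create()
           already returns a new reference, this extra INCREF keeps the
           object, and its admin session, alive forever -- confirm. */
        Py_XINCREF(kadmin);
        return kadmin;
    }

    /* Failure: release the half-built object, then report the error.
       PyKAdmin_RETURN_ERROR is defined outside this block; presumably it
       sets the Python exception and returns NULL. */
    Py_XDECREF(kadmin);

    if (failed == FAIL_SNAME)   { PyKAdmin_RETURN_ERROR(code, "krb5_sname_to_principal"); }
    if (failed == FAIL_UNPARSE) { PyKAdmin_RETURN_ERROR(code, "krb5_unparse_name"); }
    { PyKAdmin_RETURN_ERROR(retval, "kadm5_init_with_skey"); }

    return NULL;
}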
Beispiel #3
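/*
 * Modify Kerberos principal.
 *
 * Looks up the principal for `username` through kadm5 and rewrites its
 * ticket / password-change attribute bits:
 *   activate == 2  tickets allowed, password change required
 *   activate == 1  tickets allowed, no forced password change
 *   otherwise      all tickets disallowed (account disabled)
 *
 * The kadm5 session authenticates with the service key of the Moira admin
 * principal (keytab argument NULL).
 *
 * Returns 0 on success, otherwise a krb5/kadm5 error code.  A NULL username
 * or a name that does not fit the fixed 256-byte buffers is rejected with
 * KRB5_PARSE_MALFORMED instead of being written past the buffer.
 */
long modify_kerberos(char *username, int activate)
{ 
  void *kadm_server_handle = NULL;
  krb5_context context = NULL;
  kadm5_ret_t status;
  krb5_principal princ;
  kadm5_principal_ent_rec dprinc;
  kadm5_config_params realm_params;
  char admin_princ[256];
  long mask = 0;
  int len;
#ifdef KERBEROS_TEST_REALM
  char ubuf[256];
#endif

  if (username == NULL)
    return KRB5_PARSE_MALFORMED;

  /* Zero everything handed to the library so that fields not covered by
     the mask, and the cleanup path, never see stack garbage. */
  memset(&realm_params, 0, sizeof(realm_params));
  memset(&princ, 0, sizeof(princ));
  memset(&dprinc, 0, sizeof(dprinc));

#ifdef KERBEROS_TEST_REALM
  /* Bounded formatting: username comes from the caller and hostname from
     outside this function, so neither length can be trusted here. */
  len = snprintf(admin_princ, sizeof(admin_princ), "moira/%s@%s", hostname,
                 KERBEROS_TEST_REALM);
  if (len < 0 || (size_t)len >= sizeof(admin_princ))
    return KRB5_PARSE_MALFORMED;

  len = snprintf(ubuf, sizeof(ubuf), "%s@%s", username, KERBEROS_TEST_REALM);
  if (len < 0 || (size_t)len >= sizeof(ubuf))
    return KRB5_PARSE_MALFORMED;

  username = ubuf;
  realm_params.realm = KERBEROS_TEST_REALM;
  realm_params.mask = KADM5_CONFIG_REALM;
#else
  len = snprintf(admin_princ, sizeof(admin_princ), "%s", MOIRA_SVR_PRINCIPAL);
  if (len < 0 || (size_t)len >= sizeof(admin_princ))
    return KRB5_PARSE_MALFORMED;
  realm_params.mask = 0;
#endif

  status = krb5_init_context(&context);
  if (status)
    return status;

  status = krb5_parse_name(context, username, &princ);
  if (status)
    {
      /* The context was leaked on this path before. */
      krb5_free_context(context);
      return status;
    }

  status = kadm5_init_with_skey(admin_princ, NULL, KADM5_ADMIN_SERVICE,
                                &realm_params, KADM5_STRUCT_VERSION,
                                KADM5_API_VERSION_2, NULL,
                                &kadm_server_handle);
  if (status)
    goto cleanup;

  status = kadm5_get_principal(kadm_server_handle, princ, &dprinc, KADM5_PRINCIPAL_NORMAL_MASK);
  if (status)
    goto cleanup;

  /* Only the attribute word is written back. */
  mask |= KADM5_ATTRIBUTES;
  if (activate == 2)
    {
      /* Force password change */
      dprinc.attributes |= KRB5_KDB_REQUIRES_PWCHANGE;
      dprinc.attributes &= ~KRB5_KDB_DISALLOW_ALL_TIX;
    }
  else if (activate == 1)
    {
      /* Enable principal */
      dprinc.attributes &= ~KRB5_KDB_DISALLOW_ALL_TIX;
      dprinc.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
    }
  else
    {
      /* Disable principal */
      dprinc.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
      dprinc.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
    }

  status = kadm5_modify_principal(kadm_server_handle, &dprinc, mask);

 cleanup:
  krb5_free_principal(context, princ);
  if (kadm_server_handle)
    {
      /* Without a handle dprinc is still all zeroes: nothing to free. */
      kadm5_free_principal_ent(kadm_server_handle, &dprinc);
      kadm5_destroy(kadm_server_handle);
    }
  krb5_free_context(context);

  return status;
}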
Beispiel #4
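/*
 * Create a PyKAdminObject whose kadm5 handle is authenticated from a keytab.
 *
 * Python arguments (all optional): client principal name, keytab path, and a
 * database-arguments object handed to pykadmin_parse_db_args().  When no
 * keytab is given, "/etc/krb5.keytab" is used; when no client name is given,
 * the local "host" service principal is derived.  With both defaults the
 * caller authenticates to kadmin as the machine's host principal.
 *
 * Returns the new object, or NULL with a Python exception set.  No failure
 * path hands back an object while an exception is pending, and every free
 * that needs kadmin->context runs before the object is released.
 */
static PyKAdminObject *_kadmin_init_with_keytab(PyObject *self, PyObject *args) {

    PyKAdminObject *kadmin = NULL;

    PyObject *py_db_args = NULL;
    kadm5_ret_t retval   = KADM5_OK;
    krb5_error_code code = 0;
    int failed           = 0;

    krb5_principal princ = NULL;
    char *client_name    = NULL;
    char *derived_name   = NULL;   /* owned copy from krb5_unparse_name() */
    char *keytab_name    = NULL;
    char **db_args       = NULL;

    kadm5_config_params *params = NULL;

    if (!PyArg_ParseTuple(args, "|zzO", &client_name, &keytab_name, &py_db_args))
        return NULL; 

    kadmin = PyKAdminObject_create();
    if (kadmin == NULL) {
        /* kadmin->context is dereferenced below, so stop here. */
        if (!PyErr_Occurred())
            PyErr_NoMemory();
        return NULL;
    }

    params = calloc(1, sizeof(*params));
    if (params == NULL) {
        Py_XDECREF(kadmin);
        PyErr_NoMemory();
        return NULL;
    }

    db_args = pykadmin_parse_db_args(py_db_args);

    if (keytab_name == NULL) {
        keytab_name = "/etc/krb5.keytab";
    }
  
    if (client_name == NULL) {
        
        code = krb5_sname_to_principal(kadmin->context, NULL, "host", KRB5_NT_SRV_HST, &princ);
        if (code) { 
            PyKAdminError_raise_error(code, "krb5_sname_to_principal");
            failed = 1;
            goto cleanup;
        }
        
        code = krb5_unparse_name(kadmin->context, princ, &derived_name);
        if (code) { 
            PyKAdminError_raise_error(code, "krb5_unparse_name");
            failed = 1;
            goto cleanup;
        }

        client_name = derived_name;
    }

    retval = kadm5_init_with_skey(
                kadmin->context, 
                client_name, 
                keytab_name, 
                service_name, 
                params,
                struct_version, 
                api_version, 
                db_args, 
                &kadmin->server_handle);

    if (retval != KADM5_OK) {
        PyKAdminError_raise_error(retval, "kadm5_init_with_skey");
        failed = 1;
    }

cleanup:

    /* kadmin is still alive here.  The original set it to NULL on an init
       failure and then read kadmin->context while freeing princ. */
    if (princ)
        krb5_free_principal(kadmin->context, princ);

    if (derived_name)
        krb5_free_unparsed_name(kadmin->context, derived_name);

    free(params);

    pykadmin_free_db_args(db_args);

    if (failed) {
        /* An exception is pending: release the half-built object and
           return NULL so the interpreter sees a consistent error. */
        Py_XDECREF(kadmin);
        kadmin = NULL;
    }

    return kadmin;
}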