int print_ccache (kim_ccache in_ccache, int *out_found_valid_tgt)
{
kim_error err = 0;
kim_credential_iterator iterator = NULL;
kim_identity ccache_identity = NULL;
kim_string type = NULL;
kim_string name = NULL;
kim_string ccache_identity_string = NULL;
int found_tickets = 0;
*out_found_valid_tgt = 0;
if (!err) {
err = kim_ccache_get_type (in_ccache, &type);
printiferr (err, "while getting the ccache type");
}
if (!err) {
err = kim_ccache_get_name (in_ccache, &name);
printiferr (err, "while getting the ccache name");
}
if (!err) {
err = kim_ccache_get_client_identity (in_ccache, &ccache_identity);
printiferr (err, "while getting the ccache principal");
}
if (!err) {
err = kim_identity_get_display_string (ccache_identity,
&ccache_identity_string);
printiferr (err, "while unparsing the ccache principal name");
}
if (!err) {
printmsg ("Kerberos 5 ticket cache: '%s:%s'\nDefault principal: %s\n\n",
type, name, ccache_identity_string);
printmsg ("Valid Starting");
printfiller (' ', get_timestamp_width () - sizeof ("Valid Starting") + 3);
printmsg ("Expires");
printfiller (' ', get_timestamp_width () - sizeof ("Expires") + 3);
printmsg ("Service Principal\n");
err = kim_credential_iterator_create (&iterator, in_ccache);
}
while (!err) {
kim_credential credential = NULL;
kim_identity client = NULL;
kim_identity service = NULL;
kim_string client_string = NULL;
kim_string service_string = NULL;
krb5_creds *creds = NULL;
int extra_field = 0;
err = kim_credential_iterator_next (iterator, &credential);
if (!err && !credential) { break; }
if (!err) {
err = kim_credential_get_client_identity (credential, &client);
printiferr (err, "while getting the client principal");
}
if (!err) {
err = kim_identity_get_display_string (client, &client_string);
printiferr (err, "while unparsing the client principal name");
}
if (!err) {
err = kim_credential_get_service_identity (credential, &service);
printiferr (err, "while getting the service principal");
}
if (!err) {
err = kim_identity_get_display_string (service, &service_string);
printiferr (err, "while unparsing the service principal name");
}
if (!err) {
err = kim_credential_get_krb5_creds (credential, kcontext, &creds);
printiferr (err, "while getting krb5 creds");
}
if (!err && krb5_is_config_principal(kcontext, creds->server))
goto next;
if (!err) {
found_tickets = 1;
printtime (creds->times.starttime ? creds->times.starttime : creds->times.authtime);
printmsg (" ");
printtime (creds->times.endtime);
printmsg (" ");
printmsg ("%s\n", service_string);
if (strcmp (ccache_identity_string, client_string)) {
if (!extra_field) {
printmsg ("\t");
}
printmsg ("for client %s", client_string);
extra_field++;
}
if (creds->ticket_flags & TKT_FLG_RENEWABLE) {
printmsg (extra_field ? ", " : "\t");
printmsg ("renew until ");
printtime (creds->times.renew_till);
extra_field += 2;
}
if (extra_field > 2) {
printmsg ("\n");
extra_field = 0;
}
if (show_flags) {
printmsg (extra_field ? ", " : "\t");
printflags (creds->ticket_flags);
extra_field++;
}
if (extra_field > 2) {
printmsg ("\n");
extra_field = 0;
}
if (show_enctypes) {
krb5_ticket *ticket_rep;
if (krb5_decode_ticket (&creds->ticket, &ticket_rep) == 0) {
if (!extra_field) {
printmsg ("\t");
} else {
printmsg (", ");
}
printmsg ("Etype (skey, tkt): %s, ",
enctype_to_string (creds->keyblock.enctype));
printmsg ("%s ",
enctype_to_string (ticket_rep->enc_part.enctype));
extra_field++;
krb5_free_ticket (kcontext, ticket_rep);
}
}
if (extra_field) {
printmsg ("\n");
}
if (show_address_list) {
printmsg ("\tAddresses: ");
if (!creds->addresses || !creds->addresses[0]) {
printmsg ("(none)\n");
} else {
int i;
for (i = 0; creds->addresses[i]; i++) {
if (i > 0) {
printmsg (", ");
}
printaddress (*creds->addresses[i]);
}
printmsg ("\n");
}
}
if (extra_field) {
printmsg ("\n");
}
}
if (!err) {
kim_boolean is_tgt = 0;
kim_credential_state state;
err = kim_credential_is_tgt (credential, &is_tgt);
printiferr (err, "while checking if creds are valid");
if (!err) {
err = kim_credential_get_state (credential, &state);
}
if (!err && is_tgt && state == kim_credentials_state_valid) {
*out_found_valid_tgt = 1;
}
}
next:
if (creds) { krb5_free_creds (kcontext, creds); }
kim_string_free (&client_string);
kim_string_free (&service_string);
kim_identity_free (&client);
kim_identity_free (&service);
kim_credential_free (&credential);
}
kim_string_free (&type);
kim_string_free (&name);
kim_string_free (&ccache_identity_string);
kim_identity_free (&ccache_identity);
kim_credential_iterator_free (&iterator);
if (!err) {
if (!found_tickets) {
printerr ("No Kerberos 5 tickets in credentials cache\n");
} else {
printmsg ("\n");
}
}
return err;
}
kim_error kim_identity_change_password_with_credential (kim_identity in_identity,
kim_credential in_credential,
kim_string in_new_password,
kim_ui_context *in_ui_context,
kim_error *out_rejected_err,
kim_string *out_rejected_message,
kim_string *out_rejected_description)
{
kim_error err = KIM_NO_ERROR;
krb5_creds *creds = NULL;
int rejected_err = 0;
krb5_data message_data;
krb5_data description_data;
if (!err && !in_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); }
if (!err && !in_credential ) { err = check_error (KIM_NULL_PARAMETER_ERR); }
if (!err && !in_new_password ) { err = check_error (KIM_NULL_PARAMETER_ERR); }
if (!err && !in_ui_context ) { err = check_error (KIM_NULL_PARAMETER_ERR); }
if (!err && !out_rejected_err) { err = check_error (KIM_NULL_PARAMETER_ERR); }
if (!err) {
err = kim_credential_get_krb5_creds (in_credential,
in_identity->context,
&creds);
}
if (!err) {
if (krb5_principal_compare (in_identity->context,
in_identity->principal,
creds->client)) {
/* Same principal, change the password normally */
err = krb5_error (in_identity->context,
krb5_change_password (in_identity->context,
creds,
(char *) in_new_password,
&rejected_err,
&message_data,
&description_data));
} else {
/* Different principal, use set change password protocol */
err = krb5_error (in_identity->context,
krb5_set_password (in_identity->context,
creds,
(char *) in_new_password,
in_identity->principal,
&rejected_err,
&message_data,
&description_data));
}
}
if (!err && rejected_err) {
kim_string rejected_message = NULL;
kim_string rejected_description = NULL;
if (message_data.data && message_data.length > 0) {
err = kim_string_create_from_buffer (&rejected_message,
message_data.data,
message_data.length);
} else {
err = kim_os_string_create_localized (&rejected_message,
"Kerberos Change Password Failed:");
}
if (!err) {
if (description_data.data && description_data.length > 0) {
err = kim_string_create_from_buffer (&rejected_description,
description_data.data,
description_data.length);
} else {
err = kim_os_string_create_localized (&rejected_description,
"New password rejected.");
}
}
if (!err && in_ui_context->type != kim_ui_type_cli) {
char *c;
// replace all \n and \r characters with spaces
for (c = (char *) rejected_message; *c != '\0'; c++) {
if ((*c == '\n') || (*c == '\r')) { *c = ' '; }
}
for (c = (char *) rejected_description; *c != '\0'; c++) {
if ((*c == '\n') || (*c == '\r')) { *c = ' '; }
}
}
if (!err) {
if (out_rejected_message) {
*out_rejected_message = rejected_message;
rejected_message = NULL;
}
if (out_rejected_description) {
*out_rejected_description = rejected_description;
rejected_description = NULL;
}
}
kim_string_free (&rejected_message);
kim_string_free (&rejected_description);
krb5_free_data_contents (in_identity->context, &message_data);
krb5_free_data_contents (in_identity->context, &description_data);
}
if (!err) {
/* do this after reporting errors so we don't double report rejection */
*out_rejected_err = rejected_err;
}
if (creds) { krb5_free_creds (in_identity->context, creds); }
return check_error (err);
}
