KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_verify_user_opt(krb5_context context,
krb5_principal principal,
const char *password,
krb5_verify_opt *opt)
{
krb5_error_code ret;
if(opt && (opt->flags & KRB5_VERIFY_LREALMS)) {
krb5_realm *realms, *r;
ret = krb5_get_default_realms (context, &realms);
if (ret)
return ret;
ret = KRB5_CONFIG_NODEFREALM;
for (r = realms; *r != NULL && ret != 0; ++r) {
ret = krb5_principal_set_realm(context, principal, *r);
if (ret) {
krb5_free_host_realm (context, realms);
return ret;
}
ret = verify_user_opt_int(context, principal, password, opt);
}
krb5_free_host_realm (context, realms);
if(ret)
return ret;
} else
ret = verify_user_opt_int(context, principal, password, opt);
return ret;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_copy_host_realm(krb5_context context,
const krb5_realm *from,
krb5_realm **to)
{
unsigned int n, i;
const krb5_realm *p;
for (n = 1, p = from; *p != NULL; ++p)
++n;
*to = calloc (n, sizeof(**to));
if (*to == NULL) {
krb5_set_error_message (context, ENOMEM,
N_("malloc: out of memory", ""));
return ENOMEM;
}
for (i = 0, p = from; *p != NULL; ++p, ++i) {
(*to)[i] = strdup(*p);
if ((*to)[i] == NULL) {
krb5_free_host_realm (context, *to);
krb5_set_error_message (context, ENOMEM,
N_("malloc: out of memory", ""));
return ENOMEM;
}
}
return 0;
}
krb5_error_code KRB5_LIB_FUNCTION
krb5_mk_req(krb5_context context,
krb5_auth_context *auth_context,
const krb5_flags ap_req_options,
const char *service,
const char *hostname,
krb5_data *in_data,
krb5_ccache ccache,
krb5_data *outbuf)
{
krb5_error_code ret;
char **realms;
char *real_hostname;
krb5_principal server;
ret = krb5_expand_hostname_realms (context, hostname,
&real_hostname, &realms);
if (ret)
return ret;
ret = krb5_build_principal (context, &server,
strlen(*realms),
*realms,
service,
real_hostname,
NULL);
free (real_hostname);
krb5_free_host_realm (context, realms);
if (ret)
return ret;
ret = krb5_mk_req_exact (context, auth_context, ap_req_options,
server, in_data, ccache, outbuf);
krb5_free_principal (context, server);
return ret;
}
static krb5_boolean
match_local_principals(krb5_context context,
krb5_principal principal,
const char *luser)
{
krb5_error_code ret;
krb5_realm *realms, *r;
krb5_boolean result = FALSE;
/* multi-component principals can never match */
if(krb5_principal_get_comp_string(context, principal, 1) != NULL)
return FALSE;
ret = krb5_get_default_realms (context, &realms);
if (ret)
return FALSE;
for (r = realms; *r != NULL; ++r) {
if(strcmp(krb5_principal_get_realm(context, principal),
*r) != 0)
continue;
if(strcmp(krb5_principal_get_comp_string(context, principal, 0),
luser) == 0) {
result = TRUE;
break;
}
}
krb5_free_host_realm (context, realms);
return result;
}
char *afs_realm_of_cell(krb5_context context, struct afsconf_cell *cellconfig, int fallback)
{
static char krbrlm[REALM_SZ+1];
char **hrealms = 0;
krb5_error_code retval;
if (!cellconfig)
return 0;
if (fallback) {
char * p;
p = strchr(cellconfig->hostName[0], '.');
if (p++)
strcpy(krbrlm, p);
else
strcpy(krbrlm, cellconfig->name);
for (p=krbrlm; *p; p++) {
if (islower(*p))
*p = toupper(*p);
}
} else {
if (retval = krb5_get_host_realm(context,
cellconfig->hostName[0], &hrealms))
return 0;
if(!hrealms[0]) return 0;
strcpy(krbrlm, hrealms[0]);
if (hrealms) krb5_free_host_realm(context, hrealms);
}
return krbrlm;
}
/* As of MIT Kerberos 1.6, krb5_get_host_realm() will return the NUL-string
* if there is no domain_realm mapping for the hostname's domain. This is
* used as a trigger indicating that referrals should be used within the
* krb5_get_credentials() call. However, if the KDC does not support referrals
* that will result in a KRB5_ERR_HOST_REALM_UNKNOWN error and we will have
* to manually fallback to mapping the domain of the host as a realm name.
* Hence, the new fallback parameter.
*/
static char *afs_realm_of_cell5(krb5_context context, struct afsconf_cell *cellconfig, int fallback)
{
char ** krbrlms = 0;
static char krbrlm[REALM_SZ+1];
krb5_error_code status;
if (!cellconfig)
return 0;
if (fallback) {
char * p;
p = strchr(cellconfig->hostName[0], '.');
if (p++)
strcpy(krbrlm, p);
else
strcpy(krbrlm, cellconfig->name);
strupr(krbrlm);
} else {
status = krb5_get_host_realm( context, cellconfig->hostName[0], &krbrlms );
if (status == 0 && krbrlms && krbrlms[0]) {
strcpy(krbrlm, krbrlms[0]);
} else {
strcpy(krbrlm, cellconfig->name);
strupr(krbrlm);
}
if (krbrlms)
krb5_free_host_realm( context, krbrlms );
}
return krbrlm;
}
static int
expand_hostname(krb5_context context, const char *host)
{
krb5_error_code ret;
char *h, **r;
ret = krb5_expand_hostname(context, host, &h);
if (ret)
krb5_err(context, 1, ret, "krb5_expand_hostname(%s)", host);
free(h);
if (debug_flag)
printf("hostname: %s -> %s\n", host, h);
ret = krb5_expand_hostname_realms(context, host, &h, &r);
if (ret)
krb5_err(context, 1, ret, "krb5_expand_hostname_realms(%s)", host);
if (debug_flag) {
int j;
printf("hostname: %s -> %s\n", host, h);
for (j = 0; r[j]; j++) {
printf("\trealm: %s\n", r[j]);
}
}
free(h);
krb5_free_host_realm(context, r);
return 0;
}
static heim_array_t
get_realms(void)
{
heim_array_t array;
char **realms, **r;
unsigned int i;
int ret;
array = heim_array_create();
for(i = 0; i < config->num_db; i++) {
if (config->db[i]->hdb_get_realms == NULL)
continue;
ret = (config->db[i]->hdb_get_realms)(context, config->db[i], &realms);
if (ret == 0) {
for (r = realms; r && *r; r++) {
heim_string_t s = heim_string_create(*r);
if (s)
heim_array_append_value(array, s);
heim_release(s);
}
krb5_free_host_realm(context, realms);
}
}
return array;
}
/*
* Find the realm for given hostname
*/
int do_realm(char *hostname) {
krb5_error_code retval;
char **realm;
if (hostname) {
retval = krb5_get_host_realm(ctx, hostname, &realm);
if (retval) {
com_err(progname, retval, "while obtaining realm for %s", hostname);
exit(1);
}
printf("%s\n", *realm);
krb5_free_host_realm(ctx, realm);
} else {
realm = malloc(sizeof(realm));
retval = krb5_get_default_realm(ctx, realm);
if (retval) {
com_err(progname, retval, "while obtaining default realm");
exit(1);
}
printf("%s\n", *realm);
krb5_free_default_realm(ctx, *realm);
free(realm);
}
return 0;
}
krb5_error_code KRB5_LIB_FUNCTION
krb5_aname_to_localname (krb5_context context,
krb5_const_principal aname,
size_t lnsize,
char *lname)
{
krb5_error_code ret;
krb5_realm *lrealms, *r;
int valid;
size_t len;
const char *res;
ret = krb5_get_default_realms (context, &lrealms);
if (ret)
return ret;
valid = 0;
for (r = lrealms; *r != NULL; ++r) {
if (strcmp (*r, aname->realm) == 0) {
valid = 1;
break;
}
}
krb5_free_host_realm (context, lrealms);
if (valid == 0)
return KRB5_NO_LOCALNAME;
if (aname->name.name_string.len == 1)
res = aname->name.name_string.val[0];
else if (aname->name.name_string.len == 2
&& strcmp (aname->name.name_string.val[1], "root") == 0) {
krb5_principal rootprinc;
krb5_boolean userok;
res = "root";
ret = krb5_copy_principal(context, aname, &rootprinc);
if (ret)
return ret;
userok = krb5_kuserok(context, rootprinc, res);
krb5_free_principal(context, rootprinc);
if (!userok)
return KRB5_NO_LOCALNAME;
} else
return KRB5_NO_LOCALNAME;
len = strlen (res);
if (len >= lnsize)
return ERANGE;
strlcpy (lname, res, lnsize);
return 0;
}
static char *
get_realm(struct kafs_data *data, const char *host)
{
struct krb5_kafs_data *d = data->data;
krb5_realm *realms;
char *r;
if(krb5_get_host_realm(d->context, host, &realms))
return NULL;
r = strdup(realms[0]);
krb5_free_host_realm(d->context, realms);
return r;
}
static krb5_error_code
LDAP_principal2message(krb5_context context, HDB * db,
krb5_principal princ, LDAPMessage ** msg)
{
char *name, *name_short = NULL;
krb5_error_code ret;
krb5_realm *r, *r0;
*msg = NULL;
ret = krb5_unparse_name(context, princ, &name);
if (ret)
return ret;
ret = krb5_get_default_realms(context, &r0);
if(ret) {
free(name);
return ret;
}
for (r = r0; *r != NULL; r++) {
if(strcmp(krb5_principal_get_realm(context, princ), *r) == 0) {
ret = krb5_unparse_name_short(context, princ, &name_short);
if (ret) {
krb5_free_host_realm(context, r0);
free(name);
return ret;
}
break;
}
}
krb5_free_host_realm(context, r0);
ret = LDAP__lookup_princ(context, db, name, name_short, msg);
free(name);
free(name_short);
return ret;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sname_to_principal (krb5_context context,
const char *hostname,
const char *sname,
int32_t type,
krb5_principal *ret_princ)
{
krb5_error_code ret;
char localhost[MAXHOSTNAMELEN];
char **realms, *host = NULL;
if(type != KRB5_NT_SRV_HST && type != KRB5_NT_UNKNOWN) {
krb5_set_error_message(context, KRB5_SNAME_UNSUPP_NAMETYPE,
N_("unsupported name type %d", ""),
(int)type);
return KRB5_SNAME_UNSUPP_NAMETYPE;
}
if(hostname == NULL) {
ret = gethostname(localhost, sizeof(localhost) - 1);
if (ret != 0) {
ret = errno;
krb5_set_error_message(context, ret,
N_("Failed to get local hostname", ""));
return ret;
}
localhost[sizeof(localhost) - 1] = '\0';
hostname = localhost;
}
if(sname == NULL)
sname = "host";
if(type == KRB5_NT_SRV_HST) {
ret = krb5_expand_hostname_realms (context, hostname,
&host, &realms);
if (ret)
return ret;
strlwr(host);
hostname = host;
} else {
ret = krb5_get_host_realm(context, hostname, &realms);
if(ret)
return ret;
}
ret = krb5_make_principal(context, ret_princ, realms[0], sname,
hostname, NULL);
if(host)
free(host);
krb5_free_host_realm(context, realms);
return ret;
}
/* Possibly try a non-referral request after a referral request failure.
* Expects ctx->reply_code to be set to the error from a referral request. */
static krb5_error_code
try_fallback(krb5_context context, krb5_tkt_creds_context ctx)
{
krb5_error_code code;
char **hrealms;
/* Only fall back if our error was from the first referral request. */
if (ctx->referral_count > 1)
return ctx->reply_code;
/* If the request used a specified realm, make a non-referral request to
* that realm (in case it's a KDC which rejects KDC_OPT_CANONICALIZE). */
if (!krb5_is_referral_realm(&ctx->req_server->realm))
return begin_non_referral(context, ctx);
if (ctx->server->length < 2) {
/* We need a type/host format principal to find a fallback realm. */
return KRB5_ERR_HOST_REALM_UNKNOWN;
}
/* We expect this to give exactly one answer (XXX clean up interface). */
code = krb5_get_fallback_host_realm(context, &ctx->server->data[1],
&hrealms);
if (code != 0)
return code;
/* If the fallback realm isn't any different, use the existing TGT. */
if (data_eq_string(ctx->server->realm, hrealms[0])) {
krb5_free_host_realm(context, hrealms);
return begin_non_referral(context, ctx);
}
/* Rewrite server->realm to be the fallback realm. */
krb5_free_data_contents(context, &ctx->server->realm);
ctx->server->realm = string2data(hrealms[0]);
free(hrealms);
TRACE_TKT_CREDS_FALLBACK(context, &ctx->server->realm);
/* Obtain a TGT for the new service realm. */
ctx->getting_tgt_for = STATE_NON_REFERRAL;
return begin_get_tgt(context, ctx);
}
/*
* Find a remote realm TGS principal for an unknown host-based service
* principal.
*/
static krb5_int32
find_referral_tgs(kdc_realm_t *kdc_active_realm, krb5_kdc_req *request,
krb5_principal *krbtgt_princ)
{
krb5_error_code retval = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
char **realms = NULL, *hostname = NULL;
krb5_data srealm = request->server->realm;
if (!is_referral_req(kdc_active_realm, request))
goto cleanup;
hostname = data2string(krb5_princ_component(kdc_context,
request->server, 1));
if (hostname == NULL) {
retval = ENOMEM;
goto cleanup;
}
/* If the hostname doesn't contain a '.', it's not a FQDN. */
if (strchr(hostname, '.') == NULL)
goto cleanup;
retval = krb5_get_host_realm(kdc_context, hostname, &realms);
if (retval) {
/* no match found */
kdc_err(kdc_context, retval, "unable to find realm of host");
goto cleanup;
}
/* Don't return a referral to the empty realm or the service realm. */
if (realms == NULL || realms[0] == NULL || *realms[0] == '\0' ||
data_eq_string(srealm, realms[0])) {
retval = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto cleanup;
}
retval = krb5_build_principal(kdc_context, krbtgt_princ,
srealm.length, srealm.data,
"krbtgt", realms[0], (char *)0);
cleanup:
krb5_free_host_realm(kdc_context, realms);
free(hostname);
return retval;
}
/* Copy a null-terminated list of strings. */
static krb5_error_code
copy_list(char **in, char ***out)
{
size_t count, i;
char **list;
*out = NULL;
for (count = 0; in[count] != NULL; count++);
list = calloc(count + 1, sizeof(*list));
if (list == NULL)
return ENOMEM;
for (i = 0; i < count; i++) {
list[i] = strdup(in[i]);
if (list[i] == NULL) {
krb5_free_host_realm(NULL, list);
return ENOMEM;
}
}
*out = list;
return 0;
}
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_context(krb5_context context)
{
_krb5_free_name_canon_rules(context, context->name_canon_rules);
if (context->default_cc_name)
free(context->default_cc_name);
if (context->default_cc_name_env)
free(context->default_cc_name_env);
free(context->etypes);
free(context->etypes_des);
krb5_free_host_realm (context, context->default_realms);
krb5_config_file_free (context, context->cf);
free_error_table (context->et_list);
free(rk_UNCONST(context->cc_ops));
free(context->kt_types);
krb5_clear_error_message(context);
if(context->warn_dest != NULL)
krb5_closelog(context, context->warn_dest);
if(context->debug_dest != NULL)
krb5_closelog(context, context->debug_dest);
krb5_set_extra_addresses(context, NULL);
krb5_set_ignore_addresses(context, NULL);
krb5_set_send_to_kdc_func(context, NULL, NULL);
#ifdef PKINIT
if (context->hx509ctx)
hx509_context_free(&context->hx509ctx);
#endif
HEIMDAL_MUTEX_destroy(context->mutex);
free(context->mutex);
if (context->flags & KRB5_CTX_F_SOCKETS_INITIALIZED) {
rk_SOCK_EXIT();
}
memset(context, 0, sizeof(*context));
free(context);
}
static int
princ_realm_is_default(krb5_context context,
krb5_const_principal aname)
{
krb5_error_code ret;
krb5_realm *lrealms = NULL;
krb5_realm *r;
int valid;
ret = krb5_get_default_realms(context, &lrealms);
if (ret)
return 0;
valid = 0;
for (r = lrealms; *r != NULL; ++r) {
if (strcmp (*r, aname->realm) == 0) {
valid = 1;
break;
}
}
krb5_free_host_realm (context, lrealms);
return valid;
}
krb5_error_code KRB5_LIB_FUNCTION
krb5_set_default_realm(krb5_context context,
const char *realm)
{
krb5_error_code ret = 0;
krb5_realm *realms = NULL;
if (realm == NULL) {
realms = krb5_config_get_strings (context, NULL,
"libdefaults",
"default_realm",
NULL);
if (realms == NULL)
ret = krb5_get_host_realm(context, NULL, &realms);
} else {
ret = string_to_list (context, realm, &realms);
}
if (ret)
return ret;
krb5_free_host_realm (context, context->default_realms);
context->default_realms = realms;
return 0;
}
krb5_error_code KRB5_CALLCONV
krb5_sname_to_principal(krb5_context context, const char *hostname, const char *sname, krb5_int32 type, krb5_principal *ret_princ)
{
char **hrealms, *realm, *remote_host;
krb5_error_code retval;
register char *cp;
char localname[MAXHOSTNAMELEN];
#ifdef DEBUG_REFERRALS
printf("krb5_sname_to_principal(host=%s, sname=%s, type=%d)\n",hostname,sname,type);
printf(" name types: 0=unknown, 3=srv_host\n");
#endif
if ((type == KRB5_NT_UNKNOWN) ||
(type == KRB5_NT_SRV_HST)) {
/* if hostname is NULL, use local hostname */
if (! hostname) {
if (gethostname(localname, MAXHOSTNAMELEN))
return SOCKET_ERRNO;
hostname = localname;
}
/* if sname is NULL, use "host" */
if (! sname)
sname = "host";
/* copy the hostname into non-volatile storage */
if (type == KRB5_NT_SRV_HST) {
struct addrinfo *ai, hints;
int err;
char hnamebuf[NI_MAXHOST];
/* Note that the old code would accept numeric addresses,
and if the gethostbyaddr step could convert them to
real hostnames, you could actually get reasonable
results. If the mapping failed, you'd get dotted
triples as realm names. *sigh*
The latter has been fixed in hst_realm.c, but we should
keep supporting numeric addresses if they do have
hostnames associated. */
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_INET;
hints.ai_flags = AI_CANONNAME;
try_getaddrinfo_again:
err = getaddrinfo(hostname, 0, &hints, &ai);
if (err) {
#ifdef DEBUG_REFERRALS
printf("sname_to_princ: probably punting due to bad hostname of %s\n",hostname);
#endif
if (hints.ai_family == AF_INET) {
/* Just in case it's an IPv6-only name. */
hints.ai_family = 0;
goto try_getaddrinfo_again;
}
return KRB5_ERR_BAD_HOSTNAME;
}
remote_host = strdup(ai->ai_canonname ? ai->ai_canonname : hostname);
if (!remote_host) {
freeaddrinfo(ai);
return ENOMEM;
}
if (maybe_use_reverse_dns(context, DEFAULT_RDNS_LOOKUP)) {
/*
* Do a reverse resolution to get the full name, just in
* case there's some funny business going on. If there
* isn't an in-addr record, give up.
*/
/* XXX: This is *so* bogus. There are several cases where
this won't get us the canonical name of the host, but
this is what we've trained people to expect. We'll
probably fix it at some point, but let's try to
preserve the current behavior and only shake things up
once when it comes time to fix this lossage. */
err = getnameinfo(ai->ai_addr, ai->ai_addrlen,
hnamebuf, sizeof(hnamebuf), 0, 0, NI_NAMEREQD);
freeaddrinfo(ai);
if (err == 0) {
free(remote_host);
remote_host = strdup(hnamebuf);
if (!remote_host)
return ENOMEM;
}
} else
freeaddrinfo(ai);
} else { /* type == KRB5_NT_UNKNOWN */
remote_host = strdup(hostname);
}
if (!remote_host)
return ENOMEM;
#ifdef DEBUG_REFERRALS
printf("sname_to_princ: hostname <%s> after rdns processing\n",remote_host);
#endif
if (type == KRB5_NT_SRV_HST)
for (cp = remote_host; *cp; cp++)
if (isupper((unsigned char) (*cp)))
*cp = tolower((unsigned char) (*cp));
/*
* Windows NT5's broken resolver gratuitously tacks on a
* trailing period to the hostname (at least it does in
* Beta2). Find and remove it.
*/
if (remote_host[0]) {
cp = remote_host + strlen(remote_host)-1;
if (*cp == '.')
*cp = 0;
}
if ((retval = krb5_get_host_realm(context, remote_host, &hrealms))) {
free(remote_host);
return retval;
}
#ifdef DEBUG_REFERRALS
printf("sname_to_princ: realm <%s> after krb5_get_host_realm\n",hrealms[0]);
#endif
if (!hrealms[0]) {
free(remote_host);
free(hrealms);
return KRB5_ERR_HOST_REALM_UNKNOWN;
}
realm = hrealms[0];
retval = krb5_build_principal(context, ret_princ, strlen(realm),
realm, sname, remote_host,
(char *)0);
if (retval == 0)
krb5_princ_type(context, *ret_princ) = type;
#ifdef DEBUG_REFERRALS
printf("krb5_sname_to_principal returning\n");
printf("realm: <%s>, sname: <%s>, remote_host: <%s>\n",
realm,sname,remote_host);
krb5int_dbgref_dump_principal("krb5_sname_to_principal",*ret_princ);
#endif
free(remote_host);
krb5_free_host_realm(context, hrealms);
return retval;
} else {
return KRB5_SNAME_UNSUPP_NAMETYPE;
}
}
/*
* Find a keytab entry to use for a given target hostname.
* Tries to find the most appropriate keytab to use given the
* name of the host we are trying to connect with.
*/
static int find_keytab_entry(krb5_context context, krb5_keytab kt,
const char *hostname, krb5_keytab_entry *kte,
const char **svcnames)
{
krb5_error_code code;
char **realmnames = NULL;
char myhostname[NI_MAXHOST], targethostname[NI_MAXHOST];
char myhostad[NI_MAXHOST + 1];
int i, j, retval;
char *default_realm = NULL;
char *realm;
char *k5err = NULL;
int tried_all = 0, tried_default = 0;
krb5_principal princ;
/* Get full target hostname */
retval =
get_full_hostname(hostname, targethostname, sizeof(targethostname));
if (retval)
goto out;
/* Get full local hostname */
retval = gethostname(myhostname, sizeof(myhostname));
if (retval) {
k5err = gssd_k5_err_msg(context, retval);
printerr(1, "%s while getting local hostname\n", k5err);
gsh_free(k5err);
goto out;
}
/* Compute the active directory machine name HOST$ */
strcpy(myhostad, myhostname);
for (i = 0; myhostad[i] != 0; ++i)
myhostad[i] = toupper(myhostad[i]);
myhostad[i] = '$';
myhostad[i + 1] = 0;
retval = get_full_hostname(myhostname, myhostname, sizeof(myhostname));
if (retval)
goto out;
code = krb5_get_default_realm(context, &default_realm);
if (code) {
retval = code;
k5err = gssd_k5_err_msg(context, code);
printerr(1, "%s while getting default realm name\n", k5err);
gsh_free(k5err);
goto out;
}
/*
* Get the realm name(s) for the target hostname.
* In reality, this function currently only returns a
* single realm, but we code with the assumption that
* someday it may actually return a list.
*/
code = krb5_get_host_realm(context, targethostname, &realmnames);
if (code) {
k5err = gssd_k5_err_msg(context, code);
printerr(0, "ERROR: %s while getting realm(s) for host '%s'\n",
k5err, targethostname);
gsh_free(k5err);
retval = code;
goto out;
}
/*
* Try the "appropriate" realm first, and if nothing found for that
* realm, try the default realm (if it hasn't already been tried).
*/
i = 0;
realm = realmnames[i];
while (1) {
if (realm == NULL) {
tried_all = 1;
if (!tried_default)
realm = default_realm;
}
if (tried_all && tried_default)
break;
if (strcmp(realm, default_realm) == 0)
tried_default = 1;
for (j = 0; svcnames[j] != NULL; j++) {
char spn[300];
/*
* The special svcname "$" means 'try the active
* directory machine account'
*/
if (strcmp(svcnames[j], "$") == 0) {
snprintf(spn, sizeof(spn), "%s@%s", myhostad,
realm);
code =
krb5_build_principal_ext(context, &princ,
strlen(realm),
realm,
strlen(myhostad),
myhostad, NULL);
} else {
snprintf(spn, sizeof(spn), "%s/%s@%s",
svcnames[j], myhostname, realm);
code =
krb5_build_principal_ext(context, &princ,
strlen(realm),
realm,
strlen(svcnames
[j]),
svcnames[j],
strlen(myhostname),
myhostname, NULL);
}
if (code) {
k5err = gssd_k5_err_msg(context, code);
printerr(1,
"%s while building principal for '%s'\n",
k5err, spn);
gsh_free(k5err);
continue;
}
code = krb5_kt_get_entry(context, kt, princ, 0, 0, kte);
krb5_free_principal(context, princ);
if (code) {
k5err = gssd_k5_err_msg(context, code);
printerr(3,
"%s while getting keytab entry for '%s'\n",
k5err, spn);
gsh_free(k5err);
} else {
printerr(3,
"Success getting keytab entry for '%s'\n",
spn);
retval = 0;
goto out;
}
retval = code;
}
/*
* Nothing found with our hostname instance, now look for
* names with any instance (they must have an instance)
*/
for (j = 0; svcnames[j] != NULL; j++) {
int found = 0;
if (strcmp(svcnames[j], "$") == 0)
continue;
code =
gssd_search_krb5_keytab(context, kt, realm,
svcnames[j], &found, kte);
if (!code && found) {
printerr(3,
"Success getting keytab entry for "
"%s/*@%s\n", svcnames[j], realm);
retval = 0;
goto out;
}
}
if (!tried_all) {
i++;
realm = realmnames[i];
}
}
out:
if (default_realm)
k5_free_default_realm(context, default_realm);
if (realmnames)
krb5_free_host_realm(context, realmnames);
return retval;
}
static krb5_error_code
init_context_from_config_file(krb5_context context)
{
krb5_error_code ret;
const char * tmp;
char **s;
krb5_enctype *tmptypes;
INIT_FIELD(context, time, max_skew, 5 * 60, "clockskew");
INIT_FIELD(context, time, kdc_timeout, 30, "kdc_timeout");
INIT_FIELD(context, time, host_timeout, 3, "host_timeout");
INIT_FIELD(context, int, max_retries, 3, "max_retries");
INIT_FIELD(context, string, http_proxy, NULL, "http_proxy");
ret = krb5_config_get_bool_default(context, NULL, FALSE,
"libdefaults",
"allow_weak_crypto", NULL);
if (ret) {
krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
krb5_enctype_enable(context, ETYPE_DES_CBC_MD4);
krb5_enctype_enable(context, ETYPE_DES_CBC_MD5);
krb5_enctype_enable(context, ETYPE_DES_CBC_NONE);
krb5_enctype_enable(context, ETYPE_DES_CFB64_NONE);
krb5_enctype_enable(context, ETYPE_DES_PCBC_NONE);
}
ret = set_etypes (context, "default_etypes", &tmptypes);
if(ret)
return ret;
free(context->etypes);
context->etypes = tmptypes;
ret = set_etypes (context, "default_etypes_des", &tmptypes);
if(ret)
return ret;
free(context->etypes_des);
context->etypes_des = tmptypes;
ret = set_etypes (context, "default_as_etypes", &tmptypes);
if(ret)
return ret;
free(context->as_etypes);
context->as_etypes = tmptypes;
ret = set_etypes (context, "default_tgs_etypes", &tmptypes);
if(ret)
return ret;
free(context->tgs_etypes);
context->tgs_etypes = tmptypes;
ret = set_etypes (context, "permitted_enctypes", &tmptypes);
if(ret)
return ret;
free(context->permitted_enctypes);
context->permitted_enctypes = tmptypes;
/* default keytab name */
tmp = NULL;
if(!issuid())
tmp = getenv("KRB5_KTNAME");
if(tmp != NULL)
context->default_keytab = tmp;
else
INIT_FIELD(context, string, default_keytab,
KEYTAB_DEFAULT, "default_keytab_name");
INIT_FIELD(context, string, default_keytab_modify,
NULL, "default_keytab_modify_name");
INIT_FIELD(context, string, time_fmt,
"%Y-%m-%dT%H:%M:%S", "time_format");
INIT_FIELD(context, string, date_fmt,
"%Y-%m-%d", "date_format");
INIT_FIELD(context, bool, log_utc,
FALSE, "log_utc");
/* init dns-proxy slime */
tmp = krb5_config_get_string(context, NULL, "libdefaults",
"dns_proxy", NULL);
if(tmp)
roken_gethostby_setup(context->http_proxy, tmp);
krb5_free_host_realm (context, context->default_realms);
context->default_realms = NULL;
{
krb5_addresses addresses;
char **adr, **a;
krb5_set_extra_addresses(context, NULL);
adr = krb5_config_get_strings(context, NULL,
"libdefaults",
"extra_addresses",
NULL);
memset(&addresses, 0, sizeof(addresses));
for(a = adr; a && *a; a++) {
ret = krb5_parse_address(context, *a, &addresses);
if (ret == 0) {
krb5_add_extra_addresses(context, &addresses);
krb5_free_addresses(context, &addresses);
}
}
krb5_config_free_strings(adr);
krb5_set_ignore_addresses(context, NULL);
adr = krb5_config_get_strings(context, NULL,
"libdefaults",
"ignore_addresses",
NULL);
memset(&addresses, 0, sizeof(addresses));
for(a = adr; a && *a; a++) {
ret = krb5_parse_address(context, *a, &addresses);
if (ret == 0) {
krb5_add_ignore_addresses(context, &addresses);
krb5_free_addresses(context, &addresses);
}
}
krb5_config_free_strings(adr);
}
INIT_FIELD(context, bool, scan_interfaces, TRUE, "scan_interfaces");
INIT_FIELD(context, int, fcache_vno, 0, "fcache_version");
/* prefer dns_lookup_kdc over srv_lookup. */
INIT_FIELD(context, bool, srv_lookup, TRUE, "srv_lookup");
INIT_FIELD(context, bool, srv_lookup, context->srv_lookup, "dns_lookup_kdc");
INIT_FIELD(context, int, large_msg_size, 1400, "large_message_size");
INIT_FIELD(context, int, max_msg_size, 1000 * 1024, "maximum_message_size");
INIT_FLAG(context, flags, KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME, TRUE, "dns_canonicalize_hostname");
INIT_FLAG(context, flags, KRB5_CTX_F_CHECK_PAC, TRUE, "check_pac");
if (context->default_cc_name)
free(context->default_cc_name);
context->default_cc_name = NULL;
context->default_cc_name_set = 0;
s = krb5_config_get_strings(context, NULL, "logging", "krb5", NULL);
if(s) {
char **p;
if (context->debug_dest)
krb5_closelog(context, context->debug_dest);
krb5_initlog(context, "libkrb5", &context->debug_dest);
for(p = s; *p; p++)
krb5_addlog_dest(context, context->debug_dest, *p);
krb5_config_free_strings(s);
}
tmp = krb5_config_get_string(context, NULL, "libdefaults",
"check-rd-req-server", NULL);
if (tmp == NULL && !issuid())
tmp = getenv("KRB5_CHECK_RD_REQ_SERVER");
if(tmp) {
if (strcasecmp(tmp, "ignore") == 0)
context->flags |= KRB5_CTX_F_RD_REQ_IGNORE;
}
ret = krb5_config_get_bool_default(context, NULL, TRUE,
"libdefaults",
"fcache_strict_checking", NULL);
if (ret)
context->flags |= KRB5_CTX_F_FCACHE_STRICT_CHECKING;
return 0;
}
static int
doit (krb5_keytab keytab, int port)
{
krb5_error_code ret;
int *sockets;
int maxfd;
krb5_realm *realms;
krb5_addresses addrs;
krb5_address *my_addrp;
unsigned n, i;
fd_set real_fdset;
struct sockaddr_storage __ss;
struct sockaddr *sa = (struct sockaddr *)&__ss;
#ifdef INETD_SUPPORT
int fdz;
int from_inetd;
socklen_t fromlen;
krb5_address my_addr;
struct sockaddr_storage __local;
struct sockaddr *localsa = (struct sockaddr *)&__local;
#endif
ret = krb5_get_default_realms(context, &realms);
if (ret)
krb5_err (context, 1, ret, "krb5_get_default_realms");
#ifdef INETD_SUPPORT
fromlen = sizeof __ss;
from_inetd = (getsockname(0, sa, &fromlen) == 0);
if (!from_inetd) {
#endif
if (explicit_addresses.len) {
addrs = explicit_addresses;
} else {
ret = krb5_get_all_server_addrs (context, &addrs);
if (ret)
krb5_err (context, 1, ret, "krb5_get_all_server_addrs");
}
n = addrs.len;
sockets = malloc (n * sizeof(*sockets));
if (sockets == NULL)
krb5_errx (context, 1, "out of memory");
maxfd = -1;
FD_ZERO(&real_fdset);
for (i = 0; i < n; ++i) {
krb5_socklen_t sa_size = sizeof(__ss);
krb5_addr2sockaddr (context, &addrs.val[i], sa, &sa_size, port);
sockets[i] = socket (sa->sa_family, SOCK_DGRAM, 0);
if (sockets[i] < 0)
krb5_err (context, 1, errno, "socket");
if (bind (sockets[i], sa, sa_size) < 0) {
char str[128];
size_t len;
int save_errno = errno;
ret = krb5_print_address (&addrs.val[i], str, sizeof(str), &len);
if (ret)
strlcpy(str, "unknown address", sizeof(str));
krb5_warn (context, save_errno, "bind(%s)", str);
continue;
}
maxfd = max (maxfd, sockets[i]);
if (maxfd >= FD_SETSIZE)
krb5_errx (context, 1, "fd too large");
FD_SET(sockets[i], &real_fdset);
}
#ifdef INETD_SUPPORT
} else {
n = 1;
maxfd = 0;
fdz = 0;
sockets = &fdz;
FD_ZERO(&real_fdset);
FD_SET(0, &real_fdset);
}
#endif
if (maxfd == -1)
krb5_errx (context, 1, "No sockets!");
while(exit_flag == 0) {
krb5_ssize_t retx;
fd_set fdset = real_fdset;
retx = select (maxfd + 1, &fdset, NULL, NULL, NULL);
if (retx < 0) {
if (errno == EINTR)
continue;
else
krb5_err (context, 1, errno, "select");
}
for (i = 0; i < n; ++i)
if (FD_ISSET(sockets[i], &fdset)) {
u_char buf[BUFSIZ];
socklen_t addrlen = sizeof(__ss);
retx = recvfrom(sockets[i], buf, sizeof(buf), 0,
sa, &addrlen);
if (retx < 0) {
if(errno == EINTR)
break;
else
krb5_err (context, 1, errno, "recvfrom");
}
#ifdef INETD_SUPPORT
if (from_inetd) {
socklen_t loclen = sizeof(__local);
int ret2;
ret2 = get_local_addr(sa, addrlen, localsa, &loclen);
if (ret2 < 0)
krb5_errx (context, errno, "get_local_addr");
ret2 = krb5_sockaddr2address(context, localsa,
&my_addr);
if (ret2)
krb5_errx (context, ret2,
"krb5_sockaddr2address");
my_addrp = &my_addr;
} else
#endif
my_addrp = &addrs.val[i];
process (realms, keytab, sockets[i],
my_addrp,
sa, addrlen,
buf, retx);
#ifdef INETD_SUPPORT
if (from_inetd) {
krb5_free_address(context, &my_addr);
}
#endif
}
#ifdef INETD_SUPPORT
if (from_inetd)
break;
#endif
}
for (i = 0; i < n; ++i)
close(sockets[i]);
free(sockets);
#ifdef INETD_SUPPORT
if (!from_inetd)
#endif
krb5_free_addresses (context, &addrs);
krb5_free_host_realm (context, realms);
krb5_free_context (context);
return 0;
}
static krb5_error_code
tgs_build_reply(krb5_context context,
krb5_kdc_configuration *config,
KDC_REQ *req,
KDC_REQ_BODY *b,
hdb_entry_ex *krbtgt,
krb5_enctype krbtgt_etype,
krb5_ticket *ticket,
krb5_data *reply,
const char *from,
const char **e_text,
AuthorizationData *auth_data,
const struct sockaddr *from_addr,
int datagram_reply)
{
krb5_error_code ret;
krb5_principal cp = NULL, sp = NULL;
krb5_principal client_principal = NULL;
char *spn = NULL, *cpn = NULL;
hdb_entry_ex *server = NULL, *client = NULL;
EncTicketPart *tgt = &ticket->ticket;
KRB5SignedPathPrincipals *spp = NULL;
const EncryptionKey *ekey;
krb5_keyblock sessionkey;
krb5_kvno kvno;
krb5_data rspac;
int cross_realm = 0;
PrincipalName *s;
Realm r;
int nloop = 0;
EncTicketPart adtkt;
char opt_str[128];
int require_signedpath = 0;
memset(&sessionkey, 0, sizeof(sessionkey));
memset(&adtkt, 0, sizeof(adtkt));
krb5_data_zero(&rspac);
s = b->sname;
r = b->realm;
if(b->kdc_options.enc_tkt_in_skey){
Ticket *t;
hdb_entry_ex *uu;
krb5_principal p;
Key *uukey;
if(b->additional_tickets == NULL ||
b->additional_tickets->len == 0){
ret = KRB5KDC_ERR_BADOPTION; /* ? */
kdc_log(context, config, 0,
"No second ticket present in request");
goto out;
}
t = &b->additional_tickets->val[0];
if(!get_krbtgt_realm(&t->sname)){
kdc_log(context, config, 0,
"Additional ticket is not a ticket-granting ticket");
ret = KRB5KDC_ERR_POLICY;
goto out;
}
_krb5_principalname2krb5_principal(context, &p, t->sname, t->realm);
ret = _kdc_db_fetch(context, config, p,
HDB_F_GET_CLIENT|HDB_F_GET_SERVER,
NULL, &uu);
krb5_free_principal(context, p);
if(ret){
if (ret == HDB_ERR_NOENTRY)
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto out;
}
ret = hdb_enctype2key(context, &uu->entry,
t->enc_part.etype, &uukey);
if(ret){
_kdc_free_ent(context, uu);
ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
goto out;
}
ret = krb5_decrypt_ticket(context, t, &uukey->key, &adtkt, 0);
_kdc_free_ent(context, uu);
if(ret)
goto out;
ret = verify_flags(context, config, &adtkt, spn);
if (ret)
goto out;
s = &adtkt.cname;
r = adtkt.crealm;
}
_krb5_principalname2krb5_principal(context, &sp, *s, r);
ret = krb5_unparse_name(context, sp, &spn);
if (ret)
goto out;
_krb5_principalname2krb5_principal(context, &cp, tgt->cname, tgt->crealm);
ret = krb5_unparse_name(context, cp, &cpn);
if (ret)
goto out;
unparse_flags (KDCOptions2int(b->kdc_options),
asn1_KDCOptions_units(),
opt_str, sizeof(opt_str));
if(*opt_str)
kdc_log(context, config, 0,
"TGS-REQ %s from %s for %s [%s]",
cpn, from, spn, opt_str);
else
kdc_log(context, config, 0,
"TGS-REQ %s from %s for %s", cpn, from, spn);
/*
* Fetch server
*/
server_lookup:
ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER, NULL, &server);
if(ret){
const char *new_rlm;
Realm req_rlm;
krb5_realm *realms;
if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) {
if(nloop++ < 2) {
new_rlm = find_rpath(context, tgt->crealm, req_rlm);
if(new_rlm) {
kdc_log(context, config, 5, "krbtgt for realm %s "
"not found, trying %s",
req_rlm, new_rlm);
krb5_free_principal(context, sp);
free(spn);
krb5_make_principal(context, &sp, r,
KRB5_TGS_NAME, new_rlm, NULL);
ret = krb5_unparse_name(context, sp, &spn);
if (ret)
goto out;
goto server_lookup;
}
}
} else if(need_referral(context, sp, &realms)) {
if (strcmp(realms[0], sp->realm) != 0) {
kdc_log(context, config, 5,
"Returning a referral to realm %s for "
"server %s that was not found",
realms[0], spn);
krb5_free_principal(context, sp);
free(spn);
krb5_make_principal(context, &sp, r, KRB5_TGS_NAME,
realms[0], NULL);
ret = krb5_unparse_name(context, sp, &spn);
if (ret)
goto out;
krb5_free_host_realm(context, realms);
goto server_lookup;
}
krb5_free_host_realm(context, realms);
}
kdc_log(context, config, 0,
"Server not found in database: %s: %s", spn,
krb5_get_err_text(context, ret));
if (ret == HDB_ERR_NOENTRY)
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto out;
}
ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT, NULL, &client);
if(ret) {
const char *krbtgt_realm;
/*
* If the client belongs to the same realm as our krbtgt, it
* should exist in the local database.
*
*/
krbtgt_realm =
krb5_principal_get_comp_string(context,
krbtgt->entry.principal, 1);
if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
if (ret == HDB_ERR_NOENTRY)
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
kdc_log(context, config, 1, "Client no longer in database: %s",
cpn);
goto out;
}
kdc_log(context, config, 1, "Client not found in database: %s: %s",
cpn, krb5_get_err_text(context, ret));
cross_realm = 1;
}
/*
* Check that service is in the same realm as the krbtgt. If its
* not the same, its someone that is using a uni-directional trust
* backward.
*/
if (strcmp(krb5_principal_get_realm(context, sp),
krb5_principal_get_comp_string(context,
krbtgt->entry.principal,
1)) != 0) {
char *tpn;
ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn);
kdc_log(context, config, 0,
"Request with wrong krbtgt: %s",
(ret == 0) ? tpn : "<unknown>");
if(ret == 0)
free(tpn);
ret = KRB5KRB_AP_ERR_NOT_US;
goto out;
}
/*
*
*/
client_principal = cp;
if (client) {
const PA_DATA *sdata;
int i = 0;
sdata = _kdc_find_padata(req, &i, KRB5_PADATA_S4U2SELF);
if (sdata) {
krb5_crypto crypto;
krb5_data datack;
PA_S4U2Self self;
char *selfcpn = NULL;
const char *str;
ret = decode_PA_S4U2Self(sdata->padata_value.data,
sdata->padata_value.length,
&self, NULL);
if (ret) {
kdc_log(context, config, 0, "Failed to decode PA-S4U2Self");
goto out;
}
ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack);
if (ret)
goto out;
ret = krb5_crypto_init(context, &tgt->key, 0, &crypto);
if (ret) {
free_PA_S4U2Self(&self);
krb5_data_free(&datack);
kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
krb5_get_err_text(context, ret));
goto out;
}
ret = krb5_verify_checksum(context,
crypto,
KRB5_KU_OTHER_CKSUM,
datack.data,
datack.length,
&self.cksum);
krb5_data_free(&datack);
krb5_crypto_destroy(context, crypto);
if (ret) {
free_PA_S4U2Self(&self);
kdc_log(context, config, 0,
"krb5_verify_checksum failed for S4U2Self: %s",
krb5_get_err_text(context, ret));
goto out;
}
ret = _krb5_principalname2krb5_principal(context,
&client_principal,
self.name,
self.realm);
free_PA_S4U2Self(&self);
if (ret)
goto out;
ret = krb5_unparse_name(context, client_principal, &selfcpn);
if (ret)
goto out;
/*
* Check that service doing the impersonating is
* requesting a ticket to it-self.
*/
if (krb5_principal_compare(context, cp, sp) != TRUE) {
kdc_log(context, config, 0, "S4U2Self: %s is not allowed "
"to impersonate some other user "
"(tried for user %s to service %s)",
cpn, selfcpn, spn);
free(selfcpn);
ret = KRB5KDC_ERR_BADOPTION; /* ? */
goto out;
}
/*
* If the service isn't trusted for authentication to
* delegation, remove the forward flag.
*/
if (client->entry.flags.trusted_for_delegation) {
str = "[forwardable]";
} else {
b->kdc_options.forwardable = 0;
str = "";
}
kdc_log(context, config, 0, "s4u2self %s impersonating %s to "
"service %s %s", cpn, selfcpn, spn, str);
free(selfcpn);
}
}
/*
* Constrained delegation
*/
if (client != NULL
&& b->additional_tickets != NULL
&& b->additional_tickets->len != 0
&& b->kdc_options.enc_tkt_in_skey == 0)
{
Key *clientkey;
Ticket *t;
char *str;
t = &b->additional_tickets->val[0];
ret = hdb_enctype2key(context, &client->entry,
t->enc_part.etype, &clientkey);
if(ret){
ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
goto out;
}
ret = krb5_decrypt_ticket(context, t, &clientkey->key, &adtkt, 0);
if (ret) {
kdc_log(context, config, 0,
"failed to decrypt ticket for "
"constrained delegation from %s to %s ", spn, cpn);
goto out;
}
/* check that ticket is valid */
if (adtkt.flags.forwardable == 0) {
kdc_log(context, config, 0,
"Missing forwardable flag on ticket for "
"constrained delegation from %s to %s ", spn, cpn);
ret = KRB5KDC_ERR_ETYPE_NOSUPP; /* XXX */
goto out;
}
ret = check_constrained_delegation(context, config, client, sp);
if (ret) {
kdc_log(context, config, 0,
"constrained delegation from %s to %s not allowed",
spn, cpn);
goto out;
}
ret = _krb5_principalname2krb5_principal(context,
&client_principal,
adtkt.cname,
adtkt.crealm);
if (ret)
goto out;
ret = krb5_unparse_name(context, client_principal, &str);
if (ret)
goto out;
ret = verify_flags(context, config, &adtkt, str);
if (ret) {
free(str);
goto out;
}
/*
* Check KRB5SignedPath in authorization data and add new entry to
* make sure servers can't fake a ticket to us.
*/
ret = check_KRB5SignedPath(context,
config,
krbtgt,
&adtkt,
&spp,
1);
if (ret) {
kdc_log(context, config, 0,
"KRB5SignedPath check from service %s failed "
"for delegation to %s for client %s "
"from %s failed with %s",
spn, str, cpn, from, krb5_get_err_text(context, ret));
free(str);
goto out;
}
kdc_log(context, config, 0, "constrained delegation for %s "
"from %s to %s", str, cpn, spn);
free(str);
/*
* Also require that the KDC have issue the service's krbtgt
* used to do the request.
*/
require_signedpath = 1;
}
/*
* Check flags
*/
ret = _kdc_check_flags(context, config,
client, cpn,
server, spn,
FALSE);
if(ret)
goto out;
if((b->kdc_options.validate || b->kdc_options.renew) &&
!krb5_principal_compare(context,
krbtgt->entry.principal,
server->entry.principal)){
kdc_log(context, config, 0, "Inconsistent request.");
ret = KRB5KDC_ERR_SERVER_NOMATCH;
goto out;
}
/* check for valid set of addresses */
if(!_kdc_check_addresses(context, config, tgt->caddr, from_addr)) {
ret = KRB5KRB_AP_ERR_BADADDR;
kdc_log(context, config, 0, "Request from wrong address");
goto out;
}
/*
* Select enctype, return key and kvno.
*/
{
krb5_enctype etype;
if(b->kdc_options.enc_tkt_in_skey) {
int i;
ekey = &adtkt.key;
for(i = 0; i < b->etype.len; i++)
if (b->etype.val[i] == adtkt.key.keytype)
break;
if(i == b->etype.len) {
krb5_clear_error_string(context);
return KRB5KDC_ERR_ETYPE_NOSUPP;
}
etype = b->etype.val[i];
kvno = 0;
} else {
Key *skey;
ret = _kdc_find_etype(context, server, b->etype.val, b->etype.len,
&skey, &etype);
if(ret) {
kdc_log(context, config, 0,
"Server (%s) has no support for etypes", spp);
return ret;
}
ekey = &skey->key;
kvno = server->entry.kvno;
}
ret = krb5_generate_random_keyblock(context, etype, &sessionkey);
if (ret)
goto out;
}
/* check PAC if not cross realm and if there is one */
if (!cross_realm) {
Key *tkey;
ret = hdb_enctype2key(context, &krbtgt->entry,
krbtgt_etype, &tkey);
if(ret) {
kdc_log(context, config, 0,
"Failed to find key for krbtgt PAC check");
goto out;
}
ret = check_PAC(context, config, client_principal,
client, server, ekey, &tkey->key,
tgt, &rspac, &require_signedpath);
if (ret) {
kdc_log(context, config, 0,
"Verify PAC failed for %s (%s) from %s with %s",
spn, cpn, from, krb5_get_err_text(context, ret));
goto out;
}
}
/* also check the krbtgt for signature */
ret = check_KRB5SignedPath(context,
config,
krbtgt,
tgt,
&spp,
require_signedpath);
if (ret) {
kdc_log(context, config, 0,
"KRB5SignedPath check failed for %s (%s) from %s with %s",
spn, cpn, from, krb5_get_err_text(context, ret));
goto out;
}
/*
*
*/
ret = tgs_make_reply(context,
config,
b,
client_principal,
tgt,
ekey,
&sessionkey,
kvno,
auth_data,
server,
spn,
client,
cp,
krbtgt,
krbtgt_etype,
spp,
&rspac,
e_text,
reply);
out:
free(spn);
free(cpn);
krb5_data_free(&rspac);
krb5_free_keyblock_contents(context, &sessionkey);
if(server)
_kdc_free_ent(context, server);
if(client)
_kdc_free_ent(context, client);
if (client_principal && client_principal != cp)
krb5_free_principal(context, client_principal);
if (cp)
krb5_free_principal(context, cp);
if (sp)
krb5_free_principal(context, sp);
free_EncTicketPart(&adtkt);
return ret;
}
/* Determine in which realm a cell exists. We do this by obtaining the address
* of the fileserver which holds /afs/cellname (assuming that the root.cell
* volume from the cell is mounted there), converting the address to a host
* name, and then asking libkrb5 to tell us to which realm the host belongs. */
static int
minikafs_realm_of_cell_with_ctx(krb5_context ctx,
struct _pam_krb5_options *options,
const char *cell,
char *realm, size_t length)
{
struct minikafs_ioblock iob;
struct sockaddr_in sin;
in_addr_t *address;
krb5_context use_ctx;
char *path, host[HOSTNAME_SIZE], **realms;
int i, n_addresses, ret;
if (cell) {
path = malloc(strlen(cell) + 6);
} else {
path = malloc(5);
}
if (path == NULL) {
return -1;
}
if (cell) {
sprintf(path, "/afs/%s", cell);
} else {
sprintf(path, "/afs");
}
n_addresses = 16;
do {
/* allocate the output buffer for the address [list] */
address = malloc(n_addresses * sizeof(address[0]));
if (address == NULL) {
ret = -1;
break;
}
memset(address, 0, n_addresses * sizeof(address[0]));
memset(&iob, 0, sizeof(iob));
iob.in = path;
iob.insize = strlen(path) + 1;
iob.out = (char*) &address[0];
iob.outsize = n_addresses * sizeof(address[0]);
ret = minikafs_pioctl(path, minikafs_pioctl_whereis, &iob);
/* if we failed, free the address [list], and if the error was
* E2BIG, increase the size we'll use next time, up to a
* hard-coded limit */
if (ret != 0) {
if (options->debug) {
debug("error during whereis pioctl: %s",
strerror(errno));
}
free(address);
address = NULL;
if (errno == E2BIG) {
if (n_addresses > 256) {
if (options->debug) {
debug("giving up");
}
break;
}
if (options->debug) {
debug("retrying");
}
n_addresses *= 2;
}
}
} while ((ret != 0) && (errno == E2BIG));
if (ret != 0) {
if (options->debug) {
debug("got error %d (%s) determining file server for "
"\"%s\"", errno, v5_error_message(errno), path);
}
free(path);
return ret;
}
free(path);
sin.sin_family = AF_INET;
if (options->debug) {
for (i = 0; (i < n_addresses) && (address[i] != 0); i++) {
debug("file server for \"/afs/%s\" is %u.%u.%u.%u",
cell,
(address[i] >> 0) & 0xff,
(address[i] >> 8) & 0xff,
(address[i] >> 16) & 0xff,
(address[i] >> 24) & 0xff);
}
}
if (ctx == NULL) {
if (_pam_krb5_init_ctx(&use_ctx, 0, NULL) != 0) {
free(address);
return -1;
}
} else {
use_ctx = ctx;
}
for (i = 0; (i < n_addresses) && (address[i] != 0); i++) {
memcpy(&sin.sin_addr, &address[i], sizeof(address[i]));
if (getnameinfo((const struct sockaddr*) &sin, sizeof(sin),
host, sizeof(host), NULL, 0,
NI_NAMEREQD) == 0) {
if (options->debug) {
debug("file server %d.%d.%d.%d has name %s",
(address[i] >> 0) & 0xff,
(address[i] >> 8) & 0xff,
(address[i] >> 16) & 0xff,
(address[i] >> 24) & 0xff,
host);
}
if (krb5_get_host_realm(use_ctx, host, &realms) == 0) {
strncpy(realm, realms[0], length - 1);
realm[length - 1] = '\0';
krb5_free_host_realm(use_ctx, realms);
if (options->debug) {
debug("%s is in realm %s", host, realm);
}
i = 0;
break;
}
} else {
if (options->debug) {
static int
CommandProc(struct cmd_syndesc *as, void *arock)
{
krb5_principal princ = 0;
char *cell, *pname, **hrealms, *service;
char service_temp[MAXKTCREALMLEN + 20];
krb5_creds incred[1], mcred[1], *outcred = 0, *afscred;
krb5_ccache cc = 0;
#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
krb5_get_init_creds_opt *gic_opts;
#else
krb5_get_init_creds_opt gic_opts[1];
#endif
char *tofree = NULL, *outname;
int code;
char *what;
int i, dosetpag, evil, noprdb, id;
#ifdef AFS_RXK5
int authtype;
#endif
krb5_data enc_part[1];
krb5_prompter_fct pf = NULL;
char *pass = 0;
void *pa = 0;
struct kp_arg klog_arg[1];
char passwd[BUFSIZ];
struct afsconf_cell cellconfig[1];
static char rn[] = "klog"; /*Routine name */
static int Pipe = 0; /* reading from a pipe */
static int Silent = 0; /* Don't want error messages */
int writeTicketFile = 0; /* write ticket file to /tmp */
service = 0;
memset(incred, 0, sizeof *incred);
/* blow away command line arguments */
for (i = 1; i < zero_argc; i++)
memset(zero_argv[i], 0, strlen(zero_argv[i]));
zero_argc = 0;
memset(klog_arg, 0, sizeof *klog_arg);
/* first determine quiet flag based on -silent switch */
Silent = (as->parms[aSILENT].items ? 1 : 0);
if (Silent) {
afs_set_com_err_hook(silent_errors);
}
if ((code = krb5_init_context(&k5context))) {
afs_com_err(rn, code, "while initializing Kerberos 5 library");
KLOGEXIT(code);
}
if ((code = rx_Init(0))) {
afs_com_err(rn, code, "while initializing rx");
KLOGEXIT(code);
}
initialize_U_error_table();
/*initialize_krb5_error_table();*/
initialize_RXK_error_table();
initialize_KTC_error_table();
initialize_ACFG_error_table();
/* initialize_rx_error_table(); */
if (!(tdir = afsconf_Open(AFSDIR_CLIENT_ETC_DIRPATH))) {
afs_com_err(rn, 0, "can't get afs configuration (afsconf_Open(%s))",
AFSDIR_CLIENT_ETC_DIRPATH);
KLOGEXIT(1);
}
/*
* Enable DES enctypes, which are currently still required for AFS.
* krb5_allow_weak_crypto is MIT Kerberos 1.8. krb5_enctype_enable is
* Heimdal.
*/
#if defined(HAVE_KRB5_ENCTYPE_ENABLE)
i = krb5_enctype_valid(k5context, ETYPE_DES_CBC_CRC);
if (i)
krb5_enctype_enable(k5context, ETYPE_DES_CBC_CRC);
#elif defined(HAVE_KRB5_ALLOW_WEAK_CRYPTO)
krb5_allow_weak_crypto(k5context, 1);
#endif
/* Parse remaining arguments. */
dosetpag = !! as->parms[aSETPAG].items;
Pipe = !! as->parms[aPIPE].items;
writeTicketFile = !! as->parms[aTMP].items;
noprdb = !! as->parms[aNOPRDB].items;
evil = (always_evil&1) || !! as->parms[aUNWRAP].items;
#ifdef AFS_RXK5
authtype = 0;
if (as->parms[aK5].items)
authtype |= FORCE_RXK5;
if (as->parms[aK4].items)
authtype |= FORCE_RXKAD;
if (!authtype)
authtype |= env_afs_rxk5_default();
#endif
cell = as->parms[aCELL].items ? as->parms[aCELL].items->data : 0;
if ((code = afsconf_GetCellInfo(tdir, cell, "afsprot", cellconfig))) {
if (cell)
afs_com_err(rn, code, "Can't get cell information for '%s'", cell);
else
afs_com_err(rn, code, "Can't get determine local cell!");
KLOGEXIT(code);
}
if (as->parms[aKRBREALM].items) {
code = krb5_set_default_realm(k5context,
as->parms[aKRBREALM].items->data);
if (code) {
afs_com_err(rn, code, "Can't make <%s> the default realm",
as->parms[aKRBREALM].items->data);
KLOGEXIT(code);
}
}
else if ((code = krb5_get_host_realm(k5context, cellconfig->hostName[0], &hrealms))) {
afs_com_err(rn, code, "Can't get realm for host <%s> in cell <%s>\n",
cellconfig->hostName[0], cellconfig->name);
KLOGEXIT(code);
} else {
if (hrealms && *hrealms) {
code = krb5_set_default_realm(k5context,
*hrealms);
if (code) {
afs_com_err(rn, code, "Can't make <%s> the default realm",
*hrealms);
KLOGEXIT(code);
}
}
if (hrealms) krb5_free_host_realm(k5context, hrealms);
}
id = getuid();
if (as->parms[aPRINCIPAL].items) {
pname = as->parms[aPRINCIPAL].items->data;
} else {
/* No explicit name provided: use Unix uid. */
struct passwd *pw;
pw = getpwuid(id);
if (pw == 0) {
afs_com_err(rn, 0,
"Can't figure out your name from your user id (%d).", id);
if (!Silent)
fprintf(stderr, "%s: Try providing the user name.\n", rn);
KLOGEXIT(1);
}
pname = pw->pw_name;
}
code = krb5_parse_name(k5context, pname, &princ);
if (code) {
afs_com_err(rn, code, "Can't parse principal <%s>", pname);
KLOGEXIT(code);
}
if (as->parms[aPASSWORD].items) {
/*
* Current argument is the desired password string. Remember it in
* our local buffer, and zero out the argument string - anyone can
* see it there with ps!
*/
strncpy(passwd, as->parms[aPASSWORD].items->data, sizeof(passwd));
memset(as->parms[aPASSWORD].items->data, 0,
strlen(as->parms[aPASSWORD].items->data));
pass = passwd;
}
/* Get the password if it wasn't provided. */
if (!pass) {
if (Pipe) {
strncpy(passwd, getpipepass(), sizeof(passwd));
pass = passwd;
} else {
pf = klog_prompter;
pa = klog_arg;
}
}
service = 0;
#ifdef AFS_RXK5
if (authtype & FORCE_RXK5) {
tofree = get_afs_krb5_svc_princ(cellconfig);
snprintf(service_temp, sizeof service_temp, "%s", tofree);
} else
#endif
snprintf (service_temp, sizeof service_temp, "afs/%s", cellconfig->name);
klog_arg->pp = &pass;
klog_arg->pstore = passwd;
klog_arg->allocated = sizeof(passwd);
/* XXX should allow k5 to prompt in most cases -- what about expired pw?*/
#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
code = krb5_get_init_creds_opt_alloc(k5context, &gic_opts);
if (code) {
afs_com_err(rn, code, "Can't allocate get_init_creds options");
KLOGEXIT(code);
}
#else
krb5_get_init_creds_opt_init(gic_opts);
#endif
for (;;) {
code = krb5_get_init_creds_password(k5context,
incred,
princ,
pass,
pf, /* prompter */
pa, /* data */
0, /* start_time */
0, /* in_tkt_service */
gic_opts);
if (code != KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN)
break;
}
memset(passwd, 0, sizeof(passwd));
if (code) {
char *r = 0;
if (krb5_get_default_realm(k5context, &r))
r = 0;
if (r)
afs_com_err(rn, code, "Unable to authenticate in realm %s", r);
else
afs_com_err(rn, code, "Unable to authenticate to use cell %s",
cellconfig->name);
if (r) free(r);
KLOGEXIT(code);
}
for (;;writeTicketFile = 0) {
if (writeTicketFile) {
what = "getting default ccache";
code = krb5_cc_default(k5context, &cc);
} else {
what = "krb5_cc_resolve";
code = krb5_cc_resolve(k5context, "MEMORY:core", &cc);
if (code) goto Failed;
}
what = "initializing ccache";
code = krb5_cc_initialize(k5context, cc, princ);
if (code) goto Failed;
what = "writing Kerberos ticket file";
code = krb5_cc_store_cred(k5context, cc, incred);
if (code) goto Failed;
if (writeTicketFile)
fprintf(stderr,
"Wrote ticket file to %s\n",
krb5_cc_get_name(k5context, cc));
break;
Failed:
if (code)
afs_com_err(rn, code, "%s", what);
if (writeTicketFile) {
if (cc) {
krb5_cc_close(k5context, cc);
cc = 0;
}
continue;
}
KLOGEXIT(code);
}
for (service = service_temp;;service = "afs") {
memset(mcred, 0, sizeof *mcred);
mcred->client = princ;
code = krb5_parse_name(k5context, service, &mcred->server);
if (code) {
afs_com_err(rn, code, "Unable to parse service <%s>\n", service);
KLOGEXIT(code);
}
if (tofree) { free(tofree); tofree = 0; }
if (!(code = krb5_unparse_name(k5context, mcred->server, &outname)))
tofree = outname;
else outname = service;
code = krb5_get_credentials(k5context, 0, cc, mcred, &outcred);
krb5_free_principal(k5context, mcred->server);
if (code != KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN || service != service_temp) break;
#ifdef AFS_RXK5
if (authtype & FORCE_RXK5)
break;
#endif
}
afscred = outcred;
if (code) {
afs_com_err(rn, code, "Unable to get credentials to use %s", outname);
KLOGEXIT(code);
}
#ifdef AFS_RXK5
if (authtype & FORCE_RXK5) {
struct ktc_principal aserver[1];
int viceid = 555;
memset(aserver, 0, sizeof *aserver);
strncpy(aserver->cell, cellconfig->name, MAXKTCREALMLEN-1);
code = ktc_SetK5Token(k5context, aserver, afscred, viceid, dosetpag);
if (code) {
afs_com_err(rn, code, "Unable to store tokens for cell %s\n",
cellconfig->name);
KLOGEXIT(1);
}
} else
#endif
{
struct ktc_principal aserver[1], aclient[1];
struct ktc_token atoken[1];
memset(atoken, 0, sizeof *atoken);
if (evil) {
size_t elen = enc_part->length;
atoken->kvno = RXKAD_TKT_TYPE_KERBEROS_V5_ENCPART_ONLY;
if (afs_krb5_skip_ticket_wrapper(afscred->ticket.data,
afscred->ticket.length, (char **) &enc_part->data,
&elen)) {
afs_com_err(rn, 0, "Can't unwrap %s AFS credential",
cellconfig->name);
KLOGEXIT(1);
}
} else {
atoken->kvno = RXKAD_TKT_TYPE_KERBEROS_V5;
*enc_part = afscred->ticket;
}
atoken->startTime = afscred->times.starttime;
atoken->endTime = afscred->times.endtime;
if (tkt_DeriveDesKey(get_creds_enctype(afscred),
get_cred_keydata(afscred),
get_cred_keylen(afscred), &atoken->sessionKey)) {
afs_com_err(rn, 0,
"Cannot derive DES key from enctype %i of length %u",
get_creds_enctype(afscred),
(unsigned)get_cred_keylen(afscred));
KLOGEXIT(1);
}
memcpy(atoken->ticket, enc_part->data,
atoken->ticketLen = enc_part->length);
memset(aserver, 0, sizeof *aserver);
strncpy(aserver->name, "afs", 4);
strncpy(aserver->cell, cellconfig->name, MAXKTCREALMLEN-1);
memset(aclient, 0, sizeof *aclient);
i = realm_len(k5context, afscred->client);
if (i > MAXKTCREALMLEN-1) i = MAXKTCREALMLEN-1;
memcpy(aclient->cell, realm_data(k5context, afscred->client), i);
if (!noprdb) {
int viceid = 0;
k5_to_k4_name(k5context, afscred->client, aclient);
code = whoami(atoken, cellconfig, aclient, &viceid);
if (code) {
afs_com_err(rn, code, "Can't get your viceid for cell %s", cellconfig->name);
*aclient->name = 0;
} else
snprintf(aclient->name, MAXKTCNAMELEN-1, "AFS ID %d", viceid);
}
if (!*aclient->name)
k5_to_k4_name(k5context, afscred->client, aclient);
code = ktc_SetToken(aserver, atoken, aclient, dosetpag);
if (code) {
afs_com_err(rn, code, "Unable to store tokens for cell %s\n",
cellconfig->name);
KLOGEXIT(1);
}
}
krb5_free_principal(k5context, princ);
krb5_free_cred_contents(k5context, incred);
if (outcred) krb5_free_creds(k5context, outcred);
if (cc)
krb5_cc_close(k5context, cc);
if (tofree) free(tofree);
return 0;
}
static int
krb5_verify(const struct passwd *login_info,
const struct passwd *su_info,
const char *instance)
{
krb5_error_code ret;
krb5_principal p;
krb5_realm *realms, *r;
char *login_name = NULL;
int user_ok = 0;
#if defined(HAVE_GETLOGIN) && !defined(POSIX_GETLOGIN)
login_name = getlogin();
#endif
ret = krb5_init_context (&context);
if (ret) {
#if 0
warnx("krb5_init_context failed: %d", ret);
#endif
return 1;
}
ret = krb5_get_default_realms(context, &realms);
if (ret)
return 1;
/* Check all local realms */
for (r = realms; *r != NULL && !user_ok; r++) {
if (login_name == NULL || strcmp (login_name, "root") == 0)
login_name = login_info->pw_name;
if (strcmp (su_info->pw_name, "root") == 0)
ret = krb5_make_principal(context, &p, *r,
login_name,
instance,
NULL);
else
ret = krb5_make_principal(context, &p, *r,
su_info->pw_name,
NULL);
if (ret) {
krb5_free_host_realm(context, realms);
return 1;
}
/* if we are su-ing too root, check with krb5_kuserok */
if (su_info->pw_uid == 0 && !krb5_kuserok(context, p, su_info->pw_name))
continue;
ret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, &ccache);
if(ret) {
krb5_free_host_realm(context, realms);
krb5_free_principal (context, p);
return 1;
}
ret = krb5_verify_user(context, p, ccache, NULL, TRUE, NULL);
krb5_free_principal (context, p);
switch (ret) {
case 0:
user_ok = 1;
break;
case KRB5_LIBOS_PWDINTR :
krb5_cc_destroy(context, ccache);
break;
case KRB5KRB_AP_ERR_BAD_INTEGRITY:
case KRB5KRB_AP_ERR_MODIFIED:
krb5_cc_destroy(context, ccache);
krb5_warnx(context, "Password incorrect");
break;
default :
krb5_cc_destroy(context, ccache);
krb5_warn(context, ret, "krb5_verify_user");
break;
}
}
krb5_free_host_realm(context, realms);
if (!user_ok)
return 1;
return 0;
}
int
_GetSecurityObject(struct afscp_cell *cell)
{
int code = ENOENT;
#ifdef HAVE_KERBEROS
krb5_context context;
krb5_creds match;
krb5_creds *cred;
krb5_ccache cc;
char **realms, *realm;
struct afsconf_cell celldata;
char localcell[MAXCELLCHARS + 1];
struct rx_securityClass *sc;
struct ktc_encryptionKey k;
int i;
rxkad_level l;
code = _GetCellInfo(cell->name, &celldata);
if (code != 0) {
goto try_anon;
}
if (authas_name[0]) {
code = _GetLocalSecurityObject(cell, authas_name, authas_inst);
if (code == 0) {
return 0;
}
}
code = krb5_init_context(&context); /* see aklog.c main() */
if (code != 0) {
goto try_anon;
}
if (cell->realm == NULL) {
realm = NULL;
code = krb5_get_host_realm(context, celldata.hostName[0], &realms);
if (code == 0) {
strlcpy(localcell, realms[0], sizeof(localcell));
krb5_free_host_realm(context, realms);
realm = localcell;
} else
goto try_anon;
} else {
realm = cell->realm;
strlcpy(localcell, realm, MAXCELLCHARS + 1);
}
if (realm)
if (realm == NULL) {
for (i = 0; (i < MAXCELLCHARS && cell->name[i]); i++) {
if (isalpha(cell->name[i]))
localcell[i] = toupper(cell->name[i]);
else
localcell[i] = cell->name[i];
}
localcell[i] = '\0';
realm = localcell;
}
cc = NULL;
code = krb5_cc_default(context, &cc);
memset(&match, 0, sizeof(match));
Z_enctype(Z_credskey(&match)) = ENCTYPE_DES_CBC_CRC;
if (code == 0)
code = krb5_cc_get_principal(context, cc, &match.client);
if (code == 0)
code = krb5_build_principal(context, &match.server,
strlen(realm), realm,
"afs", cell->name, NULL);
if (code != 0) {
krb5_free_cred_contents(context, &match);
if (cc)
krb5_cc_close(context, cc);
krb5_free_context(context);
goto try_anon;
}
code = krb5_get_credentials(context, 0, cc, &match, &cred);
if (code != 0) {
krb5_free_principal(context, match.server);
match.server = NULL;
code = krb5_build_principal(context, &match.server,
strlen(realm), realm, "afs", NULL);
if (code == 0)
code = krb5_get_credentials(context, 0, cc, &match, &cred);
if (code != 0) {
krb5_free_cred_contents(context, &match);
if (cc)
krb5_cc_close(context, cc);
krb5_free_context(context);
goto try_anon;
}
}
if (insecure)
l = rxkad_clear;
else
l = rxkad_crypt;
memcpy(&k.data, Z_keydata(Z_credskey(cred)), 8);
sc = (struct rx_securityClass *)rxkad_NewClientSecurityObject
(l, &k, RXKAD_TKT_TYPE_KERBEROS_V5,
cred->ticket.length, cred->ticket.data);
krb5_free_creds(context, cred);
krb5_free_cred_contents(context, &match);
if (cc)
krb5_cc_close(context, cc);
krb5_free_context(context);
cell->security = sc;
cell->scindex = 2;
return 0;
try_anon:
#endif /* HAVE_KERBEROS */
if (try_anonymous)
return _GetNullSecurityObject(cell);
else
return code;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sname_to_principal (krb5_context context,
const char *hostname,
const char *sname,
int32_t type,
krb5_principal *ret_princ)
{
krb5_error_code ret;
char localhost[MAXHOSTNAMELEN];
char **realms;
size_t len;
if(type != KRB5_NT_SRV_HST && type != KRB5_NT_UNKNOWN) {
krb5_set_error_message(context, KRB5_SNAME_UNSUPP_NAMETYPE,
N_("unsupported name type %d", ""),
(int)type);
return KRB5_SNAME_UNSUPP_NAMETYPE;
}
if(hostname == NULL) {
ret = gethostname(localhost, sizeof(localhost) - 1);
if (ret != 0) {
ret = errno;
krb5_set_error_message(context, ret,
N_("Failed to get local hostname", ""));
return ret;
}
localhost[sizeof(localhost) - 1] = '\0';
} else {
strlcpy(localhost, hostname, sizeof(localhost));
}
if(sname == NULL)
sname = "host";
if(type == KRB5_NT_SRV_HST) {
char *host;
ret = krb5_expand_hostname_realms (context, localhost,
&host, &realms);
if (ret)
return ret;
strlwr(host);
strlcpy(localhost, host, sizeof(localhost));
free(host);
} else {
ret = krb5_get_host_realm(context, hostname, &realms);
if(ret)
return ret;
}
/*
* Squash any trailing . on the hostname since that is jolly good
* to have when looking up a DNS name (qualified), but its no good
* to have in the kerberos principal since those are supposed to
* be in qualified format already.
*/
len = strlen(localhost);
if (len > 0 && localhost[len - 1] == '.')
localhost[len - 1] = '\0';
ret = krb5_make_principal(context, ret_princ, realms[0], sname,
localhost, NULL);
krb5_free_host_realm(context, realms);
return ret;
}
