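/*
 * Construct a host-based principal, similar to krb5_sname_to_principal() but
 * with a specified realm.
 *
 * hostname may be NULL, in which case the local hostname is used; sname and
 * realm must be non-NULL.  The hostname is canonicalized with
 * krb5_expand_hostname() before the principal is built.
 *
 * On success *princ_out is a newly built principal of type KRB5_NT_SRV_HST
 * which the caller is responsible for freeing.  On failure *princ_out is NULL
 * and the return value is a krb5 error code, or SOCKET_ERRNO if gethostname()
 * failed.
 */
krb5_error_code
sn2princ_realm(krb5_context context, const char *hostname, const char *sname,
               const char *realm, krb5_principal *princ_out)
{
    krb5_error_code ret;
    char *canonhost, localname[MAXHOSTNAMELEN];

    *princ_out = NULL;
    assert(sname != NULL && realm != NULL);

    /* If hostname is NULL, use the local hostname. */
    if (hostname == NULL) {
        if (gethostname(localname, sizeof(localname)) != 0)
            return SOCKET_ERRNO;
        /*
         * If the name was truncated, gethostname() is not required to
         * NUL-terminate the buffer; terminate it explicitly so that the
         * later string operations never read past the end of localname.
         */
        localname[sizeof(localname) - 1] = '\0';
        hostname = localname;
    }

    ret = krb5_expand_hostname(context, hostname, &canonhost);
    if (ret)
        return ret;

    ret = krb5_build_principal(context, princ_out, strlen(realm), realm,
                               sname, canonhost, (char *)NULL);
    krb5_free_string(context, canonhost);
    if (!ret)
        (*princ_out)->type = KRB5_NT_SRV_HST;
    return ret;
}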
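/*
 * Run krb5_expand_hostname() and krb5_expand_hostname_realms() on host and,
 * when debug_flag is set, print the expanded name and the realms found.
 * A failure of either call is reported through krb5_err() with exit status 1;
 * the code after each krb5_err() call assumes it does not return.
 * Always returns 0.
 */
static int
expand_hostname(krb5_context context, const char *host)
{
    krb5_error_code ret;
    char *h, **r;

    ret = krb5_expand_hostname(context, host, &h);
    if (ret)
        krb5_err(context, 1, ret, "krb5_expand_hostname(%s)", host);

    /*
     * Print before freeing: the original order freed h and then passed it
     * to printf(), a use-after-free whenever debug_flag was set.
     */
    if (debug_flag)
        printf("hostname: %s -> %s\n", host, h);
    free(h);

    ret = krb5_expand_hostname_realms(context, host, &h, &r);
    if (ret)
        krb5_err(context, 1, ret, "krb5_expand_hostname_realms(%s)", host);

    if (debug_flag) {
        int j;

        printf("hostname: %s -> %s\n", host, h);
        /* r is a NULL-terminated list of realm names. */
        for (j = 0; r[j] != NULL; j++)
            printf("\trealm: %s\n", r[j]);
    }

    free(h);
    krb5_free_host_realm(context, r);
    return 0;
}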
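/*
 * Function: add_admin_princs
 *
 * Purpose: create the administrative service principals for a realm
 *
 * Arguments:
 *
 *      handle          (input) kadm5 server handle passed to add_admin_princ()
 *      context         (input) krb5 context
 *      realm           (input) realm, or NULL for default realm
 *      <return value>  (output) status, 0 for success, otherwise an errno
 *                      value or a krb5 error code
 *
 * Requires:
 *
 *      progname is set, since it is used for com_err() messages.
 *
 * Effects:
 *
 *      add_admin_princs determines the canonical local hostname and then
 *      creates kadmin/<canonhost>, KADM5_ADMIN_SERVICE,
 *      KADM5_CHANGEPW_SERVICE and kiprop/<canonhost> via add_admin_princ().
 *      The first three are created with KRB5_KDB_DISALLOW_TGT_BASED and
 *      KRB5_KDB_LOCKDOWN_KEYS (the changepw service also gets
 *      KRB5_KDB_PWCHANGE_SERVICE) and the corresponding lifetime; the kiprop
 *      principal is created with no attributes and no lifetime.  If any of
 *      these exist a message is printed.  If any of these existing principals
 *      do not have the proper attributes, a warning message is printed.
 *      The function stops at the first failure and returns its status.
 */
static int
add_admin_princs(void *handle, krb5_context context, char *realm)
{
    krb5_error_code ret = 0;
    char *service_name = NULL, *kiprop_name = NULL, *canonhost = NULL;
    char localname[MAXHOSTNAMELEN];

    if (gethostname(localname, sizeof(localname))) {
        ret = errno;
        perror("gethostname");
        goto clean_and_exit;
    }
    /*
     * gethostname() need not NUL-terminate a name it truncated; terminate
     * explicitly so krb5_expand_hostname() never reads past the buffer.
     */
    localname[sizeof(localname) - 1] = '\0';

    ret = krb5_expand_hostname(context, localname, &canonhost);
    if (ret) {
        com_err(progname, ret, _("while canonicalizing local hostname"));
        goto clean_and_exit;
    }

    /*
     * On failure asprintf() leaves the output pointer undefined, so reset it
     * before the cleanup path frees it.
     */
    if (asprintf(&service_name, "kadmin/%s", canonhost) < 0) {
        service_name = NULL;
        ret = ENOMEM;
        fprintf(stderr, _("Out of memory\n"));
        goto clean_and_exit;
    }
    if (asprintf(&kiprop_name, "kiprop/%s", canonhost) < 0) {
        kiprop_name = NULL;
        ret = ENOMEM;
        fprintf(stderr, _("Out of memory\n"));
        goto clean_and_exit;
    }

    ret = add_admin_princ(handle, context, service_name, realm,
                          KRB5_KDB_DISALLOW_TGT_BASED | KRB5_KDB_LOCKDOWN_KEYS,
                          ADMIN_LIFETIME);
    if (ret)
        goto clean_and_exit;

    ret = add_admin_princ(handle, context, KADM5_ADMIN_SERVICE, realm,
                          KRB5_KDB_DISALLOW_TGT_BASED | KRB5_KDB_LOCKDOWN_KEYS,
                          ADMIN_LIFETIME);
    if (ret)
        goto clean_and_exit;

    ret = add_admin_princ(handle, context, KADM5_CHANGEPW_SERVICE, realm,
                          KRB5_KDB_DISALLOW_TGT_BASED |
                          KRB5_KDB_PWCHANGE_SERVICE | KRB5_KDB_LOCKDOWN_KEYS,
                          CHANGEPW_LIFETIME);
    if (ret)
        goto clean_and_exit;

    ret = add_admin_princ(handle, context, kiprop_name, realm, 0, 0);

clean_and_exit:
    krb5_free_string(context, canonhost);
    free(service_name);
    free(kiprop_name);
    return ret;
}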