Esempio n. 1
0
/* Point GSSAPI at the KDB keytab so we don't need an actual file keytab. */
static krb5_error_code
setup_kdb_keytab()
{
    krb5_error_code ret;

    ret = krb5_ktkdb_set_context(context);
    if (ret)
        return ret;
    ret = krb5_db_register_keytab(context);
    if (ret)
        return ret;
    return krb5_gss_register_acceptor_identity("KDB:");
}
Esempio n. 2
0
static void nfs_Init(const nfs_start_info_t *p_start_info)
{
	cache_inode_status_t cache_status;
	state_status_t state_status;
	int rc = 0;
#ifdef _HAVE_GSSAPI
	gss_buffer_desc gss_service_buf;
	OM_uint32 maj_stat, min_stat;
	char GssError[MAXNAMLEN + 1];
#endif

#ifdef USE_DBUS
	/* DBUS init */
	gsh_dbus_pkginit();
#ifdef USE_DBUS_STATS
	dbus_export_init();
	dbus_client_init();
#endif
#endif

	/* Cache Inode Initialisation */
	cache_status = cache_inode_init();
	if (cache_status != CACHE_INODE_SUCCESS) {
		LogFatal(COMPONENT_INIT,
			 "Cache Inode Layer could not be initialized, status=%s",
			 cache_inode_err_str(cache_status));
	}

	state_status = state_lock_init(nfs_param.cache_param.cookie_param);
	if (state_status != STATE_SUCCESS) {
		LogFatal(COMPONENT_INIT,
			 "State Lock Layer could not be initialized, status=%s",
			 state_err_str(state_status));
	}
	LogInfo(COMPONENT_INIT, "Cache Inode library successfully initialized");

	/* Cache Inode LRU (call this here, rather than as part of
	   cache_inode_init() so the GC policy has been set */
	rc = cache_inode_lru_pkginit();
	if (rc != 0) {
		LogFatal(COMPONENT_INIT,
			 "Unable to initialize LRU subsystem: %d.", rc);
	}

	/* finish the job with exports by caching the root entries
	 */
	exports_pkginit();

	nfs41_session_pool =
	    pool_init("NFSv4.1 session pool", sizeof(nfs41_session_t),
		      pool_basic_substrate, NULL, NULL, NULL);

	request_pool =
	    pool_init("Request pool", sizeof(request_data_t),
		      pool_basic_substrate, NULL,
		      NULL /* FASTER constructor_request_data_t */ ,
		      NULL);
	if (!request_pool) {
		LogCrit(COMPONENT_INIT, "Error while allocating request pool");
		LogError(COMPONENT_INIT, ERR_SYS, ERR_MALLOC, errno);
		Fatal();
	}

	request_data_pool =
	    pool_init("Request Data Pool", sizeof(nfs_request_data_t),
		      pool_basic_substrate, NULL,
		      NULL /* FASTER constructor_nfs_request_data_t */ ,
		      NULL);
	if (!request_data_pool) {
		LogCrit(COMPONENT_INIT,
			"Error while allocating request data pool");
		LogError(COMPONENT_INIT, ERR_SYS, ERR_MALLOC, errno);
		Fatal();
	}

	dupreq_pool =
	    pool_init("Duplicate Request Pool", sizeof(dupreq_entry_t),
		      pool_basic_substrate, NULL, NULL, NULL);
	if (!(dupreq_pool)) {
		LogCrit(COMPONENT_INIT,
			"Error while allocating duplicate request pool");
		LogError(COMPONENT_INIT, ERR_SYS, ERR_MALLOC, errno);
		Fatal();
	}
#ifdef _USE_ASYNC_CACHE_INODE
	/* Start the TAD and synclets for writeback cache inode */
	cache_inode_async_init(nfs_param.cache_layers_param.
			       cache_inode_client_param);
#endif

	/* If rpcsec_gss is used, set the path to the keytab */
#ifdef _HAVE_GSSAPI
#ifdef HAVE_KRB5
	if (nfs_param.krb5_param.active_krb5) {
		OM_uint32 gss_status = GSS_S_COMPLETE;

		if (nfs_param.krb5_param.keytab[0] != '\0')
			gss_status =
			    krb5_gss_register_acceptor_identity(nfs_param.
								krb5_param.
								keytab);

		if (gss_status != GSS_S_COMPLETE) {
			log_sperror_gss(GssError, gss_status, 0);
			LogFatal(COMPONENT_INIT,
				 "Error setting krb5 keytab to value %s is %s",
				 nfs_param.krb5_param.keytab, GssError);
		}
		LogInfo(COMPONENT_INIT,
			"krb5 keytab path successfully set to %s",
			nfs_param.krb5_param.keytab);
#endif				/* HAVE_KRB5 */

		/* Set up principal to be use for GSSAPPI within GSSRPC/KRB5 */
		gss_service_buf.value = nfs_param.krb5_param.svc.principal;
		gss_service_buf.length =
			strlen(nfs_param.krb5_param.svc.principal) + 1;
		/* The '+1' is not to be forgotten, for the '\0' at the end */

		maj_stat = gss_import_name(&min_stat, &gss_service_buf,
					   (gss_OID) GSS_C_NT_HOSTBASED_SERVICE,
					   &nfs_param.krb5_param.svc.gss_name);
		if (maj_stat != GSS_S_COMPLETE) {
			log_sperror_gss(GssError, maj_stat, min_stat);
			LogFatal(COMPONENT_INIT,
				 "Error importing gss principal %s is %s",
				 nfs_param.krb5_param.svc.principal, GssError);
		}

		if (nfs_param.krb5_param.svc.gss_name == GSS_C_NO_NAME)
			LogInfo(COMPONENT_INIT,
				"Regression:  svc.gss_name == GSS_C_NO_NAME");

		LogInfo(COMPONENT_INIT, "gss principal \"%s\" successfully set",
			nfs_param.krb5_param.svc.principal);

		/* Set the principal to GSSRPC */
		if (!svcauth_gss_set_svc_name
		    (nfs_param.krb5_param.svc.gss_name)) {
			LogFatal(COMPONENT_INIT,
				 "Impossible to set gss principal to GSSRPC");
		}

		/* Don't release name until shutdown, it will be used by the
		 * backchannel. */

#ifdef HAVE_KRB5
	}			/*  if( nfs_param.krb5_param.active_krb5 ) */
#endif				/* HAVE_KRB5 */
#endif				/* _HAVE_GSSAPI */

	/* RPC Initialisation - exits on failure */
	nfs_Init_svc();
	LogInfo(COMPONENT_INIT, "RPC ressources successfully initialized");

	/* Admin initialisation */
	nfs_Init_admin_thread();

	LogEvent(COMPONENT_INIT, "Initializing ID Mapper.");
	if (!idmapper_init())
		LogFatal(COMPONENT_INIT, "Failed initializing ID Mapper.");
	else
		LogEvent(COMPONENT_INIT, "ID Mapper successfully initialized.");

	/* Init the NFSv4 Clientid cache */
	LogDebug(COMPONENT_INIT, "Now building NFSv4 clientid cache");
	if (nfs_Init_client_id(&nfs_param.client_id_param) !=
	    CLIENT_ID_SUCCESS) {
		LogFatal(COMPONENT_INIT,
			 "Error while initializing NFSv4 clientid cache");
	}
	LogInfo(COMPONENT_INIT,
		"NFSv4 clientid cache successfully initialized");

	/* Init duplicate request cache */
	dupreq2_pkginit();
	LogInfo(COMPONENT_INIT,
		"duplicate request hash table cache successfully initialized");

	/* Init the IP/name cache */
	LogDebug(COMPONENT_INIT, "Now building IP/name cache");
	if (nfs_Init_ip_name(nfs_param.ip_name_param) != IP_NAME_SUCCESS) {
		LogFatal(COMPONENT_INIT,
			 "Error while initializing IP/name cache");
	}
	LogInfo(COMPONENT_INIT, "IP/name cache successfully initialized");

	/* Init The NFSv4 State id cache */
	LogDebug(COMPONENT_INIT, "Now building NFSv4 State Id cache");
	if (nfs4_Init_state_id(&nfs_param.state_id_param) != 0) {
		LogFatal(COMPONENT_INIT,
			 "Error while initializing NFSv4 State Id cache");
	}
	LogInfo(COMPONENT_INIT,
		"NFSv4 State Id cache successfully initialized");

	/* Init The NFSv4 Open Owner cache */
	LogDebug(COMPONENT_INIT, "Now building NFSv4 Owner cache");
	if (Init_nfs4_owner(&nfs_param.nfs4_owner_param) != 0) {
		LogFatal(COMPONENT_INIT,
			 "Error while initializing NFSv4 Owner cache");
	}
	LogInfo(COMPONENT_INIT,
		"NFSv4 Open Owner cache successfully initialized");

	if (nfs_param.core_param.enable_NLM) {
		/* Init The NLM Owner cache */
		LogDebug(COMPONENT_INIT, "Now building NLM Owner cache");
		if (Init_nlm_hash() != 0) {
			LogFatal(COMPONENT_INIT,
				 "Error while initializing NLM Owner cache");
		}
		LogInfo(COMPONENT_INIT,
			"NLM Owner cache successfully initialized");
		nlm_init();
	}
#ifdef _USE_9P
	/* Init the 9P lock owner cache */
	LogDebug(COMPONENT_INIT, "Now building 9P Owner cache");
	if (Init_9p_hash() != 0) {
		LogFatal(COMPONENT_INIT,
			 "Error while initializing 9P Owner cache");
	}
	LogInfo(COMPONENT_INIT, "9P Owner cache successfully initialized");
#endif

	LogDebug(COMPONENT_INIT, "Now building NFSv4 Session Id cache");
	if (nfs41_Init_session_id(&nfs_param.session_id_param) != 0) {
		LogFatal(COMPONENT_INIT,
			 "Error while initializing NFSv4 Session Id cache");
	}
	LogInfo(COMPONENT_INIT,
		"NFSv4 Session Id cache successfully initialized");

	LogDebug(COMPONENT_INIT, "Now building NFSv4 ACL cache");
	if (nfs4_acls_init() != 0) {
		LogCrit(COMPONENT_INIT, "Error while initializing NFSv4 ACLs");
		exit(1);
	}
	LogInfo(COMPONENT_INIT, "NFSv4 ACL cache successfully initialized");

#ifdef _USE_9P
	LogDebug(COMPONENT_INIT, "Now building 9P resources");
	if (_9p_init(&nfs_param._9p_param)) {
		LogCrit(COMPONENT_INIT,
			"Error while initializing 9P Resources");
		exit(1);
	}
	LogInfo(COMPONENT_INIT, "9P resources successfully initialized");
#endif				/* _USE_9P */

	/* Creates the pseudo fs */
	LogDebug(COMPONENT_INIT, "Now building pseudo fs");
	rc = nfs4_ExportToPseudoFS();
	if (rc != 0)
		LogFatal(COMPONENT_INIT,
			 "Error %d while initializing NFSv4 pseudo file system",
			 rc);

	LogInfo(COMPONENT_INIT,
		"NFSv4 pseudo file system successfully initialized");

	/* Save Ganesha thread credentials with Frank's routine for later use */
	fsal_save_ganesha_credentials();

	/* Create stable storage directory, this needs to be done before
	 * starting the recovery thread.
	 */
	nfs4_create_recov_dir();

	/* initialize grace and read in the client IDs */
	nfs4_init_grace();
	nfs4_load_recov_clids(NULL);

	/* Start grace period */
	nfs4_start_grace(NULL);

	/* callback dispatch */
	nfs_rpc_cb_pkginit();
#ifdef _USE_CB_SIMULATOR
	nfs_rpc_cbsim_pkginit();
#endif				/*  _USE_CB_SIMULATOR */

}				/* nfs_Init */
Esempio n. 3
0
int
main(int argc, char *argv[])
{
    OM_uint32 minor, major;
    gss_cred_id_t impersonator_cred_handle = GSS_C_NO_CREDENTIAL;
    gss_cred_id_t user_cred_handle = GSS_C_NO_CREDENTIAL;
    gss_cred_id_t delegated_cred_handle = GSS_C_NO_CREDENTIAL;
    gss_name_t user = GSS_C_NO_NAME, target = GSS_C_NO_NAME;
    gss_OID_set mechs;

    if (argc < 2 || argc > 5) {
        fprintf(stderr, "Usage: %s [--spnego] [user] "
                "[proxy-target] [keytab]\n", argv[0]);
        fprintf(stderr, "       proxy-target and keytab are optional\n");
        exit(1);
    }

    if (strcmp(argv[1], "--spnego") == 0) {
        use_spnego++;
        argc--;
        argv++;
    }

    user = import_name(argv[1]);

    if (argc > 2 && strcmp(argv[2], "-"))
        target = import_name(argv[2]);

    if (argc > 3) {
        major = krb5_gss_register_acceptor_identity(argv[3]);
        check_gsserr("krb5_gss_register_acceptor_identity", major, 0);
    }

    /* Get default cred. */
    mechs = use_spnego ? &mechset_spnego : &mechset_krb5;
    major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE, mechs,
                             GSS_C_BOTH, &impersonator_cred_handle, NULL,
                             NULL);
    check_gsserr("gss_acquire_cred", major, minor);

    printf("Protocol transition tests follow\n");
    printf("-----------------------------------\n\n");

    test_greet_authz_data(&user);

    /* Get S4U2Self cred. */
    major = gss_acquire_cred_impersonate_name(&minor, impersonator_cred_handle,
                                              user, GSS_C_INDEFINITE, mechs,
                                              GSS_C_INITIATE,
                                              &user_cred_handle, NULL, NULL);
    check_gsserr("gss_acquire_cred_impersonate_name", major, minor);

    init_accept_sec_context(user_cred_handle, impersonator_cred_handle,
                            &delegated_cred_handle);
    printf("\n");

    if (target != GSS_C_NO_NAME &&
        delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
        constrained_delegate(mechs, target, delegated_cred_handle,
                             impersonator_cred_handle);
    } else if (target != GSS_C_NO_NAME) {
        fprintf(stderr, "Warning: no delegated cred handle returned\n\n");
        fprintf(stderr, "Verify:\n\n");
        fprintf(stderr, " - The TGT for the impersonating service is "
                "forwardable\n");
        fprintf(stderr, " - The T2A4D flag set on the impersonating service's "
                "UAC\n");
        fprintf(stderr, " - The user is not marked sensitive and cannot be "
                "delegated\n");
        fprintf(stderr, "\n");
    }

    (void)gss_release_name(&minor, &user);
    (void)gss_release_name(&minor, &target);
    (void)gss_release_cred(&minor, &delegated_cred_handle);
    (void)gss_release_cred(&minor, &impersonator_cred_handle);
    (void)gss_release_cred(&minor, &user_cred_handle);
    return 0;
}
Esempio n. 4
0
int
main(int argc, char **argv)
{
    krb5_error_code ret;
    int optidx = 0;
    int i;
    krb5_keytab keytab;
    krb5_socket_t sfd = rk_INVALID_SOCKET;

    setprogname(argv[0]);

    ret = krb5_init_context(&context);
    if (ret)
	errx (1, "krb5_init_context failed: %d", ret);

    if (getarg(args, num_args, argc, argv, &optidx)) {
	warnx("error at argument `%s'", argv[optidx]);
	usage(1);
    }

    if (help_flag)
	usage (0);

    if (version_flag) {
	print_version(NULL);
	exit(0);
    }

    setup_context(context);

    /*
     * Now, do the same for the gssapi thread we are going to be running in
     */
    {
	krb5_context gssctx;
	ret = _gsskrb5_init(&gssctx);
	if (ret)
	    errx(1, "failed to setup gssapi context");
	setup_context(gssctx);
	krb5_gss_register_acceptor_identity("HDB:");
    }

    ret = krb5_kt_resolve(context, keytab_str, &keytab);
    if(ret)
	krb5_err(context, 1, ret, "krb5_kt_resolve");

    kadm5_setup_passwd_quality_check (context, check_library, check_function);

    for (i = 0; i < policy_libraries.num_strings; i++) {
	ret = kadm5_add_passwd_quality_verifier(context,
						policy_libraries.strings[i]);
	if (ret)
	    krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier");
    }
    ret = kadm5_add_passwd_quality_verifier(context, NULL);
    if (ret)
	krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier");

#ifdef ___APPLE__
    if (sandbox_flag) {
	char *errorstring;
	ret = sandbox_init("kadmind", SANDBOX_NAMED, &errorstring);
	if (ret)
	    errx(1, "sandbox_init failed: %d: %s", ret, errorstring);
    }
#endif

    if(debug_flag) {
	int debug_port;

	if(port_str == NULL)
	    debug_port = krb5_getportbyname (context, "kerberos-adm",
					     "tcp", 749);
	else
	    debug_port = htons(atoi(port_str));
	mini_inetd(debug_port, &sfd);
    } else {
#ifdef _WIN32
	pidfile(NULL);
	start_server(context, port_str);
#else
	struct sockaddr_storage __ss;
	struct sockaddr *sa = (struct sockaddr *)&__ss;
	socklen_t sa_size = sizeof(__ss);

	/*
	 * Check if we are running inside inetd or not, if not, start
	 * our own server.
	 */

	if(roken_getsockname(STDIN_FILENO, sa, &sa_size) < 0 &&
	   rk_SOCK_ERRNO == ENOTSOCK) {
	    pidfile(NULL);
	    start_server(context, port_str);
	}
#endif /* _WIN32 */
	sfd = STDIN_FILENO;
    }

    if(realm)
	krb5_set_default_realm(context, realm); /* XXX */

    kadmind_loop(context, keytab, sfd);

    return 0;
}