コード例 #1
ファイル: kadm5_create.c プロジェクト: INNOAUS/krb5
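/*
 * Function: add_admin_princs
 *
 * Purpose: create admin principals
 *
 * Arguments:
 *
 *      handle          (input) passed unchanged to add_admin_princ
 *      context         (input) krb5 context used to canonicalize the
 *                      local hostname and to free the result
 *      realm           (input) realm, or NULL for default realm
 *      <return value>  (output) status, 0 for success; otherwise errno
 *                      from gethostname, ENOMEM, or the error returned
 *                      by krb5_expand_hostname or add_admin_princ
 *
 * Requires:
 *
 * Effects:
 *
 * add_admin_princs asks add_admin_princ to create, in this order,
 * kadmin/<canonical hostname>, KADM5_ADMIN_SERVICE,
 * KADM5_CHANGEPW_SERVICE and kiprop/<canonical hostname>, stopping at
 * the first failure.  If any of these exist a message is printed.  If
 * any of these existing principals do not have the proper attributes,
 * a warning message is printed.  (Both messages would come from
 * add_admin_princ, which is not visible here -- confirm.)
 */
static int add_admin_princs(void *handle, krb5_context context, char *realm)
{
    krb5_error_code ret = 0;
    char *service_name = NULL, *kiprop_name = NULL, *canonhost = NULL;
    char localname[MAXHOSTNAMELEN];

    if (gethostname(localname, sizeof(localname))) {
        ret = errno;
        perror("gethostname");
        goto clean_and_exit;
    }
    /*
     * POSIX leaves it unspecified whether a truncated hostname is
     * NUL-terminated; terminate it before it is read as a C string.
     */
    localname[sizeof(localname) - 1] = '\0';

    ret = krb5_expand_hostname(context, localname, &canonhost);
    if (ret) {
        com_err(progname, ret, _("while canonicalizing local hostname"));
        goto clean_and_exit;
    }
    if (asprintf(&service_name, "kadmin/%s", canonhost) < 0) {
        /*
         * Some asprintf implementations leave the output pointer
         * indeterminate on failure; reset it so the free() in the
         * cleanup path is safe.
         */
        service_name = NULL;
        ret = ENOMEM;
        fprintf(stderr, _("Out of memory\n"));
        goto clean_and_exit;
    }
    if (asprintf(&kiprop_name, "kiprop/%s", canonhost) < 0) {
        kiprop_name = NULL;     /* same reason as for service_name */
        ret = ENOMEM;
        fprintf(stderr, _("Out of memory\n"));
        goto clean_and_exit;
    }

    /*
     * The three admin service principals share DISALLOW_TGT_BASED and
     * LOCKDOWN_KEYS.  NOTE(review): by their names these restrict the
     * services to initially-authenticated tickets and protect their
     * keys from change or extraction -- confirm against kdb.h.
     */
    ret = add_admin_princ(handle, context, service_name, realm,
                          KRB5_KDB_DISALLOW_TGT_BASED |
                          KRB5_KDB_LOCKDOWN_KEYS,
                          ADMIN_LIFETIME);
    if (ret)
        goto clean_and_exit;

    ret = add_admin_princ(handle, context, KADM5_ADMIN_SERVICE, realm,
                          KRB5_KDB_DISALLOW_TGT_BASED |
                          KRB5_KDB_LOCKDOWN_KEYS,
                          ADMIN_LIFETIME);
    if (ret)
        goto clean_and_exit;

    ret = add_admin_princ(handle, context, KADM5_CHANGEPW_SERVICE, realm,
                          KRB5_KDB_DISALLOW_TGT_BASED |
                          KRB5_KDB_PWCHANGE_SERVICE |
                          KRB5_KDB_LOCKDOWN_KEYS,
                          CHANGEPW_LIFETIME);
    if (ret)
        goto clean_and_exit;

    /*
     * NOTE(review): kiprop/<host> is created with no attribute flags
     * and a lifetime argument of 0; how add_admin_princ interprets 0
     * is not visible here.
     */
    ret = add_admin_princ(handle, context, kiprop_name, realm, 0, 0);

clean_and_exit:
    /* All three pointers are NULL unless successfully allocated. */
    krb5_free_string(context, canonhost);
    free(service_name);
    free(kiprop_name);

    return ret;
}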
コード例 #2
ファイル: kadm5_create.c プロジェクト: aosm/Kerberos
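/*
 * Function: add_admin_princs
 *
 * Purpose: create admin principals
 *
 * Arguments:
 *
 *      handle          (input) passed unchanged to add_admin_princ
 *      context         (input) krb5 context, passed unchanged to
 *                      add_admin_princ
 *      realm           (input) realm, or NULL for default realm
 *      <return value>  (output) status, 0 for success; otherwise errno
 *                      from gethostname, EINVAL when the canonical
 *                      hostname cannot be determined or does not fit,
 *                      or the error returned by add_admin_princ
 *
 * Requires:
 *
 * Effects:
 *
 * add_admin_princs asks add_admin_princ to create, in this order,
 * kadmin/<canonical hostname>, KADM5_ADMIN_SERVICE and
 * KADM5_CHANGEPW_SERVICE, stopping at the first failure.  If any of
 * these exist a message is printed.  If any of these existing
 * principals do not have the proper attributes, a warning message is
 * printed.  (Both messages would come from add_admin_princ, which is
 * not visible here -- confirm.)
 */
static int add_admin_princs(void *handle, krb5_context context, char *realm)
{
    krb5_error_code ret = 0;
    char service_name[MAXHOSTNAMELEN + 8];
    char localname[MAXHOSTNAMELEN];
    struct addrinfo *ai = NULL, ai_hints;
    int gai_error;
    int len;

    if (gethostname(localname, sizeof(localname))) {
        ret = errno;
        perror("gethostname");
        goto clean_and_exit;
    }
    /*
     * POSIX leaves it unspecified whether a truncated hostname is
     * NUL-terminated; terminate it before it is read as a C string.
     */
    localname[sizeof(localname) - 1] = '\0';

    memset(&ai_hints, 0, sizeof(ai_hints));
    ai_hints.ai_flags = AI_CANONNAME;
    gai_error = getaddrinfo(localname, NULL, &ai_hints, &ai);
    if (gai_error) {
        ret = EINVAL;
        fprintf(stderr, "getaddrinfo(%s): %s\n", localname,
                gai_strerror(gai_error));
        goto clean_and_exit;
    }
    if (ai->ai_canonname == NULL) {
        ret = EINVAL;
        fprintf(stderr,
                "getaddrinfo(%s): Cannot determine canonical hostname.\n",
                localname);
        freeaddrinfo(ai);
        goto clean_and_exit;
    }

    /*
     * The canonical name comes from the resolver and is not bounded by
     * MAXHOSTNAMELEN, so format with an explicit size and reject a
     * name that does not fit rather than writing past service_name.
     */
    len = snprintf(service_name, sizeof(service_name), "kadmin/%s",
                   ai->ai_canonname);
    freeaddrinfo(ai);
    if (len < 0 || (size_t)len >= sizeof(service_name)) {
        ret = EINVAL;
        fprintf(stderr,
                "getaddrinfo(%s): Canonical hostname is too long.\n",
                localname);
        goto clean_and_exit;
    }

    /*
     * NOTE(review): by its name DISALLOW_TGT_BASED restricts these
     * services to initially-authenticated tickets -- confirm against
     * kdb.h.
     */
    ret = add_admin_princ(handle, context, service_name, realm,
                          KRB5_KDB_DISALLOW_TGT_BASED,
                          ADMIN_LIFETIME);
    if (ret)
        goto clean_and_exit;

    ret = add_admin_princ(handle, context, KADM5_ADMIN_SERVICE, realm,
                          KRB5_KDB_DISALLOW_TGT_BASED,
                          ADMIN_LIFETIME);
    if (ret)
        goto clean_and_exit;

    ret = add_admin_princ(handle, context, KADM5_CHANGEPW_SERVICE, realm,
                          KRB5_KDB_DISALLOW_TGT_BASED |
                          KRB5_KDB_PWCHANGE_SERVICE,
                          CHANGEPW_LIFETIME);

clean_and_exit:

    return ret;
}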