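/*
 * Function: add_admin_princs
 *
 * Purpose: create admin principals
 *
 * Arguments:
 *
 *      handle          (input) kadm5 server handle, passed through to
 *                      add_admin_princ
 *      context         (input) krb5 context used to canonicalize the local
 *                      hostname
 *      realm           (input) realm, or NULL for default realm
 *      <return value>  (output) status, 0 for success, otherwise an errno
 *                      value (gethostname/asprintf failures) or the
 *                      krb5/kadm5 error code from the failing call
 *
 * Requires:
 *
 * Effects:
 *
 *      add_admin_princs creates kadmin/<canonical hostname>,
 *      KADM5_ADMIN_SERVICE, KADM5_CHANGEPW_SERVICE and
 *      kiprop/<canonical hostname>, in that order, stopping at the first
 *      failure.  Any "already exists" / wrong-attributes reporting for
 *      existing principals is done by add_admin_princ, not here.
 *      All heap strings allocated here are released on every exit path.
 */
static int
add_admin_princs(void *handle, krb5_context context, char *realm)
{
    krb5_error_code ret = 0;
    char *service_name = 0, *kiprop_name = 0, *canonhost = 0;
    char localname[MAXHOSTNAMELEN];

    /* gethostname() is not required to NUL-terminate the buffer when the
     * name does not fit; size the call from the array and terminate
     * explicitly so localname is always a valid C string before it is
     * handed to krb5_expand_hostname(). */
    if (gethostname(localname, sizeof(localname))) {
        ret = errno;
        perror("gethostname");
        goto clean_and_exit;
    }
    localname[sizeof(localname) - 1] = '\0';

    ret = krb5_expand_hostname(context, localname, &canonhost);
    if (ret) {
        com_err(progname, ret, _("while canonicalizing local hostname"));
        goto clean_and_exit;
    }

    /* asprintf() sizes the principal names from the canonical host, so no
     * fixed-length buffer can be overrun by a long hostname. */
    if (asprintf(&service_name, "kadmin/%s", canonhost) < 0) {
        ret = ENOMEM;
        fprintf(stderr, _("Out of memory\n"));
        goto clean_and_exit;
    }

    if (asprintf(&kiprop_name, "kiprop/%s", canonhost) < 0) {
        ret = ENOMEM;
        fprintf(stderr, _("Out of memory\n"));
        goto clean_and_exit;
    }

    /* kadmin/<host> and the generic admin service: TGT-based auth is
     * disallowed and the keys are locked down. */
    if ((ret = add_admin_princ(handle, context, service_name, realm,
                               KRB5_KDB_DISALLOW_TGT_BASED |
                               KRB5_KDB_LOCKDOWN_KEYS,
                               ADMIN_LIFETIME)))
        goto clean_and_exit;

    if ((ret = add_admin_princ(handle, context, KADM5_ADMIN_SERVICE, realm,
                               KRB5_KDB_DISALLOW_TGT_BASED |
                               KRB5_KDB_LOCKDOWN_KEYS,
                               ADMIN_LIFETIME)))
        goto clean_and_exit;

    /* The changepw service additionally carries the PWCHANGE_SERVICE
     * attribute and uses its own ticket lifetime. */
    if ((ret = add_admin_princ(handle, context, KADM5_CHANGEPW_SERVICE,
                               realm,
                               KRB5_KDB_DISALLOW_TGT_BASED |
                               KRB5_KDB_PWCHANGE_SERVICE |
                               KRB5_KDB_LOCKDOWN_KEYS,
                               CHANGEPW_LIFETIME)))
        goto clean_and_exit;

    /* kiprop/<host> gets no special attributes and no lifetime override. */
    ret = add_admin_princ(handle, context, kiprop_name, realm, 0, 0);

clean_and_exit:
    /* canonhost is owned by the krb5 library; the others came from
     * asprintf().  free()/krb5_free_string() on NULL are harmless, so the
     * early-exit paths need no guards. */
    krb5_free_string(context, canonhost);
    free(service_name);
    free(kiprop_name);
    return ret;
}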
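/*
 * Function: add_admin_princs
 *
 * Purpose: create admin principals
 *
 * Arguments:
 *
 *      handle          (input) kadm5 server handle, passed through to
 *                      add_admin_princ
 *      context         (input) krb5 context, passed through to
 *                      add_admin_princ
 *      realm           (input) realm, or NULL for default realm
 *      <return value>  (output) status, 0 for success, otherwise errno from
 *                      gethostname(), EINVAL when the canonical hostname
 *                      cannot be resolved or does not fit, or the error
 *                      code from the failing add_admin_princ call
 *
 * Requires:
 *
 * Effects:
 *
 *      add_admin_princs creates kadmin/<canonical hostname>,
 *      KADM5_ADMIN_SERVICE and KADM5_CHANGEPW_SERVICE, in that order,
 *      stopping at the first failure.  Any "already exists" /
 *      wrong-attributes reporting for existing principals is done by
 *      add_admin_princ, not here.
 */
static int
add_admin_princs(void *handle, krb5_context context, char *realm)
{
    krb5_error_code ret = 0;
    char service_name[MAXHOSTNAMELEN + 8];
    char localname[MAXHOSTNAMELEN];
    struct addrinfo *ai = NULL, ai_hints;
    int gai_error, n;

    /* gethostname() is not required to NUL-terminate the buffer when the
     * name does not fit; size the call from the array and terminate
     * explicitly so localname is always a valid C string. */
    if (gethostname(localname, sizeof(localname))) {
        ret = errno;
        perror("gethostname");
        goto clean_and_exit;
    }
    localname[sizeof(localname) - 1] = '\0';

    /* Resolve the local name only to obtain its canonical form. */
    memset(&ai_hints, 0, sizeof(ai_hints));
    ai_hints.ai_flags = AI_CANONNAME;
    gai_error = getaddrinfo(localname, (char *)NULL, &ai_hints, &ai);
    if (gai_error) {
        ret = EINVAL;
        fprintf(stderr, "getaddrinfo(%s): %s\n", localname,
                gai_strerror(gai_error));
        goto clean_and_exit;
    }
    if (ai->ai_canonname == NULL) {
        ret = EINVAL;
        fprintf(stderr,
                "getaddrinfo(%s): Cannot determine canonical hostname.\n",
                localname);
        goto clean_and_exit;
    }

    /* ai_canonname comes from the resolver and is not bounded by
     * MAXHOSTNAMELEN, so the write into the fixed-size service_name must
     * be bounded and truncation treated as an error rather than silently
     * producing a different principal name. */
    n = snprintf(service_name, sizeof(service_name), "kadmin/%s",
                 ai->ai_canonname);
    if (n < 0 || (size_t)n >= sizeof(service_name)) {
        ret = EINVAL;
        fprintf(stderr, "getaddrinfo(%s): Canonical hostname too long.\n",
                localname);
        goto clean_and_exit;
    }
    freeaddrinfo(ai);
    ai = NULL;

    /* kadmin/<host> and the generic admin service: TGT-based auth is
     * disallowed. */
    if ((ret = add_admin_princ(handle, context, service_name, realm,
                               KRB5_KDB_DISALLOW_TGT_BASED,
                               ADMIN_LIFETIME)))
        goto clean_and_exit;

    if ((ret = add_admin_princ(handle, context, KADM5_ADMIN_SERVICE, realm,
                               KRB5_KDB_DISALLOW_TGT_BASED,
                               ADMIN_LIFETIME)))
        goto clean_and_exit;

    /* The changepw service additionally carries the PWCHANGE_SERVICE
     * attribute and uses its own ticket lifetime. */
    ret = add_admin_princ(handle, context, KADM5_CHANGEPW_SERVICE, realm,
                          KRB5_KDB_DISALLOW_TGT_BASED |
                          KRB5_KDB_PWCHANGE_SERVICE,
                          CHANGEPW_LIFETIME);

clean_and_exit:
    /* freeaddrinfo(NULL) is not guaranteed safe, hence the guard; ai is
     * non-NULL here only on the error paths taken after getaddrinfo()
     * succeeded. */
    if (ai != NULL)
        freeaddrinfo(ai);
    return ret;
}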