code = ktc_SetToken(&server, &token, &client, 0);
UNLOCK_GLOBAL_MUTEX;
return code;
}
afs_int32
ka_GetServerToken(char *name, char *instance, char *cell, Date lifetime,
struct ktc_token * token, int new, int dosetpag)
{
afs_int32 code;
struct ubik_client *conn;
afs_int32 now = time(0);
struct ktc_token auth_token;
struct ktc_token cell_token;
struct ktc_principal server, auth_server, client;
char *localCell = ka_LocalCell();
char cellname[MAXKTCREALMLEN];
char realm[MAXKTCREALMLEN];
char authDomain[MAXKTCREALMLEN];
int local;
LOCK_GLOBAL_MUTEX;
code = ka_ExpandCell(cell, cellname, 0 /*local */ );
if (code) {
UNLOCK_GLOBAL_MUTEX;
return code;
}
cell = cellname;
strcpy(server.name, name);
strcpy(server.instance, instance);
int
CommandProc(struct cmd_syndesc *as, void *arock)
{
char name[MAXKTCNAMELEN];
char instance[MAXKTCNAMELEN];
char cell[MAXKTCREALMLEN];
char realm[MAXKTCREALMLEN];
afs_uint32 serverList[MAXSERVERS];
char *lcell; /* local cellname */
char lrealm[MAXKTCREALMLEN]; /* uppercase copy of local cellname */
int code;
int i, dosetpag;
Date lifetime; /* requested ticket lifetime */
struct passwd pwent;
struct passwd *pw = &pwent;
struct passwd *lclpw = &pwent;
char passwd[BUFSIZ];
static char rn[] = "klog"; /*Routine name */
static int Pipe = 0; /* reading from a pipe */
static int Silent = 0; /* Don't want error messages */
int explicit; /* servers specified explicitly */
int local; /* explicit cell is same a local one */
int foundPassword = 0; /*Not yet, anyway */
int foundExplicitCell = 0; /*Not yet, anyway */
int writeTicketFile = 0; /* write ticket file to /tmp */
afs_int32 password_expires = -1;
char *reason; /* string describing errors */
/* blow away command line arguments */
for (i = 1; i < zero_argc; i++)
memset(zero_argv[i], 0, strlen(zero_argv[i]));
zero_argc = 0;
/* first determine quiet flag based on -silent switch */
Silent = (as->parms[aSILENT].items ? 1 : 0);
Pipe = (as->parms[aPIPE].items ? 1 : 0);
/* Determine if we should also do a setpag based on -setpag switch */
dosetpag = (as->parms[aSETPAG].items ? 1 : 0);
if (as->parms[aTMP].items) {
writeTicketFile = 1;
}
if (as->parms[aCELL].items) {
/*
* cell name explicitly mentioned; take it in if no other cell name
* has already been specified and if the name actually appears. If
* the given cell name differs from our own, we don't do a lookup.
*/
foundExplicitCell = 1;
strncpy(realm, as->parms[aCELL].items->data, sizeof(realm));
/* XXX the following is just a hack to handle the afscell environment XXX */
(void)afsconf_GetCellInfo((struct afsconf_dir *)0, realm, 0,
(struct afsconf_cell *)0);
}
code = ka_Init(0);
if (code || !(lcell = ka_LocalCell())) {
nocell:
if (!Silent)
afs_com_err(rn, code, "Can't get local cell name!");
KLOGEXIT(code);
}
if ((code = ka_CellToRealm(lcell, lrealm, 0)))
goto nocell;
strcpy(instance, "");
/* Parse our arguments. */
if (as->parms[aCELL].items) {
/*
* cell name explicitly mentioned; take it in if no other cell name
* has already been specified and if the name actually appears. If
* the given cell name differs from our own, we don't do a lookup.
*/
foundExplicitCell = 1;
strncpy(realm, as->parms[aCELL].items->data, sizeof(realm));
}
if (as->parms[aSERVERS].items) {
/* explicit server list */
int i;
struct cmd_item *ip;
char *ap[MAXSERVERS + 2];
for (ip = as->parms[aSERVERS].items, i = 2; ip; ip = ip->next, i++)
ap[i] = ip->data;
ap[0] = "";
ap[1] = "-servers";
code = ubik_ParseClientList(i, ap, serverList);
if (code) {
if (!Silent) {
afs_com_err(rn, code, "could not parse server list");
}
return code;
}
explicit = 1;
} else
int
main(int argc, char *argv[])
{
afs_int32 code;
char *whoami = argv[0];
afs_uint32 serverList[MAXSERVERS];
struct afsconf_cell cellinfo;
char *cell;
const char *cellservdb, *dbpath, *lclpath;
int a;
char arg[32];
char default_lclpath[AFSDIR_PATH_MAX];
int servers;
int initFlags;
int level; /* security level for Ubik */
afs_int32 i;
char clones[MAXHOSTSPERCELL];
afs_uint32 host = ntohl(INADDR_ANY);
char *auditFileName = NULL;
struct rx_service *tservice;
struct rx_securityClass *sca[1];
struct rx_securityClass *scm[3];
extern int rx_stackSize;
#ifdef AFS_AIX32_ENV
/*
* The following signal action for AIX is necessary so that in case of a
* crash (i.e. core is generated) we can include the user's data section
* in the core dump. Unfortunately, by default, only a partial core is
* generated which, in many cases, isn't too useful.
*/
struct sigaction nsa;
sigemptyset(&nsa.sa_mask);
nsa.sa_handler = SIG_DFL;
nsa.sa_flags = SA_FULLDUMP;
sigaction(SIGABRT, &nsa, NULL);
sigaction(SIGSEGV, &nsa, NULL);
#endif
osi_audit_init();
if (argc == 0) {
usage:
printf("Usage: kaserver [-noAuth] [-database <dbpath>] "
"[-auditlog <log path>] [-audit-interface <file|sysvmq>] "
"[-rxbind] [-localfiles <lclpath>] [-minhours <n>] "
"[-servers <serverlist>] [-crossrealm] "
/*" [-enable_peer_stats] [-enable_process_stats] " */
"[-help]\n");
exit(1);
}
#ifdef AFS_NT40_ENV
/* initialize winsock */
if (afs_winsockInit() < 0) {
ReportErrorEventAlt(AFSEVT_SVR_WINSOCK_INIT_FAILED, 0, argv[0], 0);
fprintf(stderr, "%s: Couldn't initialize winsock.\n", whoami);
exit(1);
}
#endif
/* Initialize dirpaths */
if (!(initAFSDirPath() & AFSDIR_SERVER_PATHS_OK)) {
#ifdef AFS_NT40_ENV
ReportErrorEventAlt(AFSEVT_SVR_NO_INSTALL_DIR, 0, argv[0], 0);
#endif
fprintf(stderr, "%s: Unable to obtain AFS server directory.\n",
argv[0]);
exit(2);
}
cellservdb = AFSDIR_SERVER_ETC_DIRPATH;
dbpath = AFSDIR_SERVER_KADB_FILEPATH;
strcompose(default_lclpath, AFSDIR_PATH_MAX, AFSDIR_SERVER_LOCAL_DIRPATH,
"/", AFSDIR_KADB_FILE, NULL);
lclpath = default_lclpath;
debugOutput = 0;
servers = 0;
initFlags = 0;
level = rxkad_crypt;
for (a = 1; a < argc; a++) {
int arglen = strlen(argv[a]);
lcstring(arg, argv[a], sizeof(arg));
#define IsArg(a) (strncmp (arg,a, arglen) == 0)
if (strcmp(arg, "-database") == 0) {
dbpath = argv[++a];
if (strcmp(lclpath, default_lclpath) == 0)
lclpath = dbpath;
}
else if (strncmp(arg, "-auditlog", arglen) == 0) {
auditFileName = argv[++a];
} else if (strncmp(arg, "-audit-interface", arglen) == 0) {
char *interface = argv[++a];
if (osi_audit_interface(interface)) {
printf("Invalid audit interface '%s'\n", interface);
exit(1);
}
} else if (strcmp(arg, "-localfiles") == 0)
lclpath = argv[++a];
else if (strcmp(arg, "-servers") == 0)
debugOutput++, servers = 1;
else if (strcmp(arg, "-noauth") == 0)
debugOutput++, initFlags |= 1;
else if (strcmp(arg, "-fastkeys") == 0)
debugOutput++, initFlags |= 4;
else if (strcmp(arg, "-dbfixup") == 0)
debugOutput++, initFlags |= 8;
else if (strcmp(arg, "-cellservdb") == 0) {
cellservdb = argv[++a];
initFlags |= 2;
debugOutput++;
}
else if (IsArg("-crypt"))
level = rxkad_crypt;
else if (IsArg("-safe"))
level = rxkad_crypt;
else if (IsArg("-clear"))
level = rxkad_clear;
else if (IsArg("-sorry"))
level = rxkad_clear;
else if (IsArg("-debug"))
verbose_track = 0;
else if (IsArg("-crossrealm"))
krb4_cross = 1;
else if (IsArg("-rxbind"))
rxBind = 1;
else if (IsArg("-minhours")) {
MinHours = atoi(argv[++a]);
} else if (IsArg("-enable_peer_stats")) {
rx_enablePeerRPCStats();
} else if (IsArg("-enable_process_stats")) {
rx_enableProcessRPCStats();
} else if (*arg == '-') {
/* hack to support help flag */
goto usage;
}
}
if (auditFileName) {
osi_audit_file(auditFileName);
}
if ((code = ka_CellConfig(cellservdb)))
goto abort;
cell = ka_LocalCell();
KA_conf = afsconf_Open(cellservdb);
if (!KA_conf) {
code = KANOCELLS;
abort:
afs_com_err(whoami, code, "Failed getting cell info");
exit(1);
}
#ifdef AUTH_DBM_LOG
kalog_Init();
#else
/* NT & HPUX do not have dbm package support. So we can only do some
* text logging. So open the AuthLog file for logging and redirect
* stdin and stdout to it
*/
OpenLog(AFSDIR_SERVER_KALOG_FILEPATH);
SetupLogSignals();
#endif
fprintf(stderr, "%s: WARNING: kaserver is deprecated due to its weak security "
"properties. Migrating to a Kerberos 5 KDC is advised. "
"http://www.openafs.org/no-more-des.html\n", whoami);
ViceLog(0, ("WARNING: kaserver is deprecated due to its weak security properties. "
"Migrating to a Kerberos 5 KDC is advised. "
"http://www.openafs.org/no-more-des.html\n"));
code =
afsconf_GetExtendedCellInfo(KA_conf, cell, AFSCONF_KAUTHSERVICE,
&cellinfo, clones);
if (servers) {
if ((code = ubik_ParseServerList(argc, argv, &myHost, serverList))) {
afs_com_err(whoami, code, "Couldn't parse server list");
exit(1);
}
cellinfo.hostAddr[0].sin_addr.s_addr = myHost;
for (i = 1; i < MAXSERVERS; i++) {
if (!serverList[i])
break;
cellinfo.hostAddr[i].sin_addr.s_addr = serverList[i];
}
cellinfo.numServers = i;
} else {
code = convert_cell_to_ubik(&cellinfo, &myHost, serverList);
if (code)
goto abort;
ViceLog(0, ("Using server list from %s cell database.\n", cell));
}
/* initialize audit user check */
osi_audit_set_user_check(KA_conf, KA_IsLocalRealmMatch);
/* initialize ubik */
if (level == rxkad_clear)
ubik_SetClientSecurityProcs(afsconf_ClientAuth, afsconf_UpToDate,
KA_conf);
else if (level == rxkad_crypt)
ubik_SetClientSecurityProcs(afsconf_ClientAuthSecure,
afsconf_UpToDate, KA_conf);
else {
ViceLog(0, ("Unsupported security level %d\n", level));
exit(5);
}
ViceLog(0,
("Using level %s for Ubik connections.\n",
(level == rxkad_crypt ? "crypt" : "clear")));
ubik_SetServerSecurityProcs(afsconf_BuildServerSecurityObjects,
afsconf_CheckAuth,
KA_conf);
ubik_nBuffers = 80;
if (rxBind) {
afs_int32 ccode;
if (AFSDIR_SERVER_NETRESTRICT_FILEPATH ||
AFSDIR_SERVER_NETINFO_FILEPATH) {
char reason[1024];
ccode = parseNetFiles(SHostAddrs, NULL, NULL,
ADDRSPERSITE, reason,
AFSDIR_SERVER_NETINFO_FILEPATH,
AFSDIR_SERVER_NETRESTRICT_FILEPATH);
} else
{
ccode = rx_getAllAddr(SHostAddrs, ADDRSPERSITE);
}
if (ccode == 1) {
host = SHostAddrs[0];
rx_InitHost(host, htons(AFSCONF_KAUTHPORT));
}
}
/* Disable jumbograms */
rx_SetNoJumbo();
if (servers)
code =
ubik_ServerInit(myHost, htons(AFSCONF_KAUTHPORT), serverList,
dbpath, &KA_dbase);
else
code =
ubik_ServerInitByInfo(myHost, htons(AFSCONF_KAUTHPORT), &cellinfo,
clones, dbpath, &KA_dbase);
if (code) {
afs_com_err(whoami, code, "Ubik init failed");
exit(2);
}
sca[RX_SCINDEX_NULL] = rxnull_NewServerSecurityObject();
tservice =
rx_NewServiceHost(host, 0, KA_AUTHENTICATION_SERVICE,
"AuthenticationService", sca, 1, KAA_ExecuteRequest);
if (tservice == (struct rx_service *)0) {
ViceLog(0, ("Could not create Authentication rx service\n"));
exit(3);
}
rx_SetMinProcs(tservice, 1);
rx_SetMaxProcs(tservice, 1);
tservice =
rx_NewServiceHost(host, 0, KA_TICKET_GRANTING_SERVICE, "TicketGrantingService",
sca, 1, KAT_ExecuteRequest);
if (tservice == (struct rx_service *)0) {
ViceLog(0, ("Could not create Ticket Granting rx service\n"));
exit(3);
}
rx_SetMinProcs(tservice, 1);
rx_SetMaxProcs(tservice, 1);
scm[RX_SCINDEX_NULL] = sca[RX_SCINDEX_NULL];
scm[RX_SCINDEX_VAB] = 0;
scm[RX_SCINDEX_KAD] =
rxkad_NewServerSecurityObject(rxkad_crypt, 0, kvno_admin_key, 0);
tservice =
rx_NewServiceHost(host, 0, KA_MAINTENANCE_SERVICE, "Maintenance", scm, 3,
KAM_ExecuteRequest);
if (tservice == (struct rx_service *)0) {
ViceLog(0, ("Could not create Maintenance rx service\n"));
exit(3);
}
rx_SetMinProcs(tservice, 1);
rx_SetMaxProcs(tservice, 1);
rx_SetStackSize(tservice, 10000);
tservice =
rx_NewServiceHost(host, 0, RX_STATS_SERVICE_ID, "rpcstats", scm, 3,
RXSTATS_ExecuteRequest);
if (tservice == (struct rx_service *)0) {
ViceLog(0, ("Could not create rpc stats rx service\n"));
exit(3);
}
rx_SetMinProcs(tservice, 2);
rx_SetMaxProcs(tservice, 4);
initialize_dstats();
/* allow super users to manage RX statistics */
rx_SetRxStatUserOk(KA_rxstat_userok);
rx_StartServer(0); /* start handling req. of all types */
if (init_kaprocs(lclpath, initFlags))
return -1;
if ((code = init_krb_udp())) {
ViceLog(0,
("Failed to initialize UDP interface; code = %d.\n", code));
ViceLog(0, ("Running without UDP access.\n"));
}
ViceLog(0, ("Starting to process AuthServer requests\n"));
rx_ServerProc(NULL); /* donate this LWP */
return 0;
}
int
CommandProc(struct cmd_syndesc *as, void *arock)
{
char name[MAXKTCNAMELEN] = "";
char instance[MAXKTCNAMELEN] = "";
char cell[MAXKTCREALMLEN] = "";
char realm[MAXKTCREALMLEN] = "";
afs_int32 serverList[MAXSERVERS];
char *lcell; /* local cellname */
int code;
int i;
struct ubik_client *conn = 0;
struct ktc_encryptionKey key;
struct ktc_encryptionKey mitkey;
struct ktc_encryptionKey newkey;
struct ktc_encryptionKey newmitkey;
struct ktc_token token;
struct passwd pwent;
struct passwd *pw = &pwent;
int insist; /* insist on good password quality */
int lexplicit = 0; /* servers specified explicitly */
int local; /* explicit cell is same a local cell */
int foundPassword = 0; /*Not yet, anyway */
int foundNewPassword = 0; /*Not yet, anyway */
int foundExplicitCell = 0; /*Not yet, anyway */
#ifdef DEFAULT_MITV4_STRINGTOKEY
int dess2k = 1;
#elif DEFAULT_AFS_STRINGTOKEY
int dess2k = 0;
#else
int dess2k = -1;
#endif
/* blow away command line arguments */
for (i = 1; i < zero_argc; i++)
memset(zero_argv[i], 0, strlen(zero_argv[i]));
zero_argc = 0;
/* first determine quiet flag based on -pipe switch */
Pipe = (as->parms[aPIPE].items ? 1 : 0);
#if TIMEOUT
signal(SIGALRM, timedout);
alarm(30);
#endif
code = ka_Init(0);
if (code || !(lcell = ka_LocalCell())) {
#ifndef AFS_FREELANCE_CLIENT
if (!Pipe)
afs_com_err(rn, code, "Can't get local cell name!");
exit(1);
#endif
}
code = rx_Init(0);
if (code) {
if (!Pipe)
afs_com_err(rn, code, "Failed to initialize Rx");
exit(1);
}
strcpy(instance, "");
/* Parse our arguments. */
if (as->parms[aCELL].items) {
/*
* cell name explicitly mentioned; take it in if no other cell name
* has already been specified and if the name actually appears. If
* the given cell name differs from our own, we don't do a lookup.
*/
foundExplicitCell = 1;
strncpy(realm, as->parms[aCELL].items->data, sizeof(realm));
}
if (as->parms[aSERVERS].items) {
/* explicit server list */
int i;
struct cmd_item *ip;
char *ap[MAXSERVERS + 2];
for (ip = as->parms[aSERVERS].items, i = 2; ip; ip = ip->next, i++)
ap[i] = ip->data;
ap[0] = "";
ap[1] = "-servers";
code = ubik_ParseClientList(i, ap, serverList);
if (code) {
if (!Pipe)
afs_com_err(rn, code, "could not parse server list");
return code;
}
lexplicit = 1;
}
if (as->parms[aPRINCIPAL].items) {
ka_ParseLoginName(as->parms[aPRINCIPAL].items->data, name, instance,
cell);
if (strlen(instance) > 0)
if (!Pipe)
fprintf(stderr,
"Non-null instance (%s) may cause strange behavior.\n",
instance);
if (strlen(cell) > 0) {
if (foundExplicitCell) {
if (!Pipe)
fprintf(stderr,
"%s: May not specify an explicit cell twice.\n",
rn);
return -1;
}
foundExplicitCell = 1;
strncpy(realm, cell, sizeof(realm));
}
pw->pw_name = name;
} else {
/* No explicit name provided: use Unix uid. */
#ifdef AFS_NT40_ENV
userNameLen = 128;
if (GetUserName(userName, &userNameLen) == 0) {
if (!Pipe) {
fprintf(stderr,
"Can't figure out your name in local cell %s from your user id.\n",
lcell);
fprintf(stderr, "Try providing the user name.\n");
}
exit(1);
}
pw->pw_name = userName;
#else
pw = getpwuid(getuid());
if (pw == 0) {
if (!Pipe) {
fprintf(stderr,
"Can't figure out your name in local cell %s from your user id.\n",
lcell);
fprintf(stderr, "Try providing the user name.\n");
}
exit(1);
}
#endif
}
if (as->parms[aPASSWORD].items) {
/*
* Current argument is the desired password string. Remember it in
* our local buffer, and zero out the argument string - anyone can
* see it there with ps!
*/
foundPassword = 1;
strncpy(passwd, as->parms[aPASSWORD].items->data, sizeof(passwd));
memset(as->parms[aPASSWORD].items->data, 0,
strlen(as->parms[aPASSWORD].items->data));
}
if (as->parms[aNEWPASSWORD].items) {
/*
* Current argument is the new password string. Remember it in
* our local buffer, and zero out the argument string - anyone can
* see it there with ps!
*/
foundNewPassword = 1;
strncpy(npasswd, as->parms[aNEWPASSWORD].items->data,
sizeof(npasswd));
memset(as->parms[aNEWPASSWORD].items->data, 0,
strlen(as->parms[aNEWPASSWORD].items->data));
}
#ifdef AFS_FREELANCE_CLIENT
if (!foundExplicitCell && !lcell) {
if (!Pipe)
afs_com_err(rn, code, "no cell name provided");
exit(1);
}
#else
if (!foundExplicitCell)
strcpy(realm, lcell);
#endif /* freelance */
if ((code = ka_CellToRealm(realm, realm, &local))) {
if (!Pipe)
afs_com_err(rn, code, "Can't convert cell to realm");
exit(1);
}
lcstring(cell, realm, sizeof(cell));
ka_PrintUserID("Changing password for '", pw->pw_name, instance, "'");
printf(" in cell '%s'.\n", cell);
/* Get the password if it wasn't provided. */
if (!foundPassword) {
if (Pipe)
getpipepass(passwd, sizeof(passwd));
else {
code = read_pass(passwd, sizeof(passwd), "Old password: "******"reading password");
exit(1);
}
}
}
ka_StringToKey(passwd, realm, &key);
des_string_to_key(passwd, ktc_to_cblockptr(&mitkey));
give_to_child(passwd);
/* Get new password if it wasn't provided. */
insist = 0;
if (!foundNewPassword) {
if (Pipe)
getpipepass(npasswd, sizeof(npasswd));
else {
do {
code =
read_pass(npasswd, sizeof(npasswd),
"New password (RETURN to abort): ", 0);
if (code || (strlen(npasswd) == 0)) {
if (code)
code = KAREADPW;
goto no_change;
}
} while (password_bad(npasswd));
code =
read_pass(verify, sizeof(verify), "Retype new password: "******"Mismatch - ");
goto no_change;
}
memset(verify, 0, sizeof(verify));
}
}
if ((code = password_bad(npasswd))) { /* assmt here! */
goto no_change_no_msg;
}
#if TRUNCATEPASSWORD
if (strlen(npasswd) > 8) {
npasswd[8] = 0;
fprintf(stderr,
"%s: password too long, only the first 8 chars will be used.\n",
rn);
} else
npasswd[8] = 0; /* in case the password was exactly 8 chars long */
#endif
ka_StringToKey(npasswd, realm, &newkey);
des_string_to_key(npasswd, ktc_to_cblockptr(&newmitkey));
memset(npasswd, 0, sizeof(npasswd));
if (lexplicit)
ka_ExplicitCell(realm, serverList);
/* Get an connection to kaserver's admin service in desired cell. Set the
* lifetime above the time uncertainty so that badly skewed clocks are
* reported when the ticket is decrypted. Then give us 10 seconds to
* actually get our work done if the clocks are skewed by only 14:59.
* NOTE: Kerberos lifetime encoding will round this up to next 5 minute
* interval, namely 20 minutes. */
#define ADMIN_LIFETIME (KTC_TIME_UNCERTAINTY+1)
code =
ka_GetAdminToken(pw->pw_name, instance, realm, &key, ADMIN_LIFETIME,
&token, /*!new */ 0);
if (code == KABADREQUEST) {
code =
ka_GetAdminToken(pw->pw_name, instance, realm, &mitkey,
ADMIN_LIFETIME, &token, /*!new */ 0);
if ((code == KABADREQUEST) && (strlen(passwd) > 8)) {
/* try with only the first 8 characters incase they set their password
* with an old style passwd program. */
char pass8[9];
strncpy(pass8, passwd, 8);
pass8[8] = 0;
ka_StringToKey(pass8, realm, &key);
memset(pass8, 0, sizeof(pass8));
memset(passwd, 0, sizeof(passwd));
code = ka_GetAdminToken(pw->pw_name, instance, realm, &key, ADMIN_LIFETIME, &token, /*!new */
0);
#ifdef notdef
/* the folks in testing really *hate* this message */
if (code == 0) {
fprintf(stderr,
"Warning: only the first 8 characters of your old password were significant.\n");
}
#endif
if (code == 0) {
if (dess2k == -1)
dess2k = 0;
}
} else {
if (dess2k == -1)
dess2k = 1;
}
} else {
if (dess2k == -1)
dess2k = 0;
}
memset(&mitkey, 0, sizeof(mitkey));
memset(&key, 0, sizeof(key));
if (code == KAUBIKCALL)
afs_com_err(rn, code, "(Authentication Server unavailable, try later)");
else if (code) {
if (code == KABADREQUEST)
fprintf(stderr, "%s: Incorrect old password.\n", rn);
else
afs_com_err(rn, code, "so couldn't change password");
} else {
code =
ka_AuthServerConn(realm, KA_MAINTENANCE_SERVICE, &token, &conn);
if (code)
afs_com_err(rn, code, "contacting Admin Server");
else {
if (dess2k == 1)
code =
ka_ChangePassword(pw->pw_name, instance, conn, 0,
&newmitkey);
else
code =
ka_ChangePassword(pw->pw_name, instance, conn, 0,
&newkey);
memset(&newkey, 0, sizeof(newkey));
memset(&newmitkey, 0, sizeof(newmitkey));
if (code) {
char *reason;
reason = (char *)afs_error_message(code);
fprintf(stderr, "%s: Password was not changed because %s\n",
rn, reason);
} else
printf("Password changed.\n\n");
}
}
memset(&newkey, 0, sizeof(newkey));
memset(&newmitkey, 0, sizeof(newmitkey));
/* Might need to close down the ubik_Client connection */
if (conn) {
ubik_ClientDestroy(conn);
conn = 0;
}
rx_Finalize();
terminate_child();
exit(code);
no_change: /* yuck, yuck, yuck */
if (code)
afs_com_err(rn, code, "getting new password");
no_change_no_msg:
memset(&key, 0, sizeof(key));
memset(npasswd, 0, sizeof(npasswd));
printf("Password for '%s' in cell '%s' unchanged.\n\n", pw->pw_name,
cell);
terminate_child();
exit(code ? code : 1);
}
