kadm5_ret_t
kadm5_s_get_principals(void *server_handle,
const char *expression,
char ***princs,
int *count)
{
struct foreach_data d;
kadm5_server_context *context = server_handle;
kadm5_ret_t ret;
ret = context->db->hdb_open(context->context, context->db, O_RDWR, 0);
if(ret) {
krb5_warn(context->context, ret, "opening database");
return ret;
}
d.exp = expression;
{
krb5_realm r;
krb5_get_default_realm(context->context, &r);
asprintf(&d.exp2, "%s@%s", expression, r);
free(r);
}
d.princs = NULL;
d.count = 0;
ret = hdb_foreach(context->context, context->db, HDB_F_ADMIN_DATA, foreach, &d);
context->db->hdb_close(context->context, context->db);
if(ret == 0)
ret = add_princ(&d, NULL);
if(ret == 0){
*princs = d.princs;
*count = d.count - 1;
}else
kadm5_free_name_list(context, d.princs, &d.count);
free(d.exp2);
return _kadm5_error_code(ret);
}
/*
* Function: kdb_init_hist
*
* Purpose: Initializes the hist_princ variable.
*
* Arguments:
*
* handle (r) kadm5 api server handle
* r (r) realm of history principal to use, or NULL
*
* Effects: This function sets the value of the hist_princ global variable.
*/
krb5_error_code kdb_init_hist(kadm5_server_handle_t handle, char *r)
{
int ret = 0;
char *realm, *hist_name;
if (r == NULL) {
if ((ret = krb5_get_default_realm(handle->context, &realm)))
return ret;
} else {
realm = r;
}
if (asprintf(&hist_name, "%s@%s", KADM5_HIST_PRINCIPAL, realm) < 0) {
hist_name = NULL;
goto done;
}
if ((ret = krb5_parse_name(handle->context, hist_name, &hist_princ)))
goto done;
done:
free(hist_name);
if (r == NULL)
free(realm);
return ret;
}
static int
get_lrealm(char *r, int n)
{
krb5_error_code ret;
krb5_context context;
krb5_realm realm;
if (n != 1)
return KFAILURE;
ret = krb5_init_context(&context);
if (ret)
return KFAILURE;
ret = krb5_get_default_realm(context, &realm);
if (ret) {
krb5_free_context(context);
return KFAILURE;
}
strlcpy(r, realm, REALM_SZ);
free(realm);
krb5_free_context(context);
return KSUCCESS;
}
static realm_type
default_realm(krb5_context ctx)
{
char *realm = NULL;
krb5_error_code code;
krb5_data *realm_data;
realm_data = calloc(1, sizeof(krb5_data));
if (realm_data == NULL)
return NULL;
code = krb5_get_default_realm(ctx, &realm);
if (code != 0) {
free(realm);
return NULL;
}
realm_data->magic = KV5M_DATA;
realm_data->data = strdup(realm);
if (realm_data->data == NULL) {
free(realm_data);
krb5_free_default_realm(ctx, realm);
return NULL;
}
realm_data->length = strlen(realm);
krb5_free_default_realm(ctx, realm);
return realm_data;
}
/*
* Find the realm for given hostname
*/
int do_realm(char *hostname) {
krb5_error_code retval;
char **realm;
if (hostname) {
retval = krb5_get_host_realm(ctx, hostname, &realm);
if (retval) {
com_err(progname, retval, "while obtaining realm for %s", hostname);
exit(1);
}
printf("%s\n", *realm);
krb5_free_host_realm(ctx, realm);
} else {
realm = malloc(sizeof(realm));
retval = krb5_get_default_realm(ctx, realm);
if (retval) {
com_err(progname, retval, "while obtaining default realm");
exit(1);
}
printf("%s\n", *realm);
krb5_free_default_realm(ctx, *realm);
free(realm);
}
return 0;
}
/*
* call-seq:
* get_default_realm -> string
*
* Call krb5_get_default_realm() to get the default realm. Returns the default realm on success, raises Krb5Auth::Krb5::Exception on failure.
*/
static VALUE Krb5_get_default_realm(VALUE self)
{
struct ruby_krb5 *kerb;
char *realm;
VALUE result;
krb5_error_code krbret;
Data_Get_Struct(self, struct ruby_krb5, kerb);
if (!kerb) {
NOSTRUCT_EXCEPT();
return Qfalse;
}
krbret = krb5_get_default_realm(kerb->ctx, &realm);
if (krbret) {
Krb5_register_error(krbret);
return Qnil;
}
result = rb_str_new2(realm);
free(realm);
return result;
}
krb5_error_code KRB5_CALLCONV
krb5_parse_name_flags(krb5_context context, const char *name,
int flags, krb5_principal *principal_out)
{
krb5_error_code ret;
krb5_principal princ = NULL;
char *default_realm;
krb5_boolean has_realm;
krb5_boolean enterprise = (flags & KRB5_PRINCIPAL_PARSE_ENTERPRISE);
krb5_boolean require_realm = (flags & KRB5_PRINCIPAL_PARSE_REQUIRE_REALM);
krb5_boolean no_realm = (flags & KRB5_PRINCIPAL_PARSE_NO_REALM);
krb5_boolean ignore_realm = (flags & KRB5_PRINCIPAL_PARSE_IGNORE_REALM);
*principal_out = NULL;
ret = allocate_princ(context, name, enterprise, &princ, &has_realm);
if (ret)
goto cleanup;
parse_name_into_princ(name, enterprise, princ);
/*
* If a realm was not found, then use the default realm, unless
* KRB5_PRINCIPAL_PARSE_NO_REALM was specified in which case the
* realm will be empty.
*/
if (!has_realm) {
if (require_realm) {
ret = KRB5_PARSE_MALFORMED;
krb5_set_error_message(context, ret,
_("Principal %s is missing required realm"),
name);
goto cleanup;
}
if (!no_realm && !ignore_realm) {
ret = krb5_get_default_realm(context, &default_realm);
if (ret)
goto cleanup;
princ->realm = string2data(default_realm);
}
} else if (no_realm) {
ret = KRB5_PARSE_MALFORMED;
krb5_set_error_message(context, ret,
_("Principal %s has realm present"), name);
goto cleanup;
} else if (ignore_realm) {
krb5_free_data_contents(context, &princ->realm);
princ->realm = empty_data();
}
princ->type = (enterprise) ? KRB5_NT_ENTERPRISE_PRINCIPAL :
KRB5_NT_PRINCIPAL;
princ->magic = KV5M_PRINCIPAL;
*principal_out = princ;
princ = NULL;
cleanup:
krb5_free_principal(context, princ);
return ret;
}
/*
* Create, initialize, and add a new ple structure to the global list
*/
static struct gssd_k5_kt_princ *
new_ple(krb5_context context, krb5_principal princ)
{
struct gssd_k5_kt_princ *ple = NULL, *p;
krb5_error_code code;
char *default_realm;
int is_default_realm = 0;
ple = malloc(sizeof(struct gssd_k5_kt_princ));
if (ple == NULL)
goto outerr;
memset(ple, 0, sizeof(*ple));
#ifdef HAVE_KRB5
ple->realm = strndup(princ->realm.data,
princ->realm.length);
#else
ple->realm = strdup(princ->realm);
#endif
if (ple->realm == NULL)
goto outerr;
code = krb5_copy_principal(context, princ, &ple->princ);
if (code)
goto outerr;
/*
* Add new entry onto the list (if this is the default
* realm, always add to the front of the list)
*/
code = krb5_get_default_realm(context, &default_realm);
if (code == 0) {
if (strcmp(ple->realm, default_realm) == 0)
is_default_realm = 1;
k5_free_default_realm(context, default_realm);
}
if (is_default_realm) {
ple->next = gssd_k5_kt_princ_list;
gssd_k5_kt_princ_list = ple;
} else {
p = gssd_k5_kt_princ_list;
while (p != NULL && p->next != NULL)
p = p->next;
if (p == NULL)
gssd_k5_kt_princ_list = ple;
else
p->next = ple;
}
return ple;
outerr:
if (ple) {
if (ple->realm)
free(ple->realm);
free(ple);
}
return NULL;
}
int
main(int argc, char **argv)
{
krb5_context context;
krb5_error_code ret;
krb5_realm realm;
int optind = 0;
char *user;
setprogname(argv[0]);
if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
usage(1);
if (help_flag)
usage (0);
if(version_flag){
print_version(NULL);
exit(0);
}
argc -= optind;
argv += optind;
if (argc != 1)
errx(1, "first argument should be a local user that in root .k5login");
user = argv[0];
ret = krb5_init_context(&context);
if (ret)
errx (1, "krb5_init_context failed: %d", ret);
ret = krb5_get_default_realm(context, &realm);
if (ret)
krb5_err(context, 1, ret, "krb5_get_default_realm");
test_alname(context, realm, user, NULL, user, 1);
test_alname(context, realm, user, "root", "root", 1);
test_alname(context, "FOO.BAR.BAZ.KAKA", user, NULL, user, 0);
test_alname(context, "FOO.BAR.BAZ.KAKA", user, "root", "root", 0);
test_alname(context, realm, user, NULL,
"not-same-as-user", 0);
test_alname(context, realm, user, "root",
"not-same-as-user", 0);
test_alname(context, "FOO.BAR.BAZ.KAKA", user, NULL,
"not-same-as-user", 0);
test_alname(context, "FOO.BAR.BAZ.KAKA", user, "root",
"not-same-as-user", 0);
krb5_free_context(context);
return 0;
}
static isc_result_t
check_credentials(krb5_context context, krb5_ccache ccache, krb5_principal service)
{
char *realm = NULL;
krb5_creds creds;
krb5_creds mcreds;
krb5_error_code krberr;
krb5_timestamp now;
isc_result_t result = ISC_R_FAILURE;
memset(&mcreds, 0, sizeof(mcreds));
memset(&creds, 0, sizeof(creds));
krberr = krb5_get_default_realm(context, &realm);
CHECK_KRB5(context, krberr, "Failed to retrieve default realm");
krberr = krb5_build_principal(context, &mcreds.server,
strlen(realm), realm,
"krbtgt", realm, NULL);
CHECK_KRB5(context, krberr, "Failed to build 'krbtgt/REALM' principal");
mcreds.client = service;
krberr = krb5_cc_retrieve_cred(context, ccache, 0, &mcreds, &creds);
if (krberr) {
const char * errmsg = krb5_get_error_message(context, krberr);
log_error("Credentials are not present in cache (%s)\n", errmsg);
krb5_free_error_message(context, errmsg);
result = ISC_R_FAILURE;
goto cleanup;
}
CHECK_KRB5(context, krberr, "Credentials are not present in cache ");
krberr = krb5_timeofday(context, &now);
CHECK_KRB5(context, krberr, "Failed to get time of day");
if (now > (creds.times.endtime + KRB_MIN_TIME)) {
log_error("Credentials cache expired");
result = ISC_R_FAILURE;
goto cleanup;
} else {
char buf[255];
char fill = ' ';
krb5_timestamp_to_sfstring(creds.times.endtime, buf, 16, &fill);
log_info("Credentials valid til %s\n", buf);
}
result = ISC_R_SUCCESS;
cleanup:
krb5_free_cred_contents(context, &creds);
if (mcreds.server) krb5_free_principal(context, mcreds.server);
if (realm) krb5_free_default_realm(context, realm);
return result;
}
static char *
get_default_realm(krb5_context context)
{
char *realm;
krb5_error_code ret;
if ((ret = krb5_get_default_realm(context, &realm)) != 0)
krb5_err(context, 1, ret, "krb5_get_default_realm");
return realm;
}
static realm_type
default_realm(krb5_context ctx)
{
krb5_error_code code;
realm_type realm;
code = krb5_get_default_realm(ctx, &realm);
if (code != 0)
realm = NULL;
return realm;
}
krb5_error_code kdb_init_master(kadm5_server_handle_t handle,
char *r, int from_keyboard)
{
int ret = 0;
char *realm;
krb5_boolean from_kbd = FALSE;
krb5_kvno mkvno = IGNORE_VNO;
if (from_keyboard)
from_kbd = TRUE;
if (r == NULL) {
if ((ret = krb5_get_default_realm(handle->context, &realm)))
return ret;
} else {
realm = r;
}
if ((ret = krb5_db_setup_mkey_name(handle->context,
handle->params.mkey_name,
realm, NULL, &master_princ)))
goto done;
master_keyblock.enctype = handle->params.enctype;
/*
* Fetch the local mkey, may not be the latest but that's okay because we
* really want the list of all mkeys and those can be retrieved with any
* valid mkey.
*/
ret = krb5_db_fetch_mkey(handle->context, master_princ,
master_keyblock.enctype, from_kbd,
FALSE /* only prompt once */,
handle->params.stash_file,
&mkvno /* get the kvno of the returned mkey */,
NULL /* I'm not sure about this,
but it's what the kdc does --marc */,
&master_keyblock);
if (ret)
goto done;
if ((ret = krb5_db_fetch_mkey_list(handle->context, master_princ,
&master_keyblock))) {
krb5_db_fini(handle->context);
return (ret);
}
done:
if (r == NULL)
free(realm);
return(ret);
}
static krb5_error_code
unparse_name_fixed(krb5_context context,
krb5_const_principal principal,
char *name,
size_t len,
int flags)
{
size_t idx = 0;
int i;
int short_form = (flags & KRB5_PRINCIPAL_UNPARSE_SHORT) != 0;
int no_realm = (flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) != 0;
int display = (flags & KRB5_PRINCIPAL_UNPARSE_DISPLAY) != 0;
if (!no_realm && princ_realm(principal) == NULL) {
krb5_set_error_message(context, ERANGE,
N_("Realm missing from principal, "
"can't unparse", ""));
return ERANGE;
}
for(i = 0; i < princ_num_comp(principal); i++){
if(i)
add_char(name, idx, len, '/');
idx = quote_string(princ_ncomp(principal, i), name, idx, len, display);
if(idx == len) {
krb5_set_error_message(context, ERANGE,
N_("Out of space printing principal", ""));
return ERANGE;
}
}
/* add realm if different from default realm */
if(short_form && !no_realm) {
krb5_realm r;
krb5_error_code ret;
ret = krb5_get_default_realm(context, &r);
if(ret)
return ret;
if(strcmp(princ_realm(principal), r) != 0)
short_form = 0;
free(r);
}
if(!short_form && !no_realm) {
add_char(name, idx, len, '@');
idx = quote_string(princ_realm(principal), name, idx, len, display);
if(idx == len) {
krb5_set_error_message(context, ERANGE,
N_("Out of space printing "
"realm of principal", ""));
return ERANGE;
}
}
return 0;
}
/*
* Return default Kerberos realm
*/
void
gssd_k5_get_default_realm(char **def_realm)
{
krb5_context context;
if (krb5_init_context(&context))
return;
krb5_get_default_realm(context, def_realm);
krb5_free_context(context);
}
/*
* Find the admin server for the given realm. If the realm is null or
* the empty string, find the admin server for the default realm.
* Returns 0 on succsess (KADM5_OK). It is the callers responsibility to
* free the storage allocated to the admin server, master.
*/
kadm5_ret_t
kadm5_get_master(krb5_context context, const char *realm, char **master)
{
/* Solaris Kerberos */
char *def_realm = NULL;
char *delim;
#ifdef KRB5_DNS_LOOKUP
struct sockaddr *addrs;
int naddrs;
unsigned short dns_portno;
char dns_host[MAX_DNS_NAMELEN];
krb5_data dns_realm;
krb5_error_code dns_ret = 1;
#endif /* KRB5_DNS_LOOKUP */
if (realm == 0 || *realm == '\0')
krb5_get_default_realm(context, &def_realm);
(void) profile_get_string(context->profile, "realms",
realm ? realm : def_realm,
KADM5_MASTER, 0, master);
if ((*master != NULL) && ((delim = strchr(*master, ':')) != NULL))
*delim = '\0';
#ifdef KRB5_DNS_LOOKUP
if (*master == NULL) {
/*
* Initialize realm info for (possible) DNS lookups.
*/
dns_realm.data = strdup(realm ? realm : def_realm);
dns_realm.length = strlen(realm ? realm : def_realm);
dns_realm.magic = 0;
dns_ret = krb5_get_servername(context, &dns_realm,
"_kerberos-adm", "_udp",
dns_host, &dns_portno);
if (dns_ret == 0)
*master = strdup(dns_host);
if (dns_realm.data)
free(dns_realm.data);
}
#endif /* KRB5_DNS_LOOKUP */
/* Solaris Kerberos */
if (def_realm != NULL)
krb5_free_default_realm(context, def_realm);
return (*master ? KADM5_OK : KADM5_NO_SRV);
}
int krealm_init(struct rekey_session *sess) {
int rc;
char *realm=NULL;
if (sess->realm) {
return 0;
}
rc=krb5_get_default_realm(sess->kctx, &realm);
if (rc) {
prtmsg("Unable to get default realm: %s", krb5_get_err_text(sess->kctx, rc));
return rc;
}
sess->realm = realm;
return 0;
}
static void
test_get_default_realm(krb5_context ctx)
{
char *realm;
krb5_error_code retval;
retval = krb5_get_default_realm(ctx, &realm);
if (retval) {
com_err("krb5_get_default_realm", retval, 0);
return;
}
printf("krb5_get_default_realm() returned '%s'\n", realm);
free(realm);
}
krb5_error_code kdb_init_master(kadm5_server_handle_t handle,
char *r, int from_keyboard)
{
int ret = 0;
char *realm;
krb5_boolean from_kbd = FALSE;
if (from_keyboard)
from_kbd = TRUE;
if (r == NULL) {
if ((ret = krb5_get_default_realm(handle->context, &realm)))
return ret;
} else {
realm = r;
}
if ((ret = krb5_db_setup_mkey_name(handle->context,
handle->params.mkey_name,
realm, NULL, &master_princ)))
goto done;
/* Solaris Kerberos */
#if 0
master_keyblock.enctype = handle->params.enctype;
#endif
/* Solaris Kerberos */
ret = krb5_db_fetch_mkey(handle->context, master_princ,
handle->params.enctype, from_kbd,
FALSE /* only prompt once */,
handle->params.stash_file,
NULL /* I'm not sure about this,
but it's what the kdc does --marc */,
&handle->master_keyblock);
if (ret)
goto done;
/* Solaris Kerberos */
if ((ret = krb5_db_verify_master_key(handle->context, master_princ,
&handle->master_keyblock))) {
krb5_db_fini(handle->context);
return ret;
}
done:
if (r == NULL)
free(realm);
return(ret);
}
/*
* call-seq:
* krb.get_default_realm # => 'YOUR.REALM.COM'
*
* Returns the default Kerberos realm on your system.
*/
static VALUE rkrb5_get_default_realm(VALUE self){
RUBY_KRB5* ptr;
char* realm;
krb5_error_code kerror;
Data_Get_Struct(self, RUBY_KRB5, ptr);
kerror = krb5_get_default_realm(ptr->ctx, &realm);
if(kerror)
rb_raise(cKrb5Exception, "krb5_get_default_realm: %s", error_message(kerror));
return rb_str_new2(realm);
}
/*
* Function: Intialize name fields in the Kerberos dialog.
*
* Parameters:
* hwnd - the window recieving the message.
*
* fullname - the full kerberos name to initialize with
*/
void
kwin_init_name(HWND hwnd, char *fullname)
{
char name[ANAME_SZ];
char instance[INST_SZ];
char realm[REALM_SZ];
int krc;
#ifdef KRB5
krb5_error_code code;
char *ptr;
#endif
if (fullname == NULL || fullname[0] == 0) {
#ifdef KRB4
strcpy(name, krb_get_default_user());
strcpy(instance, cns_res.instance);
krc = krb_get_lrealm(realm, 1);
if (krc != KSUCCESS)
realm[0] = 0;
strcpy(realm, cns_res.realm);
#endif /* KRB4 */
#ifdef KRB5
strcpy(name, cns_res.name);
*realm = '\0';
code = krb5_get_default_realm(k5_context, &ptr);
if (!code) {
strcpy(realm, ptr);
/* free(ptr); XXX */
}
strcpy(realm, cns_res.realm);
#endif /* KRB5 */
} else {
#ifdef KRB4
kname_parse(name, instance, realm, fullname);
SetDlgItemText(hwnd, IDD_LOGIN_INSTANCE, instance);
#endif
#ifdef KRB5
krc = k5_kname_parse(name, realm, fullname);
*instance = '\0';
#endif
}
SetDlgItemText(hwnd, IDD_LOGIN_NAME, name);
SetDlgItemText(hwnd, IDD_LOGIN_REALM, realm);
}
/**
* Get the default realm for this host.
*/
static PyObject *get_default_realm(PyObject *self)
{
char *realm = NULL;
PyObject *pyrealm = NULL;
krb5_error_code retval;
retval = krb5_get_default_realm(module_context, &realm);
if (retval)
return python_krb5_error(retval);
pyrealm = PyString_FromString(realm);
free(realm);
return pyrealm;
}
static struct rekey_session *setup_session(void)
{
struct rekey_session *sess;
if (!(sess = calloc(1, sizeof(struct rekey_session))))
fatal("Out of memory!");
if (krb5_init_context(&sess->kctx))
fatal("krb5_init_context failed");
if (krb5_get_default_realm(sess->kctx, &sess->realm))
fatal("krb5_get_default_realm failed");
return sess;
}
/*
* Given a remctl object, the Kerberos context, the type for the wallet
* interface, and a file name of a keytab, iterate through every existing
* principal in the keytab in the local realm, get fresh keys for those
* principals, and save the old and new keys to that file. Returns true on
* success and false on partial failure to retrieve all the keys.
*/
bool
rekey_keytab(struct remctl *r, krb5_context ctx, const char *type,
const char *file)
{
char *realm = NULL;
char *data = NULL;
char *tempfile;
size_t length = 0;
int status;
bool error = false, rekeyed = false;
struct principal_name *names, *current;
xasprintf(&tempfile, "%s.new", file);
krb5_get_default_realm(ctx, &realm);
names = keytab_principals(ctx, file, realm);
for (current = names; current != NULL; current = current->next) {
status = download_keytab(r, type, current->princ, &data, &length);
if (status != 0) {
warn("error rekeying for principal %s", current->princ);
error = true;
continue;
}
write_file(tempfile, data, length);
rekeyed = true;
/*
* Now merge the original keytab file with the one containing the new
* keys from the rekeying of this principal.
*/
if (access(file, F_OK) != 0) {
if (link(tempfile, file) < 0)
sysdie("rename of temporary keytab %s to %s failed", tempfile,
file);
} else {
merge_keytab(ctx, tempfile, file);
if (unlink(tempfile) < 0)
syswarn("unlink of temporary keytab file %s failed",
tempfile);
}
}
/* If no new keytab data, then leave the keytab as-is. */
if (!rekeyed)
die("no rekeyable principals found");
free(tempfile);
return !error;
}
kadm5_ret_t
_kadm5_s_init_context(kadm5_server_context **ctx,
kadm5_config_params *params,
krb5_context context)
{
*ctx = malloc(sizeof(**ctx));
if(*ctx == NULL)
return ENOMEM;
memset(*ctx, 0, sizeof(**ctx));
set_funcs(*ctx);
(*ctx)->context = context;
krb5_add_et_list (context, initialize_kadm5_error_table_r);
#define is_set(M) (params && params->mask & KADM5_CONFIG_ ## M)
if(is_set(REALM))
(*ctx)->config.realm = strdup(params->realm);
else
krb5_get_default_realm(context, &(*ctx)->config.realm);
if(is_set(DBNAME))
(*ctx)->config.dbname = strdup(params->dbname);
if(is_set(ACL_FILE))
(*ctx)->config.acl_file = strdup(params->acl_file);
if(is_set(STASH_FILE))
(*ctx)->config.stash_file = strdup(params->stash_file);
find_db_spec(*ctx);
/* PROFILE can't be specified for now */
/* KADMIND_PORT is supposed to be used on the server also,
but this doesn't make sense */
/* ADMIN_SERVER is client only */
/* ADNAME is not used at all (as far as I can tell) */
/* ADB_LOCKFILE ditto */
/* DICT_FILE */
/* ADMIN_KEYTAB */
/* MKEY_FROM_KEYBOARD is not supported */
/* MKEY_NAME neither */
/* ENCTYPE */
/* MAX_LIFE */
/* MAX_RLIFE */
/* EXPIRATION */
/* FLAGS */
/* ENCTYPES */
return 0;
}
krb5_error_code KRB5_CALLCONV
krb5_get_fallback_host_realm(krb5_context context, krb5_data *hdata,
char ***realms_out)
{
krb5_error_code ret;
struct hostrealm_module_handle **hp;
char **realms, *defrealm, *host, cleanname[1024];
*realms_out = NULL;
/* Convert hdata into a string and clean it. */
host = k5memdup0(hdata->data, hdata->length, &ret);
if (host == NULL)
return ret;
ret = k5_clean_hostname(context, host, cleanname, sizeof(cleanname));
free(host);
if (ret)
return ret;
if (context->hostrealm_handles == NULL) {
ret = load_hostrealm_modules(context);
if (ret)
return ret;
}
/* Give each module a chance to determine the fallback realms. */
for (hp = context->hostrealm_handles; *hp != NULL; hp++) {
ret = fallback_realm(context, *hp, cleanname, &realms);
if (ret == 0) {
ret = copy_list(realms, realms_out);
free_list(context, *hp, realms);
return ret;
} else if (ret != KRB5_PLUGIN_NO_HANDLE) {
return ret;
}
}
/* Return a list containing the default realm. */
ret = krb5_get_default_realm(context, &defrealm);
if (ret)
return ret;
ret = k5_make_realmlist(defrealm, realms_out);
krb5_free_default_realm(context, defrealm);
return ret;
}
krb5_error_code kdb_init_master(kadm5_server_handle_t handle,
char *r, int from_keyboard)
{
int ret = 0;
char *realm;
krb5_keyblock tmk;
if (r == NULL) {
if ((ret = krb5_get_default_realm(handle->context, &realm)))
return ret;
} else {
realm = r;
}
if ((ret = krb5_db_setup_mkey_name(handle->context,
handle->params.mkey_name,
realm, NULL, &master_princ)))
goto done;
if (ret = krb5_db_fetch_mkey(handle->context, master_princ,
handle->params.enctype,
from_keyboard,
FALSE /* only prompt once */,
handle->params.stash_file,
NULL /* I'm not sure about this,
but it's what the kdc does --marc */,
&handle->master_keyblock))
goto done;
if ((ret = krb5_db_init(handle->context)) != KSUCCESS)
goto done;
if ((ret = krb5_db_verify_master_key(handle->context, master_princ,
&handle->master_keyblock))) {
krb5_db_fini(handle->context);
return ret;
}
done:
if (r == NULL)
free(realm);
return(ret);
}
/*
* Test whether anonymous authentication works. If this doesn't, we need to
* skip the tests of anonymous FAST.
*/
static bool
anon_fast_works(void)
{
krb5_context ctx;
krb5_error_code retval;
krb5_principal princ = NULL;
char *realm;
krb5_creds creds;
krb5_get_init_creds_opt *opts = NULL;
/* Construct the anonymous principal name. */
retval = krb5_init_context(&ctx);
if (retval != 0)
bail("cannot initialize Kerberos");
retval = krb5_get_default_realm(ctx, &realm);
if (retval != 0)
bail("cannot get default realm");
retval = krb5_build_principal_ext(ctx, &princ, strlen(realm), realm,
strlen(KRB5_WELLKNOWN_NAME), KRB5_WELLKNOWN_NAME,
strlen(KRB5_ANON_NAME), KRB5_ANON_NAME, NULL);
if (retval != 0)
bail("cannot construct anonymous principal");
krb5_free_default_realm(ctx, realm);
/* Obtain the credentials. */
memset(&creds, 0, sizeof(creds));
retval = krb5_get_init_creds_opt_alloc(ctx, &opts);
if (retval != 0)
bail("cannot create credential options");
krb5_get_init_creds_opt_set_anonymous(opts, 1);
krb5_get_init_creds_opt_set_tkt_life(opts, 60);
retval = krb5_get_init_creds_password(ctx, &creds, princ, NULL, NULL,
NULL, 0, NULL, opts);
/* Clean up. */
if (princ != NULL)
krb5_free_principal(ctx, princ);
if (opts != NULL)
krb5_get_init_creds_opt_free(ctx, opts);
krb5_free_cred_contents(ctx, &creds);
return (retval == 0);
}
DWORD
LwKrb5GetDefaultRealm(
PSTR* ppszRealm
)
{
DWORD dwError = 0;
krb5_context ctx = NULL;
PSTR pszKrb5Realm = NULL;
PSTR pszRealm = NULL;
krb5_init_context(&ctx);
krb5_get_default_realm(ctx, &pszKrb5Realm);
if (LW_IS_NULL_OR_EMPTY_STR(pszKrb5Realm)) {
dwError = LW_ERROR_NO_DEFAULT_REALM;
BAIL_ON_LW_ERROR(dwError);
}
dwError = LwAllocateString(pszKrb5Realm, &pszRealm);
BAIL_ON_LW_ERROR(dwError);
*ppszRealm = pszRealm;
cleanup:
if (pszKrb5Realm)
{
krb5_free_default_realm(ctx, pszKrb5Realm);
}
krb5_free_context(ctx);
return(dwError);
error:
*ppszRealm = NULL;
LW_SAFE_FREE_STRING(pszRealm);
goto cleanup;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_make_principal(krb5_context context,
krb5_principal *principal,
krb5_const_realm realm,
...)
{
krb5_error_code ret;
krb5_realm r = NULL;
va_list ap;
if(realm == NULL) {
ret = krb5_get_default_realm(context, &r);
if(ret)
return ret;
realm = r;
}
va_start(ap, realm);
ret = krb5_build_principal_va(context, principal, strlen(realm), realm, ap);
va_end(ap);
if(r)
free(r);
return ret;
}
