/* Point GSSAPI at the KDB keytab so we don't need an actual file keytab. */ static krb5_error_code setup_kdb_keytab() { krb5_error_code ret; ret = krb5_ktkdb_set_context(context); if (ret) return ret; ret = krb5_db_register_keytab(context); if (ret) return ret; return krb5_gss_register_acceptor_identity("KDB:"); }
static void nfs_Init(const nfs_start_info_t *p_start_info) { cache_inode_status_t cache_status; state_status_t state_status; int rc = 0; #ifdef _HAVE_GSSAPI gss_buffer_desc gss_service_buf; OM_uint32 maj_stat, min_stat; char GssError[MAXNAMLEN + 1]; #endif #ifdef USE_DBUS /* DBUS init */ gsh_dbus_pkginit(); #ifdef USE_DBUS_STATS dbus_export_init(); dbus_client_init(); #endif #endif /* Cache Inode Initialisation */ cache_status = cache_inode_init(); if (cache_status != CACHE_INODE_SUCCESS) { LogFatal(COMPONENT_INIT, "Cache Inode Layer could not be initialized, status=%s", cache_inode_err_str(cache_status)); } state_status = state_lock_init(nfs_param.cache_param.cookie_param); if (state_status != STATE_SUCCESS) { LogFatal(COMPONENT_INIT, "State Lock Layer could not be initialized, status=%s", state_err_str(state_status)); } LogInfo(COMPONENT_INIT, "Cache Inode library successfully initialized"); /* Cache Inode LRU (call this here, rather than as part of cache_inode_init() so the GC policy has been set */ rc = cache_inode_lru_pkginit(); if (rc != 0) { LogFatal(COMPONENT_INIT, "Unable to initialize LRU subsystem: %d.", rc); } /* finish the job with exports by caching the root entries */ exports_pkginit(); nfs41_session_pool = pool_init("NFSv4.1 session pool", sizeof(nfs41_session_t), pool_basic_substrate, NULL, NULL, NULL); request_pool = pool_init("Request pool", sizeof(request_data_t), pool_basic_substrate, NULL, NULL /* FASTER constructor_request_data_t */ , NULL); if (!request_pool) { LogCrit(COMPONENT_INIT, "Error while allocating request pool"); LogError(COMPONENT_INIT, ERR_SYS, ERR_MALLOC, errno); Fatal(); } request_data_pool = pool_init("Request Data Pool", sizeof(nfs_request_data_t), pool_basic_substrate, NULL, NULL /* FASTER constructor_nfs_request_data_t */ , NULL); if (!request_data_pool) { LogCrit(COMPONENT_INIT, "Error while allocating request data pool"); LogError(COMPONENT_INIT, ERR_SYS, ERR_MALLOC, errno); Fatal(); } dupreq_pool = pool_init("Duplicate Request Pool", sizeof(dupreq_entry_t), pool_basic_substrate, NULL, NULL, NULL); if (!(dupreq_pool)) { LogCrit(COMPONENT_INIT, "Error while allocating duplicate request pool"); LogError(COMPONENT_INIT, ERR_SYS, ERR_MALLOC, errno); Fatal(); } #ifdef _USE_ASYNC_CACHE_INODE /* Start the TAD and synclets for writeback cache inode */ cache_inode_async_init(nfs_param.cache_layers_param. cache_inode_client_param); #endif /* If rpcsec_gss is used, set the path to the keytab */ #ifdef _HAVE_GSSAPI #ifdef HAVE_KRB5 if (nfs_param.krb5_param.active_krb5) { OM_uint32 gss_status = GSS_S_COMPLETE; if (nfs_param.krb5_param.keytab[0] != '\0') gss_status = krb5_gss_register_acceptor_identity(nfs_param. krb5_param. keytab); if (gss_status != GSS_S_COMPLETE) { log_sperror_gss(GssError, gss_status, 0); LogFatal(COMPONENT_INIT, "Error setting krb5 keytab to value %s is %s", nfs_param.krb5_param.keytab, GssError); } LogInfo(COMPONENT_INIT, "krb5 keytab path successfully set to %s", nfs_param.krb5_param.keytab); #endif /* HAVE_KRB5 */ /* Set up principal to be use for GSSAPPI within GSSRPC/KRB5 */ gss_service_buf.value = nfs_param.krb5_param.svc.principal; gss_service_buf.length = strlen(nfs_param.krb5_param.svc.principal) + 1; /* The '+1' is not to be forgotten, for the '\0' at the end */ maj_stat = gss_import_name(&min_stat, &gss_service_buf, (gss_OID) GSS_C_NT_HOSTBASED_SERVICE, &nfs_param.krb5_param.svc.gss_name); if (maj_stat != GSS_S_COMPLETE) { log_sperror_gss(GssError, maj_stat, min_stat); LogFatal(COMPONENT_INIT, "Error importing gss principal %s is %s", nfs_param.krb5_param.svc.principal, GssError); } if (nfs_param.krb5_param.svc.gss_name == GSS_C_NO_NAME) LogInfo(COMPONENT_INIT, "Regression: svc.gss_name == GSS_C_NO_NAME"); LogInfo(COMPONENT_INIT, "gss principal \"%s\" successfully set", nfs_param.krb5_param.svc.principal); /* Set the principal to GSSRPC */ if (!svcauth_gss_set_svc_name (nfs_param.krb5_param.svc.gss_name)) { LogFatal(COMPONENT_INIT, "Impossible to set gss principal to GSSRPC"); } /* Don't release name until shutdown, it will be used by the * backchannel. */ #ifdef HAVE_KRB5 } /* if( nfs_param.krb5_param.active_krb5 ) */ #endif /* HAVE_KRB5 */ #endif /* _HAVE_GSSAPI */ /* RPC Initialisation - exits on failure */ nfs_Init_svc(); LogInfo(COMPONENT_INIT, "RPC ressources successfully initialized"); /* Admin initialisation */ nfs_Init_admin_thread(); LogEvent(COMPONENT_INIT, "Initializing ID Mapper."); if (!idmapper_init()) LogFatal(COMPONENT_INIT, "Failed initializing ID Mapper."); else LogEvent(COMPONENT_INIT, "ID Mapper successfully initialized."); /* Init the NFSv4 Clientid cache */ LogDebug(COMPONENT_INIT, "Now building NFSv4 clientid cache"); if (nfs_Init_client_id(&nfs_param.client_id_param) != CLIENT_ID_SUCCESS) { LogFatal(COMPONENT_INIT, "Error while initializing NFSv4 clientid cache"); } LogInfo(COMPONENT_INIT, "NFSv4 clientid cache successfully initialized"); /* Init duplicate request cache */ dupreq2_pkginit(); LogInfo(COMPONENT_INIT, "duplicate request hash table cache successfully initialized"); /* Init the IP/name cache */ LogDebug(COMPONENT_INIT, "Now building IP/name cache"); if (nfs_Init_ip_name(nfs_param.ip_name_param) != IP_NAME_SUCCESS) { LogFatal(COMPONENT_INIT, "Error while initializing IP/name cache"); } LogInfo(COMPONENT_INIT, "IP/name cache successfully initialized"); /* Init The NFSv4 State id cache */ LogDebug(COMPONENT_INIT, "Now building NFSv4 State Id cache"); if (nfs4_Init_state_id(&nfs_param.state_id_param) != 0) { LogFatal(COMPONENT_INIT, "Error while initializing NFSv4 State Id cache"); } LogInfo(COMPONENT_INIT, "NFSv4 State Id cache successfully initialized"); /* Init The NFSv4 Open Owner cache */ LogDebug(COMPONENT_INIT, "Now building NFSv4 Owner cache"); if (Init_nfs4_owner(&nfs_param.nfs4_owner_param) != 0) { LogFatal(COMPONENT_INIT, "Error while initializing NFSv4 Owner cache"); } LogInfo(COMPONENT_INIT, "NFSv4 Open Owner cache successfully initialized"); if (nfs_param.core_param.enable_NLM) { /* Init The NLM Owner cache */ LogDebug(COMPONENT_INIT, "Now building NLM Owner cache"); if (Init_nlm_hash() != 0) { LogFatal(COMPONENT_INIT, "Error while initializing NLM Owner cache"); } LogInfo(COMPONENT_INIT, "NLM Owner cache successfully initialized"); nlm_init(); } #ifdef _USE_9P /* Init the 9P lock owner cache */ LogDebug(COMPONENT_INIT, "Now building 9P Owner cache"); if (Init_9p_hash() != 0) { LogFatal(COMPONENT_INIT, "Error while initializing 9P Owner cache"); } LogInfo(COMPONENT_INIT, "9P Owner cache successfully initialized"); #endif LogDebug(COMPONENT_INIT, "Now building NFSv4 Session Id cache"); if (nfs41_Init_session_id(&nfs_param.session_id_param) != 0) { LogFatal(COMPONENT_INIT, "Error while initializing NFSv4 Session Id cache"); } LogInfo(COMPONENT_INIT, "NFSv4 Session Id cache successfully initialized"); LogDebug(COMPONENT_INIT, "Now building NFSv4 ACL cache"); if (nfs4_acls_init() != 0) { LogCrit(COMPONENT_INIT, "Error while initializing NFSv4 ACLs"); exit(1); } LogInfo(COMPONENT_INIT, "NFSv4 ACL cache successfully initialized"); #ifdef _USE_9P LogDebug(COMPONENT_INIT, "Now building 9P resources"); if (_9p_init(&nfs_param._9p_param)) { LogCrit(COMPONENT_INIT, "Error while initializing 9P Resources"); exit(1); } LogInfo(COMPONENT_INIT, "9P resources successfully initialized"); #endif /* _USE_9P */ /* Creates the pseudo fs */ LogDebug(COMPONENT_INIT, "Now building pseudo fs"); rc = nfs4_ExportToPseudoFS(); if (rc != 0) LogFatal(COMPONENT_INIT, "Error %d while initializing NFSv4 pseudo file system", rc); LogInfo(COMPONENT_INIT, "NFSv4 pseudo file system successfully initialized"); /* Save Ganesha thread credentials with Frank's routine for later use */ fsal_save_ganesha_credentials(); /* Create stable storage directory, this needs to be done before * starting the recovery thread. */ nfs4_create_recov_dir(); /* initialize grace and read in the client IDs */ nfs4_init_grace(); nfs4_load_recov_clids(NULL); /* Start grace period */ nfs4_start_grace(NULL); /* callback dispatch */ nfs_rpc_cb_pkginit(); #ifdef _USE_CB_SIMULATOR nfs_rpc_cbsim_pkginit(); #endif /* _USE_CB_SIMULATOR */ } /* nfs_Init */
int main(int argc, char *argv[]) { OM_uint32 minor, major; gss_cred_id_t impersonator_cred_handle = GSS_C_NO_CREDENTIAL; gss_cred_id_t user_cred_handle = GSS_C_NO_CREDENTIAL; gss_cred_id_t delegated_cred_handle = GSS_C_NO_CREDENTIAL; gss_name_t user = GSS_C_NO_NAME, target = GSS_C_NO_NAME; gss_OID_set mechs; if (argc < 2 || argc > 5) { fprintf(stderr, "Usage: %s [--spnego] [user] " "[proxy-target] [keytab]\n", argv[0]); fprintf(stderr, " proxy-target and keytab are optional\n"); exit(1); } if (strcmp(argv[1], "--spnego") == 0) { use_spnego++; argc--; argv++; } user = import_name(argv[1]); if (argc > 2 && strcmp(argv[2], "-")) target = import_name(argv[2]); if (argc > 3) { major = krb5_gss_register_acceptor_identity(argv[3]); check_gsserr("krb5_gss_register_acceptor_identity", major, 0); } /* Get default cred. */ mechs = use_spnego ? &mechset_spnego : &mechset_krb5; major = gss_acquire_cred(&minor, GSS_C_NO_NAME, GSS_C_INDEFINITE, mechs, GSS_C_BOTH, &impersonator_cred_handle, NULL, NULL); check_gsserr("gss_acquire_cred", major, minor); printf("Protocol transition tests follow\n"); printf("-----------------------------------\n\n"); test_greet_authz_data(&user); /* Get S4U2Self cred. */ major = gss_acquire_cred_impersonate_name(&minor, impersonator_cred_handle, user, GSS_C_INDEFINITE, mechs, GSS_C_INITIATE, &user_cred_handle, NULL, NULL); check_gsserr("gss_acquire_cred_impersonate_name", major, minor); init_accept_sec_context(user_cred_handle, impersonator_cred_handle, &delegated_cred_handle); printf("\n"); if (target != GSS_C_NO_NAME && delegated_cred_handle != GSS_C_NO_CREDENTIAL) { constrained_delegate(mechs, target, delegated_cred_handle, impersonator_cred_handle); } else if (target != GSS_C_NO_NAME) { fprintf(stderr, "Warning: no delegated cred handle returned\n\n"); fprintf(stderr, "Verify:\n\n"); fprintf(stderr, " - The TGT for the impersonating service is " "forwardable\n"); fprintf(stderr, " - The T2A4D flag set on the impersonating service's " "UAC\n"); fprintf(stderr, " - The user is not marked sensitive and cannot be " "delegated\n"); fprintf(stderr, "\n"); } (void)gss_release_name(&minor, &user); (void)gss_release_name(&minor, &target); (void)gss_release_cred(&minor, &delegated_cred_handle); (void)gss_release_cred(&minor, &impersonator_cred_handle); (void)gss_release_cred(&minor, &user_cred_handle); return 0; }
int main(int argc, char **argv) { krb5_error_code ret; int optidx = 0; int i; krb5_keytab keytab; krb5_socket_t sfd = rk_INVALID_SOCKET; setprogname(argv[0]); ret = krb5_init_context(&context); if (ret) errx (1, "krb5_init_context failed: %d", ret); if (getarg(args, num_args, argc, argv, &optidx)) { warnx("error at argument `%s'", argv[optidx]); usage(1); } if (help_flag) usage (0); if (version_flag) { print_version(NULL); exit(0); } setup_context(context); /* * Now, do the same for the gssapi thread we are going to be running in */ { krb5_context gssctx; ret = _gsskrb5_init(&gssctx); if (ret) errx(1, "failed to setup gssapi context"); setup_context(gssctx); krb5_gss_register_acceptor_identity("HDB:"); } ret = krb5_kt_resolve(context, keytab_str, &keytab); if(ret) krb5_err(context, 1, ret, "krb5_kt_resolve"); kadm5_setup_passwd_quality_check (context, check_library, check_function); for (i = 0; i < policy_libraries.num_strings; i++) { ret = kadm5_add_passwd_quality_verifier(context, policy_libraries.strings[i]); if (ret) krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier"); } ret = kadm5_add_passwd_quality_verifier(context, NULL); if (ret) krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier"); #ifdef ___APPLE__ if (sandbox_flag) { char *errorstring; ret = sandbox_init("kadmind", SANDBOX_NAMED, &errorstring); if (ret) errx(1, "sandbox_init failed: %d: %s", ret, errorstring); } #endif if(debug_flag) { int debug_port; if(port_str == NULL) debug_port = krb5_getportbyname (context, "kerberos-adm", "tcp", 749); else debug_port = htons(atoi(port_str)); mini_inetd(debug_port, &sfd); } else { #ifdef _WIN32 pidfile(NULL); start_server(context, port_str); #else struct sockaddr_storage __ss; struct sockaddr *sa = (struct sockaddr *)&__ss; socklen_t sa_size = sizeof(__ss); /* * Check if we are running inside inetd or not, if not, start * our own server. */ if(roken_getsockname(STDIN_FILENO, sa, &sa_size) < 0 && rk_SOCK_ERRNO == ENOTSOCK) { pidfile(NULL); start_server(context, port_str); } #endif /* _WIN32 */ sfd = STDIN_FILENO; } if(realm) krb5_set_default_realm(context, realm); /* XXX */ kadmind_loop(context, keytab, sfd); return 0; }