int
pr_ChangeEntry(prname oldname, prname newname, afs_int32 *newid, prname newowner)
{
afs_int32 code;
afs_int32 id;
afs_int32 oid = 0;
/* pr_SNameToId takes care of length checks for us. */
code = pr_SNameToId(oldname, &id);
if (code)
return code;
if (id == ANONYMOUSID)
return PRNOENT;
if (newowner && *newowner) {
code = pr_SNameToId(newowner, &oid);
if (code)
return code;
if (oid == ANONYMOUSID)
return PRNOENT;
}
if (newid)
code = ubik_PR_ChangeEntry(pruclient, 0, id, newname, oid, *newid);
else
code = ubik_PR_ChangeEntry(pruclient, 0, id, newname, oid, 0);
return code;
}
int
pr_ChangeEntry(char *oldname, char *newname, afs_int32 *newid, char *newowner)
{
afs_int32 code;
afs_int32 id;
afs_int32 oid = 0;
code = pr_SNameToId(oldname, &id);
if (code)
return code;
if (id == ANONYMOUSID)
return PRNOENT;
if (newowner && *newowner) {
code = pr_SNameToId(newowner, &oid);
if (code)
return code;
if (oid == ANONYMOUSID)
return PRNOENT;
}
if (newid)
code = ubik_PR_ChangeEntry(pruclient, 0, id, newname, oid, *newid);
else
code = ubik_PR_ChangeEntry(pruclient, 0, id, newname, oid, 0);
return code;
}
int
pr_CheckEntryByName(prname name, afs_int32 *id, prname owner, prname creator)
{
/* struct prcheckentry returns other things, which aren't useful to show at this time. */
afs_int32 code;
struct prcheckentry aentry;
/* pr_SNameToId will check name's length. */
code = pr_SNameToId(name, id);
if (code)
return code;
if (*id == ANONYMOUSID)
return PRNOENT;
code = ubik_PR_ListEntry(pruclient, 0, *id, &aentry);
if (code)
return code;
/* this should be done in one RPC, but I'm lazy. */
code = pr_SIdToName(aentry.owner, owner);
if (code)
return code;
code = pr_SIdToName(aentry.creator, creator);
if (code)
return code;
return PRSUCCESS;
}
int
pr_ListMembers(prname group, namelist *lnames)
{
afs_int32 code;
afs_int32 gid;
int i;
memset(lnames, 0, sizeof(namelist));
/* pr_SNameToId checks the length of group. */
code = pr_SNameToId(group, &gid);
if (code)
return code;
if (gid == ANONYMOUSID)
return PRNOENT;
code = pr_IDListMembers(gid, lnames);
if (code)
return code;
for (i = 0; i < lnames->namelist_len; i++) {
code = check_length(lnames->namelist_val[i]);
if (code)
return code;
}
return code;
}
int
pr_CreateGroup(prname name, prname owner, afs_int32 *id)
{
afs_int32 code;
afs_int32 oid = 0;
afs_int32 flags = 0;
code = check_length(name);
if (code)
return code;
/* pr_SNameToId will check owner's length. */
stolower(name);
if (owner) {
code = pr_SNameToId(owner, &oid);
if (code)
return code;
if (oid == ANONYMOUSID)
return PRNOENT;
}
flags |= PRGRP;
if (*id) {
code = ubik_PR_INewEntry(pruclient, 0, name, *id, oid);
} else {
code = ubik_PR_NewEntry(pruclient, 0, name, flags, oid, id);
}
return code;
}
/*
* Check if a username is valid: If it contains only digits (or a
* negative sign), then it might be bad. If we know the cellname,
* then query the ptserver to see if the entry is recognized.
*/
static int
BadName(char *aname, char *cellname)
{
afs_int32 tc, code, id = 0;
char *nm;
for ( nm = aname; tc = *nm; nm++) {
/* all must be '-' or digit to be bad */
if (tc != '-' && (tc < '0' || tc > '9'))
return 0;
}
if (cellname) {
char confDir[257];
/* Go to the PRDB and see if this all number username is valid */
cm_GetConfigDir(confDir, sizeof(confDir));
pr_Initialize(1, confDir, cellname);
code = pr_SNameToId(aname, &id);
pr_End();
}
/* 1=>Not-valid; 0=>Valid */
return ((!code && (id == ANONYMOUSID)) ? 1 : 0);
}
int
pr_ListMembers(char *group, namelist *lnames)
{
afs_int32 code;
afs_int32 gid;
code = pr_SNameToId(group, &gid);
if (code)
return code;
if (gid == ANONYMOUSID)
return PRNOENT;
code = pr_IDListMembers(gid, lnames);
return code;
}
int
pr_Delete(char *name)
{
afs_int32 code;
afs_int32 id;
stolower(name);
code = pr_SNameToId(name, &id);
if (code)
return code;
if (id == ANONYMOUSID)
return PRNOENT;
code = ubik_PR_Delete(pruclient, 0, id);
return code;
}
int
pr_Delete(prname name)
{
afs_int32 code;
afs_int32 id;
/* pr_SNameToId both checks the length of name and lowercases it. */
code = pr_SNameToId(name, &id);
if (code)
return code;
if (id == ANONYMOUSID)
return PRNOENT;
code = ubik_PR_Delete(pruclient, 0, id);
return code;
}
int afs_set_token(struct afs_auth_creds afscreds ) {
/*
* Set tokens in kernel
*/
int afs_status;
char buf[1024];
int buflen=0;
afs_int32 viceId;
/*
* Initialize afs? and map the afs user (client.name) to an id
*/
atc_log_debug("Initialize afs client?");
if (afs_status=pr_Initialize(0,AFSDIR_CLIENT_ETC_DIRPATH,afscreds.server.cell)) {
sprintf(afs_token_cache_errmsg,"Failed to initialize afs stuff for cell '%s'",afscreds.server.cell);
goto fail;
}
atc_log_debug("Mapping username to afs pts id");
if ( afs_status=afs_status=pr_SNameToId(afscreds.client.name,&viceId)) {
sprintf(afs_token_cache_errmsg,"Failed to map name '%s' to id",afscreds.client.name);
goto fail;
}
/*
* Set the token if the afs id is greater than 0 and not anonymous (32766)
*/
if ( viceId != 32766 && viceId > 0 ) {
atc_log_info("Setting afs tokens in kernel for user '%s'", afscreds.client.name);
afs_status=ktc_SetToken(&afscreds.server, &afscreds.token, &afscreds.client, 0);
if ( afs_status ) {
sprintf(afs_token_cache_errmsg, "Failed to set tokens in kernel for user '%s'", afscreds.client.name);
goto fail;
}
} else {
atc_log_info("User id is either 0 or the afs anonymous id (32766), not setting tokens");
}
return 0;
fail:
atc_log_err(afs_token_cache_errmsg);
return 1;
}
static int
whoami(struct ktc_token *atoken,
struct afsconf_cell *cellconfig,
struct ktc_principal *aclient,
int *vicep)
{
int code;
char tempname[2*PR_MAXNAMELEN];
code = pr_Initialize(0, AFSDIR_CLIENT_ETC_DIRPATH, cellconfig->name);
if (code)
goto Failed;
if (*aclient->instance)
snprintf (tempname, sizeof tempname, "%s.%s",
aclient->name, aclient->instance);
else
snprintf (tempname, sizeof tempname, "%s", aclient->name);
code = pr_SNameToId(tempname, vicep);
Failed:
return code;
}
int
pr_CreateGroup(char name[PR_MAXNAMELEN], char owner[PR_MAXNAMELEN], afs_int32 *id)
{
afs_int32 code;
afs_int32 oid = 0;
afs_int32 flags = 0;
stolower(name);
if (owner) {
code = pr_SNameToId(owner, &oid);
if (code)
return code;
if (oid == ANONYMOUSID)
return PRNOENT;
}
flags |= PRGRP;
if (*id) {
code = ubik_PR_INewEntry(pruclient, 0, name, *id, oid);
return code;
} else {
code = ubik_PR_NewEntry(pruclient, 0, name, flags, oid, id);
return code;
}
}
void ViceIDToUsername(char *username, char *realm_of_user, char *realm_of_cell,
char * cell_to_use, CREDENTIALS *c,
int *status,
struct ktc_principal *aclient, struct ktc_principal *aserver, struct ktc_token *atoken)
{
static char lastcell[MAXCELLCHARS+1] = { 0 };
static char confname[512] = { 0 };
char username_copy[BUFSIZ];
afs_int32 viceId; /* AFS uid of user */
if (confname[0] == '\0') {
strncpy(confname, AFSDIR_CLIENT_ETC_DIRPATH, sizeof(confname));
confname[sizeof(confname) - 2] = '\0';
}
if (dflag)
printf("About to resolve name %s to id\n", username);
strcpy(lastcell, aserver->cell);
if (!pr_Initialize (0, confname, aserver->cell)) {
char sname[PR_MAXNAMELEN], *at;
strncpy(sname, username, PR_MAXNAMELEN);
sname[PR_MAXNAMELEN-1] = '\0';
at = strchr(sname, '@');
if (at && !stricmp(at+1, realm_of_cell))
*at = '\0';
*status = pr_SNameToId (sname, &viceId);
}
if (dflag)
{
if (*status)
printf("pr_SNameToId Error %s\n", afs_error_message(*status));
else
printf("Id %d\n", viceId);
}
/*
* This code is taken from cklog -- it lets people
* automatically register with the ptserver in foreign cells
*/
#ifdef ALLOW_REGISTER
if (*status == 0) {
if (viceId != ANONYMOUSID) {
#else /* ALLOW_REGISTER */
if ((*status == 0) && (viceId != ANONYMOUSID))
#endif /* ALLOW_REGISTER */
{
#ifdef AFS_ID_TO_NAME
strncpy(username_copy, username, BUFSIZ);
snprintf (username, BUFSIZ, "%s (AFS ID %d)", username_copy, (int) viceId);
#endif /* AFS_ID_TO_NAME */
}
#ifdef ALLOW_REGISTER
} else if (strcmp(realm_of_user, realm_of_cell) != 0) {
int i;
if (dflag) {
printf("doing first-time registration of %s "
"at %s\n", username, cell_to_use);
}
strncpy(aclient->name, username, MAXKTCNAMELEN - 1);
aclient->name[MAXKTCNAMELEN - 1] = '\0';
strcpy(aclient->instance, "");
strncpy(aclient->cell, cell_to_use, MAXKTCREALMLEN - 1);
aclient->cell[MAXKTCREALMLEN - 1] = '\0';
for ( i=0; aclient->cell[i]; i++ ) {
if ( islower(aclient->cell[i]) )
aclient->cell[i] = toupper(aclient->cell[i]);
}
if ((*status = ktc_SetToken(aserver, atoken, aclient, 0))) {
afs_com_err(progname, *status,
"while obtaining tokens for cell %s\n",
cell_to_use);
*status = AKLOG_TOKEN;
return ;
}
/*
* In case you're wondering, we don't need to change the
* filename here because we're still connecting to the
* same cell -- we're just using a different authentication
* level
*/
if ((*status = pr_Initialize(1L, confname, aserver->cell))) {
printf("pr_Initialize Error %s\n", afs_error_message(*status));
return;
}
/* copy the name because pr_CreateUser lowercases the realm */
strncpy(username_copy, username, BUFSIZ);
viceId = 0;
*status = pr_CreateUser(username_copy, &viceId);
if (*status) {
printf("%s: unable to create remote PTS "
"user %s in cell %s (status: %s).\n", progname,
username_copy, cell_to_use, afs_error_message(*status));
} else {
printf("created cross-cell entry for %s (Id %d) at %s\n",
username_copy, viceId, cell_to_use);
#ifdef AFS_ID_TO_NAME
snprintf (username, BUFSIZ, "%s (AFS ID %d)", username_copy, (int) viceId);
#endif /* AFS_ID_TO_NAME */
}
}
}
#endif /* ALLOW_REGISTER */
}
/*
* Log to a cell. If the cell has already been logged to, return without
* doing anything. Otherwise, log to it and mark that it has been logged
* to.
*/
static int auth_to_cell(krb5_context context, char *user, char *cell, char *realm)
{
int status = 0;
char username[BUFSIZ]; /* To hold client username structure */
afs_int32 viceId; /* AFS uid of user */
char name[ANAME_SZ]; /* Name of afs key */
char primary_instance[INST_SZ]; /* Instance of afs key */
char secondary_instance[INST_SZ]; /* Backup instance to try */
int try_secondary = 0; /* Flag to indicate if we try second */
char realm_of_user[REALM_SZ]; /* Kerberos realm of user */
char realm_of_cell[REALM_SZ]; /* Kerberos realm of cell */
char local_cell[MAXCELLCHARS+1];
char cell_to_use[MAXCELLCHARS+1]; /* Cell to authenticate to */
static char lastcell[MAXCELLCHARS+1] = { 0 };
static char confname[512] = { 0 };
krb5_creds *v5cred = NULL;
struct ktc_principal aserver;
struct ktc_principal aclient;
struct ktc_token atoken, btoken;
int afssetpag = 0, uid = -1;
struct passwd *pwd;
memset(name, 0, sizeof(name));
memset(primary_instance, 0, sizeof(primary_instance));
memset(secondary_instance, 0, sizeof(secondary_instance));
memset(realm_of_user, 0, sizeof(realm_of_user));
memset(realm_of_cell, 0, sizeof(realm_of_cell));
syslog(LOG_AUTH|LOG_DEBUG, "LAM aklog starting: user %s uid %d", user, getuid());
if (confname[0] == '\0') {
strncpy(confname, AFSDIR_CLIENT_ETC_DIRPATH, sizeof(confname));
confname[sizeof(confname) - 2] = '\0';
}
/* NULL or empty cell returns information on local cell */
if ((status = get_cellconfig(cell, &ak_cellconfig,
local_cell, linkedcell))) {
syslog(LOG_AUTH|LOG_ERR, "LAM aklog: get_cellconfig returns %d", status);
return(status);
}
strncpy(cell_to_use, ak_cellconfig.name, MAXCELLCHARS);
cell_to_use[MAXCELLCHARS] = 0;
/*
* Find out which realm we're supposed to authenticate to. If one
* is not included, use the kerberos realm found in the credentials
* cache.
*/
if (realm && realm[0]) {
strcpy(realm_of_cell, realm);
}
else {
char *afs_realm = afs_realm_of_cell(context, &ak_cellconfig, FALSE);
if (!afs_realm) {
syslog(LOG_AUTH|LOG_ERR, "LAM aklog: afs_realm_of_cell returns %d", status);
return AFSCONF_FAILURE;
}
strcpy(realm_of_cell, afs_realm);
}
/* We use the afs.<cellname> convention here...
*
* Doug Engert's original code had principals of the form:
*
* "afsx/cell@realm"
*
* in the KDC, so the name wouldn't conflict with DFS. Since we're
* not using DFS, I changed it just to look for the following
* principals:
*
* afs/<cell>@<realm>
* afs@<realm>
*
* Because people are transitioning from afs@realm to afs/cell,
* we configure things so that if the first one isn't found, we
* try the second one. You can select which one you prefer with
* a configure option.
*/
strcpy(name, AFSKEY);
if (1 || strcasecmp(cell_to_use, realm_of_cell) != 0) {
strncpy(primary_instance, cell_to_use, sizeof(primary_instance));
primary_instance[sizeof(primary_instance)-1] = '\0';
if (strcasecmp(cell_to_use, realm_of_cell) == 0) {
try_secondary = 1;
secondary_instance[0] = '\0';
}
} else {
primary_instance[0] = '\0';
try_secondary = 1;
strncpy(secondary_instance, cell_to_use,
sizeof(secondary_instance));
secondary_instance[sizeof(secondary_instance)-1] = '\0';
}
/*
* Extract the session key from the ticket file and hand-frob an
* afs style authenticator.
*/
/*
* Try to obtain AFS tickets. Because there are two valid service
* names, we will try both, but trying the more specific first.
*
* afs/<cell>@<realm> i.e. allow for single name with "."
* afs@<realm>
*/
status = get_credv5(context, user, name, primary_instance, realm_of_cell,
&v5cred);
if ((status == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN ||
status == KRB5KRB_ERR_GENERIC) && !realm_of_cell[0]) {
char *afs_realm = afs_realm_of_cell(context, &ak_cellconfig, TRUE);
if (!afs_realm) {
syslog(LOG_AUTH|LOG_ERR, "LAM aklog: afs_realm_of_cell returns %d", status);
return AFSCONF_FAILURE;
}
strcpy(realm_of_cell, afs_realm);
if (strcasecmp(cell_to_use, realm_of_cell) == 0) {
try_secondary = 1;
secondary_instance[0] = '\0';
}
status = get_credv5(context, user, name, primary_instance,
realm_of_cell, &v5cred);
}
if (status == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN ||
status == KRB5KRB_ERR_GENERIC) {
if (try_secondary)
status = get_credv5(context, user, name, secondary_instance,
realm_of_cell, &v5cred);
}
if (status) {
syslog(LOG_AUTH|LOG_ERR, "LAM aklog: get_credv5 returns %d", status);
return status;
}
strncpy(aserver.name, AFSKEY, MAXKTCNAMELEN - 1);
strncpy(aserver.instance, AFSINST, MAXKTCNAMELEN - 1);
strncpy(aserver.cell, cell_to_use, MAXKTCREALMLEN - 1);
/*
* The default is to use rxkad2b, which means we put in a full
* V5 ticket. If the user specifies -524, we talk to the
* 524 ticket converter.
*/
{
char *p;
int len;
len = min(get_princ_len(context, v5cred->client, 0),
second_comp(context, v5cred->client) ?
MAXKTCNAMELEN - 2 : MAXKTCNAMELEN - 1);
strncpy(username, get_princ_str(context, v5cred->client, 0), len);
username[len] = '\0';
if (second_comp(context, v5cred->client)) {
strcat(username, ".");
p = username + strlen(username);
len = min(get_princ_len(context, v5cred->client, 1),
MAXKTCNAMELEN - strlen(username) - 1);
strncpy(p, get_princ_str(context, v5cred->client, 1), len);
p[len] = '\0';
}
memset(&atoken, 0, sizeof(atoken));
atoken.kvno = RXKAD_TKT_TYPE_KERBEROS_V5;
atoken.startTime = v5cred->times.starttime;;
atoken.endTime = v5cred->times.endtime;
memcpy(&atoken.sessionKey, get_cred_keydata(v5cred),
get_cred_keylen(v5cred));
atoken.ticketLen = v5cred->ticket.length;
memcpy(atoken.ticket, v5cred->ticket.data, atoken.ticketLen);
}
if ((status = get_user_realm(context, realm_of_user))) {
syslog(LOG_AUTH|LOG_ERR, "LAM aklog: get_user_realm returns %d", status);
return KRB5_REALM_UNKNOWN;
}
if (strcmp(realm_of_user, realm_of_cell)) {
strcat(username, "@");
strcat(username, realm_of_user);
}
strcpy(lastcell, aserver.cell);
/*
* This is a crock, but it is Transarc's crock, so
* we have to play along in order to get the
* functionality. The way the afs id is stored is
* as a string in the username field of the token.
* Contrary to what you may think by looking at
* the code for tokens, this hack (AFS ID %d) will
* not work if you change %d to something else.
*/
#if 0
/* This actually crashes long-running daemons */
if (!pr_Initialize (0, confname, aserver.cell))
status = pr_SNameToId (username, &viceId);
if ((status == 0) && (viceId != ANONYMOUSID))
sprintf (username, "AFS ID %d", (int) viceId);
#else
/*
* This actually only works assuming that your uid and pts space match
* and probably this works only for the local cell anyway.
*/
if ((uid = getuid()) == 0) {
if ((pwd = getpwnam(user)) == NULL) {
syslog(LOG_AUTH|LOG_ERR, "LAM aklog: getpwnam %s failed", user);
return AUTH_FAILURE;
}
}
/* Don't do first-time registration. Handle only the simple case */
if ((status == 0) && (viceId != ANONYMOUSID))
sprintf (username, "AFS ID %d", ((uid==0)?(int)pwd->pw_uid:(int)uid));
#endif
/* Reset the "aclient" structure before we call ktc_SetToken.
* This structure was first set by the ktc_GetToken call when
* we were comparing whether identical tokens already existed.
*/
strncpy(aclient.name, username, MAXKTCNAMELEN - 1);
strcpy(aclient.instance, "");
strncpy(aclient.cell, realm_of_user, MAXKTCREALMLEN - 1);
#ifndef AFS_AIX51_ENV
/* on AIX 4.1.4 with AFS 3.4a+ if a write is not done before
* this routine, it will not add the token. It is not clear what
* is going on here! So we will do the following operation.
* On AIX 5 this kills our parent. So we won't.
*/
write(2,"",0); /* dummy write */
#endif
afssetpag = (getpagvalue("afs") > 0) ? 1 : 0;
if (uid == 0) {
struct sigaction newAction, origAction;
pid_t cid, pcid;
int wstatus;
sigemptyset(&newAction.sa_mask);
newAction.sa_handler = SIG_DFL;
newAction.sa_flags = 0;
status = sigaction(SIGCHLD, &newAction, &origAction);
if (status) {
syslog(LOG_AUTH|LOG_ERR, "LAM aklog: sigaction returned %d", status);
return AUTH_FAILURE;
}
syslog(LOG_AUTH|LOG_DEBUG, "LAM aklog: in daemon? forking to set tokens");
cid = fork();
if (cid <= 0) {
syslog(LOG_AUTH|LOG_DEBUG, "LAM aklog child: setting tokens");
setuid(pwd->pw_uid);
status = ktc_SetToken(&aserver, &atoken, &aclient, afssetpag);
if (status != 0)
syslog(LOG_AUTH|LOG_ERR, "LAM aklog child: set tokens, returning %d", status);
exit((status == 0)?0:255);
} else {
do {
pcid = waitpid(cid, &wstatus, 0);
} while ((pcid == -1) && (errno == EINTR));
if ((pcid == cid) && WIFEXITED(wstatus))
status = WEXITSTATUS(wstatus);
else
status = -1;
}
syslog(LOG_AUTH|LOG_DEBUG, "LAM aklog: collected child status %d", status);
sigaction(SIGCHLD, &origAction, NULL);
} else {
status = ktc_SetToken(&aserver, &atoken, &aclient, afssetpag);
}
if (status != 0)
syslog(LOG_AUTH|LOG_ERR, "LAM aklog: set tokens returned %d", status);
else
syslog(LOG_AUTH|LOG_DEBUG, "LAM aklog: set tokens, pag %d", getpagvalue("afs"));
return(status);
}
/*
* Requires that you already possess a TGT.
*/
afs_int32
ka_GetAFSTicket(char *name, char *instance, char *realm, Date lifetime,
afs_int32 flags)
{
afs_int32 code;
struct ktc_token token;
struct ktc_principal server, client;
code = ka_GetServerToken("afs", "", realm, lifetime, &token, /*new */ 1,
/*dosetpag */ flags);
if (code)
return code;
if (ktc_OldPioctl()) {
int local;
char username[MAXKTCNAMELEN];
afs_int32 viceId;
int len;
char *whoami = "UserAuthenticate: ptserver";
strcpy(server.name, "afs");
strcpy(server.instance, "");
code = ka_ExpandCell(realm, server.cell, &local);
if (code)
return code;
code = pr_Initialize(0, AFSDIR_CLIENT_ETC_DIRPATH, server.cell);
if (code) {
afs_com_err(whoami, code, "initializing ptserver in cell '%s'",
server.cell);
return 0;
}
len = strlen(name);
if (instance[0])
len += strlen(instance) + 1;
if (len >= sizeof(username)) {
fprintf(stderr, "user's name '%s'.'%s' would be too large\n",
name, instance);
return 0;
}
strcpy(username, name);
if (instance[0]) {
strcat(username, ".");
strcat(username, instance);
}
code = pr_SNameToId(username, &viceId);
/* Before going further, shutdown the pr ubik connection */
pr_End();
if ((code == 0) && (viceId == ANONYMOUSID))
code = PRNOENT;
if (code) {
afs_com_err(whoami, code, "translating %s to id", username);
return 0;
}
sprintf(client.name, "AFS ID %d", viceId);
strcpy(client.instance, "");
strcpy(client.cell, server.cell);
code = ktc_SetToken(&server, &token, &client, /*dosetpag */ 0);
if (code)
return code;
}
return code;
}
int
main(int argc, char **argv)
{
register afs_int32 code;
char op[8];
char name[PR_MAXNAMELEN];
afs_int32 id, oid = ANONYMOUSID, gid;
afs_int32 pos;
unsigned int i;
int n;
struct prentry entry;
prlist alist;
idlist lid;
namelist lnames;
struct hostent *hostinfo;
struct in_addr *hostaddr;
afs_int32 *ptr;
char *foo;
afs_int32 over;
char *cell;
#ifdef AFS_AIX32_ENV
/*
* The following signal action for AIX is necessary so that in case of a
* crash (i.e. core is generated) we can include the user's data section
* in the core dump. Unfortunately, by default, only a partial core is
* generated which, in many cases, isn't too useful.
*/
struct sigaction nsa;
sigemptyset(&nsa.sa_mask);
nsa.sa_handler = SIG_DFL;
nsa.sa_flags = SA_FULLDUMP;
sigaction(SIGSEGV, &nsa, NULL);
#endif
whoami = argv[0];
initialize_PT_error_table();
strcpy(confdir, AFSDIR_CLIENT_ETC_DIRPATH);
cell = 0;
n = 1;
while (n < argc) {
int arglen = strlen(argv[n]);
char arg[256];
lcstring(arg, argv[n], sizeof(arg));
#define IsArg(a) (strncmp (arg,a, arglen) == 0)
if (IsArg("-testconfdir"))
strncpy(confdir, argv[++n], sizeof(confdir));
else if (IsArg("client"))
strncpy(confdir, AFSDIR_CLIENT_ETC_DIRPATH, sizeof(confdir));
else if (IsArg("server"))
strncpy(confdir, AFSDIR_SERVER_ETC_DIRPATH, sizeof(confdir));
else if (IsArg("0") || IsArg("1") || IsArg("2"))
security = atoi(argv[n]);
else if (IsArg("-ignoreexist"))
ignoreExist++;
else if (IsArg("-cell"))
cell = argv[++n];
else {
printf
("Usage is: 'prclient [-testconfdir <dir> | server | client] [0 | 1 | 2] [-ignoreExist] [-cell <cellname>]\n");
exit(1);
}
n++;
}
printf("Using CellServDB file in %s\n", confdir);
if (security == 0)
printf("Making unauthenticated connection to prserver\n");
code = pr_Initialize(security, confdir, cell);
if (code) {
afs_com_err(whoami, code, "Couldn't initialize protection library");
exit(1);
}
while (1) {
char *s;
printf("pr> ");
s = fgets(line, sizeof(line), stdin);
if (s == NULL)
break;
lineProgress = 0;
code = GetString(op, sizeof(op));
if (code) {
afs_com_err(whoami, PRBADARG,
"error reading opcode in line '%s', got '%.*s'", line,
sizeof(op), op);
exit(1);
}
if (strlen(op) == 0)
continue; /* no input */
if (!strcmp(op, "cr")) {
if (GetString(name, sizeof(name)) || GetInt32(&id)
|| GetInt32(&oid))
code = PRBADARG;
/* use ubik_Call to do the work, finding an up server and handling
* the job of finding a sync site, if need be */
else
code = ubik_PR_INewEntry(pruclient, 0, name, id, oid);
if (CodeOk(code))
afs_com_err(whoami, code, "on %s %s %d %d", op, name, id, oid);
} else if (!strcmp(op, "sf")) {
afs_int32 mask, access, gq, uq;
if (GetInt32(&id) || GetXInt32(&mask) || GetXInt32(&access)
|| GetInt32(&gq) || GetInt32(&uq))
code = PRBADARG;
else
code =
ubik_PR_SetFieldsEntry(pruclient, 0, id, mask,
access, gq, uq, 0, 0);
if (CodeOk(code))
afs_com_err(whoami, code, "on %s %d %x %x %d %d", op, id, mask,
access, gq, uq);
} else if (!strcmp(op, "ce")) {
char newname[PR_MAXNAMELEN];
afs_int32 newid;
if (GetInt32(&id) || GetString(newname, sizeof(newname))
|| GetInt32(&oid) || GetInt32(&newid))
code = PRBADARG;
else
code =
ubik_PR_ChangeEntry(pruclient, 0, id, newname, oid,
newid);
if (CodeOk(code))
afs_com_err(whoami, code, "on %s %d %s %d %d", op, id, newname,
oid, newid);
} else if (!strcmp(op, "wh")) {
/* scanf("%d",&id); */
if (GetInt32(&id))
code = PRBADARG;
else
code = ubik_PR_WhereIsIt(pruclient, 0, id, &pos);
if (CodeOk(code))
printf("%s\n", pr_ErrorMsg(code));
else
printf("location %d\n", pos);
} else if (!strcmp(op, "du")) {
memset(&entry, 0, sizeof(entry));
/* scanf("%d",&pos); */
if (GetInt32(&pos))
code = PRBADARG;
else
code = ubik_PR_DumpEntry(pruclient, 0, pos, (struct prdebugentry *)&entry);
if (CodeOk(code))
printf("%s\n", pr_ErrorMsg(code));
if (code == PRSUCCESS) {
PrintEntry(pos, &entry, /*indent */ 0);
#if 0
printf("The contents of the entry for %d are:\n", entry.id);
printf("flags %d next %d\n", entry.flags, entry.next);
printf("Groups (or members) \n");
for (i = 0; i < PRSIZE; i++)
printf("%d\n", entry.entries[i]);
printf("nextID %d nextname %d name %s\n", entry.nextID,
entry.nextName, entry.name);
printf("owner %d creator %d\n", entry.owner, entry.creator);
#endif
}
} else if (!strcmp(op, "add") || !strcmp(op, "au")) {
/* scanf("%d %d",&id,&gid); */
if (GetInt32(&id) || GetInt32(&gid))
code = PRBADARG;
else
code = ubik_PR_AddToGroup(pruclient, 0, id, gid);
if (CodeOk(code))
afs_com_err(whoami, code, "on %s %d %d", op, id, gid);
} else if (!strcmp(op, "iton")) {
lid.idlist_val = (afs_int32 *) malloc(20 * sizeof(afs_int32));
ptr = lid.idlist_val;
lid.idlist_len = 0;
foo = line;
skip(&foo);
while ((lid.idlist_len < 20) && (sscanf(foo, "%d", ptr) != EOF)) {
lid.idlist_len++;
skip(&foo);
ptr++;
}
if (*foo) {
fprintf(stderr, "too many values specified; max is %d\n", 20);
}
lnames.namelist_val = 0;
lnames.namelist_len = 0;
code = ubik_PR_IDToName(pruclient, 0, &lid, &lnames);
if (CodeOk(code))
printf("%s\n", pr_ErrorMsg(code));
if (code == PRSUCCESS) {
for (i = 0; i < lnames.namelist_len; i++) {
printf("id %d name %s\n", lid.idlist_val[i],
lnames.namelist_val[i]);
}
free(lnames.namelist_val);
}
free(lid.idlist_val);
lid.idlist_val = 0;
lid.idlist_len = 0;
} else if (!strcmp(op, "ntoi")) {
lnames.namelist_val =
(prname *) malloc(PR_MAXLIST * PR_MAXNAMELEN);
lnames.namelist_len = 0;
foo = line;
skip(&foo);
for (i = 0; ((lnames.namelist_len < PR_MAXLIST)
&& (sscanf(foo, "%s", lnames.namelist_val[i]) !=
EOF)); i++) {
lnames.namelist_len++;
skip(&foo);
}
if (*foo) {
fprintf(stderr, "too many values specified; max is %d\n",
PR_MAXLIST);
}
lid.idlist_val = 0;
lid.idlist_len = 0;
code = ubik_PR_NameToID(pruclient, 0, &lnames, &lid);
if (CodeOk(code))
printf("%s\n", pr_ErrorMsg(code));
if (code == PRSUCCESS) {
for (i = 0; i < lid.idlist_len; i++)
printf("name %s id %d\n", lnames.namelist_val[i],
lid.idlist_val[i]);
free(lid.idlist_val);
}
free(lnames.namelist_val);
lnames.namelist_val = 0;
lnames.namelist_len = 0;
} else if (!strcmp(op, "del")) {
/* scanf("%d",&id); */
if (GetInt32(&id))
code = PRBADARG;
else
code = ubik_PR_Delete(pruclient, 0, id);
if (CodeOk(code))
printf("%s\n", pr_ErrorMsg(code));
} else if (!strcmp(op, "dg")) {
/* scanf("%d",&id); */
if (GetInt32(&id))
code = PRBADARG;
else
code = ubik_PR_Delete(pruclient, 0, id);
if (CodeOk(code))
printf("%s\n", pr_ErrorMsg(code));
} else if (!strcmp(op, "rm")) {
/* scanf("%d %d",&id,&gid); */
if (GetInt32(&id) || GetInt32(&gid))
code = PRBADARG;
else
code = ubik_PR_RemoveFromGroup(pruclient, 0, id, gid);
if (CodeOk(code))
printf("%s\n", pr_ErrorMsg(code));
}
#if defined(SUPERGROUPS)
else if (!strcmp(op, "lsg")) {
alist.prlist_len = 0;
alist.prlist_val = 0;
/* scanf("%d",&id); */
if (GetInt32(&id))
code = PRBADARG;
else
code =
ubik_PR_ListSuperGroups(pruclient, 0, id, &alist,
&over);
if (CodeOk(code))
printf("%s\n", pr_ErrorMsg(code));
if (code == PRSUCCESS) {
ptr = alist.prlist_val;
if (over) {
printf("Number of groups greater than PR_MAXGROUPS!\n");
printf("Excess of %d.\n", over);
}
for (i = 0; i < alist.prlist_len; i++, ptr++)
printf("%d\n", *ptr);
free(alist.prlist_val);
alist.prlist_len = 0;
alist.prlist_val = 0;
}
}
#endif /* SUPERGROUPS */
else if (!strcmp(op, "l")) {
alist.prlist_len = 0;
alist.prlist_val = 0;
/* scanf("%d",&id); */
if (GetInt32(&id))
code = PRBADARG;
else
code = ubik_PR_GetCPS(pruclient, 0, id, &alist, &over);
if (CodeOk(code))
printf("%s\n", pr_ErrorMsg(code));
if (code == PRSUCCESS) {
ptr = alist.prlist_val;
if (over) {
printf("Number of groups greater than PR_MAXGROUPS!\n");
printf("Excess of %d.\n", over);
}
for (i = 0; i < alist.prlist_len; i++, ptr++)
printf("%d\n", *ptr);
free(alist.prlist_val);
alist.prlist_len = 0;
alist.prlist_val = 0;
}
} else if (!strcmp(op, "lh")) {
alist.prlist_len = 0;
alist.prlist_val = 0;
/* scanf("%d",&id); */
if (GetString(name, sizeof(name)))
code = PRBADARG;
else if (!(hostinfo = gethostbyname(name)))
code = PRBADARG;
else {
hostaddr = (struct in_addr *)hostinfo->h_addr_list[0];
id = ntohl(hostaddr->s_addr);
code =
ubik_PR_GetHostCPS(pruclient, 0, id, &alist, &over);
}
if (CodeOk(code))
printf("%s\n", pr_ErrorMsg(code));
if (code == PRSUCCESS) {
ptr = alist.prlist_val;
if (over) {
printf("Number of groups greater than PR_MAXGROUPS!\n");
printf("Excess of %d.\n", over);
}
for (i = 0; i < alist.prlist_len; i++, ptr++)
printf("%d\n", *ptr);
free(alist.prlist_val);
alist.prlist_len = 0;
alist.prlist_val = 0;
}
}
#if defined(SUPERGROUPS)
else if (!strcmp(op, "m")) {
alist.prlist_len = 0;
alist.prlist_val = 0;
/* scanf("%d",&id); */
if (GetInt32(&id))
code = PRBADARG;
else
code =
ubik_PR_ListElements(pruclient, 0, id, &alist,
&over);
if (CodeOk(code))
printf("%s\n", pr_ErrorMsg(code));
if (code == PRSUCCESS) {
ptr = alist.prlist_val;
if (over) {
printf("Number of groups greater than PR_MAXGROUPS!\n");
printf("Excess of %d.\n", over);
}
for (i = 0; i < alist.prlist_len; i++, ptr++)
printf("%d\n", *ptr);
free(alist.prlist_val);
alist.prlist_len = 0;
alist.prlist_val = 0;
}
}
#endif /* SUPERGROUPS */
else if (!strcmp(op, "nu")) {
/* scanf("%s",name); */
if (GetString(name, sizeof(name)))
code = PRBADARG;
else
code = pr_CreateUser(name, &id);
if (CodeOk(code))
printf("%s\n", pr_ErrorMsg(code));
if (code == PRSUCCESS)
printf("Id is %d.\n", id);
} else if (!strcmp(op, "ng")) {
/* scanf("%s",name); */
if (GetString(name, sizeof(name)))
code = PRBADARG;
else
code = ubik_PR_NewEntry(pruclient, 0, name, 1, oid, &id);
if (CodeOk(code))
printf("%s\n", pr_ErrorMsg(code));
if (code == PRSUCCESS)
printf("Id is %d.\n", id);
} else if (!strcmp(op, "lm")) {
code = ubik_PR_ListMax(pruclient, 0, &id, &gid);
if (CodeOk(code))
printf("%s\n", pr_ErrorMsg(code));
if (code == PRSUCCESS)
printf("Max user id is %d, max (really min) group is %d.\n",
id, gid);
} else if (!strcmp(op, "smu")) {
/* scanf("%d",&id); */
if (GetInt32(&id))
code = PRBADARG;
else
code = ubik_PR_SetMax(pruclient, 0, id, 0);
if (CodeOk(code))
printf("%s\n", pr_ErrorMsg(code));
} else if (!strcmp(op, "smg")) {
/* scanf("%d",&id); */
if (GetInt32(&id))
code = PRBADARG;
else
code = ubik_PR_SetMax(pruclient, 0, id, 1);
if (CodeOk(code))
printf("%s\n", pr_ErrorMsg(code));
} else if (!strcmp(op, "sin")) {
/* scanf("%d",&id); */
if (GetInt32(&id))
code = PRBADARG;
else
code = pr_SIdToName(id, name);
if (CodeOk(code))
printf("%s\n", pr_ErrorMsg(code));
if (code == PRSUCCESS)
printf("id %d name %s\n", id, name);
} else if (!strcmp(op, "sni")) {
/* scanf("%s",name); */
if (GetString(name, sizeof(name)))
code = PRBADARG;
else
code = pr_SNameToId(name, &id);
if (CodeOk(code))
printf("%s\n", pr_ErrorMsg(code));
if (code == PRSUCCESS)
printf("name %s id %d\n", name, id);
} else if (!strcmp(op, "fih")) {
char tname[128];
struct PrUpdateEntry uentry;
memset(&uentry, 0, sizeof(uentry));
/* scanf("%s",name); */
if (GetString(name, sizeof(name))) {
code = PRBADARG;
continue;
}
code = pr_SNameToId(name, &id);
if (CodeOk(code)) {
printf("%s\n", pr_ErrorMsg(code));
continue;
}
code = pr_SIdToName(id, tname);
if (code == PRSUCCESS) {
printf
("Warning: Id hash for %s (id %d) seems correct at the db; rehashing it anyway\n",
name, id);
/* continue;*/
}
uentry.Mask = PRUPDATE_IDHASH;
code = ubik_PR_UpdateEntry(pruclient, 0, 0, name, &uentry);
if (code) {
printf("Failed to update entry %s (err=%d)\n", name, code);
continue;
}
} else if (!strcmp(op, "fnh")) {
int tid;
struct PrUpdateEntry uentry;
memset(&uentry, 0, sizeof(uentry));
/* scanf("%d", &id); */
if (GetInt32(&id)) {
code = PRBADARG;
continue;
}
code = pr_SIdToName(id, name);
if (CodeOk(code)) {
printf("%s\n", pr_ErrorMsg(code));
continue;
}
code = pr_SNameToId(name, &tid);
if (code == PRSUCCESS) {
printf
("Name hash for %d (name is %s) seems correct at the db; rehashing it anyway\n",
id, name);
/* continue;*/
}
uentry.Mask = PRUPDATE_NAMEHASH;
code =
ubik_PR_UpdateEntry(pruclient, 0, id, "_foo_", &uentry);
if (code) {
printf("Failed to update entry with id %d (err=%d)\n", id,
code);
continue;
}
}
#if defined(SUPERGROUPS)
else if (!strcmp(op, "fih")) {
char tname[128];
struct PrUpdateEntry uentry;
memset(&uentry, 0, sizeof(uentry));
/* scanf("%s",name); */
if (GetString(name, sizeof(name))) {
code = PRBADARG;
continue;
}
code = pr_SNameToId(name, &id);
if (CodeOk(code)) {
printf("%s\n", pr_ErrorMsg(code));
continue;
}
code = pr_SIdToName(id, tname);
if (code == PRSUCCESS) {
printf
("Warning: Id hash for %s (id %d) seems correct at the db; rehashing it anyway\n",
name, id);
/* continue;*/
}
uentry.Mask = PRUPDATE_IDHASH;
code = ubik_PR_UpdateEntry(pruclient, 0, 0, name, &uentry);
if (code) {
printf("Failed to update entry %s (err=%d)\n", name, code);
continue;
}
} else if (!strcmp(op, "fnh")) {
int tid;
struct PrUpdateEntry uentry;
memset(&uentry, 0, sizeof(uentry));
/* scanf("%d", &id); */
if (GetInt32(&id)) {
code = PRBADARG;
continue;
}
code = pr_SIdToName(id, name);
if (CodeOk(code)) {
printf("%s\n", pr_ErrorMsg(code));
continue;
}
code = pr_SNameToId(name, &tid);
if (code == PRSUCCESS) {
printf
("Name hash for %d (name is %s) seems correct at the db; rehashing it anyway\n",
id, name);
/* continue;*/
}
uentry.Mask = PRUPDATE_NAMEHASH;
code =
ubik_PR_UpdateEntry(pruclient, 0, id, "_foo_", &uentry);
if (code) {
printf("Failed to update entry with id %d (err=%d)\n", id,
code);
continue;
}
}
#endif /* SUPERGROUPS */
else if (!strcmp(op, "?"))
PrintHelp();
else if (!strcmp(op, "q"))
exit(0);
else
printf("Unknown op: '%s'! ? for help\n", op);
}
}
/*
* Log to a cell. If the cell has already been logged to, return without
* doing anything. Otherwise, log to it and mark that it has been logged
* to. */
static int auth_to_cell(char *cell, char *realm)
{
int status = AKLOG_SUCCESS;
char username[BUFSIZ]; /* To hold client username structure */
long viceId; /* AFS uid of user */
char name[ANAME_SZ]; /* Name of afs key */
char instance[INST_SZ]; /* Instance of afs key */
char realm_of_user[REALM_SZ]; /* Kerberos realm of user */
char realm_of_cell[REALM_SZ]; /* Kerberos realm of cell */
char local_cell[MAXCELLCHARS+1];
char cell_to_use[MAXCELLCHARS+1]; /* Cell to authenticate to */
int i,j;
CREDENTIALS c;
struct ktc_principal aserver;
struct ktc_principal aclient;
struct ktc_token atoken, btoken;
/* try to avoid an expensive call to get_cellconfig */
if (cell && ll_string_check(&authedcells, cell))
{
if (dflag)
printf("Already authenticated to %s (or tried to)\n", cell);
return(AKLOG_SUCCESS);
}
memset(name, 0, sizeof(name));
memset(instance, 0, sizeof(instance));
memset(realm_of_user, 0, sizeof(realm_of_user));
memset(realm_of_cell, 0, sizeof(realm_of_cell));
/* NULL or empty cell returns information on local cell */
if (status = get_cellconfig(cell, &ak_cellconfig, local_cell))
return(status);
strncpy(cell_to_use, ak_cellconfig.name, MAXCELLCHARS);
cell_to_use[MAXCELLCHARS] = 0;
if (ll_string_check(&authedcells, cell_to_use))
{
if (dflag)
printf("Already authenticated to %s (or tried to)\n", cell_to_use);
return(AKLOG_SUCCESS);
}
/*
* Record that we have attempted to log to this cell. We do this
* before we try rather than after so that we will not try
* and fail repeatedly for one cell.
*/
(void)ll_add_string(&authedcells, cell_to_use);
if (dflag)
printf("Authenticating to cell %s.\n", cell_to_use);
if (realm && realm[0])
strcpy(realm_of_cell, realm);
else
strcpy(realm_of_cell, afs_realm_of_cell(&ak_cellconfig));
/* We use the afs.<cellname> convention here... */
strcpy(name, AFSKEY);
strncpy(instance, cell_to_use, sizeof(instance));
instance[sizeof(instance)-1] = '\0';
/*
* Extract the session key from the ticket file and hand-frob an
* afs style authenticator.
*/
/*
* Try to obtain AFS tickets. Because there are two valid service
* names, we will try both, but trying the more specific first.
*
* afs.<cell>@<realm>
* afs@<realm>
*/
if (dflag)
printf("Getting tickets: %s.%s@%s\n", name, instance, realm_of_cell);
status = get_cred(name, instance, realm_of_cell, &c);
if (status == KDC_PR_UNKNOWN)
{
if (dflag)
printf("Getting tickets: %s@%s\n", name, realm_of_cell);
status = get_cred(name, "", realm_of_cell, &c);
}
if (status != KSUCCESS)
{
if (dflag)
printf("Kerberos error code returned by get_cred: %d\n", status);
fprintf(stderr, "%s: Couldn't get %s AFS tickets: %s\n",
progname, cell_to_use, krb_err_txt[status]);
return(AKLOG_KERBEROS);
}
strncpy(aserver.name, AFSKEY, MAXKTCNAMELEN - 1);
strncpy(aserver.instance, AFSINST, MAXKTCNAMELEN - 1);
strncpy(aserver.cell, cell_to_use, MAXKTCREALMLEN - 1);
strcpy (username, c.pname);
if (c.pinst[0])
{
strcat(username, ".");
strcat(username, c.pinst);
}
atoken.kvno = c.kvno;
atoken.startTime = c.issue_date;
/* ticket lifetime is in five-minutes blocks. */
atoken.endTime = c.issue_date + ((unsigned char)c.lifetime * 5 * 60);
memcpy(&atoken.sessionKey, c.session, 8);
atoken.ticketLen = c.ticket_st.length;
memcpy(atoken.ticket, c.ticket_st.dat, atoken.ticketLen);
if (!force &&
!ktc_GetToken(&aserver, &btoken, sizeof(btoken), &aclient) &&
atoken.kvno == btoken.kvno &&
atoken.ticketLen == btoken.ticketLen &&
!memcmp(&atoken.sessionKey, &btoken.sessionKey, sizeof(atoken.sessionKey)) &&
!memcmp(atoken.ticket, btoken.ticket, atoken.ticketLen))
{
if (dflag)
printf("Identical tokens already exist; skipping.\n");
return 0;
}
if (noprdb)
{
if (dflag)
printf("Not resolving name %s to id (-noprdb set)\n", username);
}
else
{
if ((status = krb_get_tf_realm(TKT_FILE, realm_of_user)) != KSUCCESS)
{
fprintf(stderr, "%s: Couldn't determine realm of user: %s)",
progname, krb_err_txt[status]);
return(AKLOG_KERBEROS);
}
if (strcmp(realm_of_user, realm_of_cell))
{
strcat(username, "@");
strcat(username, realm_of_user);
}
if (dflag)
printf("About to resolve name %s to id\n", username);
if (!pr_Initialize (0, AFSDIR_CLIENT_ETC_DIRPATH, aserver.cell))
status = pr_SNameToId (username, &viceId);
if (dflag)
{
if (status)
printf("Error %d\n", status);
else
printf("Id %d\n", viceId);
}
/*
* This is a crock, but it is Transarc's crock, so
* we have to play along in order to get the
* functionality. The way the afs id is stored is
* as a string in the username field of the token.
* Contrary to what you may think by looking at
* the code for tokens, this hack (AFS ID %d) will
* not work if you change %d to something else.
*/
if ((status == 0) && (viceId != ANONYMOUSID))
sprintf (username, "AFS ID %d", viceId);
}
if (dflag)
printf("Set username to %s\n", username);
/* Reset the "aclient" structure before we call ktc_SetToken.
* This structure was first set by the ktc_GetToken call when
* we were comparing whether identical tokens already existed.
*/
strncpy(aclient.name, username, MAXKTCNAMELEN - 1);
strcpy(aclient.instance, "");
strncpy(aclient.cell, c.realm, MAXKTCREALMLEN - 1);
if (dflag)
printf("Getting tokens.\n");
if (status = ktc_SetToken(&aserver, &atoken, &aclient, 0))
{
fprintf(stderr,
"%s: unable to obtain tokens for cell %s (status: %d).\n",
progname, cell_to_use, status);
status = AKLOG_TOKEN;
}
return(status);
}
