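/* Construct a host-based principal, similar to krb5_sname_to_principal() but
 * with a specified realm.
 *
 *   context    library context
 *   hostname   host component; NULL means "use the local host's name"
 *   sname      service component (must not be NULL)
 *   realm      realm component (must not be NULL)
 *   princ_out  set to the new principal on success, NULL on any failure
 *
 * Returns 0 on success, SOCKET_ERRNO if gethostname() fails, or the error
 * from krb5_expand_hostname() / krb5_build_principal(). */
krb5_error_code
sn2princ_realm(krb5_context context, const char *hostname, const char *sname,
               const char *realm, krb5_principal *princ_out)
{
    krb5_error_code ret;
    char *canonhost, localname[MAXHOSTNAMELEN];

    *princ_out = NULL;
    assert(sname != NULL && realm != NULL);

    /* If hostname is NULL, use the local hostname. */
    if (hostname == NULL) {
        if (gethostname(localname, sizeof(localname)) != 0)
            return SOCKET_ERRNO;
        /* gethostname() is not required to NUL-terminate a name that was
         * truncated to fit the buffer, so terminate it explicitly before
         * treating it as a C string. */
        localname[sizeof(localname) - 1] = '\0';
        hostname = localname;
    }

    ret = krb5_expand_hostname(context, hostname, &canonhost);
    if (ret)
        return ret;

    /* Component list is variadic and NULL-terminated; the cast keeps the
     * sentinel pointer-sized on every platform. */
    ret = krb5_build_principal(context, princ_out, strlen(realm), realm, sname,
                               canonhost, (char *)NULL);
    krb5_free_string(context, canonhost);
    if (!ret)
        (*princ_out)->type = KRB5_NT_SRV_HST;
    return ret;
}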
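/*
 * Run HOST through krb5_expand_hostname() and krb5_expand_hostname_realms(),
 * printing each result (and the realm list) when debug_flag is set.
 *
 * Either expansion failing is fatal: krb5_err() reports the error and exits
 * with status 1.  Otherwise returns 0.
 */
static int
expand_hostname(krb5_context context, const char *host)
{
    krb5_error_code ret;
    char *h, **r;

    ret = krb5_expand_hostname(context, host, &h);
    if (ret)
	krb5_err(context, 1, ret, "krb5_expand_hostname(%s)", host);

    if (debug_flag)
	printf("hostname: %s -> %s\n", host, h);

    /* h must stay alive until after it has been printed above; freeing it
     * first would make the printf() a use-after-free. */
    free(h);

    ret = krb5_expand_hostname_realms(context, host, &h, &r);
    if (ret)
	krb5_err(context, 1, ret, "krb5_expand_hostname_realms(%s)", host);

    if (debug_flag) {
	int j;

	printf("hostname: %s -> %s\n", host, h);
	/* r is a NULL-terminated array of realm strings. */
	for (j = 0; r[j]; j++) {
	    printf("\trealm: %s\n", r[j]);
	}
    }
    free(h);
    krb5_free_host_realm(context, r);

    return 0;
}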
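/*
 * Function: add_admin_princs
 *
 * Purpose: create admin principals
 *
 * Arguments:
 *
 *      handle          (input) kadm5 server handle passed to add_admin_princ
 *      context         (input) krb5 library context
 *      realm           (input) realm, or NULL for default realm
 *      <return value>  (output) 0 for success, otherwise an errno value
 *                      (gethostname/asprintf failure) or the error code
 *                      returned by krb5_expand_hostname or add_admin_princ
 *
 * Requires:
 *
 * Effects:
 *
 * add_admin_princs creates, in order, kadmin/<canonical local hostname>,
 * KADM5_ADMIN_SERVICE, KADM5_CHANGEPW_SERVICE and
 * kiprop/<canonical local hostname>, stopping at the first failure.
 * Each principal is created via add_admin_princ(); per the original
 * author's notes, if any of these exist a message is printed, and if
 * an existing principal does not have the proper attributes a warning
 * message is printed.
 */
static int add_admin_princs(void *handle, krb5_context context, char *realm)
{
    krb5_error_code ret = 0;
    char *service_name = NULL, *kiprop_name = NULL, *canonhost = NULL;
    char localname[MAXHOSTNAMELEN];

    if (gethostname(localname, sizeof(localname))) {
        ret = errno;             /* capture before perror() can clobber it */
        perror("gethostname");
        goto clean_and_exit;
    }
    /* gethostname() need not NUL-terminate a truncated name; terminate it
     * before handing it to krb5_expand_hostname() as a C string. */
    localname[sizeof(localname) - 1] = '\0';

    ret = krb5_expand_hostname(context, localname, &canonhost);
    if (ret) {
        com_err(progname, ret, _("while canonicalizing local hostname"));
        goto clean_and_exit;
    }
    if (asprintf(&service_name, "kadmin/%s", canonhost) < 0) {
        ret = ENOMEM;
        fprintf(stderr, _("Out of memory\n"));
        goto clean_and_exit;
    }
    if (asprintf(&kiprop_name, "kiprop/%s", canonhost) < 0) {
        ret = ENOMEM;
        fprintf(stderr, _("Out of memory\n"));
        goto clean_and_exit;
    }

    /* Service principals are restricted so they cannot be obtained via a
     * TGT and their keys are locked down against extraction. */
    if ((ret = add_admin_princ(handle, context,
                               service_name, realm,
                               KRB5_KDB_DISALLOW_TGT_BASED |
                               KRB5_KDB_LOCKDOWN_KEYS,
                               ADMIN_LIFETIME)))
        goto clean_and_exit;

    if ((ret = add_admin_princ(handle, context,
                               KADM5_ADMIN_SERVICE, realm,
                               KRB5_KDB_DISALLOW_TGT_BASED |
                               KRB5_KDB_LOCKDOWN_KEYS,
                               ADMIN_LIFETIME)))
        goto clean_and_exit;

    /* The password-change service additionally carries the PWCHANGE_SERVICE
     * attribute and its own ticket lifetime. */
    if ((ret = add_admin_princ(handle, context,
                               KADM5_CHANGEPW_SERVICE, realm,
                               KRB5_KDB_DISALLOW_TGT_BASED |
                               KRB5_KDB_PWCHANGE_SERVICE |
                               KRB5_KDB_LOCKDOWN_KEYS,
                               CHANGEPW_LIFETIME)))
        goto clean_and_exit;

    /* kiprop principal gets no special attributes and no lifetime override. */
    ret = add_admin_princ(handle, context, kiprop_name, realm, 0, 0);

clean_and_exit:
    /* canonhost was allocated by the krb5 library, the names by asprintf();
     * all three frees tolerate NULL, so every exit path is safe. */
    krb5_free_string(context, canonhost);
    free(service_name);
    free(kiprop_name);

    return ret;
}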