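/*
 * Install an AFS token on behalf of another account.
 *
 * Used only when this code runs as root (the LAM daemon case): calling
 * ktc_SetToken() directly would attach the token to root's own uid/PAG,
 * so the call is made from a forked child that first setuid()s to
 * `target`.  The child's exit status carries the result back: 0 on
 * success, 255 on any failure.
 *
 * SIGCHLD is reset to SIG_DFL around the fork and restored afterwards;
 * presumably so that waitpid() can collect the child even when the
 * hosting daemon ignores SIGCHLD (which auto-reaps children).
 *
 * Returns 0 on success, -1 if the child could not be collected, 255 if
 * the child reported failure, or AUTH_FAILURE if it could not be started.
 */
static int set_token_as_user(uid_t target, struct ktc_principal *aserver,
                             struct ktc_token *atoken,
                             struct ktc_principal *aclient, int afssetpag)
{
    struct sigaction newAction, origAction;
    pid_t cid, pcid;
    int wstatus, status;

    sigemptyset(&newAction.sa_mask);
    newAction.sa_handler = SIG_DFL;
    newAction.sa_flags = 0;
    if (sigaction(SIGCHLD, &newAction, &origAction) != 0) {
        syslog(LOG_AUTH|LOG_ERR, "LAM aklog: sigaction failed: %s", strerror(errno));
        return AUTH_FAILURE;
    }
    syslog(LOG_AUTH|LOG_DEBUG, "LAM aklog: in daemon? forking to set tokens");

    cid = fork();
    if (cid < 0) {
        /*
         * A failed fork must not be mistaken for "we are the child": that
         * path setuid()s and exits, which would take the daemon down with
         * it.  Fail this one request instead.
         */
        syslog(LOG_AUTH|LOG_ERR, "LAM aklog: fork failed: %s", strerror(errno));
        status = AUTH_FAILURE;
    } else if (cid == 0) {
        syslog(LOG_AUTH|LOG_DEBUG, "LAM aklog child: setting tokens");
        /*
         * Never install the token while still root: if the privilege drop
         * fails, give up rather than hand root's PAG a user token.
         */
        if (setuid(target) != 0) {
            syslog(LOG_AUTH|LOG_ERR, "LAM aklog child: setuid(%d) failed: %s",
                   (int)target, strerror(errno));
            _exit(255);
        }
        status = ktc_SetToken(aserver, atoken, aclient, afssetpag);
        if (status != 0)
            syslog(LOG_AUTH|LOG_ERR, "LAM aklog child: set tokens, returning %d", status);
        /* _exit(): the child must not run the daemon's atexit handlers or
         * flush its inherited stdio buffers a second time. */
        _exit((status == 0) ? 0 : 255);
    } else {
        do {
            pcid = waitpid(cid, &wstatus, 0);
        } while ((pcid == -1) && (errno == EINTR));
        if ((pcid == cid) && WIFEXITED(wstatus))
            status = WEXITSTATUS(wstatus);
        else
            status = -1;
    }
    syslog(LOG_AUTH|LOG_DEBUG, "LAM aklog: collected child status %d", status);
    sigaction(SIGCHLD, &origAction, NULL);
    return status;
}

/*
 * Obtain an AFS token for one cell.
 *
 * Fetches a Kerberos 5 service ticket for the cell's AFS principal
 * (afs/<cell>@<realm> first, afs@<realm> as a fallback) via get_credv5(),
 * packs it into an rxkad "2b" token (the full V5 ticket, kvno
 * RXKAD_TKT_TYPE_KERBEROS_V5) and installs it with ktc_SetToken().
 *
 * Parameters:
 *   context  Kerberos 5 library context.
 *   user     login name the token is for.  It is passed to get_credv5();
 *            when running as root it is additionally resolved with
 *            getpwnam() and the token is installed from a child that has
 *            setuid()'d to that account.
 *   cell     AFS cell name; NULL or "" means the local cell.
 *   realm    Kerberos realm of the AFS service principal; NULL or "" means
 *            derive it from the cell configuration (afs_realm_of_cell).
 *
 * Returns 0 on success.  On failure returns the Kerberos error from
 * get_credv5(), AFSCONF_FAILURE, KRB5_REALM_UNKNOWN or AUTH_FAILURE; every
 * failure is also reported through syslog(LOG_AUTH).
 *
 * Unlike the command-line aklog, this routine keeps no "already logged
 * to" list: every call performs the full lookup.
 */
static int auth_to_cell(krb5_context context, char *user, char *cell, char *realm)
{
    int status = 0;
    char username[BUFSIZ];	/* Client name as stored in the token */

    char name[ANAME_SZ];	/* Name of afs key */
    char primary_instance[INST_SZ];	/* Instance of afs key */
    char secondary_instance[INST_SZ];	/* Backup instance to try */
    int try_secondary = 0;		/* Flag to indicate if we try second */
    char realm_of_user[REALM_SZ]; /* Kerberos realm of user */
    char realm_of_cell[REALM_SZ]; /* Kerberos realm of cell */
    char local_cell[MAXCELLCHARS+1];
    char cell_to_use[MAXCELLCHARS+1]; /* Cell to authenticate to */
    krb5_creds *v5cred = NULL;
    struct ktc_principal aserver;
    struct ktc_principal aclient;
    struct ktc_token atoken;
    int afssetpag = 0, uid = -1;
    struct passwd *pwd = NULL;
    size_t keylen, ulen;
    int n;

    memset(name, 0, sizeof(name));
    memset(primary_instance, 0, sizeof(primary_instance));
    memset(secondary_instance, 0, sizeof(secondary_instance));
    memset(realm_of_user, 0, sizeof(realm_of_user));
    memset(realm_of_cell, 0, sizeof(realm_of_cell));
    memset(username, 0, sizeof(username));
    /* Zeroed up front so every size-1 strncpy below leaves a terminator. */
    memset(&aserver, 0, sizeof(aserver));
    memset(&aclient, 0, sizeof(aclient));
    memset(&atoken, 0, sizeof(atoken));
    syslog(LOG_AUTH|LOG_DEBUG, "LAM aklog starting: user %s uid %d", user, (int)getuid());

    /* NULL or empty cell returns information on local cell */
    if ((status = get_cellconfig(cell, &ak_cellconfig,
                                 local_cell, linkedcell))) {
        syslog(LOG_AUTH|LOG_ERR, "LAM aklog: get_cellconfig returns %d", status);
        return(status);
    }

    strncpy(cell_to_use, ak_cellconfig.name, MAXCELLCHARS);
    cell_to_use[MAXCELLCHARS] = 0;

    /*
     * Find out which realm we're supposed to authenticate to.  A realm
     * supplied by the caller wins; otherwise ask the cell configuration.
     * Either value is copied with a bound: a realm that does not fit is
     * rejected instead of being silently truncated into a different name.
     */
    if (realm && realm[0]) {
        n = snprintf(realm_of_cell, sizeof(realm_of_cell), "%s", realm);
    } else {
        char *afs_realm = afs_realm_of_cell(context, &ak_cellconfig, FALSE);

        if (!afs_realm) {
            syslog(LOG_AUTH|LOG_ERR, "LAM aklog: afs_realm_of_cell failed for cell %s", cell_to_use);
            return AFSCONF_FAILURE;
        }
        n = snprintf(realm_of_cell, sizeof(realm_of_cell), "%s", afs_realm);
    }
    if (n < 0 || (size_t)n >= sizeof(realm_of_cell)) {
        syslog(LOG_AUTH|LOG_ERR, "LAM aklog: realm name for cell %s too long", cell_to_use);
        return KRB5_REALM_UNKNOWN;
    }

    /*
     * Service principal naming.  Doug Engert's original code used
     * "afsx/cell@realm" to avoid a clash with DFS; this code looks for
     *
     *     afs/<cell>@<realm>
     *     afs@<realm>
     *
     * Because sites are transitioning from afs@realm to afs/cell, the
     * instance is always the cell name and the bare afs@<realm> form is
     * tried second.  (An earlier "prefer afs@realm" branch was compiled
     * out with "1 ||" and has been dropped.)  The bare form is only worth
     * trying when the cell and realm are the same name modulo case — the
     * legacy layout where the cell is simply named after its realm.
     */
    snprintf(name, sizeof(name), "%s", AFSKEY);
    strncpy(primary_instance, cell_to_use, sizeof(primary_instance));
    primary_instance[sizeof(primary_instance)-1] = '\0';
    if (strcasecmp(cell_to_use, realm_of_cell) == 0) {
        try_secondary = 1;
        secondary_instance[0] = '\0';
    }

    /*
     * Try to obtain AFS tickets.  Because there are two valid service
     * names, we will try both, but trying the more specific first.
     */
    status = get_credv5(context, user, name, primary_instance, realm_of_cell,
                        &v5cred);

    /*
     * An unknown principal with an empty realm means the cell
     * configuration gave us no realm at all: ask afs_realm_of_cell once
     * more in its fallback mode (third argument TRUE) and retry.
     */
    if ((status == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN ||
            status == KRB5KRB_ERR_GENERIC) && !realm_of_cell[0]) {
        char *afs_realm = afs_realm_of_cell(context, &ak_cellconfig, TRUE);

        if (!afs_realm) {
            syslog(LOG_AUTH|LOG_ERR, "LAM aklog: afs_realm_of_cell (fallback) failed for cell %s", cell_to_use);
            return AFSCONF_FAILURE;
        }

        n = snprintf(realm_of_cell, sizeof(realm_of_cell), "%s", afs_realm);
        if (n < 0 || (size_t)n >= sizeof(realm_of_cell)) {
            syslog(LOG_AUTH|LOG_ERR, "LAM aklog: realm name for cell %s too long", cell_to_use);
            return KRB5_REALM_UNKNOWN;
        }

        if (strcasecmp(cell_to_use, realm_of_cell) == 0) {
            try_secondary = 1;
            secondary_instance[0] = '\0';
        }

        status = get_credv5(context, user, name, primary_instance,
                            realm_of_cell, &v5cred);
    }
    if ((status == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN ||
            status == KRB5KRB_ERR_GENERIC) && try_secondary) {
        status = get_credv5(context, user, name, secondary_instance,
                            realm_of_cell, &v5cred);
    }

    if (status) {
        syslog(LOG_AUTH|LOG_ERR, "LAM aklog: get_credv5 returns %d", status);
        return status;
    }

    /*
     * rxkad "2b" token: the whole V5 ticket goes into the token and the
     * V5 session key becomes the rxkad session key.  Both destinations
     * are fixed-size fields of struct ktc_token and both lengths come
     * from the KDC's reply, so they are checked before the copies; an
     * oversized ticket or key would otherwise overrun atoken on the
     * stack.  A key longer than sessionKey (e.g. a non-DES enctype) cannot
     * be carried by this token format at all.
     */
    keylen = get_cred_keylen(v5cred);
    if (keylen > sizeof(atoken.sessionKey)) {
        syslog(LOG_AUTH|LOG_ERR, "LAM aklog: session key length %lu unsupported for cell %s",
               (unsigned long)keylen, cell_to_use);
        return AUTH_FAILURE;
    }
    if (v5cred->ticket.length > sizeof(atoken.ticket)) {
        syslog(LOG_AUTH|LOG_ERR, "LAM aklog: ticket length %lu too long for cell %s",
               (unsigned long)v5cred->ticket.length, cell_to_use);
        return AUTH_FAILURE;
    }

    {
        char *p;
        int len;

        /*
         * Client name as "primary[.instance]", each component clipped so
         * the whole thing fits MAXKTCNAMELEN.
         */
        len = min(get_princ_len(context, v5cred->client, 0),
                  second_comp(context, v5cred->client) ?
                  MAXKTCNAMELEN - 2 : MAXKTCNAMELEN - 1);
        strncpy(username, get_princ_str(context, v5cred->client, 0), len);
        username[len] = '\0';

        if (second_comp(context, v5cred->client)) {
            strcat(username, ".");
            p = username + strlen(username);
            len = min(get_princ_len(context, v5cred->client, 1),
                      MAXKTCNAMELEN - strlen(username) - 1);
            strncpy(p, get_princ_str(context, v5cred->client, 1), len);
            p[len] = '\0';
        }

        atoken.kvno = RXKAD_TKT_TYPE_KERBEROS_V5;
        atoken.startTime = v5cred->times.starttime;
        atoken.endTime = v5cred->times.endtime;
        memcpy(&atoken.sessionKey, get_cred_keydata(v5cred), keylen);
        atoken.ticketLen = v5cred->ticket.length;
        memcpy(atoken.ticket, v5cred->ticket.data, atoken.ticketLen);
    }

    if ((status = get_user_realm(context, realm_of_user))) {
        syslog(LOG_AUTH|LOG_ERR, "LAM aklog: get_user_realm returns %d", status);
        return KRB5_REALM_UNKNOWN;
    }
    /* Cross-realm user: qualify the name with the user's realm.
     * (Assumes get_user_realm() writes at most REALM_SZ bytes — TODO confirm.) */
    if (strcmp(realm_of_user, realm_of_cell)) {
        ulen = strlen(username);
        snprintf(username + ulen, sizeof(username) - ulen, "@%s", realm_of_user);
    }

    /*
     * This is a crock, but it is Transarc's crock, so we have to play
     * along in order to get the functionality.  The way the afs id is
     * stored is as a string in the username field of the token.  Contrary
     * to what you may think by looking at the code for tokens, this hack
     * (AFS ID %d) will not work if you change %d to something else.
     *
     * The proper source of the id is a pts lookup of the principal name
     * (pr_Initialize + pr_SNameToId); that was found to crash long-running
     * daemons, so this build does not do it.  Instead it assumes the local
     * uid space and the cell's pts space coincide — which can only be true
     * for the local cell — and always writes the uid form.  When running
     * as root we were called from a daemon on behalf of `user`, whose uid
     * comes from the password database; otherwise the caller's own uid is
     * used.  (The previous code compared an uninitialised viceId against
     * ANONYMOUSID here; the outcome is now deterministic.)
     */
    if ((uid = getuid()) == 0) {
        if ((pwd = getpwnam(user)) == NULL) {
            syslog(LOG_AUTH|LOG_ERR, "LAM aklog: getpwnam %s failed", user);
            return AUTH_FAILURE;
        }
    }
    syslog(LOG_AUTH|LOG_DEBUG, "LAM aklog: principal %s mapped to AFS ID %d",
           username, (uid == 0) ? (int)pwd->pw_uid : uid);
    snprintf(username, sizeof(username), "AFS ID %d",
             (uid == 0) ? (int)pwd->pw_uid : uid);

    /*
     * Server and client principals for the token.  Both structures were
     * zeroed above, so the size-1 copies are always NUL-terminated.
     */
    strncpy(aserver.name, AFSKEY, MAXKTCNAMELEN - 1);
    strncpy(aserver.instance, AFSINST, MAXKTCNAMELEN - 1);
    strncpy(aserver.cell, cell_to_use, MAXKTCREALMLEN - 1);
    strncpy(aclient.name, username, MAXKTCNAMELEN - 1);
    aclient.instance[0] = '\0';
    strncpy(aclient.cell, realm_of_user, MAXKTCREALMLEN - 1);

#ifndef AFS_AIX51_ENV
    /* on AIX 4.1.4 with AFS 3.4a+ if a write is not done before
     * this routine, it will not add the token. It is not clear what
     * is going on here! So we will do the following operation.
     * On AIX 5 this kills our parent. So we won't.
     */
    write(2,"",0); /* dummy write */
#endif
    afssetpag = (getpagvalue("afs") > 0) ? 1 : 0;
    if (uid == 0) {
        /* Root (daemon) case: install the token under the user's uid. */
        status = set_token_as_user(pwd->pw_uid, &aserver, &atoken, &aclient,
                                   afssetpag);
    } else {
        status = ktc_SetToken(&aserver, &atoken, &aclient, afssetpag);
    }
    if (status != 0)
        syslog(LOG_AUTH|LOG_ERR, "LAM aklog: set tokens returned %d", status);
    else
        syslog(LOG_AUTH|LOG_DEBUG, "LAM aklog: set tokens, pag %d", getpagvalue("afs"));
    /* NOTE(review): v5cred is never released here; whether get_credv5()
     * hands back an allocation that needs krb5_free_creds() is not visible
     * in this file — confirm against its definition. */
    return(status);
}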
文件: aklog.c 项目: mit-athena/aklog
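/*
 * Log to a cell.  If the cell has already been logged to, return without
 * doing anything.  Otherwise, log to it and mark that it has been logged
 * to.
 *
 * Kerberos 4 variant: gets an afs.<cell>@<realm> (or afs@<realm>) service
 * ticket with get_cred(), builds a ktc_token from it and installs it with
 * ktc_SetToken().  Unless `noprdb` is set, the client name is resolved to
 * a pts id and stored as "AFS ID <n>".
 *
 * Parameters:
 *   cell   AFS cell name; NULL or "" means the local cell (get_cellconfig).
 *   realm  Kerberos realm of the AFS service, or NULL/"" to derive it
 *          from the cell configuration.
 *
 * Returns AKLOG_SUCCESS, AKLOG_KERBEROS (no ticket / unknown user realm),
 * AKLOG_TOKEN (ktc_SetToken failed), or the get_cellconfig() error.
 * `dflag` enables progress output on stdout; `force` disables the
 * "identical token already present" short-cut.
 */
static int auth_to_cell(char *cell, char *realm)
{
  int status = AKLOG_SUCCESS;
  char username[BUFSIZ];	/* To hold client username structure */
  long viceId = ANONYMOUSID;	/* AFS uid of user; ANONYMOUSID until resolved */

  char name[ANAME_SZ];		/* Name of afs key */
  char instance[INST_SZ];	/* Instance of afs key */
  char realm_of_user[REALM_SZ]; /* Kerberos realm of user */
  char realm_of_cell[REALM_SZ]; /* Kerberos realm of cell */
  char local_cell[MAXCELLCHARS+1];
  char cell_to_use[MAXCELLCHARS+1]; /* Cell to authenticate to */
  int n;

  CREDENTIALS c;
  struct ktc_principal aserver;
  struct ktc_principal aclient;
  struct ktc_token atoken, btoken;

  /* try to avoid an expensive call to get_cellconfig */
  if (cell && ll_string_check(&authedcells, cell))
    {
      if (dflag)
	printf("Already authenticated to %s (or tried to)\n", cell);
      return(AKLOG_SUCCESS);
    }

  memset(name, 0, sizeof(name));
  memset(instance, 0, sizeof(instance));
  memset(realm_of_user, 0, sizeof(realm_of_user));
  memset(realm_of_cell, 0, sizeof(realm_of_cell));
  /* Zeroed so the size-1 strncpy calls below always leave a terminator
   * and no uninitialised bytes end up in the token. */
  memset(&aserver, 0, sizeof(aserver));
  memset(&aclient, 0, sizeof(aclient));
  memset(&atoken, 0, sizeof(atoken));
  memset(&btoken, 0, sizeof(btoken));

  /* NULL or empty cell returns information on local cell */
  if ((status = get_cellconfig(cell, &ak_cellconfig, local_cell)))
    return(status);

  strncpy(cell_to_use, ak_cellconfig.name, MAXCELLCHARS);
  cell_to_use[MAXCELLCHARS] = 0;

  if (ll_string_check(&authedcells, cell_to_use))
    {
      if (dflag)
	printf("Already authenticated to %s (or tried to)\n", cell_to_use);
      return(AKLOG_SUCCESS);
    }

  /*
   * Record that we have attempted to log to this cell.  We do this
   * before we try rather than after so that we will not try
   * and fail repeatedly for one cell.
   */
  (void)ll_add_string(&authedcells, cell_to_use);

  if (dflag)
    printf("Authenticating to cell %s.\n", cell_to_use);

  /*
   * Bounded realm copy: an over-long realm is an error, not a silent
   * truncation to some other realm name.
   */
  if (realm && realm[0])
    n = snprintf(realm_of_cell, sizeof(realm_of_cell), "%s", realm);
  else
    n = snprintf(realm_of_cell, sizeof(realm_of_cell), "%s",
		 afs_realm_of_cell(&ak_cellconfig));
  if (n < 0 || (size_t)n >= sizeof(realm_of_cell))
    {
      fprintf(stderr, "%s: realm name for cell %s is too long\n",
	      progname, cell_to_use);
      return(AKLOG_KERBEROS);
    }

  /* We use the afs.<cellname> convention here... */
  strcpy(name, AFSKEY);
  strncpy(instance, cell_to_use, sizeof(instance));
  instance[sizeof(instance)-1] = '\0';

  /*
   * Extract the session key from the ticket file and hand-frob an
   * afs style authenticator.
   */

  /*
   * Try to obtain AFS tickets.  Because there are two valid service
   * names, we will try both, but trying the more specific first.
   *
   * 	afs.<cell>@<realm>
   * 	afs@<realm>
   */
  if (dflag)
    printf("Getting tickets: %s.%s@%s\n", name, instance, realm_of_cell);
  status = get_cred(name, instance, realm_of_cell, &c);
  if (status == KDC_PR_UNKNOWN)
    {
      if (dflag)
	printf("Getting tickets: %s@%s\n", name, realm_of_cell);
      status = get_cred(name, "", realm_of_cell, &c);
    }

  if (status != KSUCCESS)
    {
      if (dflag)
	printf("Kerberos error code returned by get_cred: %d\n", status);
      fprintf(stderr, "%s: Couldn't get %s AFS tickets: %s\n",
	      progname, cell_to_use, krb_err_txt[status]);
      return(AKLOG_KERBEROS);
    }

  strncpy(aserver.name, AFSKEY, MAXKTCNAMELEN - 1);
  strncpy(aserver.instance, AFSINST, MAXKTCNAMELEN - 1);
  strncpy(aserver.cell, cell_to_use, MAXKTCREALMLEN - 1);

  /* Client name as "pname[.pinst]"; both come from the credential. */
  snprintf(username, sizeof(username), "%s", c.pname);
  if (c.pinst[0])
    {
      size_t ulen = strlen(username);
      snprintf(username + ulen, sizeof(username) - ulen, ".%s", c.pinst);
    }

  /* The V4 ticket is at most MAX_KTXT_LEN bytes, which is assumed to fit
   * atoken.ticket — checked anyway since the copy is unbounded otherwise. */
  if (c.ticket_st.length > sizeof(atoken.ticket))
    {
      fprintf(stderr, "%s: %s ticket too long (%d bytes)\n",
	      progname, cell_to_use, (int)c.ticket_st.length);
      return(AKLOG_KERBEROS);
    }

  atoken.kvno = c.kvno;
  atoken.startTime = c.issue_date;
  /* ticket lifetime is in five-minutes blocks. */
  atoken.endTime = c.issue_date + ((unsigned char)c.lifetime * 5 * 60);
  memcpy(&atoken.sessionKey, c.session, 8);
  atoken.ticketLen = c.ticket_st.length;
  memcpy(atoken.ticket, c.ticket_st.dat, atoken.ticketLen);

  /* Skip the (unprivileged but noisy) token reset when the cache manager
   * already holds this exact ticket, unless -force was given. */
  if (!force &&
      !ktc_GetToken(&aserver, &btoken, sizeof(btoken), &aclient) &&
      atoken.kvno == btoken.kvno &&
      atoken.ticketLen == btoken.ticketLen &&
      !memcmp(&atoken.sessionKey, &btoken.sessionKey, sizeof(atoken.sessionKey)) &&
      !memcmp(atoken.ticket, btoken.ticket, atoken.ticketLen))
    {
      if (dflag)
	printf("Identical tokens already exist; skipping.\n");
      return 0;
    }

  if (noprdb)
    {
      if (dflag)
	printf("Not resolving name %s to id (-noprdb set)\n", username);
    }
  else
    {
      if ((status = krb_get_tf_realm(TKT_FILE, realm_of_user)) != KSUCCESS)
	{
	  fprintf(stderr, "%s: Couldn't determine realm of user: %s)",
		  progname, krb_err_txt[status]);
	  return(AKLOG_KERBEROS);
	}
      /* Cross-realm user: pts knows the principal by its qualified name. */
      if (strcmp(realm_of_user, realm_of_cell))
	{
	  size_t ulen = strlen(username);
	  snprintf(username + ulen, sizeof(username) - ulen, "@%s",
		   realm_of_user);
	}

      if (dflag)
	printf("About to resolve name %s to id\n", username);

      /*
       * A failed pr_Initialize used to leave status at 0 (from get_cred)
       * and viceId uninitialised, so a random "AFS ID" could be stored.
       * Carry the pr_Initialize error into status instead so the id form
       * is only used after a successful lookup.
       * NOTE(review): pr_SNameToId is given a long*; whether it expects a
       * 32-bit id type is not visible here — confirm on LP64 platforms.
       */
      status = pr_Initialize (0, AFSDIR_CLIENT_ETC_DIRPATH, aserver.cell);
      if (status == 0)
	status = pr_SNameToId (username, &viceId);

      if (dflag)
	{
	  if (status)
	    printf("Error %d\n", status);
	  else
	    printf("Id %ld\n", viceId);
	}

      /*
       * This is a crock, but it is Transarc's crock, so
       * we have to play along in order to get the
       * functionality.  The way the afs id is stored is
       * as a string in the username field of the token.
       * Contrary to what you may think by looking at
       * the code for tokens, this hack (AFS ID %d) will
       * not work if you change %d to something else.
       */
      if ((status == 0) && (viceId != ANONYMOUSID))
	snprintf (username, sizeof(username), "AFS ID %d", (int) viceId);
    }

  if (dflag)
    printf("Set username to %s\n", username);

  /* Reset the "aclient" structure before we call ktc_SetToken.
   * This structure was first set by the ktc_GetToken call when
   * we were comparing whether identical tokens already existed.
   * aclient was zeroed at entry, so a clipped name stays terminated.
   */
  strncpy(aclient.name, username, MAXKTCNAMELEN - 1);
  strcpy(aclient.instance, "");
  strncpy(aclient.cell, c.realm, MAXKTCREALMLEN - 1);

  if (dflag)
    printf("Getting tokens.\n");
  if ((status = ktc_SetToken(&aserver, &atoken, &aclient, 0)))
    {
      fprintf(stderr,
	      "%s: unable to obtain tokens for cell %s (status: %d).\n",
	      progname, cell_to_use, status);
      status = AKLOG_TOKEN;
    }

  return(status);
}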
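/*
 * Bounded realm copy.  Returns 0 on success, -1 when `src` does not fit
 * `dstsz`; dst is then left empty rather than holding a truncated (i.e.
 * different) realm name.  `src` must be non-NULL.
 */
static int copy_realm(char *dst, size_t dstsz, const char *src)
{
    int n = snprintf(dst, dstsz, "%s", src);

    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/*
 * Log to a cell.  If the cell has already been logged to, return without
 * doing anything.  Otherwise, log to it and mark that it has been logged
 * to.
 *
 * Parameters:
 *   context  Kerberos 5 context; used when `usev5` is set.
 *   cell     AFS cell name; NULL or "" means the local cell.  If the cell
 *            configuration names a linked cell, the whole procedure is
 *            repeated for it (the linkedCell: loop at the end).
 *   realm    explicit Kerberos realm of the AFS service, or NULL/"" to
 *            derive it (with the realm_fallback / retry sequence below).
 *
 * Returns AKLOG_SUCCESS, AKLOG_KERBEROS (no ticket / unknown user realm),
 * AKLOG_TOKEN (ktc_SetToken failed), AKLOG_MISC (unsupported
 * configuration or oversized credential), or the get_cellconfig() error.
 * Errors go to stderr; `dflag` enables progress output on stdout.
 */
static int auth_to_cell(krb5_context context, char *cell, char *realm)
{
    int status = AKLOG_SUCCESS;
    char username[BUFSIZ];	  /* To hold client username structure */

    char name[ANAME_SZ];	  /* Name of afs key */
    char instance[INST_SZ];	  /* Instance of afs key */
    char realm_of_user[REALM_SZ]; /* Kerberos realm of user */
    char realm_of_cell[REALM_SZ]; /* Kerberos realm of cell */
    char local_cell[MAXCELLCHARS+1];
    char cell_to_use[MAXCELLCHARS+1]; /* Cell to authenticate to */

    krb5_creds *v5cred = NULL;
#ifdef HAVE_KRB4
    CREDENTIALS c;
#endif
    struct ktc_principal aserver;
    struct ktc_principal aclient;
    struct ktc_token atoken, btoken;
    struct afsconf_cell ak_cellconfig; /* General information about the cell */
    int i;
    int getLinkedCell = 0;

    /* try to avoid an expensive call to get_cellconfig */
    if (cell && ll_string_check(&authedcells, cell))
    {
        if (dflag)
            printf("Already authenticated to %s (or tried to)\n", cell);
        return(AKLOG_SUCCESS);
    }

    memset(name, 0, sizeof(name));
    memset(instance, 0, sizeof(instance));
    memset(realm_of_user, 0, sizeof(realm_of_user));
    memset(realm_of_cell, 0, sizeof(realm_of_cell));
    memset(&ak_cellconfig, 0, sizeof(ak_cellconfig));
    /* Zeroed so the size-1 strncpy calls always leave a terminator and
     * no stack garbage reaches the cache manager inside the token. */
    memset(&aserver, 0, sizeof(aserver));
    memset(&aclient, 0, sizeof(aclient));
    memset(&atoken, 0, sizeof(atoken));
    memset(&btoken, 0, sizeof(btoken));

    /* NULL or empty cell returns information on local cell */
    if ((status = get_cellconfig(cell, &ak_cellconfig, local_cell)))
        return(status);

  linkedCell:
    if (getLinkedCell)
        strncpy(cell_to_use, ak_cellconfig.linkedCell, MAXCELLCHARS);
    else
        strncpy(cell_to_use, ak_cellconfig.name, MAXCELLCHARS);
    cell_to_use[MAXCELLCHARS] = 0;

    if (ll_string_check(&authedcells, cell_to_use))
    {
        if (dflag)
            printf("Already authenticated to %s (or tried to)\n", cell_to_use);
        status = AKLOG_SUCCESS;
        goto done2;
    }

    /*
     * Record that we have attempted to log to this cell.  We do this
     * before we try rather than after so that we will not try
     * and fail repeatedly for one cell.
     */
    (void)ll_add_string(&authedcells, cell_to_use);

    if (dflag)
        printf("Authenticating to cell %s.\n", cell_to_use);

    /* We use the afs.<cellname> convention here... */
    strcpy(name, AFSKEY);
    strncpy(instance, cell_to_use, sizeof(instance));
    instance[sizeof(instance)-1] = '\0';

    /*
     * Extract the session key from the ticket file and hand-frob an
     * afs style authenticator.
     */

    if (usev5) 
    { /* using krb5 */
        int retry = 1;
	int realm_fallback = 0;

        if ((status = get_v5_user_realm(context, realm_of_user)) != KSUCCESS) {
            char * msg;
            
            if (pkrb5_get_error_message)
                msg = pkrb5_get_error_message(context, status);
            else
                msg = (char *)error_message(status);
            fprintf(stderr, "%s: Couldn't determine realm of user: %s\n",
                     progname, msg);
            if (pkrb5_free_error_message)
                pkrb5_free_error_message(context, msg);
            status = AKLOG_KERBEROS;
            goto done;
        }

        if ( strchr(name,'.') != NULL ) {
            fprintf(stderr, "%s: Can't support principal names including a dot.\n",
                    progname);
            status = AKLOG_MISC;
            goto done;
        }

        /*
         * Realm search order when none was given: the user's own realm
         * once (retry == 1), then the realm the cell configuration yields
         * (afs_realm_of_cell5, first without and then with its fallback
         * mode), then afs@<realm> without an instance.  A
         * KRB5KRB_AP_ERR_MSG_TYPE reply restarts the sequence once with
         * retry cleared.  Every realm is copied with a bound; an
         * over-long realm aborts with AKLOG_MISC instead of being clipped.
         */
      try_v5:
	if (realm && realm[0]) {
            if (copy_realm(realm_of_cell, sizeof(realm_of_cell), realm)) {
                fprintf(stderr, "%s: realm name %s is too long\n", progname, realm);
                status = AKLOG_MISC;
                goto done;
            }
            if (dflag)
                printf("Getting v5 tickets: %s/%s@%s\n", name, instance, realm);
            status = get_v5cred(context, name, instance, realm, 
#ifdef HAVE_KRB4
                            use524 ? &c : NULL, 
#else
                            NULL,
#endif
                            &v5cred);
        } else {
            if (copy_realm(realm_of_cell, sizeof(realm_of_cell),
                           afs_realm_of_cell5(context, &ak_cellconfig, realm_fallback))) {
                fprintf(stderr, "%s: realm name for cell %s is too long\n",
                        progname, cell_to_use);
                status = AKLOG_MISC;
                goto done;
            }

            if (retry == 1 && realm_fallback == 0) {
                /* Only try the realm_of_user once */
                if (dflag)
                    printf("Getting v5 tickets: %s/%s@%s\n", name, instance, realm_of_user);
                status = get_v5cred(context, name, instance, realm_of_user, 
#ifdef HAVE_KRB4
                                     use524 ? &c : NULL, 
#else
                                     NULL,
#endif
                                     &v5cred);
                if (status == 0) {
                    /* we have determined that the client realm 
                     * is a valid cell realm
                     */
                    if (copy_realm(realm_of_cell, sizeof(realm_of_cell), realm_of_user)) {
                        fprintf(stderr, "%s: realm name %s is too long\n",
                                progname, realm_of_user);
                        status = AKLOG_MISC;
                        goto done;
                    }
                }
            }

            if (status != 0 && (!retry || retry && strcmp(realm_of_user,realm_of_cell))) {
                if (dflag)
                    printf("Getting v5 tickets: %s/%s@%s\n", name, instance, realm_of_cell);
                status = get_v5cred(context, name, instance, realm_of_cell, 
#ifdef HAVE_KRB4
                                     use524 ? &c : NULL, 
#else
                                     NULL,
#endif
                                     &v5cred);
                if (!status && !strlen(realm_of_cell)) 
                    copy_realm_of_ticket(context, realm_of_cell, sizeof(realm_of_cell), v5cred);
            }
        }

	if (!realm_fallback && status == KRB5_ERR_HOST_REALM_UNKNOWN) {
	    realm_fallback = 1;
	    goto try_v5;
	} else if (status == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) {
	    if (!realm_fallback && !realm_of_cell[0]) {
		realm_fallback = 1;
		goto try_v5;
	    }
            if (dflag)
                printf("Getting v5 tickets: %s@%s\n", name, realm_of_cell);
            status = get_v5cred(context, name, "", realm_of_cell, 
#ifdef HAVE_KRB4
                                use524 ? &c : NULL, 
#else
                                NULL,
#endif
                                &v5cred);
            if (!status && !strlen(realm_of_cell)) 
                copy_realm_of_ticket(context, realm_of_cell, sizeof(realm_of_cell), v5cred);
	}
     
        if ( status == KRB5KRB_AP_ERR_MSG_TYPE && retry ) {
            retry = 0;
	    realm_fallback = 0;
            goto try_v5;
        }       
    }       
    else 
    {
#ifdef HAVE_KRB4
	if (realm && realm[0]) {
	    if (copy_realm(realm_of_cell, sizeof(realm_of_cell), realm)) {
		fprintf(stderr, "%s: realm name %s is too long\n", progname, realm);
		status = AKLOG_MISC;
		goto done;
	    }
	} else {
	    if (copy_realm(realm_of_cell, sizeof(realm_of_cell),
			   afs_realm_of_cell(&ak_cellconfig))) {
		fprintf(stderr, "%s: realm name for cell %s is too long\n",
			progname, cell_to_use);
		status = AKLOG_MISC;
		goto done;
	    }
	}

	/*
         * Try to obtain AFS tickets.  Because there are two valid service
         * names, we will try both, but trying the more specific first.
         *
         * 	afs.<cell>@<realm>
         * 	afs@<realm>
         */
        if (dflag)
            printf("Getting tickets: %s.%s@%s\n", name, instance, realm_of_cell);
        status = get_cred(name, instance, realm_of_cell, &c);
        if (status == KDC_PR_UNKNOWN)
        {
            if (dflag)
                printf("Getting tickets: %s@%s\n", name, realm_of_cell);
            status = get_cred(name, "", realm_of_cell, &c);
        }
#else
        status = AKLOG_MISC;
        goto done;
#endif
    } 

    if (status != KSUCCESS)
    {
        char * msg = NULL;
        if (dflag)
            printf("Kerberos error code returned by get_cred: %d\n", status);

        if (usev5) {
            if (pkrb5_get_error_message)
                msg = pkrb5_get_error_message(context, status);
            else
                msg = (char *)error_message(status);
        }
#ifdef HAVE_KRB4
        else
            msg = krb_err_text(status);
#endif
        fprintf(stderr, "%s: Couldn't get %s AFS tickets: %s\n",
                 progname, cell_to_use, msg?msg:"(unknown error)");
        if (usev5 && pkrb5_free_error_message)
            pkrb5_free_error_message(context, msg);
        status = AKLOG_KERBEROS;
        goto done;
    }

    strncpy(aserver.name, AFSKEY, MAXKTCNAMELEN - 1);
    strncpy(aserver.instance, AFSINST, MAXKTCNAMELEN - 1);
    strncpy(aserver.cell, cell_to_use, MAXKTCREALMLEN - 1);

    if (usev5 && !use524) {
        /* This code inserts the entire K5 ticket into the token
         * No need to perform a krb524 translation which is
         * commented out in the code below
         */
        char * p;
        int len;

        /*
         * Both the session key and the ticket land in fixed-size fields
         * of struct ktc_token, and both lengths come from the KDC reply:
         * check them before the copies or an oversized reply overruns
         * atoken on the stack.  A key wider than sessionKey (a non-DES
         * enctype) cannot be carried by this token format at all.
         */
        if (v5cred->keyblock.length > sizeof(atoken.sessionKey)) {
            fprintf(stderr, "%s: %u-byte session key does not fit an AFS token for cell %s\n",
                    progname, (unsigned)v5cred->keyblock.length, cell_to_use);
            status = AKLOG_MISC;
            goto done;
        }
        if (v5cred->ticket.length > sizeof(atoken.ticket)) {
            fprintf(stderr, "%s: ticket for cell %s too long (%u bytes)\n",
                    progname, cell_to_use, (unsigned)v5cred->ticket.length);
            status = AKLOG_MISC;
            goto done;
        }
        
        len = min(v5cred->client->data[0].length,MAXKTCNAMELEN - 1);
        strncpy(username, v5cred->client->data[0].data, len);
        username[len] = '\0';

        if ( v5cred->client->length > 1 ) {
            strcat(username, ".");
            p = username + strlen(username);
            len = min(v5cred->client->data[1].length, (unsigned int)(MAXKTCNAMELEN - strlen(username) - 1));
            strncpy(p, v5cred->client->data[1].data, len);
            p[len] = '\0';
        }

        memset(&atoken, '\0', sizeof(atoken));
        atoken.kvno = RXKAD_TKT_TYPE_KERBEROS_V5;
        atoken.startTime = v5cred->times.starttime;
        atoken.endTime = v5cred->times.endtime;
        memcpy(&atoken.sessionKey, v5cred->keyblock.contents, v5cred->keyblock.length);
        atoken.ticketLen = v5cred->ticket.length;
        memcpy(atoken.ticket, v5cred->ticket.data, atoken.ticketLen);
    } else {
#ifdef HAVE_KRB4
        if (c.ticket_st.length > sizeof(atoken.ticket)) {
            fprintf(stderr, "%s: ticket for cell %s too long (%u bytes)\n",
                    progname, cell_to_use, (unsigned)c.ticket_st.length);
            status = AKLOG_MISC;
            goto done;
        }

        strcpy (username, c.pname);
        if (c.pinst[0])
        {
            strcat(username, ".");
            strcat(username, c.pinst);
        }

        atoken.kvno = c.kvno;
        atoken.startTime = c.issue_date;
        /* ticket lifetime is in five-minutes blocks. */
        atoken.endTime = c.issue_date + ((unsigned char)c.lifetime * 5 * 60);

        memcpy(&atoken.sessionKey, c.session, 8);
        atoken.ticketLen = c.ticket_st.length;
        memcpy(atoken.ticket, c.ticket_st.dat, atoken.ticketLen);
#else
        status = AKLOG_MISC;
        goto done;
#endif
    }

    /* Skip the token reset when the cache manager already holds this
     * exact ticket, unless -force was given. */
    if (!force &&
         !ktc_GetToken(&aserver, &btoken, sizeof(btoken), &aclient) &&
         atoken.kvno == btoken.kvno &&
         atoken.ticketLen == btoken.ticketLen &&
         !memcmp(&atoken.sessionKey, &btoken.sessionKey, sizeof(atoken.sessionKey)) &&
         !memcmp(atoken.ticket, btoken.ticket, atoken.ticketLen))
    {       
        if (dflag)
            printf("Identical tokens already exist; skipping.\n");
        status = AKLOG_SUCCESS;
        goto done2;
    }

    if (noprdb)
    {
        if (dflag)
            printf("Not resolving name %s to id (-noprdb set)\n", username);
    }       
    else    
    {
        if (!usev5) {
#ifdef HAVE_KRB4
            if ((status = krb_get_tf_realm(TKT_FILE, realm_of_user)) != KSUCCESS)
            {
                fprintf(stderr, "%s: Couldn't determine realm of user: %s)",
                         progname, krb_err_text(status));
                status = AKLOG_KERBEROS;
                goto done;
            }
#else
            status = AKLOG_MISC;
            goto done;
#endif
        }

        /* For Network Identity Manager append the realm to the name */
        strcat(username, "@");
        strcat(username, realm_of_user);

        ViceIDToUsername(username, realm_of_user, realm_of_cell, cell_to_use, 
#ifdef HAVE_KRB4
                          &c, 
#else
                          NULL,
#endif
                          &status, &aclient, &aserver, &atoken);
    }

    if (dflag)
        printf("Set username to %s\n", username);

    /* Reset the "aclient" structure before we call ktc_SetToken.
     * This structure was first set by the ktc_GetToken call when
     * we were comparing whether identical tokens already existed.
     */
    strncpy(aclient.name, username, MAXKTCNAMELEN - 1);
    strcpy(aclient.instance, "");
    
    if (usev5 && !use524) {
        /* aclient.cell is MAXKTCREALMLEN wide, not MAXKTCNAMELEN; bound
         * the copy by the field itself. */
        int len = min(v5cred->client->realm.length, sizeof(aclient.cell) - 1);
        strncpy(aclient.cell, v5cred->client->realm.data, len);
        aclient.cell[len] = '\0';
    } 
#ifdef HAVE_KRB4
    else
	strncpy(aclient.cell, c.realm, MAXKTCREALMLEN - 1);
#endif

    /* <ctype.h> takes unsigned char values; a plain char may be negative. */
    for ( i=0; aclient.cell[i]; i++ ) {
        if ( islower((unsigned char)aclient.cell[i]) )
            aclient.cell[i] = (char)toupper((unsigned char)aclient.cell[i]);
    }

    if (dflag)
        printf("Getting tokens.\n");
    if ((status = ktc_SetToken(&aserver, &atoken, &aclient, 0)))
    {
        afs_com_err(progname, status,
                     "while obtaining tokens for cell %s\n",
                     cell_to_use);
        status = AKLOG_TOKEN;
    }

  done2:
    if (ak_cellconfig.linkedCell && !getLinkedCell) {
        getLinkedCell = 1;
        goto linkedCell;
    }

  done:
#if 0
    /* 
     * intentionally leak the linkedCell field because it was allocated
     * using a different C RTL version.
     */
    if (ak_cellconfig.linkedCell)
        free(ak_cellconfig.linkedCell);
#endif
    /* NOTE(review): v5cred is also never released; whether get_v5cred()
     * returns an allocation that needs freeing is not visible here. */
    return(status);
}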
int
Leash_afs_klog(
    char *service,
    char *cell,
    char *realm,
    int LifeTime
    )
{
/////#ifdef NO_AFS
#if defined(NO_AFS) || defined(NO_KRB4)
    return(0);
#else
    long	rc;
////This is defined in krb.h:
    CREDENTIALS	creds;
    KTEXT_ST	ticket;
    struct ktc_principal	aserver;
    struct ktc_principal	aclient;
    char	realm_of_user[REALM_SZ]; /* Kerberos realm of user */
    char	realm_of_cell[REALM_SZ]; /* Kerberos realm of cell */
    char	local_cell[MAXCELLCHARS+1];
    char	Dmycell[MAXCELLCHARS+1];
    struct ktc_token	atoken;
    struct ktc_token	btoken;
    afsconf_cell	ak_cellconfig; /* General information about the cell */
    char	RealmName[128];
    char	CellName[128];
    char	ServiceName[128];
    DWORD       CurrentState;
    char        HostName[64];
    BOOL        try_krb5 = 0;
    int         retry = 0;
    int         len;
#ifndef NO_KRB5
    krb5_context  context = 0;
    krb5_ccache  _krb425_ccache = 0;
    krb5_creds increds;
    krb5_creds * k5creds = 0;
    krb5_error_code r;
    krb5_principal client_principal = 0;
    krb5_flags		flags = 0;
#endif /* NO_KRB5 */

    if (!AfsAvailable || GetAfsStatus(&AfsOnLine) && !AfsOnLine)
        return(0);

    if ( !realm ) realm = "";
    if ( !cell )  cell = "";
    if ( !service ) service = "";

    CurrentState = 0;
    memset(HostName, '\0', sizeof(HostName));
    gethostname(HostName, sizeof(HostName));
    if (GetServiceStatus(HostName, TRANSARCAFSDAEMON, &CurrentState) != NOERROR)
        return(0);
    if (CurrentState != SERVICE_RUNNING)
        return(0);

    memset(RealmName, '\0', sizeof(RealmName));
    memset(CellName, '\0', sizeof(CellName));
    memset(ServiceName, '\0', sizeof(ServiceName));
    memset(realm_of_user, '\0', sizeof(realm_of_user));
    memset(realm_of_cell, '\0', sizeof(realm_of_cell));
    memset(Dmycell, '\0', sizeof(Dmycell));

    // NULL or empty cell returns information on local cell
    if (cell && cell[0])
        strcpy(Dmycell, cell);
    rc = get_cellconfig(Dmycell, &ak_cellconfig, local_cell);
    if (rc && cell && cell[0]) {
        memset(Dmycell, '\0', sizeof(Dmycell));
        rc = get_cellconfig(Dmycell, &ak_cellconfig, local_cell);
    }
    if (rc)
        return(rc);

#ifndef NO_KRB5
    if (!(r = Leash_krb5_initialize(&context, &_krb425_ccache))) {
        int i;

        memset((char *)&increds, 0, sizeof(increds));

        (*pkrb5_cc_get_principal)(context, _krb425_ccache, &client_principal);
        i = krb5_princ_realm(context, client_principal)->length;
        if (i > REALM_SZ-1)
            i = REALM_SZ-1;
        strncpy(realm_of_user,krb5_princ_realm(context, client_principal)->data,i);
        realm_of_user[i] = 0;
        try_krb5 = 1;
    }
#endif /* NO_KRB5 */

#ifndef NO_KRB4
    if ( !try_krb5 || !realm_of_user[0] ) {
        if ((rc = (*pkrb_get_tf_realm)((*ptkt_string)(), realm_of_user)) != KSUCCESS)
        {
            return(rc);
        }
    }
#endif
    strcpy(realm_of_cell, afs_realm_of_cell(&ak_cellconfig));

    if (strlen(service) == 0)
        strcpy(ServiceName, "afs");
    else
        strcpy(ServiceName, service);

    if (strlen(cell) == 0)
        strcpy(CellName, local_cell);
    else
        strcpy(CellName, cell);

    if (strlen(realm) == 0)
        strcpy(RealmName, realm_of_cell);
    else
        strcpy(RealmName, realm);

    memset(&creds, '\0', sizeof(creds));

#ifndef NO_KRB5
    if ( try_krb5 ) {
        /* First try Service/Cell@REALM */
        if (r = (*pkrb5_build_principal)(context, &increds.server,
                                      strlen(RealmName),
                                      RealmName,
                                      ServiceName,
                                      CellName,
                                      0))
        {
            try_krb5 = 0;
            goto use_krb4;
        }

        increds.client = client_principal;
        increds.times.endtime = 0;
        /* Ask for DES since that is what V4 understands */
        increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC;

#ifdef KRB5_TC_NOTICKET
        flags = 0;
        r = pkrb5_cc_set_flags(context, _krb425_ccache, flags);
#endif
        if (r == 0)
            r = pkrb5_get_credentials(context, 0, _krb425_ccache, &increds, &k5creds);
        if (r == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN ||
			r == KRB5KRB_ERR_GENERIC /* Heimdal */) {
            /* Next try Service@REALM */
            pkrb5_free_principal(context, increds.server);
            r = pkrb5_build_principal(context, &increds.server,
                                      strlen(RealmName),
                                      RealmName,
                                      ServiceName,
                                      0);
            if (r == 0)
                r = pkrb5_get_credentials(context, 0, _krb425_ccache, &increds, &k5creds);
        }

        pkrb5_free_principal(context, increds.server);
        pkrb5_free_principal(context, client_principal);
#ifdef KRB5_TC_NOTICKET
        flags = KRB5_TC_NOTICKET;
        pkrb5_cc_set_flags(context, _krb425_ccache, flags);
#endif
        (void) pkrb5_cc_close(context, _krb425_ccache);
        _krb425_ccache = 0;

        if (r || k5creds == 0) {
            pkrb5_free_context(context);
            try_krb5 = 0;
            goto use_krb4;
        }

        /* This code inserts the entire K5 ticket into the token
         * No need to perform a krb524 translation which is
         * commented out in the code below
         */
        if ( use_krb524() || k5creds->ticket.length > MAXKTCTICKETLEN )
            goto try_krb524d;

        memset(&aserver, '\0', sizeof(aserver));
        strncpy(aserver.name, ServiceName, MAXKTCNAMELEN - 1);
        strncpy(aserver.cell, CellName, MAXKTCREALMLEN - 1);

        memset(&atoken, '\0', sizeof(atoken));
        atoken.kvno = RXKAD_TKT_TYPE_KERBEROS_V5;
        atoken.startTime = k5creds->times.starttime;
        atoken.endTime = k5creds->times.endtime;
        memcpy(&atoken.sessionKey, k5creds->keyblock.contents, k5creds->keyblock.length);
        atoken.ticketLen = k5creds->ticket.length;
        memcpy(atoken.ticket, k5creds->ticket.data, atoken.ticketLen);

      retry_gettoken5:
        rc = ktc_GetToken(&aserver, &btoken, sizeof(btoken), &aclient);
        if (rc != 0 && rc != KTC_NOENT && rc != KTC_NOCELL) {
            if ( rc == KTC_NOCM && retry < 20 ) {
                Sleep(500);
                retry++;
                goto retry_gettoken5;
            }
            goto try_krb524d;
        }

        if (atoken.kvno == btoken.kvno &&
             atoken.ticketLen == btoken.ticketLen &&
             !memcmp(&atoken.sessionKey, &btoken.sessionKey, sizeof(atoken.sessionKey)) &&
             !memcmp(atoken.ticket, btoken.ticket, atoken.ticketLen))
        {
            /* Success */
            pkrb5_free_creds(context, k5creds);
            pkrb5_free_context(context);
            return(0);
        }

        // * Reset the "aclient" structure before we call ktc_SetToken.
        // * This structure was first set by the ktc_GetToken call when
        // * we were comparing whether identical tokens already existed.

        len = min(k5creds->client->data[0].length,MAXKTCNAMELEN - 1);
        strncpy(aclient.name, k5creds->client->data[0].data, len);
        aclient.name[len] = '\0';

        if ( k5creds->client->length > 1 ) {
            char * p;
            strcat(aclient.name, ".");
            p = aclient.name + strlen(aclient.name);
            len = min(k5creds->client->data[1].length,MAXKTCNAMELEN - strlen(aclient.name) - 1);
            strncpy(p, k5creds->client->data[1].data, len);
            p[len] = '\0';
        }
        aclient.instance[0] = '\0';

        strcpy(aclient.cell, realm_of_cell);

        len = min(k5creds->client->realm.length,strlen(realm_of_cell));
        if ( strncmp(realm_of_cell, k5creds->client->realm.data, len) ) {
            char * p;
            strcat(aclient.name, "@");
            p = aclient.name + strlen(aclient.name);
            len = min(k5creds->client->realm.length,MAXKTCNAMELEN - strlen(aclient.name) - 1);
            strncpy(p, k5creds->client->realm.data, len);
            p[len] = '\0';
        }

        rc = ktc_SetToken(&aserver, &atoken, &aclient, 0);
        if (!rc) {
            /* Success */
            pkrb5_free_creds(context, k5creds);
            pkrb5_free_context(context);
            return(0);
        }

      try_krb524d:
        /* This requires krb524d to be running with the KDC */
        r = pkrb524_convert_creds_kdc(context, k5creds, &creds);
        pkrb5_free_creds(context, k5creds);
		pkrb5_free_context(context);
        if (r) {
            try_krb5 = 0;
            goto use_krb4;
        }
        rc = KSUCCESS;
    } else
#endif /* NO_KRB5 */
    {
      use_krb4:
	rc = KFAILURE;
    }
    if (rc != KSUCCESS)
    {
            return(rc);
    }

	memset(&aserver, '\0', sizeof(aserver));
    strncpy(aserver.name, ServiceName, MAXKTCNAMELEN - 1);
    strncpy(aserver.cell, CellName, MAXKTCNAMELEN - 1);

    memset(&atoken, '\0', sizeof(atoken));
    atoken.kvno = creds.kvno;
    atoken.startTime = creds.issue_date;
    atoken.endTime = (*pkrb_life_to_time)(creds.issue_date,creds.lifetime);
    memcpy(&atoken.sessionKey, creds.session, 8);
    atoken.ticketLen = creds.ticket_st.length;
    memcpy(atoken.ticket, creds.ticket_st.dat, atoken.ticketLen);

    if (!(rc = ktc_GetToken(&aserver, &btoken, sizeof(btoken), &aclient)) &&
        atoken.kvno == btoken.kvno &&
        atoken.ticketLen == btoken.ticketLen &&
        !memcmp(&atoken.sessionKey, &btoken.sessionKey, sizeof(atoken.sessionKey)) &&
        !memcmp(atoken.ticket, btoken.ticket, atoken.ticketLen))
    {
        return(0);
    }

    // * Reset the "aclient" structure before we call ktc_SetToken.
    // * This structure was first set by the ktc_GetToken call when
    // * we were comparing whether identical tokens already existed.

    strncpy(aclient.name, creds.pname, MAXKTCNAMELEN - 1);
    aclient.name[MAXKTCNAMELEN - 1] = '\0';
    if (creds.pinst[0])
    {
        strncat(aclient.name, ".", MAXKTCNAMELEN - 1 - strlen(aclient.name));
        aclient.name[MAXKTCNAMELEN - 1] = '\0';
        strncat(aclient.name, creds.pinst, MAXKTCNAMELEN - 1 - strlen(aclient.name));
        aclient.name[MAXKTCNAMELEN - 1] = '\0';
    }
    strcpy(aclient.instance, "");

    if ( strcmp(realm_of_cell, creds.realm) )
    {
        strncat(aclient.name, "@", MAXKTCNAMELEN - 1 - strlen(aclient.name));
        aclient.name[MAXKTCNAMELEN - 1] = '\0';
        strncat(aclient.name, creds.realm, MAXKTCNAMELEN - 1 - strlen(aclient.name));
        aclient.name[MAXKTCNAMELEN - 1] = '\0';
    }
    aclient.name[MAXKTCNAMELEN-1] = '\0';

    strcpy(aclient.cell, CellName);

    // * NOTE: On WIN32, the order of SetToken params changed...
    // * to   ktc_SetToken(&aserver, &aclient, &atoken, 0)
    // * from ktc_SetToken(&aserver, &atoken, &aclient, 0) on Unix...
    // * The afscompat ktc_SetToken provides the Unix order

    if (rc = ktc_SetToken(&aserver, &atoken, &aclient, 0))
    {
        Leash_afs_error(rc, "ktc_SetToken()");
        return(rc);
    }

    return(0);
#endif
}