static int get_cellconfig(char *cell, struct afsconf_cell *cellconfig, char *local_cell, char *linkedcell)
{
int status = 0;
struct afsconf_dir *configdir;
memset(local_cell, 0, sizeof(local_cell));
memset(cellconfig, 0, sizeof(*cellconfig));
if (!(configdir = afsconf_Open(AFSDIR_CLIENT_ETC_DIRPATH))) {
return AFSCONF_NODB;
}
if (afsconf_GetLocalCell(configdir, local_cell, MAXCELLCHARS)) {
return AFSCONF_FAILURE;
}
if ((cell == NULL) || (cell[0] == 0))
cell = local_cell;
linkedcell[0] = '\0';
if (afsconf_GetCellInfo(configdir, cell, NULL, cellconfig)) {
status = AFSCONF_NOTFOUND;
}
if (cellconfig->linkedCell)
strncpy(linkedcell,cellconfig->linkedCell,MAXCELLCHARS);
(void) afsconf_Close(configdir);
return(status);
}
/*!
* Pick a security class to use for an outgoing connection
*
* This function selects an RX security class to use for an outgoing
* connection, based on the set of security flags provided.
*
* @param[in] dir
* The configuration directory structure for this cell. If NULL,
* no classes requiring local configuration will be returned.
* @param[in] flags
* A set of flags to determine the properties of the security class which
* is selected
* - AFSCONF_SECOPTS_NOAUTH - return an anonymous secirty class
* - AFSCONF_SECOPTS_LOCALAUTH - use classes which have local key
* material available.
* - AFSCONF_SECOPTS_ALWAYSENCRYPT - use classes in encrypting, rather
* than authentication or integrity modes.
* - AFSCONF_SECOPTS_FALLBACK_NULL - if no suitable class can be found,
* then fallback to the rxnull security class.
* @param[in] info
* The cell information structure for the current cell. If this is NULL,
* then use a version locally obtained using the cellName.
* @param[in] cellName
* The cellName to use when obtaining cell information (may be NULL if
* info is specified)
* @param[out] sc
* The selected security class
* @param[out] scIndex
* The index of the selected security class
* @param[out] expires
* The expiry time of the tokens used to construct the class. Will be
* NEVER_DATE if the class has an unlimited lifetime. If NULL, the
* function won't store the expiry date.
*
* @return
* Returns 0 on success, or a com_err error code on failure.
*/
afs_int32
afsconf_PickClientSecObj(struct afsconf_dir *dir, afsconf_secflags flags,
struct afsconf_cell *info,
char *cellName, struct rx_securityClass **sc,
afs_int32 *scIndex, time_t *expires) {
struct afsconf_cell localInfo;
afs_int32 code = 0;
*sc = NULL;
*scIndex = RX_SECIDX_NULL;
if (expires)
expires = 0;
if ( !(flags & AFSCONF_SECOPTS_NOAUTH) ) {
if (!dir)
return AFSCONF_NOCELLDB;
if (flags & AFSCONF_SECOPTS_LOCALAUTH) {
code = afsconf_GetLatestKey(dir, 0, 0);
if (code)
goto out;
if (flags & AFSCONF_SECOPTS_ALWAYSENCRYPT)
code = afsconf_ClientAuthSecure(dir, sc, scIndex);
else
code = afsconf_ClientAuth(dir, sc, scIndex);
if (code)
goto out;
if (expires)
*expires = NEVERDATE;
} else {
if (info == NULL) {
code = afsconf_GetCellInfo(dir, cellName, NULL, &localInfo);
if (code)
goto out;
info = &localInfo;
}
code = afsconf_ClientAuthToken(info, flags, sc, scIndex, expires);
if (code && !(flags & AFSCONF_SECOPTS_FALLBACK_NULL))
goto out;
/* If we didn't get a token, we'll just run anonymously */
code = 0;
}
}
if (*sc == NULL) {
*sc = rxnull_NewClientSecurityObject();
*scIndex = RX_SECIDX_NULL;
if (expires)
*expires = NEVERDATE;
}
out:
return code;
}
static int
_GetCellInfo(char *cell, struct afsconf_cell *celldata)
{
int code;
if (confdir == NULL)
confdir = afsconf_Open(AFSCONF_CLIENTNAME);
if (confdir == NULL) {
return AFSCONF_NODB;
}
code = afsconf_GetCellInfo(confdir, cell, AFSCONF_VLDBSERVICE, celldata);
return code;
}
static int
internal_client_init_dir(const char *confDir, char *cellName, int secFlags,
struct ubik_client **uclientp,
int (*secproc) (struct rx_securityClass *, afs_int32),
afs_int32 maxservers, char *serviceid, afs_int32 deadtime,
afs_uint32 server, afs_uint32 port, afs_int32 usrvid)
{
int code;
const char *progname;
struct afsconf_dir *dir;
struct afsconf_cell info;
progname = getprogname();
if (progname == NULL)
progname = "<unknown>";
if (confDir == NULL)
confDir = AFSDIR_CLIENT_ETC_DIRPATH;
dir = afsconf_Open(confDir);
if (!dir) {
fprintf(stderr,
"%s: Could not process files in configuration directory (%s).\n",
progname, confDir);
return EIO;
}
if (cellName == NULL)
cellName = dir->cellName;
code = afsconf_GetCellInfo(dir, cellName, serviceid, &info);
if (code) {
fprintf(stderr, "%s: can't find cell %s's hosts in %s/%s\n",
progname?progname:"<unknown>", cellName, confDir,
AFSDIR_CELLSERVDB_FILE);
afsconf_Close(dir);
return code;
}
code = internal_client_init(dir, &info, secFlags, uclientp, secproc,
maxservers, serviceid, deadtime, server,
port, usrvid);
afsconf_Close(dir);
return code;
}
int
afsconf_GetExtendedCellInfo(struct afsconf_dir *adir, char *acellName,
char *aservice, struct afsconf_cell *acellInfo,
char clones[])
{
afs_int32 code;
int i;
code = afsconf_GetCellInfo(adir, acellName, aservice, acellInfo);
if (code)
return code;
for (i = 0; i < acellInfo->numServers; i++) {
clones[i] = acellInfo->clone[i];
}
return code;
}
int
unlog_NormalizeCellNames(char **list, int size)
{
char *newCellName;
unsigned index;
struct afsconf_dir *conf;
int code;
struct afsconf_cell cellinfo;
if (!(conf = afsconf_Open(AFSDIR_CLIENT_ETC_DIRPATH))) {
fprintf(stderr, "Cannot get cell configuration info!\n");
exit(1);
}
for (index = 0; index < size; index++, list++) {
newCellName = malloc(MAXKTCREALMLEN);
if (!newCellName) {
perror("unlog_NormalizeCellNames --- malloc failed");
exit(1);
}
lcstring(newCellName, *list, MAXKTCREALMLEN);
code = afsconf_GetCellInfo(conf, newCellName, 0, &cellinfo);
if (code) {
if (code == AFSCONF_NOTFOUND) {
fprintf(stderr, "Unrecognized cell name %s\n", newCellName);
} else {
fprintf(stderr,
"unlog_NormalizeCellNames - afsconf_GetCellInfo");
fprintf(stderr, " failed, code = %d\n", code);
}
exit(1);
}
strcpy(newCellName, cellinfo.name);
*list = newCellName;
}
afsconf_Close(conf);
return 0;
}
int
afsconf_GetExtendedCellInfo(struct afsconf_dir *adir, char *acellName,
char *aservice, struct afsconf_cell *acellInfo,
char clones[])
{
afs_int32 code;
char *cell;
code = afsconf_GetCellInfo(adir, acellName, aservice, acellInfo);
if (code)
return code;
if (acellName)
cell = acellName;
else
cell = (char *)&acellInfo->name;
code = afsconf_OpenInternal(adir, cell, clones);
return code;
}
static int get_cellconfig(char *cell, struct afsconf_cell *cellconfig,
char *local_cell)
{
int status = AKLOG_SUCCESS;
struct afsconf_dir *configdir;
memset(local_cell, 0, sizeof(local_cell));
memset(cellconfig, 0, sizeof(*cellconfig));
if (!(configdir = afsconf_Open(AFSDIR_CLIENT_ETC_DIRPATH)))
{
fprintf(stderr, "%s: can't get afs configuration (afsconf_Open(%s))\n",
progname, AFSDIR_CLIENT_ETC_DIRPATH);
exit(AKLOG_AFS);
}
if (afsconf_GetLocalCell(configdir, local_cell, MAXCELLCHARS))
{
fprintf(stderr, "%s: can't determine local cell.\n", progname);
exit(AKLOG_AFS);
}
if ((cell == NULL) || (cell[0] == 0))
cell = local_cell;
if (afsconf_GetCellInfo(configdir, cell, NULL, cellconfig))
{
fprintf(stderr, "%s: Can't get information about cell %s.\n",
progname, cell);
status = AKLOG_AFS;
}
(void) afsconf_Close(configdir);
return(status);
}
afs_int32
pr_Initialize(IN afs_int32 secLevel, IN const char *confDir, IN char *cell)
{
afs_int32 code;
struct rx_connection *serverconns[MAXSERVERS];
struct rx_securityClass *sc = NULL;
static struct afsconf_dir *tdir = (struct afsconf_dir *)NULL; /* only do this once */
static char tconfDir[100] = "";
static char tcell[64] = "";
afs_int32 scIndex;
afs_int32 secFlags;
static struct afsconf_cell info;
afs_int32 i;
#if !defined(UKERNEL)
char cellstr[64];
#endif
afs_int32 gottdir = 0;
afs_int32 refresh = 0;
initialize_PT_error_table();
initialize_RXK_error_table();
initialize_ACFG_error_table();
initialize_KTC_error_table();
#if defined(UKERNEL)
if (!cell) {
cell = afs_LclCellName;
}
#else /* defined(UKERNEL) */
if (!cell) {
if (!tdir)
tdir = afsconf_Open(confDir);
if (!tdir) {
if (confDir && strcmp(confDir, ""))
fprintf(stderr,
"%s: Could not open configuration directory: %s.\n",
whoami, confDir);
else
fprintf(stderr,
"%s: No configuration directory specified.\n",
whoami);
return -1;
}
gottdir = 1;
code = afsconf_GetLocalCell(tdir, cellstr, sizeof(cellstr));
if (code) {
fprintf(stderr,
"libprot: Could not get local cell. [%d]\n", code);
return code;
}
cell = cellstr;
}
#endif /* defined(UKERNEL) */
if (tdir == NULL || strcmp(confDir, tconfDir) || strcmp(cell, tcell)) {
/*
* force re-evaluation. we either don't have an afsconf_dir,
* the directory has changed or the cell has changed.
*/
if (tdir && !gottdir) {
afsconf_Close(tdir);
tdir = (struct afsconf_dir *)NULL;
}
pruclient = (struct ubik_client *)NULL;
refresh = 1;
}
if (refresh) {
strncpy(tconfDir, confDir, sizeof(tconfDir));
strncpy(tcell, cell, sizeof(tcell));
#if defined(UKERNEL)
tdir = afs_cdir;
#else /* defined(UKERNEL) */
if (!gottdir)
tdir = afsconf_Open(confDir);
if (!tdir) {
if (confDir && strcmp(confDir, ""))
fprintf(stderr,
"libprot: Could not open configuration directory: %s.\n",
confDir);
else
fprintf(stderr,
"libprot: No configuration directory specified.\n");
return -1;
}
#endif /* defined(UKERNEL) */
code = afsconf_GetCellInfo(tdir, cell, "afsprot", &info);
if (code) {
fprintf(stderr, "libprot: Could not locate cell %s in %s/%s\n",
cell, confDir, AFSDIR_CELLSERVDB_FILE);
return code;
}
}
/* If we already have a client and it is at the security level we
* want, don't get a new one. Unless the security level is 2 in
* which case we will get one (and re-read the key file).
*/
if (pruclient && (lastLevel == secLevel) && (secLevel != 2)) {
return 0;
}
code = rx_Init(0);
if (code) {
fprintf(stderr, "libprot: Could not initialize rx.\n");
return code;
}
/* Most callers use secLevel==1, however, the fileserver uses secLevel==2
* to force use of the KeyFile. secLevel == 0 implies -noauth was
* specified. */
if (secLevel == 2) {
code = afsconf_GetLatestKey(tdir, 0, 0);
if (code) {
afs_com_err(whoami, code, "(getting key from local KeyFile)\n");
} else {
/* If secLevel is two assume we're on a file server and use
* ClientAuthSecure if possible. */
code = afsconf_ClientAuthSecure(tdir, &sc, &scIndex);
if (code)
afs_com_err(whoami, code, "(calling client secure)\n");
}
} else if (secLevel > 0) {
secFlags = 0;
if (secLevel > 1)
secFlags |= AFSCONF_SECOPTS_ALWAYSENCRYPT;
code = afsconf_ClientAuthToken(&info, secFlags, &sc, &scIndex, NULL);
if (code) {
afs_com_err(whoami, code, "(getting token)");
if (secLevel > 1)
return code;
}
}
if (sc == NULL) {
sc = rxnull_NewClientSecurityObject();
scIndex = RX_SECIDX_NULL;
}
if ((scIndex == RX_SECIDX_NULL) && (secLevel != 0))
fprintf(stderr,
"%s: Could not get afs tokens, running unauthenticated\n",
whoami);
memset(serverconns, 0, sizeof(serverconns)); /* terminate list!!! */
for (i = 0; i < info.numServers; i++)
serverconns[i] =
rx_NewConnection(info.hostAddr[i].sin_addr.s_addr,
info.hostAddr[i].sin_port, PRSRV, sc,
scIndex);
code = ubik_ClientInit(serverconns, &pruclient);
if (code) {
afs_com_err(whoami, code, "ubik client init failed.");
return code;
}
lastLevel = scIndex;
code = rxs_Release(sc);
return code;
}
/*!
* \brief Get the appropriate type of ubik client structure out from the system.
*/
afs_int32
ugen_ClientInit(int noAuthFlag, const char *confDir, char *cellName, afs_int32 sauth,
struct ubik_client **uclientp,
int (*secproc) (struct rx_securityClass *, afs_int32),
char *funcName, afs_int32 gen_rxkad_level,
afs_int32 maxservers, char *serviceid, afs_int32 deadtime,
afs_uint32 server, afs_uint32 port, afs_int32 usrvid)
{
afs_int32 code, secFlags, i;
afs_int32 scIndex;
struct afsconf_cell info;
struct afsconf_dir *tdir;
struct rx_securityClass *sc;
/* This must change if VLDB_MAXSERVERS becomes larger than MAXSERVERS */
static struct rx_connection *serverconns[MAXSERVERS];
code = rx_Init(0);
if (code) {
fprintf(stderr, "%s: could not initialize rx.\n", funcName);
return code;
}
rx_SetRxDeadTime(deadtime);
secFlags = AFSCONF_SECOPTS_FALLBACK_NULL;
if (sauth) {
secFlags |= AFSCONF_SECOPTS_LOCALAUTH;
confDir = AFSDIR_SERVER_ETC_DIRPATH;
} else {
if (confDir == NULL)
confDir = AFSDIR_CLIENT_ETC_DIRPATH;
}
if (noAuthFlag) {
secFlags |= AFSCONF_SECOPTS_NOAUTH;
}
tdir = afsconf_Open(confDir);
if (!tdir) {
fprintf(stderr,
"%s: Could not process files in configuration directory (%s).\n",
funcName, confDir);
return -1;
}
if (sauth)
cellName = tdir->cellName;
code = afsconf_GetCellInfo(tdir, cellName, serviceid, &info);
if (code) {
afsconf_Close(tdir);
fprintf(stderr, "%s: can't find cell %s's hosts in %s/%s\n",
funcName, cellName, confDir, AFSDIR_CELLSERVDB_FILE);
return -1;
}
code = afsconf_PickClientSecObj(tdir, secFlags, &info, cellName, &sc,
&scIndex, NULL);
if (code) {
fprintf(stderr, "%s: can't create client security object", funcName);
return -1;
}
if (scIndex == RX_SECIDX_NULL && !noAuthFlag) {
fprintf(stderr,
"%s: Could not get afs tokens, running unauthenticated.\n",
funcName);
}
afsconf_Close(tdir);
if (secproc) /* tell UV module about default authentication */
(*secproc) (sc, scIndex);
if (server) {
serverconns[0] = rx_NewConnection(server, port,
usrvid, sc, scIndex);
} else {
if (info.numServers > maxservers) {
fprintf(stderr,
"%s: info.numServers=%d (> maxservers=%d)\n",
funcName, info.numServers, maxservers);
return -1;
}
for (i = 0; i < info.numServers; i++) {
if (!info.hostAddr[i].sin_port && port)
info.hostAddr[i].sin_port = port;
serverconns[i] =
rx_NewConnection(info.hostAddr[i].sin_addr.s_addr,
info.hostAddr[i].sin_port, usrvid,
sc, scIndex);
}
}
/* Are we just setting up connections, or is this really ubik stuff? */
if (uclientp) {
*uclientp = 0;
code = ubik_ClientInit(serverconns, uclientp);
if (code) {
fprintf(stderr, "%s: ubik client init failed.\n", funcName);
return code;
}
}
return 0;
}
static int
CommandProc(struct cmd_syndesc *as, void *arock)
{
krb5_principal princ = 0;
char *cell, *pname, **hrealms, *service;
char service_temp[MAXKTCREALMLEN + 20];
krb5_creds incred[1], mcred[1], *outcred = 0, *afscred;
krb5_ccache cc = 0;
#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
krb5_get_init_creds_opt *gic_opts;
#else
krb5_get_init_creds_opt gic_opts[1];
#endif
char *tofree = NULL, *outname;
int code;
char *what;
int i, dosetpag, evil, noprdb, id;
#ifdef AFS_RXK5
int authtype;
#endif
krb5_data enc_part[1];
krb5_prompter_fct pf = NULL;
char *pass = 0;
void *pa = 0;
struct kp_arg klog_arg[1];
char passwd[BUFSIZ];
struct afsconf_cell cellconfig[1];
static char rn[] = "klog"; /*Routine name */
static int Pipe = 0; /* reading from a pipe */
static int Silent = 0; /* Don't want error messages */
int writeTicketFile = 0; /* write ticket file to /tmp */
service = 0;
memset(incred, 0, sizeof *incred);
/* blow away command line arguments */
for (i = 1; i < zero_argc; i++)
memset(zero_argv[i], 0, strlen(zero_argv[i]));
zero_argc = 0;
memset(klog_arg, 0, sizeof *klog_arg);
/* first determine quiet flag based on -silent switch */
Silent = (as->parms[aSILENT].items ? 1 : 0);
if (Silent) {
afs_set_com_err_hook(silent_errors);
}
if ((code = krb5_init_context(&k5context))) {
afs_com_err(rn, code, "while initializing Kerberos 5 library");
KLOGEXIT(code);
}
if ((code = rx_Init(0))) {
afs_com_err(rn, code, "while initializing rx");
KLOGEXIT(code);
}
initialize_U_error_table();
/*initialize_krb5_error_table();*/
initialize_RXK_error_table();
initialize_KTC_error_table();
initialize_ACFG_error_table();
/* initialize_rx_error_table(); */
if (!(tdir = afsconf_Open(AFSDIR_CLIENT_ETC_DIRPATH))) {
afs_com_err(rn, 0, "can't get afs configuration (afsconf_Open(%s))",
AFSDIR_CLIENT_ETC_DIRPATH);
KLOGEXIT(1);
}
/*
* Enable DES enctypes, which are currently still required for AFS.
* krb5_allow_weak_crypto is MIT Kerberos 1.8. krb5_enctype_enable is
* Heimdal.
*/
#if defined(HAVE_KRB5_ENCTYPE_ENABLE)
i = krb5_enctype_valid(k5context, ETYPE_DES_CBC_CRC);
if (i)
krb5_enctype_enable(k5context, ETYPE_DES_CBC_CRC);
#elif defined(HAVE_KRB5_ALLOW_WEAK_CRYPTO)
krb5_allow_weak_crypto(k5context, 1);
#endif
/* Parse remaining arguments. */
dosetpag = !! as->parms[aSETPAG].items;
Pipe = !! as->parms[aPIPE].items;
writeTicketFile = !! as->parms[aTMP].items;
noprdb = !! as->parms[aNOPRDB].items;
evil = (always_evil&1) || !! as->parms[aUNWRAP].items;
#ifdef AFS_RXK5
authtype = 0;
if (as->parms[aK5].items)
authtype |= FORCE_RXK5;
if (as->parms[aK4].items)
authtype |= FORCE_RXKAD;
if (!authtype)
authtype |= env_afs_rxk5_default();
#endif
cell = as->parms[aCELL].items ? as->parms[aCELL].items->data : 0;
if ((code = afsconf_GetCellInfo(tdir, cell, "afsprot", cellconfig))) {
if (cell)
afs_com_err(rn, code, "Can't get cell information for '%s'", cell);
else
afs_com_err(rn, code, "Can't get determine local cell!");
KLOGEXIT(code);
}
if (as->parms[aKRBREALM].items) {
code = krb5_set_default_realm(k5context,
as->parms[aKRBREALM].items->data);
if (code) {
afs_com_err(rn, code, "Can't make <%s> the default realm",
as->parms[aKRBREALM].items->data);
KLOGEXIT(code);
}
}
else if ((code = krb5_get_host_realm(k5context, cellconfig->hostName[0], &hrealms))) {
afs_com_err(rn, code, "Can't get realm for host <%s> in cell <%s>\n",
cellconfig->hostName[0], cellconfig->name);
KLOGEXIT(code);
} else {
if (hrealms && *hrealms) {
code = krb5_set_default_realm(k5context,
*hrealms);
if (code) {
afs_com_err(rn, code, "Can't make <%s> the default realm",
*hrealms);
KLOGEXIT(code);
}
}
if (hrealms) krb5_free_host_realm(k5context, hrealms);
}
id = getuid();
if (as->parms[aPRINCIPAL].items) {
pname = as->parms[aPRINCIPAL].items->data;
} else {
/* No explicit name provided: use Unix uid. */
struct passwd *pw;
pw = getpwuid(id);
if (pw == 0) {
afs_com_err(rn, 0,
"Can't figure out your name from your user id (%d).", id);
if (!Silent)
fprintf(stderr, "%s: Try providing the user name.\n", rn);
KLOGEXIT(1);
}
pname = pw->pw_name;
}
code = krb5_parse_name(k5context, pname, &princ);
if (code) {
afs_com_err(rn, code, "Can't parse principal <%s>", pname);
KLOGEXIT(code);
}
if (as->parms[aPASSWORD].items) {
/*
* Current argument is the desired password string. Remember it in
* our local buffer, and zero out the argument string - anyone can
* see it there with ps!
*/
strncpy(passwd, as->parms[aPASSWORD].items->data, sizeof(passwd));
memset(as->parms[aPASSWORD].items->data, 0,
strlen(as->parms[aPASSWORD].items->data));
pass = passwd;
}
/* Get the password if it wasn't provided. */
if (!pass) {
if (Pipe) {
strncpy(passwd, getpipepass(), sizeof(passwd));
pass = passwd;
} else {
pf = klog_prompter;
pa = klog_arg;
}
}
service = 0;
#ifdef AFS_RXK5
if (authtype & FORCE_RXK5) {
tofree = get_afs_krb5_svc_princ(cellconfig);
snprintf(service_temp, sizeof service_temp, "%s", tofree);
} else
#endif
snprintf (service_temp, sizeof service_temp, "afs/%s", cellconfig->name);
klog_arg->pp = &pass;
klog_arg->pstore = passwd;
klog_arg->allocated = sizeof(passwd);
/* XXX should allow k5 to prompt in most cases -- what about expired pw?*/
#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
code = krb5_get_init_creds_opt_alloc(k5context, &gic_opts);
if (code) {
afs_com_err(rn, code, "Can't allocate get_init_creds options");
KLOGEXIT(code);
}
#else
krb5_get_init_creds_opt_init(gic_opts);
#endif
for (;;) {
code = krb5_get_init_creds_password(k5context,
incred,
princ,
pass,
pf, /* prompter */
pa, /* data */
0, /* start_time */
0, /* in_tkt_service */
gic_opts);
if (code != KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN)
break;
}
memset(passwd, 0, sizeof(passwd));
if (code) {
char *r = 0;
if (krb5_get_default_realm(k5context, &r))
r = 0;
if (r)
afs_com_err(rn, code, "Unable to authenticate in realm %s", r);
else
afs_com_err(rn, code, "Unable to authenticate to use cell %s",
cellconfig->name);
if (r) free(r);
KLOGEXIT(code);
}
for (;;writeTicketFile = 0) {
if (writeTicketFile) {
what = "getting default ccache";
code = krb5_cc_default(k5context, &cc);
} else {
what = "krb5_cc_resolve";
code = krb5_cc_resolve(k5context, "MEMORY:core", &cc);
if (code) goto Failed;
}
what = "initializing ccache";
code = krb5_cc_initialize(k5context, cc, princ);
if (code) goto Failed;
what = "writing Kerberos ticket file";
code = krb5_cc_store_cred(k5context, cc, incred);
if (code) goto Failed;
if (writeTicketFile)
fprintf(stderr,
"Wrote ticket file to %s\n",
krb5_cc_get_name(k5context, cc));
break;
Failed:
if (code)
afs_com_err(rn, code, "%s", what);
if (writeTicketFile) {
if (cc) {
krb5_cc_close(k5context, cc);
cc = 0;
}
continue;
}
KLOGEXIT(code);
}
for (service = service_temp;;service = "afs") {
memset(mcred, 0, sizeof *mcred);
mcred->client = princ;
code = krb5_parse_name(k5context, service, &mcred->server);
if (code) {
afs_com_err(rn, code, "Unable to parse service <%s>\n", service);
KLOGEXIT(code);
}
if (tofree) { free(tofree); tofree = 0; }
if (!(code = krb5_unparse_name(k5context, mcred->server, &outname)))
tofree = outname;
else outname = service;
code = krb5_get_credentials(k5context, 0, cc, mcred, &outcred);
krb5_free_principal(k5context, mcred->server);
if (code != KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN || service != service_temp) break;
#ifdef AFS_RXK5
if (authtype & FORCE_RXK5)
break;
#endif
}
afscred = outcred;
if (code) {
afs_com_err(rn, code, "Unable to get credentials to use %s", outname);
KLOGEXIT(code);
}
#ifdef AFS_RXK5
if (authtype & FORCE_RXK5) {
struct ktc_principal aserver[1];
int viceid = 555;
memset(aserver, 0, sizeof *aserver);
strncpy(aserver->cell, cellconfig->name, MAXKTCREALMLEN-1);
code = ktc_SetK5Token(k5context, aserver, afscred, viceid, dosetpag);
if (code) {
afs_com_err(rn, code, "Unable to store tokens for cell %s\n",
cellconfig->name);
KLOGEXIT(1);
}
} else
#endif
{
struct ktc_principal aserver[1], aclient[1];
struct ktc_token atoken[1];
memset(atoken, 0, sizeof *atoken);
if (evil) {
size_t elen = enc_part->length;
atoken->kvno = RXKAD_TKT_TYPE_KERBEROS_V5_ENCPART_ONLY;
if (afs_krb5_skip_ticket_wrapper(afscred->ticket.data,
afscred->ticket.length, (char **) &enc_part->data,
&elen)) {
afs_com_err(rn, 0, "Can't unwrap %s AFS credential",
cellconfig->name);
KLOGEXIT(1);
}
} else {
atoken->kvno = RXKAD_TKT_TYPE_KERBEROS_V5;
*enc_part = afscred->ticket;
}
atoken->startTime = afscred->times.starttime;
atoken->endTime = afscred->times.endtime;
if (tkt_DeriveDesKey(get_creds_enctype(afscred),
get_cred_keydata(afscred),
get_cred_keylen(afscred), &atoken->sessionKey)) {
afs_com_err(rn, 0,
"Cannot derive DES key from enctype %i of length %u",
get_creds_enctype(afscred),
(unsigned)get_cred_keylen(afscred));
KLOGEXIT(1);
}
memcpy(atoken->ticket, enc_part->data,
atoken->ticketLen = enc_part->length);
memset(aserver, 0, sizeof *aserver);
strncpy(aserver->name, "afs", 4);
strncpy(aserver->cell, cellconfig->name, MAXKTCREALMLEN-1);
memset(aclient, 0, sizeof *aclient);
i = realm_len(k5context, afscred->client);
if (i > MAXKTCREALMLEN-1) i = MAXKTCREALMLEN-1;
memcpy(aclient->cell, realm_data(k5context, afscred->client), i);
if (!noprdb) {
int viceid = 0;
k5_to_k4_name(k5context, afscred->client, aclient);
code = whoami(atoken, cellconfig, aclient, &viceid);
if (code) {
afs_com_err(rn, code, "Can't get your viceid for cell %s", cellconfig->name);
*aclient->name = 0;
} else
snprintf(aclient->name, MAXKTCNAMELEN-1, "AFS ID %d", viceid);
}
if (!*aclient->name)
k5_to_k4_name(k5context, afscred->client, aclient);
code = ktc_SetToken(aserver, atoken, aclient, dosetpag);
if (code) {
afs_com_err(rn, code, "Unable to store tokens for cell %s\n",
cellconfig->name);
KLOGEXIT(1);
}
}
krb5_free_principal(k5context, princ);
krb5_free_cred_contents(k5context, incred);
if (outcred) krb5_free_creds(k5context, outcred);
if (cc)
krb5_cc_close(k5context, cc);
if (tofree) free(tofree);
return 0;
}
static afs_int32
InitThisModule(int a_noAuthFlag, char *a_confDir, char *a_cellName)
{ /*InitThisModule */
#ifdef USS_VOL_DB
static char rn[] = "uss_vol:InitThisModule";
#endif
afs_int32 code; /*Return code */
struct afsconf_dir *tdir; /*Ptr to conf dir info */
struct afsconf_cell info; /*Info about chosen cell */
afs_int32 scIndex; /*Chosen security index */
afs_int32 secFlags;
struct rx_securityClass *sc; /*Generated security object */
afs_int32 i; /*Loop index */
/*
* Only once, guys, will 'ya?
*/
if (initDone) {
#ifdef USS_VOL_DB
printf("[%s] Called multiple times!\n", rn);
#endif /* USS_VOL_DB */
return (0);
}
/*
* Set up our Rx environment.
*/
#ifdef USS_VOL_DB
printf("[%s] Initializing Rx environment\n", rn);
#endif /* USS_VOL_DB */
code = rx_Init(0);
if (code) {
fprintf(stderr, "%s: Couldn't initialize Rx.\n", uss_whoami);
return (code);
}
rx_SetRxDeadTime(50);
/*
* Find out all about our configuration.
*/
#ifdef USS_VOL_DB
printf("[%s] Handling configuration info\n", rn);
#endif /* USS_VOL_DB */
tdir = afsconf_Open(a_confDir);
if (!tdir) {
fprintf(stderr, "%s: Couldn't open configuration directory (%s).\n",
uss_whoami, a_confDir);
return (-1);
}
code = afsconf_GetCellInfo(tdir, a_cellName, AFSCONF_VLDBSERVICE, &info);
if (code) {
printf("%s: Can't find VLDB server(s) for cell %s\n", uss_whoami,
a_cellName);
exit(1);
}
#ifdef USS_VOL_DB
printf("[%s] Getting tickets if needed\n", rn);
#endif /* USS_VOL_DB */
secFlags = AFSCONF_SECOPTS_FALLBACK_NULL;
if (a_noAuthFlag)
secFlags |= AFSCONF_SECOPTS_NOAUTH;
code = afsconf_PickClientSecObj(tdir, secFlags, &info, a_cellName,
&sc, &scIndex, NULL);
if (code) {
printf("%s: Can't create client security object\n", uss_whoami);
exit(1);
}
if (scIndex == RX_SECIDX_NULL && !a_noAuthFlag) {
fprintf(stderr,
"%s: Couldn't get AFS tokens, running unauthenticated.\n",
uss_whoami);
}
/*
* Tell UV module about default authentication.
*/
#ifdef USS_VOL_DB
printf("[%s] Setting UV security: obj 0x%x, index %d\n", rn, sc, scIndex);
#endif /* USS_VOL_DB */
UV_SetSecurity(sc, scIndex);
if (info.numServers > VLDB_MAXSERVERS) {
fprintf(stderr, "%s: info.numServers=%d (> VLDB_MAXSERVERS=%d)\n",
uss_whoami, info.numServers, VLDB_MAXSERVERS);
exit(1);
}
/*
* Connect to each VLDB server for the chosen cell.
*/
for (i = 0; i < info.numServers; i++) {
#ifdef USS_VOL_DB
printf
("[%s] Connecting to VLDB server 0x%x, port %d, service id %d\n",
rn, info.hostAddr[i].sin_addr.s_addr, info.hostAddr[i].sin_port,
USER_SERVICE_ID);
#endif /* USS_VOL_DB */
serverconns[i] =
rx_NewConnection(info.hostAddr[i].sin_addr.s_addr,
info.hostAddr[i].sin_port, USER_SERVICE_ID, sc,
scIndex);
}
/*
* Set up to execute Ubik transactions on the VLDB.
*/
#ifdef USS_VOL_DB
printf("[%s] Initializing Ubik interface\n", rn);
#endif /* USS_VOL_DB */
code = ubik_ClientInit(serverconns, &uconn_vldbP);
if (code) {
fprintf(stderr, "%s: Ubik client init failed.\n", uss_whoami);
return (code);
}
#ifdef USS_VOL_DB
printf("[%s] VLDB ubik connection structure at 0x%x\n", rn, uconn_vldbP);
#endif /* USS_VOL_DB */
/*
* Place the ubik VLDB connection structure in its advertised
* location.
*/
cstruct = uconn_vldbP;
/*
* Success!
*/
initDone = 1;
return (0);
} /*InitThisModule */
long GetCellInfo(struct afsconf_dir **pconfigdir, char* cell,
struct afsconf_cell **pcellconfig)
{
return afsconf_GetCellInfo(*pconfigdir, cell, NULL, *pcellconfig);
}
afs_int32
udbClientInit(int noAuthFlag, int localauth, char *cellName)
{
struct afsconf_cell info;
struct afsconf_dir *acdir;
const char *confdir;
int i;
afs_int32 secFlags;
afs_int32 code = 0;
secFlags = parseSecFlags(noAuthFlag, localauth, &confdir);
secFlags |= AFSCONF_SECOPTS_FALLBACK_NULL;
if (cellName && cellName[0] == '\0')
cellName = NULL;
acdir = afsconf_Open(confdir);
if (!acdir) {
afs_com_err(whoami, 0, "Can't open configuration directory '%s'",
confdir);
ERROR(BC_NOCELLCONFIG);
}
code = afsconf_GetCellInfo(acdir, cellName, 0, &info);
if (code) {
afs_com_err(whoami, code, "; Can't find cell %s's hosts in %s",
cellName, acdir->cellservDB);
ERROR(BC_NOCELLCONFIG);
}
code = afsconf_PickClientSecObj(acdir, secFlags, &info, cellName,
&udbHandle.uh_secobj,
&udbHandle.uh_scIndex, NULL);
if (code) {
afs_com_err(whoami, code, "(configuring connection security)");
ERROR(BC_NOCELLCONFIG);
}
if (udbHandle.uh_scIndex == RX_SECIDX_NULL && !noAuthFlag)
afs_com_err(whoami, 0, "Can't get tokens - running unauthenticated");
/* We have to have space for the trailing NULL that terminates the server
* conneciton array - so we can only store MAXSERVERS-1 real elements in
* that array.
*/
if (info.numServers >= MAXSERVERS) {
afs_com_err(whoami, 0,
"Warning: %d BDB servers exist for cell '%s', can only remember the first %d",
info.numServers, cellName, MAXSERVERS-1);
info.numServers = MAXSERVERS - 1;
}
/* establish connections to the servers. Check for failed connections? */
for (i = 0; i < info.numServers; i++) {
udbHandle.uh_serverConn[i] =
rx_NewConnection(info.hostAddr[i].sin_addr.s_addr,
htons(AFSCONF_BUDBPORT), BUDB_SERVICE,
udbHandle.uh_secobj, udbHandle.uh_scIndex);
}
udbHandle.uh_serverConn[i] = 0;
code = ubik_ClientInit(udbHandle.uh_serverConn, &udbHandle.uh_client);
if (code) {
afs_com_err(whoami, code,
"; Can't initialize ubik connection to backup database");
ERROR(code);
}
/* Try to quickly find a good site by setting deadtime low */
for (i = 0; i < info.numServers; i++)
rx_SetConnDeadTime(udbHandle.uh_client->conns[i], 1);
code =
ubik_BUDB_GetInstanceId(udbHandle.uh_client, 0,
&udbHandle.uh_instanceId);
/* Reset dead time back up to default */
for (i = 0; i < info.numServers; i++)
rx_SetConnDeadTime(udbHandle.uh_client->conns[i], 60);
/* If did not find a site on first quick pass, try again */
if (code == -1)
code =
ubik_BUDB_GetInstanceId(udbHandle.uh_client, 0,
&udbHandle.uh_instanceId);
if (code) {
afs_com_err(whoami, code, "; Can't access backup database");
ERROR(code);
}
error_exit:
if (acdir)
afsconf_Close(acdir);
return (code);
}
/* vldbClientInit
* Initialize a client for the vl ubik database.
*/
int
vldbClientInit(int noAuthFlag, int localauth, char *cellName,
struct ubik_client **cstruct,
time_t *expires)
{
afs_int32 code = 0;
struct afsconf_dir *acdir;
struct rx_securityClass *sc;
afs_int32 i, scIndex = RX_SECIDX_NULL;
struct afsconf_cell info;
struct rx_connection *serverconns[VLDB_MAXSERVERS];
afsconf_secflags secFlags;
const char *confdir;
secFlags = parseSecFlags(noAuthFlag, localauth, &confdir);
secFlags |= AFSCONF_SECOPTS_FALLBACK_NULL;
/* This just preserves old behaviour of using the default cell when
* passed an empty string */
if (cellName && cellName[0] == '\0')
cellName = NULL;
/* Find out about the given cell */
acdir = afsconf_Open(confdir);
if (!acdir) {
afs_com_err(whoami, 0, "Can't open configuration directory '%s'", confdir);
ERROR(BC_NOCELLCONFIG);
}
code = afsconf_GetCellInfo(acdir, cellName, AFSCONF_VLDBSERVICE, &info);
if (code) {
afs_com_err(whoami, code, "; Can't find cell %s's hosts in %s",
cellName, acdir->cellservDB);
ERROR(BC_NOCELLCONFIG);
}
code = afsconf_PickClientSecObj(acdir, secFlags, &info, cellName,
&sc, &scIndex, expires);
if (code) {
afs_com_err(whoami, code, "(configuring connection security)");
ERROR(BC_NOCELLCONFIG);
}
if (scIndex == RX_SECIDX_NULL && !noAuthFlag)
afs_com_err(whoami, 0, "Can't get tokens - running unauthenticated");
/* tell UV module about default authentication */
UV_SetSecurity(sc, scIndex);
if (info.numServers > VLDB_MAXSERVERS) {
afs_com_err(whoami, 0,
"Warning: %d VLDB servers exist for cell '%s', can only remember the first %d",
info.numServers, cellName, VLDB_MAXSERVERS);
info.numServers = VLDB_MAXSERVERS;
}
for (i = 0; i < info.numServers; i++)
serverconns[i] =
rx_NewConnection(info.hostAddr[i].sin_addr.s_addr,
info.hostAddr[i].sin_port, USER_SERVICE_ID, sc,
scIndex);
serverconns[i] = 0;
*cstruct = 0;
code = ubik_ClientInit(serverconns, cstruct);
if (code) {
afs_com_err(whoami, code, "; Can't initialize ubik connection to vldb");
ERROR(code);
}
error_exit:
if (acdir)
afsconf_Close(acdir);
return (code);
}
int
CommandProc(struct cmd_syndesc *as, void *arock)
{
char name[MAXKTCNAMELEN];
char instance[MAXKTCNAMELEN];
char cell[MAXKTCREALMLEN];
char realm[MAXKTCREALMLEN];
afs_uint32 serverList[MAXSERVERS];
char *lcell; /* local cellname */
char lrealm[MAXKTCREALMLEN]; /* uppercase copy of local cellname */
int code;
int i, dosetpag;
Date lifetime; /* requested ticket lifetime */
struct passwd pwent;
struct passwd *pw = &pwent;
struct passwd *lclpw = &pwent;
char passwd[BUFSIZ];
static char rn[] = "klog"; /*Routine name */
static int Pipe = 0; /* reading from a pipe */
static int Silent = 0; /* Don't want error messages */
int explicit; /* servers specified explicitly */
int local; /* explicit cell is same a local one */
int foundPassword = 0; /*Not yet, anyway */
int foundExplicitCell = 0; /*Not yet, anyway */
int writeTicketFile = 0; /* write ticket file to /tmp */
afs_int32 password_expires = -1;
char *reason; /* string describing errors */
/* blow away command line arguments */
for (i = 1; i < zero_argc; i++)
memset(zero_argv[i], 0, strlen(zero_argv[i]));
zero_argc = 0;
/* first determine quiet flag based on -silent switch */
Silent = (as->parms[aSILENT].items ? 1 : 0);
Pipe = (as->parms[aPIPE].items ? 1 : 0);
/* Determine if we should also do a setpag based on -setpag switch */
dosetpag = (as->parms[aSETPAG].items ? 1 : 0);
if (as->parms[aTMP].items) {
writeTicketFile = 1;
}
if (as->parms[aCELL].items) {
/*
* cell name explicitly mentioned; take it in if no other cell name
* has already been specified and if the name actually appears. If
* the given cell name differs from our own, we don't do a lookup.
*/
foundExplicitCell = 1;
strncpy(realm, as->parms[aCELL].items->data, sizeof(realm));
/* XXX the following is just a hack to handle the afscell environment XXX */
(void)afsconf_GetCellInfo((struct afsconf_dir *)0, realm, 0,
(struct afsconf_cell *)0);
}
code = ka_Init(0);
if (code || !(lcell = ka_LocalCell())) {
nocell:
if (!Silent)
afs_com_err(rn, code, "Can't get local cell name!");
KLOGEXIT(code);
}
if ((code = ka_CellToRealm(lcell, lrealm, 0)))
goto nocell;
strcpy(instance, "");
/* Parse our arguments. */
if (as->parms[aCELL].items) {
/*
* cell name explicitly mentioned; take it in if no other cell name
* has already been specified and if the name actually appears. If
* the given cell name differs from our own, we don't do a lookup.
*/
foundExplicitCell = 1;
strncpy(realm, as->parms[aCELL].items->data, sizeof(realm));
}
if (as->parms[aSERVERS].items) {
/* explicit server list */
int i;
struct cmd_item *ip;
char *ap[MAXSERVERS + 2];
for (ip = as->parms[aSERVERS].items, i = 2; ip; ip = ip->next, i++)
ap[i] = ip->data;
ap[0] = "";
ap[1] = "-servers";
code = ubik_ParseClientList(i, ap, serverList);
if (code) {
if (!Silent) {
afs_com_err(rn, code, "could not parse server list");
}
return code;
}
explicit = 1;
} else
