static krb5_error_code
v5_convert(krb5_context context, krb5_ccache id,
krb5_creds *cred, uid_t uid,
const char *cell,
struct kafs_token *kt)
{
krb5_error_code ret;
char *c, *val;
c = strdup(cell);
if (c == NULL)
return ENOMEM;
_kafs_foldup(c, c);
krb5_appdefault_string (context, "libkafs",
c,
"afs-use-524", "2b", &val);
free(c);
if (strcasecmp(val, "local") == 0 ||
strcasecmp(val, "2b") == 0)
ret = v5_to_kt(cred, uid, kt, 1);
else if(strcasecmp(val, "yes") == 0 ||
strcasecmp(val, "true") == 0 ||
atoi(val)) {
struct credentials cred4;
if (id == NULL)
ret = krb524_convert_creds_kdc(context, cred, &cred4);
else
ret = krb524_convert_creds_kdc_ccache(context, id, cred, &cred4);
if (ret)
goto out;
ret = _kafs_v4_to_kt(&cred4, uid, kt);
} else
ret = v5_to_kt(cred, uid, kt, 0);
out:
free(val);
return ret;
}
int
v4_get_creds(krb5_context ctx,
pam_handle_t *pamh,
struct _pam_krb5_stash *stash,
struct _pam_krb5_user_info *userinfo,
struct _pam_krb5_options *options,
char *password,
int *result)
{
int i;
#if defined(HAVE_KRB5_524_CONVERT_CREDS) || \
defined(HAVE_KRB524_CONVERT_CREDS_KDC)
krb5_creds *v4_compat_creds, *in_creds;
v4_compat_creds = NULL;
if (options->v4_use_524) {
if (options->debug) {
debug("obtaining v4-compatible key");
}
/* We need a DES-CBC-CRC v5 credential to convert to a proper v4
* credential. */
i = v5_get_creds_etype(ctx, userinfo, options, &stash->v5creds,
ENCTYPE_DES_CBC_CRC, &v4_compat_creds);
if (i == 0) {
if (options->debug) {
debug("obtained des-cbc-crc v5 creds");
}
in_creds = v4_compat_creds;
} else {
if (options->debug) {
debug("failed to obtain des-cbc-crc v5 creds: "
"%d (%s)", i, v5_error_message(i));
}
in_creds = NULL;
if (v5_creds_check_initialized(ctx,
&stash->v5creds) == 0) {
krb5_copy_creds(ctx, &stash->v5creds,
&in_creds);
}
}
#ifdef HAVE_KRB5_524_CONVERT_CREDS
if (options->debug) {
debug("converting v5 creds to v4 creds (etype = %d)",
in_creds ? v5_creds_get_etype(in_creds) : 0);
}
if ((in_creds != NULL) &&
(v5_creds_check_initialized(ctx, in_creds) == 0)) {
i = krb5_524_convert_creds(ctx, in_creds,
&stash->v4creds);
if (i == 0) {
if (options->debug) {
debug("conversion succeeded");
}
stash->v4present = 1;
if (result) {
*result = i;
}
krb5_free_creds(ctx, in_creds);
return PAM_SUCCESS;
} else {
if (options->debug) {
debug("conversion failed: %d (%s)",
i, v5_error_message(i));
}
}
}
#else
#ifdef HAVE_KRB524_CONVERT_CREDS_KDC
if (options->debug) {
debug("converting v5 creds to v4 creds (etype = %d)",
in_creds ? v5_creds_get_etype(in_creds) : 0);
}
if ((in_creds != NULL) &&
(v5_creds_check_initialized(ctx, in_creds) == 0)) {
i = krb524_convert_creds_kdc(ctx, in_creds,
&stash->v4creds);
if (i == 0) {
if (options->debug) {
debug("conversion succeeded");
}
stash->v4present = 1;
if (result) {
*result = i;
}
krb5_free_creds(ctx, in_creds);
return PAM_SUCCESS;
} else {
if (options->debug) {
debug("conversion failed: %d (%s)",
i, v5_error_message(i));
}
}
}
#endif
#endif
if ((in_creds != NULL) &&
(v5_creds_check_initialized(ctx, in_creds) == 0)) {
krb5_free_creds(ctx, in_creds);
}
}
#endif
if ((password != NULL) && (options->v4_use_as_req)) {
if (options->debug) {
debug("attempting to obtain initial v4 creds");
}
i = _pam_krb5_v4_init(ctx, stash, userinfo, options,
KRB5_TGS_NAME, NULL, password, result);
if (i == PAM_SUCCESS) {
if (options->debug) {
debug("initial v4 creds obtained");
}
stash->v4present = 1;
return PAM_SUCCESS;
}
if (options->debug) {
debug("could not obtain initial v4 creds: %d (%s)",
i, v5_error_message(i));
}
}
return PAM_AUTH_ERR;
}
