+2003-03-05 Tom Yu <tlyu@mit.edu>
+
+ * kdb_kt.h: Add krb5_ktkdb_set_context. Update prototype of
+ krb5_ktdb_resolve. Add krb5_kt_kdb_ops.
+
2003-03-05 Sam Hartman <hartmans@mit.edu>
* Remove kdb_dbm.h
#include "kdb.h"
-krb5_error_code krb5_ktkdb_resolve (krb5_context, krb5_keytab *);
+extern struct _krb5_kt_ops krb5_kt_kdb_ops;
+
+krb5_error_code krb5_ktkdb_resolve (krb5_context, const char *, krb5_keytab *);
+
+krb5_error_code krb5_ktkdb_set_context(krb5_context);
#endif /* !defined(macintosh) */
#endif /* KRB5_KDB5_DBM__ */
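Review bot: The new `krb5_ktkdb_set_context` prototype gives no hint that the context it installs is a library-wide setting rather than a property of one keytab handle, and the updated `krb5_ktkdb_resolve` prototype carries no parameter names, so a reader cannot tell what the new `const char *` is for. I'd name the parameters, `krb5_error_code krb5_ktkdb_resolve(krb5_context context, const char *name, krb5_keytab *id);`, and put a one-line comment above the setter: `/* Override the krb5_context used by every KDB keytab's get_entry; pass NULL to restore the per-call context. */`. That NULL restores the default is taken from the keytab.c hunk on this page (`if (ktkdb_ctx) context = ktkdb_ctx; else context = in_context;`), not from the header itself, so keep the two in step if that logic changes.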
+2003-03-05 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in (LOCALINCLUDES): Add gssapi directories in order to
+ get internal includes.
+
+ * ovsec_kadmd.c (main): Go through contortions to set up a kdb
+ keytab for gssapi, so we can avoid needing a file-based keytab.
+
2003-01-09 Ken Raeburn <raeburn@mit.edu>
* ovsec_kadmd.c (do_schpw): Use socklen_t when passing address to
mydir=server
BUILDTOP=$(REL)..$(S)..
+LOCALINCLUDES = -I$(SRCTOP)/lib/gssapi/generic -I$(SRCTOP)/lib/gssapi/krb5 \
+ -I$(BUILDTOP)/lib/gssapi/generic -I$(BUILDTOP)/lib/gssapi/krb5
+
PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
#include <netdb.h>
#include <gssrpc/rpc.h>
#include <gssapi/gssapi.h>
+#include "gssapiP_krb5.h" /* for kg_get_context */
#include <gssrpc/auth_gssapi.h>
#include <kadm5/admin.h>
#include <kadm5/kadm_rpc.h>
#include <kadm5/server_acl.h>
#include <krb5/adm_proto.h>
+#include "krb5/kdb_kt.h" /* for krb5_ktkdb_set_context */
#include <string.h>
+#include "kadm5/server_internal.h" /* XXX for kadm5_server_handle_t */
#include "misc.h"
#define OVSEC_KADM_ADMIN_SERVICE "ovsec_adm/admin"
#define OVSEC_KADM_CHANGEPW_SERVICE "ovsec_adm/changepw"
-/*
- * This enables us to set the keytab that gss_acquire_cred uses, but
- * it also restricts us to linking against the Kv5 GSS-API library.
- * Since this is *k*admind, that shouldn't be a problem.
- */
-extern char *krb5_overridekeyname;
+extern krb5_keyblock master_keyblock;
char *build_princ_name(char *name, char *realm);
void log_badauth(OM_uint32 major, OM_uint32 minor,
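Review bot: `extern krb5_keyblock master_keyblock;` declares by hand a symbol that lives in a different library (a comment later in this file places it in lib/kadm5/server_kdb.c), with no shared header to keep declaration and definition in agreement. If the definition's type or name ever drifts, the link can still succeed and kadmind would hand `krb5_db_set_mkey` whatever bytes sit at that address as the master key, which is the worst object in the process to get silently wrong. Since this file now includes `kadm5/server_internal.h`, the declaration belongs there alongside what lib/kadm5 exports to the server; at minimum annotate it here, `extern krb5_keyblock master_keyblock; /* defined in lib/kadm5/server_kdb.c; keep type in sync */`. The removed `krb5_overridekeyname` hack has in effect been traded for another cross-library internal, so it is worth saying so where the next maintainer will look.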
/* XXX yuck. the signal handlers need this */
static krb5_context context;
+static krb5_context gctx, hctx;
+
int main(int argc, char *argv[])
{
register SVCXPRT *transp;
exit(1);
}
- /* XXX krb5_overridekeyname is an internal library global and should
- go away. This is an awful hack. */
-
- krb5_overridekeyname = params.admin_keytab;
+ /*
+ * Go through some contortions to point gssapi at a kdb keytab.
+ * This prevents kadmind from needing to use an actual file-based
+ * keytab.
+ */
+ ret = kg_get_context(&minor_status, &gctx);
+ if (ret) {
+ krb5_klog_syslog(LOG_ERR, "Can't get krb5_gss internal context.");
+ goto kterr;
+ }
+ /* XXX extract kadm5's krb5_context */
+ hctx = ((kadm5_server_handle_t)global_server_handle)->context;
+ /* Set ktkdb's internal krb5_context. */
+ ret = krb5_ktkdb_set_context(hctx);
+ if (ret) {
+ krb5_klog_syslog(LOG_ERR, "Can't set kdb keytab's internal context.");
+ goto kterr;
+ }
+ /* XXX master_keyblock is in guts of lib/kadm5/server_kdb.c */
+ ret = krb5_db_set_mkey(hctx, &master_keyblock);
+ if (ret) {
+ krb5_klog_syslog(LOG_ERR, "Can't set master key for kdb keytab.");
+ goto kterr;
+ }
+ ret = krb5_kt_register(gctx, &krb5_kt_kdb_ops);
+ if (ret) {
+ krb5_klog_syslog(LOG_ERR, "Can't register kdb keytab.");
+ goto kterr;
+ }
+ /* Tell gssapi about the kdb keytab. */
+ ret = krb5_gss_register_acceptor_identity("KDB:");
+ if (ret) {
+ krb5_klog_syslog(LOG_ERR, "Can't register acceptor keytab.");
+ goto kterr;
+ }
+kterr:
+ if (ret) {
+ krb5_klog_syslog(LOG_ERR, "%s", error_message(ret));
+ fprintf(stderr, "%s: Can't set up keytab for RPC.\n", whoami);
+ kadm5_destroy(global_server_handle);
+ krb5_klog_close(context);
+ exit(1);
+ }
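Review bot: On the `kg_get_context` failure path the value reported at `kterr` is wrong: `ret` receives the GSS-API major status from `kg_get_context` (the `&minor_status` out-parameter is where the krb5 code is placed), so `error_message(ret)` would print an unknown-code string rather than the cause. Every other assignment to `ret` in this hunk is a genuine `krb5_error_code`, so only that call needs changing, along the lines of `if (kg_get_context(&minor_status, &gctx) != GSS_S_COMPLETE) { ret = (krb5_error_code)minor_status; ... goto kterr; }`, with a guard so that a zero minor status still leaves `ret` non-zero and the `if (ret)` test at `kterr` fires. The "contortions" comment could also state the payoff, which is the security-relevant part: with the KDB keytab registered, the acceptor's keys are decrypted from the database using the master key already in memory, so no file-based keytab holding the kadmin service keys has to exist on disk. `main` starts before and continues after this hunk.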
/*
* Try to acquire creds for the old OV services as well as the
+2003-03-05 Tom Yu <tlyu@mit.edu>
+
+ * main.c (init_realm): Update call to krb5_ktdb_resolve().
+
2003-03-04 Ken Raeburn <raeburn@mit.edu>
* configure.in: Default to --disable-fakeka.
}
/* Set up the keytab */
- if ((kret = krb5_ktkdb_resolve(rdp->realm_context,
+ if ((kret = krb5_ktkdb_resolve(rdp->realm_context, NULL,
&rdp->realm_keytab))) {
com_err(progname, kret,
"while resolving kdb keytab for realm %s", realm);
+2003-03-05 Tom Yu <tlyu@mit.edu>
+
+ * kdb_xdr.c (krb5_dbe_search_enctype): Check for ktype > 0 rather
+ than ktype >= 0; file keytab uses ktype 0 to indicate "first
+ match", as does acquire_cred. The kdc uses -1, though.
+
+ * Makefile.in (LIBMAJOR): Bump major version due to change in
+ krb5_ktkdb_resolve's signature.
+
+ * keytab.c (krb5_ktkdb_resolve): Add NAME parameter, which is
+ ignored, so that kdb keytab can be registered.
+ (krb5_ktkdb_set_context): New function; allows caller to set a
+ different context for use with ktkdb_get_entry(). This is
+ primarily useful for kadmind, where the gssapi library context,
+ which will be used for the keytab, will necessarily have a
+ different context than that used by the kadm5 library to access
+ the database for its own purposes.
+
2003-02-08 Tom Yu <tlyu@mit.edu>
* keytab.c (krb5_ktkdb_get_entry): Fix comment; not going to
PROG_RPATH=$(KRB5_LIBDIR)
LIB=kdb5
-LIBMAJOR=3
-LIBMINOR=2
+LIBMAJOR=4
+LIBMINOR=0
RELDIR=kdb
# Depends on libk5crypto and libkrb5
SHLIB_DBLIB_DEPS = $(SHLIB_DBLIB-@DB_VERSION@)
}
- if (ktype >= 0) {
+ if (ktype > 0) {
if ((ret = krb5_c_enctype_compare(kcontext, (krb5_enctype) ktype,
dbentp->key_data[i].key_data_type[0],
&similar)))
return(ret);
}
- if (((ktype < 0) || similar) &&
+ if (((ktype <= 0) || similar) &&
((db_stype == stype) || (stype < 0))) {
if (kvno >= 0) {
if (kvno == dbentp->key_data[i].key_data_kvno) {
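Review bot: The reason `ktype > 0` and `ktype <= 0` now both treat zero as a wildcard is recorded only in the ChangeLog; in the code the change from `>= 0` reads like an off-by-one to anyone without that entry. I'd put the rationale beside the test: `/* ktype <= 0 matches any enctype: the file keytab and gss acquire_cred pass 0 for "first match", the KDC passes -1. */`. One consequence worth confirming is that a caller can no longer request enctype 0 explicitly; if ENCTYPE_NULL is 0 in this tree that is presumably never wanted from a database key lookup, but it is a behaviour change for any such caller. `krb5_dbe_search_enctype` starts before and ends after this hunk.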
krb5_kt_ops krb5_kt_kdb_ops = {
0,
"KDB", /* Prefix -- this string should not appear anywhere else! */
- NULL, /* resolve */
+ krb5_ktkdb_resolve, /* resolve */
NULL, /* get_name */
krb5_ktkdb_close, /* close */
krb5_ktkdb_get_entry, /* get */
} krb5_ktkdb_data;
krb5_error_code
-krb5_ktkdb_resolve(context, id)
+krb5_ktkdb_resolve(context, name, id)
krb5_context context;
+ const char * name;
krb5_keytab * id;
{
if ((*id = (krb5_keytab) malloc(sizeof(**id))) == NULL)
return 0;
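Review bot: The added `name` parameter is accepted and never read, and nothing in the function says so; a reader comparing this with the file keytab's resolve will go looking for the missing use. A comment on the parameter line, `const char *name; /* unused; present only so the ops table can carry a resolve entry */`, or a `(void)name;` in the body makes the intent explicit (the ChangeLog gives registration as the reason). Separately, as the hunk is displayed here the line following the malloc NULL check is `return 0;`, which would report success while leaving `*id` NULL; if that is not an artifact of the excerpt it should return ENOMEM.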
}
+static krb5_context ktkdb_ctx = NULL;
+
+/*
+ * Set a different context for use with ktkdb_get_entry(). This is
+ * primarily useful for kadmind, where the gssapi library context,
+ * which will be used for the keytab, will necessarily have a
+ * different context than that used by the kadm5 library to access the
+ * database for its own purposes.
+ */
+krb5_error_code
+krb5_ktkdb_set_context(krb5_context ctx)
+{
+ ktkdb_ctx = ctx;
+ return 0;
+}
+
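Review bot: `ktkdb_ctx` is a file-scope static, so the override installed here is process-wide and unsynchronized: it applies to every KDB keytab handle in the process rather than to the one the caller is configuring, and a second caller silently replaces the first. That is fine for the single-context kadmind use the comment describes, but the function should say so and should say that passing NULL reverts to the caller-supplied context, which is how `ktkdb_get_entry` tests it: `/* Process-global and not thread-safe; NULL reverts to the caller's context. */`. Because the overriding context is the one the kadm5 library uses for database access, the setter is in effect choosing which context's database state answers every keytab lookup, so a stray call from another code path would be a security-relevant surprise rather than a cosmetic one.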
krb5_error_code
-krb5_ktkdb_get_entry(context, id, principal, kvno, enctype, entry)
- krb5_context context;
+krb5_ktkdb_get_entry(in_context, id, principal, kvno, enctype, entry)
+ krb5_context in_context;
krb5_keytab id;
krb5_const_principal principal;
krb5_kvno kvno;
krb5_enctype enctype;
krb5_keytab_entry * entry;
{
+ krb5_context context;
krb5_keyblock * master_key;
krb5_error_code kerror = 0;
krb5_key_data * key_data;
krb5_boolean more = 0;
int n = 0;
+ if (ktkdb_ctx)
+ context = ktkdb_ctx;
+ else
+ context = in_context;
+
/* Open database */
/* krb5_db_init(context); */
if ((kerror = krb5_db_open_database(context)))
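Review bot: Once `ktkdb_ctx` is set, `in_context` is not consulted again in what this hunk shows: the database open, and presumably everything after it, runs on the override context. If any part of the rest of the function (outside the hunk) records extended error state or allocates the returned entry through `context`, that now happens on the override context rather than the caller's, which a caller reading errors back from its own context would not expect; worth checking. A short comment at the selection point would spare the next reader the question: `/* Optional override: kadmind routes gssapi's keytab lookups through the context the kadm5 library uses for database access; see krb5_ktkdb_set_context. */`. `krb5_ktkdb_get_entry` continues past the end of this hunk.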