* extern.h: Added a krb5_keytab to the realm context. The keytab
authorChris Provenzano <proven@mit.edu>
Tue, 12 Dec 1995 06:18:53 +0000 (06:18 +0000)
committerChris Provenzano <proven@mit.edu>
Tue, 12 Dec 1995 06:18:53 +0000 (06:18 +0000)
should be associated with a krb5_db_context which will
make having a krb5_context unnecessary in the realm context.
* kdc_util.c kdc_process_tgs_req(): Use the realm keytab instead
of faking up a user-to-user key to pass to krb5_rd_req_decode().
* main.c: Added code to use the new database keytab routines.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7200 dc483132-0cff-0310-8789-dd5450dbe970

src/kdc/ChangeLog
src/kdc/extern.h
src/kdc/kdc_util.c
src/kdc/main.c

index 85a23b32b87b48bb7fabbc8010e3bef0375fdaa4..04db8f3c1b053b4bb3894fb75161f03168de084c 100644 (file)
@@ -1,3 +1,13 @@
+
+Tue Dec 12 01:10:34 1995  Chris Provenzano (proven@mit.edu)
+
+       * extern.h: Added a krb5_keytab to the realm context. The keytab
+               should be associated with a krb5_db_context which will
+               make having a krb5_context unnecessary in the realm context.
+       * kdc_util.c kdc_process_tgs_req(): Use the realm keytab instead
+               of faking up a user-to-user key to pass to krb5_rd_req_decode().
+       * main.c: Added code to use the new database keytab routines.
+
 Mon Dec 11 16:58:31 1995  Chris Provenzano (proven@mit.edu)
 
        * kdc_preauth.c return_padata(): Initialize local variable "size" 
index 7ea95b8fcf4fedf9e2dec4a38d742988db6a482d..313f20e117a24a69b04118e7266b6d95274485b8 100644 (file)
@@ -31,7 +31,12 @@ typedef struct __kdc_realm_data {
      * General Kerberos per-realm data.
      */
     char *             realm_name;     /* Realm name                       */
+/* XXX the real context should go away once the db_context is done. 
+ * The db_context is then associated with the realm keytab using 
+ * krb5_ktkdb_resolv(). There should be nothing in the context which 
+ * cannot span multiple realms -- proven */
     krb5_context       realm_context;  /* Context to be used for realm     */
+    krb5_keytab                realm_keytab;   /* keytab to be used for this realm */
     char *             realm_profile;  /* Profile file for this realm      */
     /*
      * Database per-realm data.
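Review bot: The new comment names `krb5_ktkdb_resolv()`, but the routine this commit actually calls to fill `realm_keytab` (in main.c) is `krb5_ktkdb_resolve()`; a reader grepping for the name will not find it. The field comment should also state who owns the handle, since it is closed in `finish_realm` and nothing in this header says the field must start out NULL for that close to be safe. Suggested: `krb5_keytab realm_keytab; /* keytab for this realm; NULL until krb5_ktkdb_resolve() succeeds, closed in finish_realm() */` and `krb5_ktkdb_resolve()` in the block comment above it.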
index c76f6fb184ef57368ab0ec07ec3603dd19416a09..4e427ab6ba7233ab5e1dee124a375c44c85de1f8 100644 (file)
@@ -212,20 +212,25 @@ kdc_process_tgs_req(request, from, pkt, ticket, subkey)
                                          kdc_rcache)))
        goto cleanup_auth_context;
 
+/*
     if ((retval = kdc_get_server_key(apreq->ticket, &key, &kvno)))
        goto cleanup_auth_context;
+*/
 
     /*
      * XXX This is currently wrong but to fix it will require making a 
      * new keytab for groveling over the kdb.
      */
+/*
     retval = krb5_auth_con_setuseruserkey(kdc_context, auth_context, key);
     krb5_free_keyblock(kdc_context, key);
     if (retval) 
        goto cleanup_auth_context;
+*/
 
     if ((retval = krb5_rd_req_decoded(kdc_context, &auth_context, apreq, 
-                                     apreq->ticket->server, NULL,
+                                     apreq->ticket->server, 
+                                     kdc_active_realm->realm_keytab,
                                      NULL, ticket))) {
        /*
         * I'm not so sure that this is right, but it's better than nothing
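Review bot: The old key lookup is fenced with `/* ... */` rather than removed, which leaves two blocks of dead code in the hot TGS path and keeps the `XXX This is currently wrong` comment in place even though the code it described is now disabled, so the comment is actively misleading. If the realm keytab is the intended replacement, the `kdc_get_server_key` call, the `krb5_auth_con_setuseruserkey` block and the stale XXX comment should be deleted outright; the `key` and `kvno` locals they used are declared outside the hunk and are presumably now unreferenced, which compilers will warn about. If the old path is being kept for a fallback, a one-line `/* disabled: server key now comes from realm_keytab */` is clearer than a bare `/*`. `kdc_process_tgs_req` begins and ends outside this hunk.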
@@ -239,23 +244,17 @@ kdc_process_tgs_req(request, from, pkt, ticket, subkey)
            (retval == KRB5_RC_IO_UNKNOWN)) {
            (void) krb5_rc_close(kdc_context, kdc_rcache);
            kdc_rcache = (krb5_rcache) NULL;
-           if (!(retval = kdc_initialize_rcache(kdc_context,
-                                                (char *) NULL))) {
-               if ((retval = krb5_auth_con_setrcache(kdc_context,
-                                                     auth_context,
+           if (!(retval = kdc_initialize_rcache(kdc_context, (char *) NULL))) {
+               if ((retval = krb5_auth_con_setrcache(kdc_context, auth_context,
                                                      kdc_rcache)) ||
-                   (retval = krb5_rd_req_decoded(kdc_context,
-                                                 &auth_context,
-                                                 apreq, 
-                                                 apreq->ticket->server,
-                                                 NULL,
-                                                 NULL,
-                                                 ticket))
+                   (retval = krb5_rd_req_decoded(kdc_context, &auth_context,
+                                                 apreq, apreq->ticket->server,
+                                                kdc_active_realm->realm_keytab,
+                                                 NULL, ticket))
                    )
                    goto cleanup_auth_context;
            }
-       }
-       else
+       } else
            goto cleanup_auth_context;
     }
 
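Review bot: The replay-cache recovery path repeats the full `krb5_rd_req_decoded` call from the first hunk, so the new `kdc_active_realm->realm_keytab` argument now has to be maintained in two places; it was updated in both here, but a future change to one call site (a different keytab, an extra flag) will silently desynchronise the retry. A small `static krb5_error_code tgs_rd_req(krb5_auth_context *ac, krb5_ap_req *apreq, krb5_ticket **ticket)` wrapping the call, used at both sites, removes the duplication. The reflowed `if (!(retval = kdc_initialize_rcache(kdc_context, (char *) NULL)))` and the `} else` followed by an unbraced `goto` are fine stylistically but the `else` body would read better braced like its sibling. The enclosing function continues outside the hunk.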
@@ -317,6 +316,10 @@ cleanup:
     return retval;
 }
 
+/* XXX This function should no longer be necessary. 
+ * The KDC should take the keytab associated with the realm and pass that to 
+ * the krb5_rd_req_decode(). --proven
+ */
 krb5_error_code
 kdc_get_server_key(ticket, key, kvno)
     krb5_ticket        * ticket;
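Review bot: The new comment refers to `krb5_rd_req_decode()`, but the function this file passes the keytab to (earlier in this commit) is `krb5_rd_req_decoded()`, so the comment points at a name that does not appear in the file. With its only caller in this file now commented out, `kdc_get_server_key` is dead code that is still exported; either remove it together with the commented-out caller, or keep it with an accurate note such as `/* XXX Unused since the KDC passes realm_keytab to krb5_rd_req_decoded(); kept until the kdb keytab is proven. --proven */`. The function definition continues past the end of the hunk.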
index 49f2a89ed37a276ad59c37029b3d1cb7d07e0add..68e6886dc48596c28faf4ff3f4aeb34469fb23f3 100644 (file)
@@ -36,6 +36,7 @@
 #include "kdc_util.h"
 #include "extern.h"
 #include "kdc5_err.h"
+#include "kdb_dbc.h"
 #ifdef KRB5_USE_INET
 #include <netinet/in.h>
 #endif
@@ -257,6 +258,8 @@ finish_realm(rdp)
        free(rdp->realm_ports);
     if (rdp->realm_kstypes)
        free(rdp->realm_kstypes);
+    if (rdp->realm_keytab)
+       krb5_kt_close(rdp->realm_context, rdp->realm_keytab);
     if (rdp->realm_context) {
        if (rdp->realm_mprinc)
            krb5_free_principal(rdp->realm_context, rdp->realm_mprinc);
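Review bot: `krb5_kt_close(rdp->realm_context, rdp->realm_keytab)` is guarded only by the keytab being non-NULL, which assumes the new `realm_keytab` field is zeroed before `init_realm` can fail; that initialisation is not part of this commit, and if it is missing an early `whoops` exit would hand an uninitialised handle to `krb5_kt_close`. The field is also left dangling after the close, so a second pass over the same realm data would close it again; `rdp->realm_keytab = NULL;` after the call is cheap. Because this keytab is resolved against the realm's database context later in the commit, its close should precede whatever database teardown `finish_realm` does below this hunk — that ordering is not visible here and should be confirmed.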
@@ -296,6 +299,7 @@ init_realm(progname, rdp, realm, def_dbname, def_mpname,
     char               *def_ports;
     krb5_boolean       def_manual;
 {
+    krb5_db_context    db_context;
     krb5_error_code    kret;
     krb5_boolean       manual;
     krb5_db_entry      db_entry;
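Review bot: `db_context` is an automatic variable of `init_realm`, yet later in this commit its address is passed to `krb5_ktkdb_resolve` to produce `rdp->realm_keytab`, a handle that outlives the call (it is used by `krb5_rd_req_decoded` in kdc_util.c and closed in `finish_realm`). If the kdb keytab implementation retains that pointer rather than copying the context, every subsequent use of the realm keytab dereferences a dead stack frame. Unless `krb5_ktkdb_resolve` is known to copy, the context should live with the realm data — a field beside `realm_keytab`, or an allocation released in `finish_realm`. The variable is also declared without an initializer; whether `krb5_dbm_db_set_mkey` expects it pre-initialised is not visible in this diff. The same issue applies to the hunk that uses it.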
@@ -528,6 +532,20 @@ init_realm(progname, rdp, realm, def_dbname, def_mpname,
                goto whoops;
            }
 
+/* Set master encblock with db_context */
+if ((kret = krb5_dbm_db_set_mkey(rdp->realm_context, &db_context, 
+                                &rdp->realm_encblock))) {
+com_err(progname, kret, "while setting master key for realm %s", realm);
+goto whoops;
+}
+
+/* Set up the keytab */
+if (kret = krb5_ktkdb_resolve(rdp->realm_context, &db_context, 
+                             &rdp->realm_keytab)) {
+com_err(progname, kret, "while resolving kdb keytab for realm %s", realm);
+goto whoops;
+}
+
            /* Preformat the TGS name */
            if ((kret = krb5_build_principal(rdp->realm_context,
                                             &rdp->realm_tgsprinc,
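Review bot: The two new blocks are flush at column 0 inside a nested block, and the keytab check is written `if (kret = krb5_ktkdb_resolve(...))` while every neighbouring test in this function uses the `if ((kret = ...))` form that tells compilers the assignment is intentional. Re-indent to match the surrounding code and write `if ((kret = krb5_ktkdb_resolve(rdp->realm_context, &db_context,` / `&rdp->realm_keytab))) {`. If `krb5_ktkdb_resolve` fails after `krb5_dbm_db_set_mkey` has succeeded, the `whoops` path (outside this hunk) needs to be able to cope with a partially set-up database context; that is worth confirming. `init_realm` continues beyond the end of the hunk.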