From: Mark Eichin
Date: Mon, 11 Nov 1996 21:57:22 +0000 (+0000)
Subject: * kadmin/dbutil dumpv4 expiration ("never") fixes
X-Git-Tag: krb5-1.0-freeze1~57
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=b4e07db1468aa2b627f2472c3c88bda0877ca009;p=krb5.git
* kadmin/dbutil dumpv4 expiration ("never") fixes * kadmin/dbutil loadv4 stashfile, default fixes (original changelogs included.) git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@9372 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/kadmin/dbutil/ChangeLog b/src/kadmin/dbutil/ChangeLog
index ee6a8779d..4d529ed54 100644
--- a/src/kadmin/dbutil/ChangeLog
+++ b/src/kadmin/dbutil/ChangeLog
@@ -1,3 +1,45 @@ +Mon Nov 11 16:50:25 1996 Mark Eichin + + * kadmin/dbutil dumpv4 expiration ("never") fixes + * kadmin/dbutil loadv4 stashfile, default fixes + + Fri Sep 27 18:45:43 1996 Mark Eichin + + * dump.c (read_string): fgetc doesn't return char. + + Wed Sep 11 23:45:11 1996 Mark Eichin + + * loadv4.c (enter_in_v5_db): set last_pwd_change from the + mod_time, not only the mod_princ_data. + + Wed Sep 11 00:02:33 1996 Mark Eichin + + * dumpv4.c (dump_v4_iterator): detect expiration time of "never" + and fill in a reasonable default (namely, the Cygnus 96q1 default + of 12/31/2009.) + + * loadv4.c (v4_dump_find_default): New function. Scans a dumpfile + for a "default" entry, which was probably created at kdb_init time + and probably hasn't changed from either the MIT default of + 12/31/1999 or the Cygnus 96q1 default of 12/31/2009. Check for + either value, and replace it with 0, which is understood as + "never" in V5. If verbose is set (-v flag), log either the match + or the non-matching value. + (process_v4_dump): new argument default_exp_time, the value found + by v4_dump_find_default, actually performs the replacement of + matching entries. + (load_v4db): call v4_dump_find_default to get the default + expiration time. + * kdb5_util.M: document the above changes. + + Sun Sep 8 01:02:47 1996 Mark W. Eichin + + * kdb5_util.c (usage): document load_v4 -s stashfile. + (main): fix typo in usage message. + * kdb5_util.M: document load_v4, including new options, removing + previously eliminated -f option. + * loadv4.c (load_v4db): support -s stashfile option. + Thu Nov 7 20:53:17 1996 Tom Yu * configure.in: Remove spurious WITH_KRB4. diff --git a/src/kadmin/dbutil/configure.in b/src/kadmin/dbutil/configure.in index 4d3b06a8a..539020aeb 100644 --- a/src/kadmin/dbutil/configure.in +++ b/src/kadmin/dbutil/configure.in @@ -1,5 +1,6 @@ AC_INIT(kdb5_create.c) CONFIG_RULES +AC_HAVE_FUNCS(getcwd strstr) AC_PROG_INSTALL AC_PROG_AWK USE_KADMSRV_LIBRARY 
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c index 6f9b4b7d7..64522f6c9 100644 --- a/src/kadmin/dbutil/dump.c +++ b/src/kadmin/dbutil/dump.c @@ -1012,7 +1012,7 @@ read_string(f, buf, len, lp) retval = 0; for (i=0; if); } + if (entry->expiration == 0) { + /* 0 means "never" expire. V4 didn't support that, so rather than + having everything appear to have expired in 1970, we nail in the + Cygnus 96q1 default value. The value quoted here is directly + from src/admin/kdb_init.c in Cygnus CNS V4 96q1, and is + roughly 12/31/2009. */ + v4_print_time(arg->f, 946702799+((365*10+3)*24*60*60)); + } else { v4_print_time(arg->f, entry->expiration); + } v4_print_time(arg->f, mod_time); fprintf(arg->f, " %s %s\n", principal->mod_name, principal->mod_instance); diff --git a/src/kadmin/dbutil/kdb5_util.M b/src/kadmin/dbutil/kdb5_util.M index b364eeb4b..829e55af8 100644 --- a/src/kadmin/dbutil/kdb5_util.M +++ b/src/kadmin/dbutil/kdb5_util.M 
@@ -159,7 +159,41 @@ if not specified. \fBdump_v4\fP [\fIfilename\fP] Dumps the current database into the Kerberos 4 database dump format. .TP -\fBload_v4\fP [\fB\-t\fP] [\fB-n\fP] [\fB\-K\fP] [\fB-f\fP] \fIinputfile\fP -Loads a Kerberos 4 database dump file. +\fBload_v4\fP [\fB\-t\fP] [\fB-n\fP] [\fB\-K\fP] [\fB-s \fIstashfile\fP] \fIinputfile\fP +Loads a Kerberos 4 database dump file. Options: +.RS +.TP +.B \-K +prompts for the V5 master key instead of using the stashed version. +.TP +.B \-n +prompts for the V4 master key, instead of reading from the stash file. +.TP +.B \-s \fIstashfile +gets the V4 master key out of \fIstashfile\fP instead of /.k +.TP +.B \-T +creates a new \fIkrbtgt\fP instead of converting the V4 one. The V5 server +will thus not recognize outstanding tickets, so this should be used +with caution. +.TP +.B \-v +lists each principal as it is converted or ignored. +.TP +.B \-t +uses a temporary database, then moves that into place, instead of adding +the keys to the current database. +.PP +Note: if the Kerberos 4 database had a default expiration date of 12/31/1999 +or 12/31/2009 (the compiled in defaults for older or newer Kerberos +releases) then any entries which have the same expiration date will be +converted to "never" expire in the version 5 database. If the default +did not match either value, all expiration dates will be preserved. +.PP +Also, Kerberos 4 stored a single modification time for any change to a +record; Version 5 stores a seperate modification time and last +password change time. In practice, Version 4 "modifications" were +always password changes. \fIload_v4\fP copies the value into both +fields. .SH SEE ALSO kadmin(8) diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c index 06597e7df..c259eba32 100644 --- a/src/kadmin/dbutil/kdb5_util.c +++ b/src/kadmin/dbutil/kdb5_util.c 
@@ -60,7 +60,7 @@ usage() "\tdump [-old] [-ov] [-b6] [-verbose] [filename [princs...]]\n" "\tload [-old] [-ov] [-b6] [-verbose] [-update] filename\n" "\tdump_v4 [filename]\n" - "\tload_v4 [-t] [-n] [-v] [-K] inputfile\n"); + "\tload_v4 [-t] [-n] [-v] [-K] [-s stashfile] inputfile\n"); exit(1); } diff --git a/src/kadmin/dbutil/loadv4.c b/src/kadmin/dbutil/loadv4.c index d49429b6f..2562eb947 100644 --- a/src/kadmin/dbutil/loadv4.c +++ b/src/kadmin/dbutil/loadv4.c @@ -83,7 +83,9 @@ static int v4init PROTOTYPE((char *, int, char *)); static krb5_error_code enter_in_v5_db PROTOTYPE((krb5_context, char *, Principal *)); static krb5_error_code process_v4_dump PROTOTYPE((krb5_context, char *, - char *)); + char *, long)); +static krb5_error_code v4_dump_find_default PROTOTYPE((krb5_context, char *, + char *, long *)); static krb5_error_code fixup_database PROTOTYPE((krb5_context, char *)); static int create_local_tgt = 0; @@ -142,6 +144,7 @@ char *argv[]; int persist, op_ind; kadm5_config_params newparams; extern kadm5_config_params global_params; + long exp_time = 0; krb5_init_context(&context); @@ -168,6 +171,14 @@ char *argv[]; else if (!strcmp(argv[op_ind], "-n")) { v4manual++; } + else if (!strcmp(argv[op_ind], "-s")) { + if ((argc - op_ind) >= 1) { + v4_mkeyfile = argv[op_ind+1]; + op_ind++; + } else { + usage(); + } + } else if ((argc - op_ind) >= 1) { v4dumpfile = argv[op_ind]; op_ind++; @@ -326,7 +337,12 @@ master key name '%s'\n", return; } - retval = process_v4_dump(context, v4dumpfile, realm); + retval = v4_dump_find_default(context, v4dumpfile, realm, &exp_time); + if (retval) { + com_err(PROGNAME, retval, "warning: default entry not found"); + } + + retval = process_v4_dump(context, v4dumpfile, realm, exp_time); putchar('\n'); if (retval) com_err(PROGNAME, retval, "while translating entries to the database"); 
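Review bot: In the loadv4.c option-parsing hunk, the new `-s` branch tests `(argc - op_ind) >= 1`, which already holds whenever `argv[op_ind]` itself exists, so a trailing `-s` with no filename stores `argv[argc]` (NULL) in `v4_mkeyfile` and the `usage()` branch is never reached. The guard should require a following argument: `if ((argc - op_ind) >= 2) {`. The enclosing loop starts outside the hunk, so this assumes `op_ind` always indexes a valid argument at this point, as the neighbouring branches suggest.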
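Review bot: In the loadv4.c hunk that calls `v4_dump_find_default`, the `com_err` text "warning: default entry not found" does not match the conditions that make `retval` non-zero. As added in this commit, the function returns `errno` when `fopen` fails and `KRB5_KDB_DB_CORRUPT` on a malformed record, but returns 0 when it reaches EOF without seeing a default entry. A message such as `"while scanning dump file for default expiration"` describes the real failure, and it is worth deciding explicitly whether to continue into `process_v4_dump` after an unreadable or corrupt dump. The enclosing function extends beyond the hunk.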
@@ -514,6 +530,9 @@ Principal *princ; if (!retval) retval = krb5_dbe_update_mod_princ_data(context, &entry, mod_time, mod_princ); + if (!retval) + retval = krb5_dbe_update_last_pwd_change(context, &entry, mod_time); + if (retval) { krb5_db_free_principal(context, &entry, 1); krb5_free_principal(context, mod_princ); @@ -731,10 +750,11 @@ register char *cp; } static krb5_error_code -process_v4_dump(context, dumpfile, realm) +process_v4_dump(context, dumpfile, realm, default_exp_time) krb5_context context; char *dumpfile; char *realm; +long default_exp_time; { krb5_error_code retval; FILE *input_file; @@ -776,6 +796,8 @@ char *realm; aprinc.kdc_key_ver = (unsigned char) temp2; aprinc.key_version = (unsigned char) temp3; aprinc.exp_date = time_explode(exp_date_str); + if (aprinc.exp_date == default_exp_time) + aprinc.exp_date = 0; aprinc.mod_date = time_explode(mod_date_str); if (aprinc.instance[0] == '*') aprinc.instance[0] = '\0'; 
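Review bot: The new comparison `aprinc.exp_date == default_exp_time` in process_v4_dump has no comment, and it removes the expiration from every principal whose date equals the site default, including any that an administrator set to that date on purpose. Expiration is an access-control property, so I would document the sentinel with `/* default_exp_time is 0 unless a known compiled-in default was found; matching entries become "never" (0) in V5 */`. I would also report each rewritten principal when `verbose` is set, assuming that flag is in scope here as it is in v4_dump_find_default. The function body starts and ends outside this hunk.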
@@ -790,6 +812,94 @@ char *realm; return retval; } +static krb5_error_code +v4_dump_find_default(context, dumpfile, realm, exptime) +krb5_context context; +char *dumpfile; +char *realm; +long *exptime; +{ + krb5_error_code retval = 0; + FILE *input_file; + Principal aprinc; + char exp_date_str[50]; + char mod_date_str[50]; + int temp1, temp2, temp3; + long time_explode(); + long foundtime, guess1, guess2; + + /* kdb_init is usually the only thing to touch the time in the + default entry, and everything else just copies that time. If + the site hasn't changed it, we can assume that "never" is an + appropriate value for V5. There have been two values compiled + in, typically: + + MIT V4 had the code + principal.exp_date = 946702799; + strncpy(principal.exp_date_txt, "12/31/99", DATE_SZ); + + Cygnus CNS V4 had the code + principal.exp_date = 946702799+((365*10+3)*24*60*60); + strncpy(principal.exp_date_txt, "12/31/2009", DATE_SZ); + + However, the dump files only store minutes -- so these values + are 59 seconds high. + + Other values could be added later, but in practice these are + likely to be the only ones. */ + + guess1 = 946702799-59; + guess2 = 946702799+((365*10+3)*24*60*60); + + input_file = fopen(dumpfile, "r"); + if (!input_file) + return errno; + + for (;;) { /* explicit break on eof from fscanf */ + int nread; + + memset((char *)&aprinc, 0, sizeof(aprinc)); + nread = fscanf(input_file, + "%s %s %d %d %d %hd %x %x %s %s %s %s\n", + aprinc.name, + aprinc.instance, + &temp1, + &temp2, + &temp3, + &aprinc.attributes, + &aprinc.key_low, + &aprinc.key_high, + exp_date_str, + mod_date_str, + aprinc.mod_name, + aprinc.mod_instance); + if (nread != 12) { + retval = nread == EOF ? 
0 : KRB5_KDB_DB_CORRUPT; + break; + } + if (!strcmp(aprinc.name, "default") + && !strcmp(aprinc.instance, "*")) { + foundtime = time_explode(exp_date_str); + if (foundtime == guess1 || foundtime == guess2) + *exptime = foundtime; + if (verbose) { + printf("\ndefault expiration found: "); + if (foundtime == guess1) { + printf("MIT or pre96q1 value (1999)"); + } else if (foundtime == guess2) { + printf("Cygnus CNS post 96q1 value (2009)"); + } else { + printf("non-default start time (%d,%s)", + foundtime, exp_date_str); + } + } + break; + } + } + (void) fclose(input_file); + return retval; +} + static krb5_error_code fixup_database(context, realm) krb5_context context; char * realm; diff --git a/src/kadmin/dbutil/util.c b/src/kadmin/dbutil/util.c index 78de2cd6f..5fdb7aad2 100644 --- a/src/kadmin/dbutil/util.c +++ b/src/kadmin/dbutil/util.c @@ -33,7 +33,7 @@ #include "k5-int.h" #include "./kdb5_edit.h" -#if defined(sysvimp) || ( defined(mips) && defined(SYSTYPE_BSD43)) || (defined(vax) && !defined(ultrix)) +#ifndef HAVE_STRSTR char * strstr(s1, s2) char *s1; @@ -50,7 +50,7 @@ char *s2; } return ((char *) 0); } -#endif /* sysvimp */ +#endif /* HAVE_STRSTR */ void parse_token(token_in, must_be_first_char, num_tokens, tokens_out)
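Review bot: In v4_dump_find_default the `fscanf` format uses unbounded `%s` for six fields, so an over-long token in the dump file writes past `exp_date_str[50]`, `mod_date_str[50]` and the string fields of `aprinc` on the stack. The two local buffers should be read with `%49s`, and the `Principal` fields with widths one less than their declared sizes, which are not visible in this hunk. Separately, the comment says dump files store only minutes, which makes the compiled-in values 59 seconds high, yet only `guess1` is adjusted; by that reasoning `guess2` needs the same correction, `guess2 = 946702799+((365*10+3)*24*60*60)-59;`. The verbose branch also prints the `long` value `foundtime` with `%d` and should use `%ld`.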