From 416d9a774090ee78c30a844025887bd2b9e79d16 Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Thu, 6 Mar 2003 02:39:51 +0000 Subject: [PATCH] use kdb keytab for kadmind kadmind previously required a file-based keytab to support its use of gssapi. For ease of administration, a kdb-based keytab would be beneficial. This commit includes changes to the kdb library to support this goal, as well as actual changes in the kadmind itself. ticket: new git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15237 dc483132-0cff-0310-8789-dd5450dbe970 --- src/include/krb5/ChangeLog | 5 +++ src/include/krb5/kdb_kt.h | 6 +++- src/kadmin/server/ChangeLog | 8 +++++ src/kadmin/server/Makefile.in | 3 ++ src/kadmin/server/ovsec_kadmd.c | 59 +++++++++++++++++++++++++++------ src/kdc/ChangeLog | 4 +++ src/kdc/main.c | 2 +- src/lib/kdb/ChangeLog | 18 ++++++++++ src/lib/kdb/Makefile.in | 4 +-- src/lib/kdb/kdb_xdr.c | 4 +-- src/lib/kdb/keytab.c | 31 ++++++++++++++--- 11 files changed, 124 insertions(+), 20 deletions(-) diff --git a/src/include/krb5/ChangeLog b/src/include/krb5/ChangeLog index 226b0a5ae..ff3d7b301 100644 --- a/src/include/krb5/ChangeLog +++ b/src/include/krb5/ChangeLog @@ -1,3 +1,8 @@ +2003-03-05 Tom Yu + + * kdb_kt.h: Add krb5_ktkdb_set_context. Update prototype of + krb5_ktdb_resolve. Add krb5_kt_kdb_ops. + 2003-03-05 Sam Hartman * Remove kdb_dbm.h diff --git a/src/include/krb5/kdb_kt.h b/src/include/krb5/kdb_kt.h index e0afae1ca..1c06a5bb9 100644 --- a/src/include/krb5/kdb_kt.h +++ b/src/include/krb5/kdb_kt.h @@ -35,7 +35,11 @@ #include "kdb.h" -krb5_error_code krb5_ktkdb_resolve (krb5_context, krb5_keytab *); +extern struct _krb5_kt_ops krb5_kt_kdb_ops; + +krb5_error_code krb5_ktkdb_resolve (krb5_context, const char *, krb5_keytab *); + +krb5_error_code krb5_ktkdb_set_context(krb5_context); #endif /* !defined(macintosh) */ #endif /* KRB5_KDB5_DBM__ */ diff --git a/src/kadmin/server/ChangeLog b/src/kadmin/server/ChangeLog index b1a8f7878..c7238e016 100644 
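Review bot: The two new declarations in kdb_kt.h carry no documentation, and their semantics are not visible from the prototypes: the `const char *` added to krb5_ktkdb_resolve is never read by the implementation in keytab.c, and krb5_ktkdb_set_context installs a process-wide context that keytab.c's get_entry then prefers over the context every caller passes in. A header comment along the lines of `/* Context set here overrides the caller's context in every KDB keytab lookup in the process; pass NULL to restore per-call contexts. The context is borrowed, not owned, and must outlive all KDB keytab use. */` would save the next reader a trip into the library. The name parameter likewise deserves `/* residual after "KDB:"; currently ignored */` so that callers such as kdc/main.c, which passes NULL, know the value does not matter.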
--- a/src/kadmin/server/ChangeLog +++ b/src/kadmin/server/ChangeLog @@ -1,3 +1,11 @@ +2003-03-05 Tom Yu + + * Makefile.in (LOCALINCLUDES): Add gssapi directories in order to + get internal includes. + + * ovsec_kadmd.c (main): Go through contortions to set up a kdb + keytab for gssapi, so we can avoid needing a file-based keytab. + 2003-01-09 Ken Raeburn * ovsec_kadmd.c (do_schpw): Use socklen_t when passing address to diff --git a/src/kadmin/server/Makefile.in b/src/kadmin/server/Makefile.in index d86529c5e..8a1ee6e39 100644 --- a/src/kadmin/server/Makefile.in +++ b/src/kadmin/server/Makefile.in @@ -3,6 +3,9 @@ myfulldir=kadmin/server mydir=server BUILDTOP=$(REL)..$(S).. +LOCALINCLUDES = -I$(SRCTOP)/lib/gssapi/generic -I$(SRCTOP)/lib/gssapi/krb5 \ + -I$(BUILDTOP)/lib/gssapi/generic -I$(BUILDTOP)/lib/gssapi/krb5 + PROG_LIBPATH=-L$(TOPLIBD) PROG_RPATH=$(KRB5_LIBDIR) diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c index 776eace1e..373500398 100644 --- a/src/kadmin/server/ovsec_kadmd.c +++ b/src/kadmin/server/ovsec_kadmd.c @@ -44,12 +44,15 @@ #include #include #include +#include "gssapiP_krb5.h" /* for kg_get_context */ #include #include #include #include #include +#include "krb5/kdb_kt.h" /* for krb5_ktkdb_set_context */ #include +#include "kadm5/server_internal.h" /* XXX for kadm5_server_handle_t */ #include "misc.h" @@ -93,12 +96,7 @@ void *global_server_handle; #define OVSEC_KADM_ADMIN_SERVICE "ovsec_adm/admin" #define OVSEC_KADM_CHANGEPW_SERVICE "ovsec_adm/changepw" -/* - * This enables us to set the keytab that gss_acquire_cred uses, but - * it also restricts us to linking against the Kv5 GSS-API library. - * Since this is *k*admind, that shouldn't be a problem. - */ -extern char *krb5_overridekeyname; +extern krb5_keyblock master_keyblock; char *build_princ_name(char *name, char *realm); void log_badauth(OM_uint32 major, OM_uint32 minor, 
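Review bot: `extern krb5_keyblock master_keyblock;` replaces the removed comment block with a bare extern to a global defined in another library (the later hunk's XXX locates it in lib/kadm5/server_kdb.c), and the linking constraint the old comment documented still holds, since kg_get_context and krb5_gss_register_acceptor_identity used in main are krb5-mechanism internals. Keep that rationale beside the declaration rather than only at the use site, e.g. `/* Defined in lib/kadm5/server_kdb.c; no header declares it. Needed to key the kdb keytab for gssapi, which also pins kadmind to the krb5 GSS mechanism. */`. The declaration should also be revisited when the master key handling in kadm5 changes, because nothing here would catch a type or name drift at compile time.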
@@ -188,6 +186,8 @@ static void display_status_1(m, code, type) /* XXX yuck. the signal handlers need this */ static krb5_context context; +static krb5_context gctx, hctx; + int main(int argc, char *argv[]) { register SVCXPRT *transp; @@ -485,10 +485,49 @@ int main(int argc, char *argv[]) exit(1); } - /* XXX krb5_overridekeyname is an internal library global and should - go away. This is an awful hack. */ - - krb5_overridekeyname = params.admin_keytab; + /* + * Go through some contortions to point gssapi at a kdb keytab. + * This prevents kadmind from needing to use an actual file-based + * keytab. + */ + ret = kg_get_context(&minor_status, &gctx); + if (ret) { + krb5_klog_syslog(LOG_ERR, "Can't get krb5_gss internal context."); + goto kterr; + } + /* XXX extract kadm5's krb5_context */ + hctx = ((kadm5_server_handle_t)global_server_handle)->context; + /* Set ktkdb's internal krb5_context. */ + ret = krb5_ktkdb_set_context(hctx); + if (ret) { + krb5_klog_syslog(LOG_ERR, "Can't set kdb keytab's internal context."); + goto kterr; + } + /* XXX master_keyblock is in guts of lib/kadm5/server_kdb.c */ + ret = krb5_db_set_mkey(hctx, &master_keyblock); + if (ret) { + krb5_klog_syslog(LOG_ERR, "Can't set master key for kdb keytab."); + goto kterr; + } + ret = krb5_kt_register(gctx, &krb5_kt_kdb_ops); + if (ret) { + krb5_klog_syslog(LOG_ERR, "Can't register kdb keytab."); + goto kterr; + } + /* Tell gssapi about the kdb keytab. */ + ret = krb5_gss_register_acceptor_identity("KDB:"); + if (ret) { + krb5_klog_syslog(LOG_ERR, "Can't register acceptor keytab."); + goto kterr; + } +kterr: + if (ret) { + krb5_klog_syslog(LOG_ERR, "%s", error_message(ret)); + fprintf(stderr, "%s: Can't set up keytab for RPC.\n", whoami); + kadm5_destroy(global_server_handle); + krb5_klog_close(context); + exit(1); + } /* * Try to acquire creds for the old OV services as well as the diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog index cace07547..eb4273615 100644 --- a/src/kdc/ChangeLog 
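Review bot: `gctx` and `hctx` are declared at file scope next to `context`, but the only references this patch makes to them are inside main (the following hunk), and the comment justifying `context` as a static — the signal handlers need it — does not extend to them. Unless a handler elsewhere in the file reads them, declare them as locals of main, `krb5_context gctx, hctx;`, so that the keytab set-up does not add process-wide mutable state with no owner. main's body continues outside the hunk.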
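Review bot: `error_message(ret)` at the `kterr:` label is fed whatever the failing call returned, but kg_get_context follows the GSS-API calling convention (note the `&minor_status` out-parameter), so on that path ret is a GSS major status rather than a com_err code and the logged text will be misleading; log `minor_status` for the kg_get_context failure, and if krb5_gss_register_acceptor_identity likewise returns only a major status, skip the error_message line for it as well. Separately, removing `krb5_overridekeyname = params.admin_keytab;` leaves params.admin_keytab unreferenced in this file; if nothing else in the daemon consumes it, the `admin_keytab` configuration setting is now silently ignored, which deserves at least a log line or a documentation note so administrators do not assume it is still honoured. The five `goto kterr` jumps all land on the label immediately after the last check, which is fine as a "skip the rest" idiom but would read more clearly with a comment on the label such as `/* any ret != 0 above lands here with its message already logged */`.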
+++ b/src/kdc/ChangeLog @@ -1,3 +1,7 @@ +2003-03-05 Tom Yu + + * main.c (init_realm): Update call to krb5_ktdb_resolve(). + 2003-03-04 Ken Raeburn * configure.in: Default to --disable-fakeka. diff --git a/src/kdc/main.c b/src/kdc/main.c index 4619124f2..3e5091cbf 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c @@ -384,7 +384,7 @@ init_realm(char *progname, kdc_realm_t *rdp, char *realm, char *def_dbname, } /* Set up the keytab */ - if ((kret = krb5_ktkdb_resolve(rdp->realm_context, + if ((kret = krb5_ktkdb_resolve(rdp->realm_context, NULL, &rdp->realm_keytab))) { com_err(progname, kret, "while resolving kdb keytab for realm %s", realm); diff --git a/src/lib/kdb/ChangeLog b/src/lib/kdb/ChangeLog index ce72e34e3..d685be6d9 100644 --- a/src/lib/kdb/ChangeLog +++ b/src/lib/kdb/ChangeLog @@ -1,3 +1,21 @@ +2003-03-05 Tom Yu + + * kdb_xdr.c (krb5_dbe_search_enctype): Check for ktype > 0 rather + than ktype >= 0; file keytab uses ktype 0 to indicate "first + match", as does acquire_cred. The kdc uses -1, though. + + * Makefile.in (LIBMAJOR): Bump major version due to change in + krb5_ktkdb_resolve's signature. + + * keytab.c (krb5_ktkdb_resolve): Add NAME parameter, which is + ignored, so that kdb keytab can be registered. + (krb5_ktkdb_set_context): New function; allows caller to set a + different context for use with ktkdb_get_entry(). This is + primarily useful for kadmind, where the gssapi library context, + which will be used for the keytab, will necessarily have a + different context than that used by the kadm5 library to access + the database for its own purposes. + 2003-02-08 Tom Yu * keytab.c (krb5_ktkdb_get_entry): Fix comment; not going to diff --git a/src/lib/kdb/Makefile.in b/src/lib/kdb/Makefile.in index 0afd963ec..ea80b7652 100644 --- a/src/lib/kdb/Makefile.in +++ b/src/lib/kdb/Makefile.in 
@@ -8,8 +8,8 @@ PROG_LIBPATH=-L$(TOPLIBD) PROG_RPATH=$(KRB5_LIBDIR) LIB=kdb5 -LIBMAJOR=3 -LIBMINOR=2 +LIBMAJOR=4 +LIBMINOR=0 RELDIR=kdb # Depends on libk5crypto and libkrb5 SHLIB_DBLIB_DEPS = $(SHLIB_DBLIB-@DB_VERSION@) diff --git a/src/lib/kdb/kdb_xdr.c b/src/lib/kdb/kdb_xdr.c index 6068444c3..fb0a41ea4 100644 --- a/src/lib/kdb/kdb_xdr.c +++ b/src/lib/kdb/kdb_xdr.c @@ -764,14 +764,14 @@ krb5_dbe_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap) } - if (ktype >= 0) { + if (ktype > 0) { if ((ret = krb5_c_enctype_compare(kcontext, (krb5_enctype) ktype, dbentp->key_data[i].key_data_type[0], &similar))) return(ret); } - if (((ktype < 0) || similar) && + if (((ktype <= 0) || similar) && ((db_stype == stype) || (stype < 0))) { if (kvno >= 0) { if (kvno == dbentp->key_data[i].key_data_kvno) { diff --git a/src/lib/kdb/keytab.c b/src/lib/kdb/keytab.c index d7ee59aad..6ec375ac2 100644 --- a/src/lib/kdb/keytab.c +++ b/src/lib/kdb/keytab.c @@ -36,7 +36,7 @@ krb5_error_code krb5_ktkdb_get_entry (krb5_context, krb5_keytab, krb5_const_prin krb5_kt_ops krb5_kt_kdb_ops = { 0, "KDB", /* Prefix -- this string should not appear anywhere else! */ - NULL, /* resolve */ + krb5_ktkdb_resolve, /* resolve */ NULL, /* get_name */ krb5_ktkdb_close, /* close */ krb5_ktkdb_get_entry, /* get */ @@ -53,8 +53,9 @@ typedef struct krb5_ktkdb_data { } krb5_ktkdb_data; krb5_error_code -krb5_ktkdb_resolve(context, id) +krb5_ktkdb_resolve(context, name, id) krb5_context context; + const char * name; krb5_keytab * id; { if ((*id = (krb5_keytab) malloc(sizeof(**id))) == NULL) 
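Review bot: The new `ktype > 0` test silently changes what enctype 0 means to this function: it previously requested a key of ENCTYPE_NULL (which is 0) and now acts as a wildcard like the file keytab's "first match", so an explicit ENCTYPE_NULL can no longer be selected here. That is the intent per the ChangeLog, but nothing in the code says so; add `/* ktype 0 (ENCTYPE_NULL) and negative values both mean "any enctype", matching keytab and acquire_cred conventions; the KDC passes -1. */` above the `if (ktype > 0)`, and mirror it in the function's header comment, which lies outside this hunk. Callers that need a specific enctype must still pass it explicitly, since first-match returns whichever key sits first in key_data.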
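Review bot: With `resolve` filled in, `krb5_kt_kdb_ops` becomes reachable through the generic keytab registry (ovsec_kadmd.c calls krb5_kt_register on it), yet `get_name` is still NULL; any generic code that dispatches through ops->get_name, as krb5_kt_get_name presumably does, would call a null function pointer on a KDB keytab. A minimal get_name that returns the type prefix closes that gap, and the ops initializer should then name it in the get_name slot instead of NULL.
```c
/* get_name op: a KDB keytab has no residual, so its name is just the prefix. */
static krb5_error_code
krb5_ktkdb_get_name(krb5_context context, krb5_keytab kt, char *name, unsigned int namelen)
{
    if (namelen < sizeof("KDB:"))
        return KRB5_KT_NAME_TOOLONG;
    strcpy(name, "KDB:");
    return 0;
}
/* … unchanged: krb5_kt_kdb_ops, with krb5_ktkdb_get_name in the get_name slot … */
```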
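Review bot: The added `name` parameter is accepted and never read, so once the type is registered `krb5_kt_resolve` on any `KDB:<residual>` string succeeds with the residual silently discarded. Either say so where it is declared, `const char * name; /* residual after "KDB:"; ignored, every KDB keytab is the one database */`, or reject a stray residual with `if (name != NULL && *name != '\0') return KRB5_KT_BADNAME;` so that a typo in a configured keytab name does not quietly bind to the database; the NULL check keeps the kdc/main.c caller working. krb5_ktkdb_resolve's body continues outside the hunk.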
@@ -83,15 +84,32 @@ krb5_ktkdb_close(context, kt) return 0; } +static krb5_context ktkdb_ctx = NULL; + +/* + * Set a different context for use with ktkdb_get_entry(). This is + * primarily useful for kadmind, where the gssapi library context, + * which will be used for the keytab, will necessarily have a + * different context than that used by the kadm5 library to access the + * database for its own purposes. + */ +krb5_error_code +krb5_ktkdb_set_context(krb5_context ctx) +{ + ktkdb_ctx = ctx; + return 0; +} + krb5_error_code -krb5_ktkdb_get_entry(context, id, principal, kvno, enctype, entry) - krb5_context context; +krb5_ktkdb_get_entry(in_context, id, principal, kvno, enctype, entry) + krb5_context in_context; krb5_keytab id; krb5_const_principal principal; krb5_kvno kvno; krb5_enctype enctype; krb5_keytab_entry * entry; { + krb5_context context; krb5_keyblock * master_key; krb5_error_code kerror = 0; krb5_key_data * key_data; @@ -99,6 +117,11 @@ krb5_ktkdb_get_entry(context, id, principal, kvno, enctype, entry) krb5_boolean more = 0; int n = 0; + if (ktkdb_ctx) + context = ktkdb_ctx; + else + context = in_context; + /* Open database */ /* krb5_db_init(context); */ if ((kerror = krb5_db_open_database(context))) -- 2.26.2
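Review bot: `ktkdb_ctx` is a single unguarded file-scope pointer, and once set it overrides `in_context` for every KDB keytab handle in the process, not only the one the caller had in mind — the `if (ktkdb_ctx)` in the following hunk makes no per-handle distinction. That is adequate for kadmind's single-database case, but it should be stated in krb5_ktkdb_set_context's comment together with ownership (the context is borrowed and must outlive every lookup; passing NULL restores per-call contexts), since nothing here frees or validates it. If a per-handle override is ever wanted, keeping the context in krb5_ktkdb_data would avoid the global entirely.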