From 776a9fa505e71b6277a8857a2bfd527e02667465 Mon Sep 17 00:00:00 2001 
From: Ken Raeburn Date: Tue, 16 May 2006 01:45:00 +0000 Subject: [PATCH] * lib/kadm5/alt_prof.c (kadm5_get_config_params): Replace filename and envvar arguments with a flag indicating whether KDC config data should be used. Prototype and all callers changed. (krb5_read_realm_params): Delete config file and env var arguments. Prototype and all callers changed. * lib/kadm5/admin.h (KADM5_CONFIG_PROFILE): Commented out. (struct _kadm5_config_params): Delete field PROFILE. * lib/kadm5/alt_prof.c (kadm5_get_config_params): Don't look at it. (kadm5_free_config_params): Don't free it. * kadmin/testing/tcl/util.t: Remove profile data from config params. * kadmin/testing/util/tcl_kadm5.c (config_mask_flags): Deleted KADM5_CONFIG_PROFILE entry. (parse_config_params): Changed to require 20 parameters instead of 21. * lib/kadm5/unit-test/api.2/init-v2.exp (test100): Deleted. * lib/kadm5/alt_prof.c (krb5_aprof_init): Fetch the list of config files from the library and add the caller-indicated config file to the front of the list. * lib/kadm5/clnt/client_init.c (kadm5_init_krb5_context): New function. * lib/kadm5/clnt/libkadm5clnt.exports: Export it. * lib/kadm5/srv/server_init.c: Include k5-int.h, osconf.h, gssapiP_krb5.h. (kadm5_init_krb5_context): New function. * lib/kadm5/srv/libkadm5srv.exports: Export it. * lib/kadm5/srv/Makefile.in (LOCAL_INCLUDES): Add gssapi directories. * lib/kadm5/admin.h (kadm5_init_krb5_context): Declare it. * kadmin/dbutil/kdb5_destroy.c (kdb5_destroy): Call kadm5_init_krb5_context instead of krb5_init_context. * kadmin/dbutil/dump.c (load_db): Likewise. * kadmin/dbutil/kdb5_util.c (main): Likewise. * kadmin/dbutil/kadm5_create.c (kadm5_create): Likewise. * kadmin/dbutil/kdb5_stash.c (kdb5_stash): Likewise. * kadmin/dbutil/loadv4.c (load_v4db): Likewise. * kadmin/server/ovsec_kadmd.c (main): Likewise. * kadmin/cli/kadmin.c (kadmin_startup): Likewise. * kadmin/testing/util/tcl_ovsec_kadm.c (tcl_ovsec_kadm_init): Likewise. 
* lib/kadm5/unit-test/lock-test.c (main): Likewise. * lib/kadm5/unit-test/handle-test.c (main): Likewise. * lib/kadm5/unit-test/randkey-test.c (main): Likewise. * lib/kadm5/unit-test/setkey-test.c (main): Likewise. * lib/kadm5/chpass_util.c (_kadm5_chpass_principal_util): Likewise. * lib/kadm5/kadm_rpc_xdr.c (xdr_krb5_principal): Likewise. * lib/krb5/os/init_os_ctx.c (add_kdc_config_file): New function. (os_init_paths): Add new argument KDC; call add_kdc_config_file if true. * lib/krb5/krb/init_ctx.c (krb5int_init_context_kdc): New function. (init_common): Add new argument KDC, passed to krb5_os_init_context. * lib/krb5/libkrb5.exports: Export krb5int_init_context_kdc. * k5-int.h (krb5_os_init_context): Update decl. * lib/kadm5/srv/server_init.c (kadm5_init): Call krb5int_init_context_kdc. * krb524/krb524d.c (main): Likewise. * lib/kadm5/unit-test/api.2/init-v2.exp: Don't run test 154 for error for $KRB5_KDC_PROFILE file not present. * lib/krb5/os/init_os_ctx.c (os_get_default_config_files): Rewrite KLL test so as not to confuse Emacs indentation support. * lib/gssapi/krb5/init_sec_context.c (kg_kdc_flag_mutex, kdc_flag): New variables. (krb5_gss_init_context, krb5_gss_use_kdc_context): New functions. * lib/gssapi/krb5/gssapiP_krb5.h (kg_kdc_flag_mutex): Declare. (krb5_gss_init_context, krb5_gss_use_kdc_context): Declare. (krb5_init_context): Define as macro to invoke krb5_gss_init_context for now. * lib/gssapi/gss_libinit.c (gssint_lib_init): Initialize the mutex. (gssint_lib_fini): Destroy it. * lib/gssapi/libgssapi_krb5.exports: Export krb5_gss_use_kdc_context. * lib/kadm5/srv/server_init.c (kadm5_init): Don't complain if the config files specify an admin server, since we now look at krb5.conf as well. * lib/kadm5/unit-test/api.2/init-v2.exp: Delete test test114 for bad server params. * plugins/kdb/db2/adb_openclose.c (osa_adb_init_db): Use krb5int_init_context_kdc instead of krb5_init_context. * kdc/rtest.c (main): Likewise. * kdc/fakeka.c (main): Likewise. 
* kdc/main.c (main, init_realm): Likewise. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18009 dc483132-0cff-0310-8789-dd5450dbe970 --- src/include/adm_proto.h | 2 - src/include/k5-int.h | 2 +- src/kadmin/cli/kadmin.c | 5 +- src/kadmin/dbutil/dump.c | 4 +- src/kadmin/dbutil/kadm5_create.c | 4 +- src/kadmin/dbutil/kdb5_destroy.c | 2 +- src/kadmin/dbutil/kdb5_stash.c | 2 +- src/kadmin/dbutil/kdb5_util.c | 5 +- src/kadmin/dbutil/loadv4.c | 2 +- src/kadmin/server/ovsec_kadmd.c | 10 +- src/kadmin/testing/proto/krb5.conf.proto | 1 - src/kadmin/testing/tcl/util.t | 37 ++++---- src/kadmin/testing/util/tcl_kadm5.c | 48 +++++----- src/kadmin/testing/util/tcl_ovsec_kadm.c | 2 +- src/kdc/fakeka.c | 4 +- src/kdc/main.c | 6 +- src/kdc/rtest.c | 2 +- src/krb524/krb524d.c | 2 +- src/lib/gssapi/gss_libinit.c | 4 + src/lib/gssapi/krb5/gssapiP_krb5.h | 6 ++ src/lib/gssapi/krb5/init_sec_context.c | 40 ++++++++ src/lib/gssapi/libgssapi_krb5.exports | 1 + src/lib/kadm5/admin.h | 7 +- src/lib/kadm5/alt_prof.c | 107 ++++++++++++---------- src/lib/kadm5/chpass_util.c | 2 +- src/lib/kadm5/clnt/client_init.c | 12 ++- src/lib/kadm5/clnt/libkadm5clnt.exports | 1 + src/lib/kadm5/kadm_rpc_xdr.c | 2 +- src/lib/kadm5/srv/Makefile.in | 4 +- src/lib/kadm5/srv/libkadm5srv.exports | 1 + src/lib/kadm5/srv/server_init.c | 24 ++++- src/lib/kadm5/unit-test/api.2/init-v2.exp | 31 +------ src/lib/kadm5/unit-test/handle-test.c | 2 +- src/lib/kadm5/unit-test/lock-test.c | 5 +- src/lib/kadm5/unit-test/randkey-test.c | 2 +- src/lib/kadm5/unit-test/setkey-test.c | 2 +- src/lib/kdb/kdb_default.c | 3 +- src/lib/krb5/krb/init_ctx.c | 16 +++- src/lib/krb5/libkrb5.exports | 1 + src/lib/krb5/os/init_os_ctx.c | 55 ++++++++--- src/plugins/kdb/db2/adb_openclose.c | 2 +- 41 files changed, 281 insertions(+), 189 deletions(-) diff --git a/src/include/adm_proto.h b/src/include/adm_proto.h index 65b116bc4..2202ae72b 100644 --- a/src/include/adm_proto.h +++ b/src/include/adm_proto.h 
@@ -85,8 +85,6 @@ krb5_error_code krb5_aprof_get_int32 krb5_error_code krb5_aprof_finish (krb5_pointer); krb5_error_code krb5_read_realm_params (krb5_context, - char *, - char *, char *, krb5_realm_params **); krb5_error_code krb5_free_realm_params (krb5_context, diff --git a/src/include/k5-int.h b/src/include/k5-int.h index eaf99322f..da7c3ae09 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -503,7 +503,7 @@ krb5_error_code krb5_sync_disk_file (krb5_context, FILE *fp); krb5_error_code krb5int_get_fq_local_hostname (char *, size_t); -krb5_error_code krb5_os_init_context (krb5_context); +krb5_error_code krb5_os_init_context (krb5_context, krb5_boolean); void krb5_os_free_context (krb5_context); diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c index b24b98ed1..0b1342015 100644 --- a/src/kadmin/cli/kadmin.c +++ b/src/kadmin/cli/kadmin.c @@ -205,16 +205,15 @@ char *kadmin_startup(argc, argv) memset((char *) ¶ms, 0, sizeof(params)); - retval = krb5_init_context(&context); - if (strcmp (whoami, "kadmin.local") == 0) set_com_err_hook(extended_com_err_fn); + retval = kadm5_init_krb5_context(&context); if (retval) { com_err(whoami, retval, "while initializing krb5 library"); exit(1); } - + while ((optchar = getopt(argc, argv, "x:r:p:kq:w:d:s:mc:t:e:ON")) != EOF) { switch (optchar) { case 'x': diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c index 058dd5440..2ce811d0b 100644 --- a/src/kadmin/dbutil/dump.c +++ b/src/kadmin/dbutil/dump.c @@ -2158,7 +2158,7 @@ load_db(argc, argv) /* * Initialize the Kerberos context and error tables. */ - if ((kret = krb5_init_context(&kcontext))) { + if ((kret = kadm5_init_krb5_context(&kcontext))) { fprintf(stderr, ctx_err_fmt, programname); free(dbname_tmp); exit_status++; 
@@ -2242,7 +2242,7 @@ load_db(argc, argv) newparams.mask |= KADM5_CONFIG_DBNAME; newparams.dbname = dbname_tmp; - if ((kret = kadm5_get_config_params(kcontext, NULL, NULL, + if ((kret = kadm5_get_config_params(kcontext, 1, &newparams, &newparams))) { com_err(argv[0], kret, "while retreiving new configuration parameters"); diff --git a/src/kadmin/dbutil/kadm5_create.c b/src/kadmin/dbutil/kadm5_create.c index fe68a0212..878300a6d 100644 --- a/src/kadmin/dbutil/kadm5_create.c +++ b/src/kadmin/dbutil/kadm5_create.c @@ -73,14 +73,14 @@ int kadm5_create(kadm5_config_params *params) kadm5_config_params lparams; - if ((retval = krb5_init_context(&context))) + if ((retval = kadm5_init_krb5_context(&context))) exit(ERR); /* * The lock file has to exist before calling kadm5_init, but * params->admin_lockfile may not be set yet... */ - if ((retval = kadm5_get_config_params(context, NULL, NULL, + if ((retval = kadm5_get_config_params(context, 1, params, &lparams))) { com_err(progname, retval, "while looking up the Kerberos configuration"); return 1; diff --git a/src/kadmin/dbutil/kdb5_destroy.c b/src/kadmin/dbutil/kdb5_destroy.c index 2f5f376cd..22b75eef6 100644 --- a/src/kadmin/dbutil/kdb5_destroy.c +++ b/src/kadmin/dbutil/kdb5_destroy.c @@ -57,7 +57,7 @@ kdb5_destroy(argc, argv) krb5_context context; int force = 0; - retval1 = krb5_init_context(&context); + retval1 = kadm5_init_krb5_context(&context); if( retval1 ) { com_err(argv[0], retval1, "while initializing krb5_context"); diff --git a/src/kadmin/dbutil/kdb5_stash.c b/src/kadmin/dbutil/kdb5_stash.c index 884fa045c..7e8fd3e8b 100644 --- a/src/kadmin/dbutil/kdb5_stash.c +++ b/src/kadmin/dbutil/kdb5_stash.c @@ -85,7 +85,7 @@ kdb5_stash(argc, argv) if (strrchr(argv[0], '/')) argv[0] = strrchr(argv[0], '/')+1; - retval = krb5_init_context(&context); + retval = kadm5_init_krb5_context(&context); if( retval ) { com_err(argv[0], retval, "while initializing krb5_context"); 
diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c index 0b1a4d0eb..0e308e54e 100644 --- a/src/kadmin/dbutil/kdb5_util.c +++ b/src/kadmin/dbutil/kdb5_util.c @@ -166,8 +166,9 @@ int main(argc, argv) int cmd_argc; krb5_error_code retval; - retval = krb5_init_context(&util_context); set_com_err_hook(extended_com_err_fn); + + retval = kadm5_init_krb5_context(&util_context); if (retval) { com_err (progname, retval, "while initializing Kerberos code"); exit(1); @@ -284,7 +285,7 @@ int main(argc, argv) util_context->default_realm = temp; } - retval = kadm5_get_config_params(util_context, NULL, NULL, + retval = kadm5_get_config_params(util_context, 1, &global_params, &global_params); if (retval) { com_err(argv[0], retval, "while retreiving configuration parameters"); diff --git a/src/kadmin/dbutil/loadv4.c b/src/kadmin/dbutil/loadv4.c index 672db584b..6149e81d8 100644 --- a/src/kadmin/dbutil/loadv4.c +++ b/src/kadmin/dbutil/loadv4.c @@ -180,7 +180,7 @@ load_v4db(argc, argv) krb5_int32 crflags = KRB5_KDB_CREATE_BTREE; krb5_data seed; - retval = krb5_init_context(&context); + retval = kadm5_init_krb5_context(&context); if (retval) { fprintf(stderr, "%s: Could not initialize krb5 context.\n", PROGNAME); return; diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c index 6950ff1a7..6ebe3ee76 100644 --- a/src/kadmin/server/ovsec_kadmd.c +++ b/src/kadmin/server/ovsec_kadmd.c @@ -229,7 +229,7 @@ int main(int argc, char *argv[]) display_status("str_to_oid", major_status, minor_status); exit(1); } - + names[0].name = names[1].name = names[2].name = names[3].name = NULL; names[0].type = names[1].type = names[2].type = names[3].type = nt_krb5_name_oid; @@ -293,7 +293,7 @@ int main(int argc, char *argv[]) if (argc != 0) usage(); - if ((ret = krb5_init_context(&context))) { + if ((ret = kadm5_init_krb5_context(&context))) { fprintf(stderr, "%s: %s while initializing context, aborting\n", whoami, error_message(ret)); exit(1); 
@@ -301,11 +301,11 @@ int main(int argc, char *argv[]) krb5_klog_init(context, "admin_server", whoami, 1); - krb5_klog_syslog(LOG_INFO, "Seeding random number generator"); ret = krb5_c_random_os_entropy(context, 1, NULL); if(ret) { - krb5_klog_syslog(LOG_ERR, "Error getting random seed: %s, aborting", + krb5_klog_syslog(LOG_ERR, + "Error getting random seed: %s, aborting", krb5_get_error_message (context, ret)); exit(1); } @@ -330,7 +330,7 @@ int main(int argc, char *argv[]) free(db_args), db_args=NULL; } - if ((ret = kadm5_get_config_params(context, NULL, NULL, ¶ms, + if ((ret = kadm5_get_config_params(context, 1, ¶ms, ¶ms))) { const char *e_txt = krb5_get_error_message (context, ret); krb5_klog_syslog(LOG_ERR, "%s: %s while initializing, aborting", diff --git a/src/kadmin/testing/proto/krb5.conf.proto b/src/kadmin/testing/proto/krb5.conf.proto index 9fe7ec124..c2648d6c6 100644 --- a/src/kadmin/testing/proto/krb5.conf.proto +++ b/src/kadmin/testing/proto/krb5.conf.proto @@ -7,7 +7,6 @@ __REALM__ = { kdc = __KDCHOST__:1750 admin_server = __KDCHOST__:1751 -# THIS SHOULD BE IN KDC.CONF INSTEAD! database_module = foobar_db2_module_blah } diff --git a/src/kadmin/testing/tcl/util.t b/src/kadmin/testing/tcl/util.t index f4688aeee..0e39061f7 100644 --- a/src/kadmin/testing/tcl/util.t +++ b/src/kadmin/testing/tcl/util.t 
@@ -15,42 +15,41 @@ proc config_params {masks values} { error "config_params: length of mask and values differ" } - set params [list $masks 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 {}] + set params [list $masks 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 {}] for {set i 0} {$i < [llength $masks]} {incr i} { set mask [lindex $masks $i] set value [lindex $values $i] switch -glob -- $mask { "KADM5_CONFIG_REALM" {set params [lreplace $params 1 1 $value]} - "KADM5_CONFIG_PROFILE" {set params [lreplace $params 2 2 $value]} "KADM5_CONFIG_KADMIND_PORT" { - set params [lreplace $params 3 3 $value]} + set params [lreplace $params 2 2 $value]} "KADM5_CONFIG_ADMIN_SERVER" { - set params [lreplace $params 4 4 $value]} - "KADM5_CONFIG_DBNAME" {set params [lreplace $params 5 5 $value]} - "KADM5_CONFIG_ADBNAME" {set params [lreplace $params 6 6 $value]} + set params [lreplace $params 3 3 $value]} + "KADM5_CONFIG_DBNAME" {set params [lreplace $params 4 4 $value]} + "KADM5_CONFIG_ADBNAME" {set params [lreplace $params 5 5 $value]} "KADM5_CONFIG_ADB_LOCKFILE" { - set params [lreplace $params 7 7 $value]} + set params [lreplace $params 6 6 $value]} "KADM5_CONFIG_ADMIN_KEYTAB" { - set params [lreplace $params 8 8 $value]} - "KADM5_CONFIG_ACL_FILE" {set params [lreplace $params 9 9 $value]} + set params [lreplace $params 7 7 $value]} + "KADM5_CONFIG_ACL_FILE" {set params [lreplace $params 8 8 $value]} "KADM5_CONFIG_DICT_FILE" { - set params [lreplace $params 10 10 $value]} + set params [lreplace $params 9 9 $value]} "KADM5_CONFIG_MKEY_FROM_KBD" { - set params [lreplace $params 11 11 $value]} + set params [lreplace $params 10 10 $value]} "KADM5_CONFIG_STASH_FILE" { - set params [lreplace $params 12 12 $value]} + set params [lreplace $params 11 11 $value]} "KADM5_CONFIG_MKEY_NAME" { - set params [lreplace $params 13 13 $value]} - "KADM5_CONFIG_ENCTYPE" {set params [lreplace $params 14 14 $value]} + set params [lreplace $params 12 12 $value]} + "KADM5_CONFIG_ENCTYPE" {set params [lreplace $params 13 
13 $value]} "KADM5_CONFIG_MAX_LIFE" { - set params [lreplace $params 15 15 $value]} + set params [lreplace $params 14 14 $value]} "KADM5_CONFIG_MAX_RLIFE" { - set params [lreplace $params 16 16 $value]} + set params [lreplace $params 15 15 $value]} "KADM5_CONFIG_EXPIRATION" { - set params [lreplace $params 17 17 $value]} - "KADM5_CONFIG_FLAGS" {set params [lreplace $params 18 18 $value]} + set params [lreplace $params 16 16 $value]} + "KADM5_CONFIG_FLAGS" {set params [lreplace $params 17 17 $value]} "KADM5_CONFIG_ENCTYPES" { - set params [lreplace $params 19 20 [llength $value] $value]} + set params [lreplace $params 18 19 [llength $value] $value]} "*" {error "config_params: unknown mask $mask"} } } diff --git a/src/kadmin/testing/util/tcl_kadm5.c b/src/kadmin/testing/util/tcl_kadm5.c index e177d7b7d..fb6466db2 100644 --- a/src/kadmin/testing/util/tcl_kadm5.c +++ b/src/kadmin/testing/util/tcl_kadm5.c @@ -87,7 +87,6 @@ static struct flagval config_mask_flags[] = { {"KADM5_CONFIG_ENCTYPE", KADM5_CONFIG_ENCTYPE}, {"KADM5_CONFIG_ADBNAME", KADM5_CONFIG_ADBNAME}, {"KADM5_CONFIG_ADB_LOCKFILE", KADM5_CONFIG_ADB_LOCKFILE}, - {"KADM5_CONFIG_PROFILE", KADM5_CONFIG_PROFILE}, {"KADM5_CONFIG_ACL_FILE", KADM5_CONFIG_ACL_FILE}, {"KADM5_CONFIG_KADMIND_PORT", KADM5_CONFIG_KADMIND_PORT}, {"KADM5_CONFIG_ENCTYPES", KADM5_CONFIG_ENCTYPES}, @@ -994,9 +993,9 @@ static int parse_config_params(Tcl_Interp *interp, char *list, return retcode; } - if (argc != 21) { + if (argc != 20) { sprintf(interp->result, - "wrong # args in config params structure (%d should be 21)", + "wrong # args in config params structure (%d should be 20)", argc); retcode = TCL_ERROR; goto finished; 
@@ -1015,114 +1014,109 @@ static int parse_config_params(Tcl_Interp *interp, char *list, retcode = TCL_ERROR; goto finished; } - if ((retcode = parse_str(interp, argv[2], ¶ms->profile)) != TCL_OK) { - Tcl_AppendElement(interp, "while parsing profile name"); - retcode = TCL_ERROR; - goto finished; - } - if ((retcode = Tcl_GetInt(interp, argv[3], &tmp)) + if ((retcode = Tcl_GetInt(interp, argv[2], &tmp)) != TCL_OK) { Tcl_AppendElement(interp, "while parsing kadmind_port"); retcode = TCL_ERROR; goto finished; } params->kadmind_port = tmp; - if ((retcode = parse_str(interp, argv[4], ¶ms->admin_server)) + if ((retcode = parse_str(interp, argv[3], ¶ms->admin_server)) != TCL_OK) { Tcl_AppendElement(interp, "while parsing profile name"); retcode = TCL_ERROR; goto finished; } - if ((retcode = parse_str(interp, argv[5], ¶ms->dbname)) != TCL_OK) { + if ((retcode = parse_str(interp, argv[4], ¶ms->dbname)) != TCL_OK) { Tcl_AppendElement(interp, "while parsing profile name"); retcode = TCL_ERROR; goto finished; } - if ((retcode = parse_str(interp, argv[6], ¶ms->admin_dbname)) != TCL_OK) { + if ((retcode = parse_str(interp, argv[5], ¶ms->admin_dbname)) != TCL_OK) { Tcl_AppendElement(interp, "while parsing admin_dbname name"); retcode = TCL_ERROR; goto finished; } - if ((retcode = parse_str(interp, argv[7], ¶ms->admin_lockfile)) != TCL_OK) { + if ((retcode = parse_str(interp, argv[6], ¶ms->admin_lockfile)) != TCL_OK) { Tcl_AppendElement(interp, "while parsing admin_lockfile name"); retcode = TCL_ERROR; goto finished; } - if ((retcode = parse_str(interp, argv[8], ¶ms->admin_keytab)) != TCL_OK) { + if ((retcode = parse_str(interp, argv[7], ¶ms->admin_keytab)) != TCL_OK) { Tcl_AppendElement(interp, "while parsing admin_keytab name"); retcode = TCL_ERROR; goto finished; } - if ((retcode = parse_str(interp, argv[9], ¶ms->acl_file)) != TCL_OK) { + if ((retcode = parse_str(interp, argv[8], ¶ms->acl_file)) != TCL_OK) { Tcl_AppendElement(interp, "while parsing acl_file name"); retcode = 
TCL_ERROR; goto finished; } - if ((retcode = parse_str(interp, argv[10], ¶ms->dict_file)) != TCL_OK) { + if ((retcode = parse_str(interp, argv[9], ¶ms->dict_file)) != TCL_OK) { Tcl_AppendElement(interp, "while parsing dict_file name"); retcode = TCL_ERROR; goto finished; } - if ((retcode = Tcl_GetInt(interp, argv[11], &tmp)) + if ((retcode = Tcl_GetInt(interp, argv[10], &tmp)) != TCL_OK) { Tcl_AppendElement(interp, "while parsing mkey_from_kbd"); retcode = TCL_ERROR; goto finished; } params->mkey_from_kbd = tmp; - if ((retcode = parse_str(interp, argv[12], ¶ms->stash_file)) != TCL_OK) { + if ((retcode = parse_str(interp, argv[11], ¶ms->stash_file)) != TCL_OK) { Tcl_AppendElement(interp, "while parsing stash_file name"); retcode = TCL_ERROR; goto finished; } - if ((retcode = parse_str(interp, argv[13], ¶ms->mkey_name)) != TCL_OK) { + if ((retcode = parse_str(interp, argv[12], ¶ms->mkey_name)) != TCL_OK) { Tcl_AppendElement(interp, "while parsing mkey_name name"); retcode = TCL_ERROR; goto finished; } - if ((retcode = Tcl_GetInt(interp, argv[14], &tmp)) + if ((retcode = Tcl_GetInt(interp, argv[13], &tmp)) != TCL_OK) { Tcl_AppendElement(interp, "while parsing enctype"); retcode = TCL_ERROR; goto finished; } params->enctype = tmp; - if ((retcode = Tcl_GetInt(interp, argv[15], &tmp)) + if ((retcode = Tcl_GetInt(interp, argv[14], &tmp)) != TCL_OK) { Tcl_AppendElement(interp, "while parsing max_life"); retcode = TCL_ERROR; goto finished; } params->max_life = tmp; - if ((retcode = Tcl_GetInt(interp, argv[16], &tmp)) + if ((retcode = Tcl_GetInt(interp, argv[15], &tmp)) != TCL_OK) { Tcl_AppendElement(interp, "while parsing max_rlife"); retcode = TCL_ERROR; goto finished; } params->max_rlife = tmp; - if ((retcode = Tcl_GetInt(interp, argv[17], &tmp)) + if ((retcode = Tcl_GetInt(interp, argv[16], &tmp)) != TCL_OK) { Tcl_AppendElement(interp, "while parsing expiration"); retcode = TCL_ERROR; goto finished; } params->expiration = tmp; - if ((retcode = parse_krb5_flags(interp, 
argv[18], &tmp)) + if ((retcode = parse_krb5_flags(interp, argv[17], &tmp)) != TCL_OK) { Tcl_AppendElement(interp, "while parsing flags"); retcode = TCL_ERROR; goto finished; } params->flags = tmp; - if ((retcode = Tcl_GetInt(interp, argv[19], &tmp)) + if ((retcode = Tcl_GetInt(interp, argv[18], &tmp)) != TCL_OK) { Tcl_AppendElement(interp, "while parsing num_keysalts"); retcode = TCL_ERROR; goto finished; } params->num_keysalts = tmp; - if ((retcode = parse_keysalts(interp, argv[20], ¶ms->keysalts, + if ((retcode = parse_keysalts(interp, argv[19], ¶ms->keysalts, params->num_keysalts)) != TCL_OK) { Tcl_AppendElement(interp, "while parsing keysalts"); retcode = TCL_ERROR; @@ -1578,7 +1572,7 @@ static int _tcl_kadm5_init_any(enum init_type init_type, ClientData clientData, argv++, argc--; - krb5_init_context(&context); + kadm5_init_krb5_context(&context); if (argc != 7) { Tcl_AppendResult(interp, whoami, ": ", arg_error, 0); diff --git a/src/kadmin/testing/util/tcl_ovsec_kadm.c b/src/kadmin/testing/util/tcl_ovsec_kadm.c index c64657d75..7e04f04e9 100644 --- a/src/kadmin/testing/util/tcl_ovsec_kadm.c +++ b/src/kadmin/testing/util/tcl_ovsec_kadm.c @@ -1018,7 +1018,7 @@ static int tcl_ovsec_kadm_init(ClientData clientData, Tcl_Interp *interp, argv++, argc--; - krb5_init_context(&context); + kadm5_init_krb5_context(&context); if (argc != 7) { Tcl_AppendResult(interp, whoami, ": ", arg_error, 0); diff --git a/src/kdc/fakeka.c b/src/kdc/fakeka.c index 5d098dc5c..7a6adf535 100644 --- a/src/kdc/fakeka.c +++ b/src/kdc/fakeka.c @@ -1239,7 +1239,7 @@ char **argv; * Initialize kerberos stuff and kadm5 stuff. */ - if ((code = krb5_init_context(&context))) { + if ((code = krb5int_init_context_kdc(&context))) { com_err(argv[0], code, "while initializing Kerberos"); exit(1); } 
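Review bot: After the profile entry is dropped, the error text that follows the renumbered `argv[3]` (admin_server) and `argv[4]` (dbname) parse_str calls still reads `"while parsing profile name"`, so a malformed admin_server or dbname value is reported as a profile error. Those two Tcl_AppendElement context lines should become `Tcl_AppendElement(interp, "while parsing admin_server name");` and `Tcl_AppendElement(interp, "while parsing dbname name");`, matching the admin_dbname/admin_lockfile/admin_keytab messages around them. parse_config_params begins above this hunk.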
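Review bot: The replaced line `kadm5_init_krb5_context(&context);` in _tcl_kadm5_init_any still discards the return value, as the old krb5_init_context call did, so a failed initialization leaves `context` indeterminate and the failure surfaces only at a later kadm5 call. The same line in tcl_ovsec_kadm_init (next hunk, tcl_ovsec_kadm.c) has the same gap. A guard along the lines of `if (kadm5_init_krb5_context(&context)) { Tcl_AppendResult(interp, whoami, ": cannot initialize krb5 context", 0); return TCL_ERROR; }` would report it where it happens; the exact wording should follow how the function reports `arg_error` a few lines below.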
@@ -1261,7 +1261,7 @@ char **argv; exit(1); } - if ((code = kadm5_get_config_params(context, NULL, NULL, NULL, + if ((code = kadm5_get_config_params(context, 1, NULL, &realm_params))) { com_err(argv[0], code, "while getting realm parameters"); exit(1); diff --git a/src/kdc/main.c b/src/kdc/main.c index 7bdc96033..c9b62a843 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c @@ -162,7 +162,7 @@ init_realm(char *progname, kdc_realm_t *rdp, char *realm, } rdp->realm_name = realm; - kret = krb5_init_context(&rdp->realm_context); + kret = krb5int_init_context_kdc(&rdp->realm_context); if (kret) { com_err(progname, kret, "while getting context for realm %s", realm); @@ -170,7 +170,7 @@ init_realm(char *progname, kdc_realm_t *rdp, char *realm, } kret = krb5_read_realm_params(rdp->realm_context, rdp->realm_name, - (char *) NULL, (char *) NULL, &rparams); + &rparams); if (kret) { com_err(progname, kret, "while reading realm parameters"); goto whoops; @@ -693,7 +693,7 @@ int main(int argc, char **argv) * reporting. The per-realm operations use the "realm_context" * associated with each realm. */ - retval = krb5_init_context(&kcontext); + retval = krb5int_init_context_kdc(&kcontext); if (retval) { com_err(argv[0], retval, "while initializing krb5"); exit(1); diff --git a/src/kdc/rtest.c b/src/kdc/rtest.c index d63e92fcf..87f4a9652 100644 --- a/src/kdc/rtest.c +++ b/src/kdc/rtest.c @@ -73,7 +73,7 @@ main(int argc, char **argv) /* Get a context */ - kret = krb5_init_context(&kdc_realm.realm_context); + kret = krb5int_init_context_kdc(&kdc_realm.realm_context); if (kret) { com_err(argv[0], kret, "while getting krb5 context"); exit(2); diff --git a/src/krb524/krb524d.c b/src/krb524/krb524d.c index df50b4ad5..599d5bc2d 100644 --- a/src/krb524/krb524d.c +++ b/src/krb524/krb524d.c 
@@ -129,7 +129,7 @@ int main(argc, argv) whoami = ((whoami = strrchr(argv[0], '/')) ? whoami + 1 : argv[0]); - retval = krb5_init_context(&context); + retval = krb5int_init_context_kdc(&context); if (retval) { com_err(whoami, retval, "while initializing krb5"); exit(1); diff --git a/src/lib/gssapi/gss_libinit.c b/src/lib/gssapi/gss_libinit.c index 5561b5398..f16359497 100644 --- a/src/lib/gssapi/gss_libinit.c +++ b/src/lib/gssapi/gss_libinit.c @@ -33,6 +33,9 @@ int gssint_lib_init(void) if (err) return err; err = k5_key_register(K5_KEY_GSS_KRB5_CCACHE_NAME, free); + if (err) + return err; + err = k5_mutex_finish_init(&kg_kdc_flag_mutex); if (err) return err; return k5_mutex_finish_init(&kg_vdb.mutex); @@ -56,6 +59,7 @@ void gssint_lib_fini(void) k5_key_delete(K5_KEY_GSS_KRB5_SET_CCACHE_OLD_NAME); k5_key_delete(K5_KEY_GSS_KRB5_CCACHE_NAME); k5_mutex_destroy(&kg_vdb.mutex); + k5_mutex_destroy(&kg_kdc_flag_mutex); k5_mutex_destroy(&gssint_krb5_keytab_lock); } diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h index 7d7599c61..071ff3f97 100644 --- a/src/lib/gssapi/krb5/gssapiP_krb5.h +++ b/src/lib/gssapi/krb5/gssapiP_krb5.h @@ -631,4 +631,10 @@ OM_uint32 gss_krb5int_unseal_token_v3(krb5_context *contextptr, int *conf_state, int *qop_state, int toktype); +extern k5_mutex_t kg_kdc_flag_mutex; +krb5_error_code krb5_gss_init_context (krb5_context *ctxp); +#define krb5_init_context(C) krb5_gss_init_context(C) + +krb5_error_code krb5_gss_use_kdc_context(void); + #endif /* _GSSAPIP_KRB5_H_ */ diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c index 91d81fb44..23b18d090 100644 --- a/src/lib/gssapi/krb5/init_sec_context.c +++ b/src/lib/gssapi/krb5/init_sec_context.c 
@@ -966,3 +966,43 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle, return(major_status); } + +k5_mutex_t kg_kdc_flag_mutex = K5_MUTEX_PARTIAL_INITIALIZER; +static int kdc_flag = 0; + +krb5_error_code +krb5_gss_init_context (krb5_context *ctxp) +{ + krb5_error_code err; + int is_kdc; + + err = gssint_initialize_library(); + if (err) + return err; + err = k5_mutex_lock(&kg_kdc_flag_mutex); + if (err) + return err; + is_kdc = kdc_flag; + k5_mutex_unlock(&kg_kdc_flag_mutex); + if (is_kdc) + return krb5int_init_context_kdc(ctxp); + else +#undef krb5_init_context + return krb5_init_context(ctxp); +} + +krb5_error_code +krb5_gss_use_kdc_context() +{ + krb5_error_code err; + + err = gssint_initialize_library(); + if (err) + return err; + err = k5_mutex_lock(&kg_kdc_flag_mutex); + if (err) + return err; + kdc_flag = 1; + k5_mutex_unlock(&kg_kdc_flag_mutex); + return 0; +} diff --git a/src/lib/gssapi/libgssapi_krb5.exports b/src/lib/gssapi/libgssapi_krb5.exports index 46a52d168..f67967137 100644 --- a/src/lib/gssapi/libgssapi_krb5.exports +++ b/src/lib/gssapi/libgssapi_krb5.exports @@ -106,3 +106,4 @@ krb5_gss_verify krb5_gss_verify_mic krb5_gss_wrap krb5_gss_wrap_size_limit +krb5_gss_use_kdc_context diff --git a/src/lib/kadm5/admin.h b/src/lib/kadm5/admin.h index f184ea43f..6f0da7935 100644 --- a/src/lib/kadm5/admin.h +++ b/src/lib/kadm5/admin.h @@ -112,7 +112,7 @@ typedef long kadm5_ret_t; #define KADM5_CONFIG_ENCTYPE 0x000200 #define KADM5_CONFIG_ADBNAME 0x000400 #define KADM5_CONFIG_ADB_LOCKFILE 0x000800 -#define KADM5_CONFIG_PROFILE 0x001000 +/*#define KADM5_CONFIG_PROFILE 0x001000*/ #define KADM5_CONFIG_ACL_FILE 0x002000 #define KADM5_CONFIG_KADMIND_PORT 0x004000 #define KADM5_CONFIG_ENCTYPES 0x008000 @@ -208,7 +208,6 @@ typedef struct _kadm5_policy_ent_t { typedef struct _kadm5_config_params { long mask; char * realm; - char * profile; int kadmind_port; int kpasswd_port; 
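Review bot: `#undef krb5_init_context` sits between the `else` and its `return` inside krb5_gss_init_context; it works because the preprocessor runs first, but it makes the body hard to read and easy to break if the branch is ever rearranged. Since the reason is the macro added to gssapiP_krb5.h in the preceding hunk (`#define krb5_init_context(C) krb5_gss_init_context(C)`), move the `#undef` above the function, next to the `kdc_flag` definition, with a comment like `/* This is the one place in the mechanism that must call the real krb5_init_context. */`. `kdc_flag` itself deserves a one-line comment stating that it is process-wide, set once by krb5_gss_use_kdc_context and never cleared, so every context the mechanism creates afterwards reads the KDC configuration. Finally, the definition `krb5_gss_use_kdc_context()` should be `krb5_gss_use_kdc_context(void)` to match the prototype declared in the header.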
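Review bot: Removing `char * profile;` from struct _kadm5_config_params changes the size and the offsets of every later member of a structure declared in the public admin.h, so code compiled against the previous header and passing a kadm5_config_params into this library would read and write the wrong fields. If kadm5's API-version negotiation is meant to reject such callers, that is not visible here and the commit message does not mention a version bump; otherwise leaving the member in place as unused would preserve layout. The commented-out line in the earlier hunk would also read better as `/* 0x001000 was KADM5_CONFIG_PROFILE; do not reuse */` so the bit stays visibly reserved.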
@@ -274,7 +273,7 @@ typedef struct __krb5_realm_params { #if USE_KADM5_API_VERSION > 1 krb5_error_code kadm5_get_config_params(krb5_context context, - char *kdcprofile, char *kdcenv, + int use_kdc_config, kadm5_config_params *params_in, kadm5_config_params *params_out); @@ -480,6 +479,8 @@ kadm5_ret_t kadm5_free_key_data(void *server_handle, kadm5_ret_t kadm5_free_name_list(void *server_handle, char **names, int count); +krb5_error_code kadm5_init_krb5_context (krb5_context *); + #if USE_KADM5_API_VERSION == 1 /* * OVSEC_KADM_API_VERSION_1 should be, if possible, compile-time diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c index bb87f8881..5567b0c24 100644 --- a/src/lib/kadm5/alt_prof.c +++ b/src/lib/kadm5/alt_prof.c 
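Review bot: The new `int use_kdc_config` parameter of kadm5_get_config_params is undocumented on the prototype, and every caller in this patch passes a bare `1` or `0`. A comment such as `/* use_kdc_config: nonzero to read the KDC profile (DEFAULT_KDC_PROFILE / KDC_PROFILE_ENV) ahead of the library's default config files; zero to read only the client profile (DEFAULT_PROFILE_PATH / KRB5_CONFIG). */` would make those literals readable at the call sites. krb5_os_init_context in k5-int.h takes the equivalent flag as `krb5_boolean`, so using that type here would be consistent across the patch. The same applies to the new `kadm5_init_krb5_context` declaration in the following hunk, which says nothing about why a wrapper around krb5_init_context is exported.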
@@ -66,30 +66,50 @@ krb5_aprof_init(fname, envname, acontextp) krb5_pointer *acontextp; { krb5_error_code kret; - const_profile_filespec_t namelist[2]; profile_t profile; - - namelist[1] = (profile_filespec_t) NULL; - profile = (profile_t) NULL; - if (envname) { - if ((namelist[0] = getenv(envname))) { - kret = profile_init(namelist, &profile); - if (kret) - return kret; - *acontextp = (krb5_pointer) profile; - return 0; - } + const char *kdc_config; + size_t krb5_config_len, kdc_config_len; + char *profile_path; + char **filenames; + int i; + + kret = krb5_get_default_config_files (&filenames); + if (kret) + return kret; + krb5_config_len = 0; + for (i = 0; filenames[i] != NULL; i++) + krb5_config_len += strlen(filenames[i]) + 1; + if (i > 0) + krb5_config_len--; + if (envname == NULL + || (kdc_config = getenv(envname)) == NULL) + kdc_config = fname; + if (kdc_config == NULL) + kdc_config_len = 0; + else + kdc_config_len = strlen(kdc_config); + profile_path = malloc(2 + krb5_config_len + kdc_config_len); + if (profile_path == NULL) { + krb5_free_config_files(filenames); + return errno; } + if (kdc_config_len) + strcpy(profile_path, kdc_config); + else + profile_path[0] = 0; + if (krb5_config_len) + for (i = 0; filenames[i] != NULL; i++) { + if (kdc_config_len || i) + strcat(profile_path, ":"); + strcat(profile_path, filenames[i]); + } + krb5_free_config_files(filenames); profile = (profile_t) NULL; - if (fname) { - kret = profile_init_path(fname, &profile); - if (kret == ENOENT) { - profile = 0; - } else if (kret) - return kret; - *acontextp = (krb5_pointer) profile; - return 0; - } + kret = profile_init_path(profile_path, &profile); + free(profile_path); + if (kret) + return kret; + *acontextp = profile; return 0; } 
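Review bot: `return errno;` after the failed malloc reports whatever errno happens to hold; the C standard does not require malloc to set it, and the other error paths in this function return krb5_error_code values, so `return ENOMEM;` is the safer choice. The buffer arithmetic is correct (kdc_config, one ':' per join and the NUL all fit in `2 + krb5_config_len + kdc_config_len`), but a comment above the malloc stating that invariant would spare the next reader the count. The function now consults `getenv(envname)` unconditionally, so the only protection against honoring the environment in a secure context is the caller passing a null envname, which kadm5_get_config_params does via `profile_secure`; that contract belongs in the function's leading comment, which is above this hunk.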
@@ -349,11 +369,10 @@ krb5_aprof_finish(acontext) * in params_in for which the mask is set will be re-assigned to newly copied * versions, overwriting the old pointer value. */ -krb5_error_code kadm5_get_config_params(context, kdcprofile, kdcenv, +krb5_error_code kadm5_get_config_params(context, use_kdc_config, params_in, params_out) krb5_context context; - char *kdcprofile; - char *kdcenv; + int use_kdc_config; kadm5_config_params *params_in, *params_out; { char *filename; @@ -384,22 +403,20 @@ krb5_error_code kadm5_get_config_params(context, kdcprofile, kdcenv, params.realm = lrealm; params.mask |= KADM5_CONFIG_REALM; } - if (params_in->mask & KADM5_CONFIG_PROFILE) { - filename = params.profile = strdup(params_in->profile); - if (params.profile) - params.mask |= KADM5_CONFIG_PROFILE; - envname = NULL; + /* + * XXX These defaults should to work on both client and + * server. kadm5_get_config_params can be implemented as a + * wrapper function in each library that provides correct + * defaults for NULL values. + */ + if (use_kdc_config) { + filename = DEFAULT_KDC_PROFILE; + envname = KDC_PROFILE_ENV; } else { - /* - * XXX These defaults should to work on both client and - * server. kadm5_get_config_params can be implemented as a - * wrapper function in each library that provides correct - * defaults for NULL values. - */ - filename = (kdcprofile) ? kdcprofile : DEFAULT_KDC_PROFILE; - envname = (kdcenv) ? kdcenv : KDC_PROFILE_ENV; - if (context->profile_secure == TRUE) envname = 0; + filename = DEFAULT_PROFILE_PATH; + envname = "KRB5_CONFIG"; } + if (context->profile_secure == TRUE) envname = 0; kret = krb5_aprof_init(filename, envname, &aprofile); if (kret) @@ -594,7 +611,7 @@ krb5_error_code kadm5_get_config_params(context, kdcprofile, kdcenv, params.mask |= KADM5_CONFIG_STASH_FILE; params.stash_file = svalue; } - + /* Get the value for maximum ticket lifetime. */ hierarchy[2] = "max_life"; if (params_in->mask & KADM5_CONFIG_MAX_LIFE) { 
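Review bot: In the new `else` branch `filename = DEFAULT_PROFILE_PATH;` is handed to krb5_aprof_init, which now puts that path in front of the list returned by krb5_get_default_config_files; if that list already contains the compiled-in default path (likely, though the list contents are not visible here), the same file is parsed twice and list-valued relations come back duplicated. If so, `filename = NULL;` in that branch, letting krb5_aprof_init use the library list alone, avoids it. Hoisting `if (context->profile_secure == TRUE) envname = 0;` out of the if/else so it applies to both `KDC_PROFILE_ENV` and `"KRB5_CONFIG"` is the right change; a short comment noting that it must stay after both assignments would keep it from drifting back in.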
@@ -739,8 +756,6 @@ kadm5_free_config_params(context, params) kadm5_config_params *params; { if (params) { - if (params->profile) - krb5_xfree(params->profile); if (params->dbname) krb5_xfree(params->dbname); if (params->mkey_name) @@ -783,8 +798,7 @@ kadm5_get_admin_service_name(krb5_context ctx, params_in.mask |= KADM5_CONFIG_REALM; params_in.realm = realm_in; - ret = kadm5_get_config_params(ctx, DEFAULT_PROFILE_PATH, - "KRB5_CONFIG", ¶ms_in, ¶ms_out); + ret = kadm5_get_config_params(ctx, 0, ¶ms_in, ¶ms_out); if (ret) return ret; @@ -820,11 +834,9 @@ err_params: * alternate profile. */ krb5_error_code -krb5_read_realm_params(kcontext, realm, kdcprofile, kdcenv, rparamp) +krb5_read_realm_params(kcontext, realm, rparamp) krb5_context kcontext; char *realm; - char *kdcprofile; - char *kdcenv; krb5_realm_params **rparamp; { char *filename; @@ -838,6 +850,9 @@ krb5_read_realm_params(kcontext, realm, kdcprofile, kdcenv, rparamp) krb5_boolean bvalue; krb5_deltat dtvalue; + char *kdcprofile = 0; + char *kdcenv = 0; + krb5_error_code kret; filename = (kdcprofile) ? kdcprofile : DEFAULT_KDC_PROFILE; diff --git a/src/lib/kadm5/chpass_util.c b/src/lib/kadm5/chpass_util.c index 678af3fb3..dc6ebb61b 100644 --- a/src/lib/kadm5/chpass_util.c +++ b/src/lib/kadm5/chpass_util.c @@ -80,7 +80,7 @@ kadm5_ret_t _kadm5_chpass_principal_util(void *server_handle, } else { /* read the password */ krb5_context context; - if ((code = (int) krb5_init_context(&context)) == 0) { + if ((code = (int) kadm5_init_krb5_context(&context)) == 0) { pwsize = sizeof(buffer); code = krb5_read_password(context, KADM5_PW_FIRST_PROMPT, KADM5_PW_SECOND_PROMPT, diff --git a/src/lib/kadm5/clnt/client_init.c b/src/lib/kadm5/clnt/client_init.c index a93aeaa45..26a7304d9 100644 --- a/src/lib/kadm5/clnt/client_init.c +++ b/src/lib/kadm5/clnt/client_init.c 
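Review bot: The two locals added to krb5_read_realm_params, `char *kdcprofile = 0;` and `char *kdcenv = 0;`, are never assigned afterwards in what is visible, so the following `filename = (kdcprofile) ? kdcprofile : DEFAULT_KDC_PROFILE;` (and presumably the matching envname ternary below the hunk) are constant-folded dead branches that only preserve the old shape. Replace them with direct assignments such as `filename = DEFAULT_KDC_PROFILE;` and drop the locals, so a reader does not go looking for a caller that sets them. The function's body continues past the hunk, so any remaining use of these names there must be checked before removing them.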
@@ -256,11 +256,8 @@ static kadm5_ret_t _kadm5_init_any(char *client_name, return KADM5_BAD_CLIENT_PARAMS; } - if ((code = kadm5_get_config_params(handle->context, - DEFAULT_PROFILE_PATH, - "KRB5_CONFIG", - params_in, - &handle->params))) { + if ((code = kadm5_get_config_params(handle->context, 0, + params_in, &handle->params))) { krb5_free_context(handle->context); free(handle); return(code); @@ -748,3 +745,8 @@ int _kadm5_check_handle(void *handle) CHECK_HANDLE(handle); return 0; } + +krb5_error_code kadm5_init_krb5_context (krb5_context *ctx) +{ + return krb5_init_context(ctx); +} diff --git a/src/lib/kadm5/clnt/libkadm5clnt.exports b/src/lib/kadm5/clnt/libkadm5clnt.exports index cb169c410..f7f873e29 100644 --- a/src/lib/kadm5/clnt/libkadm5clnt.exports +++ b/src/lib/kadm5/clnt/libkadm5clnt.exports @@ -24,6 +24,7 @@ kadm5_get_principal kadm5_get_principals kadm5_get_privs kadm5_init +kadm5_init_krb5_context kadm5_init_with_creds kadm5_init_with_password kadm5_init_with_skey diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c index aa2363c3d..d760ff14d 100644 --- a/src/lib/kadm5/kadm_rpc_xdr.c +++ b/src/lib/kadm5/kadm_rpc_xdr.c @@ -962,7 +962,7 @@ xdr_krb5_principal(XDR *xdrs, krb5_principal *objp) ok, and the other solutions are even uglier */ if (!context && - krb5_init_context(&context)) + kadm5_init_krb5_context(&context)) return(FALSE); switch(xdrs->x_op) { diff --git a/src/lib/kadm5/srv/Makefile.in b/src/lib/kadm5/srv/Makefile.in index e82b05264..311e83722 100644 --- a/src/lib/kadm5/srv/Makefile.in +++ b/src/lib/kadm5/srv/Makefile.in @@ -2,7 +2,9 @@ thisconfigdir=./.. myfulldir=lib/kadm5/srv mydir=srv BUILDTOP=$(REL)..$(S)..$(S).. -LOCALINCLUDES = -I$(BUILDTOP)/include/kadm5 +LOCALINCLUDES = -I$(BUILDTOP)/include/kadm5 \ + -I$(SRCTOP)/lib/gssapi/krb5 -I$(SRCTOP)/lib/gssapi/generic \ + -I$(BUILDTOP)/lib/gssapi/krb5 -I$(BUILDTOP)/lib/gssapi/generic DEFINES = @HESIOD_DEFS@ DEFS= 
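Review bot: The new exported kadm5_init_krb5_context in client_init.c carries no comment, and because the server library exports a function of the same name with different behaviour (it also switches the GSS layer to a KDC context, see server_init.c in this commit), each variant's contract should be stated at its definition. Suggest a header comment such as `/* Client-library variant: a plain krb5_init_context(). The server library's implementation additionally loads kdc.conf and selects the KDC GSS context. */`, with a matching sentence on the declaration in admin.h. A program that links both libraries would presumably get whichever definition the linker resolves first, which is worth mentioning in that comment.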
diff --git a/src/lib/kadm5/srv/libkadm5srv.exports b/src/lib/kadm5/srv/libkadm5srv.exports index 2bc56b026..96a3e4083 100644 --- a/src/lib/kadm5/srv/libkadm5srv.exports +++ b/src/lib/kadm5/srv/libkadm5srv.exports @@ -38,6 +38,7 @@ kadm5_get_principal kadm5_get_principals kadm5_get_privs kadm5_init +kadm5_init_krb5_context kadm5_init_with_creds kadm5_init_with_password kadm5_init_with_skey diff --git a/src/lib/kadm5/srv/server_init.c b/src/lib/kadm5/srv/server_init.c index 106d3185d..6b1330f71 100644 --- a/src/lib/kadm5/srv/server_init.c +++ b/src/lib/kadm5/srv/server_init.c @@ -13,9 +13,11 @@ static char *rcsid = "$Header$"; #include #include #include +#include "k5-int.h" /* needed for gssapiP_krb5.h */ #include #include #include "server_internal.h" +#include "osconf.h" /* * Function check_handle @@ -178,7 +180,7 @@ kadm5_ret_t kadm5_init(char *client_name, char *pass, return ret; } - ret = (int) krb5_init_context(&(handle->context)); + ret = (int) krb5int_init_context_kdc(&(handle->context)); if (ret) { free_db_args(handle); free(handle); @@ -217,6 +219,8 @@ kadm5_ret_t kadm5_init(char *client_name, char *pass, params_in = ¶ms_local; } +#if 0 /* Now that we look at krb5.conf as well as kdc.conf, we can + expect to see admin_server being set sometimes. */ #define ILLEGAL_PARAMS (KADM5_CONFIG_ADMIN_SERVER) if (params_in && (params_in->mask & ILLEGAL_PARAMS)) { krb5_free_context(handle->context); @@ -224,9 +228,9 @@ kadm5_ret_t kadm5_init(char *client_name, char *pass, free(handle); return KADM5_BAD_SERVER_PARAMS; } +#endif - ret = kadm5_get_config_params(handle->context, (char *) NULL, - (char *) NULL, params_in, + ret = kadm5_get_config_params(handle->context, 1, params_in, &handle->params); if (ret) { krb5_free_context(handle->context); 
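Review bot: Disabling the KADM5_CONFIG_ADMIN_SERVER rejection in kadm5_init with `#if 0` leaves dead code and the `ILLEGAL_PARAMS` macro in the source without recording the decision; either delete the block (the commit already deletes the corresponding test114) or, if admin_server from krb5.conf is merely to be ignored on the server, keep the check and clear the bit instead, `params_in->mask &= ~KADM5_CONFIG_ADMIN_SERVER;`. Separately, the -178 hunk has kadm5_init call `krb5int_init_context_kdc` directly rather than the new kadm5_init_krb5_context, so the `krb5_gss_use_kdc_context()` step the wrapper performs is skipped when kadm5_init is the first entry point a server program uses; presumably the wrapper is intended here too. kadm5_init's body begins and ends outside the hunk.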
@@ -422,3 +426,17 @@ int _kadm5_check_handle(void *handle) CHECK_HANDLE(handle); return 0; } + +#include "gssapiP_krb5.h" +krb5_error_code kadm5_init_krb5_context (krb5_context *ctx) +{ + static int first_time = 1; + if (first_time) { + krb5_error_code err; + err = krb5_gss_use_kdc_context(); + if (err) + return err; + first_time = 0; + } + return krb5int_init_context_kdc(ctx); +} diff --git a/src/lib/kadm5/unit-test/api.2/init-v2.exp b/src/lib/kadm5/unit-test/api.2/init-v2.exp index 8d78794ba..ae1384727 100644 --- a/src/lib/kadm5/unit-test/api.2/init-v2.exp +++ b/src/lib/kadm5/unit-test/api.2/init-v2.exp @@ -3,22 +3,6 @@ load_lib lib.t api_exit api_start -test "init 100" -proc test100 {} { - global test - - # We used to check for ENOENT, but kadm5_get_config_params no - # longer fails if it cannot find the file---it just provides - # defaults instead.... XXX will fail on srv test! - one_line_fail_test { - kadm5_init admin admin $KADM5_ADMIN_SERVICE \ - [config_params {KADM5_CONFIG_PROFILE} /does-not-exist] \ - $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \ - server_handle - } "MISSING_KRB5_CONF_PARAMS" -} -if {$RPC} test100 - if ![info exists RESOLVE] { set RESOLVE [findfile $objdir/../../../tests/resolve/resolve] } @@ -310,19 +294,6 @@ proc test109 {} { } if {! $RPC} test109 -test "init 114" -proc test114 {} { - global test - - one_line_fail_test { - kadm5_init admin admin $KADM5_ADMIN_SERVICE \ - [config_params {KADM5_CONFIG_ADMIN_SERVER} does.not.exist] \ - $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \ - server_handle - } "BAD_SERVER_PARAMS" -} -if {! $RPC} test114 - test "init 115" proc test115 {} { global test @@ -643,6 +614,6 @@ proc test154 {} { api_exit; lib_start_api } -if {! $RPC} test154 +if {0 && ! $RPC} test154 return "" diff --git a/src/lib/kadm5/unit-test/handle-test.c b/src/lib/kadm5/unit-test/handle-test.c index 6743e6e8e..3f723851d 100644 --- a/src/lib/kadm5/unit-test/handle-test.c +++ b/src/lib/kadm5/unit-test/handle-test.c 
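Review bot: The `static int first_time` guard in the server-side kadm5_init_krb5_context is a plain read-then-write on file-scope state, so two threads initialising contexts concurrently can both call krb5_gss_use_kdc_context(), or one can proceed before the other's call has completed; if the library assumes single-threaded initialisation, say so, e.g. `/* Not thread-safe: assumes the first context initialisation is single-threaded. */`, otherwise use the library's once-initialisation primitive. The `#include "gssapiP_krb5.h"` placed directly above the definition should move to the include block this commit already edits at the top of server_init.c. A one-line comment noting that this variant also loads kdc.conf via krb5int_init_context_kdc would help callers coming from the client library, whose same-named function does neither.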
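Review bot: `if {0 && ! $RPC} test154` disables test154 with no explanation, and unlike test100 and test114 the test body is left in place, so a reader cannot tell whether this change broke it or it was merely deferred. Add a comment on the preceding line naming the reason (the server now reading krb5.conf as well as kdc.conf, if that is it) or delete the test as the other two were.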
@@ -22,7 +22,7 @@ int main(int argc, char *argv[]) krb5_context context; - krb5_init_context(&context); + kadm5_init_krb5_context(&context); ret = ovsec_kadm_init("admin/none", "admin", "ovsec_adm/admin", 0, OVSEC_KADM_STRUCT_VERSION, OVSEC_KADM_API_VERSION_1, NULL, diff --git a/src/lib/kadm5/unit-test/lock-test.c b/src/lib/kadm5/unit-test/lock-test.c index 3b6edd6d8..38ad3cdb7 100644 --- a/src/lib/kadm5/unit-test/lock-test.c +++ b/src/lib/kadm5/unit-test/lock-test.c @@ -28,15 +28,14 @@ int main(int argc, char **argv) whoami = argv[0]; - kret = krb5_init_context(&context); + kret = kadm5_init_krb5_context(&context); if (kret) { com_err(whoami, kret, "while initializing krb5"); exit(1); } params.mask = 0; - ret = kadm5_get_config_params(context, NULL, NULL, ¶ms, - ¶ms); + ret = kadm5_get_config_params(context, 1, ¶ms, ¶ms); if (ret) { com_err(whoami, ret, "while retrieving configuration parameters"); exit(1); diff --git a/src/lib/kadm5/unit-test/randkey-test.c b/src/lib/kadm5/unit-test/randkey-test.c index 5722302de..0145df326 100644 --- a/src/lib/kadm5/unit-test/randkey-test.c +++ b/src/lib/kadm5/unit-test/randkey-test.c @@ -18,7 +18,7 @@ int main() int x, i; - krb5_init_context(&context); + kadm5_init_krb5_context(&context); krb5_parse_name(context, "testuser", &tprinc); ret = ovsec_kadm_init("admin", "admin", "ovsec_adm/admin", 0, diff --git a/src/lib/kadm5/unit-test/setkey-test.c b/src/lib/kadm5/unit-test/setkey-test.c index eafa039e5..865fc14b7 100644 --- a/src/lib/kadm5/unit-test/setkey-test.c +++ b/src/lib/kadm5/unit-test/setkey-test.c @@ -85,7 +85,7 @@ main(int argc, char **argv) */ memset((char *) &context, 0, sizeof(context)); - krb5_init_context(&context); + kadm5_init_krb5_context(&context); ret = krb5_parse_name(context, principal, &princ); if (ret) { diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c index 03e7ba0e3..4eb0f51f3 100644 --- a/src/lib/kdb/kdb_default.c +++ b/src/lib/kdb/kdb_default.c 
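Review bot: The return value of `kadm5_init_krb5_context(&context);` is discarded in handle-test.c, randkey-test.c and setkey-test.c, while lock-test.c checks it; the wrapper now has an additional failure mode on the server side (the GSS KDC-context switch), after which `context` is left uninitialised and the next call dereferences it. Each of those files already has a `ret` variable, so `if ((ret = kadm5_init_krb5_context(&context))) exit(1);` is enough to fail loudly. main in each of these files begins before the hunk.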
@@ -166,10 +166,11 @@ krb5_def_store_mkey(context, keyfile, mname, key, master_pwd) if (!(kf = fopen(keyfile, "w"))) #endif { + int e = errno; #if HAVE_UMASK (void) umask(oumask); #endif - return errno; + return e; } enctype = key->enctype; if ((fwrite((krb5_pointer) &enctype, diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c index 82cc4f1cd..9b90f7121 100644 --- a/src/lib/krb5/krb/init_ctx.c +++ b/src/lib/krb5/krb/init_ctx.c @@ -79,13 +79,13 @@ extern krb5_error_code krb5_vercheck(); extern void krb5_win_ccdll_load(krb5_context context); #endif -static krb5_error_code init_common (krb5_context *, krb5_boolean); +static krb5_error_code init_common (krb5_context *, krb5_boolean, krb5_boolean); krb5_error_code KRB5_CALLCONV krb5_init_context(krb5_context *context) { - return init_common (context, FALSE); + return init_common (context, FALSE, FALSE); } krb5_error_code KRB5_CALLCONV @@ -94,11 +94,17 @@ krb5_init_secure_context(krb5_context *context) /* This is to make gcc -Wall happy */ if(0) krb5_brand[0] = krb5_brand[0]; - return init_common (context, TRUE); + return init_common (context, TRUE, FALSE); +} + +krb5_error_code KRB5_CALLCONV +krb5int_init_context_kdc(krb5_context *context) +{ + return init_common (context, FALSE, TRUE); } static krb5_error_code -init_common (krb5_context *context, krb5_boolean secure) +init_common (krb5_context *context, krb5_boolean secure, krb5_boolean kdc) { krb5_context ctx = 0; krb5_error_code retval; @@ -170,7 +176,7 @@ init_common (krb5_context *context, krb5_boolean secure) sizeof(krb5_enctype) * ctx->tgs_ktype_count); ctx->conf_tgs_ktypes_count = ctx->tgs_ktype_count; - if ((retval = krb5_os_init_context(ctx))) + if ((retval = krb5_os_init_context(ctx, kdc))) goto cleanup; /* initialize the prng (not well, but passable) */ diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports index afd7846f7..b2fd14e57 100644 --- a/src/lib/krb5/libkrb5.exports +++ b/src/lib/krb5/libkrb5.exports 
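Review bot: The new entry point krb5int_init_context_kdc in init_ctx.c has no documentation, and its krb5int_ prefix signals a private interface while this commit exports it from libkrb5 and calls it from libkadm5srv and the db2 KDB plugin; the intended audience should be stated at the definition. Suggest `/* Like krb5_init_context(), but also adds the KDC profile (DEFAULT_KDC_PROFILE, or the file named by the KDC_PROFILE_ENV variable) to the context's profile search path. For KDC-side libraries only. */`. The added `kdc` parameter of init_common deserves the same one-line description in the static prototype above it.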
@@ -730,3 +730,4 @@ krb5_vset_error_message krb5_get_error_message krb5_free_error_message krb5_clear_error_message +krb5int_init_context_kdc diff --git a/src/lib/krb5/os/init_os_ctx.c b/src/lib/krb5/os/init_os_ctx.c index 866038940..d26743ac6 100644 --- a/src/lib/krb5/os/init_os_ctx.c +++ b/src/lib/krb5/os/init_os_ctx.c @@ -242,11 +242,11 @@ os_get_default_config_files(profile_filespec_t **pfiles, krb5_boolean secure) #ifdef USE_LOGIN_LIBRARY /* If __KLAllowHomeDirectoryAccess() == FALSE, we are probably trying to authenticate to a fileserver for the user's homedir. */ - if (secure || !__KLAllowHomeDirectoryAccess ()) { -#else - if (secure) { + if (!__KLAllowHomeDirectoryAccess ()) + secure = 1; #endif - filepath = DEFAULT_SECURE_PROFILE_PATH; + if (secure) { + filepath = DEFAULT_SECURE_PROFILE_PATH; } else { filepath = getenv("KRB5_CONFIG"); if (!filepath) filepath = DEFAULT_PROFILE_PATH; 
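Review bot: `secure = 1;` in the USE_LOGIN_LIBRARY branch of os_get_default_config_files assigns an int literal to a krb5_boolean parameter that the surrounding code compares against TRUE and FALSE; write `secure = TRUE;` for consistency. Overwriting the parameter also hides, for the rest of the function, whether the caller asked for secure mode or the login library forced it; if that distinction ever matters, copy it into a local first. The function begins and ends outside the hunk.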
@@ -288,12 +288,42 @@ os_get_default_config_files(profile_filespec_t **pfiles, krb5_boolean secure) return 0; } +static krb5_error_code +add_kdc_config_file(profile_filespec_t **pfiles) +{ + char *file; + size_t count; + profile_filespec_t *newfiles; + + file = getenv(KDC_PROFILE_ENV); + if (file == NULL) + file = DEFAULT_KDC_PROFILE; + + for (count = 0; (*pfiles)[count]; count++) + ; + count += 2; + newfiles = malloc(count * sizeof(*newfiles)); + if (newfiles == NULL) + return errno; + memcpy(newfiles + 1, *pfiles, (count-1) * sizeof(*newfiles)); + newfiles[0] = strdup(file); + if (newfiles[0] == NULL) { + int e = errno; + free(newfiles); + return e; + } + free(*pfiles); + *pfiles = newfiles; + return 0; +} -/* Set the profile paths in the context. If secure is set to TRUE then - do not include user paths (from environment variables, etc.) -*/ + +/* Set the profile paths in the context. If secure is set to TRUE + then do not include user paths (from environment variables, etc). + If kdc is TRUE, include kdc.conf from whereever we expect to find + it. */ static krb5_error_code -os_init_paths(krb5_context ctx) +os_init_paths(krb5_context ctx, krb5_boolean kdc) { krb5_error_code retval = 0; profile_filespec_t *files = 0; @@ -305,6 +335,9 @@ os_init_paths(krb5_context ctx) retval = os_get_default_config_files(&files, secure); + if (retval == 0) + retval = add_kdc_config_file(&files); + if (!retval) { retval = profile_init((const_profile_filespec_t *) files, &ctx->profile); @@ -339,7 +372,7 @@ os_init_paths(krb5_context ctx) } krb5_error_code -krb5_os_init_context(krb5_context ctx) +krb5_os_init_context(krb5_context ctx, krb5_boolean kdc) { krb5_os_context os_ctx; krb5_error_code retval = 0; 
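Review bot: The `kdc` parameter added to os_init_paths is never read in the hunk: `if (retval == 0) retval = add_kdc_config_file(&files);` runs for every context, so plain krb5_init_context() callers and the secure re-initialisation in krb5_secure_config_files (which passes FALSE) all get kdc.conf prepended, contradicting the new comment above the function; it should read `if (retval == 0 && kdc)`. Compounding this, add_kdc_config_file consults `getenv(KDC_PROFILE_ENV)` without regard to `secure`, whereas os_get_default_config_files deliberately ignores KRB5_CONFIG in secure mode; passing `secure` through and skipping the getenv when it is set keeps a privileged process from having its KDC profile chosen by its environment. add_kdc_config_file's `return errno;` after a failed malloc should be `return ENOMEM;`, since ISO C does not guarantee that malloc sets errno. os_init_paths continues past the hunk.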
@@ -358,7 +391,7 @@ krb5_os_init_context(krb5_context ctx) ctx->vtbl = 0; PLUGIN_DIR_INIT(&ctx->libkrb5_plugins); - retval = os_init_paths(ctx); + retval = os_init_paths(ctx, kdc); /* * If there's an error in the profile, return an error. Just * ignoring the error is a Bad Thing (tm). @@ -455,7 +488,7 @@ krb5_secure_config_files(krb5_context ctx) } ctx->profile_secure = TRUE; - retval = os_init_paths(ctx); + retval = os_init_paths(ctx, FALSE); if (retval) return retval; diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c index 97ce1123b..ce963e0da 100644 --- a/src/plugins/kdb/db2/adb_openclose.c +++ b/src/plugins/kdb/db2/adb_openclose.c @@ -188,7 +188,7 @@ krb5_error_code osa_adb_init_db(osa_adb_db_t *dbp, char *filename, /* now initialize lockp->lockinfo if necessary */ if (lockp->lockinfo.lockfile == NULL) { - if ((code = krb5_init_context(&lockp->lockinfo.context))) { + if ((code = krb5int_init_context_kdc(&lockp->lockinfo.context))) { free(db); return((krb5_error_code) code); } -- 2.26.2
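Review bot: The db2 plugin's osa_adb_init_db now calls `krb5int_init_context_kdc`, a krb5int_-prefixed libkrb5 symbol, which ties a loadable plugin to a private interface that may change without notice; a comment at the call site stating why this lock context needs the KDC profile, e.g. `/* KDC context: the lock-file location is read from kdc.conf. */` (adjust to the real reason, which is not visible here), would make the dependency deliberate rather than accidental. In the -455 hunk krb5_secure_config_files rebuilds the path list with `os_init_paths(ctx, FALSE)`, so if `kdc` is meant to gate add_kdc_config_file as the new comment says, a context created with kdc=TRUE presumably loses kdc.conf on that call; recording the flag in the context, or documenting the limitation there, would avoid surprises. osa_adb_init_db begins and ends outside the hunk.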