From 98b59e5b55dda7eef896bb9edfc36a5b13b1eccb Mon Sep 17 00:00:00 2001 From: Paul Park Date: Mon, 17 Jul 1995 19:35:58 +0000 Subject: [PATCH] Add KDC profile and stash file support git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6304 dc483132-0cff-0310-8789-dd5450dbe970 --- src/admin/convert/ChangeLog | 7 +++ src/admin/convert/configure.in | 1 + src/admin/convert/kdb5_convert.c | 56 ++++++++++++++++++++- src/admin/create/ChangeLog | 7 +++ src/admin/create/configure.in | 1 + src/admin/create/kdb5_create.c | 60 +++++++++++++++++++++-- src/admin/edit/ChangeLog | 8 +++ src/admin/edit/configure.in | 1 + src/admin/edit/dumpv4.c | 2 +- src/admin/edit/kdb5_edit.c | 70 ++++++++++++++++++++++++-- src/admin/stash/ChangeLog | 7 +++ src/admin/stash/configure.in | 1 + src/admin/stash/kdb5_stash.c | 45 ++++++++++++++++- src/kadmin/v5server/ChangeLog | 13 +++++ src/kadmin/v5server/admin.c | 36 +++++++++----- src/kadmin/v5server/kadm5_defs.h | 71 +++++++++++++++------------ src/kadmin/v5server/kadmind5.M | 8 +++ src/kadmin/v5server/srv_key.c | 4 +- src/kadmin/v5server/srv_main.c | 84 ++++++++++++++++++++++++++++++-- 19 files changed, 423 insertions(+), 59 deletions(-) diff --git a/src/admin/convert/ChangeLog b/src/admin/convert/ChangeLog index 2a95d0689..02b81707f 100644 --- a/src/admin/convert/ChangeLog +++ b/src/admin/convert/ChangeLog @@ -1,4 +1,11 @@ +Mon Jul 17 14:55:58 EDT 1995 Paul Park (pjpark@mit.edu) + * configure.in - Add KADM library. + * kdb5_convert.c - Change calling sequence to krb5_db_fetch_mkey(), + using the stash file. Add KDC profile reading/handling as + a supplement to command line supplied arguments. + + Wed Jul 12 11:55:44 EDT 1995 Paul Park (pjpark@mit.edu) * configure.in - Temporarily add --with-kdb4 option. Default is without kdb4. Without kdb4 enables a define. With kdb4 uses -lkdb4 and diff --git a/src/admin/convert/configure.in b/src/admin/convert/configure.in index e44ba56df..444d81d74 100644 --- a/src/admin/convert/configure.in 
+++ b/src/admin/convert/configure.in @@ -14,6 +14,7 @@ if test "$withval" = yes; then else AC_DEFINE(KDB4_DISABLE) fi +USE_KADM_LIBRARY USE_KDB5_LIBRARY USE_KRB4_LIBRARY KRB5_LIBRARIES diff --git a/src/admin/convert/kdb5_convert.c b/src/admin/convert/kdb5_convert.c index b1a47cb6e..b4c4b8e17 100644 --- a/src/admin/convert/kdb5_convert.c +++ b/src/admin/convert/kdb5_convert.c @@ -41,6 +41,8 @@ static long master_key_version; #include "k5-int.h" #include "com_err.h" +#include "adm.h" +#include "adm_proto.h" #include #include /* ntohl */ @@ -168,6 +170,8 @@ char *argv[]; int tempdb = 0; char *tempdbname; krb5_context context; + char *stash_file = (char *) NULL; + krb5_realm_params *rparams; krb5_enctype etype = 0xffff; 
@@ -232,6 +236,56 @@ char *argv[]; } } + /* + * Attempt to read the KDC profile. If we do, then read appropriate values + * from it and augment values supplied on the command line. + */ + if (!(retval = krb5_read_realm_params(context, + realm, + (char *) NULL, + (char *) NULL, + &rparams))) { + /* Get the value for the database */ + if (rparams->realm_dbname && !dbname) + dbname = strdup(rparams->realm_dbname); + + /* Get the value for the master key name */ + if (rparams->realm_mkey_name && !mkey_name) + mkey_name = strdup(rparams->realm_mkey_name); + + /* Get the value for the master key type */ + if (rparams->realm_keytype_valid && !keytypedone) { + master_keyblock.keytype = rparams->realm_keytype; + keytypedone++; + } + + /* Get the value for the encryption type */ + if (rparams->realm_enctype_valid && (etype == 0xffff)) + etype = rparams->realm_enctype; + + /* Get the value for the stashfile */ + if (rparams->realm_stash_file) + stash_file = strdup(rparams->realm_stash_file); + + /* Get the value for maximum ticket lifetime. */ + if (rparams->realm_max_life_valid) + rblock.max_life = rparams->realm_max_life; + + /* Get the value for maximum renewable ticket lifetime. */ + if (rparams->realm_max_rlife_valid) + rblock.max_rlife = rparams->realm_max_rlife; + + /* Get the value for the default principal expiration */ + if (rparams->realm_expiration_valid) + rblock.expiration = rparams->realm_expiration; + + /* Get the value for the default principal flags */ + if (rparams->realm_flags_valid) + rblock.flags = rparams->realm_flags; + + krb5_free_realm_params(context, rparams); + } + #if defined(ODBM) || defined(KDB4_DISABLE) if (!v4dumpfile) { usage(PROGNAME, 1); @@ -315,7 +369,7 @@ master key name '%s'\n", } if (retval = krb5_db_fetch_mkey(context, master_princ, &master_encblock, - read_mkey, read_mkey, 0, + read_mkey, read_mkey, stash_file, 0, &master_keyblock)) { com_err(PROGNAME, retval, "while reading master key"); exit(1); 
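Review bot: The profile's database name can never take effect in kdb5_convert.c if `dbname` still defaults to DEFAULT_KDB_FILE in this file, because the guard `if (rparams->realm_dbname && !dbname)` only fires on a NULL pointer; kdb5_create.c, kdb5_edit.c and kdb5_stash.c in this same commit switch the initializer to `char *dbname = (char *) NULL;` and add `if (!dbname) dbname = DEFAULT_KDB_FILE;` after the profile block, and this file should do the same (the initializer is outside this hunk, so this is inferred from the sibling files). Separately, every `strdup()` in the block is used unchecked — `dbname = strdup(rparams->realm_dbname);` leaves `dbname` NULL on allocation failure, so later code sees no name at all instead of the configured one; the same unchecked pattern appears in the profile blocks of kdb5_create.c, kdb5_edit.c, kdb5_stash.c and srv_main.c. main() continues outside this hunk.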
diff --git a/src/admin/create/ChangeLog b/src/admin/create/ChangeLog index 0ccc3886b..79a305406 100644 --- a/src/admin/create/ChangeLog +++ b/src/admin/create/ChangeLog @@ -1,4 +1,11 @@ +Mon Jul 17 14:58:00 EDT 1995 Paul Park (pjpark@mit.edu) + * configure.in - Add KADM library. + * kdb5_create.c - Add KDC profile reading/handling as a supplement to + command line supplied arguments. Change calling sequence to + krb5_db_fetch_mkey(). + + Fri Jul 7 15:36:00 EDT 1995 Paul Park (pjpark@mit.edu) * Makefile.in - Remove all explicit library handling and LDFLAGS. * configure.in - Add USE_KDB5_LIBRARY and KRB5_LIBRARIES. diff --git a/src/admin/create/configure.in b/src/admin/create/configure.in index 7defabde6..09e936347 100644 --- a/src/admin/create/configure.in +++ b/src/admin/create/configure.in @@ -15,6 +15,7 @@ else fi AC_SUBST(DBFLAGS)dnl dnl +USE_KADM_LIBRARY USE_KDB5_LIBRARY KRB5_LIBRARIES V5_USE_SHARED_LIB diff --git a/src/admin/create/kdb5_create.c b/src/admin/create/kdb5_create.c index eaaf248a9..07d724130 100644 --- a/src/admin/create/kdb5_create.c +++ b/src/admin/create/kdb5_create.c @@ -26,6 +26,8 @@ #include "k5-int.h" #include "com_err.h" +#include "adm.h" +#include "adm_proto.h" #include enum ap_op { @@ -118,7 +120,7 @@ char *argv[]; int optchar; krb5_error_code retval; - char *dbname = DEFAULT_KDB_FILE; + char *dbname = (char *) NULL; char *realm = 0; char *mkey_name = 0; char *mkey_fullname; @@ -128,6 +130,7 @@ char *argv[]; krb5_enctype etype = 0xffff; krb5_data scratch, pwd; krb5_context context; + krb5_realm_params *rparams; krb5_init_context(&context); krb5_init_ets(context); 
@@ -163,6 +166,55 @@ char *argv[]; } } + /* + * Attempt to read the KDC profile. If we do, then read appropriate values + * from it and augment values supplied on the command line. + */ + if (!(retval = krb5_read_realm_params(context, + realm, + (char *) NULL, + (char *) NULL, + &rparams))) { + /* Get the value for the database */ + if (rparams->realm_dbname && !dbname) + dbname = strdup(rparams->realm_dbname); + + /* Get the value for the master key name */ + if (rparams->realm_mkey_name && !mkey_name) + mkey_name = strdup(rparams->realm_mkey_name); + + /* Get the value for the master key type */ + if (rparams->realm_keytype_valid && !keytypedone) { + master_keyblock.keytype = rparams->realm_keytype; + keytypedone++; + } + + /* Get the value for the encryption type */ + if (rparams->realm_enctype_valid && (etype == 0xffff)) + etype = rparams->realm_enctype; + + /* Get the value for maximum ticket lifetime. */ + if (rparams->realm_max_life_valid) + rblock.max_life = rparams->realm_max_life; + + /* Get the value for maximum renewable ticket lifetime. */ + if (rparams->realm_max_rlife_valid) + rblock.max_rlife = rparams->realm_max_rlife; + + /* Get the value for the default principal expiration */ + if (rparams->realm_expiration_valid) + rblock.expiration = rparams->realm_expiration; + + /* Get the value for the default principal flags */ + if (rparams->realm_flags_valid) + rblock.flags = rparams->realm_flags; + + krb5_free_realm_params(context, rparams); + } + + if (!dbname) + dbname = DEFAULT_KDB_FILE; + if (!keytypedone) master_keyblock.keytype = DEFAULT_KDC_KEYTYPE; 
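Review bot: A failure from `krb5_read_realm_params()` is discarded silently: `retval` is set, the whole block is skipped, and the program continues with command-line values and compiled-in defaults, so an unreadable or malformed KDC profile changes the lifetimes, expiration and default flags the new database is created with without any diagnostic. The hunk does not show whether a missing profile is reported as an error or as success with empty parameters; if it is an error, a warning on that path would still be worth having, e.g. `com_err(argv[0], retval, "while reading realm parameters (continuing with defaults)");`. The same silent fall-through is in kdb5_convert.c, kdb5_edit.c and kdb5_stash.c. main() continues outside this hunk.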
@@ -241,8 +293,10 @@ master key name '%s'\n", fflush(stdout); /* TRUE here means read the keyboard, and do it twice */ - if (retval = krb5_db_fetch_mkey(context, master_princ, &master_encblock, - TRUE, TRUE, 0, &master_keyblock)) { + if (retval = krb5_db_fetch_mkey(context, master_princ, + &master_encblock, + TRUE, TRUE, (char *) NULL, + 0, &master_keyblock)) { com_err(argv[0], retval, "while reading master key"); exit(1); } diff --git a/src/admin/edit/ChangeLog b/src/admin/edit/ChangeLog index 4cfb5dd3b..8faff7c7b 100644 --- a/src/admin/edit/ChangeLog +++ b/src/admin/edit/ChangeLog @@ -1,4 +1,12 @@ +Mon Jul 17 15:00:08 EDT 1995 Paul Park (pjpark@mit.edu) + * configure.in - Add KADM library. + * dumpv4.c - Change calling sequence to krb5_db_fetch_mkey(). + * kdb5_edit.c - Change calling sequence to krb5_db_fetch_mkey() which + uses the stash file. Add KDC profile reading/handling as a + supplement to command line supplied arguments. + + Wed Jul 12 12:01:04 EDT 1995 Paul Park (pjpark@mit.edu) * configure.in - Temporarily add --with-kdb4 option. Default is without kdb4. Without kdb4 enables a define. With kdb4 uses -lkdb4 and diff --git a/src/admin/edit/configure.in b/src/admin/edit/configure.in index 10896bdf5..208b6fba8 100644 --- a/src/admin/edit/configure.in +++ b/src/admin/edit/configure.in @@ -21,6 +21,7 @@ if test "$withval" = yes; then else AC_DEFINE(KDB4_DISABLE) fi +USE_KADM_LIBRARY USE_KDB5_LIBRARY USE_KRB4_LIBRARY USE_SS_LIBRARY diff --git a/src/admin/edit/dumpv4.c b/src/admin/edit/dumpv4.c index 70a6ebc7a..50b081f62 100644 --- a/src/admin/edit/dumpv4.c +++ b/src/admin/edit/dumpv4.c @@ -322,7 +322,7 @@ int handle_keys(arg) master_keyblock.keytype = DEFAULT_KDC_KEYTYPE; if (retval = krb5_db_fetch_mkey(edit_context, master_princ, &master_encblock, 0, - 0, 0, &master_keyblock)) { + 0, (char *) NULL, 0, &master_keyblock)) { com_err(arg->comerr_name, retval, "while reading master key"); exit(1); } 
diff --git a/src/admin/edit/kdb5_edit.c b/src/admin/edit/kdb5_edit.c index 52596c67b..39b0d5165 100644 --- a/src/admin/edit/kdb5_edit.c +++ b/src/admin/edit/kdb5_edit.c @@ -26,6 +26,8 @@ #include "k5-int.h" #include "com_err.h" +#include "adm.h" +#include "adm_proto.h" #include #include /* timeb is part of the interface to get_date. */ @@ -78,6 +80,7 @@ static char search_instance[40]; static int num_instance_tokens; static int must_be_first[2]; static char *mkey_password = 0; +static char *stash_file = (char *) NULL; /* * I can't figure out any way for this not to be global, given how ss @@ -123,12 +126,14 @@ char *kdb5_edit_Init(argc, argv) int optchar; krb5_error_code retval; - char *dbname = DEFAULT_KDB_FILE; + char *dbname = (char *) NULL; char *defrealm; int keytypedone = 0; + int etypedone = 0; krb5_enctype etype = DEFAULT_KDC_ETYPE; extern krb5_kt_ops krb5_ktf_writable_ops; char *request = NULL; + krb5_realm_params *rparams; retval = krb5_init_context(&edit_context); if (retval) { @@ -173,6 +178,7 @@ char *kdb5_edit_Init(argc, argv) break; case 'e': etype = atoi(optarg); + etypedone++; break; case 'm': manual_mkey = TRUE; 
@@ -184,6 +190,56 @@ char *kdb5_edit_Init(argc, argv) } } + /* + * Attempt to read the KDC profile. If we do, then read appropriate values + * from it and augment values supplied on the command line. + */ + if (!(retval = krb5_read_realm_params(edit_context, + cur_realm, + (char *) NULL, + (char *) NULL, + &rparams))) { + /* Get the value for the database */ + if (rparams->realm_dbname && !dbname) + dbname = strdup(rparams->realm_dbname); + + /* Get the value for the master key name */ + if (rparams->realm_mkey_name && !mkey_name) + mkey_name = strdup(rparams->realm_mkey_name); + + /* Get the value for the master key type */ + if (rparams->realm_keytype_valid && !keytypedone) { + master_keyblock.keytype = rparams->realm_keytype; + keytypedone++; + } + + /* Get the value for the encryption type */ + if (rparams->realm_enctype_valid && !etypedone) + etype = rparams->realm_enctype; + + /* Get the value for the stashfile */ + if (rparams->realm_stash_file) + stash_file = strdup(rparams->realm_stash_file); + + /* Get the value for maximum ticket lifetime. */ + if (rparams->realm_max_life_valid) + mblock.max_life = rparams->realm_max_life; + + /* Get the value for maximum renewable ticket lifetime. */ + if (rparams->realm_max_rlife_valid) + mblock.max_rlife = rparams->realm_max_rlife; + + /* Get the value for the default principal expiration */ + if (rparams->realm_expiration_valid) + mblock.expiration = rparams->realm_expiration; + + /* Get the value for the default principal flags */ + if (rparams->realm_flags_valid) + mblock.flags = rparams->realm_flags; + + krb5_free_realm_params(edit_context, rparams); + } + /* Dump creates files which should not be world-readable. It is easiest to do a single umask call here; any shells run by the ss command interface will have umask = 77 but that is not a serious problem. */ 
@@ -195,6 +251,10 @@ char *kdb5_edit_Init(argc, argv) exit(1); } + /* Handle defaults */ + if (!dbname) + dbname = DEFAULT_KDB_FILE; + if (!keytypedone) master_keyblock.keytype = DEFAULT_KDC_KEYTYPE; @@ -456,9 +516,11 @@ set_dbname_help(pname, dbname) (void) krb5_db_fini(edit_context); return(1); } +#ifdef notdef mblock.max_life = master_entry.max_life; mblock.max_rlife = master_entry.max_renewable_life; mblock.expiration = master_entry.expiration; +#endif /* notdef */ /* don't set flags, master has some extra restrictions */ mblock.mkvno = master_entry.kvno; @@ -483,7 +545,8 @@ set_dbname_help(pname, dbname) mkey_password = 0; } else if (retval = krb5_db_fetch_mkey(edit_context, master_princ, &master_encblock, manual_mkey, - FALSE, 0, &master_keyblock)) { + FALSE, stash_file, + 0, &master_keyblock)) { com_err(pname, retval, "while reading master key"); com_err(pname, 0, "Warning: proceeding without master key"); exit_status++; @@ -550,7 +613,8 @@ void enter_master_key(argc, argv) master_keyblock.contents = NULL; } if (retval = krb5_db_fetch_mkey(edit_context, master_princ, &master_encblock, - TRUE, FALSE, 0, &master_keyblock)) { + TRUE, FALSE, (char *) NULL, + 0, &master_keyblock)) { com_err(pname, retval, "while reading master key"); exit_status++; return; diff --git a/src/admin/stash/ChangeLog b/src/admin/stash/ChangeLog index 65ca88b74..f0f9a9603 100644 --- a/src/admin/stash/ChangeLog +++ b/src/admin/stash/ChangeLog @@ -1,4 +1,11 @@ +Mon Jul 17 15:02:29 EDT 1995 Paul Park (pjpark@mit.edu) + * configure.in - Add KADM library. + * kdb5_stash.c - Change calling sequence to krb5_db_fetch_mkey(). Add + KDC profile reading/handling as a supplement to command line + arguments. + + Fri Jul 7 15:38:50 EDT 1995 Paul Park (pjpark@mit.edu) * Makefile.in - Remove all explicit library handling and LDFLAGS. * configure.in - Add USE_KDB5_LIBRARY and KRB5_LIBRARIES. diff --git a/src/admin/stash/configure.in b/src/admin/stash/configure.in index eb8220e6d..c37cbcf82 100644 
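Review bot: Wrapping the three `mblock` assignments in `#ifdef notdef` in set_dbname_help() changes behaviour rather than just removing dead code: before, the defaults for new principals were taken from the master entry in the database; now they are whatever the profile block in kdb5_edit_Init() put into `mblock`, and when the profile lacks max_life, max_rlife or expiration the previous contents of `mblock` are used (its initial value is outside this hunk). If the intent is that profile values win over the master entry, track whether the profile supplied each value and only skip the corresponding master-entry assignment in that case; if the master-entry values are really obsolete, delete the lines and say so in a comment, because `#ifdef notdef` leaves the reader guessing which. The ChangeLog entry does not mention this behaviour change. set_dbname_help() starts and ends outside this hunk.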
--- a/src/admin/stash/configure.in +++ b/src/admin/stash/configure.in @@ -15,6 +15,7 @@ else fi AC_SUBST(DBFLAGS)dnl dnl +USE_KADM_LIBRARY USE_KDB5_LIBRARY KRB5_LIBRARIES V5_USE_SHARED_LIB diff --git a/src/admin/stash/kdb5_stash.c b/src/admin/stash/kdb5_stash.c index 1cc87def0..6d5157316 100644 --- a/src/admin/stash/kdb5_stash.c +++ b/src/admin/stash/kdb5_stash.c @@ -26,6 +26,8 @@ #include "k5-int.h" #include "com_err.h" +#include "adm.h" +#include "adm_proto.h" #include extern int errno; @@ -54,12 +56,13 @@ char *argv[]; extern char *optarg; int optchar; krb5_error_code retval; - char *dbname = DEFAULT_KDB_FILE; + char *dbname = (char *) NULL; char *realm = 0; char *mkey_name = 0; char *mkey_fullname; char *keyfile = 0; krb5_context context; + krb5_realm_params *rparams; int keytypedone = 0; krb5_enctype etype = 0xffff; 
@@ -98,6 +101,43 @@ char *argv[]; } } + /* + * Attempt to read the KDC profile. If we do, then read appropriate values + * from it and augment values supplied on the command line. + */ + if (!(retval = krb5_read_realm_params(context, + realm, + (char *) NULL, + (char *) NULL, + &rparams))) { + /* Get the value for the database */ + if (rparams->realm_dbname && !dbname) + dbname = strdup(rparams->realm_dbname); + + /* Get the value for the master key name */ + if (rparams->realm_mkey_name && !mkey_name) + mkey_name = strdup(rparams->realm_mkey_name); + + /* Get the value for the master key type */ + if (rparams->realm_keytype_valid && !keytypedone) { + master_keyblock.keytype = rparams->realm_keytype; + keytypedone++; + } + + /* Get the value for the stash file */ + if (rparams->realm_stash_file && !keyfile) + keyfile = strdup(rparams->realm_stash_file); + + /* Get the value for the encryption type */ + if (rparams->realm_enctype_valid && (etype == 0xffff)) + etype = rparams->realm_enctype; + + krb5_free_realm_params(context, rparams); + } + + if (!dbname) + dbname = DEFAULT_KDB_FILE; + if (!keytypedone) master_keyblock.keytype = DEFAULT_KDC_KEYTYPE; @@ -146,7 +186,8 @@ char *argv[]; /* TRUE here means read the keyboard, but only once */ if (retval = krb5_db_fetch_mkey(context, master_princ, &master_encblock, - TRUE, FALSE, 0, &master_keyblock)) { + TRUE, FALSE, (char *) NULL, + 0, &master_keyblock)) { com_err(argv[0], retval, "while reading master key"); (void) krb5_db_fini(context); exit(1); diff --git a/src/kadmin/v5server/ChangeLog b/src/kadmin/v5server/ChangeLog index 0f8e1c60c..3aeab5aea 100644 --- a/src/kadmin/v5server/ChangeLog +++ b/src/kadmin/v5server/ChangeLog 
@@ -1,4 +1,17 @@ +Mon Jul 17 15:07:08 EDT 1995 Paul Park (pjpark@mit.edu) + * srv_main.c - Add stash-file handling and supply appropriate value to + krb5_db_fetch_mkey(). Add KDC profile reading/handling to + supercede any values supplied on the command line. Add call + to new admin_init() which initializes the admin module. + * srv_key.c - Add stash-file handling. + * admin.c - Add admin_init() which takes supplied per-realm defaults to + initialize the default database entry. + * kadm5_defs.h - Change PROTOTYPE to KRB5_PROTOTYPE. Update prototype + for key_init and add admin_init. + * kadmind5.M - Add description of -s stashfile. + + Fri Jul 7 16:01:37 EDT 1995 Paul Park (pjpark@mit.edu) * Makefile.in - Remove all explicit library handling and LDFLAGS. * configure.in - Add USE_ and KRB5_LIBRARIES. diff --git a/src/kadmin/v5server/admin.c b/src/kadmin/v5server/admin.c index 5a746fe72..5aed8b706 100644 --- a/src/kadmin/v5server/admin.c +++ b/src/kadmin/v5server/admin.c @@ -28,8 +28,8 @@ #include "k5-int.h" #include "kadm5_defs.h" -#include "adm_proto.h" #include "adm.h" +#include "adm_proto.h" /* * Data structure used to pass information in and out of krb5_db_iterate. @@ -45,7 +45,6 @@ struct inq_context { }; static krb5_db_entry admin_def_dbent; -static krb5_boolean admin_def_dbent_inited = 0; static const char *admin_perm_denied_fmt = "\004ACL entry prevents %s operation by %s"; static const char *admin_db_write_err_fmt = "\004database write failed during %s operation by %s"; 
@@ -71,16 +70,22 @@ extern char *programname; * admin_init_def_dbent() - Initialize the default database entry. */ static void -admin_init_def_dbent() +admin_init_def_dbent(mlife, mrlife, evalid, e, fvalid, f) + krb5_deltat mlife; + krb5_deltat mrlife; + krb5_boolean evalid; + krb5_timestamp e; + krb5_boolean fvalid; + krb5_flags f; { /* Zero it all out, and fill in non-zero defaults */ memset((char *) &admin_def_dbent, 0, sizeof(admin_def_dbent)); admin_def_dbent.kvno = 1; - admin_def_dbent.max_life = KRB5_KDB_MAX_LIFE; - admin_def_dbent.max_renewable_life = KRB5_KDB_MAX_RLIFE; - admin_def_dbent.expiration = KRB5_KDB_EXPIRATION; - admin_def_dbent.attributes = KRB5_KDB_DEF_FLAGS; - admin_def_dbent_inited = 1; + admin_def_dbent.max_life = (mlife > 0) ? mlife : KRB5_KDB_MAX_LIFE; + admin_def_dbent.max_renewable_life = + (mrlife > 0) ? mrlife : KRB5_KDB_MAX_RLIFE; + admin_def_dbent.expiration = (evalid) ? e : KRB5_KDB_EXPIRATION; + admin_def_dbent.attributes = (fvalid) ? f : KRB5_KDB_DEF_FLAGS; } /* @@ -442,10 +447,6 @@ admin_add_modify(kcontext, debug_level, ticket, nargs, arglist, &temp)))) { krb5_db_entry *merge; - /* Check if the default is initialized */ - if (!admin_def_dbent_inited) - admin_init_def_dbent(); - merge = (should_exist) ? &cur_dbentry : &admin_def_dbent; @@ -1384,3 +1385,14 @@ admin_extract_key(kcontext, debug_level, ticket, return(retval); } +void +admin_init(max_life, max_renew_life, e_valid, e, f_valid, f) + krb5_deltat max_life; + krb5_deltat max_renew_life; + krb5_boolean e_valid; + krb5_timestamp e; + krb5_boolean f_valid; + krb5_flags f; +{ + admin_init_def_dbent(max_life, max_renew_life, e_valid, e, f_valid, f); +} diff --git a/src/kadmin/v5server/kadm5_defs.h b/src/kadmin/v5server/kadm5_defs.h index 7d3d4d095..3ac067de7 100644 --- a/src/kadmin/v5server/kadm5_defs.h +++ b/src/kadmin/v5server/kadm5_defs.h @@ -88,7 +88,7 @@ /* srv_key.c */ krb5_error_code key_init - PROTOTYPE((krb5_context, + KRB5_PROTOTYPE((krb5_context, int, int, int, 
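Review bot: `admin_init_def_dbent()` validates the two lifetimes by sign (`(mlife > 0) ? mlife : KRB5_KDB_MAX_LIFE`) while expiration and flags get explicit `evalid`/`fvalid` booleans; since srv_main.c initialises `maxlife`/`maxrlife` to -1 and only overwrites them when `realm_max_life_valid` is set, a profile value of 0 is treated as "not configured" and replaced by the compiled-in maximum. If 0 is not a meaningful lifetime that is acceptable but deserves a comment, e.g. `/* A non-positive lifetime means "not configured"; use the compiled-in default. */`; otherwise pass validity flags for the lifetimes too, matching `e` and `f`.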
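Review bot: Removing the `admin_def_dbent_inited` check in admin_add_modify() makes the default entry's correctness depend on srv_main.c calling admin_init() before the first request; if any path reaches admin_add_modify() without it, `admin_def_dbent` is the zero-filled static — kvno 0, max_life 0, attributes 0 — and a principal is created from whatever those zeros mean to the KDC. A cheap guard keeps the old safety: keep a static `inited` flag set in admin_init_def_dbent() and, in admin_add_modify(), call `admin_init_def_dbent(-1, -1, FALSE, 0, FALSE, 0);` when it is clear. The new admin_init() wrapper at the end of the file also lacks a header comment; `/* admin_init() - set per-realm defaults for new principals; must run before the first admin_add_modify(). */` would state the ordering requirement. admin_add_modify() starts and ends outside this hunk.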
@@ -96,12 +96,13 @@ krb5_error_code key_init int, char *, char *, + char *, char *)); void key_finish - PROTOTYPE((krb5_context, + KRB5_PROTOTYPE((krb5_context, int)); krb5_error_code key_string_to_keys - PROTOTYPE((krb5_context, + KRB5_PROTOTYPE((krb5_context, krb5_principal, krb5_data *, krb5_int32, @@ -111,24 +112,24 @@ krb5_error_code key_string_to_keys krb5_data *, krb5_data *)); krb5_error_code key_random_key - PROTOTYPE((krb5_context, + KRB5_PROTOTYPE((krb5_context, krb5_keyblock *)); krb5_error_code key_encrypt_keys - PROTOTYPE((krb5_context, + KRB5_PROTOTYPE((krb5_context, krb5_principal, krb5_keyblock *, krb5_keyblock *, krb5_encrypted_keyblock *, krb5_encrypted_keyblock *)); krb5_error_code key_decrypt_keys - PROTOTYPE((krb5_context, + KRB5_PROTOTYPE((krb5_context, krb5_principal, krb5_encrypted_keyblock *, krb5_encrypted_keyblock *, krb5_keyblock *, krb5_keyblock *)); krb5_boolean key_pwd_is_weak - PROTOTYPE((krb5_context, + KRB5_PROTOTYPE((krb5_context, krb5_principal, krb5_data *, krb5_int32, @@ -140,34 +141,34 @@ krb5_keyblock *key_admin_key(); /* srv_acl.c */ krb5_error_code acl_init - PROTOTYPE((krb5_context, + KRB5_PROTOTYPE((krb5_context, int, char *)); void acl_finish - PROTOTYPE((krb5_context, + KRB5_PROTOTYPE((krb5_context, int)); krb5_boolean acl_op_permitted - PROTOTYPE((krb5_context, + KRB5_PROTOTYPE((krb5_context, krb5_principal, krb5_int32)); /* srv_output.c */ krb5_error_code output_init - PROTOTYPE((krb5_context, + KRB5_PROTOTYPE((krb5_context, int, char *, krb5_boolean)); void output_finish - PROTOTYPE((krb5_context, + KRB5_PROTOTYPE((krb5_context, int)); krb5_boolean output_lang_supported - PROTOTYPE((char *)); + KRB5_PROTOTYPE((char *)); char *output_krb5_errmsg - PROTOTYPE((char *, + KRB5_PROTOTYPE((char *, krb5_boolean, krb5_int32)); char *output_adm_error - PROTOTYPE((char *, + KRB5_PROTOTYPE((char *, krb5_boolean, krb5_int32, krb5_int32, 
@@ -176,26 +177,26 @@ char *output_adm_error /* srv_net.c */ krb5_error_code net_init - PROTOTYPE((krb5_context, + KRB5_PROTOTYPE((krb5_context, int, krb5_int32)); void net_finish - PROTOTYPE((krb5_context, + KRB5_PROTOTYPE((krb5_context, int)); krb5_error_code net_dispatch - PROTOTYPE((krb5_context)); + KRB5_PROTOTYPE((krb5_context)); krb5_principal net_server_princ(); /* proto_serv.c */ krb5_error_code proto_init - PROTOTYPE((krb5_context, + KRB5_PROTOTYPE((krb5_context, int, int)); void proto_finish - PROTOTYPE((krb5_context, + KRB5_PROTOTYPE((krb5_context, int)); krb5_error_code proto_serv - PROTOTYPE((krb5_context, + KRB5_PROTOTYPE((krb5_context, krb5_int32, int, void *, @@ -203,14 +204,14 @@ krb5_error_code proto_serv /* passwd.c */ krb5_int32 passwd_check - PROTOTYPE((krb5_context, + KRB5_PROTOTYPE((krb5_context, int, krb5_auth_context, krb5_ticket *, krb5_data *, krb5_int32 *)); krb5_int32 passwd_change - PROTOTYPE((krb5_context, + KRB5_PROTOTYPE((krb5_context, int, krb5_auth_context, krb5_ticket *, @@ -218,7 +219,7 @@ krb5_int32 passwd_change krb5_data *, krb5_int32 *)); krb5_boolean passwd_check_npass_ok - PROTOTYPE((krb5_context, + KRB5_PROTOTYPE((krb5_context, int, krb5_principal, krb5_db_entry *, 
@@ -227,52 +228,58 @@ krb5_boolean passwd_check_npass_ok /* admin.c */ krb5_error_code admin_add_principal - PROTOTYPE((krb5_context, + KRB5_PROTOTYPE((krb5_context, int, krb5_ticket *, krb5_int32, krb5_data *)); krb5_error_code admin_delete_principal - PROTOTYPE((krb5_context, + KRB5_PROTOTYPE((krb5_context, int, krb5_ticket *, krb5_data *)); krb5_error_code admin_rename_principal - PROTOTYPE((krb5_context, + KRB5_PROTOTYPE((krb5_context, int, krb5_ticket *, krb5_data *, krb5_data *)); krb5_error_code admin_modify_principal - PROTOTYPE((krb5_context, + KRB5_PROTOTYPE((krb5_context, int, krb5_ticket *, krb5_int32, krb5_data *)); krb5_error_code admin_change_opw - PROTOTYPE((krb5_context, + KRB5_PROTOTYPE((krb5_context, int, krb5_ticket *, krb5_data *, krb5_data *)); krb5_error_code admin_change_orandpw - PROTOTYPE((krb5_context, + KRB5_PROTOTYPE((krb5_context, int, krb5_ticket *, krb5_data *)); krb5_error_code admin_inquire - PROTOTYPE((krb5_context, + KRB5_PROTOTYPE((krb5_context, int, krb5_ticket *, krb5_data *, krb5_int32 *, krb5_data **)); krb5_error_code admin_extract_key - PROTOTYPE((krb5_context, + KRB5_PROTOTYPE((krb5_context, int, krb5_ticket *, krb5_data *, krb5_data *, krb5_int32 *, krb5_data **)); +void admin_init KRB5_PROTOTYPE((krb5_deltat, + krb5_deltat, + krb5_boolean, + krb5_timestamp, + krb5_boolean, + krb5_flags)); #endif /* KADM5_DEFS_H__ */ diff --git a/src/kadmin/v5server/kadmind5.M b/src/kadmin/v5server/kadmind5.M index d494ec436..88eafc01a 100644 --- a/src/kadmin/v5server/kadmind5.M +++ b/src/kadmin/v5server/kadmind5.M @@ -49,6 +49,9 @@ port .B \-r realm ] [ +.B \-s +keystash +] [ .B \-t timeout ] [ @@ -87,6 +90,11 @@ Indicates that the master key name is to be entered manually. .IP \-e .B enctype specifies the encryption type which is to be used. +.IP \-s +.B keystash +specifies the key stash file ( created by +.I kdb5_stash(8) +) used for automatic restart. .IP \-T .B keytab specifies the name of the service key table. 
diff --git a/src/kadmin/v5server/srv_key.c b/src/kadmin/v5server/srv_key.c
index 768b55b9d..08453f0c0 100644
--- a/src/kadmin/v5server/srv_key.c
+++ b/src/kadmin/v5server/srv_key.c
@@ -298,7 +298,7 @@ key_get_admin_entry(kcontext)
  */
 krb5_error_code
 key_init(kcontext, debug_level, enc_type, key_type, master_key_name, manual,
- db_file, db_realm, kt_name)
+ db_file, db_realm, kt_name, sf_name)
 krb5_context kcontext;
 int debug_level;
 int enc_type;
@@ -308,6 +308,7 @@ key_init(kcontext, debug_level, enc_type, key_type, master_key_name, manual,
 char *db_file;
 char *db_realm;
 char *kt_name;
+ char *sf_name;
 {
 krb5_enctype kdc_etype;
 char *mkey_name;
@@ -439,6 +440,7 @@ key_init(kcontext, debug_level, enc_type, key_type, master_key_name, manual,
 &master_encblock,
 manual,
 FALSE, /* Only read once if manual */
+ sf_name, /* stash file */
 0, /* No salt */
 &master_keyblock);
 if (kret) {
diff --git a/src/kadmin/v5server/srv_main.c b/src/kadmin/v5server/srv_main.c
index 866e064fe..ba906e365 100644
--- a/src/kadmin/v5server/srv_main.c
+++ b/src/kadmin/v5server/srv_main.c
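Review bot: The new `sf_name` parameter of key_init() is undocumented: the comment block that closes with `*/` at the top of the first hunk presumably describes the function (its text is outside the hunk), and the only hint is `/* stash file */` at the krb5_db_fetch_mkey() call. Add a line there such as `sf_name - stash file to read the master key from, or NULL if none is configured`; what krb5_db_fetch_mkey() does with a NULL stash and `manual` FALSE is not visible here, so state that in the comment only if the library guarantees it. key_init() continues outside these hunks.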
@@ -33,18 +33,21 @@ #include #include "k5-int.h" #include "com_err.h" +#include "adm.h" #include "adm_proto.h" #ifdef LANGUAGES_SUPPORTED -static const char *usage_format = "%s: usage is %s [-a aclfile] [-d database] [-e enctype] [-m]\n\t[-k mkeytype] [-l langlist] [-p portnum] [-r realm] [-t timeout] [-n]\n\t[-D dbg] [-M mkeyname] [-T ktabname].\n"; +static const char *usage_format = "%s: usage is %s [-a aclfile] [-d database] [-e enctype] [-m]\n\t[-k mkeytype] [-l langlist] [-p portnum] [-r realm] [-s stash] [-t timeout] [-n]\n\t[-D dbg] [-M mkeyname] [-T ktabname].\n"; static const char *getopt_string = "a:d:e:k:l:mnp:r:t:D:M:T:"; #else /* LANGUAGES_SUPPORTED */ -static const char *usage_format = "%s: usage is %s [-a aclfile] [-d database] [-e enctype] [-m]\n\t[-k mkeytype] [-p portnum] [-r realm] [-t timeout] [-n]\n\t[-D dbg] [-M mkeyname] [-T ktabname].\n"; +static const char *usage_format = "%s: usage is %s [-a aclfile] [-d database] [-e enctype] [-m]\n\t[-k mkeytype] [-p portnum] [-r realm] [-s stash] [-t timeout] [-n]\n\t[-D dbg] [-M mkeyname] [-T ktabname].\n"; static const char *getopt_string = "a:d:e:k:mnp:r:t:D:M:T:"; #endif /* LANGUAGES_SUPPORTED */ static const char *fval_not_number = "%s: value (%s) specified for -%c is not numeric.\n"; static const char *extra_params = "%s extra paramters beginning with %s... \n"; static const char *daemon_err = "%s: cannot spawn and detach.\n"; +static const char *grealm_err = "%s: cannot get default realm.\n"; +static const char *pinit_err = "%s: cannot open configuration file %s.\n"; static const char *no_memory_fmt = "%s: cannot allocate %d bytes for %s.\n"; static const char *begin_op_msg = "\007%s starting."; static const char *disp_err_fmt = "\004dispatch error."; 
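Review bot: The usage strings on both sides of `LANGUAGES_SUPPORTED` now advertise `[-s stash]`, but the `getopt_string` context lines next to them are unchanged and contain no `s:`, so getopt() rejects `-s` as an unknown option and the `case 's':` added in the option switch further down (the `@@ -173,6 +185,9 @@` hunk) is unreachable; the only way a stash file reaches key_init() is through the profile. Change them to `static const char *getopt_string = "a:d:e:k:l:mnp:r:s:t:D:M:T:";` and `static const char *getopt_string = "a:d:e:k:mnp:r:s:t:D:M:T:";`. The new `grealm_err` and `pinit_err` strings are not referenced in any hunk of this file; if they are used outside the hunks that is fine, otherwise they are dead definitions.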
@@ -108,6 +111,13 @@ main(argc, argv) char *db_realm = (char *) NULL; char *master_key_name = (char *) NULL; char *keytab_name = (char *) NULL; + char *stash_name = (char *) NULL; + krb5_deltat maxlife = -1; + krb5_deltat maxrlife = -1; + krb5_timestamp def_expiration; + krb5_flags def_flags; + krb5_boolean exp_valid, flags_valid; + krb5_realm_params *rparams; /* Kerberatic contexts */ krb5_context kcontext; @@ -126,12 +136,14 @@ main(argc, argv) * [-n] * [-p portnumber] * [-r realmname] + * [-s stashfile] * [-t timeout] * [-D debugmask] * [-M masterkeyname] * [-T keytabname] */ error = 0; + exp_valid = flags_valid = FALSE; while ((option = getopt(argc, argv, getopt_string)) != EOF) { switch (option) { case 'a': @@ -173,6 +185,9 @@ main(argc, argv) case 'r': db_realm = optarg; break; + case 's': + stash_name = optarg; + break; case 't': if (sscanf(optarg, "%d", &timeout) != 1) { fprintf(stderr, fval_not_number, argv[0], optarg, 't'); 
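Review bot: `def_expiration` and `def_flags` are declared without initialisers and, further down in this file, passed to admin_init() unconditionally, so when the profile does not supply them (or the profile read fails) an uninitialised automatic is read — undefined behaviour even though admin_init_def_dbent() ignores the value when the matching valid flag is FALSE. Initialise them at the declaration: `krb5_timestamp def_expiration = 0;` and `krb5_flags def_flags = 0;`, alongside the `exp_valid = flags_valid = FALSE;` this commit already adds. main() continues outside this hunk.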
@@ -233,6 +248,62 @@ main(argc, argv) krb5_init_ets(kcontext); krb5_klog_init(kcontext, "admin_server", programname, 1); + /* + * Attempt to read the KDC profile. If we do, then read appropriate values + * from it and supercede values supplied on the command line. + */ + if (!(error = krb5_read_realm_params(kcontext, + db_realm, + (char *) NULL, + (char *) NULL, + &rparams))) { + /* Get the value for the database */ + if (rparams->realm_dbname) + db_file = strdup(rparams->realm_dbname); + + /* Get the value for the master key name */ + if (rparams->realm_mkey_name) + master_key_name = strdup(rparams->realm_mkey_name); + + /* Get the value for the master key type */ + if (rparams->realm_keytype_valid) + key_type = rparams->realm_keytype; + + /* Get the value for the port */ + if (rparams->realm_kadmind_port_valid) + service_port = rparams->realm_kadmind_port; + + /* Get the value for the encryption type */ + if (rparams->realm_enctype_valid) + enc_type = rparams->realm_enctype; + + /* Get the value for the stashfile */ + if (rparams->realm_stash_file) + stash_name = strdup(rparams->realm_stash_file); + + /* Get the value for maximum ticket lifetime. */ + if (rparams->realm_max_life_valid) + maxlife = rparams->realm_max_life; + + /* Get the value for maximum renewable ticket lifetime. */ + if (rparams->realm_max_rlife_valid) + maxrlife = rparams->realm_max_rlife; + + /* Get the value for the default principal expiration */ + if (rparams->realm_expiration_valid) { + def_expiration = rparams->realm_expiration; + exp_valid = TRUE; + } + + /* Get the value for the default principal flags */ + if (rparams->realm_flags_valid) { + def_flags = rparams->realm_flags; + flags_valid = TRUE; + } + + krb5_free_realm_params(kcontext, rparams); + } + if ((signal_number = #if POSIX_SETJMP sigsetjmp(terminal_jmp, 1) 
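Review bot: The precedence here is inverted relative to the four admin tools changed in this commit: `db_file = strdup(rparams->realm_dbname);` and the `master_key_name`, `key_type`, `service_port`, `enc_type` and `stash_name` assignments carry no "not already set" guard, so a `-d`, `-p` or `-M` given on the kadmind command line is silently discarded whenever the profile has a value. The ChangeLog says this is intended, but nothing in the usage string or kadmind5.M tells the operator; either add the guards (e.g. `if (rparams->realm_dbname && !db_file)`) for consistency with kdb5_create/kdb5_edit/kdb5_stash, or document the precedence in a comment above the block and in the manual page. Note also that `db_realm` is still NULL here when `-r` was not given; whether krb5_read_realm_params() accepts that is not visible in the hunk. main() continues outside this hunk.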
@@ -273,7 +344,7 @@ main(argc, argv) */ error = key_init(kcontext, debug_level, enc_type, key_type, master_key_name, manual_entry, db_file, db_realm, - keytab_name); + keytab_name, stash_name); if (!error) { error = acl_init(kcontext, debug_level, acl_file); if (!error) { @@ -283,7 +354,12 @@ main(argc, argv) error = net_init(kcontext, debug_level, service_port); if (!error) { error = proto_init(kcontext, debug_level, timeout); - + admin_init(maxlife, + maxrlife, + exp_valid, + def_expiration, + flags_valid, + def_flags); if (error) errmsg = proto_msg; } -- 2.26.2
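Review bot: `admin_init(...)` is inserted between `error = proto_init(...)` and the `if (error) errmsg = proto_msg;` that checks it, so it runs even when proto_init() failed and it visually detaches the call from its error check. Since admin_init() only fills a static struct the extra call is harmless, but placing it inside the success branch — `if (!error) admin_init(maxlife, maxrlife, exp_valid, def_expiration, flags_valid, def_flags);` — or before proto_init() keeps the init chain uniform with the other *_init() calls. main() continues outside this hunk.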