Print this page
8485 Remove set but unused variables in usr/src/cmd
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/cmd/krb5/ldap_util/kdb5_ldap_realm.c
+++ new/usr/src/cmd/krb5/ldap_util/kdb5_ldap_realm.c
1 1 /*
2 + * Copyright 2017 Gary Mills
2 3 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
3 4 * Use is subject to license terms.
4 5 */
5 6
6 7 /*
7 8 * kadmin/ldap_util/kdb5_ldap_realm.c
8 9 *
9 10 * Copyright 1990,1991,2001, 2002 by the Massachusetts Institute of Technology.
10 11 * All Rights Reserved.
11 12 *
12 13 * Export of this software from the United States of America may
13 14 * require a specific license from the United States Government.
14 15 * It is the responsibility of any person or organization contemplating
15 16 * export to obtain such a license before exporting.
16 17 *
17 18 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
18 19 * distribute this software and its documentation for any purpose and
19 20 * without fee is hereby granted, provided that the above copyright
20 21 * notice appear in all copies and that both that copyright notice and
21 22 * this permission notice appear in supporting documentation, and that
22 23 * the name of M.I.T. not be used in advertising or publicity pertaining
23 24 * to distribution of the software without specific, written prior
24 25 * permission. Furthermore if you modify this software you must label
25 26 * your software as modified software and not distribute it in such a
26 27 * fashion that it might be confused with the original M.I.T. software.
27 28 * M.I.T. makes no representations about the suitability of
28 29 * this software for any purpose. It is provided "as is" without express
29 30 * or implied warranty.
30 31 */
31 32
32 33 /*
33 34 * Copyright (C) 1998 by the FundsXpress, INC.
34 35 *
35 36 * All rights reserved.
36 37 *
37 38 * Export of this software from the United States of America may require
38 39 * a specific license from the United States Government. It is the
39 40 * responsibility of any person or organization contemplating export to
40 41 * obtain such a license before exporting.
41 42 *
42 43 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
43 44 * distribute this software and its documentation for any purpose and
44 45 * without fee is hereby granted, provided that the above copyright
45 46 * notice appear in all copies and that both that copyright notice and
46 47 * this permission notice appear in supporting documentation, and that
47 48 * the name of FundsXpress. not be used in advertising or publicity pertaining
48 49 * to distribution of the software without specific, written prior
49 50 * permission. FundsXpress makes no representations about the suitability of
50 51 * this software for any purpose. It is provided "as is" without express
51 52 * or implied warranty.
52 53 *
53 54 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
54 55 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
55 56 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
56 57 */
57 58
58 59 /* Copyright (c) 2004-2005, Novell, Inc.
59 60 * All rights reserved.
60 61 *
61 62 * Redistribution and use in source and binary forms, with or without
62 63 * modification, are permitted provided that the following conditions are met:
63 64 *
64 65 * * Redistributions of source code must retain the above copyright notice,
65 66 * this list of conditions and the following disclaimer.
66 67 * * Redistributions in binary form must reproduce the above copyright
67 68 * notice, this list of conditions and the following disclaimer in the
68 69 * documentation and/or other materials provided with the distribution.
69 70 * * The copyright holder's name is not used to endorse or promote products
70 71 * derived from this software without specific prior written permission.
71 72 *
72 73 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
73 74 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
74 75 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
75 76 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
76 77 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
77 78 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
78 79 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
79 80 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
80 81 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
81 82 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
82 83 * POSSIBILITY OF SUCH DAMAGE.
83 84 */
84 85
85 86 /*
86 87 * Create / Modify / Destroy / View / List realm(s)
87 88 */
88 89
89 90 /* Needed for getting the definition of KRB5_TL_DB_ARGS */
90 91 #define SECURID
91 92
92 93 #include <stdio.h>
93 94 #include <k5-int.h>
94 95 #include <kadm5/admin.h>
95 96 #include <libintl.h>
96 97 #include <locale.h>
97 98 #include "kdb5_ldap_util.h"
98 99 #include "kdb5_ldap_list.h"
99 100 #include <ldap_principal.h>
100 101 #include <ldap_krbcontainer.h>
101 102 extern time_t get_date(char *); /* kadmin/cli/getdate.o */
102 103
103 104 char *yes = "yes\n"; /* \n to compare against result of fgets */
104 105 krb5_key_salt_tuple def_kslist = {ENCTYPE_DES_CBC_CRC, KRB5_KDB_SALTTYPE_NORMAL};
105 106
106 107 struct realm_info rblock = {
107 108 KRB5_KDB_MAX_LIFE,
108 109 KRB5_KDB_MAX_RLIFE,
109 110 KRB5_KDB_EXPIRATION,
110 111 KRB5_KDB_DEF_FLAGS,
111 112 (krb5_keyblock *) NULL,
112 113 1,
113 114 &def_kslist
114 115 };
115 116
116 117 krb5_data tgt_princ_entries[] = {
117 118 {0, KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME},
118 119 {0, 0, 0} };
119 120
120 121 krb5_data db_creator_entries[] = {
121 122 {0, sizeof("db_creation")-1, "db_creation"} };
122 123
123 124
124 125 static krb5_principal_data db_create_princ = {
125 126 0, /* magic number */
126 127 {0, 0, 0}, /* krb5_data realm */
127 128 db_creator_entries, /* krb5_data *data */
128 129 1, /* int length */
129 130 KRB5_NT_SRV_INST /* int type */
130 131 };
131 132
132 133 extern char *mkey_password;
133 134 extern char *progname;
134 135 extern kadm5_config_params global_params;
135 136
136 137 static void print_realm_params(krb5_ldap_realm_params *rparams, int mask);
137 138 static int kdb_ldap_create_principal (krb5_context context, krb5_principal
138 139 princ, enum ap_op op, struct realm_info *pblock);
139 140
140 141
141 142 static char *strdur(time_t duration);
142 143 static int get_ticket_policy(krb5_ldap_realm_params *rparams, int *i, char *argv[],int argc);
143 144 static krb5_error_code krb5_dbe_update_mod_princ_data_new (krb5_context context, krb5_db_entry *entry, krb5_timestamp mod_date, krb5_const_principal mod_princ);
144 145 static krb5_error_code krb5_dbe_update_tl_data_new ( krb5_context context, krb5_db_entry *entry, krb5_tl_data *new_tl_data);
145 146
146 147 #define ADMIN_LIFETIME 60*60*3 /* 3 hours */
147 148 #define CHANGEPW_LIFETIME 60*5 /* 5 minutes */
148 149
|
↓ open down ↓ |
137 lines elided |
↑ open up ↑ |
149 150 static int get_ticket_policy(rparams,i,argv,argc)
150 151 krb5_ldap_realm_params *rparams;
151 152 int *i;
152 153 char *argv[];
153 154 int argc;
154 155 {
155 156 time_t date;
156 157 time_t now;
157 158 int mask = 0;
158 159 krb5_error_code retval = 0;
159 - krb5_boolean no_msg = FALSE;
160 160
161 - krb5_boolean print_usage = FALSE;
162 161 /* Solaris Kerberos */
163 162 char *me = progname;
164 163
165 164 time(&now);
166 165 if (!strcmp(argv[*i], "-maxtktlife")) {
167 166 if (++(*i) > argc-1)
168 167 goto err_usage;
169 168 date = get_date(argv[*i]);
170 169 if (date == (time_t)(-1)) {
171 170 retval = EINVAL;
172 171 com_err (me, retval, gettext("while providing time specification"));
173 172 goto err_nomsg;
174 173 }
175 174 rparams->max_life = date-now;
176 175 mask |= LDAP_REALM_MAXTICKETLIFE;
177 176 }
178 177
179 178
180 179 else if (!strcmp(argv[*i], "-maxrenewlife")) {
181 180 if (++(*i) > argc-1)
182 181 goto err_usage;
183 182
184 183 date = get_date(argv[*i]);
185 184 if (date == (time_t)(-1)) {
186 185 retval = EINVAL;
187 186 com_err (me, retval, gettext("while providing time specification"));
188 187 goto err_nomsg;
189 188 }
190 189 rparams->max_renewable_life = date-now;
191 190 mask |= LDAP_REALM_MAXRENEWLIFE;
192 191 } else if (!strcmp((argv[*i] + 1), "allow_postdated")) {
193 192 if (*(argv[*i]) == '+')
194 193 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED);
195 194 else if (*(argv[*i]) == '-')
196 195 rparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED;
197 196 else
198 197 goto err_usage;
199 198
200 199 mask |= LDAP_REALM_KRBTICKETFLAGS;
201 200 } else if (!strcmp((argv[*i] + 1), "allow_forwardable")) {
202 201 if (*(argv[*i]) == '+')
203 202 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE);
204 203
205 204 else if (*(argv[*i]) == '-')
206 205 rparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE;
207 206 else
208 207 goto err_usage;
209 208
210 209 mask |= LDAP_REALM_KRBTICKETFLAGS;
211 210 } else if (!strcmp((argv[*i] + 1), "allow_renewable")) {
212 211 if (*(argv[*i]) == '+')
213 212 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE);
214 213 else if (*(argv[*i]) == '-')
215 214 rparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE;
216 215 else
217 216 goto err_usage;
218 217
219 218 mask |= LDAP_REALM_KRBTICKETFLAGS;
220 219 } else if (!strcmp((argv[*i] + 1), "allow_proxiable")) {
221 220 if (*(argv[*i]) == '+')
222 221 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE);
223 222 else if (*(argv[*i]) == '-')
224 223 rparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE;
225 224 else
226 225 goto err_usage;
227 226
228 227 mask |= LDAP_REALM_KRBTICKETFLAGS;
229 228 } else if (!strcmp((argv[*i] + 1), "allow_dup_skey")) {
230 229 if (*(argv[*i]) == '+')
231 230 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY);
232 231 else if (*(argv[*i]) == '-')
233 232 rparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY;
234 233 else
235 234 goto err_usage;
236 235
237 236 mask |= LDAP_REALM_KRBTICKETFLAGS;
238 237 }
239 238
240 239 else if (!strcmp((argv[*i] + 1), "requires_preauth")) {
241 240 if (*(argv[*i]) == '+')
242 241 rparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH;
243 242 else if (*(argv[*i]) == '-')
244 243 rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH);
245 244 else
246 245 goto err_usage;
247 246
248 247 mask |= LDAP_REALM_KRBTICKETFLAGS;
249 248 } else if (!strcmp((argv[*i] + 1), "requires_hwauth")) {
250 249 if (*(argv[*i]) == '+')
251 250 rparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH;
252 251 else if (*(argv[*i]) == '-')
253 252 rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH);
254 253 else
255 254 goto err_usage;
256 255
257 256 mask |= LDAP_REALM_KRBTICKETFLAGS;
258 257 } else if (!strcmp((argv[*i] + 1), "allow_svr")) {
259 258 if (*(argv[*i]) == '+')
260 259 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR);
261 260 else if (*(argv[*i]) == '-')
262 261 rparams->tktflags |= KRB5_KDB_DISALLOW_SVR;
263 262 else
264 263 goto err_usage;
265 264
266 265 mask |= LDAP_REALM_KRBTICKETFLAGS;
267 266 } else if (!strcmp((argv[*i] + 1), "allow_tgs_req")) {
268 267 if (*(argv[*i]) == '+')
269 268 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED);
270 269 else if (*(argv[*i]) == '-')
271 270 rparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED;
272 271 else
273 272 goto err_usage;
274 273
275 274 mask |= LDAP_REALM_KRBTICKETFLAGS;
276 275 } else if (!strcmp((argv[*i] + 1), "allow_tix")) {
277 276 if (*(argv[*i]) == '+')
278 277 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX);
279 278 else if (*(argv[*i]) == '-')
280 279 rparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX;
281 280 else
282 281 goto err_usage;
283 282
284 283 mask |= LDAP_REALM_KRBTICKETFLAGS;
285 284 } else if (!strcmp((argv[*i] + 1), "needchange")) {
286 285 if (*(argv[*i]) == '+')
287 286 rparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE;
288 287 else if (*(argv[*i]) == '-')
289 288 rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE);
290 289 else
291 290 goto err_usage;
292 291
293 292 mask |= LDAP_REALM_KRBTICKETFLAGS;
294 293 } else if (!strcmp((argv[*i] + 1), "password_changing_service")) {
|
↓ open down ↓ |
123 lines elided |
↑ open up ↑ |
295 294 if (*(argv[*i]) == '+')
296 295 rparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE;
297 296 else if (*(argv[*i]) == '-')
298 297 rparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE);
299 298 else
300 299 goto err_usage;
301 300
302 301 mask |=LDAP_REALM_KRBTICKETFLAGS;
303 302 }
304 303 err_usage:
305 - print_usage = TRUE;
306 304
307 305 err_nomsg:
308 - no_msg = TRUE;
309 306
310 307 return mask;
311 308 }
312 309
313 310 /*
314 311 * This function will create a realm on the LDAP Server, with
315 312 * the specified attributes.
316 313 */
317 314 void kdb5_ldap_create(argc, argv)
318 315 int argc;
319 316 char *argv[];
320 317 {
321 318 krb5_error_code retval = 0;
322 319 krb5_keyblock master_keyblock;
323 320 krb5_ldap_realm_params *rparams = NULL;
324 321 krb5_principal master_princ = NULL;
325 322 kdb5_dal_handle *dal_handle = NULL;
326 323 krb5_ldap_context *ldap_context=NULL;
327 324 krb5_boolean realm_obj_created = FALSE;
328 325 krb5_boolean create_complete = FALSE;
329 326 krb5_boolean print_usage = FALSE;
330 327 krb5_boolean no_msg = FALSE;
331 328 char *oldcontainerref=NULL;
332 329 char pw_str[1024];
333 330 int do_stash = 0;
334 331 int i = 0;
335 332 int mask = 0, ret_mask = 0;
336 333 char **list = NULL;
337 334 #ifdef HAVE_EDIRECTORY
338 335 int rightsmask = 0;
339 336 #endif
340 337
341 338 memset(&master_keyblock, 0, sizeof(master_keyblock));
342 339
343 340 rparams = (krb5_ldap_realm_params *)malloc(
344 341 sizeof(krb5_ldap_realm_params));
345 342 if (rparams == NULL) {
346 343 retval = ENOMEM;
347 344 goto cleanup;
348 345 }
349 346 memset(rparams, 0, sizeof(krb5_ldap_realm_params));
350 347
351 348 /* Parse the arguments */
352 349 for (i = 1; i < argc; i++) {
353 350 if (!strcmp(argv[i], "-subtrees")) {
354 351 if (++i > argc-1)
355 352 goto err_usage;
356 353
357 354 if(strncmp(argv[i], "", strlen(argv[i]))!=0) {
358 355 list = (char **) calloc(MAX_LIST_ENTRIES, sizeof(char *));
359 356 if (list == NULL) {
360 357 retval = ENOMEM;
361 358 goto cleanup;
362 359 }
363 360 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
364 361 free(list);
365 362 list = NULL;
366 363 goto cleanup;
367 364 }
368 365
369 366 rparams->subtreecount=0;
370 367 while(list[rparams->subtreecount]!=NULL)
371 368 (rparams->subtreecount)++;
372 369 rparams->subtree = list;
373 370 } else if(strncmp(argv[i], "", strlen(argv[i]))==0) {
374 371 /* dont allow subtree value to be set at the root(NULL, "") of the tree */
375 372 /* Solaris Kerberos */
376 373 com_err(progname, EINVAL,
377 374 gettext("for subtree while creating realm '%s'"),
378 375 global_params.realm);
379 376 goto err_nomsg;
380 377 }
381 378 rparams->subtree[rparams->subtreecount] = NULL;
382 379 mask |= LDAP_REALM_SUBTREE;
383 380 } else if (!strcmp(argv[i], "-containerref")) {
384 381 if (++i > argc-1)
385 382 goto err_usage;
386 383 if(strncmp(argv[i], "", strlen(argv[i]))==0) {
387 384 /* dont allow containerref value to be set at the root(NULL, "") of the tree */
388 385 /* Solaris Kerberos */
389 386 com_err(progname, EINVAL,
390 387 gettext("for container reference while creating realm '%s'"),
391 388 global_params.realm);
392 389 goto err_nomsg;
393 390 }
394 391 rparams->containerref = strdup(argv[i]);
395 392 if (rparams->containerref == NULL) {
396 393 retval = ENOMEM;
397 394 goto cleanup;
398 395 }
399 396 mask |= LDAP_REALM_CONTREF;
400 397 } else if (!strcmp(argv[i], "-sscope")) {
401 398 if (++i > argc-1)
402 399 goto err_usage;
403 400 /* Possible values for search scope are
404 401 * one (or 1) and sub (or 2)
405 402 */
406 403 if (!strcasecmp(argv[i], "one")) {
407 404 rparams->search_scope = 1;
408 405 } else if (!strcasecmp(argv[i], "sub")) {
409 406 rparams->search_scope = 2;
410 407 } else {
411 408 rparams->search_scope = atoi(argv[i]);
412 409 if ((rparams->search_scope != 1) &&
413 410 (rparams->search_scope != 2)) {
414 411 /* Solaris Kerberos */
415 412 com_err(progname, EINVAL,
416 413 gettext("invalid search scope while creating realm '%s'"),
417 414 global_params.realm);
418 415 goto err_nomsg;
419 416 }
420 417 }
421 418 mask |= LDAP_REALM_SEARCHSCOPE;
422 419 }
423 420 #ifdef HAVE_EDIRECTORY
424 421 else if (!strcmp(argv[i], "-kdcdn")) {
425 422 if (++i > argc-1)
426 423 goto err_usage;
427 424 rparams->kdcservers = (char **)malloc(
428 425 sizeof(char *) * MAX_LIST_ENTRIES);
429 426 if (rparams->kdcservers == NULL) {
430 427 retval = ENOMEM;
431 428 goto cleanup;
432 429 }
433 430 memset(rparams->kdcservers, 0, sizeof(char*)*MAX_LIST_ENTRIES);
434 431 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
435 432 rparams->kdcservers))) {
436 433 goto cleanup;
437 434 }
438 435 mask |= LDAP_REALM_KDCSERVERS;
439 436 } else if (!strcmp(argv[i], "-admindn")) {
440 437 if (++i > argc-1)
441 438 goto err_usage;
442 439 rparams->adminservers = (char **)malloc(
443 440 sizeof(char *) * MAX_LIST_ENTRIES);
444 441 if (rparams->adminservers == NULL) {
445 442 retval = ENOMEM;
446 443 goto cleanup;
447 444 }
448 445 memset(rparams->adminservers, 0, sizeof(char*)*MAX_LIST_ENTRIES);
449 446 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
450 447 rparams->adminservers))) {
451 448 goto cleanup;
452 449 }
453 450 mask |= LDAP_REALM_ADMINSERVERS;
454 451 } else if (!strcmp(argv[i], "-pwddn")) {
455 452 if (++i > argc-1)
456 453 goto err_usage;
457 454 rparams->passwdservers = (char **)malloc(
458 455 sizeof(char *) * MAX_LIST_ENTRIES);
459 456 if (rparams->passwdservers == NULL) {
460 457 retval = ENOMEM;
461 458 goto cleanup;
462 459 }
463 460 memset(rparams->passwdservers, 0, sizeof(char*)*MAX_LIST_ENTRIES);
464 461 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
465 462 rparams->passwdservers))) {
466 463 goto cleanup;
467 464 }
468 465 mask |= LDAP_REALM_PASSWDSERVERS;
469 466 }
470 467 #endif
471 468 else if (!strcmp(argv[i], "-s")) {
472 469 do_stash = 1;
473 470 } else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0) {
474 471 mask|=ret_mask;
475 472 }
476 473
477 474 else {
478 475 printf(gettext("'%s' is an invalid option\n"), argv[i]);
479 476 goto err_usage;
480 477 }
481 478 }
482 479
483 480 /* If the default enctype/salttype is not provided, use the
484 481 * default values and also add to the list of supported
485 482 * enctypes/salttype
486 483 */
487 484
488 485 rblock.max_life = global_params.max_life;
489 486 rblock.max_rlife = global_params.max_rlife;
490 487 rblock.expiration = global_params.expiration;
491 488 rblock.flags = global_params.flags;
492 489 rblock.nkslist = global_params.num_keysalts;
493 490 rblock.kslist = global_params.keysalts;
494 491
495 492 krb5_princ_set_realm_data(util_context, &db_create_princ, global_params.realm);
496 493 krb5_princ_set_realm_length(util_context, &db_create_princ, strlen(global_params.realm));
497 494
498 495 printf(gettext("Initializing database for realm '%s'\n"), global_params.realm);
499 496
500 497 if (!mkey_password) {
501 498 unsigned int pw_size;
502 499 printf(gettext("You will be prompted for the database Master Password.\n"));
503 500 printf(gettext("It is important that you NOT FORGET this password.\n"));
504 501 fflush(stdout);
505 502
506 503 pw_size = sizeof (pw_str);
507 504 memset(pw_str, 0, pw_size);
508 505
509 506 retval = krb5_read_password(util_context, KRB5_KDC_MKEY_1, KRB5_KDC_MKEY_2,
510 507 pw_str, &pw_size);
511 508 if (retval) {
512 509 /* Solaris Kerberos */
513 510 com_err(progname, retval, gettext("while reading master key from keyboard"));
514 511 goto err_nomsg;
515 512 }
516 513 mkey_password = pw_str;
517 514 }
518 515
519 516 rparams->mkey.enctype = global_params.enctype;
520 517 /* We are sure that 'mkey_password' is a regular string ... */
521 518 rparams->mkey.length = strlen(mkey_password) + 1;
522 519 rparams->mkey.contents = (krb5_octet *)strdup(mkey_password);
523 520 if (rparams->mkey.contents == NULL) {
524 521 retval = ENOMEM;
525 522 goto cleanup;
526 523 }
527 524
528 525 rparams->realm_name = strdup(global_params.realm);
529 526 if (rparams->realm_name == NULL) {
530 527 retval = ENOMEM;
531 528 /* Solaris Kerberos */
532 529 com_err(progname, ENOMEM, gettext("while creating realm '%s'"),
533 530 global_params.realm);
534 531 goto err_nomsg;
535 532 }
536 533
537 534 dal_handle = (kdb5_dal_handle *) util_context->db_context;
538 535 ldap_context = (krb5_ldap_context *) dal_handle->db_context;
539 536 if (!ldap_context) {
540 537 retval = EINVAL;
541 538 goto cleanup;
542 539 }
543 540
544 541 /* read the kerberos container */
545 542 if ((retval=krb5_ldap_read_krbcontainer_params (util_context,
546 543 &(ldap_context->krbcontainer))) == KRB5_KDB_NOENTRY) {
547 544 /* Prompt the user for entering the DN of Kerberos container */
548 545 char krb_location[MAX_KRB_CONTAINER_LEN];
549 546 krb5_ldap_krbcontainer_params kparams;
550 547 int krb_location_len = 0;
551 548 memset(&kparams, 0, sizeof(kparams));
552 549
553 550 /* Read the kerberos container location from configuration file */
554 551 if (ldap_context->conf_section) {
555 552 if ((retval=profile_get_string(util_context->profile,
556 553 KDB_MODULE_SECTION, ldap_context->conf_section,
557 554 "ldap_kerberos_container_dn", NULL,
558 555 &kparams.DN)) != 0) {
559 556 goto cleanup;
560 557 }
561 558 }
562 559 if (kparams.DN == NULL) {
563 560 if ((retval=profile_get_string(util_context->profile,
564 561 KDB_MODULE_DEF_SECTION,
565 562 "ldap_kerberos_container_dn", NULL,
566 563 NULL, &kparams.DN)) != 0) {
567 564 goto cleanup;
568 565 }
569 566 }
570 567
571 568 printf(gettext("\nKerberos container is missing. Creating now...\n"));
572 569 if (kparams.DN == NULL) {
573 570 #ifdef HAVE_EDIRECTORY
574 571 printf(gettext("Enter DN of Kerberos container [cn=Kerberos,cn=Security]: "));
575 572 #else
576 573 printf(gettext("Enter DN of Kerberos container: "));
577 574 #endif
578 575 if (fgets(krb_location, MAX_KRB_CONTAINER_LEN, stdin) != NULL) {
579 576 /* Remove the newline character at the end */
580 577 krb_location_len = strlen(krb_location);
581 578 if ((krb_location[krb_location_len - 1] == '\n') ||
582 579 (krb_location[krb_location_len - 1] == '\r')) {
583 580 krb_location[krb_location_len - 1] = '\0';
584 581 krb_location_len--;
585 582 }
586 583 /* If the user has not given any input, take the default location */
587 584 else if (krb_location[0] == '\0')
588 585 kparams.DN = NULL;
589 586 else
590 587 kparams.DN = krb_location;
591 588 } else
592 589 kparams.DN = NULL;
593 590 }
594 591
595 592 /* create the kerberos container */
596 593 retval = krb5_ldap_create_krbcontainer(util_context,
597 594 ((kparams.DN != NULL) ? &kparams : NULL));
598 595 if (retval)
599 596 goto cleanup;
600 597
601 598 retval = krb5_ldap_read_krbcontainer_params(util_context,
602 599 &(ldap_context->krbcontainer));
603 600 if (retval) {
604 601 /* Solaris Kerberos */
605 602 com_err(progname, retval, gettext("while reading kerberos container information"));
606 603 goto cleanup;
607 604 }
608 605 } else if (retval) {
609 606 /* Solaris Kerberos */
610 607 com_err(progname, retval, gettext("while reading kerberos container information"));
611 608 goto cleanup;
612 609 }
613 610
614 611 if ((retval = krb5_ldap_create_realm(util_context,
615 612 /* global_params.realm, */ rparams, mask))) {
616 613 goto cleanup;
617 614 }
618 615
619 616 /* We just created the Realm container. Here starts our transaction tracking */
620 617 realm_obj_created = TRUE;
621 618
622 619 if ((retval = krb5_ldap_read_realm_params(util_context,
623 620 global_params.realm,
624 621 &(ldap_context->lrparams),
625 622 &mask))) {
626 623 /* Solaris Kerberos */
627 624 com_err(progname, retval, gettext("while reading information of realm '%s'"),
628 625 global_params.realm);
629 626 goto err_nomsg;
630 627 }
631 628 ldap_context->lrparams->realm_name = strdup(global_params.realm);
632 629 if (ldap_context->lrparams->realm_name == NULL) {
633 630 retval = ENOMEM;
634 631 goto cleanup;
635 632 }
636 633
637 634 /* assemble & parse the master key name */
638 635 if ((retval = krb5_db_setup_mkey_name(util_context,
639 636 global_params.mkey_name,
640 637 global_params.realm,
641 638 0, &master_princ))) {
642 639 /* Solaris Kerberos */
643 640 com_err(progname, retval, gettext("while setting up master key name"));
644 641 goto err_nomsg;
645 642 }
646 643
647 644 /* Obtain master key from master password */
648 645 {
649 646 krb5_data master_salt, pwd;
650 647
651 648 pwd.data = mkey_password;
652 649 pwd.length = strlen(mkey_password);
653 650 retval = krb5_principal2salt(util_context, master_princ, &master_salt);
654 651 if (retval) {
655 652 /* Solaris Kerberos */
656 653 com_err(progname, retval, gettext("while calculating master key salt"));
657 654 goto err_nomsg;
658 655 }
659 656
660 657 retval = krb5_c_string_to_key(util_context, rparams->mkey.enctype,
661 658 &pwd, &master_salt, &master_keyblock);
662 659
663 660 if (master_salt.data)
664 661 free(master_salt.data);
665 662
666 663 if (retval) {
667 664 /* Solaris Kerberos */
668 665 com_err(progname, retval, gettext("while transforming master key from password"));
669 666 goto err_nomsg;
670 667 }
671 668
672 669 }
673 670
674 671 rblock.key = &master_keyblock;
675 672 ldap_context->lrparams->mkey = master_keyblock;
676 673 ldap_context->lrparams->mkey.contents = (krb5_octet *) malloc
677 674 (master_keyblock.length);
678 675 if (ldap_context->lrparams->mkey.contents == NULL) {
679 676 retval = ENOMEM;
680 677 goto cleanup;
681 678 }
682 679 memcpy (ldap_context->lrparams->mkey.contents, master_keyblock.contents,
683 680 master_keyblock.length);
684 681
685 682 /* Create special principals inside the realm subtree */
686 683 {
687 684 char princ_name[MAX_PRINC_SIZE];
688 685 krb5_principal_data tgt_princ = {
689 686 0, /* magic number */
690 687 {0, 0, 0}, /* krb5_data realm */
691 688 tgt_princ_entries, /* krb5_data *data */
692 689 2, /* int length */
693 690 KRB5_NT_SRV_INST /* int type */
694 691 };
695 692 krb5_principal p, temp_p=NULL;
696 693
697 694 krb5_princ_set_realm_data(util_context, &tgt_princ, global_params.realm);
698 695 krb5_princ_set_realm_length(util_context, &tgt_princ, strlen(global_params.realm));
699 696 krb5_princ_component(util_context, &tgt_princ,1)->data = global_params.realm;
700 697 krb5_princ_component(util_context, &tgt_princ,1)->length = strlen(global_params.realm);
701 698 /* The container reference value is set to NULL, to avoid service principals
702 699 * getting created within the container reference at realm creation */
703 700 if (ldap_context->lrparams->containerref != NULL) {
704 701 oldcontainerref = ldap_context->lrparams->containerref;
705 702 ldap_context->lrparams->containerref = NULL;
706 703 }
707 704
708 705 /* Create 'K/M' ... */
709 706 rblock.flags |= KRB5_KDB_DISALLOW_ALL_TIX;
710 707 if ((retval = kdb_ldap_create_principal(util_context, master_princ, MASTER_KEY, &rblock))) {
711 708 /* Solaris Kerberos */
712 709 com_err(progname, retval, gettext("while adding entries to the database"));
713 710 goto err_nomsg;
714 711 }
715 712
716 713 /* Create 'krbtgt' ... */
717 714 rblock.flags = 0; /* reset the flags */
718 715 if ((retval = kdb_ldap_create_principal(util_context, &tgt_princ, TGT_KEY, &rblock))) {
719 716 /* Solaris Kerberos */
720 717 com_err(progname, retval, gettext("while adding entries to the database"));
721 718 goto err_nomsg;
722 719 }
723 720 /*
724 721 * Solaris Kerberos:
725 722 * The kadmin/admin principal is unused on Solaris. This principal is used
726 723 * in AUTH_GSSAPI but Solaris doesn't support AUTH_GSSAPI. RPCSEC_GSS can only
727 724 * be used with host-based principals.
728 725 *
729 726 */
730 727 #if 0 /* ************ Begin IFDEF'ed OUT ***************************** */
731 728 /* Create 'kadmin/admin' ... */
732 729 snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_ADMIN_SERVICE, global_params.realm);
733 730 if ((retval = krb5_parse_name(util_context, princ_name, &p))) {
734 731 /* Solaris Kerberos */
735 732 com_err(progname, retval, gettext("while adding entries to the database"));
736 733 goto err_nomsg;
737 734 }
738 735 rblock.max_life = ADMIN_LIFETIME;
739 736 rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED;
740 737 if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) {
741 738 krb5_free_principal(util_context, p);
742 739 /* Solaris Kerberos */
743 740 com_err(progname, retval, gettext("while adding entries to the database"));
744 741 goto err_nomsg;
745 742 }
746 743 krb5_free_principal(util_context, p);
747 744 #endif /* ************** END IFDEF'ed OUT ***************************** */
748 745
749 746 /* Create 'kadmin/changepw' ... */
750 747 snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_CHANGEPW_SERVICE, global_params.realm);
751 748 if ((retval = krb5_parse_name(util_context, princ_name, &p))) {
752 749 /* Solaris Kerberos */
753 750 com_err(progname, retval, gettext("while adding entries to the database"));
754 751 goto err_nomsg;
755 752 }
756 753 rblock.max_life = CHANGEPW_LIFETIME;
757 754 rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED | KRB5_KDB_PWCHANGE_SERVICE;
758 755 if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) {
759 756 krb5_free_principal(util_context, p);
760 757 /* Solaris Kerberos */
761 758 com_err(progname, retval, gettext("while adding entries to the database"));
762 759 goto err_nomsg;
763 760 }
764 761 krb5_free_principal(util_context, p);
765 762
766 763 /* Create 'kadmin/history' ... */
767 764 snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_HIST_PRINCIPAL, global_params.realm);
768 765 if ((retval = krb5_parse_name(util_context, princ_name, &p))) {
769 766 /* Solaris Kerberos */
770 767 com_err(progname, retval, gettext("while adding entries to the database"));
771 768 goto err_nomsg;
772 769 }
773 770 rblock.max_life = global_params.max_life;
774 771 rblock.flags = 0;
775 772 if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) {
776 773 krb5_free_principal(util_context, p);
777 774 /* Solaris Kerberos */
778 775 com_err(progname, retval, gettext("while adding entries to the database"));
779 776 goto err_nomsg;
780 777 }
781 778 krb5_free_principal(util_context, p);
782 779
783 780 /* Create 'kadmin/<hostname>' ... */
784 781 if ((retval=krb5_sname_to_principal(util_context, NULL, KADM5_ADMIN_HOST_SERVICE, KRB5_NT_SRV_HST, &p))) {
785 782 /* Solaris Kerberos */
786 783 com_err(progname, retval, gettext("krb5_sname_to_principal, while adding entries to the database"));
787 784 goto err_nomsg;
788 785 }
789 786
790 787 if ((retval=krb5_copy_principal(util_context, p, &temp_p))) {
791 788 /* Solaris Kerberos */
792 789 com_err(progname, retval, gettext("krb5_copy_principal, while adding entries to the database"));
793 790 goto err_nomsg;
794 791 }
795 792
796 793 /* change the realm portion to the default realm */
797 794 free(temp_p->realm.data);
798 795 temp_p->realm.length = strlen(util_context->default_realm);
799 796 temp_p->realm.data = strdup(util_context->default_realm);
800 797 if (temp_p->realm.data == NULL) {
801 798 /* Solaris Kerberos */
802 799 com_err(progname, ENOMEM, gettext("while adding entries to the database"));
803 800 goto err_nomsg;
804 801 }
805 802
806 803 rblock.max_life = ADMIN_LIFETIME;
807 804 rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED;
808 805 if ((retval = kdb_ldap_create_principal(util_context, temp_p, TGT_KEY, &rblock))) {
809 806 krb5_free_principal(util_context, p);
810 807 /* Solaris Kerberos */
811 808 com_err(progname, retval, gettext("while adding entries to the database"));
812 809 goto err_nomsg;
813 810 }
814 811 krb5_free_principal(util_context, temp_p);
815 812 krb5_free_principal(util_context, p);
816 813
817 814 /* Solaris Kerberos: Create 'changepw/<hostname>' ... */
818 815 if ((retval=krb5_sname_to_principal(util_context, NULL, KADM5_CHANGEPW_HOST_SERVICE, KRB5_NT_SRV_HST, &p))) {
819 816 /* Solaris Kerberos */
820 817 com_err(progname, retval, gettext("krb5_sname_to_principal, while adding entries to the database"));
821 818 goto err_nomsg;
822 819 }
823 820
824 821 if ((retval=krb5_copy_principal(util_context, p, &temp_p))) {
825 822 /* Solaris Kerberos */
826 823 com_err(progname, retval, gettext("krb5_copy_principal, while adding entries to the database"));
827 824 goto err_nomsg;
828 825 }
829 826
830 827 /* change the realm portion to the default realm */
831 828 free(temp_p->realm.data);
832 829 temp_p->realm.length = strlen(util_context->default_realm);
833 830 temp_p->realm.data = strdup(util_context->default_realm);
834 831 if (temp_p->realm.data == NULL) {
835 832 /* Solaris Kerberos */
836 833 com_err(progname, ENOMEM, gettext("while adding entries to the database"));
837 834 goto err_nomsg;
838 835 }
839 836
840 837 rblock.max_life = ADMIN_LIFETIME;
841 838 rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED | KRB5_KDB_PWCHANGE_SERVICE;
842 839 if ((retval = kdb_ldap_create_principal(util_context, temp_p, TGT_KEY, &rblock))) {
843 840 krb5_free_principal(util_context, p);
844 841 /* Solaris Kerberos */
845 842 com_err(progname, retval, gettext("while adding entries to the database"));
846 843 goto err_nomsg;
847 844 }
848 845 krb5_free_principal(util_context, temp_p);
849 846 krb5_free_principal(util_context, p);
850 847
851 848 if (oldcontainerref != NULL) {
852 849 ldap_context->lrparams->containerref = oldcontainerref;
853 850 oldcontainerref=NULL;
854 851 }
855 852 }
856 853
857 854 #ifdef HAVE_EDIRECTORY
858 855 if ((mask & LDAP_REALM_KDCSERVERS) || (mask & LDAP_REALM_ADMINSERVERS) ||
859 856 (mask & LDAP_REALM_PASSWDSERVERS)) {
860 857
861 858 printf(gettext("Changing rights for the service object. Please wait ... "));
862 859 fflush(stdout);
863 860
864 861 rightsmask =0;
865 862 rightsmask |= LDAP_REALM_RIGHTS;
866 863 rightsmask |= LDAP_SUBTREE_RIGHTS;
867 864 if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
868 865 for (i=0; (rparams->kdcservers[i] != NULL); i++) {
869 866 if ((retval=krb5_ldap_add_service_rights(util_context,
870 867 LDAP_KDC_SERVICE, rparams->kdcservers[i],
871 868 rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
872 869 printf(gettext("failed\n"));
873 870 /* Solaris Kerberos */
874 871 com_err(progname, retval, gettext("while assigning rights to '%s'"),
875 872 rparams->realm_name);
876 873 goto err_nomsg;
877 874 }
878 875 }
879 876 }
880 877
881 878 rightsmask = 0;
882 879 rightsmask |= LDAP_REALM_RIGHTS;
883 880 rightsmask |= LDAP_SUBTREE_RIGHTS;
884 881 if ((rparams != NULL) && (rparams->adminservers != NULL)) {
885 882 for (i=0; (rparams->adminservers[i] != NULL); i++) {
886 883 if ((retval=krb5_ldap_add_service_rights(util_context,
887 884 LDAP_ADMIN_SERVICE, rparams->adminservers[i],
888 885 rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
889 886 printf(gettext("failed\n"));
890 887 /* Solaris Kerberos */
891 888 com_err(progname, retval, gettext("while assigning rights to '%s'"),
892 889 rparams->realm_name);
893 890 goto err_nomsg;
894 891 }
895 892 }
896 893 }
897 894
898 895 rightsmask = 0;
899 896 rightsmask |= LDAP_REALM_RIGHTS;
900 897 rightsmask |= LDAP_SUBTREE_RIGHTS;
901 898 if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
902 899 for (i=0; (rparams->passwdservers[i] != NULL); i++) {
903 900 if ((retval=krb5_ldap_add_service_rights(util_context,
904 901 LDAP_PASSWD_SERVICE, rparams->passwdservers[i],
905 902 rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
906 903 printf(gettext("failed\n"));
907 904 /* Solaris Kerberos */
908 905 com_err(progname, retval, gettext("while assigning rights to '%s'"),
909 906 rparams->realm_name);
910 907 goto err_nomsg;
911 908 }
912 909 }
913 910 }
914 911
915 912 printf(gettext("done\n"));
916 913 }
917 914 #endif
918 915 /* The Realm creation is completed. Here is the end of transaction */
919 916 create_complete = TRUE;
920 917
921 918 /* Stash the master key only if '-s' option is specified */
922 919 if (do_stash || global_params.mask & KADM5_CONFIG_STASH_FILE) {
923 920 retval = krb5_def_store_mkey(util_context,
924 921 global_params.stash_file,
925 922 master_princ,
926 923 &master_keyblock, NULL);
927 924 if (retval) {
928 925 /* Solaris Kerberos */
929 926 com_err(progname, errno, gettext("while storing key"));
930 927 printf(gettext("Warning: couldn't stash master key.\n"));
931 928 }
932 929 }
933 930
934 931 goto cleanup;
935 932
936 933
937 934 err_usage:
938 935 print_usage = TRUE;
939 936
940 937 err_nomsg:
941 938 no_msg = TRUE;
942 939
943 940 cleanup:
944 941 /* If the Realm creation is not complete, do the roll-back here */
945 942 if ((realm_obj_created) && (!create_complete))
946 943 krb5_ldap_delete_realm(util_context, global_params.realm);
947 944
948 945 if (rparams)
949 946 krb5_ldap_free_realm_params(rparams);
950 947
951 948 memset (pw_str, 0, sizeof (pw_str));
952 949
953 950 if (print_usage)
954 951 db_usage(CREATE_REALM);
955 952
956 953 if (retval) {
957 954 if (!no_msg) {
958 955 /* Solaris Kerberos */
959 956 com_err(progname, retval, gettext("while creating realm '%s'"),
960 957 global_params.realm);
961 958 }
962 959 exit_status++;
963 960 }
964 961
965 962 return;
966 963 }
967 964
968 965
969 966 /*
970 967 * This function will modify the attributes of a given realm object
971 968 */
972 969 void kdb5_ldap_modify(argc, argv)
973 970 int argc;
974 971 char *argv[];
975 972 {
976 973 krb5_error_code retval = 0;
977 974 krb5_ldap_realm_params *rparams = NULL;
978 975 krb5_boolean print_usage = FALSE;
979 976 krb5_boolean no_msg = FALSE;
980 977 kdb5_dal_handle *dal_handle = NULL;
981 978 krb5_ldap_context *ldap_context=NULL;
982 979 int i = 0;
983 980 int mask = 0, rmask = 0, ret_mask = 0;
984 981 char **slist = {NULL};
985 982 #ifdef HAVE_EDIRECTORY
986 983 int j = 0;
987 984 char *list[MAX_LIST_ENTRIES];
988 985 int existing_entries = 0, list_entries = 0;
989 986 int newkdcdn = 0, newadmindn = 0, newpwddn = 0;
990 987 char **tempstr = NULL;
991 988 char **oldkdcdns = NULL;
992 989 char **oldadmindns = NULL;
993 990 char **oldpwddns = NULL;
994 991 char **newkdcdns = NULL;
995 992 char **newsubtrees = NULL;
996 993 char **newadmindns = NULL;
997 994 char **newpwddns = NULL;
998 995 char **oldsubtrees = {NULL};
999 996 int rightsmask = 0;
1000 997 int subtree_changed = 0;
1001 998 #endif
1002 999
1003 1000 dal_handle = (kdb5_dal_handle *) util_context->db_context;
1004 1001 ldap_context = (krb5_ldap_context *) dal_handle->db_context;
1005 1002 if (!(ldap_context)) {
1006 1003 retval = EINVAL;
1007 1004 goto cleanup;
1008 1005 }
1009 1006
1010 1007 if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
1011 1008 &(ldap_context->krbcontainer)))) {
1012 1009 /* Solaris Kerberos */
1013 1010 com_err(progname, retval, gettext("while reading Kerberos container information"));
1014 1011 goto err_nomsg;
1015 1012 }
1016 1013
1017 1014 retval = krb5_ldap_read_realm_params(util_context,
1018 1015 global_params.realm, &rparams, &rmask);
1019 1016 if (retval)
1020 1017 goto cleanup;
1021 1018 /* Parse the arguments */
1022 1019 for (i = 1; i < argc; i++) {
1023 1020 int k = 0;
1024 1021 if (!strcmp(argv[i], "-subtrees")) {
1025 1022 if (++i > argc-1)
1026 1023 goto err_usage;
1027 1024
1028 1025 if (rmask & LDAP_REALM_SUBTREE) {
1029 1026 if (rparams->subtree) {
1030 1027 #ifdef HAVE_EDIRECTORY
1031 1028 oldsubtrees = (char **) calloc(rparams->subtreecount+1, sizeof(char *));
1032 1029 if (oldsubtrees == NULL) {
1033 1030 retval = ENOMEM;
1034 1031 goto cleanup;
1035 1032 }
1036 1033 for(k=0; rparams->subtree[k]!=NULL && rparams->subtreecount; k++) {
1037 1034 oldsubtrees[k] = strdup(rparams->subtree[k]);
1038 1035 if( oldsubtrees[k] == NULL ) {
1039 1036 retval = ENOMEM;
1040 1037 goto cleanup;
1041 1038 }
1042 1039 }
1043 1040 #endif
1044 1041 for(k=0; k<rparams->subtreecount && rparams->subtree[k]; k++)
1045 1042 free(rparams->subtree[k]);
1046 1043 rparams->subtreecount=0;
1047 1044 }
1048 1045 }
1049 1046 if (strncmp(argv[i] ,"", strlen(argv[i]))!=0) {
1050 1047 slist = (char **) calloc(MAX_LIST_ENTRIES, sizeof(char *));
1051 1048 if (slist == NULL) {
1052 1049 retval = ENOMEM;
1053 1050 goto cleanup;
1054 1051 }
1055 1052 if (( retval = krb5_parse_list(argv[i], LIST_DELIMITER, slist))) {
1056 1053 free(slist);
1057 1054 slist = NULL;
1058 1055 goto cleanup;
1059 1056 }
1060 1057
1061 1058 rparams->subtreecount=0;
1062 1059 while(slist[rparams->subtreecount]!=NULL)
1063 1060 (rparams->subtreecount)++;
1064 1061 rparams->subtree = slist;
1065 1062 } else if(strncmp(argv[i], "", strlen(argv[i]))==0) {
1066 1063 /* dont allow subtree value to be set at the root(NULL, "") of the tree */
1067 1064 /* Solaris Kerberos */
1068 1065 com_err(progname, EINVAL,
1069 1066 gettext("for subtree while modifying realm '%s'"),
1070 1067 global_params.realm);
1071 1068 goto err_nomsg;
1072 1069 }
1073 1070 rparams->subtree[rparams->subtreecount] = NULL;
1074 1071 mask |= LDAP_REALM_SUBTREE;
1075 1072 } else if (!strncmp(argv[i], "-containerref", strlen(argv[i]))) {
1076 1073 if (++i > argc-1)
1077 1074 goto err_usage;
1078 1075 if(strncmp(argv[i], "", strlen(argv[i]))==0) {
1079 1076 /* dont allow containerref value to be set at the root(NULL, "") of the tree */
1080 1077 /* Solaris Kerberos */
1081 1078 com_err(progname, EINVAL,
1082 1079 gettext("for container reference while modifying realm '%s'"),
1083 1080 global_params.realm);
1084 1081 goto err_nomsg;
1085 1082 }
1086 1083 rparams->containerref = strdup(argv[i]);
1087 1084 if (rparams->containerref == NULL) {
1088 1085 retval = ENOMEM;
1089 1086 goto cleanup;
1090 1087 }
1091 1088 mask |= LDAP_REALM_CONTREF;
1092 1089 } else if (!strcmp(argv[i], "-sscope")) {
1093 1090 if (++i > argc-1)
1094 1091 goto err_usage;
1095 1092 /* Possible values for search scope are
1096 1093 * one (or 1) and sub (or 2)
1097 1094 */
1098 1095 if (strcasecmp(argv[i], "one") == 0) {
1099 1096 rparams->search_scope = 1;
1100 1097 } else if (strcasecmp(argv[i], "sub") == 0) {
1101 1098 rparams->search_scope = 2;
1102 1099 } else {
1103 1100 rparams->search_scope = atoi(argv[i]);
1104 1101 if ((rparams->search_scope != 1) &&
1105 1102 (rparams->search_scope != 2)) {
1106 1103 retval = EINVAL;
1107 1104 /* Solaris Kerberos */
1108 1105 com_err(progname, retval,
1109 1106 gettext("specified for search scope while modifying information of realm '%s'"),
1110 1107 global_params.realm);
1111 1108 goto err_nomsg;
1112 1109 }
1113 1110 }
1114 1111 mask |= LDAP_REALM_SEARCHSCOPE;
1115 1112 }
1116 1113 #ifdef HAVE_EDIRECTORY
1117 1114 else if (!strcmp(argv[i], "-kdcdn")) {
1118 1115 if (++i > argc-1)
1119 1116 goto err_usage;
1120 1117
1121 1118 if ((rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers)) {
1122 1119 if (!oldkdcdns) {
1123 1120 /* Store the old kdc dns list for removing rights */
1124 1121 oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1125 1122 if (oldkdcdns == NULL) {
1126 1123 retval = ENOMEM;
1127 1124 goto cleanup;
1128 1125 }
1129 1126
1130 1127 for (j=0; rparams->kdcservers[j] != NULL; j++) {
1131 1128 oldkdcdns[j] = strdup(rparams->kdcservers[j]);
1132 1129 if (oldkdcdns[j] == NULL) {
1133 1130 retval = ENOMEM;
1134 1131 goto cleanup;
1135 1132 }
1136 1133 }
1137 1134 oldkdcdns[j] = NULL;
1138 1135 }
1139 1136
1140 1137 krb5_free_list_entries(rparams->kdcservers);
1141 1138 free(rparams->kdcservers);
1142 1139 }
1143 1140
1144 1141 rparams->kdcservers = (char **)malloc(
1145 1142 sizeof(char *) * MAX_LIST_ENTRIES);
1146 1143 if (rparams->kdcservers == NULL) {
1147 1144 retval = ENOMEM;
1148 1145 goto cleanup;
1149 1146 }
1150 1147 memset(rparams->kdcservers, 0, sizeof(char *)*MAX_LIST_ENTRIES);
1151 1148 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
1152 1149 rparams->kdcservers))) {
1153 1150 goto cleanup;
1154 1151 }
1155 1152 mask |= LDAP_REALM_KDCSERVERS;
1156 1153 /* Going to replace the existing value by this new value. Hence
1157 1154 * setting flag indicating that add or clear options will be ignored
1158 1155 */
1159 1156 newkdcdn = 1;
1160 1157 } else if (!strcmp(argv[i], "-clearkdcdn")) {
1161 1158 if (++i > argc-1)
1162 1159 goto err_usage;
1163 1160 if ((!newkdcdn) && (rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers)) {
1164 1161 if (!oldkdcdns) {
1165 1162 /* Store the old kdc dns list for removing rights */
1166 1163 oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1167 1164 if (oldkdcdns == NULL) {
1168 1165 retval = ENOMEM;
1169 1166 goto cleanup;
1170 1167 }
1171 1168
1172 1169 for (j=0; rparams->kdcservers[j] != NULL; j++) {
1173 1170 oldkdcdns[j] = strdup(rparams->kdcservers[j]);
1174 1171 if (oldkdcdns[j] == NULL) {
1175 1172 retval = ENOMEM;
1176 1173 goto cleanup;
1177 1174 }
1178 1175 }
1179 1176 oldkdcdns[j] = NULL;
1180 1177 }
1181 1178
1182 1179 memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
1183 1180 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
1184 1181 goto cleanup;
1185 1182 }
1186 1183 list_modify_str_array(&rparams->kdcservers, (const char **)list,
1187 1184 LIST_MODE_DELETE);
1188 1185 mask |= LDAP_REALM_KDCSERVERS;
1189 1186 krb5_free_list_entries(list);
1190 1187 }
1191 1188 } else if (!strcmp(argv[i], "-addkdcdn")) {
1192 1189 if (++i > argc-1)
1193 1190 goto err_usage;
1194 1191 if (!newkdcdn) {
1195 1192 if ((rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers) && (!oldkdcdns)) {
1196 1193 /* Store the old kdc dns list for removing rights */
1197 1194 oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1198 1195 if (oldkdcdns == NULL) {
1199 1196 retval = ENOMEM;
1200 1197 goto cleanup;
1201 1198 }
1202 1199
1203 1200 for (j = 0; rparams->kdcservers[j] != NULL; j++) {
1204 1201 oldkdcdns[j] = strdup(rparams->kdcservers[j]);
1205 1202 if (oldkdcdns[j] == NULL) {
1206 1203 retval = ENOMEM;
1207 1204 goto cleanup;
1208 1205 }
1209 1206 }
1210 1207 oldkdcdns[j] = NULL;
1211 1208 }
1212 1209
1213 1210 memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
1214 1211 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
1215 1212 goto cleanup;
1216 1213 }
1217 1214 existing_entries = list_count_str_array(rparams->kdcservers);
1218 1215 list_entries = list_count_str_array(list);
1219 1216 if (rmask & LDAP_REALM_KDCSERVERS) {
1220 1217 tempstr = (char **)realloc(
1221 1218 rparams->kdcservers,
1222 1219 sizeof(char *) * (existing_entries+list_entries+1));
1223 1220 if (tempstr == NULL) {
1224 1221 retval = ENOMEM;
1225 1222 goto cleanup;
1226 1223 }
1227 1224 rparams->kdcservers = tempstr;
1228 1225 } else {
1229 1226 rparams->kdcservers = (char **)malloc(sizeof(char *) * (list_entries+1));
1230 1227 if (rparams->kdcservers == NULL) {
1231 1228 retval = ENOMEM;
1232 1229 goto cleanup;
1233 1230 }
1234 1231 memset(rparams->kdcservers, 0, sizeof(char *) * (list_entries+1));
1235 1232 }
1236 1233 list_modify_str_array(&rparams->kdcservers, (const char **)list,
1237 1234 LIST_MODE_ADD);
1238 1235 mask |= LDAP_REALM_KDCSERVERS;
1239 1236 }
1240 1237 } else if (!strcmp(argv[i], "-admindn")) {
1241 1238 if (++i > argc-1)
1242 1239 goto err_usage;
1243 1240
1244 1241 if ((rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers)) {
1245 1242 if (!oldadmindns) {
1246 1243 /* Store the old admin dns list for removing rights */
1247 1244 oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1248 1245 if (oldadmindns == NULL) {
1249 1246 retval = ENOMEM;
1250 1247 goto cleanup;
1251 1248 }
1252 1249
1253 1250 for (j=0; rparams->adminservers[j] != NULL; j++) {
1254 1251 oldadmindns[j] = strdup(rparams->adminservers[j]);
1255 1252 if (oldadmindns[j] == NULL) {
1256 1253 retval = ENOMEM;
1257 1254 goto cleanup;
1258 1255 }
1259 1256 }
1260 1257 oldadmindns[j] = NULL;
1261 1258 }
1262 1259
1263 1260 krb5_free_list_entries(rparams->adminservers);
1264 1261 free(rparams->adminservers);
1265 1262 }
1266 1263
1267 1264 rparams->adminservers = (char **)malloc(
1268 1265 sizeof(char *) * MAX_LIST_ENTRIES);
1269 1266 if (rparams->adminservers == NULL) {
1270 1267 retval = ENOMEM;
1271 1268 goto cleanup;
1272 1269 }
1273 1270 memset(rparams->adminservers, 0, sizeof(char *)*MAX_LIST_ENTRIES);
1274 1271 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
1275 1272 rparams->adminservers))) {
1276 1273 goto cleanup;
1277 1274 }
1278 1275 mask |= LDAP_REALM_ADMINSERVERS;
1279 1276 /* Going to replace the existing value by this new value. Hence
1280 1277 * setting flag indicating that add or clear options will be ignored
1281 1278 */
1282 1279 newadmindn = 1;
1283 1280 } else if (!strcmp(argv[i], "-clearadmindn")) {
1284 1281 if (++i > argc-1)
1285 1282 goto err_usage;
1286 1283
1287 1284 if ((!newadmindn) && (rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers)) {
1288 1285 if (!oldadmindns) {
1289 1286 /* Store the old admin dns list for removing rights */
1290 1287 oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1291 1288 if (oldadmindns == NULL) {
1292 1289 retval = ENOMEM;
1293 1290 goto cleanup;
1294 1291 }
1295 1292
1296 1293 for (j=0; rparams->adminservers[j] != NULL; j++) {
1297 1294 oldadmindns[j] = strdup(rparams->adminservers[j]);
1298 1295 if (oldadmindns[j] == NULL) {
1299 1296 retval = ENOMEM;
1300 1297 goto cleanup;
1301 1298 }
1302 1299 }
1303 1300 oldadmindns[j] = NULL;
1304 1301 }
1305 1302
1306 1303 memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
1307 1304 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
1308 1305 goto cleanup;
1309 1306 }
1310 1307 list_modify_str_array(&rparams->adminservers, (const char **)list,
1311 1308 LIST_MODE_DELETE);
1312 1309 mask |= LDAP_REALM_ADMINSERVERS;
1313 1310 krb5_free_list_entries(list);
1314 1311 }
1315 1312 } else if (!strcmp(argv[i], "-addadmindn")) {
1316 1313 if (++i > argc-1)
1317 1314 goto err_usage;
1318 1315 if (!newadmindn) {
1319 1316 if ((rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers) && (!oldadmindns)) {
1320 1317 /* Store the old admin dns list for removing rights */
1321 1318 oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1322 1319 if (oldadmindns == NULL) {
1323 1320 retval = ENOMEM;
1324 1321 goto cleanup;
1325 1322 }
1326 1323
1327 1324 for (j=0; rparams->adminservers[j] != NULL; j++) {
1328 1325 oldadmindns[j] = strdup(rparams->adminservers[j]);
1329 1326 if (oldadmindns[j] == NULL) {
1330 1327 retval = ENOMEM;
1331 1328 goto cleanup;
1332 1329 }
1333 1330 }
1334 1331 oldadmindns[j] = NULL;
1335 1332 }
1336 1333
1337 1334 memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
1338 1335 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
1339 1336 goto cleanup;
1340 1337 }
1341 1338 existing_entries = list_count_str_array(rparams->adminservers);
1342 1339 list_entries = list_count_str_array(list);
1343 1340 if (rmask & LDAP_REALM_ADMINSERVERS) {
1344 1341 tempstr = (char **)realloc(
1345 1342 rparams->adminservers,
1346 1343 sizeof(char *) * (existing_entries+list_entries+1));
1347 1344 if (tempstr == NULL) {
1348 1345 retval = ENOMEM;
1349 1346 goto cleanup;
1350 1347 }
1351 1348 rparams->adminservers = tempstr;
1352 1349 } else {
1353 1350 rparams->adminservers = (char **)malloc(sizeof(char *) * (list_entries+1));
1354 1351 if (rparams->adminservers == NULL) {
1355 1352 retval = ENOMEM;
1356 1353 goto cleanup;
1357 1354 }
1358 1355 memset(rparams->adminservers, 0, sizeof(char *) * (list_entries+1));
1359 1356 }
1360 1357 list_modify_str_array(&rparams->adminservers, (const char **)list,
1361 1358 LIST_MODE_ADD);
1362 1359 mask |= LDAP_REALM_ADMINSERVERS;
1363 1360 }
1364 1361 } else if (!strcmp(argv[i], "-pwddn")) {
1365 1362 if (++i > argc-1)
1366 1363 goto err_usage;
1367 1364
1368 1365 if ((rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers)) {
1369 1366 if (!oldpwddns) {
1370 1367 /* Store the old pwd dns list for removing rights */
1371 1368 oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1372 1369 if (oldpwddns == NULL) {
1373 1370 retval = ENOMEM;
1374 1371 goto cleanup;
1375 1372 }
1376 1373
1377 1374 for (j=0; rparams->passwdservers[j] != NULL; j++) {
1378 1375 oldpwddns[j] = strdup(rparams->passwdservers[j]);
1379 1376 if (oldpwddns[j] == NULL) {
1380 1377 retval = ENOMEM;
1381 1378 goto cleanup;
1382 1379 }
1383 1380 }
1384 1381 oldpwddns[j] = NULL;
1385 1382 }
1386 1383
1387 1384 krb5_free_list_entries(rparams->passwdservers);
1388 1385 free(rparams->passwdservers);
1389 1386 }
1390 1387
1391 1388 rparams->passwdservers = (char **)malloc(
1392 1389 sizeof(char *) * MAX_LIST_ENTRIES);
1393 1390 if (rparams->passwdservers == NULL) {
1394 1391 retval = ENOMEM;
1395 1392 goto cleanup;
1396 1393 }
1397 1394 memset(rparams->passwdservers, 0, sizeof(char *)*MAX_LIST_ENTRIES);
1398 1395 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
1399 1396 rparams->passwdservers))) {
1400 1397 goto cleanup;
1401 1398 }
1402 1399 mask |= LDAP_REALM_PASSWDSERVERS;
1403 1400 /* Going to replace the existing value by this new value. Hence
1404 1401 * setting flag indicating that add or clear options will be ignored
1405 1402 */
1406 1403 newpwddn = 1;
1407 1404 } else if (!strcmp(argv[i], "-clearpwddn")) {
1408 1405 if (++i > argc-1)
1409 1406 goto err_usage;
1410 1407
1411 1408 if ((!newpwddn) && (rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers)) {
1412 1409 if (!oldpwddns) {
1413 1410 /* Store the old pwd dns list for removing rights */
1414 1411 oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1415 1412 if (oldpwddns == NULL) {
1416 1413 retval = ENOMEM;
1417 1414 goto cleanup;
1418 1415 }
1419 1416
1420 1417 for (j=0; rparams->passwdservers[j] != NULL; j++) {
1421 1418 oldpwddns[j] = strdup(rparams->passwdservers[j]);
1422 1419 if (oldpwddns[j] == NULL) {
1423 1420 retval = ENOMEM;
1424 1421 goto cleanup;
1425 1422 }
1426 1423 }
1427 1424 oldpwddns[j] = NULL;
1428 1425 }
1429 1426
1430 1427 memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
1431 1428 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
1432 1429 goto cleanup;
1433 1430 }
1434 1431 list_modify_str_array(&rparams->passwdservers, (const char**)list,
1435 1432 LIST_MODE_DELETE);
1436 1433 mask |= LDAP_REALM_PASSWDSERVERS;
1437 1434 krb5_free_list_entries(list);
1438 1435 }
1439 1436 } else if (!strcmp(argv[i], "-addpwddn")) {
1440 1437 if (++i > argc-1)
1441 1438 goto err_usage;
1442 1439 if (!newpwddn) {
1443 1440 if ((rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers) && (!oldpwddns)) {
1444 1441 /* Store the old pwd dns list for removing rights */
1445 1442 oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1446 1443 if (oldpwddns == NULL) {
1447 1444 retval = ENOMEM;
1448 1445 goto cleanup;
1449 1446 }
1450 1447
1451 1448 for (j=0; rparams->passwdservers[j] != NULL; j++) {
1452 1449 oldpwddns[j] = strdup(rparams->passwdservers[j]);
1453 1450 if (oldpwddns[j] == NULL) {
1454 1451 retval = ENOMEM;
1455 1452 goto cleanup;
1456 1453 }
1457 1454 }
1458 1455 oldpwddns[j] = NULL;
1459 1456 }
1460 1457
1461 1458 memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
1462 1459 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
1463 1460 goto cleanup;
1464 1461 }
1465 1462 existing_entries = list_count_str_array(rparams->passwdservers);
1466 1463 list_entries = list_count_str_array(list);
1467 1464 if (rmask & LDAP_REALM_PASSWDSERVERS) {
1468 1465 tempstr = (char **)realloc(
1469 1466 rparams->passwdservers,
1470 1467 sizeof(char *) * (existing_entries+list_entries+1));
1471 1468 if (tempstr == NULL) {
1472 1469 retval = ENOMEM;
1473 1470 goto cleanup;
1474 1471 }
1475 1472 rparams->passwdservers = tempstr;
1476 1473 } else {
1477 1474 rparams->passwdservers = (char **)malloc(sizeof(char *) * (list_entries+1));
1478 1475 if (rparams->passwdservers == NULL) {
1479 1476 retval = ENOMEM;
1480 1477 goto cleanup;
1481 1478 }
1482 1479 memset(rparams->passwdservers, 0, sizeof(char *) * (list_entries+1));
1483 1480 }
1484 1481 list_modify_str_array(&rparams->passwdservers, (const char**)list,
1485 1482 LIST_MODE_ADD);
1486 1483 mask |= LDAP_REALM_PASSWDSERVERS;
1487 1484 }
1488 1485 }
1489 1486 #endif
1490 1487 else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0) {
1491 1488 mask|=ret_mask;
1492 1489 } else {
1493 1490 printf(gettext("'%s' is an invalid option\n"), argv[i]);
1494 1491 goto err_usage;
1495 1492 }
1496 1493 }
1497 1494
1498 1495 if ((retval = krb5_ldap_modify_realm(util_context,
1499 1496 /* global_params.realm, */ rparams, mask))) {
1500 1497 goto cleanup;
1501 1498 }
1502 1499
1503 1500 #ifdef HAVE_EDIRECTORY
1504 1501 if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_KDCSERVERS) ||
1505 1502 (mask & LDAP_REALM_ADMINSERVERS) || (mask & LDAP_REALM_PASSWDSERVERS)) {
1506 1503
1507 1504 printf(gettext("Changing rights for the service object. Please wait ... "));
1508 1505 fflush(stdout);
1509 1506
1510 1507 if (!(mask & LDAP_REALM_SUBTREE)) {
1511 1508 if (rparams->subtree != NULL) {
1512 1509 for(i=0; rparams->subtree[i]!=NULL;i++) {
1513 1510 oldsubtrees[i] = strdup(rparams->subtree[i]);
1514 1511 if( oldsubtrees[i] == NULL ) {
1515 1512 retval = ENOMEM;
1516 1513 goto cleanup;
1517 1514 }
1518 1515 }
1519 1516 }
1520 1517 }
1521 1518
1522 1519 if ((mask & LDAP_REALM_SUBTREE)) {
1523 1520 int check_subtree = 1;
1524 1521
1525 1522 newsubtrees = (char**) calloc(rparams->subtreecount, sizeof(char*));
1526 1523
1527 1524 if (newsubtrees == NULL) {
1528 1525 retval = ENOMEM;
1529 1526 goto cleanup;
1530 1527 }
1531 1528
1532 1529 if ( (rparams != NULL) && (rparams->subtree != NULL) ) {
1533 1530 for (j=0; j<rparams->subtreecount && rparams->subtree[j]!= NULL; j++) {
1534 1531 newsubtrees[j] = strdup(rparams->subtree[j]);
1535 1532 if (newsubtrees[j] == NULL) {
1536 1533 retval = ENOMEM;
1537 1534 goto cleanup;
1538 1535 }
1539 1536 }
1540 1537 newsubtrees[j] = NULL;
1541 1538 }
1542 1539 for(j=0;oldsubtrees[j]!=NULL;j++) {
1543 1540 check_subtree = 1;
1544 1541 for(i=0; ( (oldsubtrees[j] && !rparams->subtree[i]) ||
1545 1542 (!oldsubtrees[j] && rparams->subtree[i])); i++) {
1546 1543 if(strcasecmp( oldsubtrees[j], rparams->subtree[i]) == 0) {
1547 1544 check_subtree = 0;
1548 1545 continue;
1549 1546 }
1550 1547 }
1551 1548 if (check_subtree != 0) {
1552 1549 subtree_changed=1;
1553 1550 break;
1554 1551 }
1555 1552 }
1556 1553 /* this will return list of the disjoint members */
1557 1554 disjoint_members( oldsubtrees, newsubtrees);
1558 1555 }
1559 1556
1560 1557 if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_KDCSERVERS)) {
1561 1558
1562 1559 newkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1563 1560 if (newkdcdns == NULL) {
1564 1561 retval = ENOMEM;
1565 1562 goto cleanup;
1566 1563 }
1567 1564
1568 1565 if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
1569 1566 for (j=0; rparams->kdcservers[j]!= NULL; j++) {
1570 1567 newkdcdns[j] = strdup(rparams->kdcservers[j]);
1571 1568 if (newkdcdns[j] == NULL) {
1572 1569 retval = ENOMEM;
1573 1570 goto cleanup;
1574 1571 }
1575 1572 }
1576 1573 newkdcdns[j] = NULL;
1577 1574 }
1578 1575
1579 1576 if (!subtree_changed) {
1580 1577 disjoint_members(oldkdcdns, newkdcdns);
1581 1578 } else { /* Only the subtrees was changed. Remove the rights on the old subtrees. */
1582 1579 if (!(mask & LDAP_REALM_KDCSERVERS)) {
1583 1580
1584 1581 oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1585 1582 if (oldkdcdns == NULL) {
1586 1583 retval = ENOMEM;
1587 1584 goto cleanup;
1588 1585 }
1589 1586
1590 1587 if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
1591 1588 for (j=0; rparams->kdcservers[j]!= NULL; j++) {
1592 1589 oldkdcdns[j] = strdup(rparams->kdcservers[j]);
1593 1590 if (oldkdcdns[j] == NULL) {
1594 1591 retval = ENOMEM;
1595 1592 goto cleanup;
1596 1593 }
1597 1594 }
1598 1595 oldkdcdns[j] = NULL;
1599 1596 }
1600 1597 }
1601 1598 }
1602 1599
1603 1600 rightsmask =0;
1604 1601 rightsmask |= LDAP_REALM_RIGHTS;
1605 1602 rightsmask |= LDAP_SUBTREE_RIGHTS;
1606 1603 /* Remove the rights on the old subtrees */
1607 1604 if (oldkdcdns) {
1608 1605 for (i=0; (oldkdcdns[i] != NULL); i++) {
1609 1606 if ((retval=krb5_ldap_delete_service_rights(util_context,
1610 1607 LDAP_KDC_SERVICE, oldkdcdns[i],
1611 1608 rparams->realm_name, oldsubtrees, rightsmask)) != 0) {
1612 1609 printf(gettext("failed\n"));
1613 1610 /* Solaris Kerberos */
1614 1611 com_err(progname, retval, gettext("while assigning rights '%s'"),
1615 1612 rparams->realm_name);
1616 1613 goto err_nomsg;
1617 1614 }
1618 1615 }
1619 1616 }
1620 1617
1621 1618 rightsmask =0;
1622 1619 rightsmask |= LDAP_REALM_RIGHTS;
1623 1620 rightsmask |= LDAP_SUBTREE_RIGHTS;
1624 1621 if (newkdcdns) {
1625 1622 for (i=0; (newkdcdns[i] != NULL); i++) {
1626 1623
1627 1624 if ((retval=krb5_ldap_add_service_rights(util_context,
1628 1625 LDAP_KDC_SERVICE, newkdcdns[i], rparams->realm_name,
1629 1626 rparams->subtree, rightsmask)) != 0) {
1630 1627 printf(gettext("failed\n"));
1631 1628 /* Solaris Kerberos */
1632 1629 com_err(progname, retval, gettext("while assigning rights to '%s'"),
1633 1630 rparams->realm_name);
1634 1631 goto err_nomsg;
1635 1632 }
1636 1633 }
1637 1634 }
1638 1635 }
1639 1636
1640 1637 if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_ADMINSERVERS)) {
1641 1638
1642 1639 newadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1643 1640 if (newadmindns == NULL) {
1644 1641 retval = ENOMEM;
1645 1642 goto cleanup;
1646 1643 }
1647 1644
1648 1645 if ((rparams != NULL) && (rparams->adminservers != NULL)) {
1649 1646 for (j=0; rparams->adminservers[j]!= NULL; j++) {
1650 1647 newadmindns[j] = strdup(rparams->adminservers[j]);
1651 1648 if (newadmindns[j] == NULL) {
1652 1649 retval = ENOMEM;
1653 1650 goto cleanup;
1654 1651 }
1655 1652 }
1656 1653 newadmindns[j] = NULL;
1657 1654 }
1658 1655
1659 1656 if (!subtree_changed) {
1660 1657 disjoint_members(oldadmindns, newadmindns);
1661 1658 } else { /* Only the subtrees was changed. Remove the rights on the old subtrees. */
1662 1659 if (!(mask & LDAP_REALM_ADMINSERVERS)) {
1663 1660
1664 1661 oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1665 1662 if (oldadmindns == NULL) {
1666 1663 retval = ENOMEM;
1667 1664 goto cleanup;
1668 1665 }
1669 1666
1670 1667 if ((rparams != NULL) && (rparams->adminservers != NULL)) {
1671 1668 for (j=0; rparams->adminservers[j]!= NULL; j++) {
1672 1669 oldadmindns[j] = strdup(rparams->adminservers[j]);
1673 1670 if (oldadmindns[j] == NULL) {
1674 1671 retval = ENOMEM;
1675 1672 goto cleanup;
1676 1673 }
1677 1674 }
1678 1675 oldadmindns[j] = NULL;
1679 1676 }
1680 1677 }
1681 1678 }
1682 1679
1683 1680 rightsmask = 0;
1684 1681 rightsmask |= LDAP_REALM_RIGHTS;
1685 1682 rightsmask |= LDAP_SUBTREE_RIGHTS;
1686 1683 /* Remove the rights on the old subtrees */
1687 1684 if (oldadmindns) {
1688 1685 for (i=0; (oldadmindns[i] != NULL); i++) {
1689 1686
1690 1687 if ((retval=krb5_ldap_delete_service_rights(util_context,
1691 1688 LDAP_ADMIN_SERVICE, oldadmindns[i],
1692 1689 rparams->realm_name, oldsubtrees, rightsmask)) != 0) {
1693 1690 printf(gettext("failed\n"));
1694 1691 /* Solaris Kerberos */
1695 1692 com_err(progname, retval, gettext("while assigning rights '%s'"),
1696 1693 rparams->realm_name);
1697 1694 goto err_nomsg;
1698 1695 }
1699 1696 }
1700 1697 }
1701 1698
1702 1699 rightsmask = 0;
1703 1700 rightsmask |= LDAP_REALM_RIGHTS;
1704 1701 rightsmask |= LDAP_SUBTREE_RIGHTS;
1705 1702 /* Add rights on the new subtree for all the kdc dns */
1706 1703 if (newadmindns) {
1707 1704 for (i=0; (newadmindns[i] != NULL); i++) {
1708 1705
1709 1706 if ((retval=krb5_ldap_add_service_rights(util_context,
1710 1707 LDAP_ADMIN_SERVICE, newadmindns[i],
1711 1708 rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
1712 1709 printf(gettext("failed\n"));
1713 1710 /* Solaris Kerberos */
1714 1711 com_err(progname, retval, gettext("while assigning rights to '%s'"),
1715 1712 rparams->realm_name);
1716 1713 goto err_nomsg;
1717 1714 }
1718 1715 }
1719 1716 }
1720 1717 }
1721 1718
1722 1719
1723 1720 if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_PASSWDSERVERS)) {
1724 1721
1725 1722 newpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1726 1723 if (newpwddns == NULL) {
1727 1724 retval = ENOMEM;
1728 1725 goto cleanup;
1729 1726 }
1730 1727
1731 1728 if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
1732 1729 for (j=0; rparams->passwdservers[j]!= NULL; j++) {
1733 1730 newpwddns[j] = strdup(rparams->passwdservers[j]);
1734 1731 if (newpwddns[j] == NULL) {
1735 1732 retval = ENOMEM;
1736 1733 goto cleanup;
1737 1734 }
1738 1735 }
1739 1736 newpwddns[j] = NULL;
1740 1737 }
1741 1738
1742 1739 if (!subtree_changed) {
1743 1740 disjoint_members(oldpwddns, newpwddns);
1744 1741 } else { /* Only the subtrees was changed. Remove the rights on the old subtrees. */
1745 1742 if (!(mask & LDAP_REALM_ADMINSERVERS)) {
1746 1743
1747 1744 oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1748 1745 if (oldpwddns == NULL) {
1749 1746 retval = ENOMEM;
1750 1747 goto cleanup;
1751 1748 }
1752 1749
1753 1750 if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
1754 1751 for (j=0; rparams->passwdservers[j]!= NULL; j++) {
1755 1752 oldpwddns[j] = strdup(rparams->passwdservers[j]);
1756 1753 if (oldpwddns[j] == NULL) {
1757 1754 retval = ENOMEM;
1758 1755 goto cleanup;
1759 1756 }
1760 1757 }
1761 1758 oldpwddns[j] = NULL;
1762 1759 }
1763 1760 }
1764 1761 }
1765 1762
1766 1763 rightsmask =0;
1767 1764 rightsmask |= LDAP_REALM_RIGHTS;
1768 1765 rightsmask |= LDAP_SUBTREE_RIGHTS;
1769 1766 /* Remove the rights on the old subtrees */
1770 1767 if (oldpwddns) {
1771 1768 for (i=0; (oldpwddns[i] != NULL); i++) {
1772 1769 if ((retval = krb5_ldap_delete_service_rights(util_context,
1773 1770 LDAP_PASSWD_SERVICE, oldpwddns[i],
1774 1771 rparams->realm_name, oldsubtrees, rightsmask))) {
1775 1772 printf(gettext("failed\n"));
1776 1773 /* Solaris Kerberos */
1777 1774 com_err(progname, retval, gettext("while assigning rights '%s'"),
1778 1775 rparams->realm_name);
1779 1776 goto err_nomsg;
1780 1777 }
1781 1778 }
1782 1779 }
1783 1780
1784 1781 rightsmask =0;
1785 1782 rightsmask |= LDAP_REALM_RIGHTS;
1786 1783 rightsmask |= LDAP_SUBTREE_RIGHTS;
1787 1784 /* Add rights on the new subtree for all the kdc dns */
1788 1785 if (newpwddns) {
1789 1786 for (i=0; (newpwddns[i] != NULL); i++) {
1790 1787 if ((retval = krb5_ldap_add_service_rights(util_context,
1791 1788 LDAP_PASSWD_SERVICE, newpwddns[i],
1792 1789 rparams->realm_name, rparams->subtree, rightsmask))) {
1793 1790 printf(gettext("failed\n"));
1794 1791 /* Solaris Kerberos */
1795 1792 com_err(progname, retval, gettext("while assigning rights to '%s'"),
1796 1793 rparams->realm_name);
1797 1794 goto err_nomsg;
1798 1795 }
1799 1796 }
1800 1797 }
1801 1798 }
1802 1799
1803 1800 printf(gettext("done\n"));
1804 1801 }
1805 1802 #endif
1806 1803
1807 1804 goto cleanup;
1808 1805
1809 1806 err_usage:
1810 1807 print_usage = TRUE;
1811 1808
1812 1809 err_nomsg:
1813 1810 no_msg = TRUE;
1814 1811
1815 1812 cleanup:
1816 1813 krb5_ldap_free_realm_params(rparams);
1817 1814
1818 1815
1819 1816 #ifdef HAVE_EDIRECTORY
1820 1817 if (oldkdcdns) {
1821 1818 for (i=0; oldkdcdns[i] != NULL; i++)
1822 1819 free(oldkdcdns[i]);
1823 1820 free(oldkdcdns);
1824 1821 }
1825 1822 if (oldpwddns) {
1826 1823 for (i=0; oldpwddns[i] != NULL; i++)
1827 1824 free(oldpwddns[i]);
1828 1825 free(oldpwddns);
1829 1826 }
1830 1827 if (oldadmindns) {
1831 1828 for (i=0; oldadmindns[i] != NULL; i++)
1832 1829 free(oldadmindns[i]);
1833 1830 free(oldadmindns);
1834 1831 }
1835 1832 if (newkdcdns) {
1836 1833 for (i=0; newkdcdns[i] != NULL; i++)
1837 1834 free(newkdcdns[i]);
1838 1835 free(newkdcdns);
1839 1836 }
1840 1837 if (newpwddns) {
1841 1838 for (i=0; newpwddns[i] != NULL; i++)
1842 1839 free(newpwddns[i]);
1843 1840 free(newpwddns);
1844 1841 }
1845 1842 if (newadmindns) {
1846 1843 for (i=0; newadmindns[i] != NULL; i++)
1847 1844 free(newadmindns[i]);
1848 1845 free(newadmindns);
1849 1846 }
1850 1847 if (oldsubtrees) {
1851 1848 for (i=0;oldsubtrees[i]!=NULL; i++)
1852 1849 free(oldsubtrees[i]);
1853 1850 free(oldsubtrees);
1854 1851 }
1855 1852 if (newsubtrees) {
1856 1853 for (i=0;newsubtrees[i]!=NULL; i++)
1857 1854 free(newsubtrees[i]);
1858 1855 free(oldsubtrees);
1859 1856 }
1860 1857 #endif
1861 1858 if (print_usage) {
1862 1859 db_usage(MODIFY_REALM);
1863 1860 }
1864 1861
1865 1862 if (retval) {
1866 1863 if (!no_msg) {
1867 1864 /* Solaris Kerberos */
1868 1865 com_err(progname, retval, gettext("while modifying information of realm '%s'"),
1869 1866 global_params.realm);
1870 1867 }
1871 1868 exit_status++;
1872 1869 }
1873 1870
1874 1871 return;
1875 1872 }
1876 1873
1877 1874
1878 1875
1879 1876 /*
1880 1877 * This function displays the attributes of a Realm
1881 1878 */
1882 1879 void kdb5_ldap_view(argc, argv)
1883 1880 int argc;
1884 1881 char *argv[];
1885 1882 {
1886 1883 krb5_ldap_realm_params *rparams = NULL;
1887 1884 krb5_error_code retval = 0;
1888 1885 kdb5_dal_handle *dal_handle=NULL;
1889 1886 krb5_ldap_context *ldap_context=NULL;
1890 1887 int mask = 0;
1891 1888
1892 1889 dal_handle = (kdb5_dal_handle *) util_context->db_context;
1893 1890 ldap_context = (krb5_ldap_context *) dal_handle->db_context;
1894 1891 if (!(ldap_context)) {
1895 1892 retval = EINVAL;
1896 1893 /* Solaris Kerberos */
1897 1894 com_err(progname, retval, gettext("while initializing database"));
1898 1895 exit_status++;
1899 1896 return;
1900 1897 }
1901 1898
1902 1899 /* Read the kerberos container information */
1903 1900 if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
1904 1901 &(ldap_context->krbcontainer))) != 0) {
1905 1902 /* Solaris Kerberos */
1906 1903 com_err(progname, retval, gettext("while reading kerberos container information"));
1907 1904 exit_status++;
1908 1905 return;
1909 1906 }
1910 1907
1911 1908 if ((retval = krb5_ldap_read_realm_params(util_context,
1912 1909 global_params.realm, &rparams, &mask)) || (!rparams)) {
1913 1910 /* Solaris Kerberos */
1914 1911 com_err(progname, retval, gettext("while reading information of realm '%s'"),
1915 1912 global_params.realm);
1916 1913 exit_status++;
1917 1914 return;
1918 1915 }
1919 1916 print_realm_params(rparams, mask);
1920 1917 krb5_ldap_free_realm_params(rparams);
1921 1918
1922 1919 return;
1923 1920 }
1924 1921
1925 1922 static char *strdur(duration)
1926 1923 time_t duration;
1927 1924 {
1928 1925 static char out[50];
1929 1926 int neg, days, hours, minutes, seconds;
1930 1927
1931 1928 if (duration < 0) {
1932 1929 duration *= -1;
1933 1930 neg = 1;
1934 1931 } else
1935 1932 neg = 0;
1936 1933 days = duration / (24 * 3600);
1937 1934 duration %= 24 * 3600;
1938 1935 hours = duration / 3600;
1939 1936 duration %= 3600;
1940 1937 minutes = duration / 60;
1941 1938 duration %= 60;
1942 1939 seconds = duration;
1943 1940 snprintf(out, sizeof(out), "%s%d %s %02d:%02d:%02d", neg ? "-" : "",
1944 1941 days, days == 1 ? gettext("day") : gettext("days"),
1945 1942 hours, minutes, seconds);
1946 1943 return out;
1947 1944 }
1948 1945
1949 1946 /*
1950 1947 * This function prints the attributes of a given realm to the
1951 1948 * standard output.
1952 1949 */
1953 1950 static void print_realm_params(krb5_ldap_realm_params *rparams, int mask)
1954 1951 {
1955 1952 char **slist = NULL;
1956 1953 int num_entry_printed = 0, i = 0;
1957 1954
1958 1955 /* Print the Realm Attributes on the standard output */
1959 1956 printf("%25s: %-50s\n", gettext("Realm Name"), global_params.realm);
1960 1957 if (mask & LDAP_REALM_SUBTREE) {
1961 1958 for (i=0; rparams->subtree[i]!=NULL; i++)
1962 1959 printf("%25s: %-50s\n", gettext("Subtree"), rparams->subtree[i]);
1963 1960 }
1964 1961 if (mask & LDAP_REALM_CONTREF)
1965 1962 printf("%25s: %-50s\n", gettext("Principal Container Reference"), rparams->containerref);
1966 1963 if (mask & LDAP_REALM_SEARCHSCOPE) {
1967 1964 if ((rparams->search_scope != 1) &&
1968 1965 (rparams->search_scope != 2)) {
1969 1966 printf("%25s: %-50s\n", gettext("SearchScope"), gettext("Invalid !"));
1970 1967 } else {
1971 1968 printf("%25s: %-50s\n", gettext("SearchScope"),
1972 1969 (rparams->search_scope == 1) ? gettext("ONE") : gettext("SUB"));
1973 1970 }
1974 1971 }
1975 1972 if (mask & LDAP_REALM_KDCSERVERS) {
1976 1973 printf("%25s:", gettext("KDC Services"));
1977 1974 if (rparams->kdcservers != NULL) {
1978 1975 num_entry_printed = 0;
1979 1976 for (slist = rparams->kdcservers; *slist != NULL; slist++) {
1980 1977 if (num_entry_printed)
1981 1978 printf(" %25s %-50s\n", " ", *slist);
1982 1979 else
1983 1980 printf(" %-50s\n", *slist);
1984 1981 num_entry_printed++;
1985 1982 }
1986 1983 }
1987 1984 if (num_entry_printed == 0)
1988 1985 printf("\n");
1989 1986 }
1990 1987 if (mask & LDAP_REALM_ADMINSERVERS) {
1991 1988 printf("%25s:", gettext("Admin Services"));
1992 1989 if (rparams->adminservers != NULL) {
1993 1990 num_entry_printed = 0;
1994 1991 for (slist = rparams->adminservers; *slist != NULL; slist++) {
1995 1992 if (num_entry_printed)
1996 1993 printf(" %25s %-50s\n", " ", *slist);
1997 1994 else
1998 1995 printf(" %-50s\n", *slist);
1999 1996 num_entry_printed++;
2000 1997 }
2001 1998 }
2002 1999 if (num_entry_printed == 0)
2003 2000 printf("\n");
2004 2001 }
2005 2002 if (mask & LDAP_REALM_PASSWDSERVERS) {
2006 2003 printf("%25s:", gettext("Passwd Services"));
2007 2004 if (rparams->passwdservers != NULL) {
2008 2005 num_entry_printed = 0;
2009 2006 for (slist = rparams->passwdservers; *slist != NULL; slist++) {
2010 2007 if (num_entry_printed)
2011 2008 printf(" %25s %-50s\n", " ", *slist);
2012 2009 else
2013 2010 printf(" %-50s\n", *slist);
2014 2011 num_entry_printed++;
2015 2012 }
2016 2013 }
2017 2014 if (num_entry_printed == 0)
2018 2015 printf("\n");
2019 2016 }
2020 2017 if (mask & LDAP_REALM_MAXTICKETLIFE) {
2021 2018 printf("%25s:", gettext("Maximum Ticket Life"));
2022 2019 printf(" %s \n", strdur(rparams->max_life));
2023 2020 }
2024 2021
2025 2022 if (mask & LDAP_REALM_MAXRENEWLIFE) {
2026 2023 printf("%25s:", gettext("Maximum Renewable Life"));
2027 2024 printf(" %s \n", strdur(rparams->max_renewable_life));
2028 2025 }
2029 2026
2030 2027 if (mask & LDAP_REALM_KRBTICKETFLAGS) {
2031 2028 int ticketflags = rparams->tktflags;
2032 2029
2033 2030 printf("%25s: ", gettext("Ticket flags"));
2034 2031 if (ticketflags & KRB5_KDB_DISALLOW_POSTDATED)
2035 2032 printf("%s ","DISALLOW_POSTDATED");
2036 2033
2037 2034 if (ticketflags & KRB5_KDB_DISALLOW_FORWARDABLE)
2038 2035 printf("%s ","DISALLOW_FORWARDABLE");
2039 2036
2040 2037 if (ticketflags & KRB5_KDB_DISALLOW_RENEWABLE)
2041 2038 printf("%s ","DISALLOW_RENEWABLE");
2042 2039
2043 2040 if (ticketflags & KRB5_KDB_DISALLOW_PROXIABLE)
2044 2041 printf("%s ","DISALLOW_PROXIABLE");
2045 2042
2046 2043 if (ticketflags & KRB5_KDB_DISALLOW_DUP_SKEY)
2047 2044 printf("%s ","DISALLOW_DUP_SKEY");
2048 2045
2049 2046 if (ticketflags & KRB5_KDB_REQUIRES_PRE_AUTH)
2050 2047 printf("%s ","REQUIRES_PRE_AUTH");
2051 2048
2052 2049 if (ticketflags & KRB5_KDB_REQUIRES_HW_AUTH)
2053 2050 printf("%s ","REQUIRES_HW_AUTH");
2054 2051
2055 2052 if (ticketflags & KRB5_KDB_DISALLOW_SVR)
2056 2053 printf("%s ","DISALLOW_SVR");
2057 2054
2058 2055 if (ticketflags & KRB5_KDB_DISALLOW_TGT_BASED)
2059 2056 printf("%s ","DISALLOW_TGT_BASED");
2060 2057
2061 2058 if (ticketflags & KRB5_KDB_DISALLOW_ALL_TIX)
2062 2059 printf("%s ","DISALLOW_ALL_TIX");
2063 2060
2064 2061 if (ticketflags & KRB5_KDB_REQUIRES_PWCHANGE)
2065 2062 printf("%s ","REQUIRES_PWCHANGE");
2066 2063
2067 2064 if (ticketflags & KRB5_KDB_PWCHANGE_SERVICE)
2068 2065 printf("%s ","PWCHANGE_SERVICE");
2069 2066
2070 2067 printf("\n");
2071 2068 }
2072 2069
2073 2070
2074 2071 return;
2075 2072 }
2076 2073
2077 2074
2078 2075
2079 2076 /*
2080 2077 * This function lists the Realm(s) present under the Kerberos container
2081 2078 * on the LDAP Server.
2082 2079 */
2083 2080 void kdb5_ldap_list(argc, argv)
2084 2081 int argc;
2085 2082 char *argv[];
2086 2083 {
2087 2084 char **list = NULL;
2088 2085 char **plist = NULL;
2089 2086 krb5_error_code retval = 0;
2090 2087 kdb5_dal_handle *dal_handle=NULL;
2091 2088 krb5_ldap_context *ldap_context=NULL;
2092 2089
2093 2090 dal_handle = (kdb5_dal_handle *)util_context->db_context;
2094 2091 ldap_context = (krb5_ldap_context *) dal_handle->db_context;
2095 2092 if (!(ldap_context)) {
2096 2093 retval = EINVAL;
2097 2094 exit_status++;
2098 2095 return;
2099 2096 }
2100 2097
2101 2098 /* Read the kerberos container information */
2102 2099 if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
2103 2100 &(ldap_context->krbcontainer))) != 0) {
2104 2101 /* Solaris Kerberos */
2105 2102 com_err(progname, retval, gettext("while reading kerberos container information"));
2106 2103 exit_status++;
2107 2104 return;
2108 2105 }
2109 2106
2110 2107 retval = krb5_ldap_list_realm(util_context, &list);
2111 2108 if (retval != 0) {
2112 2109 krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer);
2113 2110 ldap_context->krbcontainer = NULL;
2114 2111 /* Solaris Kerberos */
2115 2112 com_err (progname, retval, gettext("while listing realms"));
2116 2113 exit_status++;
2117 2114 return;
2118 2115 }
2119 2116 /* This is to handle the case of realm not present */
2120 2117 if (list == NULL) {
2121 2118 krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer);
2122 2119 ldap_context->krbcontainer = NULL;
2123 2120 return;
2124 2121 }
2125 2122
2126 2123 for (plist = list; *plist != NULL; plist++) {
2127 2124 printf("%s\n", *plist);
2128 2125 }
2129 2126 krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer);
2130 2127 ldap_context->krbcontainer = NULL;
2131 2128 krb5_free_list_entries(list);
2132 2129 free(list);
2133 2130
2134 2131 return;
2135 2132 }
2136 2133
2137 2134 /*
2138 2135 * Duplicating the following two functions here because
2139 2136 * 'krb5_dbe_update_tl_data' uses backend specific memory allocation. The catch
2140 2137 * here is that the backend is not initialized - kdb5_ldap_util doesn't go
2141 2138 * through DAL.
2142 2139 * 1. krb5_dbe_update_tl_data
2143 2140 * 2. krb5_dbe_update_mod_princ_data
2144 2141 */
2145 2142
2146 2143 /* Start duplicate code ... */
2147 2144
2148 2145 static krb5_error_code
2149 2146 krb5_dbe_update_tl_data_new(context, entry, new_tl_data)
2150 2147 krb5_context context;
2151 2148 krb5_db_entry *entry;
2152 2149 krb5_tl_data *new_tl_data;
2153 2150 {
2154 2151 krb5_tl_data *tl_data = NULL;
2155 2152 krb5_octet *tmp;
2156 2153
2157 2154 /* copy the new data first, so we can fail cleanly if malloc()
2158 2155 * fails */
2159 2156 /*
2160 2157 if ((tmp =
2161 2158 (krb5_octet *) krb5_db_alloc(context, NULL,
2162 2159 new_tl_data->tl_data_length)) == NULL)
2163 2160 */
2164 2161 if ((tmp = (krb5_octet *) malloc (new_tl_data->tl_data_length)) == NULL)
2165 2162 return (ENOMEM);
2166 2163
2167 2164 /* Find an existing entry of the specified type and point at
2168 2165 * it, or NULL if not found */
2169 2166
2170 2167 if (new_tl_data->tl_data_type != KRB5_TL_DB_ARGS) { /* db_args can be multiple */
2171 2168 for (tl_data = entry->tl_data; tl_data;
2172 2169 tl_data = tl_data->tl_data_next)
2173 2170 if (tl_data->tl_data_type == new_tl_data->tl_data_type)
2174 2171 break;
2175 2172 }
2176 2173
2177 2174 /* if necessary, chain a new record in the beginning and point at it */
2178 2175
2179 2176 if (!tl_data) {
2180 2177 /*
2181 2178 if ((tl_data =
2182 2179 (krb5_tl_data *) krb5_db_alloc(context, NULL,
2183 2180 sizeof(krb5_tl_data)))
2184 2181 == NULL) {
2185 2182 */
2186 2183 if ((tl_data = (krb5_tl_data *) malloc (sizeof(krb5_tl_data))) == NULL) {
2187 2184 free(tmp);
2188 2185 return (ENOMEM);
2189 2186 }
2190 2187 memset(tl_data, 0, sizeof(krb5_tl_data));
2191 2188 tl_data->tl_data_next = entry->tl_data;
2192 2189 entry->tl_data = tl_data;
2193 2190 entry->n_tl_data++;
2194 2191 }
2195 2192
2196 2193 /* fill in the record */
2197 2194
2198 2195 if (tl_data->tl_data_contents)
2199 2196 krb5_db_free(context, tl_data->tl_data_contents);
2200 2197
2201 2198 tl_data->tl_data_type = new_tl_data->tl_data_type;
2202 2199 tl_data->tl_data_length = new_tl_data->tl_data_length;
2203 2200 tl_data->tl_data_contents = tmp;
2204 2201 memcpy(tmp, new_tl_data->tl_data_contents, tl_data->tl_data_length);
2205 2202
2206 2203 return (0);
2207 2204 }
2208 2205
2209 2206 static krb5_error_code
2210 2207 krb5_dbe_update_mod_princ_data_new(context, entry, mod_date, mod_princ)
2211 2208 krb5_context context;
2212 2209 krb5_db_entry * entry;
2213 2210 krb5_timestamp mod_date;
2214 2211 krb5_const_principal mod_princ;
2215 2212 {
2216 2213 krb5_tl_data tl_data;
2217 2214
2218 2215 krb5_error_code retval = 0;
2219 2216 krb5_octet * nextloc = 0;
2220 2217 char * unparse_mod_princ = 0;
2221 2218 unsigned int unparse_mod_princ_size;
2222 2219
2223 2220 if ((retval = krb5_unparse_name(context, mod_princ,
2224 2221 &unparse_mod_princ)))
2225 2222 return(retval);
2226 2223
2227 2224 unparse_mod_princ_size = strlen(unparse_mod_princ) + 1;
2228 2225
2229 2226 if ((nextloc = (krb5_octet *) malloc(unparse_mod_princ_size + 4))
2230 2227 == NULL) {
2231 2228 free(unparse_mod_princ);
2232 2229 return(ENOMEM);
2233 2230 }
2234 2231
2235 2232 tl_data.tl_data_type = KRB5_TL_MOD_PRINC;
2236 2233 tl_data.tl_data_length = unparse_mod_princ_size + 4;
2237 2234 tl_data.tl_data_contents = nextloc;
2238 2235
2239 2236 /* Mod Date */
2240 2237 krb5_kdb_encode_int32(mod_date, nextloc);
2241 2238
2242 2239 /* Mod Princ */
2243 2240 memcpy(nextloc+4, unparse_mod_princ, unparse_mod_princ_size);
2244 2241
2245 2242 retval = krb5_dbe_update_tl_data_new(context, entry, &tl_data);
2246 2243
2247 2244 free(unparse_mod_princ);
2248 2245 free(nextloc);
2249 2246
2250 2247 return(retval);
2251 2248 }
2252 2249
2253 2250 static krb5_error_code
2254 2251 kdb_ldap_tgt_keysalt_iterate(ksent, ptr)
2255 2252 krb5_key_salt_tuple *ksent;
2256 2253 krb5_pointer ptr;
2257 2254 {
2258 2255 krb5_context context;
2259 2256 krb5_error_code kret;
2260 2257 struct iterate_args *iargs;
2261 2258 krb5_keyblock key;
2262 2259 krb5_int32 ind;
2263 2260 krb5_data pwd;
2264 2261 krb5_db_entry *entry;
2265 2262
2266 2263 iargs = (struct iterate_args *) ptr;
2267 2264 kret = 0;
2268 2265
2269 2266 context = iargs->ctx;
2270 2267 entry = iargs->dbentp;
2271 2268
2272 2269 /*
2273 2270 * Convert the master key password into a key for this particular
2274 2271 * encryption system.
2275 2272 */
2276 2273 pwd.data = mkey_password;
2277 2274 pwd.length = strlen(mkey_password);
2278 2275 kret = krb5_c_random_seed(context, &pwd);
2279 2276 if (kret)
2280 2277 return kret;
2281 2278
2282 2279 /*if (!(kret = krb5_dbe_create_key_data(iargs->ctx, iargs->dbentp))) {*/
2283 2280 if ((entry->key_data =
2284 2281 (krb5_key_data *) realloc(entry->key_data,
2285 2282 (sizeof(krb5_key_data) *
2286 2283 (entry->n_key_data + 1)))) == NULL)
2287 2284 return (ENOMEM);
2288 2285
2289 2286 memset(entry->key_data + entry->n_key_data, 0, sizeof(krb5_key_data));
2290 2287 ind = entry->n_key_data++;
2291 2288
2292 2289 if (!(kret = krb5_c_make_random_key(context, ksent->ks_enctype,
2293 2290 &key))) {
2294 2291 kret = krb5_dbekd_encrypt_key_data(context,
2295 2292 iargs->rblock->key,
2296 2293 &key,
2297 2294 NULL,
2298 2295 1,
2299 2296 &entry->key_data[ind]);
2300 2297 krb5_free_keyblock_contents(context, &key);
2301 2298 }
2302 2299 /*}*/
2303 2300
2304 2301 return(kret);
2305 2302 }
2306 2303 /* End duplicate code */
2307 2304
2308 2305 /*
2309 2306 * This function creates service principals when
2310 2307 * creating the realm object.
2311 2308 */
2312 2309 static int
2313 2310 kdb_ldap_create_principal (context, princ, op, pblock)
2314 2311 krb5_context context;
2315 2312 krb5_principal princ;
2316 2313 enum ap_op op;
2317 2314 struct realm_info *pblock;
2318 2315 {
2319 2316 int retval=0, currlen=0, princtype = 2 /* Service Principal */;
2320 2317 unsigned char *curr=NULL;
2321 2318 krb5_tl_data *tl_data=NULL;
2322 2319 krb5_db_entry entry;
2323 2320 int nentry=1;
2324 2321 long mask = 0;
2325 2322 krb5_keyblock key;
2326 2323 int kvno = 0;
2327 2324 kdb5_dal_handle *dal_handle = NULL;
2328 2325 krb5_ldap_context *ldap_context=NULL;
2329 2326 struct iterate_args iargs;
2330 2327 krb5_data *pdata;
2331 2328
2332 2329 if ((pblock == NULL) || (context == NULL)) {
2333 2330 retval = EINVAL;
2334 2331 goto cleanup;
2335 2332 }
2336 2333 dal_handle = (kdb5_dal_handle *) context->db_context;
2337 2334 ldap_context = (krb5_ldap_context *) dal_handle->db_context;
2338 2335 if (!(ldap_context)) {
2339 2336 retval = EINVAL;
2340 2337 goto cleanup;
2341 2338 }
2342 2339
2343 2340 memset(&entry, 0, sizeof(entry));
2344 2341
2345 2342 tl_data = malloc(sizeof(*tl_data));
2346 2343 if (tl_data == NULL) {
2347 2344 retval = ENOMEM;
2348 2345 goto cleanup;
2349 2346 }
2350 2347 memset(tl_data, 0, sizeof(*tl_data));
2351 2348 tl_data->tl_data_length = 1 + 2 + 2 + 1 + 2 + 4;
2352 2349 tl_data->tl_data_type = 7; /* KDB_TL_USER_INFO */
2353 2350 curr = tl_data->tl_data_contents = malloc(tl_data->tl_data_length);
2354 2351 if (tl_data->tl_data_contents == NULL) {
2355 2352 retval = ENOMEM;
2356 2353 goto cleanup;
2357 2354 }
2358 2355
2359 2356 memset(curr, 1, 1); /* Passing the mask as principal type */
2360 2357 curr += 1;
2361 2358 currlen = 2;
2362 2359 STORE16_INT(curr, currlen);
2363 2360 curr += currlen;
2364 2361 STORE16_INT(curr, princtype);
2365 2362 curr += currlen;
2366 2363
2367 2364 mask |= KADM5_PRINCIPAL;
2368 2365 mask |= KADM5_ATTRIBUTES ;
2369 2366 mask |= KADM5_MAX_LIFE ;
2370 2367 mask |= KADM5_MAX_RLIFE ;
2371 2368 mask |= KADM5_PRINC_EXPIRE_TIME ;
2372 2369 mask |= KADM5_KEY_DATA;
2373 2370
2374 2371 entry.tl_data = tl_data;
2375 2372 entry.n_tl_data += 1;
2376 2373 /* Set the creator's name */
2377 2374 {
2378 2375 krb5_timestamp now;
2379 2376 if ((retval = krb5_timeofday(context, &now)))
2380 2377 goto cleanup;
2381 2378 if ((retval = krb5_dbe_update_mod_princ_data_new(context, &entry,
2382 2379 now, &db_create_princ)))
2383 2380 goto cleanup;
2384 2381 }
2385 2382 entry.attributes = pblock->flags;
2386 2383 entry.max_life = pblock->max_life;
2387 2384 entry.max_renewable_life = pblock->max_rlife;
2388 2385 entry.expiration = pblock->expiration;
2389 2386 entry.mask = mask;
2390 2387 if ((retval = krb5_copy_principal(context, princ, &entry.princ)))
2391 2388 goto cleanup;
2392 2389
2393 2390
2394 2391 switch (op) {
2395 2392 case TGT_KEY:
2396 2393 if ((pdata = krb5_princ_component(context, princ, 1)) &&
2397 2394 pdata->length == strlen("history") &&
2398 2395 !memcmp(pdata->data, "history", strlen("history"))) {
2399 2396
2400 2397 /* Allocate memory for storing the key */
2401 2398 if ((entry.key_data = (krb5_key_data *) malloc(
2402 2399 sizeof(krb5_key_data))) == NULL) {
2403 2400 retval = ENOMEM;
2404 2401 goto cleanup;
2405 2402 }
2406 2403
2407 2404 memset(entry.key_data, 0, sizeof(krb5_key_data));
2408 2405 entry.n_key_data++;
2409 2406
2410 2407 retval = krb5_c_make_random_key(context, global_params.enctype, &key);
2411 2408 if (retval) {
2412 2409 goto cleanup;
2413 2410 }
2414 2411 kvno = 1; /* New key is getting set */
2415 2412 retval = krb5_dbekd_encrypt_key_data(context,
2416 2413 &ldap_context->lrparams->mkey,
2417 2414 &key, NULL, kvno,
2418 2415 &entry.key_data[entry.n_key_data - 1]);
2419 2416 krb5_free_keyblock_contents(context, &key);
2420 2417 if (retval) {
2421 2418 goto cleanup;
2422 2419 }
2423 2420 } else {
2424 2421 /*retval = krb5_c_make_random_key(context, 16, &key) ;*/
2425 2422 iargs.ctx = context;
2426 2423 iargs.rblock = pblock;
2427 2424 iargs.dbentp = &entry;
2428 2425
2429 2426 /*
2430 2427 * create a set of random keys by iterating through the key/salt
2431 2428 * list, ignoring salt types.
2432 2429 */
2433 2430 if ((retval = krb5_keysalt_iterate(pblock->kslist,
2434 2431 pblock->nkslist,
2435 2432 1,
2436 2433 kdb_ldap_tgt_keysalt_iterate,
2437 2434 (krb5_pointer) &iargs)))
2438 2435 return retval;
2439 2436 }
2440 2437 break;
2441 2438
2442 2439 case MASTER_KEY:
2443 2440 /* Allocate memory for storing the key */
2444 2441 if ((entry.key_data = (krb5_key_data *) malloc(
2445 2442 sizeof(krb5_key_data))) == NULL) {
2446 2443 retval = ENOMEM;
2447 2444 goto cleanup;
2448 2445 }
2449 2446
2450 2447 memset(entry.key_data, 0, sizeof(krb5_key_data));
2451 2448 entry.n_key_data++;
2452 2449 kvno = 1; /* New key is getting set */
2453 2450 retval = krb5_dbekd_encrypt_key_data(context, pblock->key,
2454 2451 &ldap_context->lrparams->mkey,
2455 2452 NULL, kvno,
2456 2453 &entry.key_data[entry.n_key_data - 1]);
2457 2454 if (retval) {
2458 2455 goto cleanup;
2459 2456 }
2460 2457 break;
2461 2458
2462 2459 case NULL_KEY:
2463 2460 default:
2464 2461 break;
2465 2462 } /* end of switch */
2466 2463
2467 2464 retval = krb5_ldap_put_principal(context, &entry, &nentry, NULL);
2468 2465 if (retval) {
2469 2466 com_err(NULL, retval, gettext("while adding entries to database"));
2470 2467 goto cleanup;
2471 2468 }
2472 2469
2473 2470 cleanup:
2474 2471 krb5_dbe_free_contents(context, &entry);
2475 2472 return retval;
2476 2473 }
2477 2474
2478 2475
2479 2476 /*
2480 2477 * This function destroys the realm object and the associated principals
2481 2478 */
2482 2479 void
2483 2480 kdb5_ldap_destroy(argc, argv)
2484 2481 int argc;
2485 2482 char *argv[];
2486 2483 {
2487 2484 extern char *optarg;
2488 2485 extern int optind;
2489 2486 int optchar = 0;
2490 2487 char buf[5] = {0};
2491 2488 krb5_error_code retval = 0;
2492 2489 int force = 0;
2493 2490 int mask = 0;
2494 2491 kdb5_dal_handle *dal_handle = NULL;
2495 2492 krb5_ldap_context *ldap_context = NULL;
2496 2493 #ifdef HAVE_EDIRECTORY
2497 2494 int i = 0, rightsmask = 0;
2498 2495 krb5_ldap_realm_params *rparams = NULL;
2499 2496 #endif
2500 2497 /* Solaris Kerberos: to remove stash file */
2501 2498 char *stash_file = NULL;
2502 2499 struct stat stb;
2503 2500
2504 2501 optind = 1;
2505 2502 while ((optchar = getopt(argc, argv, "f")) != -1) {
2506 2503 switch (optchar) {
2507 2504 case 'f':
2508 2505 force++;
2509 2506 break;
2510 2507 case '?':
2511 2508 default:
2512 2509 db_usage(DESTROY_REALM);
2513 2510 return;
2514 2511 /*NOTREACHED*/
2515 2512 }
2516 2513 }
2517 2514
2518 2515 if (!force) {
2519 2516 printf(gettext("Deleting KDC database of '%s', are you sure?\n"), global_params.realm);
2520 2517 printf(gettext("(type 'yes' to confirm)? "));
2521 2518 if (fgets(buf, sizeof(buf), stdin) == NULL) {
2522 2519 exit_status++;
2523 2520 return;
2524 2521 }
2525 2522 if (strcmp(buf, yes)) {
2526 2523 exit_status++;
2527 2524 return;
2528 2525 }
2529 2526 printf(gettext("OK, deleting database of '%s'...\n"), global_params.realm);
2530 2527 }
2531 2528
2532 2529 dal_handle = (kdb5_dal_handle *)util_context->db_context;
2533 2530 ldap_context = (krb5_ldap_context *) dal_handle->db_context;
2534 2531 if (!(ldap_context)) {
2535 2532 /* Solaris Kerberos */
2536 2533 com_err(progname, EINVAL, gettext("while initializing database"));
2537 2534 exit_status++;
2538 2535 return;
2539 2536 }
2540 2537
2541 2538 /* Read the kerberos container from the LDAP Server */
2542 2539 if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
2543 2540 &(ldap_context->krbcontainer))) != 0) {
2544 2541 /* Solaris Kerberos */
2545 2542 com_err(progname, retval, gettext("while reading kerberos container information"));
2546 2543 exit_status++;
2547 2544 return;
2548 2545 }
2549 2546
2550 2547 /* Read the Realm information from the LDAP Server */
2551 2548 if ((retval = krb5_ldap_read_realm_params(util_context, global_params.realm,
2552 2549 &(ldap_context->lrparams), &mask)) != 0) {
2553 2550 /* Solaris Kerberos */
2554 2551 com_err(progname, retval, gettext("while reading realm information"));
2555 2552 exit_status++;
2556 2553 return;
2557 2554 }
2558 2555
2559 2556 #ifdef HAVE_EDIRECTORY
2560 2557 if ((mask & LDAP_REALM_KDCSERVERS) || (mask & LDAP_REALM_ADMINSERVERS) ||
2561 2558 (mask & LDAP_REALM_PASSWDSERVERS)) {
2562 2559
2563 2560 printf(gettext("Changing rights for the service object. Please wait ... "));
2564 2561 fflush(stdout);
2565 2562
2566 2563 rparams = ldap_context->lrparams;
2567 2564 rightsmask = 0;
2568 2565 rightsmask |= LDAP_REALM_RIGHTS;
2569 2566 rightsmask |= LDAP_SUBTREE_RIGHTS;
2570 2567 if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
2571 2568 for (i=0; (rparams->kdcservers[i] != NULL); i++) {
2572 2569 if ((retval = krb5_ldap_delete_service_rights(util_context,
2573 2570 LDAP_KDC_SERVICE, rparams->kdcservers[i],
2574 2571 rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
2575 2572 printf(gettext("failed\n"));
2576 2573 /* Solaris Kerberos */
2577 2574 com_err(progname, retval, gettext("while assigning rights to '%s'"),
2578 2575 rparams->realm_name);
2579 2576 return;
2580 2577 }
2581 2578 }
2582 2579 }
2583 2580 rightsmask = 0;
2584 2581 rightsmask |= LDAP_REALM_RIGHTS;
2585 2582 rightsmask |= LDAP_SUBTREE_RIGHTS;
2586 2583 if ((rparams != NULL) && (rparams->adminservers != NULL)) {
2587 2584 for (i=0; (rparams->adminservers[i] != NULL); i++) {
2588 2585 if ((retval = krb5_ldap_delete_service_rights(util_context,
2589 2586 LDAP_ADMIN_SERVICE, rparams->adminservers[i],
2590 2587 rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
2591 2588 printf(gettext("failed\n"));
2592 2589 /* Solaris Kerberos */
2593 2590 com_err(progname, retval, gettext("while assigning rights to '%s'"),
2594 2591 rparams->realm_name);
2595 2592 return;
2596 2593 }
2597 2594 }
2598 2595 }
2599 2596 rightsmask = 0;
2600 2597 rightsmask |= LDAP_REALM_RIGHTS;
2601 2598 rightsmask |= LDAP_SUBTREE_RIGHTS;
2602 2599 if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
2603 2600 for (i=0; (rparams->passwdservers[i] != NULL); i++) {
2604 2601 if ((retval = krb5_ldap_delete_service_rights(util_context,
2605 2602 LDAP_PASSWD_SERVICE, rparams->passwdservers[i],
2606 2603 rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
2607 2604 printf(gettext("failed\n"));
2608 2605 /* Solaris Kerberos */
2609 2606 com_err(progname, retval, gettext("while assigning rights to '%s'"),
2610 2607 rparams->realm_name);
2611 2608 return;
2612 2609 }
2613 2610 }
2614 2611 }
2615 2612 printf(gettext("done\n"));
2616 2613 }
2617 2614 #endif
2618 2615 /* Delete the realm container and all the associated principals */
2619 2616 retval = krb5_ldap_delete_realm(util_context, global_params.realm);
2620 2617 if (retval) {
2621 2618 /* Solaris Kerberos */
2622 2619 com_err(progname, retval, gettext("deleting database of '%s'"), global_params.realm);
2623 2620 exit_status++;
2624 2621 return;
2625 2622 }
2626 2623
2627 2624 /*
2628 2625 * Solaris Kerberos: check for a stash file and delete it if necessary
2629 2626 * This behavior exists in the Solaris version of kdb5_util destroy.
2630 2627 */
2631 2628 if (global_params.stash_file == NULL) {
2632 2629 char stashbuf[MAXPATHLEN+1];
2633 2630 int realm_len = strlen(global_params.realm);
2634 2631
2635 2632 (void) strlcpy(stashbuf, DEFAULT_KEYFILE_STUB, sizeof (stashbuf));
2636 2633
2637 2634 if (realm_len <= (MAXPATHLEN-strlen(stashbuf))) {
2638 2635 (void) strncat(stashbuf, global_params.realm,
2639 2636 (MAXPATHLEN-strlen(stashbuf)));
2640 2637 } else {
2641 2638 /* Solaris Kerberos */
2642 2639 com_err(progname, EINVAL,
2643 2640 gettext("can not determine stash file name for '%s'"),
2644 2641 global_params.realm);
2645 2642 exit_status++;
2646 2643 return;
2647 2644 }
2648 2645 stash_file = stashbuf;
2649 2646 } else {
2650 2647 stash_file = global_params.stash_file;
2651 2648 }
2652 2649 /* Make sure stash_file is a regular file before unlinking */
2653 2650 if (stat(stash_file, &stb) == 0) {
2654 2651 if ((stb.st_mode & S_IFMT) == S_IFREG) {
2655 2652 (void)unlink(stash_file);
2656 2653 } else {
2657 2654 /* Solaris Kerberos */
2658 2655 com_err(progname, EINVAL,
2659 2656 gettext("stash file '%s' not a regular file, can not delete"),
2660 2657 stash_file);
2661 2658 exit_status++;
2662 2659 return;
2663 2660 }
2664 2661 } else if (errno != ENOENT) {
2665 2662 /*
2666 2663 * If the error is something other than the file doesn't exist set an
2667 2664 * error.
2668 2665 */
2669 2666 /* Solaris Kerberos */
2670 2667 com_err(progname, EINVAL,
2671 2668 gettext("could not stat stash file '%s', could not delete"),
2672 2669 stash_file);
2673 2670 exit_status++;
2674 2671 return;
2675 2672 }
2676 2673
2677 2674 printf(gettext("** Database of '%s' destroyed.\n"), global_params.realm);
2678 2675
2679 2676 return;
2680 2677 }
|
↓ open down ↓ |
2362 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX