Print this page
8485 Remove set but unused variables in usr/src/cmd
Split |
Close |
Expand all |
Collapse all |
--- old/usr/src/cmd/krb5/ldap_util/kdb5_ldap_realm.c
+++ new/usr/src/cmd/krb5/ldap_util/kdb5_ldap_realm.c
1 1 /*
2 + * Copyright 2017 Gary Mills
2 3 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
3 4 * Use is subject to license terms.
4 5 */
5 6
6 7 /*
7 8 * kadmin/ldap_util/kdb5_ldap_realm.c
8 9 *
9 10 * Copyright 1990,1991,2001, 2002 by the Massachusetts Institute of Technology.
10 11 * All Rights Reserved.
11 12 *
12 13 * Export of this software from the United States of America may
13 14 * require a specific license from the United States Government.
14 15 * It is the responsibility of any person or organization contemplating
15 16 * export to obtain such a license before exporting.
16 17 *
17 18 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
18 19 * distribute this software and its documentation for any purpose and
19 20 * without fee is hereby granted, provided that the above copyright
20 21 * notice appear in all copies and that both that copyright notice and
21 22 * this permission notice appear in supporting documentation, and that
22 23 * the name of M.I.T. not be used in advertising or publicity pertaining
23 24 * to distribution of the software without specific, written prior
24 25 * permission. Furthermore if you modify this software you must label
25 26 * your software as modified software and not distribute it in such a
26 27 * fashion that it might be confused with the original M.I.T. software.
27 28 * M.I.T. makes no representations about the suitability of
28 29 * this software for any purpose. It is provided "as is" without express
29 30 * or implied warranty.
30 31 */
31 32
32 33 /*
33 34 * Copyright (C) 1998 by the FundsXpress, INC.
34 35 *
35 36 * All rights reserved.
36 37 *
37 38 * Export of this software from the United States of America may require
38 39 * a specific license from the United States Government. It is the
39 40 * responsibility of any person or organization contemplating export to
40 41 * obtain such a license before exporting.
41 42 *
42 43 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
43 44 * distribute this software and its documentation for any purpose and
44 45 * without fee is hereby granted, provided that the above copyright
45 46 * notice appear in all copies and that both that copyright notice and
46 47 * this permission notice appear in supporting documentation, and that
47 48 * the name of FundsXpress. not be used in advertising or publicity pertaining
48 49 * to distribution of the software without specific, written prior
49 50 * permission. FundsXpress makes no representations about the suitability of
50 51 * this software for any purpose. It is provided "as is" without express
51 52 * or implied warranty.
52 53 *
53 54 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
54 55 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
55 56 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
56 57 */
57 58
58 59 /* Copyright (c) 2004-2005, Novell, Inc.
59 60 * All rights reserved.
60 61 *
61 62 * Redistribution and use in source and binary forms, with or without
62 63 * modification, are permitted provided that the following conditions are met:
63 64 *
64 65 * * Redistributions of source code must retain the above copyright notice,
65 66 * this list of conditions and the following disclaimer.
66 67 * * Redistributions in binary form must reproduce the above copyright
67 68 * notice, this list of conditions and the following disclaimer in the
68 69 * documentation and/or other materials provided with the distribution.
69 70 * * The copyright holder's name is not used to endorse or promote products
70 71 * derived from this software without specific prior written permission.
71 72 *
72 73 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
73 74 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
74 75 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
75 76 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
76 77 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
77 78 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
78 79 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
79 80 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
80 81 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
81 82 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
82 83 * POSSIBILITY OF SUCH DAMAGE.
83 84 */
84 85
85 86 /*
86 87 * Create / Modify / Destroy / View / List realm(s)
87 88 */
88 89
89 90 /* Needed for getting the definition of KRB5_TL_DB_ARGS */
90 91 #define SECURID
91 92
92 93 #include <stdio.h>
93 94 #include <k5-int.h>
94 95 #include <kadm5/admin.h>
95 96 #include <libintl.h>
96 97 #include <locale.h>
97 98 #include "kdb5_ldap_util.h"
98 99 #include "kdb5_ldap_list.h"
99 100 #include <ldap_principal.h>
100 101 #include <ldap_krbcontainer.h>
101 102 extern time_t get_date(char *); /* kadmin/cli/getdate.o */
102 103
103 104 char *yes = "yes\n"; /* \n to compare against result of fgets */
104 105 krb5_key_salt_tuple def_kslist = {ENCTYPE_DES_CBC_CRC, KRB5_KDB_SALTTYPE_NORMAL};
105 106
106 107 struct realm_info rblock = {
107 108 KRB5_KDB_MAX_LIFE,
108 109 KRB5_KDB_MAX_RLIFE,
109 110 KRB5_KDB_EXPIRATION,
110 111 KRB5_KDB_DEF_FLAGS,
111 112 (krb5_keyblock *) NULL,
112 113 1,
113 114 &def_kslist
114 115 };
115 116
116 117 krb5_data tgt_princ_entries[] = {
117 118 {0, KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME},
118 119 {0, 0, 0} };
119 120
120 121 krb5_data db_creator_entries[] = {
121 122 {0, sizeof("db_creation")-1, "db_creation"} };
122 123
123 124
124 125 static krb5_principal_data db_create_princ = {
125 126 0, /* magic number */
126 127 {0, 0, 0}, /* krb5_data realm */
127 128 db_creator_entries, /* krb5_data *data */
128 129 1, /* int length */
129 130 KRB5_NT_SRV_INST /* int type */
130 131 };
131 132
132 133 extern char *mkey_password;
133 134 extern char *progname;
134 135 extern kadm5_config_params global_params;
135 136
136 137 static void print_realm_params(krb5_ldap_realm_params *rparams, int mask);
137 138 static int kdb_ldap_create_principal (krb5_context context, krb5_principal
138 139 princ, enum ap_op op, struct realm_info *pblock);
139 140
140 141
141 142 static char *strdur(time_t duration);
142 143 static int get_ticket_policy(krb5_ldap_realm_params *rparams, int *i, char *argv[],int argc);
143 144 static krb5_error_code krb5_dbe_update_mod_princ_data_new (krb5_context context, krb5_db_entry *entry, krb5_timestamp mod_date, krb5_const_principal mod_princ);
144 145 static krb5_error_code krb5_dbe_update_tl_data_new ( krb5_context context, krb5_db_entry *entry, krb5_tl_data *new_tl_data);
145 146
146 147 #define ADMIN_LIFETIME 60*60*3 /* 3 hours */
147 148 #define CHANGEPW_LIFETIME 60*5 /* 5 minutes */
148 149
↓ open down ↓ |
137 lines elided |
↑ open up ↑ |
149 150 static int get_ticket_policy(rparams,i,argv,argc)
150 151 krb5_ldap_realm_params *rparams;
151 152 int *i;
152 153 char *argv[];
153 154 int argc;
154 155 {
155 156 time_t date;
156 157 time_t now;
157 158 int mask = 0;
158 159 krb5_error_code retval = 0;
159 - krb5_boolean no_msg = FALSE;
160 160
161 - krb5_boolean print_usage = FALSE;
162 161 /* Solaris Kerberos */
163 162 char *me = progname;
164 163
165 164 time(&now);
166 165 if (!strcmp(argv[*i], "-maxtktlife")) {
167 166 if (++(*i) > argc-1)
168 - goto err_usage;
167 + goto err;
169 168 date = get_date(argv[*i]);
170 169 if (date == (time_t)(-1)) {
171 170 retval = EINVAL;
172 171 com_err (me, retval, gettext("while providing time specification"));
173 - goto err_nomsg;
172 + goto err;
174 173 }
175 174 rparams->max_life = date-now;
176 175 mask |= LDAP_REALM_MAXTICKETLIFE;
177 176 }
178 177
179 178
180 179 else if (!strcmp(argv[*i], "-maxrenewlife")) {
181 180 if (++(*i) > argc-1)
182 - goto err_usage;
181 + goto err;
183 182
184 183 date = get_date(argv[*i]);
185 184 if (date == (time_t)(-1)) {
186 185 retval = EINVAL;
187 186 com_err (me, retval, gettext("while providing time specification"));
188 - goto err_nomsg;
187 + goto err;
189 188 }
190 189 rparams->max_renewable_life = date-now;
191 190 mask |= LDAP_REALM_MAXRENEWLIFE;
192 191 } else if (!strcmp((argv[*i] + 1), "allow_postdated")) {
193 192 if (*(argv[*i]) == '+')
194 193 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED);
195 194 else if (*(argv[*i]) == '-')
196 195 rparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED;
197 196 else
198 - goto err_usage;
197 + goto err;
199 198
200 199 mask |= LDAP_REALM_KRBTICKETFLAGS;
201 200 } else if (!strcmp((argv[*i] + 1), "allow_forwardable")) {
202 201 if (*(argv[*i]) == '+')
203 202 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE);
204 203
205 204 else if (*(argv[*i]) == '-')
206 205 rparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE;
207 206 else
208 - goto err_usage;
207 + goto err;
209 208
210 209 mask |= LDAP_REALM_KRBTICKETFLAGS;
211 210 } else if (!strcmp((argv[*i] + 1), "allow_renewable")) {
212 211 if (*(argv[*i]) == '+')
213 212 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE);
214 213 else if (*(argv[*i]) == '-')
215 214 rparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE;
216 215 else
217 - goto err_usage;
216 + goto err;
218 217
219 218 mask |= LDAP_REALM_KRBTICKETFLAGS;
220 219 } else if (!strcmp((argv[*i] + 1), "allow_proxiable")) {
221 220 if (*(argv[*i]) == '+')
222 221 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE);
223 222 else if (*(argv[*i]) == '-')
224 223 rparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE;
225 224 else
226 - goto err_usage;
225 + goto err;
227 226
228 227 mask |= LDAP_REALM_KRBTICKETFLAGS;
229 228 } else if (!strcmp((argv[*i] + 1), "allow_dup_skey")) {
230 229 if (*(argv[*i]) == '+')
231 230 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY);
232 231 else if (*(argv[*i]) == '-')
233 232 rparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY;
234 233 else
235 - goto err_usage;
234 + goto err;
236 235
237 236 mask |= LDAP_REALM_KRBTICKETFLAGS;
238 237 }
239 238
240 239 else if (!strcmp((argv[*i] + 1), "requires_preauth")) {
241 240 if (*(argv[*i]) == '+')
242 241 rparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH;
243 242 else if (*(argv[*i]) == '-')
244 243 rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH);
245 244 else
246 - goto err_usage;
245 + goto err;
247 246
248 247 mask |= LDAP_REALM_KRBTICKETFLAGS;
249 248 } else if (!strcmp((argv[*i] + 1), "requires_hwauth")) {
250 249 if (*(argv[*i]) == '+')
251 250 rparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH;
252 251 else if (*(argv[*i]) == '-')
253 252 rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH);
254 253 else
255 - goto err_usage;
254 + goto err;
256 255
257 256 mask |= LDAP_REALM_KRBTICKETFLAGS;
258 257 } else if (!strcmp((argv[*i] + 1), "allow_svr")) {
259 258 if (*(argv[*i]) == '+')
260 259 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR);
261 260 else if (*(argv[*i]) == '-')
262 261 rparams->tktflags |= KRB5_KDB_DISALLOW_SVR;
263 262 else
264 - goto err_usage;
263 + goto err;
265 264
266 265 mask |= LDAP_REALM_KRBTICKETFLAGS;
267 266 } else if (!strcmp((argv[*i] + 1), "allow_tgs_req")) {
268 267 if (*(argv[*i]) == '+')
269 268 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED);
270 269 else if (*(argv[*i]) == '-')
271 270 rparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED;
272 271 else
273 - goto err_usage;
272 + goto err;
274 273
275 274 mask |= LDAP_REALM_KRBTICKETFLAGS;
276 275 } else if (!strcmp((argv[*i] + 1), "allow_tix")) {
277 276 if (*(argv[*i]) == '+')
278 277 rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX);
279 278 else if (*(argv[*i]) == '-')
280 279 rparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX;
281 280 else
282 - goto err_usage;
281 + goto err;
283 282
284 283 mask |= LDAP_REALM_KRBTICKETFLAGS;
285 284 } else if (!strcmp((argv[*i] + 1), "needchange")) {
286 285 if (*(argv[*i]) == '+')
287 286 rparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE;
288 287 else if (*(argv[*i]) == '-')
289 288 rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE);
290 289 else
291 - goto err_usage;
290 + goto err;
292 291
293 292 mask |= LDAP_REALM_KRBTICKETFLAGS;
294 293 } else if (!strcmp((argv[*i] + 1), "password_changing_service")) {
295 294 if (*(argv[*i]) == '+')
296 295 rparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE;
297 296 else if (*(argv[*i]) == '-')
298 297 rparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE);
299 298 else
300 - goto err_usage;
299 + goto err;
301 300
302 301 mask |=LDAP_REALM_KRBTICKETFLAGS;
303 302 }
304 -err_usage:
305 - print_usage = TRUE;
306 303
307 -err_nomsg:
308 - no_msg = TRUE;
304 +err:
309 305
310 306 return mask;
311 307 }
312 308
313 309 /*
314 310 * This function will create a realm on the LDAP Server, with
315 311 * the specified attributes.
316 312 */
317 313 void kdb5_ldap_create(argc, argv)
318 314 int argc;
319 315 char *argv[];
320 316 {
321 317 krb5_error_code retval = 0;
322 318 krb5_keyblock master_keyblock;
323 319 krb5_ldap_realm_params *rparams = NULL;
324 320 krb5_principal master_princ = NULL;
325 321 kdb5_dal_handle *dal_handle = NULL;
326 322 krb5_ldap_context *ldap_context=NULL;
327 323 krb5_boolean realm_obj_created = FALSE;
328 324 krb5_boolean create_complete = FALSE;
329 325 krb5_boolean print_usage = FALSE;
330 326 krb5_boolean no_msg = FALSE;
331 327 char *oldcontainerref=NULL;
332 328 char pw_str[1024];
333 329 int do_stash = 0;
334 330 int i = 0;
335 331 int mask = 0, ret_mask = 0;
336 332 char **list = NULL;
337 333 #ifdef HAVE_EDIRECTORY
338 334 int rightsmask = 0;
339 335 #endif
340 336
341 337 memset(&master_keyblock, 0, sizeof(master_keyblock));
342 338
343 339 rparams = (krb5_ldap_realm_params *)malloc(
344 340 sizeof(krb5_ldap_realm_params));
345 341 if (rparams == NULL) {
346 342 retval = ENOMEM;
347 343 goto cleanup;
348 344 }
349 345 memset(rparams, 0, sizeof(krb5_ldap_realm_params));
350 346
351 347 /* Parse the arguments */
352 348 for (i = 1; i < argc; i++) {
353 349 if (!strcmp(argv[i], "-subtrees")) {
354 350 if (++i > argc-1)
355 351 goto err_usage;
356 352
357 353 if(strncmp(argv[i], "", strlen(argv[i]))!=0) {
358 354 list = (char **) calloc(MAX_LIST_ENTRIES, sizeof(char *));
359 355 if (list == NULL) {
360 356 retval = ENOMEM;
361 357 goto cleanup;
362 358 }
363 359 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
364 360 free(list);
365 361 list = NULL;
366 362 goto cleanup;
367 363 }
368 364
369 365 rparams->subtreecount=0;
370 366 while(list[rparams->subtreecount]!=NULL)
371 367 (rparams->subtreecount)++;
372 368 rparams->subtree = list;
373 369 } else if(strncmp(argv[i], "", strlen(argv[i]))==0) {
374 370 /* dont allow subtree value to be set at the root(NULL, "") of the tree */
375 371 /* Solaris Kerberos */
376 372 com_err(progname, EINVAL,
377 373 gettext("for subtree while creating realm '%s'"),
378 374 global_params.realm);
379 375 goto err_nomsg;
380 376 }
381 377 rparams->subtree[rparams->subtreecount] = NULL;
382 378 mask |= LDAP_REALM_SUBTREE;
383 379 } else if (!strcmp(argv[i], "-containerref")) {
384 380 if (++i > argc-1)
385 381 goto err_usage;
386 382 if(strncmp(argv[i], "", strlen(argv[i]))==0) {
387 383 /* dont allow containerref value to be set at the root(NULL, "") of the tree */
388 384 /* Solaris Kerberos */
389 385 com_err(progname, EINVAL,
390 386 gettext("for container reference while creating realm '%s'"),
391 387 global_params.realm);
392 388 goto err_nomsg;
393 389 }
394 390 rparams->containerref = strdup(argv[i]);
395 391 if (rparams->containerref == NULL) {
396 392 retval = ENOMEM;
397 393 goto cleanup;
398 394 }
399 395 mask |= LDAP_REALM_CONTREF;
400 396 } else if (!strcmp(argv[i], "-sscope")) {
401 397 if (++i > argc-1)
402 398 goto err_usage;
403 399 /* Possible values for search scope are
404 400 * one (or 1) and sub (or 2)
405 401 */
406 402 if (!strcasecmp(argv[i], "one")) {
407 403 rparams->search_scope = 1;
408 404 } else if (!strcasecmp(argv[i], "sub")) {
409 405 rparams->search_scope = 2;
410 406 } else {
411 407 rparams->search_scope = atoi(argv[i]);
412 408 if ((rparams->search_scope != 1) &&
413 409 (rparams->search_scope != 2)) {
414 410 /* Solaris Kerberos */
415 411 com_err(progname, EINVAL,
416 412 gettext("invalid search scope while creating realm '%s'"),
417 413 global_params.realm);
418 414 goto err_nomsg;
419 415 }
420 416 }
421 417 mask |= LDAP_REALM_SEARCHSCOPE;
422 418 }
423 419 #ifdef HAVE_EDIRECTORY
424 420 else if (!strcmp(argv[i], "-kdcdn")) {
425 421 if (++i > argc-1)
426 422 goto err_usage;
427 423 rparams->kdcservers = (char **)malloc(
428 424 sizeof(char *) * MAX_LIST_ENTRIES);
429 425 if (rparams->kdcservers == NULL) {
430 426 retval = ENOMEM;
431 427 goto cleanup;
432 428 }
433 429 memset(rparams->kdcservers, 0, sizeof(char*)*MAX_LIST_ENTRIES);
434 430 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
435 431 rparams->kdcservers))) {
436 432 goto cleanup;
437 433 }
438 434 mask |= LDAP_REALM_KDCSERVERS;
439 435 } else if (!strcmp(argv[i], "-admindn")) {
440 436 if (++i > argc-1)
441 437 goto err_usage;
442 438 rparams->adminservers = (char **)malloc(
443 439 sizeof(char *) * MAX_LIST_ENTRIES);
444 440 if (rparams->adminservers == NULL) {
445 441 retval = ENOMEM;
446 442 goto cleanup;
447 443 }
448 444 memset(rparams->adminservers, 0, sizeof(char*)*MAX_LIST_ENTRIES);
449 445 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
450 446 rparams->adminservers))) {
451 447 goto cleanup;
452 448 }
453 449 mask |= LDAP_REALM_ADMINSERVERS;
454 450 } else if (!strcmp(argv[i], "-pwddn")) {
455 451 if (++i > argc-1)
456 452 goto err_usage;
457 453 rparams->passwdservers = (char **)malloc(
458 454 sizeof(char *) * MAX_LIST_ENTRIES);
459 455 if (rparams->passwdservers == NULL) {
460 456 retval = ENOMEM;
461 457 goto cleanup;
462 458 }
463 459 memset(rparams->passwdservers, 0, sizeof(char*)*MAX_LIST_ENTRIES);
464 460 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
465 461 rparams->passwdservers))) {
466 462 goto cleanup;
467 463 }
468 464 mask |= LDAP_REALM_PASSWDSERVERS;
469 465 }
470 466 #endif
471 467 else if (!strcmp(argv[i], "-s")) {
472 468 do_stash = 1;
473 469 } else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0) {
474 470 mask|=ret_mask;
475 471 }
476 472
477 473 else {
478 474 printf(gettext("'%s' is an invalid option\n"), argv[i]);
479 475 goto err_usage;
480 476 }
481 477 }
482 478
483 479 /* If the default enctype/salttype is not provided, use the
484 480 * default values and also add to the list of supported
485 481 * enctypes/salttype
486 482 */
487 483
488 484 rblock.max_life = global_params.max_life;
489 485 rblock.max_rlife = global_params.max_rlife;
490 486 rblock.expiration = global_params.expiration;
491 487 rblock.flags = global_params.flags;
492 488 rblock.nkslist = global_params.num_keysalts;
493 489 rblock.kslist = global_params.keysalts;
494 490
495 491 krb5_princ_set_realm_data(util_context, &db_create_princ, global_params.realm);
496 492 krb5_princ_set_realm_length(util_context, &db_create_princ, strlen(global_params.realm));
497 493
498 494 printf(gettext("Initializing database for realm '%s'\n"), global_params.realm);
499 495
500 496 if (!mkey_password) {
501 497 unsigned int pw_size;
502 498 printf(gettext("You will be prompted for the database Master Password.\n"));
503 499 printf(gettext("It is important that you NOT FORGET this password.\n"));
504 500 fflush(stdout);
505 501
506 502 pw_size = sizeof (pw_str);
507 503 memset(pw_str, 0, pw_size);
508 504
509 505 retval = krb5_read_password(util_context, KRB5_KDC_MKEY_1, KRB5_KDC_MKEY_2,
510 506 pw_str, &pw_size);
511 507 if (retval) {
512 508 /* Solaris Kerberos */
513 509 com_err(progname, retval, gettext("while reading master key from keyboard"));
514 510 goto err_nomsg;
515 511 }
516 512 mkey_password = pw_str;
517 513 }
518 514
519 515 rparams->mkey.enctype = global_params.enctype;
520 516 /* We are sure that 'mkey_password' is a regular string ... */
521 517 rparams->mkey.length = strlen(mkey_password) + 1;
522 518 rparams->mkey.contents = (krb5_octet *)strdup(mkey_password);
523 519 if (rparams->mkey.contents == NULL) {
524 520 retval = ENOMEM;
525 521 goto cleanup;
526 522 }
527 523
528 524 rparams->realm_name = strdup(global_params.realm);
529 525 if (rparams->realm_name == NULL) {
530 526 retval = ENOMEM;
531 527 /* Solaris Kerberos */
532 528 com_err(progname, ENOMEM, gettext("while creating realm '%s'"),
533 529 global_params.realm);
534 530 goto err_nomsg;
535 531 }
536 532
537 533 dal_handle = (kdb5_dal_handle *) util_context->db_context;
538 534 ldap_context = (krb5_ldap_context *) dal_handle->db_context;
539 535 if (!ldap_context) {
540 536 retval = EINVAL;
541 537 goto cleanup;
542 538 }
543 539
544 540 /* read the kerberos container */
545 541 if ((retval=krb5_ldap_read_krbcontainer_params (util_context,
546 542 &(ldap_context->krbcontainer))) == KRB5_KDB_NOENTRY) {
547 543 /* Prompt the user for entering the DN of Kerberos container */
548 544 char krb_location[MAX_KRB_CONTAINER_LEN];
549 545 krb5_ldap_krbcontainer_params kparams;
550 546 int krb_location_len = 0;
551 547 memset(&kparams, 0, sizeof(kparams));
552 548
553 549 /* Read the kerberos container location from configuration file */
554 550 if (ldap_context->conf_section) {
555 551 if ((retval=profile_get_string(util_context->profile,
556 552 KDB_MODULE_SECTION, ldap_context->conf_section,
557 553 "ldap_kerberos_container_dn", NULL,
558 554 &kparams.DN)) != 0) {
559 555 goto cleanup;
560 556 }
561 557 }
562 558 if (kparams.DN == NULL) {
563 559 if ((retval=profile_get_string(util_context->profile,
564 560 KDB_MODULE_DEF_SECTION,
565 561 "ldap_kerberos_container_dn", NULL,
566 562 NULL, &kparams.DN)) != 0) {
567 563 goto cleanup;
568 564 }
569 565 }
570 566
571 567 printf(gettext("\nKerberos container is missing. Creating now...\n"));
572 568 if (kparams.DN == NULL) {
573 569 #ifdef HAVE_EDIRECTORY
574 570 printf(gettext("Enter DN of Kerberos container [cn=Kerberos,cn=Security]: "));
575 571 #else
576 572 printf(gettext("Enter DN of Kerberos container: "));
577 573 #endif
578 574 if (fgets(krb_location, MAX_KRB_CONTAINER_LEN, stdin) != NULL) {
579 575 /* Remove the newline character at the end */
580 576 krb_location_len = strlen(krb_location);
581 577 if ((krb_location[krb_location_len - 1] == '\n') ||
582 578 (krb_location[krb_location_len - 1] == '\r')) {
583 579 krb_location[krb_location_len - 1] = '\0';
584 580 krb_location_len--;
585 581 }
586 582 /* If the user has not given any input, take the default location */
587 583 else if (krb_location[0] == '\0')
588 584 kparams.DN = NULL;
589 585 else
590 586 kparams.DN = krb_location;
591 587 } else
592 588 kparams.DN = NULL;
593 589 }
594 590
595 591 /* create the kerberos container */
596 592 retval = krb5_ldap_create_krbcontainer(util_context,
597 593 ((kparams.DN != NULL) ? &kparams : NULL));
598 594 if (retval)
599 595 goto cleanup;
600 596
601 597 retval = krb5_ldap_read_krbcontainer_params(util_context,
602 598 &(ldap_context->krbcontainer));
603 599 if (retval) {
604 600 /* Solaris Kerberos */
605 601 com_err(progname, retval, gettext("while reading kerberos container information"));
606 602 goto cleanup;
607 603 }
608 604 } else if (retval) {
609 605 /* Solaris Kerberos */
610 606 com_err(progname, retval, gettext("while reading kerberos container information"));
611 607 goto cleanup;
612 608 }
613 609
614 610 if ((retval = krb5_ldap_create_realm(util_context,
615 611 /* global_params.realm, */ rparams, mask))) {
616 612 goto cleanup;
617 613 }
618 614
619 615 /* We just created the Realm container. Here starts our transaction tracking */
620 616 realm_obj_created = TRUE;
621 617
622 618 if ((retval = krb5_ldap_read_realm_params(util_context,
623 619 global_params.realm,
624 620 &(ldap_context->lrparams),
625 621 &mask))) {
626 622 /* Solaris Kerberos */
627 623 com_err(progname, retval, gettext("while reading information of realm '%s'"),
628 624 global_params.realm);
629 625 goto err_nomsg;
630 626 }
631 627 ldap_context->lrparams->realm_name = strdup(global_params.realm);
632 628 if (ldap_context->lrparams->realm_name == NULL) {
633 629 retval = ENOMEM;
634 630 goto cleanup;
635 631 }
636 632
637 633 /* assemble & parse the master key name */
638 634 if ((retval = krb5_db_setup_mkey_name(util_context,
639 635 global_params.mkey_name,
640 636 global_params.realm,
641 637 0, &master_princ))) {
642 638 /* Solaris Kerberos */
643 639 com_err(progname, retval, gettext("while setting up master key name"));
644 640 goto err_nomsg;
645 641 }
646 642
647 643 /* Obtain master key from master password */
648 644 {
649 645 krb5_data master_salt, pwd;
650 646
651 647 pwd.data = mkey_password;
652 648 pwd.length = strlen(mkey_password);
653 649 retval = krb5_principal2salt(util_context, master_princ, &master_salt);
654 650 if (retval) {
655 651 /* Solaris Kerberos */
656 652 com_err(progname, retval, gettext("while calculating master key salt"));
657 653 goto err_nomsg;
658 654 }
659 655
660 656 retval = krb5_c_string_to_key(util_context, rparams->mkey.enctype,
661 657 &pwd, &master_salt, &master_keyblock);
662 658
663 659 if (master_salt.data)
664 660 free(master_salt.data);
665 661
666 662 if (retval) {
667 663 /* Solaris Kerberos */
668 664 com_err(progname, retval, gettext("while transforming master key from password"));
669 665 goto err_nomsg;
670 666 }
671 667
672 668 }
673 669
674 670 rblock.key = &master_keyblock;
675 671 ldap_context->lrparams->mkey = master_keyblock;
676 672 ldap_context->lrparams->mkey.contents = (krb5_octet *) malloc
677 673 (master_keyblock.length);
678 674 if (ldap_context->lrparams->mkey.contents == NULL) {
679 675 retval = ENOMEM;
680 676 goto cleanup;
681 677 }
682 678 memcpy (ldap_context->lrparams->mkey.contents, master_keyblock.contents,
683 679 master_keyblock.length);
684 680
685 681 /* Create special principals inside the realm subtree */
686 682 {
687 683 char princ_name[MAX_PRINC_SIZE];
688 684 krb5_principal_data tgt_princ = {
689 685 0, /* magic number */
690 686 {0, 0, 0}, /* krb5_data realm */
691 687 tgt_princ_entries, /* krb5_data *data */
692 688 2, /* int length */
693 689 KRB5_NT_SRV_INST /* int type */
694 690 };
695 691 krb5_principal p, temp_p=NULL;
696 692
697 693 krb5_princ_set_realm_data(util_context, &tgt_princ, global_params.realm);
698 694 krb5_princ_set_realm_length(util_context, &tgt_princ, strlen(global_params.realm));
699 695 krb5_princ_component(util_context, &tgt_princ,1)->data = global_params.realm;
700 696 krb5_princ_component(util_context, &tgt_princ,1)->length = strlen(global_params.realm);
701 697 /* The container reference value is set to NULL, to avoid service principals
702 698 * getting created within the container reference at realm creation */
703 699 if (ldap_context->lrparams->containerref != NULL) {
704 700 oldcontainerref = ldap_context->lrparams->containerref;
705 701 ldap_context->lrparams->containerref = NULL;
706 702 }
707 703
708 704 /* Create 'K/M' ... */
709 705 rblock.flags |= KRB5_KDB_DISALLOW_ALL_TIX;
710 706 if ((retval = kdb_ldap_create_principal(util_context, master_princ, MASTER_KEY, &rblock))) {
711 707 /* Solaris Kerberos */
712 708 com_err(progname, retval, gettext("while adding entries to the database"));
713 709 goto err_nomsg;
714 710 }
715 711
716 712 /* Create 'krbtgt' ... */
717 713 rblock.flags = 0; /* reset the flags */
718 714 if ((retval = kdb_ldap_create_principal(util_context, &tgt_princ, TGT_KEY, &rblock))) {
719 715 /* Solaris Kerberos */
720 716 com_err(progname, retval, gettext("while adding entries to the database"));
721 717 goto err_nomsg;
722 718 }
723 719 /*
724 720 * Solaris Kerberos:
725 721 * The kadmin/admin principal is unused on Solaris. This principal is used
726 722 * in AUTH_GSSAPI but Solaris doesn't support AUTH_GSSAPI. RPCSEC_GSS can only
727 723 * be used with host-based principals.
728 724 *
729 725 */
730 726 #if 0 /* ************ Begin IFDEF'ed OUT ***************************** */
731 727 /* Create 'kadmin/admin' ... */
732 728 snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_ADMIN_SERVICE, global_params.realm);
733 729 if ((retval = krb5_parse_name(util_context, princ_name, &p))) {
734 730 /* Solaris Kerberos */
735 731 com_err(progname, retval, gettext("while adding entries to the database"));
736 732 goto err_nomsg;
737 733 }
738 734 rblock.max_life = ADMIN_LIFETIME;
739 735 rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED;
740 736 if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) {
741 737 krb5_free_principal(util_context, p);
742 738 /* Solaris Kerberos */
743 739 com_err(progname, retval, gettext("while adding entries to the database"));
744 740 goto err_nomsg;
745 741 }
746 742 krb5_free_principal(util_context, p);
747 743 #endif /* ************** END IFDEF'ed OUT ***************************** */
748 744
749 745 /* Create 'kadmin/changepw' ... */
750 746 snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_CHANGEPW_SERVICE, global_params.realm);
751 747 if ((retval = krb5_parse_name(util_context, princ_name, &p))) {
752 748 /* Solaris Kerberos */
753 749 com_err(progname, retval, gettext("while adding entries to the database"));
754 750 goto err_nomsg;
755 751 }
756 752 rblock.max_life = CHANGEPW_LIFETIME;
757 753 rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED | KRB5_KDB_PWCHANGE_SERVICE;
758 754 if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) {
759 755 krb5_free_principal(util_context, p);
760 756 /* Solaris Kerberos */
761 757 com_err(progname, retval, gettext("while adding entries to the database"));
762 758 goto err_nomsg;
763 759 }
764 760 krb5_free_principal(util_context, p);
765 761
766 762 /* Create 'kadmin/history' ... */
767 763 snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_HIST_PRINCIPAL, global_params.realm);
768 764 if ((retval = krb5_parse_name(util_context, princ_name, &p))) {
769 765 /* Solaris Kerberos */
770 766 com_err(progname, retval, gettext("while adding entries to the database"));
771 767 goto err_nomsg;
772 768 }
773 769 rblock.max_life = global_params.max_life;
774 770 rblock.flags = 0;
775 771 if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) {
776 772 krb5_free_principal(util_context, p);
777 773 /* Solaris Kerberos */
778 774 com_err(progname, retval, gettext("while adding entries to the database"));
779 775 goto err_nomsg;
780 776 }
781 777 krb5_free_principal(util_context, p);
782 778
783 779 /* Create 'kadmin/<hostname>' ... */
784 780 if ((retval=krb5_sname_to_principal(util_context, NULL, KADM5_ADMIN_HOST_SERVICE, KRB5_NT_SRV_HST, &p))) {
785 781 /* Solaris Kerberos */
786 782 com_err(progname, retval, gettext("krb5_sname_to_principal, while adding entries to the database"));
787 783 goto err_nomsg;
788 784 }
789 785
790 786 if ((retval=krb5_copy_principal(util_context, p, &temp_p))) {
791 787 /* Solaris Kerberos */
792 788 com_err(progname, retval, gettext("krb5_copy_principal, while adding entries to the database"));
793 789 goto err_nomsg;
794 790 }
795 791
796 792 /* change the realm portion to the default realm */
797 793 free(temp_p->realm.data);
798 794 temp_p->realm.length = strlen(util_context->default_realm);
799 795 temp_p->realm.data = strdup(util_context->default_realm);
800 796 if (temp_p->realm.data == NULL) {
801 797 /* Solaris Kerberos */
802 798 com_err(progname, ENOMEM, gettext("while adding entries to the database"));
803 799 goto err_nomsg;
804 800 }
805 801
806 802 rblock.max_life = ADMIN_LIFETIME;
807 803 rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED;
808 804 if ((retval = kdb_ldap_create_principal(util_context, temp_p, TGT_KEY, &rblock))) {
809 805 krb5_free_principal(util_context, p);
810 806 /* Solaris Kerberos */
811 807 com_err(progname, retval, gettext("while adding entries to the database"));
812 808 goto err_nomsg;
813 809 }
814 810 krb5_free_principal(util_context, temp_p);
815 811 krb5_free_principal(util_context, p);
816 812
817 813 /* Solaris Kerberos: Create 'changepw/<hostname>' ... */
818 814 if ((retval=krb5_sname_to_principal(util_context, NULL, KADM5_CHANGEPW_HOST_SERVICE, KRB5_NT_SRV_HST, &p))) {
819 815 /* Solaris Kerberos */
820 816 com_err(progname, retval, gettext("krb5_sname_to_principal, while adding entries to the database"));
821 817 goto err_nomsg;
822 818 }
823 819
824 820 if ((retval=krb5_copy_principal(util_context, p, &temp_p))) {
825 821 /* Solaris Kerberos */
826 822 com_err(progname, retval, gettext("krb5_copy_principal, while adding entries to the database"));
827 823 goto err_nomsg;
828 824 }
829 825
830 826 /* change the realm portion to the default realm */
831 827 free(temp_p->realm.data);
832 828 temp_p->realm.length = strlen(util_context->default_realm);
833 829 temp_p->realm.data = strdup(util_context->default_realm);
834 830 if (temp_p->realm.data == NULL) {
835 831 /* Solaris Kerberos */
836 832 com_err(progname, ENOMEM, gettext("while adding entries to the database"));
837 833 goto err_nomsg;
838 834 }
839 835
840 836 rblock.max_life = ADMIN_LIFETIME;
841 837 rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED | KRB5_KDB_PWCHANGE_SERVICE;
842 838 if ((retval = kdb_ldap_create_principal(util_context, temp_p, TGT_KEY, &rblock))) {
843 839 krb5_free_principal(util_context, p);
844 840 /* Solaris Kerberos */
845 841 com_err(progname, retval, gettext("while adding entries to the database"));
846 842 goto err_nomsg;
847 843 }
848 844 krb5_free_principal(util_context, temp_p);
849 845 krb5_free_principal(util_context, p);
850 846
851 847 if (oldcontainerref != NULL) {
852 848 ldap_context->lrparams->containerref = oldcontainerref;
853 849 oldcontainerref=NULL;
854 850 }
855 851 }
856 852
857 853 #ifdef HAVE_EDIRECTORY
858 854 if ((mask & LDAP_REALM_KDCSERVERS) || (mask & LDAP_REALM_ADMINSERVERS) ||
859 855 (mask & LDAP_REALM_PASSWDSERVERS)) {
860 856
861 857 printf(gettext("Changing rights for the service object. Please wait ... "));
862 858 fflush(stdout);
863 859
864 860 rightsmask =0;
865 861 rightsmask |= LDAP_REALM_RIGHTS;
866 862 rightsmask |= LDAP_SUBTREE_RIGHTS;
867 863 if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
868 864 for (i=0; (rparams->kdcservers[i] != NULL); i++) {
869 865 if ((retval=krb5_ldap_add_service_rights(util_context,
870 866 LDAP_KDC_SERVICE, rparams->kdcservers[i],
871 867 rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
872 868 printf(gettext("failed\n"));
873 869 /* Solaris Kerberos */
874 870 com_err(progname, retval, gettext("while assigning rights to '%s'"),
875 871 rparams->realm_name);
876 872 goto err_nomsg;
877 873 }
878 874 }
879 875 }
880 876
881 877 rightsmask = 0;
882 878 rightsmask |= LDAP_REALM_RIGHTS;
883 879 rightsmask |= LDAP_SUBTREE_RIGHTS;
884 880 if ((rparams != NULL) && (rparams->adminservers != NULL)) {
885 881 for (i=0; (rparams->adminservers[i] != NULL); i++) {
886 882 if ((retval=krb5_ldap_add_service_rights(util_context,
887 883 LDAP_ADMIN_SERVICE, rparams->adminservers[i],
888 884 rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
889 885 printf(gettext("failed\n"));
890 886 /* Solaris Kerberos */
891 887 com_err(progname, retval, gettext("while assigning rights to '%s'"),
892 888 rparams->realm_name);
893 889 goto err_nomsg;
894 890 }
895 891 }
896 892 }
897 893
898 894 rightsmask = 0;
899 895 rightsmask |= LDAP_REALM_RIGHTS;
900 896 rightsmask |= LDAP_SUBTREE_RIGHTS;
901 897 if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
902 898 for (i=0; (rparams->passwdservers[i] != NULL); i++) {
903 899 if ((retval=krb5_ldap_add_service_rights(util_context,
904 900 LDAP_PASSWD_SERVICE, rparams->passwdservers[i],
905 901 rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
906 902 printf(gettext("failed\n"));
907 903 /* Solaris Kerberos */
908 904 com_err(progname, retval, gettext("while assigning rights to '%s'"),
909 905 rparams->realm_name);
910 906 goto err_nomsg;
911 907 }
912 908 }
913 909 }
914 910
915 911 printf(gettext("done\n"));
916 912 }
917 913 #endif
918 914 /* The Realm creation is completed. Here is the end of transaction */
919 915 create_complete = TRUE;
920 916
921 917 /* Stash the master key only if '-s' option is specified */
922 918 if (do_stash || global_params.mask & KADM5_CONFIG_STASH_FILE) {
923 919 retval = krb5_def_store_mkey(util_context,
924 920 global_params.stash_file,
925 921 master_princ,
926 922 &master_keyblock, NULL);
927 923 if (retval) {
928 924 /* Solaris Kerberos */
929 925 com_err(progname, errno, gettext("while storing key"));
930 926 printf(gettext("Warning: couldn't stash master key.\n"));
931 927 }
932 928 }
933 929
934 930 goto cleanup;
935 931
936 932
937 933 err_usage:
938 934 print_usage = TRUE;
939 935
940 936 err_nomsg:
941 937 no_msg = TRUE;
942 938
943 939 cleanup:
944 940 /* If the Realm creation is not complete, do the roll-back here */
945 941 if ((realm_obj_created) && (!create_complete))
946 942 krb5_ldap_delete_realm(util_context, global_params.realm);
947 943
948 944 if (rparams)
949 945 krb5_ldap_free_realm_params(rparams);
950 946
951 947 memset (pw_str, 0, sizeof (pw_str));
952 948
953 949 if (print_usage)
954 950 db_usage(CREATE_REALM);
955 951
956 952 if (retval) {
957 953 if (!no_msg) {
958 954 /* Solaris Kerberos */
959 955 com_err(progname, retval, gettext("while creating realm '%s'"),
960 956 global_params.realm);
961 957 }
962 958 exit_status++;
963 959 }
964 960
965 961 return;
966 962 }
967 963
968 964
969 965 /*
970 966 * This function will modify the attributes of a given realm object
971 967 */
972 968 void kdb5_ldap_modify(argc, argv)
973 969 int argc;
974 970 char *argv[];
975 971 {
976 972 krb5_error_code retval = 0;
977 973 krb5_ldap_realm_params *rparams = NULL;
978 974 krb5_boolean print_usage = FALSE;
979 975 krb5_boolean no_msg = FALSE;
980 976 kdb5_dal_handle *dal_handle = NULL;
981 977 krb5_ldap_context *ldap_context=NULL;
982 978 int i = 0;
983 979 int mask = 0, rmask = 0, ret_mask = 0;
984 980 char **slist = {NULL};
985 981 #ifdef HAVE_EDIRECTORY
986 982 int j = 0;
987 983 char *list[MAX_LIST_ENTRIES];
988 984 int existing_entries = 0, list_entries = 0;
989 985 int newkdcdn = 0, newadmindn = 0, newpwddn = 0;
990 986 char **tempstr = NULL;
991 987 char **oldkdcdns = NULL;
992 988 char **oldadmindns = NULL;
993 989 char **oldpwddns = NULL;
994 990 char **newkdcdns = NULL;
995 991 char **newsubtrees = NULL;
996 992 char **newadmindns = NULL;
997 993 char **newpwddns = NULL;
998 994 char **oldsubtrees = {NULL};
999 995 int rightsmask = 0;
1000 996 int subtree_changed = 0;
1001 997 #endif
1002 998
1003 999 dal_handle = (kdb5_dal_handle *) util_context->db_context;
1004 1000 ldap_context = (krb5_ldap_context *) dal_handle->db_context;
1005 1001 if (!(ldap_context)) {
1006 1002 retval = EINVAL;
1007 1003 goto cleanup;
1008 1004 }
1009 1005
1010 1006 if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
1011 1007 &(ldap_context->krbcontainer)))) {
1012 1008 /* Solaris Kerberos */
1013 1009 com_err(progname, retval, gettext("while reading Kerberos container information"));
1014 1010 goto err_nomsg;
1015 1011 }
1016 1012
1017 1013 retval = krb5_ldap_read_realm_params(util_context,
1018 1014 global_params.realm, &rparams, &rmask);
1019 1015 if (retval)
1020 1016 goto cleanup;
1021 1017 /* Parse the arguments */
1022 1018 for (i = 1; i < argc; i++) {
1023 1019 int k = 0;
1024 1020 if (!strcmp(argv[i], "-subtrees")) {
1025 1021 if (++i > argc-1)
1026 1022 goto err_usage;
1027 1023
1028 1024 if (rmask & LDAP_REALM_SUBTREE) {
1029 1025 if (rparams->subtree) {
1030 1026 #ifdef HAVE_EDIRECTORY
1031 1027 oldsubtrees = (char **) calloc(rparams->subtreecount+1, sizeof(char *));
1032 1028 if (oldsubtrees == NULL) {
1033 1029 retval = ENOMEM;
1034 1030 goto cleanup;
1035 1031 }
1036 1032 for(k=0; rparams->subtree[k]!=NULL && rparams->subtreecount; k++) {
1037 1033 oldsubtrees[k] = strdup(rparams->subtree[k]);
1038 1034 if( oldsubtrees[k] == NULL ) {
1039 1035 retval = ENOMEM;
1040 1036 goto cleanup;
1041 1037 }
1042 1038 }
1043 1039 #endif
1044 1040 for(k=0; k<rparams->subtreecount && rparams->subtree[k]; k++)
1045 1041 free(rparams->subtree[k]);
1046 1042 rparams->subtreecount=0;
1047 1043 }
1048 1044 }
1049 1045 if (strncmp(argv[i] ,"", strlen(argv[i]))!=0) {
1050 1046 slist = (char **) calloc(MAX_LIST_ENTRIES, sizeof(char *));
1051 1047 if (slist == NULL) {
1052 1048 retval = ENOMEM;
1053 1049 goto cleanup;
1054 1050 }
1055 1051 if (( retval = krb5_parse_list(argv[i], LIST_DELIMITER, slist))) {
1056 1052 free(slist);
1057 1053 slist = NULL;
1058 1054 goto cleanup;
1059 1055 }
1060 1056
1061 1057 rparams->subtreecount=0;
1062 1058 while(slist[rparams->subtreecount]!=NULL)
1063 1059 (rparams->subtreecount)++;
1064 1060 rparams->subtree = slist;
1065 1061 } else if(strncmp(argv[i], "", strlen(argv[i]))==0) {
1066 1062 /* dont allow subtree value to be set at the root(NULL, "") of the tree */
1067 1063 /* Solaris Kerberos */
1068 1064 com_err(progname, EINVAL,
1069 1065 gettext("for subtree while modifying realm '%s'"),
1070 1066 global_params.realm);
1071 1067 goto err_nomsg;
1072 1068 }
1073 1069 rparams->subtree[rparams->subtreecount] = NULL;
1074 1070 mask |= LDAP_REALM_SUBTREE;
1075 1071 } else if (!strncmp(argv[i], "-containerref", strlen(argv[i]))) {
1076 1072 if (++i > argc-1)
1077 1073 goto err_usage;
1078 1074 if(strncmp(argv[i], "", strlen(argv[i]))==0) {
1079 1075 /* dont allow containerref value to be set at the root(NULL, "") of the tree */
1080 1076 /* Solaris Kerberos */
1081 1077 com_err(progname, EINVAL,
1082 1078 gettext("for container reference while modifying realm '%s'"),
1083 1079 global_params.realm);
1084 1080 goto err_nomsg;
1085 1081 }
1086 1082 rparams->containerref = strdup(argv[i]);
1087 1083 if (rparams->containerref == NULL) {
1088 1084 retval = ENOMEM;
1089 1085 goto cleanup;
1090 1086 }
1091 1087 mask |= LDAP_REALM_CONTREF;
1092 1088 } else if (!strcmp(argv[i], "-sscope")) {
1093 1089 if (++i > argc-1)
1094 1090 goto err_usage;
1095 1091 /* Possible values for search scope are
1096 1092 * one (or 1) and sub (or 2)
1097 1093 */
1098 1094 if (strcasecmp(argv[i], "one") == 0) {
1099 1095 rparams->search_scope = 1;
1100 1096 } else if (strcasecmp(argv[i], "sub") == 0) {
1101 1097 rparams->search_scope = 2;
1102 1098 } else {
1103 1099 rparams->search_scope = atoi(argv[i]);
1104 1100 if ((rparams->search_scope != 1) &&
1105 1101 (rparams->search_scope != 2)) {
1106 1102 retval = EINVAL;
1107 1103 /* Solaris Kerberos */
1108 1104 com_err(progname, retval,
1109 1105 gettext("specified for search scope while modifying information of realm '%s'"),
1110 1106 global_params.realm);
1111 1107 goto err_nomsg;
1112 1108 }
1113 1109 }
1114 1110 mask |= LDAP_REALM_SEARCHSCOPE;
1115 1111 }
1116 1112 #ifdef HAVE_EDIRECTORY
1117 1113 else if (!strcmp(argv[i], "-kdcdn")) {
1118 1114 if (++i > argc-1)
1119 1115 goto err_usage;
1120 1116
1121 1117 if ((rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers)) {
1122 1118 if (!oldkdcdns) {
1123 1119 /* Store the old kdc dns list for removing rights */
1124 1120 oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1125 1121 if (oldkdcdns == NULL) {
1126 1122 retval = ENOMEM;
1127 1123 goto cleanup;
1128 1124 }
1129 1125
1130 1126 for (j=0; rparams->kdcservers[j] != NULL; j++) {
1131 1127 oldkdcdns[j] = strdup(rparams->kdcservers[j]);
1132 1128 if (oldkdcdns[j] == NULL) {
1133 1129 retval = ENOMEM;
1134 1130 goto cleanup;
1135 1131 }
1136 1132 }
1137 1133 oldkdcdns[j] = NULL;
1138 1134 }
1139 1135
1140 1136 krb5_free_list_entries(rparams->kdcservers);
1141 1137 free(rparams->kdcservers);
1142 1138 }
1143 1139
1144 1140 rparams->kdcservers = (char **)malloc(
1145 1141 sizeof(char *) * MAX_LIST_ENTRIES);
1146 1142 if (rparams->kdcservers == NULL) {
1147 1143 retval = ENOMEM;
1148 1144 goto cleanup;
1149 1145 }
1150 1146 memset(rparams->kdcservers, 0, sizeof(char *)*MAX_LIST_ENTRIES);
1151 1147 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
1152 1148 rparams->kdcservers))) {
1153 1149 goto cleanup;
1154 1150 }
1155 1151 mask |= LDAP_REALM_KDCSERVERS;
1156 1152 /* Going to replace the existing value by this new value. Hence
1157 1153 * setting flag indicating that add or clear options will be ignored
1158 1154 */
1159 1155 newkdcdn = 1;
1160 1156 } else if (!strcmp(argv[i], "-clearkdcdn")) {
1161 1157 if (++i > argc-1)
1162 1158 goto err_usage;
1163 1159 if ((!newkdcdn) && (rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers)) {
1164 1160 if (!oldkdcdns) {
1165 1161 /* Store the old kdc dns list for removing rights */
1166 1162 oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1167 1163 if (oldkdcdns == NULL) {
1168 1164 retval = ENOMEM;
1169 1165 goto cleanup;
1170 1166 }
1171 1167
1172 1168 for (j=0; rparams->kdcservers[j] != NULL; j++) {
1173 1169 oldkdcdns[j] = strdup(rparams->kdcservers[j]);
1174 1170 if (oldkdcdns[j] == NULL) {
1175 1171 retval = ENOMEM;
1176 1172 goto cleanup;
1177 1173 }
1178 1174 }
1179 1175 oldkdcdns[j] = NULL;
1180 1176 }
1181 1177
1182 1178 memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
1183 1179 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
1184 1180 goto cleanup;
1185 1181 }
1186 1182 list_modify_str_array(&rparams->kdcservers, (const char **)list,
1187 1183 LIST_MODE_DELETE);
1188 1184 mask |= LDAP_REALM_KDCSERVERS;
1189 1185 krb5_free_list_entries(list);
1190 1186 }
1191 1187 } else if (!strcmp(argv[i], "-addkdcdn")) {
1192 1188 if (++i > argc-1)
1193 1189 goto err_usage;
1194 1190 if (!newkdcdn) {
1195 1191 if ((rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers) && (!oldkdcdns)) {
1196 1192 /* Store the old kdc dns list for removing rights */
1197 1193 oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1198 1194 if (oldkdcdns == NULL) {
1199 1195 retval = ENOMEM;
1200 1196 goto cleanup;
1201 1197 }
1202 1198
1203 1199 for (j = 0; rparams->kdcservers[j] != NULL; j++) {
1204 1200 oldkdcdns[j] = strdup(rparams->kdcservers[j]);
1205 1201 if (oldkdcdns[j] == NULL) {
1206 1202 retval = ENOMEM;
1207 1203 goto cleanup;
1208 1204 }
1209 1205 }
1210 1206 oldkdcdns[j] = NULL;
1211 1207 }
1212 1208
1213 1209 memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
1214 1210 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
1215 1211 goto cleanup;
1216 1212 }
1217 1213 existing_entries = list_count_str_array(rparams->kdcservers);
1218 1214 list_entries = list_count_str_array(list);
1219 1215 if (rmask & LDAP_REALM_KDCSERVERS) {
1220 1216 tempstr = (char **)realloc(
1221 1217 rparams->kdcservers,
1222 1218 sizeof(char *) * (existing_entries+list_entries+1));
1223 1219 if (tempstr == NULL) {
1224 1220 retval = ENOMEM;
1225 1221 goto cleanup;
1226 1222 }
1227 1223 rparams->kdcservers = tempstr;
1228 1224 } else {
1229 1225 rparams->kdcservers = (char **)malloc(sizeof(char *) * (list_entries+1));
1230 1226 if (rparams->kdcservers == NULL) {
1231 1227 retval = ENOMEM;
1232 1228 goto cleanup;
1233 1229 }
1234 1230 memset(rparams->kdcservers, 0, sizeof(char *) * (list_entries+1));
1235 1231 }
1236 1232 list_modify_str_array(&rparams->kdcservers, (const char **)list,
1237 1233 LIST_MODE_ADD);
1238 1234 mask |= LDAP_REALM_KDCSERVERS;
1239 1235 }
1240 1236 } else if (!strcmp(argv[i], "-admindn")) {
1241 1237 if (++i > argc-1)
1242 1238 goto err_usage;
1243 1239
1244 1240 if ((rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers)) {
1245 1241 if (!oldadmindns) {
1246 1242 /* Store the old admin dns list for removing rights */
1247 1243 oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1248 1244 if (oldadmindns == NULL) {
1249 1245 retval = ENOMEM;
1250 1246 goto cleanup;
1251 1247 }
1252 1248
1253 1249 for (j=0; rparams->adminservers[j] != NULL; j++) {
1254 1250 oldadmindns[j] = strdup(rparams->adminservers[j]);
1255 1251 if (oldadmindns[j] == NULL) {
1256 1252 retval = ENOMEM;
1257 1253 goto cleanup;
1258 1254 }
1259 1255 }
1260 1256 oldadmindns[j] = NULL;
1261 1257 }
1262 1258
1263 1259 krb5_free_list_entries(rparams->adminservers);
1264 1260 free(rparams->adminservers);
1265 1261 }
1266 1262
1267 1263 rparams->adminservers = (char **)malloc(
1268 1264 sizeof(char *) * MAX_LIST_ENTRIES);
1269 1265 if (rparams->adminservers == NULL) {
1270 1266 retval = ENOMEM;
1271 1267 goto cleanup;
1272 1268 }
1273 1269 memset(rparams->adminservers, 0, sizeof(char *)*MAX_LIST_ENTRIES);
1274 1270 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
1275 1271 rparams->adminservers))) {
1276 1272 goto cleanup;
1277 1273 }
1278 1274 mask |= LDAP_REALM_ADMINSERVERS;
1279 1275 /* Going to replace the existing value by this new value. Hence
1280 1276 * setting flag indicating that add or clear options will be ignored
1281 1277 */
1282 1278 newadmindn = 1;
1283 1279 } else if (!strcmp(argv[i], "-clearadmindn")) {
1284 1280 if (++i > argc-1)
1285 1281 goto err_usage;
1286 1282
1287 1283 if ((!newadmindn) && (rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers)) {
1288 1284 if (!oldadmindns) {
1289 1285 /* Store the old admin dns list for removing rights */
1290 1286 oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1291 1287 if (oldadmindns == NULL) {
1292 1288 retval = ENOMEM;
1293 1289 goto cleanup;
1294 1290 }
1295 1291
1296 1292 for (j=0; rparams->adminservers[j] != NULL; j++) {
1297 1293 oldadmindns[j] = strdup(rparams->adminservers[j]);
1298 1294 if (oldadmindns[j] == NULL) {
1299 1295 retval = ENOMEM;
1300 1296 goto cleanup;
1301 1297 }
1302 1298 }
1303 1299 oldadmindns[j] = NULL;
1304 1300 }
1305 1301
1306 1302 memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
1307 1303 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
1308 1304 goto cleanup;
1309 1305 }
1310 1306 list_modify_str_array(&rparams->adminservers, (const char **)list,
1311 1307 LIST_MODE_DELETE);
1312 1308 mask |= LDAP_REALM_ADMINSERVERS;
1313 1309 krb5_free_list_entries(list);
1314 1310 }
1315 1311 } else if (!strcmp(argv[i], "-addadmindn")) {
1316 1312 if (++i > argc-1)
1317 1313 goto err_usage;
1318 1314 if (!newadmindn) {
1319 1315 if ((rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers) && (!oldadmindns)) {
1320 1316 /* Store the old admin dns list for removing rights */
1321 1317 oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1322 1318 if (oldadmindns == NULL) {
1323 1319 retval = ENOMEM;
1324 1320 goto cleanup;
1325 1321 }
1326 1322
1327 1323 for (j=0; rparams->adminservers[j] != NULL; j++) {
1328 1324 oldadmindns[j] = strdup(rparams->adminservers[j]);
1329 1325 if (oldadmindns[j] == NULL) {
1330 1326 retval = ENOMEM;
1331 1327 goto cleanup;
1332 1328 }
1333 1329 }
1334 1330 oldadmindns[j] = NULL;
1335 1331 }
1336 1332
1337 1333 memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
1338 1334 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
1339 1335 goto cleanup;
1340 1336 }
1341 1337 existing_entries = list_count_str_array(rparams->adminservers);
1342 1338 list_entries = list_count_str_array(list);
1343 1339 if (rmask & LDAP_REALM_ADMINSERVERS) {
1344 1340 tempstr = (char **)realloc(
1345 1341 rparams->adminservers,
1346 1342 sizeof(char *) * (existing_entries+list_entries+1));
1347 1343 if (tempstr == NULL) {
1348 1344 retval = ENOMEM;
1349 1345 goto cleanup;
1350 1346 }
1351 1347 rparams->adminservers = tempstr;
1352 1348 } else {
1353 1349 rparams->adminservers = (char **)malloc(sizeof(char *) * (list_entries+1));
1354 1350 if (rparams->adminservers == NULL) {
1355 1351 retval = ENOMEM;
1356 1352 goto cleanup;
1357 1353 }
1358 1354 memset(rparams->adminservers, 0, sizeof(char *) * (list_entries+1));
1359 1355 }
1360 1356 list_modify_str_array(&rparams->adminservers, (const char **)list,
1361 1357 LIST_MODE_ADD);
1362 1358 mask |= LDAP_REALM_ADMINSERVERS;
1363 1359 }
1364 1360 } else if (!strcmp(argv[i], "-pwddn")) {
1365 1361 if (++i > argc-1)
1366 1362 goto err_usage;
1367 1363
1368 1364 if ((rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers)) {
1369 1365 if (!oldpwddns) {
1370 1366 /* Store the old pwd dns list for removing rights */
1371 1367 oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1372 1368 if (oldpwddns == NULL) {
1373 1369 retval = ENOMEM;
1374 1370 goto cleanup;
1375 1371 }
1376 1372
1377 1373 for (j=0; rparams->passwdservers[j] != NULL; j++) {
1378 1374 oldpwddns[j] = strdup(rparams->passwdservers[j]);
1379 1375 if (oldpwddns[j] == NULL) {
1380 1376 retval = ENOMEM;
1381 1377 goto cleanup;
1382 1378 }
1383 1379 }
1384 1380 oldpwddns[j] = NULL;
1385 1381 }
1386 1382
1387 1383 krb5_free_list_entries(rparams->passwdservers);
1388 1384 free(rparams->passwdservers);
1389 1385 }
1390 1386
1391 1387 rparams->passwdservers = (char **)malloc(
1392 1388 sizeof(char *) * MAX_LIST_ENTRIES);
1393 1389 if (rparams->passwdservers == NULL) {
1394 1390 retval = ENOMEM;
1395 1391 goto cleanup;
1396 1392 }
1397 1393 memset(rparams->passwdservers, 0, sizeof(char *)*MAX_LIST_ENTRIES);
1398 1394 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER,
1399 1395 rparams->passwdservers))) {
1400 1396 goto cleanup;
1401 1397 }
1402 1398 mask |= LDAP_REALM_PASSWDSERVERS;
1403 1399 /* Going to replace the existing value by this new value. Hence
1404 1400 * setting flag indicating that add or clear options will be ignored
1405 1401 */
1406 1402 newpwddn = 1;
1407 1403 } else if (!strcmp(argv[i], "-clearpwddn")) {
1408 1404 if (++i > argc-1)
1409 1405 goto err_usage;
1410 1406
1411 1407 if ((!newpwddn) && (rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers)) {
1412 1408 if (!oldpwddns) {
1413 1409 /* Store the old pwd dns list for removing rights */
1414 1410 oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1415 1411 if (oldpwddns == NULL) {
1416 1412 retval = ENOMEM;
1417 1413 goto cleanup;
1418 1414 }
1419 1415
1420 1416 for (j=0; rparams->passwdservers[j] != NULL; j++) {
1421 1417 oldpwddns[j] = strdup(rparams->passwdservers[j]);
1422 1418 if (oldpwddns[j] == NULL) {
1423 1419 retval = ENOMEM;
1424 1420 goto cleanup;
1425 1421 }
1426 1422 }
1427 1423 oldpwddns[j] = NULL;
1428 1424 }
1429 1425
1430 1426 memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
1431 1427 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
1432 1428 goto cleanup;
1433 1429 }
1434 1430 list_modify_str_array(&rparams->passwdservers, (const char**)list,
1435 1431 LIST_MODE_DELETE);
1436 1432 mask |= LDAP_REALM_PASSWDSERVERS;
1437 1433 krb5_free_list_entries(list);
1438 1434 }
1439 1435 } else if (!strcmp(argv[i], "-addpwddn")) {
1440 1436 if (++i > argc-1)
1441 1437 goto err_usage;
1442 1438 if (!newpwddn) {
1443 1439 if ((rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers) && (!oldpwddns)) {
1444 1440 /* Store the old pwd dns list for removing rights */
1445 1441 oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1446 1442 if (oldpwddns == NULL) {
1447 1443 retval = ENOMEM;
1448 1444 goto cleanup;
1449 1445 }
1450 1446
1451 1447 for (j=0; rparams->passwdservers[j] != NULL; j++) {
1452 1448 oldpwddns[j] = strdup(rparams->passwdservers[j]);
1453 1449 if (oldpwddns[j] == NULL) {
1454 1450 retval = ENOMEM;
1455 1451 goto cleanup;
1456 1452 }
1457 1453 }
1458 1454 oldpwddns[j] = NULL;
1459 1455 }
1460 1456
1461 1457 memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES);
1462 1458 if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) {
1463 1459 goto cleanup;
1464 1460 }
1465 1461 existing_entries = list_count_str_array(rparams->passwdservers);
1466 1462 list_entries = list_count_str_array(list);
1467 1463 if (rmask & LDAP_REALM_PASSWDSERVERS) {
1468 1464 tempstr = (char **)realloc(
1469 1465 rparams->passwdservers,
1470 1466 sizeof(char *) * (existing_entries+list_entries+1));
1471 1467 if (tempstr == NULL) {
1472 1468 retval = ENOMEM;
1473 1469 goto cleanup;
1474 1470 }
1475 1471 rparams->passwdservers = tempstr;
1476 1472 } else {
1477 1473 rparams->passwdservers = (char **)malloc(sizeof(char *) * (list_entries+1));
1478 1474 if (rparams->passwdservers == NULL) {
1479 1475 retval = ENOMEM;
1480 1476 goto cleanup;
1481 1477 }
1482 1478 memset(rparams->passwdservers, 0, sizeof(char *) * (list_entries+1));
1483 1479 }
1484 1480 list_modify_str_array(&rparams->passwdservers, (const char**)list,
1485 1481 LIST_MODE_ADD);
1486 1482 mask |= LDAP_REALM_PASSWDSERVERS;
1487 1483 }
1488 1484 }
1489 1485 #endif
1490 1486 else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0) {
1491 1487 mask|=ret_mask;
1492 1488 } else {
1493 1489 printf(gettext("'%s' is an invalid option\n"), argv[i]);
1494 1490 goto err_usage;
1495 1491 }
1496 1492 }
1497 1493
1498 1494 if ((retval = krb5_ldap_modify_realm(util_context,
1499 1495 /* global_params.realm, */ rparams, mask))) {
1500 1496 goto cleanup;
1501 1497 }
1502 1498
1503 1499 #ifdef HAVE_EDIRECTORY
1504 1500 if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_KDCSERVERS) ||
1505 1501 (mask & LDAP_REALM_ADMINSERVERS) || (mask & LDAP_REALM_PASSWDSERVERS)) {
1506 1502
1507 1503 printf(gettext("Changing rights for the service object. Please wait ... "));
1508 1504 fflush(stdout);
1509 1505
1510 1506 if (!(mask & LDAP_REALM_SUBTREE)) {
1511 1507 if (rparams->subtree != NULL) {
1512 1508 for(i=0; rparams->subtree[i]!=NULL;i++) {
1513 1509 oldsubtrees[i] = strdup(rparams->subtree[i]);
1514 1510 if( oldsubtrees[i] == NULL ) {
1515 1511 retval = ENOMEM;
1516 1512 goto cleanup;
1517 1513 }
1518 1514 }
1519 1515 }
1520 1516 }
1521 1517
1522 1518 if ((mask & LDAP_REALM_SUBTREE)) {
1523 1519 int check_subtree = 1;
1524 1520
1525 1521 newsubtrees = (char**) calloc(rparams->subtreecount, sizeof(char*));
1526 1522
1527 1523 if (newsubtrees == NULL) {
1528 1524 retval = ENOMEM;
1529 1525 goto cleanup;
1530 1526 }
1531 1527
1532 1528 if ( (rparams != NULL) && (rparams->subtree != NULL) ) {
1533 1529 for (j=0; j<rparams->subtreecount && rparams->subtree[j]!= NULL; j++) {
1534 1530 newsubtrees[j] = strdup(rparams->subtree[j]);
1535 1531 if (newsubtrees[j] == NULL) {
1536 1532 retval = ENOMEM;
1537 1533 goto cleanup;
1538 1534 }
1539 1535 }
1540 1536 newsubtrees[j] = NULL;
1541 1537 }
1542 1538 for(j=0;oldsubtrees[j]!=NULL;j++) {
1543 1539 check_subtree = 1;
1544 1540 for(i=0; ( (oldsubtrees[j] && !rparams->subtree[i]) ||
1545 1541 (!oldsubtrees[j] && rparams->subtree[i])); i++) {
1546 1542 if(strcasecmp( oldsubtrees[j], rparams->subtree[i]) == 0) {
1547 1543 check_subtree = 0;
1548 1544 continue;
1549 1545 }
1550 1546 }
1551 1547 if (check_subtree != 0) {
1552 1548 subtree_changed=1;
1553 1549 break;
1554 1550 }
1555 1551 }
1556 1552 /* this will return list of the disjoint members */
1557 1553 disjoint_members( oldsubtrees, newsubtrees);
1558 1554 }
1559 1555
1560 1556 if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_KDCSERVERS)) {
1561 1557
1562 1558 newkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1563 1559 if (newkdcdns == NULL) {
1564 1560 retval = ENOMEM;
1565 1561 goto cleanup;
1566 1562 }
1567 1563
1568 1564 if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
1569 1565 for (j=0; rparams->kdcservers[j]!= NULL; j++) {
1570 1566 newkdcdns[j] = strdup(rparams->kdcservers[j]);
1571 1567 if (newkdcdns[j] == NULL) {
1572 1568 retval = ENOMEM;
1573 1569 goto cleanup;
1574 1570 }
1575 1571 }
1576 1572 newkdcdns[j] = NULL;
1577 1573 }
1578 1574
1579 1575 if (!subtree_changed) {
1580 1576 disjoint_members(oldkdcdns, newkdcdns);
1581 1577 } else { /* Only the subtrees was changed. Remove the rights on the old subtrees. */
1582 1578 if (!(mask & LDAP_REALM_KDCSERVERS)) {
1583 1579
1584 1580 oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1585 1581 if (oldkdcdns == NULL) {
1586 1582 retval = ENOMEM;
1587 1583 goto cleanup;
1588 1584 }
1589 1585
1590 1586 if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
1591 1587 for (j=0; rparams->kdcservers[j]!= NULL; j++) {
1592 1588 oldkdcdns[j] = strdup(rparams->kdcservers[j]);
1593 1589 if (oldkdcdns[j] == NULL) {
1594 1590 retval = ENOMEM;
1595 1591 goto cleanup;
1596 1592 }
1597 1593 }
1598 1594 oldkdcdns[j] = NULL;
1599 1595 }
1600 1596 }
1601 1597 }
1602 1598
1603 1599 rightsmask =0;
1604 1600 rightsmask |= LDAP_REALM_RIGHTS;
1605 1601 rightsmask |= LDAP_SUBTREE_RIGHTS;
1606 1602 /* Remove the rights on the old subtrees */
1607 1603 if (oldkdcdns) {
1608 1604 for (i=0; (oldkdcdns[i] != NULL); i++) {
1609 1605 if ((retval=krb5_ldap_delete_service_rights(util_context,
1610 1606 LDAP_KDC_SERVICE, oldkdcdns[i],
1611 1607 rparams->realm_name, oldsubtrees, rightsmask)) != 0) {
1612 1608 printf(gettext("failed\n"));
1613 1609 /* Solaris Kerberos */
1614 1610 com_err(progname, retval, gettext("while assigning rights '%s'"),
1615 1611 rparams->realm_name);
1616 1612 goto err_nomsg;
1617 1613 }
1618 1614 }
1619 1615 }
1620 1616
1621 1617 rightsmask =0;
1622 1618 rightsmask |= LDAP_REALM_RIGHTS;
1623 1619 rightsmask |= LDAP_SUBTREE_RIGHTS;
1624 1620 if (newkdcdns) {
1625 1621 for (i=0; (newkdcdns[i] != NULL); i++) {
1626 1622
1627 1623 if ((retval=krb5_ldap_add_service_rights(util_context,
1628 1624 LDAP_KDC_SERVICE, newkdcdns[i], rparams->realm_name,
1629 1625 rparams->subtree, rightsmask)) != 0) {
1630 1626 printf(gettext("failed\n"));
1631 1627 /* Solaris Kerberos */
1632 1628 com_err(progname, retval, gettext("while assigning rights to '%s'"),
1633 1629 rparams->realm_name);
1634 1630 goto err_nomsg;
1635 1631 }
1636 1632 }
1637 1633 }
1638 1634 }
1639 1635
1640 1636 if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_ADMINSERVERS)) {
1641 1637
1642 1638 newadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1643 1639 if (newadmindns == NULL) {
1644 1640 retval = ENOMEM;
1645 1641 goto cleanup;
1646 1642 }
1647 1643
1648 1644 if ((rparams != NULL) && (rparams->adminservers != NULL)) {
1649 1645 for (j=0; rparams->adminservers[j]!= NULL; j++) {
1650 1646 newadmindns[j] = strdup(rparams->adminservers[j]);
1651 1647 if (newadmindns[j] == NULL) {
1652 1648 retval = ENOMEM;
1653 1649 goto cleanup;
1654 1650 }
1655 1651 }
1656 1652 newadmindns[j] = NULL;
1657 1653 }
1658 1654
1659 1655 if (!subtree_changed) {
1660 1656 disjoint_members(oldadmindns, newadmindns);
1661 1657 } else { /* Only the subtrees was changed. Remove the rights on the old subtrees. */
1662 1658 if (!(mask & LDAP_REALM_ADMINSERVERS)) {
1663 1659
1664 1660 oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1665 1661 if (oldadmindns == NULL) {
1666 1662 retval = ENOMEM;
1667 1663 goto cleanup;
1668 1664 }
1669 1665
1670 1666 if ((rparams != NULL) && (rparams->adminservers != NULL)) {
1671 1667 for (j=0; rparams->adminservers[j]!= NULL; j++) {
1672 1668 oldadmindns[j] = strdup(rparams->adminservers[j]);
1673 1669 if (oldadmindns[j] == NULL) {
1674 1670 retval = ENOMEM;
1675 1671 goto cleanup;
1676 1672 }
1677 1673 }
1678 1674 oldadmindns[j] = NULL;
1679 1675 }
1680 1676 }
1681 1677 }
1682 1678
1683 1679 rightsmask = 0;
1684 1680 rightsmask |= LDAP_REALM_RIGHTS;
1685 1681 rightsmask |= LDAP_SUBTREE_RIGHTS;
1686 1682 /* Remove the rights on the old subtrees */
1687 1683 if (oldadmindns) {
1688 1684 for (i=0; (oldadmindns[i] != NULL); i++) {
1689 1685
1690 1686 if ((retval=krb5_ldap_delete_service_rights(util_context,
1691 1687 LDAP_ADMIN_SERVICE, oldadmindns[i],
1692 1688 rparams->realm_name, oldsubtrees, rightsmask)) != 0) {
1693 1689 printf(gettext("failed\n"));
1694 1690 /* Solaris Kerberos */
1695 1691 com_err(progname, retval, gettext("while assigning rights '%s'"),
1696 1692 rparams->realm_name);
1697 1693 goto err_nomsg;
1698 1694 }
1699 1695 }
1700 1696 }
1701 1697
1702 1698 rightsmask = 0;
1703 1699 rightsmask |= LDAP_REALM_RIGHTS;
1704 1700 rightsmask |= LDAP_SUBTREE_RIGHTS;
1705 1701 /* Add rights on the new subtree for all the kdc dns */
1706 1702 if (newadmindns) {
1707 1703 for (i=0; (newadmindns[i] != NULL); i++) {
1708 1704
1709 1705 if ((retval=krb5_ldap_add_service_rights(util_context,
1710 1706 LDAP_ADMIN_SERVICE, newadmindns[i],
1711 1707 rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
1712 1708 printf(gettext("failed\n"));
1713 1709 /* Solaris Kerberos */
1714 1710 com_err(progname, retval, gettext("while assigning rights to '%s'"),
1715 1711 rparams->realm_name);
1716 1712 goto err_nomsg;
1717 1713 }
1718 1714 }
1719 1715 }
1720 1716 }
1721 1717
1722 1718
1723 1719 if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_PASSWDSERVERS)) {
1724 1720
1725 1721 newpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1726 1722 if (newpwddns == NULL) {
1727 1723 retval = ENOMEM;
1728 1724 goto cleanup;
1729 1725 }
1730 1726
1731 1727 if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
1732 1728 for (j=0; rparams->passwdservers[j]!= NULL; j++) {
1733 1729 newpwddns[j] = strdup(rparams->passwdservers[j]);
1734 1730 if (newpwddns[j] == NULL) {
1735 1731 retval = ENOMEM;
1736 1732 goto cleanup;
1737 1733 }
1738 1734 }
1739 1735 newpwddns[j] = NULL;
1740 1736 }
1741 1737
1742 1738 if (!subtree_changed) {
1743 1739 disjoint_members(oldpwddns, newpwddns);
1744 1740 } else { /* Only the subtrees was changed. Remove the rights on the old subtrees. */
1745 1741 if (!(mask & LDAP_REALM_ADMINSERVERS)) {
1746 1742
1747 1743 oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*));
1748 1744 if (oldpwddns == NULL) {
1749 1745 retval = ENOMEM;
1750 1746 goto cleanup;
1751 1747 }
1752 1748
1753 1749 if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
1754 1750 for (j=0; rparams->passwdservers[j]!= NULL; j++) {
1755 1751 oldpwddns[j] = strdup(rparams->passwdservers[j]);
1756 1752 if (oldpwddns[j] == NULL) {
1757 1753 retval = ENOMEM;
1758 1754 goto cleanup;
1759 1755 }
1760 1756 }
1761 1757 oldpwddns[j] = NULL;
1762 1758 }
1763 1759 }
1764 1760 }
1765 1761
1766 1762 rightsmask =0;
1767 1763 rightsmask |= LDAP_REALM_RIGHTS;
1768 1764 rightsmask |= LDAP_SUBTREE_RIGHTS;
1769 1765 /* Remove the rights on the old subtrees */
1770 1766 if (oldpwddns) {
1771 1767 for (i=0; (oldpwddns[i] != NULL); i++) {
1772 1768 if ((retval = krb5_ldap_delete_service_rights(util_context,
1773 1769 LDAP_PASSWD_SERVICE, oldpwddns[i],
1774 1770 rparams->realm_name, oldsubtrees, rightsmask))) {
1775 1771 printf(gettext("failed\n"));
1776 1772 /* Solaris Kerberos */
1777 1773 com_err(progname, retval, gettext("while assigning rights '%s'"),
1778 1774 rparams->realm_name);
1779 1775 goto err_nomsg;
1780 1776 }
1781 1777 }
1782 1778 }
1783 1779
1784 1780 rightsmask =0;
1785 1781 rightsmask |= LDAP_REALM_RIGHTS;
1786 1782 rightsmask |= LDAP_SUBTREE_RIGHTS;
1787 1783 /* Add rights on the new subtree for all the kdc dns */
1788 1784 if (newpwddns) {
1789 1785 for (i=0; (newpwddns[i] != NULL); i++) {
1790 1786 if ((retval = krb5_ldap_add_service_rights(util_context,
1791 1787 LDAP_PASSWD_SERVICE, newpwddns[i],
1792 1788 rparams->realm_name, rparams->subtree, rightsmask))) {
1793 1789 printf(gettext("failed\n"));
1794 1790 /* Solaris Kerberos */
1795 1791 com_err(progname, retval, gettext("while assigning rights to '%s'"),
1796 1792 rparams->realm_name);
1797 1793 goto err_nomsg;
1798 1794 }
1799 1795 }
1800 1796 }
1801 1797 }
1802 1798
1803 1799 printf(gettext("done\n"));
1804 1800 }
1805 1801 #endif
1806 1802
1807 1803 goto cleanup;
1808 1804
1809 1805 err_usage:
1810 1806 print_usage = TRUE;
1811 1807
1812 1808 err_nomsg:
1813 1809 no_msg = TRUE;
1814 1810
1815 1811 cleanup:
1816 1812 krb5_ldap_free_realm_params(rparams);
1817 1813
1818 1814
1819 1815 #ifdef HAVE_EDIRECTORY
1820 1816 if (oldkdcdns) {
1821 1817 for (i=0; oldkdcdns[i] != NULL; i++)
1822 1818 free(oldkdcdns[i]);
1823 1819 free(oldkdcdns);
1824 1820 }
1825 1821 if (oldpwddns) {
1826 1822 for (i=0; oldpwddns[i] != NULL; i++)
1827 1823 free(oldpwddns[i]);
1828 1824 free(oldpwddns);
1829 1825 }
1830 1826 if (oldadmindns) {
1831 1827 for (i=0; oldadmindns[i] != NULL; i++)
1832 1828 free(oldadmindns[i]);
1833 1829 free(oldadmindns);
1834 1830 }
1835 1831 if (newkdcdns) {
1836 1832 for (i=0; newkdcdns[i] != NULL; i++)
1837 1833 free(newkdcdns[i]);
1838 1834 free(newkdcdns);
1839 1835 }
1840 1836 if (newpwddns) {
1841 1837 for (i=0; newpwddns[i] != NULL; i++)
1842 1838 free(newpwddns[i]);
1843 1839 free(newpwddns);
1844 1840 }
1845 1841 if (newadmindns) {
1846 1842 for (i=0; newadmindns[i] != NULL; i++)
1847 1843 free(newadmindns[i]);
1848 1844 free(newadmindns);
1849 1845 }
1850 1846 if (oldsubtrees) {
1851 1847 for (i=0;oldsubtrees[i]!=NULL; i++)
1852 1848 free(oldsubtrees[i]);
1853 1849 free(oldsubtrees);
1854 1850 }
1855 1851 if (newsubtrees) {
1856 1852 for (i=0;newsubtrees[i]!=NULL; i++)
1857 1853 free(newsubtrees[i]);
1858 1854 free(oldsubtrees);
1859 1855 }
1860 1856 #endif
1861 1857 if (print_usage) {
1862 1858 db_usage(MODIFY_REALM);
1863 1859 }
1864 1860
1865 1861 if (retval) {
1866 1862 if (!no_msg) {
1867 1863 /* Solaris Kerberos */
1868 1864 com_err(progname, retval, gettext("while modifying information of realm '%s'"),
1869 1865 global_params.realm);
1870 1866 }
1871 1867 exit_status++;
1872 1868 }
1873 1869
1874 1870 return;
1875 1871 }
1876 1872
1877 1873
1878 1874
1879 1875 /*
1880 1876 * This function displays the attributes of a Realm
1881 1877 */
1882 1878 void kdb5_ldap_view(argc, argv)
1883 1879 int argc;
1884 1880 char *argv[];
1885 1881 {
1886 1882 krb5_ldap_realm_params *rparams = NULL;
1887 1883 krb5_error_code retval = 0;
1888 1884 kdb5_dal_handle *dal_handle=NULL;
1889 1885 krb5_ldap_context *ldap_context=NULL;
1890 1886 int mask = 0;
1891 1887
1892 1888 dal_handle = (kdb5_dal_handle *) util_context->db_context;
1893 1889 ldap_context = (krb5_ldap_context *) dal_handle->db_context;
1894 1890 if (!(ldap_context)) {
1895 1891 retval = EINVAL;
1896 1892 /* Solaris Kerberos */
1897 1893 com_err(progname, retval, gettext("while initializing database"));
1898 1894 exit_status++;
1899 1895 return;
1900 1896 }
1901 1897
1902 1898 /* Read the kerberos container information */
1903 1899 if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
1904 1900 &(ldap_context->krbcontainer))) != 0) {
1905 1901 /* Solaris Kerberos */
1906 1902 com_err(progname, retval, gettext("while reading kerberos container information"));
1907 1903 exit_status++;
1908 1904 return;
1909 1905 }
1910 1906
1911 1907 if ((retval = krb5_ldap_read_realm_params(util_context,
1912 1908 global_params.realm, &rparams, &mask)) || (!rparams)) {
1913 1909 /* Solaris Kerberos */
1914 1910 com_err(progname, retval, gettext("while reading information of realm '%s'"),
1915 1911 global_params.realm);
1916 1912 exit_status++;
1917 1913 return;
1918 1914 }
1919 1915 print_realm_params(rparams, mask);
1920 1916 krb5_ldap_free_realm_params(rparams);
1921 1917
1922 1918 return;
1923 1919 }
1924 1920
1925 1921 static char *strdur(duration)
1926 1922 time_t duration;
1927 1923 {
1928 1924 static char out[50];
1929 1925 int neg, days, hours, minutes, seconds;
1930 1926
1931 1927 if (duration < 0) {
1932 1928 duration *= -1;
1933 1929 neg = 1;
1934 1930 } else
1935 1931 neg = 0;
1936 1932 days = duration / (24 * 3600);
1937 1933 duration %= 24 * 3600;
1938 1934 hours = duration / 3600;
1939 1935 duration %= 3600;
1940 1936 minutes = duration / 60;
1941 1937 duration %= 60;
1942 1938 seconds = duration;
1943 1939 snprintf(out, sizeof(out), "%s%d %s %02d:%02d:%02d", neg ? "-" : "",
1944 1940 days, days == 1 ? gettext("day") : gettext("days"),
1945 1941 hours, minutes, seconds);
1946 1942 return out;
1947 1943 }
1948 1944
1949 1945 /*
1950 1946 * This function prints the attributes of a given realm to the
1951 1947 * standard output.
1952 1948 */
1953 1949 static void print_realm_params(krb5_ldap_realm_params *rparams, int mask)
1954 1950 {
1955 1951 char **slist = NULL;
1956 1952 int num_entry_printed = 0, i = 0;
1957 1953
1958 1954 /* Print the Realm Attributes on the standard output */
1959 1955 printf("%25s: %-50s\n", gettext("Realm Name"), global_params.realm);
1960 1956 if (mask & LDAP_REALM_SUBTREE) {
1961 1957 for (i=0; rparams->subtree[i]!=NULL; i++)
1962 1958 printf("%25s: %-50s\n", gettext("Subtree"), rparams->subtree[i]);
1963 1959 }
1964 1960 if (mask & LDAP_REALM_CONTREF)
1965 1961 printf("%25s: %-50s\n", gettext("Principal Container Reference"), rparams->containerref);
1966 1962 if (mask & LDAP_REALM_SEARCHSCOPE) {
1967 1963 if ((rparams->search_scope != 1) &&
1968 1964 (rparams->search_scope != 2)) {
1969 1965 printf("%25s: %-50s\n", gettext("SearchScope"), gettext("Invalid !"));
1970 1966 } else {
1971 1967 printf("%25s: %-50s\n", gettext("SearchScope"),
1972 1968 (rparams->search_scope == 1) ? gettext("ONE") : gettext("SUB"));
1973 1969 }
1974 1970 }
1975 1971 if (mask & LDAP_REALM_KDCSERVERS) {
1976 1972 printf("%25s:", gettext("KDC Services"));
1977 1973 if (rparams->kdcservers != NULL) {
1978 1974 num_entry_printed = 0;
1979 1975 for (slist = rparams->kdcservers; *slist != NULL; slist++) {
1980 1976 if (num_entry_printed)
1981 1977 printf(" %25s %-50s\n", " ", *slist);
1982 1978 else
1983 1979 printf(" %-50s\n", *slist);
1984 1980 num_entry_printed++;
1985 1981 }
1986 1982 }
1987 1983 if (num_entry_printed == 0)
1988 1984 printf("\n");
1989 1985 }
1990 1986 if (mask & LDAP_REALM_ADMINSERVERS) {
1991 1987 printf("%25s:", gettext("Admin Services"));
1992 1988 if (rparams->adminservers != NULL) {
1993 1989 num_entry_printed = 0;
1994 1990 for (slist = rparams->adminservers; *slist != NULL; slist++) {
1995 1991 if (num_entry_printed)
1996 1992 printf(" %25s %-50s\n", " ", *slist);
1997 1993 else
1998 1994 printf(" %-50s\n", *slist);
1999 1995 num_entry_printed++;
2000 1996 }
2001 1997 }
2002 1998 if (num_entry_printed == 0)
2003 1999 printf("\n");
2004 2000 }
2005 2001 if (mask & LDAP_REALM_PASSWDSERVERS) {
2006 2002 printf("%25s:", gettext("Passwd Services"));
2007 2003 if (rparams->passwdservers != NULL) {
2008 2004 num_entry_printed = 0;
2009 2005 for (slist = rparams->passwdservers; *slist != NULL; slist++) {
2010 2006 if (num_entry_printed)
2011 2007 printf(" %25s %-50s\n", " ", *slist);
2012 2008 else
2013 2009 printf(" %-50s\n", *slist);
2014 2010 num_entry_printed++;
2015 2011 }
2016 2012 }
2017 2013 if (num_entry_printed == 0)
2018 2014 printf("\n");
2019 2015 }
2020 2016 if (mask & LDAP_REALM_MAXTICKETLIFE) {
2021 2017 printf("%25s:", gettext("Maximum Ticket Life"));
2022 2018 printf(" %s \n", strdur(rparams->max_life));
2023 2019 }
2024 2020
2025 2021 if (mask & LDAP_REALM_MAXRENEWLIFE) {
2026 2022 printf("%25s:", gettext("Maximum Renewable Life"));
2027 2023 printf(" %s \n", strdur(rparams->max_renewable_life));
2028 2024 }
2029 2025
2030 2026 if (mask & LDAP_REALM_KRBTICKETFLAGS) {
2031 2027 int ticketflags = rparams->tktflags;
2032 2028
2033 2029 printf("%25s: ", gettext("Ticket flags"));
2034 2030 if (ticketflags & KRB5_KDB_DISALLOW_POSTDATED)
2035 2031 printf("%s ","DISALLOW_POSTDATED");
2036 2032
2037 2033 if (ticketflags & KRB5_KDB_DISALLOW_FORWARDABLE)
2038 2034 printf("%s ","DISALLOW_FORWARDABLE");
2039 2035
2040 2036 if (ticketflags & KRB5_KDB_DISALLOW_RENEWABLE)
2041 2037 printf("%s ","DISALLOW_RENEWABLE");
2042 2038
2043 2039 if (ticketflags & KRB5_KDB_DISALLOW_PROXIABLE)
2044 2040 printf("%s ","DISALLOW_PROXIABLE");
2045 2041
2046 2042 if (ticketflags & KRB5_KDB_DISALLOW_DUP_SKEY)
2047 2043 printf("%s ","DISALLOW_DUP_SKEY");
2048 2044
2049 2045 if (ticketflags & KRB5_KDB_REQUIRES_PRE_AUTH)
2050 2046 printf("%s ","REQUIRES_PRE_AUTH");
2051 2047
2052 2048 if (ticketflags & KRB5_KDB_REQUIRES_HW_AUTH)
2053 2049 printf("%s ","REQUIRES_HW_AUTH");
2054 2050
2055 2051 if (ticketflags & KRB5_KDB_DISALLOW_SVR)
2056 2052 printf("%s ","DISALLOW_SVR");
2057 2053
2058 2054 if (ticketflags & KRB5_KDB_DISALLOW_TGT_BASED)
2059 2055 printf("%s ","DISALLOW_TGT_BASED");
2060 2056
2061 2057 if (ticketflags & KRB5_KDB_DISALLOW_ALL_TIX)
2062 2058 printf("%s ","DISALLOW_ALL_TIX");
2063 2059
2064 2060 if (ticketflags & KRB5_KDB_REQUIRES_PWCHANGE)
2065 2061 printf("%s ","REQUIRES_PWCHANGE");
2066 2062
2067 2063 if (ticketflags & KRB5_KDB_PWCHANGE_SERVICE)
2068 2064 printf("%s ","PWCHANGE_SERVICE");
2069 2065
2070 2066 printf("\n");
2071 2067 }
2072 2068
2073 2069
2074 2070 return;
2075 2071 }
2076 2072
2077 2073
2078 2074
2079 2075 /*
2080 2076 * This function lists the Realm(s) present under the Kerberos container
2081 2077 * on the LDAP Server.
2082 2078 */
2083 2079 void kdb5_ldap_list(argc, argv)
2084 2080 int argc;
2085 2081 char *argv[];
2086 2082 {
2087 2083 char **list = NULL;
2088 2084 char **plist = NULL;
2089 2085 krb5_error_code retval = 0;
2090 2086 kdb5_dal_handle *dal_handle=NULL;
2091 2087 krb5_ldap_context *ldap_context=NULL;
2092 2088
2093 2089 dal_handle = (kdb5_dal_handle *)util_context->db_context;
2094 2090 ldap_context = (krb5_ldap_context *) dal_handle->db_context;
2095 2091 if (!(ldap_context)) {
2096 2092 retval = EINVAL;
2097 2093 exit_status++;
2098 2094 return;
2099 2095 }
2100 2096
2101 2097 /* Read the kerberos container information */
2102 2098 if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
2103 2099 &(ldap_context->krbcontainer))) != 0) {
2104 2100 /* Solaris Kerberos */
2105 2101 com_err(progname, retval, gettext("while reading kerberos container information"));
2106 2102 exit_status++;
2107 2103 return;
2108 2104 }
2109 2105
2110 2106 retval = krb5_ldap_list_realm(util_context, &list);
2111 2107 if (retval != 0) {
2112 2108 krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer);
2113 2109 ldap_context->krbcontainer = NULL;
2114 2110 /* Solaris Kerberos */
2115 2111 com_err (progname, retval, gettext("while listing realms"));
2116 2112 exit_status++;
2117 2113 return;
2118 2114 }
2119 2115 /* This is to handle the case of realm not present */
2120 2116 if (list == NULL) {
2121 2117 krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer);
2122 2118 ldap_context->krbcontainer = NULL;
2123 2119 return;
2124 2120 }
2125 2121
2126 2122 for (plist = list; *plist != NULL; plist++) {
2127 2123 printf("%s\n", *plist);
2128 2124 }
2129 2125 krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer);
2130 2126 ldap_context->krbcontainer = NULL;
2131 2127 krb5_free_list_entries(list);
2132 2128 free(list);
2133 2129
2134 2130 return;
2135 2131 }
2136 2132
2137 2133 /*
2138 2134 * Duplicating the following two functions here because
2139 2135 * 'krb5_dbe_update_tl_data' uses backend specific memory allocation. The catch
2140 2136 * here is that the backend is not initialized - kdb5_ldap_util doesn't go
2141 2137 * through DAL.
2142 2138 * 1. krb5_dbe_update_tl_data
2143 2139 * 2. krb5_dbe_update_mod_princ_data
2144 2140 */
2145 2141
2146 2142 /* Start duplicate code ... */
2147 2143
2148 2144 static krb5_error_code
2149 2145 krb5_dbe_update_tl_data_new(context, entry, new_tl_data)
2150 2146 krb5_context context;
2151 2147 krb5_db_entry *entry;
2152 2148 krb5_tl_data *new_tl_data;
2153 2149 {
2154 2150 krb5_tl_data *tl_data = NULL;
2155 2151 krb5_octet *tmp;
2156 2152
2157 2153 /* copy the new data first, so we can fail cleanly if malloc()
2158 2154 * fails */
2159 2155 /*
2160 2156 if ((tmp =
2161 2157 (krb5_octet *) krb5_db_alloc(context, NULL,
2162 2158 new_tl_data->tl_data_length)) == NULL)
2163 2159 */
2164 2160 if ((tmp = (krb5_octet *) malloc (new_tl_data->tl_data_length)) == NULL)
2165 2161 return (ENOMEM);
2166 2162
2167 2163 /* Find an existing entry of the specified type and point at
2168 2164 * it, or NULL if not found */
2169 2165
2170 2166 if (new_tl_data->tl_data_type != KRB5_TL_DB_ARGS) { /* db_args can be multiple */
2171 2167 for (tl_data = entry->tl_data; tl_data;
2172 2168 tl_data = tl_data->tl_data_next)
2173 2169 if (tl_data->tl_data_type == new_tl_data->tl_data_type)
2174 2170 break;
2175 2171 }
2176 2172
2177 2173 /* if necessary, chain a new record in the beginning and point at it */
2178 2174
2179 2175 if (!tl_data) {
2180 2176 /*
2181 2177 if ((tl_data =
2182 2178 (krb5_tl_data *) krb5_db_alloc(context, NULL,
2183 2179 sizeof(krb5_tl_data)))
2184 2180 == NULL) {
2185 2181 */
2186 2182 if ((tl_data = (krb5_tl_data *) malloc (sizeof(krb5_tl_data))) == NULL) {
2187 2183 free(tmp);
2188 2184 return (ENOMEM);
2189 2185 }
2190 2186 memset(tl_data, 0, sizeof(krb5_tl_data));
2191 2187 tl_data->tl_data_next = entry->tl_data;
2192 2188 entry->tl_data = tl_data;
2193 2189 entry->n_tl_data++;
2194 2190 }
2195 2191
2196 2192 /* fill in the record */
2197 2193
2198 2194 if (tl_data->tl_data_contents)
2199 2195 krb5_db_free(context, tl_data->tl_data_contents);
2200 2196
2201 2197 tl_data->tl_data_type = new_tl_data->tl_data_type;
2202 2198 tl_data->tl_data_length = new_tl_data->tl_data_length;
2203 2199 tl_data->tl_data_contents = tmp;
2204 2200 memcpy(tmp, new_tl_data->tl_data_contents, tl_data->tl_data_length);
2205 2201
2206 2202 return (0);
2207 2203 }
2208 2204
2209 2205 static krb5_error_code
2210 2206 krb5_dbe_update_mod_princ_data_new(context, entry, mod_date, mod_princ)
2211 2207 krb5_context context;
2212 2208 krb5_db_entry * entry;
2213 2209 krb5_timestamp mod_date;
2214 2210 krb5_const_principal mod_princ;
2215 2211 {
2216 2212 krb5_tl_data tl_data;
2217 2213
2218 2214 krb5_error_code retval = 0;
2219 2215 krb5_octet * nextloc = 0;
2220 2216 char * unparse_mod_princ = 0;
2221 2217 unsigned int unparse_mod_princ_size;
2222 2218
2223 2219 if ((retval = krb5_unparse_name(context, mod_princ,
2224 2220 &unparse_mod_princ)))
2225 2221 return(retval);
2226 2222
2227 2223 unparse_mod_princ_size = strlen(unparse_mod_princ) + 1;
2228 2224
2229 2225 if ((nextloc = (krb5_octet *) malloc(unparse_mod_princ_size + 4))
2230 2226 == NULL) {
2231 2227 free(unparse_mod_princ);
2232 2228 return(ENOMEM);
2233 2229 }
2234 2230
2235 2231 tl_data.tl_data_type = KRB5_TL_MOD_PRINC;
2236 2232 tl_data.tl_data_length = unparse_mod_princ_size + 4;
2237 2233 tl_data.tl_data_contents = nextloc;
2238 2234
2239 2235 /* Mod Date */
2240 2236 krb5_kdb_encode_int32(mod_date, nextloc);
2241 2237
2242 2238 /* Mod Princ */
2243 2239 memcpy(nextloc+4, unparse_mod_princ, unparse_mod_princ_size);
2244 2240
2245 2241 retval = krb5_dbe_update_tl_data_new(context, entry, &tl_data);
2246 2242
2247 2243 free(unparse_mod_princ);
2248 2244 free(nextloc);
2249 2245
2250 2246 return(retval);
2251 2247 }
2252 2248
2253 2249 static krb5_error_code
2254 2250 kdb_ldap_tgt_keysalt_iterate(ksent, ptr)
2255 2251 krb5_key_salt_tuple *ksent;
2256 2252 krb5_pointer ptr;
2257 2253 {
2258 2254 krb5_context context;
2259 2255 krb5_error_code kret;
2260 2256 struct iterate_args *iargs;
2261 2257 krb5_keyblock key;
2262 2258 krb5_int32 ind;
2263 2259 krb5_data pwd;
2264 2260 krb5_db_entry *entry;
2265 2261
2266 2262 iargs = (struct iterate_args *) ptr;
2267 2263 kret = 0;
2268 2264
2269 2265 context = iargs->ctx;
2270 2266 entry = iargs->dbentp;
2271 2267
2272 2268 /*
2273 2269 * Convert the master key password into a key for this particular
2274 2270 * encryption system.
2275 2271 */
2276 2272 pwd.data = mkey_password;
2277 2273 pwd.length = strlen(mkey_password);
2278 2274 kret = krb5_c_random_seed(context, &pwd);
2279 2275 if (kret)
2280 2276 return kret;
2281 2277
2282 2278 /*if (!(kret = krb5_dbe_create_key_data(iargs->ctx, iargs->dbentp))) {*/
2283 2279 if ((entry->key_data =
2284 2280 (krb5_key_data *) realloc(entry->key_data,
2285 2281 (sizeof(krb5_key_data) *
2286 2282 (entry->n_key_data + 1)))) == NULL)
2287 2283 return (ENOMEM);
2288 2284
2289 2285 memset(entry->key_data + entry->n_key_data, 0, sizeof(krb5_key_data));
2290 2286 ind = entry->n_key_data++;
2291 2287
2292 2288 if (!(kret = krb5_c_make_random_key(context, ksent->ks_enctype,
2293 2289 &key))) {
2294 2290 kret = krb5_dbekd_encrypt_key_data(context,
2295 2291 iargs->rblock->key,
2296 2292 &key,
2297 2293 NULL,
2298 2294 1,
2299 2295 &entry->key_data[ind]);
2300 2296 krb5_free_keyblock_contents(context, &key);
2301 2297 }
2302 2298 /*}*/
2303 2299
2304 2300 return(kret);
2305 2301 }
2306 2302 /* End duplicate code */
2307 2303
2308 2304 /*
2309 2305 * This function creates service principals when
2310 2306 * creating the realm object.
2311 2307 */
2312 2308 static int
2313 2309 kdb_ldap_create_principal (context, princ, op, pblock)
2314 2310 krb5_context context;
2315 2311 krb5_principal princ;
2316 2312 enum ap_op op;
2317 2313 struct realm_info *pblock;
2318 2314 {
2319 2315 int retval=0, currlen=0, princtype = 2 /* Service Principal */;
2320 2316 unsigned char *curr=NULL;
2321 2317 krb5_tl_data *tl_data=NULL;
2322 2318 krb5_db_entry entry;
2323 2319 int nentry=1;
2324 2320 long mask = 0;
2325 2321 krb5_keyblock key;
2326 2322 int kvno = 0;
2327 2323 kdb5_dal_handle *dal_handle = NULL;
2328 2324 krb5_ldap_context *ldap_context=NULL;
2329 2325 struct iterate_args iargs;
2330 2326 krb5_data *pdata;
2331 2327
2332 2328 if ((pblock == NULL) || (context == NULL)) {
2333 2329 retval = EINVAL;
2334 2330 goto cleanup;
2335 2331 }
2336 2332 dal_handle = (kdb5_dal_handle *) context->db_context;
2337 2333 ldap_context = (krb5_ldap_context *) dal_handle->db_context;
2338 2334 if (!(ldap_context)) {
2339 2335 retval = EINVAL;
2340 2336 goto cleanup;
2341 2337 }
2342 2338
2343 2339 memset(&entry, 0, sizeof(entry));
2344 2340
2345 2341 tl_data = malloc(sizeof(*tl_data));
2346 2342 if (tl_data == NULL) {
2347 2343 retval = ENOMEM;
2348 2344 goto cleanup;
2349 2345 }
2350 2346 memset(tl_data, 0, sizeof(*tl_data));
2351 2347 tl_data->tl_data_length = 1 + 2 + 2 + 1 + 2 + 4;
2352 2348 tl_data->tl_data_type = 7; /* KDB_TL_USER_INFO */
2353 2349 curr = tl_data->tl_data_contents = malloc(tl_data->tl_data_length);
2354 2350 if (tl_data->tl_data_contents == NULL) {
2355 2351 retval = ENOMEM;
2356 2352 goto cleanup;
2357 2353 }
2358 2354
2359 2355 memset(curr, 1, 1); /* Passing the mask as principal type */
2360 2356 curr += 1;
2361 2357 currlen = 2;
2362 2358 STORE16_INT(curr, currlen);
2363 2359 curr += currlen;
2364 2360 STORE16_INT(curr, princtype);
2365 2361 curr += currlen;
2366 2362
2367 2363 mask |= KADM5_PRINCIPAL;
2368 2364 mask |= KADM5_ATTRIBUTES ;
2369 2365 mask |= KADM5_MAX_LIFE ;
2370 2366 mask |= KADM5_MAX_RLIFE ;
2371 2367 mask |= KADM5_PRINC_EXPIRE_TIME ;
2372 2368 mask |= KADM5_KEY_DATA;
2373 2369
2374 2370 entry.tl_data = tl_data;
2375 2371 entry.n_tl_data += 1;
2376 2372 /* Set the creator's name */
2377 2373 {
2378 2374 krb5_timestamp now;
2379 2375 if ((retval = krb5_timeofday(context, &now)))
2380 2376 goto cleanup;
2381 2377 if ((retval = krb5_dbe_update_mod_princ_data_new(context, &entry,
2382 2378 now, &db_create_princ)))
2383 2379 goto cleanup;
2384 2380 }
2385 2381 entry.attributes = pblock->flags;
2386 2382 entry.max_life = pblock->max_life;
2387 2383 entry.max_renewable_life = pblock->max_rlife;
2388 2384 entry.expiration = pblock->expiration;
2389 2385 entry.mask = mask;
2390 2386 if ((retval = krb5_copy_principal(context, princ, &entry.princ)))
2391 2387 goto cleanup;
2392 2388
2393 2389
2394 2390 switch (op) {
2395 2391 case TGT_KEY:
2396 2392 if ((pdata = krb5_princ_component(context, princ, 1)) &&
2397 2393 pdata->length == strlen("history") &&
2398 2394 !memcmp(pdata->data, "history", strlen("history"))) {
2399 2395
2400 2396 /* Allocate memory for storing the key */
2401 2397 if ((entry.key_data = (krb5_key_data *) malloc(
2402 2398 sizeof(krb5_key_data))) == NULL) {
2403 2399 retval = ENOMEM;
2404 2400 goto cleanup;
2405 2401 }
2406 2402
2407 2403 memset(entry.key_data, 0, sizeof(krb5_key_data));
2408 2404 entry.n_key_data++;
2409 2405
2410 2406 retval = krb5_c_make_random_key(context, global_params.enctype, &key);
2411 2407 if (retval) {
2412 2408 goto cleanup;
2413 2409 }
2414 2410 kvno = 1; /* New key is getting set */
2415 2411 retval = krb5_dbekd_encrypt_key_data(context,
2416 2412 &ldap_context->lrparams->mkey,
2417 2413 &key, NULL, kvno,
2418 2414 &entry.key_data[entry.n_key_data - 1]);
2419 2415 krb5_free_keyblock_contents(context, &key);
2420 2416 if (retval) {
2421 2417 goto cleanup;
2422 2418 }
2423 2419 } else {
2424 2420 /*retval = krb5_c_make_random_key(context, 16, &key) ;*/
2425 2421 iargs.ctx = context;
2426 2422 iargs.rblock = pblock;
2427 2423 iargs.dbentp = &entry;
2428 2424
2429 2425 /*
2430 2426 * create a set of random keys by iterating through the key/salt
2431 2427 * list, ignoring salt types.
2432 2428 */
2433 2429 if ((retval = krb5_keysalt_iterate(pblock->kslist,
2434 2430 pblock->nkslist,
2435 2431 1,
2436 2432 kdb_ldap_tgt_keysalt_iterate,
2437 2433 (krb5_pointer) &iargs)))
2438 2434 return retval;
2439 2435 }
2440 2436 break;
2441 2437
2442 2438 case MASTER_KEY:
2443 2439 /* Allocate memory for storing the key */
2444 2440 if ((entry.key_data = (krb5_key_data *) malloc(
2445 2441 sizeof(krb5_key_data))) == NULL) {
2446 2442 retval = ENOMEM;
2447 2443 goto cleanup;
2448 2444 }
2449 2445
2450 2446 memset(entry.key_data, 0, sizeof(krb5_key_data));
2451 2447 entry.n_key_data++;
2452 2448 kvno = 1; /* New key is getting set */
2453 2449 retval = krb5_dbekd_encrypt_key_data(context, pblock->key,
2454 2450 &ldap_context->lrparams->mkey,
2455 2451 NULL, kvno,
2456 2452 &entry.key_data[entry.n_key_data - 1]);
2457 2453 if (retval) {
2458 2454 goto cleanup;
2459 2455 }
2460 2456 break;
2461 2457
2462 2458 case NULL_KEY:
2463 2459 default:
2464 2460 break;
2465 2461 } /* end of switch */
2466 2462
2467 2463 retval = krb5_ldap_put_principal(context, &entry, &nentry, NULL);
2468 2464 if (retval) {
2469 2465 com_err(NULL, retval, gettext("while adding entries to database"));
2470 2466 goto cleanup;
2471 2467 }
2472 2468
2473 2469 cleanup:
2474 2470 krb5_dbe_free_contents(context, &entry);
2475 2471 return retval;
2476 2472 }
2477 2473
2478 2474
2479 2475 /*
2480 2476 * This function destroys the realm object and the associated principals
2481 2477 */
2482 2478 void
2483 2479 kdb5_ldap_destroy(argc, argv)
2484 2480 int argc;
2485 2481 char *argv[];
2486 2482 {
2487 2483 extern char *optarg;
2488 2484 extern int optind;
2489 2485 int optchar = 0;
2490 2486 char buf[5] = {0};
2491 2487 krb5_error_code retval = 0;
2492 2488 int force = 0;
2493 2489 int mask = 0;
2494 2490 kdb5_dal_handle *dal_handle = NULL;
2495 2491 krb5_ldap_context *ldap_context = NULL;
2496 2492 #ifdef HAVE_EDIRECTORY
2497 2493 int i = 0, rightsmask = 0;
2498 2494 krb5_ldap_realm_params *rparams = NULL;
2499 2495 #endif
2500 2496 /* Solaris Kerberos: to remove stash file */
2501 2497 char *stash_file = NULL;
2502 2498 struct stat stb;
2503 2499
2504 2500 optind = 1;
2505 2501 while ((optchar = getopt(argc, argv, "f")) != -1) {
2506 2502 switch (optchar) {
2507 2503 case 'f':
2508 2504 force++;
2509 2505 break;
2510 2506 case '?':
2511 2507 default:
2512 2508 db_usage(DESTROY_REALM);
2513 2509 return;
2514 2510 /*NOTREACHED*/
2515 2511 }
2516 2512 }
2517 2513
2518 2514 if (!force) {
2519 2515 printf(gettext("Deleting KDC database of '%s', are you sure?\n"), global_params.realm);
2520 2516 printf(gettext("(type 'yes' to confirm)? "));
2521 2517 if (fgets(buf, sizeof(buf), stdin) == NULL) {
2522 2518 exit_status++;
2523 2519 return;
2524 2520 }
2525 2521 if (strcmp(buf, yes)) {
2526 2522 exit_status++;
2527 2523 return;
2528 2524 }
2529 2525 printf(gettext("OK, deleting database of '%s'...\n"), global_params.realm);
2530 2526 }
2531 2527
2532 2528 dal_handle = (kdb5_dal_handle *)util_context->db_context;
2533 2529 ldap_context = (krb5_ldap_context *) dal_handle->db_context;
2534 2530 if (!(ldap_context)) {
2535 2531 /* Solaris Kerberos */
2536 2532 com_err(progname, EINVAL, gettext("while initializing database"));
2537 2533 exit_status++;
2538 2534 return;
2539 2535 }
2540 2536
2541 2537 /* Read the kerberos container from the LDAP Server */
2542 2538 if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
2543 2539 &(ldap_context->krbcontainer))) != 0) {
2544 2540 /* Solaris Kerberos */
2545 2541 com_err(progname, retval, gettext("while reading kerberos container information"));
2546 2542 exit_status++;
2547 2543 return;
2548 2544 }
2549 2545
2550 2546 /* Read the Realm information from the LDAP Server */
2551 2547 if ((retval = krb5_ldap_read_realm_params(util_context, global_params.realm,
2552 2548 &(ldap_context->lrparams), &mask)) != 0) {
2553 2549 /* Solaris Kerberos */
2554 2550 com_err(progname, retval, gettext("while reading realm information"));
2555 2551 exit_status++;
2556 2552 return;
2557 2553 }
2558 2554
2559 2555 #ifdef HAVE_EDIRECTORY
2560 2556 if ((mask & LDAP_REALM_KDCSERVERS) || (mask & LDAP_REALM_ADMINSERVERS) ||
2561 2557 (mask & LDAP_REALM_PASSWDSERVERS)) {
2562 2558
2563 2559 printf(gettext("Changing rights for the service object. Please wait ... "));
2564 2560 fflush(stdout);
2565 2561
2566 2562 rparams = ldap_context->lrparams;
2567 2563 rightsmask = 0;
2568 2564 rightsmask |= LDAP_REALM_RIGHTS;
2569 2565 rightsmask |= LDAP_SUBTREE_RIGHTS;
2570 2566 if ((rparams != NULL) && (rparams->kdcservers != NULL)) {
2571 2567 for (i=0; (rparams->kdcservers[i] != NULL); i++) {
2572 2568 if ((retval = krb5_ldap_delete_service_rights(util_context,
2573 2569 LDAP_KDC_SERVICE, rparams->kdcservers[i],
2574 2570 rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
2575 2571 printf(gettext("failed\n"));
2576 2572 /* Solaris Kerberos */
2577 2573 com_err(progname, retval, gettext("while assigning rights to '%s'"),
2578 2574 rparams->realm_name);
2579 2575 return;
2580 2576 }
2581 2577 }
2582 2578 }
2583 2579 rightsmask = 0;
2584 2580 rightsmask |= LDAP_REALM_RIGHTS;
2585 2581 rightsmask |= LDAP_SUBTREE_RIGHTS;
2586 2582 if ((rparams != NULL) && (rparams->adminservers != NULL)) {
2587 2583 for (i=0; (rparams->adminservers[i] != NULL); i++) {
2588 2584 if ((retval = krb5_ldap_delete_service_rights(util_context,
2589 2585 LDAP_ADMIN_SERVICE, rparams->adminservers[i],
2590 2586 rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
2591 2587 printf(gettext("failed\n"));
2592 2588 /* Solaris Kerberos */
2593 2589 com_err(progname, retval, gettext("while assigning rights to '%s'"),
2594 2590 rparams->realm_name);
2595 2591 return;
2596 2592 }
2597 2593 }
2598 2594 }
2599 2595 rightsmask = 0;
2600 2596 rightsmask |= LDAP_REALM_RIGHTS;
2601 2597 rightsmask |= LDAP_SUBTREE_RIGHTS;
2602 2598 if ((rparams != NULL) && (rparams->passwdservers != NULL)) {
2603 2599 for (i=0; (rparams->passwdservers[i] != NULL); i++) {
2604 2600 if ((retval = krb5_ldap_delete_service_rights(util_context,
2605 2601 LDAP_PASSWD_SERVICE, rparams->passwdservers[i],
2606 2602 rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
2607 2603 printf(gettext("failed\n"));
2608 2604 /* Solaris Kerberos */
2609 2605 com_err(progname, retval, gettext("while assigning rights to '%s'"),
2610 2606 rparams->realm_name);
2611 2607 return;
2612 2608 }
2613 2609 }
2614 2610 }
2615 2611 printf(gettext("done\n"));
2616 2612 }
2617 2613 #endif
2618 2614 /* Delete the realm container and all the associated principals */
2619 2615 retval = krb5_ldap_delete_realm(util_context, global_params.realm);
2620 2616 if (retval) {
2621 2617 /* Solaris Kerberos */
2622 2618 com_err(progname, retval, gettext("deleting database of '%s'"), global_params.realm);
2623 2619 exit_status++;
2624 2620 return;
2625 2621 }
2626 2622
2627 2623 /*
2628 2624 * Solaris Kerberos: check for a stash file and delete it if necessary
2629 2625 * This behavior exists in the Solaris version of kdb5_util destroy.
2630 2626 */
2631 2627 if (global_params.stash_file == NULL) {
2632 2628 char stashbuf[MAXPATHLEN+1];
2633 2629 int realm_len = strlen(global_params.realm);
2634 2630
2635 2631 (void) strlcpy(stashbuf, DEFAULT_KEYFILE_STUB, sizeof (stashbuf));
2636 2632
2637 2633 if (realm_len <= (MAXPATHLEN-strlen(stashbuf))) {
2638 2634 (void) strncat(stashbuf, global_params.realm,
2639 2635 (MAXPATHLEN-strlen(stashbuf)));
2640 2636 } else {
2641 2637 /* Solaris Kerberos */
2642 2638 com_err(progname, EINVAL,
2643 2639 gettext("can not determine stash file name for '%s'"),
2644 2640 global_params.realm);
2645 2641 exit_status++;
2646 2642 return;
2647 2643 }
2648 2644 stash_file = stashbuf;
2649 2645 } else {
2650 2646 stash_file = global_params.stash_file;
2651 2647 }
2652 2648 /* Make sure stash_file is a regular file before unlinking */
2653 2649 if (stat(stash_file, &stb) == 0) {
2654 2650 if ((stb.st_mode & S_IFMT) == S_IFREG) {
2655 2651 (void)unlink(stash_file);
2656 2652 } else {
2657 2653 /* Solaris Kerberos */
2658 2654 com_err(progname, EINVAL,
2659 2655 gettext("stash file '%s' not a regular file, can not delete"),
2660 2656 stash_file);
2661 2657 exit_status++;
2662 2658 return;
2663 2659 }
2664 2660 } else if (errno != ENOENT) {
2665 2661 /*
2666 2662 * If the error is something other than the file doesn't exist set an
2667 2663 * error.
2668 2664 */
2669 2665 /* Solaris Kerberos */
2670 2666 com_err(progname, EINVAL,
2671 2667 gettext("could not stat stash file '%s', could not delete"),
2672 2668 stash_file);
2673 2669 exit_status++;
2674 2670 return;
2675 2671 }
2676 2672
2677 2673 printf(gettext("** Database of '%s' destroyed.\n"), global_params.realm);
2678 2674
2679 2675 return;
2680 2676 }
↓ open down ↓ |
2362 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX