17c478bd9Sstevel@tonic-gate /*
2e2f93a30S  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
37c478bd9Sstevel@tonic-gate  * Use is subject to license terms.
47c478bd9Sstevel@tonic-gate  */
57c478bd9Sstevel@tonic-gate 
67c478bd9Sstevel@tonic-gate /*
77c478bd9Sstevel@tonic-gate  * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved.
87c478bd9Sstevel@tonic-gate  *
97c478bd9Sstevel@tonic-gate  * $Id: kadm5_create.c,v 1.6 1998/10/30 02:52:37 marc Exp $
107c478bd9Sstevel@tonic-gate  * $Source: /cvs/krbdev/krb5/src/kadmin/dbutil/kadm5_create.c,v $
117c478bd9Sstevel@tonic-gate  */
127c478bd9Sstevel@tonic-gate 
137c478bd9Sstevel@tonic-gate /*
147c478bd9Sstevel@tonic-gate  * Copyright (C) 1998 by the FundsXpress, INC.
15*55fea89dSDan Cross  *
167c478bd9Sstevel@tonic-gate  * All rights reserved.
17*55fea89dSDan Cross  *
187c478bd9Sstevel@tonic-gate  * Export of this software from the United States of America may require
197c478bd9Sstevel@tonic-gate  * a specific license from the United States Government.  It is the
207c478bd9Sstevel@tonic-gate  * responsibility of any person or organization contemplating export to
217c478bd9Sstevel@tonic-gate  * obtain such a license before exporting.
22*55fea89dSDan Cross  *
237c478bd9Sstevel@tonic-gate  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
247c478bd9Sstevel@tonic-gate  * distribute this software and its documentation for any purpose and
257c478bd9Sstevel@tonic-gate  * without fee is hereby granted, provided that the above copyright
267c478bd9Sstevel@tonic-gate  * notice appear in all copies and that both that copyright notice and
277c478bd9Sstevel@tonic-gate  * this permission notice appear in supporting documentation, and that
287c478bd9Sstevel@tonic-gate  * the name of FundsXpress. not be used in advertising or publicity pertaining
297c478bd9Sstevel@tonic-gate  * to distribution of the software without specific, written prior
307c478bd9Sstevel@tonic-gate  * permission.  FundsXpress makes no representations about the suitability of
317c478bd9Sstevel@tonic-gate  * this software for any purpose.  It is provided "as is" without express
327c478bd9Sstevel@tonic-gate  * or implied warranty.
33*55fea89dSDan Cross  *
347c478bd9Sstevel@tonic-gate  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
357c478bd9Sstevel@tonic-gate  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
367c478bd9Sstevel@tonic-gate  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
377c478bd9Sstevel@tonic-gate  */
387c478bd9Sstevel@tonic-gate 
397c478bd9Sstevel@tonic-gate #include "string_table.h"
407c478bd9Sstevel@tonic-gate 
417c478bd9Sstevel@tonic-gate #include <stdio.h>
427c478bd9Sstevel@tonic-gate #include <stdlib.h>
437c478bd9Sstevel@tonic-gate #include <string.h>
4454925bf6Swillf #include <k5-int.h>
4554925bf6Swillf #include <kdb.h>
467c478bd9Sstevel@tonic-gate #include <kadm5/admin.h>
4756a424ccSmp #include <krb5/adm_proto.h>
4856a424ccSmp 
497c478bd9Sstevel@tonic-gate #include <krb5.h>
507c478bd9Sstevel@tonic-gate #include <krb5/kdb.h>
5154925bf6Swillf #include "kdb5_util.h"
527c478bd9Sstevel@tonic-gate #include <libintl.h>
537c478bd9Sstevel@tonic-gate 
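int
add_admin_old_princ(void *handle, krb5_context context,
		    char *name, char *realm, int attrs, int lifetime);
int
add_admin_sname_princ(void *handle, krb5_context context,
    char *sname, int attrs, int lifetime);
static int
add_admin_princ(void *handle, krb5_context context,
    krb5_principal principal, int attrs, int lifetime);

static int add_admin_princs(void *handle, krb5_context context, char *realm);

/* Status codes returned by the add_admin_*() helpers. */
#define ERR 1
#define OK 0

/*
 * Maximum ticket lifetimes (seconds) given to the admin principals.
 * Parenthesized so the macros expand safely inside a larger expression.
 */
#define ADMIN_LIFETIME (60*60*3) /* 3 hours */
#define CHANGEPW_LIFETIME (60*5) /* 5 minutes */

extern char *progname;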
737c478bd9Sstevel@tonic-gate 
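/*
 * Function: kadm5_create
 *
 * Purpose: create admin principals in KDC database
 *
 * Arguments:	params	(r) configuration parameters to use
 *
 * Returns:
 *
 *	OK on success, otherwise ERR or the status returned by
 *	kadm5_create_magic_princs.  If no krb5 context can be created the
 *	process exits with status ERR without printing a message.
 *
 * Effects:  Creates the KADM5_CHANGEPW_SERVICE principal and the
 * host-based admin, changepw and kiprop service principals (see
 * add_admin_princs) in the KDC database and sets their attributes
 * appropriately.
 */
int kadm5_create(kadm5_config_params *params)
{
	int retval;
	krb5_context context;
	kadm5_config_params lparams;

	if ((retval = kadm5_init_krb5_context(&context)))
		exit(ERR);

	(void) memset(&lparams, 0, sizeof (lparams));

	/*
	 * The lock file has to exist before calling kadm5_init, but
	 * params->admin_lockfile may not be set yet...
	 */
	if ((retval = kadm5_get_config_params(context, 1, params, &lparams))) {
		com_err(progname, retval,
		    gettext("while looking up the Kerberos configuration"));
		/* the context was leaked on this path before */
		krb5_free_context(context);
		return ERR;
	}

	retval = kadm5_create_magic_princs(&lparams, context);

	kadm5_free_config_params(context, &lparams);
	krb5_free_context(context);

	return retval;
}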
1147c478bd9Sstevel@tonic-gate 
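/*
 * Function: kadm5_create_magic_princs
 *
 * Purpose: open the kadm5 interface and create the admin principals
 *
 * Arguments:	params	(r) configuration parameters; params->realm is
 *			    passed on to add_admin_princs
 *		context	(r) krb5 context
 *
 * Returns:
 *
 *	0 on success, otherwise the status of the step that failed
 *	(krb5_klog_init or kadm5_init) or the status of add_admin_princs.
 *
 * Effects: the kadmin log is open only for the duration of the call;
 * it is closed on every path once krb5_klog_init succeeded.
 */
int kadm5_create_magic_princs(kadm5_config_params *params,
			      krb5_context context)
{
	int retval;
	void *handle = NULL;

	retval = krb5_klog_init(context, "admin_server", progname, 0);
	if (retval)
		return retval;

	if ((retval = kadm5_init(progname, NULL, NULL, params,
			      KADM5_STRUCT_VERSION,
			      KADM5_API_VERSION_2,
			      db5util_db_args,
			      &handle))) {
		com_err(progname, retval,
		    gettext("while initializing the Kerberos admin interface"));
		/* the log was left open on this path before */
		krb5_klog_close(context);
		return retval;
	}

	retval = add_admin_princs(handle, context, params->realm);

	kadm5_destroy(handle);
	krb5_klog_close(context);

	return retval;
}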
1417c478bd9Sstevel@tonic-gate 
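/*
 * Function: build_name_with_realm
 *
 * Purpose: concatenate a name and a realm to form a krb5 name
 *
 * Arguments:
 *
 *	name	(input) the name
 *	realm	(input) the realm
 *
 * Returns:
 *
 *	pointer to name@realm, in allocated memory, or NULL if it
 *	cannot be allocated.  The caller owns the result and must free() it.
 *
 * Requires: both strings are null-terminated
 */
static char *build_name_with_realm(char *name, char *realm)
{
	/* room for '@' and the terminating NUL */
	size_t len = strlen(name) + strlen(realm) + 2;
	char *n = malloc(len);

	/* the old code wrote through a NULL pointer on allocation failure */
	if (n == NULL)
		return NULL;
	(void) snprintf(n, len, "%s@%s", name, realm);
	return n;
}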
1677c478bd9Sstevel@tonic-gate 
/*
 * Function: add_admin_princs
 *
 * Purpose: create admin principals
 *
 * Arguments:
 *
 *	handle		(input) kadm5 server handle
 *	context		(input) krb5 context
 *	realm		(input) realm appended to the non-host-based name
 *	<return value>	(output) status, OK for success, ERR for serious error
 *
 * Effects:
 *
 * add_admin_princs creates KADM5_CHANGEPW_SERVICE plus the host-based
 * KADM5_ADMIN_HOST_SERVICE, KADM5_CHANGEPW_HOST_SERVICE and
 * KADM5_KIPROP_HOST_SERVICE principals.  Principals that already exist
 * are left untouched (see add_admin_princ).  The first failure stops the
 * sequence and its status is returned.
 */
static int add_admin_princs(void *handle, krb5_context context, char *realm)
{
	krb5_error_code status;

/*
 * Solaris Kerberos:
 * The kadmin/admin principal is unused on Solaris. This principal is used
 * in AUTH_GSSAPI but Solaris doesn't support AUTH_GSSAPI. RPCSEC_GSS can only
 * be used with host-based principals.
 *
 */

#if 0
	status = add_admin_old_princ(handle, context,
	    KADM5_ADMIN_SERVICE, realm,
	    KRB5_KDB_DISALLOW_TGT_BASED,
	    ADMIN_LIFETIME);
	if (status != 0)
		return status;
#endif

	/* password-changing service: may not be reached with a TGT */
	status = add_admin_old_princ(handle, context,
	    KADM5_CHANGEPW_SERVICE, realm,
	    KRB5_KDB_DISALLOW_TGT_BASED | KRB5_KDB_PWCHANGE_SERVICE,
	    CHANGEPW_LIFETIME);
	if (status != 0)
		return status;

	status = add_admin_sname_princ(handle, context,
	    KADM5_ADMIN_HOST_SERVICE,
	    KRB5_KDB_DISALLOW_TGT_BASED,
	    ADMIN_LIFETIME);
	if (status != 0)
		return status;

	status = add_admin_sname_princ(handle, context,
	    KADM5_CHANGEPW_HOST_SERVICE,
	    KRB5_KDB_DISALLOW_TGT_BASED | KRB5_KDB_PWCHANGE_SERVICE,
	    ADMIN_LIFETIME);
	if (status != 0)
		return status;

	/* incremental propagation service principal */
	status = add_admin_sname_princ(handle, context,
	    KADM5_KIPROP_HOST_SERVICE,
	    KRB5_KDB_DISALLOW_TGT_BASED,
	    ADMIN_LIFETIME);

	return status;
}
2387c478bd9Sstevel@tonic-gate 
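/*
 * Function: add_admin_princ
 *
 * Arguments:
 *
 *	handle		(r) kadm5 server handle
 *	context		(r) krb5 context
 *	principal	(r) kerberos principal to add; ownership passes to
 *			    this function, which frees it on every path
 *	attrs		(r) principal's attributes
 *	lifetime	(r) principal's max life, or 0
 *
 * Returns:
 *
 *	OK on success, and also when the principal already exists
 *	ERR on serious errors (a message has been printed with com_err)
 *
 * Effects:
 *
 * The principal is created with a placeholder password and the
 * KRB5_KDB_DISALLOW_ALL_TIX attribute, so it cannot obtain tickets
 * while that placeholder is its key.  Its keys are then randomized for
 * every permitted enctype (with the "normal" salttype only) and finally
 * the attributes are set to attrs and max life to lifetime (if not
 * zero).  If the principal already exists (KADM5_DUP) it is left
 * untouched: neither its keys nor its attributes are changed.
 */

static int add_admin_princ(void *handle, krb5_context context,
    krb5_principal principal, int attrs, int lifetime)
{
	char *fullname = NULL;
	krb5_error_code ret;
	kadm5_principal_ent_rec ent;
	krb5_enctype *enctype = NULL;
	krb5_key_salt_tuple *keysalt = NULL;
	int num_ks, i;
	krb5_int32 normalsalttype;
	int rc = ERR;

	memset(&ent, 0, sizeof(ent));

	if (krb5_unparse_name(context, principal, &fullname)) {
		/* we own principal: do not leak it on this early exit */
		krb5_free_principal(context, principal);
		return ERR;
	}

	ent.principal = principal;
	ent.max_life = lifetime;
	/* unusable until the random keys are in place (see below) */
	ent.attributes = attrs | KRB5_KDB_DISALLOW_ALL_TIX;

	ret = kadm5_create_principal(handle, &ent,
	    (KADM5_PRINCIPAL | KADM5_MAX_LIFE | KADM5_ATTRIBUTES),
	    "to-be-random");
	if (ret == KADM5_DUP) {
		/* already exists: leave keys and attributes alone */
		rc = OK;
		goto cleanup;
	}
	if (ret) {
		com_err(progname, ret, gettext(str_PUT_PRINC), fullname);
		goto cleanup;
	}

	/*
	 * Only randomize the key if we created the principal.
	 *
	 * Solaris Kerberos:
	 * Create kadmind principals with keys for all supported encryption
	 * types.  Follows a similar pattern to add_principal() in keytab.c.
	 */
	ret = krb5_get_permitted_enctypes(context, &enctype);
	if (ret || *enctype == 0) {
		com_err(progname, ret,
		    gettext("while getting list of permitted encryption types"));
		goto cleanup;
	}

	/* Count the number of enc types (the list is zero-terminated) */
	for (num_ks = 0; enctype[num_ks] != 0; num_ks++)
		;

	keysalt = malloc(sizeof (*keysalt) * num_ks);
	if (keysalt == NULL) {
		com_err(progname, ENOMEM,
		    gettext("while generating list of key salt tuples"));
		goto cleanup;
	}

	ret = krb5_string_to_salttype("normal", &normalsalttype);
	if (ret) {
		com_err(progname, ret,
		    gettext("while converting \"normal\" to a salttype"));
		goto cleanup;
	}

	/* Only create keys with "normal" salttype */
	for (i = 0; i < num_ks; i++) {
		keysalt[i].ks_enctype = enctype[i];
		keysalt[i].ks_salttype = normalsalttype;
	}

	ret = kadm5_randkey_principal_3(handle, ent.principal, FALSE, num_ks,
	    keysalt, NULL, NULL);
	if (ret) {
		com_err(progname, ret, gettext(str_RANDOM_KEY), fullname);
		goto cleanup;
	}

	/* keys are random now: drop DISALLOW_ALL_TIX, keep the caller's attrs */
	ent.attributes = attrs;
	ret = kadm5_modify_principal(handle, &ent, KADM5_ATTRIBUTES);
	if (ret) {
		com_err(progname, ret, gettext(str_PUT_PRINC), fullname);
		goto cleanup;
	}

	rc = OK;

cleanup:
	/* single exit: the old code leaked enctype on the empty-list path */
	free(keysalt);
	if (enctype != NULL)
		krb5_free_ktypes(context, enctype);
	krb5_free_principal(context, principal);
	free(fullname);
	return rc;
}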
3787c478bd9Sstevel@tonic-gate 
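/*
 * Function: add_admin_old_princ
 *
 * Purpose: add a principal named name@realm (non-host-based)
 *
 * Arguments:
 *
 *	handle		(r) kadm5 server handle
 *	context		(r) krb5 context
 *	name		(r) principal name without realm
 *	realm		(r) realm to append
 *	attrs		(r) principal's attributes
 *	lifetime	(r) principal's max life, or 0
 *
 * Returns: OK or ERR, as add_admin_princ does; ERR (with a message) if
 * the name cannot be built or parsed.
 */
int
add_admin_old_princ(void *handle, krb5_context context,
    char *name, char *realm, int attrs, int lifetime)
{
	char *fullname;
	krb5_error_code ret;
	krb5_principal principal;

	fullname = build_name_with_realm(name, realm);
	if (fullname == NULL) {
		/* build_name_with_realm returns NULL only on allocation failure */
		com_err(progname, ENOMEM, gettext("while building principal name"));
		return (ERR);
	}
	ret = krb5_parse_name(context, fullname, &principal);
	/* the parsed principal no longer needs the string; it used to leak */
	free(fullname);
	if (ret) {
		com_err(progname, ret, gettext(str_PARSE_NAME));
		return (ERR);
	}

	return (add_admin_princ(handle, context, principal, attrs, lifetime));
}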
3957c478bd9Sstevel@tonic-gate 
/*
 * Function: add_admin_sname_princ
 *
 * Purpose: add a host-based service principal for sname
 *
 * Arguments:
 *
 *	handle		(r) kadm5 server handle
 *	context		(r) krb5 context
 *	sname		(r) service name; the host part is filled in by
 *			    krb5_sname_to_principal (NULL hostname)
 *	attrs		(r) principal's attributes
 *	lifetime	(r) principal's max life, or 0
 *
 * Returns: OK or ERR, as add_admin_princ does; ERR (with a message) if
 * the host-based name cannot be constructed.
 */
int
add_admin_sname_princ(void *handle, krb5_context context,
	     char *sname, int attrs, int lifetime)
{
	krb5_principal principal;
	krb5_error_code status;

	status = krb5_sname_to_principal(context, NULL, sname,
	    KRB5_NT_SRV_HST, &principal);
	if (status != 0) {
		com_err(progname, status,
		    gettext("Could not get host based "
			"service name for %s principal\n"), sname);
		return (ERR);
	}

	/* add_admin_princ takes ownership of principal */
	return (add_admin_princ(handle, context, principal, attrs, lifetime));
}
4127c478bd9Sstevel@tonic-gate 
4137c478bd9Sstevel@tonic-gate 
414*55fea89dSDan Cross 
415