17c478bd9Sstevel@tonic-gate /*
27c478bd9Sstevel@tonic-gate * CDDL HEADER START
37c478bd9Sstevel@tonic-gate *
47c478bd9Sstevel@tonic-gate * The contents of this file are subject to the terms of the
53bfb48feSsemery * Common Development and Distribution License (the "License").
63bfb48feSsemery * You may not use this file except in compliance with the License.
77c478bd9Sstevel@tonic-gate *
87c478bd9Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
97c478bd9Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing.
107c478bd9Sstevel@tonic-gate * See the License for the specific language governing permissions
117c478bd9Sstevel@tonic-gate * and limitations under the License.
127c478bd9Sstevel@tonic-gate *
137c478bd9Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each
147c478bd9Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
157c478bd9Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the
167c478bd9Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying
177c478bd9Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner]
187c478bd9Sstevel@tonic-gate *
197c478bd9Sstevel@tonic-gate * CDDL HEADER END
207c478bd9Sstevel@tonic-gate */
217c478bd9Sstevel@tonic-gate /*
228ce3ffdfSPeter Shoults * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
237c478bd9Sstevel@tonic-gate * Use is subject to license terms.
247c478bd9Sstevel@tonic-gate */
257c478bd9Sstevel@tonic-gate
267c478bd9Sstevel@tonic-gate #include <kadm5/admin.h>
277c478bd9Sstevel@tonic-gate #include <krb5.h>
287c478bd9Sstevel@tonic-gate #include <security/pam_appl.h>
297c478bd9Sstevel@tonic-gate #include <security/pam_modules.h>
307c478bd9Sstevel@tonic-gate #include <security/pam_impl.h>
317c478bd9Sstevel@tonic-gate #include <string.h>
327c478bd9Sstevel@tonic-gate #include <stdio.h>
337c478bd9Sstevel@tonic-gate #include <stdlib.h>
347c478bd9Sstevel@tonic-gate #include <pwd.h>
357c478bd9Sstevel@tonic-gate #include <syslog.h>
367c478bd9Sstevel@tonic-gate #include <libintl.h>
377c478bd9Sstevel@tonic-gate
387c478bd9Sstevel@tonic-gate #define KRB5_AUTOMIGRATE_DATA "SUNW-KRB5-AUTOMIGRATE-DATA"
397c478bd9Sstevel@tonic-gate
407c478bd9Sstevel@tonic-gate static void krb5_migrate_cleanup(pam_handle_t *pamh, void *data,
417c478bd9Sstevel@tonic-gate int pam_status);
427c478bd9Sstevel@tonic-gate
437c478bd9Sstevel@tonic-gate /*
447c478bd9Sstevel@tonic-gate * pam_sm_authenticate - Authenticate a host-based client service
457c478bd9Sstevel@tonic-gate * principal to kadmind in order to permit the creation of a new user
467c478bd9Sstevel@tonic-gate * principal in the client's default realm.
477c478bd9Sstevel@tonic-gate */
pam_sm_authenticate(pam_handle_t * pamh,int flags,int argc,const char ** argv)487c478bd9Sstevel@tonic-gate int pam_sm_authenticate(pam_handle_t *pamh, int flags,
497c478bd9Sstevel@tonic-gate int argc, const char **argv)
507c478bd9Sstevel@tonic-gate {
517c478bd9Sstevel@tonic-gate char *user = NULL;
527c478bd9Sstevel@tonic-gate char *userdata = NULL;
534a7ceb24Sjjj char *olduserdata = NULL;
547c478bd9Sstevel@tonic-gate char *password = NULL;
557c478bd9Sstevel@tonic-gate int err, i;
567c478bd9Sstevel@tonic-gate time_t now;
577c478bd9Sstevel@tonic-gate
587c478bd9Sstevel@tonic-gate /* pam.conf options */
597c478bd9Sstevel@tonic-gate int debug = 0;
607c478bd9Sstevel@tonic-gate int quiet = 0;
617c478bd9Sstevel@tonic-gate int expire_pw = 0;
627c478bd9Sstevel@tonic-gate char *service = NULL;
637c478bd9Sstevel@tonic-gate
647c478bd9Sstevel@tonic-gate /* krb5-specific defines */
657c478bd9Sstevel@tonic-gate kadm5_ret_t retval = 0;
667c478bd9Sstevel@tonic-gate krb5_context context = NULL;
677c478bd9Sstevel@tonic-gate kadm5_config_params params;
687c478bd9Sstevel@tonic-gate krb5_principal svcprinc;
697c478bd9Sstevel@tonic-gate char *svcprincstr = NULL;
707c478bd9Sstevel@tonic-gate krb5_principal userprinc;
717c478bd9Sstevel@tonic-gate char *userprincstr = NULL;
727c478bd9Sstevel@tonic-gate int strlength = 0;
737c478bd9Sstevel@tonic-gate kadm5_principal_ent_rec kadm5_userprinc;
747c478bd9Sstevel@tonic-gate char *kadmin_princ = NULL;
757c478bd9Sstevel@tonic-gate char *def_realm = NULL;
767c478bd9Sstevel@tonic-gate void *handle = NULL;
777c478bd9Sstevel@tonic-gate long mask = 0;
787c478bd9Sstevel@tonic-gate
797c478bd9Sstevel@tonic-gate for (i = 0; i < argc; i++) {
807c478bd9Sstevel@tonic-gate if (strcmp(argv[i], "debug") == 0) {
817c478bd9Sstevel@tonic-gate debug = 1;
827c478bd9Sstevel@tonic-gate } else if (strcmp(argv[i], "quiet") == 0) {
837c478bd9Sstevel@tonic-gate quiet = 1;
847c478bd9Sstevel@tonic-gate } else if (strcmp(argv[i], "expire_pw") == 0) {
857c478bd9Sstevel@tonic-gate expire_pw = 1;
867c478bd9Sstevel@tonic-gate } else if ((strstr(argv[i], "client_service=") != NULL) &&
874a7ceb24Sjjj (strcmp((strstr(argv[i], "=") + 1), "") != 0)) {
884a7ceb24Sjjj service = strdup(strstr(argv[i], "=") + 1);
897c478bd9Sstevel@tonic-gate } else {
903bfb48feSsemery __pam_log(LOG_AUTH | LOG_ERR,
914a7ceb24Sjjj "PAM-KRB5-AUTOMIGRATE (auth): unrecognized "
924a7ceb24Sjjj "option %s", argv[i]);
937c478bd9Sstevel@tonic-gate }
947c478bd9Sstevel@tonic-gate }
957c478bd9Sstevel@tonic-gate
967c478bd9Sstevel@tonic-gate if (flags & PAM_SILENT)
977c478bd9Sstevel@tonic-gate quiet = 1;
987c478bd9Sstevel@tonic-gate
997c478bd9Sstevel@tonic-gate err = pam_get_item(pamh, PAM_USER, (void**)&user);
1007c478bd9Sstevel@tonic-gate if (err != PAM_SUCCESS) {
1017c478bd9Sstevel@tonic-gate goto cleanup;
1027c478bd9Sstevel@tonic-gate }
1037c478bd9Sstevel@tonic-gate
1047c478bd9Sstevel@tonic-gate /*
1057c478bd9Sstevel@tonic-gate * Check if user name is *not* NULL
1067c478bd9Sstevel@tonic-gate */
1077c478bd9Sstevel@tonic-gate if (user == NULL || (user[0] == '\0')) {
1087c478bd9Sstevel@tonic-gate if (debug)
1093bfb48feSsemery __pam_log(LOG_AUTH | LOG_DEBUG,
1104a7ceb24Sjjj "PAM-KRB5-AUTOMIGRATE (auth): user empty or null");
1114a7ceb24Sjjj goto cleanup;
1124a7ceb24Sjjj }
1134a7ceb24Sjjj
1144a7ceb24Sjjj /*
1154a7ceb24Sjjj * Can't tolerate memory failure later on. Get a copy
1164a7ceb24Sjjj * before any work is done.
1174a7ceb24Sjjj */
1184a7ceb24Sjjj if ((userdata = strdup(user)) == NULL) {
1194a7ceb24Sjjj __pam_log(LOG_AUTH | LOG_ERR,
1204a7ceb24Sjjj "PAM-KRB5-AUTOMIGRATE (auth): Out of memory");
1217c478bd9Sstevel@tonic-gate goto cleanup;
1227c478bd9Sstevel@tonic-gate }
1237c478bd9Sstevel@tonic-gate
1247c478bd9Sstevel@tonic-gate /*
1257c478bd9Sstevel@tonic-gate * Grok the user password
1267c478bd9Sstevel@tonic-gate */
1277c478bd9Sstevel@tonic-gate err = pam_get_item(pamh, PAM_AUTHTOK, (void **)&password);
1287c478bd9Sstevel@tonic-gate if (err != PAM_SUCCESS) {
1297c478bd9Sstevel@tonic-gate goto cleanup;
1307c478bd9Sstevel@tonic-gate }
1317c478bd9Sstevel@tonic-gate
1327c478bd9Sstevel@tonic-gate if (password == NULL || (password[0] == '\0')) {
1337c478bd9Sstevel@tonic-gate if (debug)
1343bfb48feSsemery __pam_log(LOG_AUTH | LOG_DEBUG,
1354a7ceb24Sjjj "PAM-KRB5-AUTOMIGRATE (auth): "
1364a7ceb24Sjjj "authentication token is empty or null");
1377c478bd9Sstevel@tonic-gate goto cleanup;
1387c478bd9Sstevel@tonic-gate }
1397c478bd9Sstevel@tonic-gate
1407c478bd9Sstevel@tonic-gate
1417c478bd9Sstevel@tonic-gate /*
1427c478bd9Sstevel@tonic-gate * Now, lets do the all krb5/kadm5 setup for the principal addition
1437c478bd9Sstevel@tonic-gate */
1448ce3ffdfSPeter Shoults if (retval = krb5_init_secure_context(&context)) {
1453bfb48feSsemery __pam_log(LOG_AUTH | LOG_ERR,
1464a7ceb24Sjjj "PAM-KRB5-AUTOMIGRATE (auth): Error initializing "
1474a7ceb24Sjjj "krb5: %s", error_message(retval));
1487c478bd9Sstevel@tonic-gate goto cleanup;
1497c478bd9Sstevel@tonic-gate }
1507c478bd9Sstevel@tonic-gate
1517c478bd9Sstevel@tonic-gate (void) memset((char *)¶ms, 0, sizeof (params));
1527c478bd9Sstevel@tonic-gate (void) memset(&kadm5_userprinc, 0, sizeof (kadm5_userprinc));
1537c478bd9Sstevel@tonic-gate
1547c478bd9Sstevel@tonic-gate if (def_realm == NULL && krb5_get_default_realm(context, &def_realm)) {
1553bfb48feSsemery __pam_log(LOG_AUTH | LOG_ERR,
1564a7ceb24Sjjj "PAM-KRB5-AUTOMIGRATE (auth): Error while obtaining "
1574a7ceb24Sjjj "default krb5 realm");
1587c478bd9Sstevel@tonic-gate goto cleanup;
1597c478bd9Sstevel@tonic-gate }
1607c478bd9Sstevel@tonic-gate
1617c478bd9Sstevel@tonic-gate params.mask |= KADM5_CONFIG_REALM;
1627c478bd9Sstevel@tonic-gate params.realm = def_realm;
1637c478bd9Sstevel@tonic-gate
1647c478bd9Sstevel@tonic-gate if (kadm5_get_adm_host_srv_name(context, def_realm,
1654a7ceb24Sjjj &kadmin_princ)) {
1663bfb48feSsemery __pam_log(LOG_AUTH | LOG_ERR,
1674a7ceb24Sjjj "PAM-KRB5-AUTOMIGRATE (auth): Error while obtaining "
1684a7ceb24Sjjj "host based service name for realm %s\n", def_realm);
1697c478bd9Sstevel@tonic-gate goto cleanup;
1707c478bd9Sstevel@tonic-gate }
1717c478bd9Sstevel@tonic-gate
1727c478bd9Sstevel@tonic-gate if (retval = krb5_sname_to_principal(context, NULL,
1734a7ceb24Sjjj (service != NULL) ? service : "host", KRB5_NT_SRV_HST, &svcprinc)) {
1743bfb48feSsemery __pam_log(LOG_AUTH | LOG_ERR,
1754a7ceb24Sjjj "PAM-KRB5-AUTOMIGRATE (auth): Error while creating "
1764a7ceb24Sjjj "krb5 host service principal: %s",
1774a7ceb24Sjjj error_message(retval));
1787c478bd9Sstevel@tonic-gate goto cleanup;
1797c478bd9Sstevel@tonic-gate }
1807c478bd9Sstevel@tonic-gate
1817c478bd9Sstevel@tonic-gate if (retval = krb5_unparse_name(context, svcprinc,
1824a7ceb24Sjjj &svcprincstr)) {
1833bfb48feSsemery __pam_log(LOG_AUTH | LOG_ERR,
1844a7ceb24Sjjj "PAM-KRB5-AUTOMIGRATE (auth): Error while "
1854a7ceb24Sjjj "unparsing principal name: %s", error_message(retval));
1867c478bd9Sstevel@tonic-gate krb5_free_principal(context, svcprinc);
1877c478bd9Sstevel@tonic-gate goto cleanup;
1887c478bd9Sstevel@tonic-gate }
1897c478bd9Sstevel@tonic-gate
1907c478bd9Sstevel@tonic-gate krb5_free_principal(context, svcprinc);
1917c478bd9Sstevel@tonic-gate
1927c478bd9Sstevel@tonic-gate /*
1937c478bd9Sstevel@tonic-gate * Initialize the kadm5 connection using the default keytab
1947c478bd9Sstevel@tonic-gate */
1957c478bd9Sstevel@tonic-gate retval = kadm5_init_with_skey(svcprincstr, NULL,
1964a7ceb24Sjjj kadmin_princ, ¶ms, KADM5_STRUCT_VERSION, KADM5_API_VERSION_2,
1974a7ceb24Sjjj NULL, &handle);
1987c478bd9Sstevel@tonic-gate if (retval) {
1993bfb48feSsemery __pam_log(LOG_AUTH | LOG_ERR,
2004a7ceb24Sjjj "PAM-KRB5-AUTOMIGRATE (auth): Error while "
2014a7ceb24Sjjj "doing kadm5_init_with_skey: %s", error_message(retval));
2027c478bd9Sstevel@tonic-gate goto cleanup;
2037c478bd9Sstevel@tonic-gate }
2047c478bd9Sstevel@tonic-gate
2057c478bd9Sstevel@tonic-gate
2067c478bd9Sstevel@tonic-gate /*
2077c478bd9Sstevel@tonic-gate * The RPCSEC_GSS connection has been established; Lets check to see
2087c478bd9Sstevel@tonic-gate * if the corresponding user principal exists in the KDC database.
2097c478bd9Sstevel@tonic-gate * If not, lets create a new one.
2107c478bd9Sstevel@tonic-gate */
2117c478bd9Sstevel@tonic-gate
2127c478bd9Sstevel@tonic-gate strlength = strlen(user) + strlen(def_realm) + 2;
2134a7ceb24Sjjj if ((userprincstr = malloc(strlength)) == NULL)
2144a7ceb24Sjjj goto cleanup;
2157c478bd9Sstevel@tonic-gate (void) strlcpy(userprincstr, user, strlength);
2167c478bd9Sstevel@tonic-gate (void) strlcat(userprincstr, "@", strlength);
2177c478bd9Sstevel@tonic-gate (void) strlcat(userprincstr, def_realm, strlength);
2187c478bd9Sstevel@tonic-gate
2197c478bd9Sstevel@tonic-gate
2207c478bd9Sstevel@tonic-gate if (retval = krb5_parse_name(context, userprincstr,
2214a7ceb24Sjjj &userprinc)) {
2223bfb48feSsemery __pam_log(LOG_AUTH | LOG_ERR,
2234a7ceb24Sjjj "PAM-KRB5-AUTOMIGRATE (auth): Error while "
2244a7ceb24Sjjj "parsing user principal name: %s",
2254a7ceb24Sjjj error_message(retval));
2267c478bd9Sstevel@tonic-gate goto cleanup;
2277c478bd9Sstevel@tonic-gate }
2287c478bd9Sstevel@tonic-gate
2297c478bd9Sstevel@tonic-gate retval = kadm5_get_principal(handle, userprinc, &kadm5_userprinc,
2304a7ceb24Sjjj KADM5_PRINCIPAL_NORMAL_MASK);
2317c478bd9Sstevel@tonic-gate
2327c478bd9Sstevel@tonic-gate krb5_free_principal(context, userprinc);
2337c478bd9Sstevel@tonic-gate
2347c478bd9Sstevel@tonic-gate if (retval) {
2357c478bd9Sstevel@tonic-gate switch (retval) {
2367c478bd9Sstevel@tonic-gate case KADM5_AUTH_GET:
2377c478bd9Sstevel@tonic-gate if (debug)
2383bfb48feSsemery __pam_log(LOG_AUTH | LOG_DEBUG,
2397c478bd9Sstevel@tonic-gate "PAM-KRB5-AUTOMIGRATE (auth): %s does "
2407c478bd9Sstevel@tonic-gate "not have the GET privilege "
2413bfb48feSsemery "for kadm5_get_principal: %s",
2427c478bd9Sstevel@tonic-gate svcprincstr, error_message(retval));
2437c478bd9Sstevel@tonic-gate break;
2447c478bd9Sstevel@tonic-gate
2457c478bd9Sstevel@tonic-gate case KADM5_UNK_PRINC:
2467c478bd9Sstevel@tonic-gate default:
2477c478bd9Sstevel@tonic-gate break;
2487c478bd9Sstevel@tonic-gate }
2497c478bd9Sstevel@tonic-gate /*
2507c478bd9Sstevel@tonic-gate * We will try & add this principal anyways, continue on ...
2517c478bd9Sstevel@tonic-gate */
2527c478bd9Sstevel@tonic-gate (void) memset(&kadm5_userprinc, 0, sizeof (kadm5_userprinc));
2537c478bd9Sstevel@tonic-gate } else {
2547c478bd9Sstevel@tonic-gate /*
2557c478bd9Sstevel@tonic-gate * Principal already exists in the KDC database, quit now
2567c478bd9Sstevel@tonic-gate */
2577c478bd9Sstevel@tonic-gate if (debug)
2583bfb48feSsemery __pam_log(LOG_AUTH | LOG_DEBUG,
2594a7ceb24Sjjj "PAM-KRB5-AUTOMIGRATE (auth): Principal %s "
2604a7ceb24Sjjj "already exists in Kerberos KDC database",
2614a7ceb24Sjjj userprincstr);
2627c478bd9Sstevel@tonic-gate goto cleanup;
2637c478bd9Sstevel@tonic-gate }
2647c478bd9Sstevel@tonic-gate
2657c478bd9Sstevel@tonic-gate
2667c478bd9Sstevel@tonic-gate
2677c478bd9Sstevel@tonic-gate if (retval = krb5_parse_name(context, userprincstr,
2684a7ceb24Sjjj &(kadm5_userprinc.principal))) {
2693bfb48feSsemery __pam_log(LOG_AUTH | LOG_ERR,
2704a7ceb24Sjjj "PAM-KRB5-AUTOMIGRATE (auth): Error while "
2714a7ceb24Sjjj "parsing user principal name: %s",
2724a7ceb24Sjjj error_message(retval));
2737c478bd9Sstevel@tonic-gate goto cleanup;
2747c478bd9Sstevel@tonic-gate }
2757c478bd9Sstevel@tonic-gate
2767c478bd9Sstevel@tonic-gate if (expire_pw) {
2777c478bd9Sstevel@tonic-gate (void) time(&now);
2783441f6a1Ssemery /*
2793441f6a1Ssemery * The local system time could actually be later than the
2803441f6a1Ssemery * system time of the KDC we are authenticating to. We expire
2813441f6a1Ssemery * w/the local system time minus clockskew so that we are
2823441f6a1Ssemery * assured that it is expired on this login, not the next.
2833441f6a1Ssemery */
2843441f6a1Ssemery now -= context->clockskew;
2857c478bd9Sstevel@tonic-gate kadm5_userprinc.pw_expiration = now;
2867c478bd9Sstevel@tonic-gate mask |= KADM5_PW_EXPIRATION;
2877c478bd9Sstevel@tonic-gate }
2887c478bd9Sstevel@tonic-gate
2897c478bd9Sstevel@tonic-gate mask |= KADM5_PRINCIPAL;
2907c478bd9Sstevel@tonic-gate retval = kadm5_create_principal(handle, &kadm5_userprinc,
2914a7ceb24Sjjj mask, password);
2927c478bd9Sstevel@tonic-gate if (retval) {
2937c478bd9Sstevel@tonic-gate switch (retval) {
2947c478bd9Sstevel@tonic-gate case KADM5_AUTH_ADD:
2957c478bd9Sstevel@tonic-gate if (debug)
2963bfb48feSsemery __pam_log(LOG_AUTH | LOG_DEBUG,
2977c478bd9Sstevel@tonic-gate "PAM-KRB5-AUTOMIGRATE (auth): %s does "
2987c478bd9Sstevel@tonic-gate "not have the ADD privilege "
2993bfb48feSsemery "for kadm5_create_principal: %s",
3007c478bd9Sstevel@tonic-gate svcprincstr, error_message(retval));
3017c478bd9Sstevel@tonic-gate break;
3027c478bd9Sstevel@tonic-gate
3037c478bd9Sstevel@tonic-gate default:
3043bfb48feSsemery __pam_log(LOG_AUTH | LOG_ERR,
3054a7ceb24Sjjj "PAM-KRB5-AUTOMIGRATE (auth): Generic error"
3064a7ceb24Sjjj "while doing kadm5_create_principal: %s",
3074a7ceb24Sjjj error_message(retval));
3087c478bd9Sstevel@tonic-gate break;
3097c478bd9Sstevel@tonic-gate }
3107c478bd9Sstevel@tonic-gate goto cleanup;
3117c478bd9Sstevel@tonic-gate }
3127c478bd9Sstevel@tonic-gate
3137c478bd9Sstevel@tonic-gate /*
3147c478bd9Sstevel@tonic-gate * Success, new user principal has been added !
3157c478bd9Sstevel@tonic-gate */
3167c478bd9Sstevel@tonic-gate if (!quiet) {
3177c478bd9Sstevel@tonic-gate char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];
3187c478bd9Sstevel@tonic-gate
3197c478bd9Sstevel@tonic-gate (void) snprintf(messages[0], sizeof (messages[0]),
3204a7ceb24Sjjj dgettext(TEXT_DOMAIN, "\nUser `%s' has been "
3214a7ceb24Sjjj "automatically migrated to the Kerberos realm %s\n"),
3224a7ceb24Sjjj user, def_realm);
3237c478bd9Sstevel@tonic-gate (void) __pam_display_msg(pamh, PAM_TEXT_INFO, 1,
3244a7ceb24Sjjj messages, NULL);
3257c478bd9Sstevel@tonic-gate }
3267c478bd9Sstevel@tonic-gate if (debug)
3273bfb48feSsemery __pam_log(LOG_AUTH | LOG_DEBUG,
3284a7ceb24Sjjj "PAM-KRB5-AUTOMIGRATE (auth): User %s "
3294a7ceb24Sjjj "has been added to the Kerberos KDC database",
3304a7ceb24Sjjj userprincstr);
3317c478bd9Sstevel@tonic-gate
3327c478bd9Sstevel@tonic-gate /*
3337c478bd9Sstevel@tonic-gate * Since this is a new krb5 principal, do a pam_set_data()
334*bbf21555SRichard Lowe * for possible use by the acct_mgmt routine of pam_krb5(7)
3357c478bd9Sstevel@tonic-gate */
3367c478bd9Sstevel@tonic-gate if (pam_get_data(pamh, KRB5_AUTOMIGRATE_DATA,
3374a7ceb24Sjjj (const void **)&olduserdata) == PAM_SUCCESS) {
3387c478bd9Sstevel@tonic-gate /*
3397c478bd9Sstevel@tonic-gate * We created a princ in a previous run on the same handle and
3407c478bd9Sstevel@tonic-gate * it must have been for a different PAM_USER / princ name,
3417c478bd9Sstevel@tonic-gate * otherwise we couldn't succeed here, unless that princ
3427c478bd9Sstevel@tonic-gate * got deleted.
3437c478bd9Sstevel@tonic-gate */
3444a7ceb24Sjjj if (olduserdata != NULL)
3454a7ceb24Sjjj free(olduserdata);
3467c478bd9Sstevel@tonic-gate }
3477c478bd9Sstevel@tonic-gate if (pam_set_data(pamh, KRB5_AUTOMIGRATE_DATA, userdata,
3484a7ceb24Sjjj krb5_migrate_cleanup) != PAM_SUCCESS) {
3494a7ceb24Sjjj free(userdata);
3507c478bd9Sstevel@tonic-gate }
3517c478bd9Sstevel@tonic-gate
3527c478bd9Sstevel@tonic-gate cleanup:
3537c478bd9Sstevel@tonic-gate if (service)
3547c478bd9Sstevel@tonic-gate free(service);
3557c478bd9Sstevel@tonic-gate if (kadmin_princ)
3567c478bd9Sstevel@tonic-gate free(kadmin_princ);
3577c478bd9Sstevel@tonic-gate if (svcprincstr)
3587c478bd9Sstevel@tonic-gate free(svcprincstr);
3597c478bd9Sstevel@tonic-gate if (userprincstr)
3607c478bd9Sstevel@tonic-gate free(userprincstr);
3617c478bd9Sstevel@tonic-gate if (def_realm)
3627c478bd9Sstevel@tonic-gate free(def_realm);
3637c478bd9Sstevel@tonic-gate (void) kadm5_free_principal_ent(handle, &kadm5_userprinc);
3647c478bd9Sstevel@tonic-gate (void) kadm5_destroy((void *)handle);
3657c478bd9Sstevel@tonic-gate if (context != NULL)
3667c478bd9Sstevel@tonic-gate krb5_free_context(context);
3677c478bd9Sstevel@tonic-gate
3687c478bd9Sstevel@tonic-gate return (PAM_IGNORE);
3697c478bd9Sstevel@tonic-gate }
3707c478bd9Sstevel@tonic-gate
3717c478bd9Sstevel@tonic-gate /*ARGSUSED*/
3727c478bd9Sstevel@tonic-gate static void
krb5_migrate_cleanup(pam_handle_t * pamh,void * data,int pam_status)3737c478bd9Sstevel@tonic-gate krb5_migrate_cleanup(pam_handle_t *pamh, void *data, int pam_status) {
3747c478bd9Sstevel@tonic-gate if (data != NULL)
3757c478bd9Sstevel@tonic-gate free((char *)data);
3767c478bd9Sstevel@tonic-gate }
3777c478bd9Sstevel@tonic-gate
3787c478bd9Sstevel@tonic-gate /*ARGSUSED*/
3797c478bd9Sstevel@tonic-gate int
pam_sm_setcred(pam_handle_t * pamh,int flags,int argc,const char ** argv)3807c478bd9Sstevel@tonic-gate pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
3817c478bd9Sstevel@tonic-gate {
3827c478bd9Sstevel@tonic-gate return (PAM_IGNORE);
3837c478bd9Sstevel@tonic-gate }
384