1*54925bf6Swillf /* 2*54925bf6Swillf * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 3*54925bf6Swillf * Use is subject to license terms. 4*54925bf6Swillf */ 5*54925bf6Swillf 6*54925bf6Swillf #pragma ident "%Z%%M% %I% %E% SMI" 7*54925bf6Swillf 8*54925bf6Swillf /* 9*54925bf6Swillf * kadmin/ldap_util/kdb5_ldap_realm.c 10*54925bf6Swillf * 11*54925bf6Swillf * Copyright 1990,1991,2001, 2002 by the Massachusetts Institute of Technology. 12*54925bf6Swillf * All Rights Reserved. 13*54925bf6Swillf * 14*54925bf6Swillf * Export of this software from the United States of America may 15*54925bf6Swillf * require a specific license from the United States Government. 16*54925bf6Swillf * It is the responsibility of any person or organization contemplating 17*54925bf6Swillf * export to obtain such a license before exporting. 18*54925bf6Swillf * 19*54925bf6Swillf * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 20*54925bf6Swillf * distribute this software and its documentation for any purpose and 21*54925bf6Swillf * without fee is hereby granted, provided that the above copyright 22*54925bf6Swillf * notice appear in all copies and that both that copyright notice and 23*54925bf6Swillf * this permission notice appear in supporting documentation, and that 24*54925bf6Swillf * the name of M.I.T. not be used in advertising or publicity pertaining 25*54925bf6Swillf * to distribution of the software without specific, written prior 26*54925bf6Swillf * permission. Furthermore if you modify this software you must label 27*54925bf6Swillf * your software as modified software and not distribute it in such a 28*54925bf6Swillf * fashion that it might be confused with the original M.I.T. software. 29*54925bf6Swillf * M.I.T. makes no representations about the suitability of 30*54925bf6Swillf * this software for any purpose. It is provided "as is" without express 31*54925bf6Swillf * or implied warranty. 32*54925bf6Swillf */ 33*54925bf6Swillf 34*54925bf6Swillf /* 35*54925bf6Swillf * Copyright (C) 1998 by the FundsXpress, INC. 36*54925bf6Swillf * 37*54925bf6Swillf * All rights reserved. 38*54925bf6Swillf * 39*54925bf6Swillf * Export of this software from the United States of America may require 40*54925bf6Swillf * a specific license from the United States Government. It is the 41*54925bf6Swillf * responsibility of any person or organization contemplating export to 42*54925bf6Swillf * obtain such a license before exporting. 43*54925bf6Swillf * 44*54925bf6Swillf * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 45*54925bf6Swillf * distribute this software and its documentation for any purpose and 46*54925bf6Swillf * without fee is hereby granted, provided that the above copyright 47*54925bf6Swillf * notice appear in all copies and that both that copyright notice and 48*54925bf6Swillf * this permission notice appear in supporting documentation, and that 49*54925bf6Swillf * the name of FundsXpress. not be used in advertising or publicity pertaining 50*54925bf6Swillf * to distribution of the software without specific, written prior 51*54925bf6Swillf * permission. FundsXpress makes no representations about the suitability of 52*54925bf6Swillf * this software for any purpose. It is provided "as is" without express 53*54925bf6Swillf * or implied warranty. 54*54925bf6Swillf * 55*54925bf6Swillf * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 56*54925bf6Swillf * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 57*54925bf6Swillf * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 58*54925bf6Swillf */ 59*54925bf6Swillf 60*54925bf6Swillf /* Copyright (c) 2004-2005, Novell, Inc. 61*54925bf6Swillf * All rights reserved. 62*54925bf6Swillf * 63*54925bf6Swillf * Redistribution and use in source and binary forms, with or without 64*54925bf6Swillf * modification, are permitted provided that the following conditions are met: 65*54925bf6Swillf * 66*54925bf6Swillf * * Redistributions of source code must retain the above copyright notice, 67*54925bf6Swillf * this list of conditions and the following disclaimer. 68*54925bf6Swillf * * Redistributions in binary form must reproduce the above copyright 69*54925bf6Swillf * notice, this list of conditions and the following disclaimer in the 70*54925bf6Swillf * documentation and/or other materials provided with the distribution. 71*54925bf6Swillf * * The copyright holder's name is not used to endorse or promote products 72*54925bf6Swillf * derived from this software without specific prior written permission. 73*54925bf6Swillf * 74*54925bf6Swillf * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 75*54925bf6Swillf * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 76*54925bf6Swillf * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 77*54925bf6Swillf * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 78*54925bf6Swillf * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 79*54925bf6Swillf * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 80*54925bf6Swillf * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 81*54925bf6Swillf * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 82*54925bf6Swillf * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 83*54925bf6Swillf * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 84*54925bf6Swillf * POSSIBILITY OF SUCH DAMAGE. 85*54925bf6Swillf */ 86*54925bf6Swillf 87*54925bf6Swillf /* 88*54925bf6Swillf * Create / Modify / Destroy / View / List realm(s) 89*54925bf6Swillf */ 90*54925bf6Swillf 91*54925bf6Swillf /* Needed for getting the definition of KRB5_TL_DB_ARGS */ 92*54925bf6Swillf #define SECURID 93*54925bf6Swillf 94*54925bf6Swillf #include <stdio.h> 95*54925bf6Swillf #include <k5-int.h> 96*54925bf6Swillf #include <kadm5/admin.h> 97*54925bf6Swillf #include <libintl.h> 98*54925bf6Swillf #include <locale.h> 99*54925bf6Swillf #include "kdb5_ldap_util.h" 100*54925bf6Swillf #include "kdb5_ldap_list.h" 101*54925bf6Swillf #include <ldap_principal.h> 102*54925bf6Swillf #include <ldap_krbcontainer.h> 103*54925bf6Swillf extern time_t get_date(char *); /* kadmin/cli/getdate.o */ 104*54925bf6Swillf 105*54925bf6Swillf char *yes = "yes\n"; /* \n to compare against result of fgets */ 106*54925bf6Swillf krb5_key_salt_tuple def_kslist = {ENCTYPE_DES_CBC_CRC, KRB5_KDB_SALTTYPE_NORMAL}; 107*54925bf6Swillf 108*54925bf6Swillf struct realm_info rblock = { 109*54925bf6Swillf KRB5_KDB_MAX_LIFE, 110*54925bf6Swillf KRB5_KDB_MAX_RLIFE, 111*54925bf6Swillf KRB5_KDB_EXPIRATION, 112*54925bf6Swillf KRB5_KDB_DEF_FLAGS, 113*54925bf6Swillf (krb5_keyblock *) NULL, 114*54925bf6Swillf 1, 115*54925bf6Swillf &def_kslist 116*54925bf6Swillf }; 117*54925bf6Swillf 118*54925bf6Swillf krb5_data tgt_princ_entries[] = { 119*54925bf6Swillf {0, KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME}, 120*54925bf6Swillf {0, 0, 0} }; 121*54925bf6Swillf 122*54925bf6Swillf krb5_data db_creator_entries[] = { 123*54925bf6Swillf {0, sizeof("db_creation")-1, "db_creation"} }; 124*54925bf6Swillf 125*54925bf6Swillf 126*54925bf6Swillf static krb5_principal_data db_create_princ = { 127*54925bf6Swillf 0, /* magic number */ 128*54925bf6Swillf {0, 0, 0}, /* krb5_data realm */ 129*54925bf6Swillf db_creator_entries, /* krb5_data *data */ 130*54925bf6Swillf 1, /* int length */ 131*54925bf6Swillf KRB5_NT_SRV_INST /* int type */ 132*54925bf6Swillf }; 133*54925bf6Swillf 134*54925bf6Swillf extern char *mkey_password; 135*54925bf6Swillf extern char *progname; 136*54925bf6Swillf extern kadm5_config_params global_params; 137*54925bf6Swillf 138*54925bf6Swillf static void print_realm_params(krb5_ldap_realm_params *rparams, int mask); 139*54925bf6Swillf static int kdb_ldap_create_principal (krb5_context context, krb5_principal 140*54925bf6Swillf princ, enum ap_op op, struct realm_info *pblock); 141*54925bf6Swillf 142*54925bf6Swillf 143*54925bf6Swillf static char *strdur(time_t duration); 144*54925bf6Swillf static int get_ticket_policy(krb5_ldap_realm_params *rparams, int *i, char *argv[],int argc); 145*54925bf6Swillf static krb5_error_code krb5_dbe_update_mod_princ_data_new (krb5_context context, krb5_db_entry *entry, krb5_timestamp mod_date, krb5_const_principal mod_princ); 146*54925bf6Swillf static krb5_error_code krb5_dbe_update_tl_data_new ( krb5_context context, krb5_db_entry *entry, krb5_tl_data *new_tl_data); 147*54925bf6Swillf 148*54925bf6Swillf #define ADMIN_LIFETIME 60*60*3 /* 3 hours */ 149*54925bf6Swillf #define CHANGEPW_LIFETIME 60*5 /* 5 minutes */ 150*54925bf6Swillf 151*54925bf6Swillf static int get_ticket_policy(rparams,i,argv,argc) 152*54925bf6Swillf krb5_ldap_realm_params *rparams; 153*54925bf6Swillf int *i; 154*54925bf6Swillf char *argv[]; 155*54925bf6Swillf int argc; 156*54925bf6Swillf { 157*54925bf6Swillf time_t date; 158*54925bf6Swillf time_t now; 159*54925bf6Swillf int mask = 0; 160*54925bf6Swillf krb5_error_code retval = 0; 161*54925bf6Swillf krb5_boolean no_msg = FALSE; 162*54925bf6Swillf 163*54925bf6Swillf krb5_boolean print_usage = FALSE; 164*54925bf6Swillf char *me = argv[0]; 165*54925bf6Swillf 166*54925bf6Swillf time(&now); 167*54925bf6Swillf if (!strcmp(argv[*i], "-maxtktlife")) { 168*54925bf6Swillf if (++(*i) > argc-1) 169*54925bf6Swillf goto err_usage; 170*54925bf6Swillf date = get_date(argv[*i]); 171*54925bf6Swillf if (date == (time_t)(-1)) { 172*54925bf6Swillf retval = EINVAL; 173*54925bf6Swillf com_err (me, retval, gettext("while providing time specification")); 174*54925bf6Swillf goto err_nomsg; 175*54925bf6Swillf } 176*54925bf6Swillf rparams->max_life = date-now; 177*54925bf6Swillf mask |= LDAP_REALM_MAXTICKETLIFE; 178*54925bf6Swillf } 179*54925bf6Swillf 180*54925bf6Swillf 181*54925bf6Swillf else if (!strcmp(argv[*i], "-maxrenewlife")) { 182*54925bf6Swillf if (++(*i) > argc-1) 183*54925bf6Swillf goto err_usage; 184*54925bf6Swillf 185*54925bf6Swillf date = get_date(argv[*i]); 186*54925bf6Swillf if (date == (time_t)(-1)) { 187*54925bf6Swillf retval = EINVAL; 188*54925bf6Swillf com_err (me, retval, gettext("while providing time specification")); 189*54925bf6Swillf goto err_nomsg; 190*54925bf6Swillf } 191*54925bf6Swillf rparams->max_renewable_life = date-now; 192*54925bf6Swillf mask |= LDAP_REALM_MAXRENEWLIFE; 193*54925bf6Swillf } else if (!strcmp((argv[*i] + 1), "allow_postdated")) { 194*54925bf6Swillf if (*(argv[*i]) == '+') 195*54925bf6Swillf rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_POSTDATED); 196*54925bf6Swillf else if (*(argv[*i]) == '-') 197*54925bf6Swillf rparams->tktflags |= KRB5_KDB_DISALLOW_POSTDATED; 198*54925bf6Swillf else 199*54925bf6Swillf goto err_usage; 200*54925bf6Swillf 201*54925bf6Swillf mask |= LDAP_REALM_KRBTICKETFLAGS; 202*54925bf6Swillf } else if (!strcmp((argv[*i] + 1), "allow_forwardable")) { 203*54925bf6Swillf if (*(argv[*i]) == '+') 204*54925bf6Swillf rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_FORWARDABLE); 205*54925bf6Swillf 206*54925bf6Swillf else if (*(argv[*i]) == '-') 207*54925bf6Swillf rparams->tktflags |= KRB5_KDB_DISALLOW_FORWARDABLE; 208*54925bf6Swillf else 209*54925bf6Swillf goto err_usage; 210*54925bf6Swillf 211*54925bf6Swillf mask |= LDAP_REALM_KRBTICKETFLAGS; 212*54925bf6Swillf } else if (!strcmp((argv[*i] + 1), "allow_renewable")) { 213*54925bf6Swillf if (*(argv[*i]) == '+') 214*54925bf6Swillf rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_RENEWABLE); 215*54925bf6Swillf else if (*(argv[*i]) == '-') 216*54925bf6Swillf rparams->tktflags |= KRB5_KDB_DISALLOW_RENEWABLE; 217*54925bf6Swillf else 218*54925bf6Swillf goto err_usage; 219*54925bf6Swillf 220*54925bf6Swillf mask |= LDAP_REALM_KRBTICKETFLAGS; 221*54925bf6Swillf } else if (!strcmp((argv[*i] + 1), "allow_proxiable")) { 222*54925bf6Swillf if (*(argv[*i]) == '+') 223*54925bf6Swillf rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_PROXIABLE); 224*54925bf6Swillf else if (*(argv[*i]) == '-') 225*54925bf6Swillf rparams->tktflags |= KRB5_KDB_DISALLOW_PROXIABLE; 226*54925bf6Swillf else 227*54925bf6Swillf goto err_usage; 228*54925bf6Swillf 229*54925bf6Swillf mask |= LDAP_REALM_KRBTICKETFLAGS; 230*54925bf6Swillf } else if (!strcmp((argv[*i] + 1), "allow_dup_skey")) { 231*54925bf6Swillf if (*(argv[*i]) == '+') 232*54925bf6Swillf rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_DUP_SKEY); 233*54925bf6Swillf else if (*(argv[*i]) == '-') 234*54925bf6Swillf rparams->tktflags |= KRB5_KDB_DISALLOW_DUP_SKEY; 235*54925bf6Swillf else 236*54925bf6Swillf goto err_usage; 237*54925bf6Swillf 238*54925bf6Swillf mask |= LDAP_REALM_KRBTICKETFLAGS; 239*54925bf6Swillf } 240*54925bf6Swillf 241*54925bf6Swillf else if (!strcmp((argv[*i] + 1), "requires_preauth")) { 242*54925bf6Swillf if (*(argv[*i]) == '+') 243*54925bf6Swillf rparams->tktflags |= KRB5_KDB_REQUIRES_PRE_AUTH; 244*54925bf6Swillf else if (*(argv[*i]) == '-') 245*54925bf6Swillf rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PRE_AUTH); 246*54925bf6Swillf else 247*54925bf6Swillf goto err_usage; 248*54925bf6Swillf 249*54925bf6Swillf mask |= LDAP_REALM_KRBTICKETFLAGS; 250*54925bf6Swillf } else if (!strcmp((argv[*i] + 1), "requires_hwauth")) { 251*54925bf6Swillf if (*(argv[*i]) == '+') 252*54925bf6Swillf rparams->tktflags |= KRB5_KDB_REQUIRES_HW_AUTH; 253*54925bf6Swillf else if (*(argv[*i]) == '-') 254*54925bf6Swillf rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_HW_AUTH); 255*54925bf6Swillf else 256*54925bf6Swillf goto err_usage; 257*54925bf6Swillf 258*54925bf6Swillf mask |= LDAP_REALM_KRBTICKETFLAGS; 259*54925bf6Swillf } else if (!strcmp((argv[*i] + 1), "allow_svr")) { 260*54925bf6Swillf if (*(argv[*i]) == '+') 261*54925bf6Swillf rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_SVR); 262*54925bf6Swillf else if (*(argv[*i]) == '-') 263*54925bf6Swillf rparams->tktflags |= KRB5_KDB_DISALLOW_SVR; 264*54925bf6Swillf else 265*54925bf6Swillf goto err_usage; 266*54925bf6Swillf 267*54925bf6Swillf mask |= LDAP_REALM_KRBTICKETFLAGS; 268*54925bf6Swillf } else if (!strcmp((argv[*i] + 1), "allow_tgs_req")) { 269*54925bf6Swillf if (*(argv[*i]) == '+') 270*54925bf6Swillf rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_TGT_BASED); 271*54925bf6Swillf else if (*(argv[*i]) == '-') 272*54925bf6Swillf rparams->tktflags |= KRB5_KDB_DISALLOW_TGT_BASED; 273*54925bf6Swillf else 274*54925bf6Swillf goto err_usage; 275*54925bf6Swillf 276*54925bf6Swillf mask |= LDAP_REALM_KRBTICKETFLAGS; 277*54925bf6Swillf } else if (!strcmp((argv[*i] + 1), "allow_tix")) { 278*54925bf6Swillf if (*(argv[*i]) == '+') 279*54925bf6Swillf rparams->tktflags &= (int)(~KRB5_KDB_DISALLOW_ALL_TIX); 280*54925bf6Swillf else if (*(argv[*i]) == '-') 281*54925bf6Swillf rparams->tktflags |= KRB5_KDB_DISALLOW_ALL_TIX; 282*54925bf6Swillf else 283*54925bf6Swillf goto err_usage; 284*54925bf6Swillf 285*54925bf6Swillf mask |= LDAP_REALM_KRBTICKETFLAGS; 286*54925bf6Swillf } else if (!strcmp((argv[*i] + 1), "needchange")) { 287*54925bf6Swillf if (*(argv[*i]) == '+') 288*54925bf6Swillf rparams->tktflags |= KRB5_KDB_REQUIRES_PWCHANGE; 289*54925bf6Swillf else if (*(argv[*i]) == '-') 290*54925bf6Swillf rparams->tktflags &= (int)(~KRB5_KDB_REQUIRES_PWCHANGE); 291*54925bf6Swillf else 292*54925bf6Swillf goto err_usage; 293*54925bf6Swillf 294*54925bf6Swillf mask |= LDAP_REALM_KRBTICKETFLAGS; 295*54925bf6Swillf } else if (!strcmp((argv[*i] + 1), "password_changing_service")) { 296*54925bf6Swillf if (*(argv[*i]) == '+') 297*54925bf6Swillf rparams->tktflags |= KRB5_KDB_PWCHANGE_SERVICE; 298*54925bf6Swillf else if (*(argv[*i]) == '-') 299*54925bf6Swillf rparams->tktflags &= (int)(~KRB5_KDB_PWCHANGE_SERVICE); 300*54925bf6Swillf else 301*54925bf6Swillf goto err_usage; 302*54925bf6Swillf 303*54925bf6Swillf mask |=LDAP_REALM_KRBTICKETFLAGS; 304*54925bf6Swillf } 305*54925bf6Swillf err_usage: 306*54925bf6Swillf print_usage = TRUE; 307*54925bf6Swillf 308*54925bf6Swillf err_nomsg: 309*54925bf6Swillf no_msg = TRUE; 310*54925bf6Swillf 311*54925bf6Swillf return mask; 312*54925bf6Swillf } 313*54925bf6Swillf 314*54925bf6Swillf /* 315*54925bf6Swillf * This function will create a realm on the LDAP Server, with 316*54925bf6Swillf * the specified attributes. 317*54925bf6Swillf */ 318*54925bf6Swillf void kdb5_ldap_create(argc, argv) 319*54925bf6Swillf int argc; 320*54925bf6Swillf char *argv[]; 321*54925bf6Swillf { 322*54925bf6Swillf krb5_error_code retval = 0; 323*54925bf6Swillf krb5_keyblock master_keyblock; 324*54925bf6Swillf krb5_ldap_realm_params *rparams = NULL; 325*54925bf6Swillf krb5_principal master_princ = NULL; 326*54925bf6Swillf kdb5_dal_handle *dal_handle = NULL; 327*54925bf6Swillf krb5_ldap_context *ldap_context=NULL; 328*54925bf6Swillf krb5_boolean realm_obj_created = FALSE; 329*54925bf6Swillf krb5_boolean create_complete = FALSE; 330*54925bf6Swillf krb5_boolean print_usage = FALSE; 331*54925bf6Swillf krb5_boolean no_msg = FALSE; 332*54925bf6Swillf char *oldcontainerref=NULL; 333*54925bf6Swillf char pw_str[1024]; 334*54925bf6Swillf int do_stash = 0; 335*54925bf6Swillf int i = 0; 336*54925bf6Swillf int mask = 0, ret_mask = 0; 337*54925bf6Swillf char **list = NULL; 338*54925bf6Swillf #ifdef HAVE_EDIRECTORY 339*54925bf6Swillf int rightsmask = 0; 340*54925bf6Swillf #endif 341*54925bf6Swillf 342*54925bf6Swillf memset(&master_keyblock, 0, sizeof(master_keyblock)); 343*54925bf6Swillf 344*54925bf6Swillf rparams = (krb5_ldap_realm_params *)malloc( 345*54925bf6Swillf sizeof(krb5_ldap_realm_params)); 346*54925bf6Swillf if (rparams == NULL) { 347*54925bf6Swillf retval = ENOMEM; 348*54925bf6Swillf goto cleanup; 349*54925bf6Swillf } 350*54925bf6Swillf memset(rparams, 0, sizeof(krb5_ldap_realm_params)); 351*54925bf6Swillf 352*54925bf6Swillf /* Parse the arguments */ 353*54925bf6Swillf for (i = 1; i < argc; i++) { 354*54925bf6Swillf if (!strcmp(argv[i], "-subtrees")) { 355*54925bf6Swillf if (++i > argc-1) 356*54925bf6Swillf goto err_usage; 357*54925bf6Swillf 358*54925bf6Swillf if(strncmp(argv[i], "", strlen(argv[i]))!=0) { 359*54925bf6Swillf list = (char **) calloc(MAX_LIST_ENTRIES, sizeof(char *)); 360*54925bf6Swillf if (list == NULL) { 361*54925bf6Swillf retval = ENOMEM; 362*54925bf6Swillf goto cleanup; 363*54925bf6Swillf } 364*54925bf6Swillf if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { 365*54925bf6Swillf free(list); 366*54925bf6Swillf list = NULL; 367*54925bf6Swillf goto cleanup; 368*54925bf6Swillf } 369*54925bf6Swillf 370*54925bf6Swillf rparams->subtreecount=0; 371*54925bf6Swillf while(list[rparams->subtreecount]!=NULL) 372*54925bf6Swillf (rparams->subtreecount)++; 373*54925bf6Swillf rparams->subtree = list; 374*54925bf6Swillf } else if(strncmp(argv[i], "", strlen(argv[i]))==0) { 375*54925bf6Swillf /* dont allow subtree value to be set at the root(NULL, "") of the tree */ 376*54925bf6Swillf com_err(argv[0], EINVAL, 377*54925bf6Swillf gettext("for subtree while creating realm '%s'"), 378*54925bf6Swillf global_params.realm); 379*54925bf6Swillf goto err_nomsg; 380*54925bf6Swillf } 381*54925bf6Swillf rparams->subtree[rparams->subtreecount] = NULL; 382*54925bf6Swillf mask |= LDAP_REALM_SUBTREE; 383*54925bf6Swillf } else if (!strcmp(argv[i], "-containerref")) { 384*54925bf6Swillf if (++i > argc-1) 385*54925bf6Swillf goto err_usage; 386*54925bf6Swillf if(strncmp(argv[i], "", strlen(argv[i]))==0) { 387*54925bf6Swillf /* dont allow containerref value to be set at the root(NULL, "") of the tree */ 388*54925bf6Swillf com_err(argv[0], EINVAL, 389*54925bf6Swillf gettext("for container reference while creating realm '%s'"), 390*54925bf6Swillf global_params.realm); 391*54925bf6Swillf goto err_nomsg; 392*54925bf6Swillf } 393*54925bf6Swillf rparams->containerref = strdup(argv[i]); 394*54925bf6Swillf if (rparams->containerref == NULL) { 395*54925bf6Swillf retval = ENOMEM; 396*54925bf6Swillf goto cleanup; 397*54925bf6Swillf } 398*54925bf6Swillf mask |= LDAP_REALM_CONTREF; 399*54925bf6Swillf } else if (!strcmp(argv[i], "-sscope")) { 400*54925bf6Swillf if (++i > argc-1) 401*54925bf6Swillf goto err_usage; 402*54925bf6Swillf /* Possible values for search scope are 403*54925bf6Swillf * one (or 1) and sub (or 2) 404*54925bf6Swillf */ 405*54925bf6Swillf if (!strcasecmp(argv[i], "one")) { 406*54925bf6Swillf rparams->search_scope = 1; 407*54925bf6Swillf } else if (!strcasecmp(argv[i], "sub")) { 408*54925bf6Swillf rparams->search_scope = 2; 409*54925bf6Swillf } else { 410*54925bf6Swillf rparams->search_scope = atoi(argv[i]); 411*54925bf6Swillf if ((rparams->search_scope != 1) && 412*54925bf6Swillf (rparams->search_scope != 2)) { 413*54925bf6Swillf com_err(argv[0], EINVAL, 414*54925bf6Swillf gettext("invalid search scope while creating realm '%s'"), 415*54925bf6Swillf global_params.realm); 416*54925bf6Swillf goto err_nomsg; 417*54925bf6Swillf } 418*54925bf6Swillf } 419*54925bf6Swillf mask |= LDAP_REALM_SEARCHSCOPE; 420*54925bf6Swillf } 421*54925bf6Swillf #ifdef HAVE_EDIRECTORY 422*54925bf6Swillf else if (!strcmp(argv[i], "-kdcdn")) { 423*54925bf6Swillf if (++i > argc-1) 424*54925bf6Swillf goto err_usage; 425*54925bf6Swillf rparams->kdcservers = (char **)malloc( 426*54925bf6Swillf sizeof(char *) * MAX_LIST_ENTRIES); 427*54925bf6Swillf if (rparams->kdcservers == NULL) { 428*54925bf6Swillf retval = ENOMEM; 429*54925bf6Swillf goto cleanup; 430*54925bf6Swillf } 431*54925bf6Swillf memset(rparams->kdcservers, 0, sizeof(char*)*MAX_LIST_ENTRIES); 432*54925bf6Swillf if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, 433*54925bf6Swillf rparams->kdcservers))) { 434*54925bf6Swillf goto cleanup; 435*54925bf6Swillf } 436*54925bf6Swillf mask |= LDAP_REALM_KDCSERVERS; 437*54925bf6Swillf } else if (!strcmp(argv[i], "-admindn")) { 438*54925bf6Swillf if (++i > argc-1) 439*54925bf6Swillf goto err_usage; 440*54925bf6Swillf rparams->adminservers = (char **)malloc( 441*54925bf6Swillf sizeof(char *) * MAX_LIST_ENTRIES); 442*54925bf6Swillf if (rparams->adminservers == NULL) { 443*54925bf6Swillf retval = ENOMEM; 444*54925bf6Swillf goto cleanup; 445*54925bf6Swillf } 446*54925bf6Swillf memset(rparams->adminservers, 0, sizeof(char*)*MAX_LIST_ENTRIES); 447*54925bf6Swillf if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, 448*54925bf6Swillf rparams->adminservers))) { 449*54925bf6Swillf goto cleanup; 450*54925bf6Swillf } 451*54925bf6Swillf mask |= LDAP_REALM_ADMINSERVERS; 452*54925bf6Swillf } else if (!strcmp(argv[i], "-pwddn")) { 453*54925bf6Swillf if (++i > argc-1) 454*54925bf6Swillf goto err_usage; 455*54925bf6Swillf rparams->passwdservers = (char **)malloc( 456*54925bf6Swillf sizeof(char *) * MAX_LIST_ENTRIES); 457*54925bf6Swillf if (rparams->passwdservers == NULL) { 458*54925bf6Swillf retval = ENOMEM; 459*54925bf6Swillf goto cleanup; 460*54925bf6Swillf } 461*54925bf6Swillf memset(rparams->passwdservers, 0, sizeof(char*)*MAX_LIST_ENTRIES); 462*54925bf6Swillf if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, 463*54925bf6Swillf rparams->passwdservers))) { 464*54925bf6Swillf goto cleanup; 465*54925bf6Swillf } 466*54925bf6Swillf mask |= LDAP_REALM_PASSWDSERVERS; 467*54925bf6Swillf } 468*54925bf6Swillf #endif 469*54925bf6Swillf else if (!strcmp(argv[i], "-s")) { 470*54925bf6Swillf do_stash = 1; 471*54925bf6Swillf } else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0) { 472*54925bf6Swillf mask|=ret_mask; 473*54925bf6Swillf } 474*54925bf6Swillf 475*54925bf6Swillf else { 476*54925bf6Swillf printf(gettext("'%s' is an invalid option\n"), argv[i]); 477*54925bf6Swillf goto err_usage; 478*54925bf6Swillf } 479*54925bf6Swillf } 480*54925bf6Swillf 481*54925bf6Swillf /* If the default enctype/salttype is not provided, use the 482*54925bf6Swillf * default values and also add to the list of supported 483*54925bf6Swillf * enctypes/salttype 484*54925bf6Swillf */ 485*54925bf6Swillf 486*54925bf6Swillf rblock.max_life = global_params.max_life; 487*54925bf6Swillf rblock.max_rlife = global_params.max_rlife; 488*54925bf6Swillf rblock.expiration = global_params.expiration; 489*54925bf6Swillf rblock.flags = global_params.flags; 490*54925bf6Swillf rblock.nkslist = global_params.num_keysalts; 491*54925bf6Swillf rblock.kslist = global_params.keysalts; 492*54925bf6Swillf 493*54925bf6Swillf krb5_princ_set_realm_data(util_context, &db_create_princ, global_params.realm); 494*54925bf6Swillf krb5_princ_set_realm_length(util_context, &db_create_princ, strlen(global_params.realm)); 495*54925bf6Swillf 496*54925bf6Swillf printf(gettext("Initializing database for realm '%s'\n"), global_params.realm); 497*54925bf6Swillf 498*54925bf6Swillf if (!mkey_password) { 499*54925bf6Swillf unsigned int pw_size; 500*54925bf6Swillf printf(gettext("You will be prompted for the database Master Password.\n")); 501*54925bf6Swillf printf(gettext("It is important that you NOT FORGET this password.\n")); 502*54925bf6Swillf fflush(stdout); 503*54925bf6Swillf 504*54925bf6Swillf pw_size = sizeof (pw_str); 505*54925bf6Swillf memset(pw_str, 0, pw_size); 506*54925bf6Swillf 507*54925bf6Swillf retval = krb5_read_password(util_context, KRB5_KDC_MKEY_1, KRB5_KDC_MKEY_2, 508*54925bf6Swillf pw_str, &pw_size); 509*54925bf6Swillf if (retval) { 510*54925bf6Swillf com_err(argv[0], retval, gettext("while reading master key from keyboard")); 511*54925bf6Swillf goto err_nomsg; 512*54925bf6Swillf } 513*54925bf6Swillf mkey_password = pw_str; 514*54925bf6Swillf } 515*54925bf6Swillf 516*54925bf6Swillf rparams->mkey.enctype = global_params.enctype; 517*54925bf6Swillf /* We are sure that 'mkey_password' is a regular string ... */ 518*54925bf6Swillf rparams->mkey.length = strlen(mkey_password) + 1; 519*54925bf6Swillf rparams->mkey.contents = (krb5_octet *)strdup(mkey_password); 520*54925bf6Swillf if (rparams->mkey.contents == NULL) { 521*54925bf6Swillf retval = ENOMEM; 522*54925bf6Swillf goto cleanup; 523*54925bf6Swillf } 524*54925bf6Swillf 525*54925bf6Swillf rparams->realm_name = strdup(global_params.realm); 526*54925bf6Swillf if (rparams->realm_name == NULL) { 527*54925bf6Swillf retval = ENOMEM; 528*54925bf6Swillf com_err(argv[0], ENOMEM, gettext("while creating realm '%s'"), 529*54925bf6Swillf global_params.realm); 530*54925bf6Swillf goto err_nomsg; 531*54925bf6Swillf } 532*54925bf6Swillf 533*54925bf6Swillf dal_handle = (kdb5_dal_handle *) util_context->db_context; 534*54925bf6Swillf ldap_context = (krb5_ldap_context *) dal_handle->db_context; 535*54925bf6Swillf if (!ldap_context) { 536*54925bf6Swillf retval = EINVAL; 537*54925bf6Swillf goto cleanup; 538*54925bf6Swillf } 539*54925bf6Swillf 540*54925bf6Swillf /* read the kerberos container */ 541*54925bf6Swillf if ((retval=krb5_ldap_read_krbcontainer_params (util_context, 542*54925bf6Swillf &(ldap_context->krbcontainer))) == KRB5_KDB_NOENTRY) { 543*54925bf6Swillf /* Prompt the user for entering the DN of Kerberos container */ 544*54925bf6Swillf char krb_location[MAX_KRB_CONTAINER_LEN]; 545*54925bf6Swillf krb5_ldap_krbcontainer_params kparams; 546*54925bf6Swillf int krb_location_len = 0; 547*54925bf6Swillf memset(&kparams, 0, sizeof(kparams)); 548*54925bf6Swillf 549*54925bf6Swillf /* Read the kerberos container location from configuration file */ 550*54925bf6Swillf if (ldap_context->conf_section) { 551*54925bf6Swillf if ((retval=profile_get_string(util_context->profile, 552*54925bf6Swillf KDB_MODULE_SECTION, ldap_context->conf_section, 553*54925bf6Swillf "ldap_kerberos_container_dn", NULL, 554*54925bf6Swillf &kparams.DN)) != 0) { 555*54925bf6Swillf goto cleanup; 556*54925bf6Swillf } 557*54925bf6Swillf } 558*54925bf6Swillf if (kparams.DN == NULL) { 559*54925bf6Swillf if ((retval=profile_get_string(util_context->profile, 560*54925bf6Swillf KDB_MODULE_DEF_SECTION, 561*54925bf6Swillf "ldap_kerberos_container_dn", NULL, 562*54925bf6Swillf NULL, &kparams.DN)) != 0) { 563*54925bf6Swillf goto cleanup; 564*54925bf6Swillf } 565*54925bf6Swillf } 566*54925bf6Swillf 567*54925bf6Swillf printf(gettext("\nKerberos container is missing. Creating now...\n")); 568*54925bf6Swillf if (kparams.DN == NULL) { 569*54925bf6Swillf #ifdef HAVE_EDIRECTORY 570*54925bf6Swillf printf(gettext("Enter DN of Kerberos container [cn=Kerberos,cn=Security]: ")); 571*54925bf6Swillf #else 572*54925bf6Swillf printf(gettext("Enter DN of Kerberos container: ")); 573*54925bf6Swillf #endif 574*54925bf6Swillf if (fgets(krb_location, MAX_KRB_CONTAINER_LEN, stdin) != NULL) { 575*54925bf6Swillf /* Remove the newline character at the end */ 576*54925bf6Swillf krb_location_len = strlen(krb_location); 577*54925bf6Swillf if ((krb_location[krb_location_len - 1] == '\n') || 578*54925bf6Swillf (krb_location[krb_location_len - 1] == '\r')) { 579*54925bf6Swillf krb_location[krb_location_len - 1] = '\0'; 580*54925bf6Swillf krb_location_len--; 581*54925bf6Swillf } 582*54925bf6Swillf /* If the user has not given any input, take the default location */ 583*54925bf6Swillf else if (krb_location[0] == '\0') 584*54925bf6Swillf kparams.DN = NULL; 585*54925bf6Swillf else 586*54925bf6Swillf kparams.DN = krb_location; 587*54925bf6Swillf } else 588*54925bf6Swillf kparams.DN = NULL; 589*54925bf6Swillf } 590*54925bf6Swillf 591*54925bf6Swillf /* create the kerberos container */ 592*54925bf6Swillf retval = krb5_ldap_create_krbcontainer(util_context, 593*54925bf6Swillf ((kparams.DN != NULL) ? &kparams : NULL)); 594*54925bf6Swillf if (retval) 595*54925bf6Swillf goto cleanup; 596*54925bf6Swillf 597*54925bf6Swillf retval = krb5_ldap_read_krbcontainer_params(util_context, 598*54925bf6Swillf &(ldap_context->krbcontainer)); 599*54925bf6Swillf if (retval) { 600*54925bf6Swillf com_err(argv[0], retval, gettext("while reading kerberos container information")); 601*54925bf6Swillf goto cleanup; 602*54925bf6Swillf } 603*54925bf6Swillf } else if (retval) { 604*54925bf6Swillf com_err(argv[0], retval, gettext("while reading kerberos container information")); 605*54925bf6Swillf goto cleanup; 606*54925bf6Swillf } 607*54925bf6Swillf 608*54925bf6Swillf if ((retval = krb5_ldap_create_realm(util_context, 609*54925bf6Swillf /* global_params.realm, */ rparams, mask))) { 610*54925bf6Swillf goto cleanup; 611*54925bf6Swillf } 612*54925bf6Swillf 613*54925bf6Swillf /* We just created the Realm container. Here starts our transaction tracking */ 614*54925bf6Swillf realm_obj_created = TRUE; 615*54925bf6Swillf 616*54925bf6Swillf if ((retval = krb5_ldap_read_realm_params(util_context, 617*54925bf6Swillf global_params.realm, 618*54925bf6Swillf &(ldap_context->lrparams), 619*54925bf6Swillf &mask))) { 620*54925bf6Swillf com_err(argv[0], retval, gettext("while reading information of realm '%s'"), 621*54925bf6Swillf global_params.realm); 622*54925bf6Swillf goto err_nomsg; 623*54925bf6Swillf } 624*54925bf6Swillf ldap_context->lrparams->realm_name = strdup(global_params.realm); 625*54925bf6Swillf if (ldap_context->lrparams->realm_name == NULL) { 626*54925bf6Swillf retval = ENOMEM; 627*54925bf6Swillf goto cleanup; 628*54925bf6Swillf } 629*54925bf6Swillf 630*54925bf6Swillf /* assemble & parse the master key name */ 631*54925bf6Swillf if ((retval = krb5_db_setup_mkey_name(util_context, 632*54925bf6Swillf global_params.mkey_name, 633*54925bf6Swillf global_params.realm, 634*54925bf6Swillf 0, &master_princ))) { 635*54925bf6Swillf com_err(argv[0], retval, gettext("while setting up master key name")); 636*54925bf6Swillf goto err_nomsg; 637*54925bf6Swillf } 638*54925bf6Swillf 639*54925bf6Swillf /* Obtain master key from master password */ 640*54925bf6Swillf { 641*54925bf6Swillf krb5_data master_salt, pwd; 642*54925bf6Swillf 643*54925bf6Swillf pwd.data = mkey_password; 644*54925bf6Swillf pwd.length = strlen(mkey_password); 645*54925bf6Swillf retval = krb5_principal2salt(util_context, master_princ, &master_salt); 646*54925bf6Swillf if (retval) { 647*54925bf6Swillf com_err(argv[0], retval, gettext("while calculating master key salt")); 648*54925bf6Swillf goto err_nomsg; 649*54925bf6Swillf } 650*54925bf6Swillf 651*54925bf6Swillf retval = krb5_c_string_to_key(util_context, rparams->mkey.enctype, 652*54925bf6Swillf &pwd, &master_salt, &master_keyblock); 653*54925bf6Swillf 654*54925bf6Swillf if (master_salt.data) 655*54925bf6Swillf free(master_salt.data); 656*54925bf6Swillf 657*54925bf6Swillf if (retval) { 658*54925bf6Swillf com_err(argv[0], retval, gettext("while transforming master key from password")); 659*54925bf6Swillf goto err_nomsg; 660*54925bf6Swillf } 661*54925bf6Swillf 662*54925bf6Swillf } 663*54925bf6Swillf 664*54925bf6Swillf rblock.key = &master_keyblock; 665*54925bf6Swillf ldap_context->lrparams->mkey = master_keyblock; 666*54925bf6Swillf ldap_context->lrparams->mkey.contents = (krb5_octet *) malloc 667*54925bf6Swillf (master_keyblock.length); 668*54925bf6Swillf if (ldap_context->lrparams->mkey.contents == NULL) { 669*54925bf6Swillf retval = ENOMEM; 670*54925bf6Swillf goto cleanup; 671*54925bf6Swillf } 672*54925bf6Swillf memcpy (ldap_context->lrparams->mkey.contents, master_keyblock.contents, 673*54925bf6Swillf master_keyblock.length); 674*54925bf6Swillf 675*54925bf6Swillf /* Create special principals inside the realm subtree */ 676*54925bf6Swillf { 677*54925bf6Swillf char princ_name[MAX_PRINC_SIZE]; 678*54925bf6Swillf krb5_principal_data tgt_princ = { 679*54925bf6Swillf 0, /* magic number */ 680*54925bf6Swillf {0, 0, 0}, /* krb5_data realm */ 681*54925bf6Swillf tgt_princ_entries, /* krb5_data *data */ 682*54925bf6Swillf 2, /* int length */ 683*54925bf6Swillf KRB5_NT_SRV_INST /* int type */ 684*54925bf6Swillf }; 685*54925bf6Swillf krb5_principal p, temp_p=NULL; 686*54925bf6Swillf 687*54925bf6Swillf krb5_princ_set_realm_data(util_context, &tgt_princ, global_params.realm); 688*54925bf6Swillf krb5_princ_set_realm_length(util_context, &tgt_princ, strlen(global_params.realm)); 689*54925bf6Swillf krb5_princ_component(util_context, &tgt_princ,1)->data = global_params.realm; 690*54925bf6Swillf krb5_princ_component(util_context, &tgt_princ,1)->length = strlen(global_params.realm); 691*54925bf6Swillf /* The container reference value is set to NULL, to avoid service principals 692*54925bf6Swillf * getting created within the container reference at realm creation */ 693*54925bf6Swillf if (ldap_context->lrparams->containerref != NULL) { 694*54925bf6Swillf oldcontainerref = ldap_context->lrparams->containerref; 695*54925bf6Swillf ldap_context->lrparams->containerref = NULL; 696*54925bf6Swillf } 697*54925bf6Swillf 698*54925bf6Swillf /* Create 'K/M' ... */ 699*54925bf6Swillf rblock.flags |= KRB5_KDB_DISALLOW_ALL_TIX; 700*54925bf6Swillf if ((retval = kdb_ldap_create_principal(util_context, master_princ, MASTER_KEY, &rblock))) { 701*54925bf6Swillf com_err(argv[0], retval, gettext("while adding entries to the database")); 702*54925bf6Swillf goto err_nomsg; 703*54925bf6Swillf } 704*54925bf6Swillf 705*54925bf6Swillf /* Create 'krbtgt' ... */ 706*54925bf6Swillf rblock.flags = 0; /* reset the flags */ 707*54925bf6Swillf if ((retval = kdb_ldap_create_principal(util_context, &tgt_princ, TGT_KEY, &rblock))) { 708*54925bf6Swillf com_err(argv[0], retval, gettext("while adding entries to the database")); 709*54925bf6Swillf goto err_nomsg; 710*54925bf6Swillf } 711*54925bf6Swillf /* 712*54925bf6Swillf * Solaris Kerberos: 713*54925bf6Swillf * The kadmin/admin principal is unused on Solaris. This principal is used 714*54925bf6Swillf * in AUTH_GSSAPI but Solaris doesn't support AUTH_GSSAPI. RPCSEC_GSS can only 715*54925bf6Swillf * be used with host-based principals. 716*54925bf6Swillf * 717*54925bf6Swillf */ 718*54925bf6Swillf #if 0 /* ************ Begin IFDEF'ed OUT ***************************** */ 719*54925bf6Swillf /* Create 'kadmin/admin' ... */ 720*54925bf6Swillf snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_ADMIN_SERVICE, global_params.realm); 721*54925bf6Swillf if ((retval = krb5_parse_name(util_context, princ_name, &p))) { 722*54925bf6Swillf com_err(argv[0], retval, gettext("while adding entries to the database")); 723*54925bf6Swillf goto err_nomsg; 724*54925bf6Swillf } 725*54925bf6Swillf rblock.max_life = ADMIN_LIFETIME; 726*54925bf6Swillf rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED; 727*54925bf6Swillf if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) { 728*54925bf6Swillf krb5_free_principal(util_context, p); 729*54925bf6Swillf com_err(argv[0], retval, gettext("while adding entries to the database")); 730*54925bf6Swillf goto err_nomsg; 731*54925bf6Swillf } 732*54925bf6Swillf krb5_free_principal(util_context, p); 733*54925bf6Swillf #endif /* ************** END IFDEF'ed OUT ***************************** */ 734*54925bf6Swillf 735*54925bf6Swillf /* Create 'kadmin/changepw' ... */ 736*54925bf6Swillf snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_CHANGEPW_SERVICE, global_params.realm); 737*54925bf6Swillf if ((retval = krb5_parse_name(util_context, princ_name, &p))) { 738*54925bf6Swillf com_err(argv[0], retval, gettext("while adding entries to the database")); 739*54925bf6Swillf goto err_nomsg; 740*54925bf6Swillf } 741*54925bf6Swillf rblock.max_life = CHANGEPW_LIFETIME; 742*54925bf6Swillf rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED | KRB5_KDB_PWCHANGE_SERVICE; 743*54925bf6Swillf if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) { 744*54925bf6Swillf krb5_free_principal(util_context, p); 745*54925bf6Swillf com_err(argv[0], retval, gettext("while adding entries to the database")); 746*54925bf6Swillf goto err_nomsg; 747*54925bf6Swillf } 748*54925bf6Swillf krb5_free_principal(util_context, p); 749*54925bf6Swillf 750*54925bf6Swillf /* Create 'kadmin/history' ... */ 751*54925bf6Swillf snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_HIST_PRINCIPAL, global_params.realm); 752*54925bf6Swillf if ((retval = krb5_parse_name(util_context, princ_name, &p))) { 753*54925bf6Swillf com_err(argv[0], retval, gettext("while adding entries to the database")); 754*54925bf6Swillf goto err_nomsg; 755*54925bf6Swillf } 756*54925bf6Swillf rblock.max_life = global_params.max_life; 757*54925bf6Swillf rblock.flags = 0; 758*54925bf6Swillf if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) { 759*54925bf6Swillf krb5_free_principal(util_context, p); 760*54925bf6Swillf com_err(argv[0], retval, gettext("while adding entries to the database")); 761*54925bf6Swillf goto err_nomsg; 762*54925bf6Swillf } 763*54925bf6Swillf krb5_free_principal(util_context, p); 764*54925bf6Swillf 765*54925bf6Swillf /* Create 'kadmin/<hostname>' ... */ 766*54925bf6Swillf if ((retval=krb5_sname_to_principal(util_context, NULL, KADM5_ADMIN_HOST_SERVICE, KRB5_NT_SRV_HST, &p))) { 767*54925bf6Swillf com_err(argv[0], retval, gettext("krb5_sname_to_principal, while adding entries to the database")); 768*54925bf6Swillf goto err_nomsg; 769*54925bf6Swillf } 770*54925bf6Swillf 771*54925bf6Swillf if ((retval=krb5_copy_principal(util_context, p, &temp_p))) { 772*54925bf6Swillf com_err(argv[0], retval, gettext("krb5_copy_principal, while adding entries to the database")); 773*54925bf6Swillf goto err_nomsg; 774*54925bf6Swillf } 775*54925bf6Swillf 776*54925bf6Swillf /* change the realm portion to the default realm */ 777*54925bf6Swillf free(temp_p->realm.data); 778*54925bf6Swillf temp_p->realm.length = strlen(util_context->default_realm); 779*54925bf6Swillf temp_p->realm.data = strdup(util_context->default_realm); 780*54925bf6Swillf if (temp_p->realm.data == NULL) { 781*54925bf6Swillf com_err(argv[0], ENOMEM, gettext("while adding entries to the database")); 782*54925bf6Swillf goto err_nomsg; 783*54925bf6Swillf } 784*54925bf6Swillf 785*54925bf6Swillf rblock.max_life = ADMIN_LIFETIME; 786*54925bf6Swillf rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED; 787*54925bf6Swillf if ((retval = kdb_ldap_create_principal(util_context, temp_p, TGT_KEY, &rblock))) { 788*54925bf6Swillf krb5_free_principal(util_context, p); 789*54925bf6Swillf com_err(argv[0], retval, gettext("while adding entries to the database")); 790*54925bf6Swillf goto err_nomsg; 791*54925bf6Swillf } 792*54925bf6Swillf krb5_free_principal(util_context, temp_p); 793*54925bf6Swillf krb5_free_principal(util_context, p); 794*54925bf6Swillf 795*54925bf6Swillf /* Solaris Kerberos: Create 'changepw/<hostname>' ... */ 796*54925bf6Swillf if ((retval=krb5_sname_to_principal(util_context, NULL, KADM5_CHANGEPW_HOST_SERVICE, KRB5_NT_SRV_HST, &p))) { 797*54925bf6Swillf com_err(argv[0], retval, gettext("krb5_sname_to_principal, while adding entries to the database")); 798*54925bf6Swillf goto err_nomsg; 799*54925bf6Swillf } 800*54925bf6Swillf 801*54925bf6Swillf if ((retval=krb5_copy_principal(util_context, p, &temp_p))) { 802*54925bf6Swillf com_err(argv[0], retval, gettext("krb5_copy_principal, while adding entries to the database")); 803*54925bf6Swillf goto err_nomsg; 804*54925bf6Swillf } 805*54925bf6Swillf 806*54925bf6Swillf /* change the realm portion to the default realm */ 807*54925bf6Swillf free(temp_p->realm.data); 808*54925bf6Swillf temp_p->realm.length = strlen(util_context->default_realm); 809*54925bf6Swillf temp_p->realm.data = strdup(util_context->default_realm); 810*54925bf6Swillf if (temp_p->realm.data == NULL) { 811*54925bf6Swillf com_err(argv[0], ENOMEM, gettext("while adding entries to the database")); 812*54925bf6Swillf goto err_nomsg; 813*54925bf6Swillf } 814*54925bf6Swillf 815*54925bf6Swillf rblock.max_life = ADMIN_LIFETIME; 816*54925bf6Swillf rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED | KRB5_KDB_PWCHANGE_SERVICE; 817*54925bf6Swillf if ((retval = kdb_ldap_create_principal(util_context, temp_p, TGT_KEY, &rblock))) { 818*54925bf6Swillf krb5_free_principal(util_context, p); 819*54925bf6Swillf com_err(argv[0], retval, gettext("while adding entries to the database")); 820*54925bf6Swillf goto err_nomsg; 821*54925bf6Swillf } 822*54925bf6Swillf krb5_free_principal(util_context, temp_p); 823*54925bf6Swillf krb5_free_principal(util_context, p); 824*54925bf6Swillf 825*54925bf6Swillf if (oldcontainerref != NULL) { 826*54925bf6Swillf ldap_context->lrparams->containerref = oldcontainerref; 827*54925bf6Swillf oldcontainerref=NULL; 828*54925bf6Swillf } 829*54925bf6Swillf } 830*54925bf6Swillf 831*54925bf6Swillf #ifdef HAVE_EDIRECTORY 832*54925bf6Swillf if ((mask & LDAP_REALM_KDCSERVERS) || (mask & LDAP_REALM_ADMINSERVERS) || 833*54925bf6Swillf (mask & LDAP_REALM_PASSWDSERVERS)) { 834*54925bf6Swillf 835*54925bf6Swillf printf(gettext("Changing rights for the service object. Please wait ... ")); 836*54925bf6Swillf fflush(stdout); 837*54925bf6Swillf 838*54925bf6Swillf rightsmask =0; 839*54925bf6Swillf rightsmask |= LDAP_REALM_RIGHTS; 840*54925bf6Swillf rightsmask |= LDAP_SUBTREE_RIGHTS; 841*54925bf6Swillf if ((rparams != NULL) && (rparams->kdcservers != NULL)) { 842*54925bf6Swillf for (i=0; (rparams->kdcservers[i] != NULL); i++) { 843*54925bf6Swillf if ((retval=krb5_ldap_add_service_rights(util_context, 844*54925bf6Swillf LDAP_KDC_SERVICE, rparams->kdcservers[i], 845*54925bf6Swillf rparams->realm_name, rparams->subtree, rightsmask)) != 0) { 846*54925bf6Swillf printf(gettext("failed\n")); 847*54925bf6Swillf com_err(argv[0], retval, gettext("while assigning rights to '%s'"), 848*54925bf6Swillf rparams->realm_name); 849*54925bf6Swillf goto err_nomsg; 850*54925bf6Swillf } 851*54925bf6Swillf } 852*54925bf6Swillf } 853*54925bf6Swillf 854*54925bf6Swillf rightsmask = 0; 855*54925bf6Swillf rightsmask |= LDAP_REALM_RIGHTS; 856*54925bf6Swillf rightsmask |= LDAP_SUBTREE_RIGHTS; 857*54925bf6Swillf if ((rparams != NULL) && (rparams->adminservers != NULL)) { 858*54925bf6Swillf for (i=0; (rparams->adminservers[i] != NULL); i++) { 859*54925bf6Swillf if ((retval=krb5_ldap_add_service_rights(util_context, 860*54925bf6Swillf LDAP_ADMIN_SERVICE, rparams->adminservers[i], 861*54925bf6Swillf rparams->realm_name, rparams->subtree, rightsmask)) != 0) { 862*54925bf6Swillf printf(gettext("failed\n")); 863*54925bf6Swillf com_err(argv[0], retval, gettext("while assigning rights to '%s'"), 864*54925bf6Swillf rparams->realm_name); 865*54925bf6Swillf goto err_nomsg; 866*54925bf6Swillf } 867*54925bf6Swillf } 868*54925bf6Swillf } 869*54925bf6Swillf 870*54925bf6Swillf rightsmask = 0; 871*54925bf6Swillf rightsmask |= LDAP_REALM_RIGHTS; 872*54925bf6Swillf rightsmask |= LDAP_SUBTREE_RIGHTS; 873*54925bf6Swillf if ((rparams != NULL) && (rparams->passwdservers != NULL)) { 874*54925bf6Swillf for (i=0; (rparams->passwdservers[i] != NULL); i++) { 875*54925bf6Swillf if ((retval=krb5_ldap_add_service_rights(util_context, 876*54925bf6Swillf LDAP_PASSWD_SERVICE, rparams->passwdservers[i], 877*54925bf6Swillf rparams->realm_name, rparams->subtree, rightsmask)) != 0) { 878*54925bf6Swillf printf(gettext("failed\n")); 879*54925bf6Swillf com_err(argv[0], retval, gettext("while assigning rights to '%s'"), 880*54925bf6Swillf rparams->realm_name); 881*54925bf6Swillf goto err_nomsg; 882*54925bf6Swillf } 883*54925bf6Swillf } 884*54925bf6Swillf } 885*54925bf6Swillf 886*54925bf6Swillf printf(gettext("done\n")); 887*54925bf6Swillf } 888*54925bf6Swillf #endif 889*54925bf6Swillf /* The Realm creation is completed. Here is the end of transaction */ 890*54925bf6Swillf create_complete = TRUE; 891*54925bf6Swillf 892*54925bf6Swillf /* Stash the master key only if '-s' option is specified */ 893*54925bf6Swillf if (do_stash || global_params.mask & KADM5_CONFIG_STASH_FILE) { 894*54925bf6Swillf retval = krb5_def_store_mkey(util_context, 895*54925bf6Swillf global_params.stash_file, 896*54925bf6Swillf master_princ, 897*54925bf6Swillf &master_keyblock, NULL); 898*54925bf6Swillf if (retval) { 899*54925bf6Swillf com_err(argv[0], errno, gettext("while storing key")); 900*54925bf6Swillf printf(gettext("Warning: couldn't stash master key.\n")); 901*54925bf6Swillf } 902*54925bf6Swillf } 903*54925bf6Swillf 904*54925bf6Swillf goto cleanup; 905*54925bf6Swillf 906*54925bf6Swillf 907*54925bf6Swillf err_usage: 908*54925bf6Swillf print_usage = TRUE; 909*54925bf6Swillf 910*54925bf6Swillf err_nomsg: 911*54925bf6Swillf no_msg = TRUE; 912*54925bf6Swillf 913*54925bf6Swillf cleanup: 914*54925bf6Swillf /* If the Realm creation is not complete, do the roll-back here */ 915*54925bf6Swillf if ((realm_obj_created) && (!create_complete)) 916*54925bf6Swillf krb5_ldap_delete_realm(util_context, global_params.realm); 917*54925bf6Swillf 918*54925bf6Swillf if (rparams) 919*54925bf6Swillf krb5_ldap_free_realm_params(rparams); 920*54925bf6Swillf 921*54925bf6Swillf memset (pw_str, 0, sizeof (pw_str)); 922*54925bf6Swillf 923*54925bf6Swillf if (print_usage) 924*54925bf6Swillf db_usage(CREATE_REALM); 925*54925bf6Swillf 926*54925bf6Swillf if (retval) { 927*54925bf6Swillf if (!no_msg) { 928*54925bf6Swillf com_err(argv[0], retval, gettext("while creating realm '%s'"), 929*54925bf6Swillf global_params.realm); 930*54925bf6Swillf } 931*54925bf6Swillf exit_status++; 932*54925bf6Swillf } 933*54925bf6Swillf 934*54925bf6Swillf return; 935*54925bf6Swillf } 936*54925bf6Swillf 937*54925bf6Swillf 938*54925bf6Swillf /* 939*54925bf6Swillf * This function will modify the attributes of a given realm object 940*54925bf6Swillf */ 941*54925bf6Swillf void kdb5_ldap_modify(argc, argv) 942*54925bf6Swillf int argc; 943*54925bf6Swillf char *argv[]; 944*54925bf6Swillf { 945*54925bf6Swillf krb5_error_code retval = 0; 946*54925bf6Swillf krb5_ldap_realm_params *rparams = NULL; 947*54925bf6Swillf krb5_boolean print_usage = FALSE; 948*54925bf6Swillf krb5_boolean no_msg = FALSE; 949*54925bf6Swillf kdb5_dal_handle *dal_handle = NULL; 950*54925bf6Swillf krb5_ldap_context *ldap_context=NULL; 951*54925bf6Swillf int i = 0; 952*54925bf6Swillf int mask = 0, rmask = 0, ret_mask = 0; 953*54925bf6Swillf char **slist = {NULL}; 954*54925bf6Swillf #ifdef HAVE_EDIRECTORY 955*54925bf6Swillf int j = 0; 956*54925bf6Swillf char *list[MAX_LIST_ENTRIES]; 957*54925bf6Swillf int existing_entries = 0, list_entries = 0; 958*54925bf6Swillf int newkdcdn = 0, newadmindn = 0, newpwddn = 0; 959*54925bf6Swillf char **tempstr = NULL; 960*54925bf6Swillf char **oldkdcdns = NULL; 961*54925bf6Swillf char **oldadmindns = NULL; 962*54925bf6Swillf char **oldpwddns = NULL; 963*54925bf6Swillf char **newkdcdns = NULL; 964*54925bf6Swillf char **newsubtrees = NULL; 965*54925bf6Swillf char **newadmindns = NULL; 966*54925bf6Swillf char **newpwddns = NULL; 967*54925bf6Swillf char **oldsubtrees = {NULL}; 968*54925bf6Swillf int rightsmask = 0; 969*54925bf6Swillf int subtree_changed = 0; 970*54925bf6Swillf #endif 971*54925bf6Swillf 972*54925bf6Swillf dal_handle = (kdb5_dal_handle *) util_context->db_context; 973*54925bf6Swillf ldap_context = (krb5_ldap_context *) dal_handle->db_context; 974*54925bf6Swillf if (!(ldap_context)) { 975*54925bf6Swillf retval = EINVAL; 976*54925bf6Swillf goto cleanup; 977*54925bf6Swillf } 978*54925bf6Swillf 979*54925bf6Swillf if ((retval = krb5_ldap_read_krbcontainer_params(util_context, 980*54925bf6Swillf &(ldap_context->krbcontainer)))) { 981*54925bf6Swillf com_err(argv[0], retval, gettext("while reading Kerberos container information")); 982*54925bf6Swillf goto err_nomsg; 983*54925bf6Swillf } 984*54925bf6Swillf 985*54925bf6Swillf retval = krb5_ldap_read_realm_params(util_context, 986*54925bf6Swillf global_params.realm, &rparams, &rmask); 987*54925bf6Swillf if (retval) 988*54925bf6Swillf goto cleanup; 989*54925bf6Swillf /* Parse the arguments */ 990*54925bf6Swillf for (i = 1; i < argc; i++) { 991*54925bf6Swillf int k = 0; 992*54925bf6Swillf if (!strcmp(argv[i], "-subtrees")) { 993*54925bf6Swillf if (++i > argc-1) 994*54925bf6Swillf goto err_usage; 995*54925bf6Swillf 996*54925bf6Swillf if (rmask & LDAP_REALM_SUBTREE) { 997*54925bf6Swillf if (rparams->subtree) { 998*54925bf6Swillf #ifdef HAVE_EDIRECTORY 999*54925bf6Swillf oldsubtrees = (char **) calloc(rparams->subtreecount+1, sizeof(char *)); 1000*54925bf6Swillf if (oldsubtrees == NULL) { 1001*54925bf6Swillf retval = ENOMEM; 1002*54925bf6Swillf goto cleanup; 1003*54925bf6Swillf } 1004*54925bf6Swillf for(k=0; rparams->subtree[k]!=NULL && rparams->subtreecount; k++) { 1005*54925bf6Swillf oldsubtrees[k] = strdup(rparams->subtree[k]); 1006*54925bf6Swillf if( oldsubtrees[k] == NULL ) { 1007*54925bf6Swillf retval = ENOMEM; 1008*54925bf6Swillf goto cleanup; 1009*54925bf6Swillf } 1010*54925bf6Swillf } 1011*54925bf6Swillf #endif 1012*54925bf6Swillf for(k=0; k<rparams->subtreecount && rparams->subtree[k]; k++) 1013*54925bf6Swillf free(rparams->subtree[k]); 1014*54925bf6Swillf rparams->subtreecount=0; 1015*54925bf6Swillf } 1016*54925bf6Swillf } 1017*54925bf6Swillf if (strncmp(argv[i] ,"", strlen(argv[i]))!=0) { 1018*54925bf6Swillf slist = (char **) calloc(MAX_LIST_ENTRIES, sizeof(char *)); 1019*54925bf6Swillf if (slist == NULL) { 1020*54925bf6Swillf retval = ENOMEM; 1021*54925bf6Swillf goto cleanup; 1022*54925bf6Swillf } 1023*54925bf6Swillf if (( retval = krb5_parse_list(argv[i], LIST_DELIMITER, slist))) { 1024*54925bf6Swillf free(slist); 1025*54925bf6Swillf slist = NULL; 1026*54925bf6Swillf goto cleanup; 1027*54925bf6Swillf } 1028*54925bf6Swillf 1029*54925bf6Swillf rparams->subtreecount=0; 1030*54925bf6Swillf while(slist[rparams->subtreecount]!=NULL) 1031*54925bf6Swillf (rparams->subtreecount)++; 1032*54925bf6Swillf rparams->subtree = slist; 1033*54925bf6Swillf } else if(strncmp(argv[i], "", strlen(argv[i]))==0) { 1034*54925bf6Swillf /* dont allow subtree value to be set at the root(NULL, "") of the tree */ 1035*54925bf6Swillf com_err(argv[0], EINVAL, 1036*54925bf6Swillf gettext("for subtree while modifying realm '%s'"), 1037*54925bf6Swillf global_params.realm); 1038*54925bf6Swillf goto err_nomsg; 1039*54925bf6Swillf } 1040*54925bf6Swillf rparams->subtree[rparams->subtreecount] = NULL; 1041*54925bf6Swillf mask |= LDAP_REALM_SUBTREE; 1042*54925bf6Swillf } else if (!strncmp(argv[i], "-containerref", strlen(argv[i]))) { 1043*54925bf6Swillf if (++i > argc-1) 1044*54925bf6Swillf goto err_usage; 1045*54925bf6Swillf if(strncmp(argv[i], "", strlen(argv[i]))==0) { 1046*54925bf6Swillf /* dont allow containerref value to be set at the root(NULL, "") of the tree */ 1047*54925bf6Swillf com_err(argv[0], EINVAL, 1048*54925bf6Swillf gettext("for container reference while modifying realm '%s'"), 1049*54925bf6Swillf global_params.realm); 1050*54925bf6Swillf goto err_nomsg; 1051*54925bf6Swillf } 1052*54925bf6Swillf rparams->containerref = strdup(argv[i]); 1053*54925bf6Swillf if (rparams->containerref == NULL) { 1054*54925bf6Swillf retval = ENOMEM; 1055*54925bf6Swillf goto cleanup; 1056*54925bf6Swillf } 1057*54925bf6Swillf mask |= LDAP_REALM_CONTREF; 1058*54925bf6Swillf } else if (!strcmp(argv[i], "-sscope")) { 1059*54925bf6Swillf if (++i > argc-1) 1060*54925bf6Swillf goto err_usage; 1061*54925bf6Swillf /* Possible values for search scope are 1062*54925bf6Swillf * one (or 1) and sub (or 2) 1063*54925bf6Swillf */ 1064*54925bf6Swillf if (strcasecmp(argv[i], "one") == 0) { 1065*54925bf6Swillf rparams->search_scope = 1; 1066*54925bf6Swillf } else if (strcasecmp(argv[i], "sub") == 0) { 1067*54925bf6Swillf rparams->search_scope = 2; 1068*54925bf6Swillf } else { 1069*54925bf6Swillf rparams->search_scope = atoi(argv[i]); 1070*54925bf6Swillf if ((rparams->search_scope != 1) && 1071*54925bf6Swillf (rparams->search_scope != 2)) { 1072*54925bf6Swillf retval = EINVAL; 1073*54925bf6Swillf com_err(argv[0], retval, 1074*54925bf6Swillf gettext("specified for search scope while modifying information of realm '%s'"), 1075*54925bf6Swillf global_params.realm); 1076*54925bf6Swillf goto err_nomsg; 1077*54925bf6Swillf } 1078*54925bf6Swillf } 1079*54925bf6Swillf mask |= LDAP_REALM_SEARCHSCOPE; 1080*54925bf6Swillf } 1081*54925bf6Swillf #ifdef HAVE_EDIRECTORY 1082*54925bf6Swillf else if (!strcmp(argv[i], "-kdcdn")) { 1083*54925bf6Swillf if (++i > argc-1) 1084*54925bf6Swillf goto err_usage; 1085*54925bf6Swillf 1086*54925bf6Swillf if ((rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers)) { 1087*54925bf6Swillf if (!oldkdcdns) { 1088*54925bf6Swillf /* Store the old kdc dns list for removing rights */ 1089*54925bf6Swillf oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); 1090*54925bf6Swillf if (oldkdcdns == NULL) { 1091*54925bf6Swillf retval = ENOMEM; 1092*54925bf6Swillf goto cleanup; 1093*54925bf6Swillf } 1094*54925bf6Swillf 1095*54925bf6Swillf for (j=0; rparams->kdcservers[j] != NULL; j++) { 1096*54925bf6Swillf oldkdcdns[j] = strdup(rparams->kdcservers[j]); 1097*54925bf6Swillf if (oldkdcdns[j] == NULL) { 1098*54925bf6Swillf retval = ENOMEM; 1099*54925bf6Swillf goto cleanup; 1100*54925bf6Swillf } 1101*54925bf6Swillf } 1102*54925bf6Swillf oldkdcdns[j] = NULL; 1103*54925bf6Swillf } 1104*54925bf6Swillf 1105*54925bf6Swillf krb5_free_list_entries(rparams->kdcservers); 1106*54925bf6Swillf free(rparams->kdcservers); 1107*54925bf6Swillf } 1108*54925bf6Swillf 1109*54925bf6Swillf rparams->kdcservers = (char **)malloc( 1110*54925bf6Swillf sizeof(char *) * MAX_LIST_ENTRIES); 1111*54925bf6Swillf if (rparams->kdcservers == NULL) { 1112*54925bf6Swillf retval = ENOMEM; 1113*54925bf6Swillf goto cleanup; 1114*54925bf6Swillf } 1115*54925bf6Swillf memset(rparams->kdcservers, 0, sizeof(char *)*MAX_LIST_ENTRIES); 1116*54925bf6Swillf if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, 1117*54925bf6Swillf rparams->kdcservers))) { 1118*54925bf6Swillf goto cleanup; 1119*54925bf6Swillf } 1120*54925bf6Swillf mask |= LDAP_REALM_KDCSERVERS; 1121*54925bf6Swillf /* Going to replace the existing value by this new value. Hence 1122*54925bf6Swillf * setting flag indicating that add or clear options will be ignored 1123*54925bf6Swillf */ 1124*54925bf6Swillf newkdcdn = 1; 1125*54925bf6Swillf } else if (!strcmp(argv[i], "-clearkdcdn")) { 1126*54925bf6Swillf if (++i > argc-1) 1127*54925bf6Swillf goto err_usage; 1128*54925bf6Swillf if ((!newkdcdn) && (rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers)) { 1129*54925bf6Swillf if (!oldkdcdns) { 1130*54925bf6Swillf /* Store the old kdc dns list for removing rights */ 1131*54925bf6Swillf oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); 1132*54925bf6Swillf if (oldkdcdns == NULL) { 1133*54925bf6Swillf retval = ENOMEM; 1134*54925bf6Swillf goto cleanup; 1135*54925bf6Swillf } 1136*54925bf6Swillf 1137*54925bf6Swillf for (j=0; rparams->kdcservers[j] != NULL; j++) { 1138*54925bf6Swillf oldkdcdns[j] = strdup(rparams->kdcservers[j]); 1139*54925bf6Swillf if (oldkdcdns[j] == NULL) { 1140*54925bf6Swillf retval = ENOMEM; 1141*54925bf6Swillf goto cleanup; 1142*54925bf6Swillf } 1143*54925bf6Swillf } 1144*54925bf6Swillf oldkdcdns[j] = NULL; 1145*54925bf6Swillf } 1146*54925bf6Swillf 1147*54925bf6Swillf memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); 1148*54925bf6Swillf if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { 1149*54925bf6Swillf goto cleanup; 1150*54925bf6Swillf } 1151*54925bf6Swillf list_modify_str_array(&rparams->kdcservers, (const char **)list, 1152*54925bf6Swillf LIST_MODE_DELETE); 1153*54925bf6Swillf mask |= LDAP_REALM_KDCSERVERS; 1154*54925bf6Swillf krb5_free_list_entries(list); 1155*54925bf6Swillf } 1156*54925bf6Swillf } else if (!strcmp(argv[i], "-addkdcdn")) { 1157*54925bf6Swillf if (++i > argc-1) 1158*54925bf6Swillf goto err_usage; 1159*54925bf6Swillf if (!newkdcdn) { 1160*54925bf6Swillf if ((rmask & LDAP_REALM_KDCSERVERS) && (rparams->kdcservers) && (!oldkdcdns)) { 1161*54925bf6Swillf /* Store the old kdc dns list for removing rights */ 1162*54925bf6Swillf oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); 1163*54925bf6Swillf if (oldkdcdns == NULL) { 1164*54925bf6Swillf retval = ENOMEM; 1165*54925bf6Swillf goto cleanup; 1166*54925bf6Swillf } 1167*54925bf6Swillf 1168*54925bf6Swillf for (j = 0; rparams->kdcservers[j] != NULL; j++) { 1169*54925bf6Swillf oldkdcdns[j] = strdup(rparams->kdcservers[j]); 1170*54925bf6Swillf if (oldkdcdns[j] == NULL) { 1171*54925bf6Swillf retval = ENOMEM; 1172*54925bf6Swillf goto cleanup; 1173*54925bf6Swillf } 1174*54925bf6Swillf } 1175*54925bf6Swillf oldkdcdns[j] = NULL; 1176*54925bf6Swillf } 1177*54925bf6Swillf 1178*54925bf6Swillf memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); 1179*54925bf6Swillf if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { 1180*54925bf6Swillf goto cleanup; 1181*54925bf6Swillf } 1182*54925bf6Swillf existing_entries = list_count_str_array(rparams->kdcservers); 1183*54925bf6Swillf list_entries = list_count_str_array(list); 1184*54925bf6Swillf if (rmask & LDAP_REALM_KDCSERVERS) { 1185*54925bf6Swillf tempstr = (char **)realloc( 1186*54925bf6Swillf rparams->kdcservers, 1187*54925bf6Swillf sizeof(char *) * (existing_entries+list_entries+1)); 1188*54925bf6Swillf if (tempstr == NULL) { 1189*54925bf6Swillf retval = ENOMEM; 1190*54925bf6Swillf goto cleanup; 1191*54925bf6Swillf } 1192*54925bf6Swillf rparams->kdcservers = tempstr; 1193*54925bf6Swillf } else { 1194*54925bf6Swillf rparams->kdcservers = (char **)malloc(sizeof(char *) * (list_entries+1)); 1195*54925bf6Swillf if (rparams->kdcservers == NULL) { 1196*54925bf6Swillf retval = ENOMEM; 1197*54925bf6Swillf goto cleanup; 1198*54925bf6Swillf } 1199*54925bf6Swillf memset(rparams->kdcservers, 0, sizeof(char *) * (list_entries+1)); 1200*54925bf6Swillf } 1201*54925bf6Swillf list_modify_str_array(&rparams->kdcservers, (const char **)list, 1202*54925bf6Swillf LIST_MODE_ADD); 1203*54925bf6Swillf mask |= LDAP_REALM_KDCSERVERS; 1204*54925bf6Swillf } 1205*54925bf6Swillf } else if (!strcmp(argv[i], "-admindn")) { 1206*54925bf6Swillf if (++i > argc-1) 1207*54925bf6Swillf goto err_usage; 1208*54925bf6Swillf 1209*54925bf6Swillf if ((rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers)) { 1210*54925bf6Swillf if (!oldadmindns) { 1211*54925bf6Swillf /* Store the old admin dns list for removing rights */ 1212*54925bf6Swillf oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); 1213*54925bf6Swillf if (oldadmindns == NULL) { 1214*54925bf6Swillf retval = ENOMEM; 1215*54925bf6Swillf goto cleanup; 1216*54925bf6Swillf } 1217*54925bf6Swillf 1218*54925bf6Swillf for (j=0; rparams->adminservers[j] != NULL; j++) { 1219*54925bf6Swillf oldadmindns[j] = strdup(rparams->adminservers[j]); 1220*54925bf6Swillf if (oldadmindns[j] == NULL) { 1221*54925bf6Swillf retval = ENOMEM; 1222*54925bf6Swillf goto cleanup; 1223*54925bf6Swillf } 1224*54925bf6Swillf } 1225*54925bf6Swillf oldadmindns[j] = NULL; 1226*54925bf6Swillf } 1227*54925bf6Swillf 1228*54925bf6Swillf krb5_free_list_entries(rparams->adminservers); 1229*54925bf6Swillf free(rparams->adminservers); 1230*54925bf6Swillf } 1231*54925bf6Swillf 1232*54925bf6Swillf rparams->adminservers = (char **)malloc( 1233*54925bf6Swillf sizeof(char *) * MAX_LIST_ENTRIES); 1234*54925bf6Swillf if (rparams->adminservers == NULL) { 1235*54925bf6Swillf retval = ENOMEM; 1236*54925bf6Swillf goto cleanup; 1237*54925bf6Swillf } 1238*54925bf6Swillf memset(rparams->adminservers, 0, sizeof(char *)*MAX_LIST_ENTRIES); 1239*54925bf6Swillf if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, 1240*54925bf6Swillf rparams->adminservers))) { 1241*54925bf6Swillf goto cleanup; 1242*54925bf6Swillf } 1243*54925bf6Swillf mask |= LDAP_REALM_ADMINSERVERS; 1244*54925bf6Swillf /* Going to replace the existing value by this new value. Hence 1245*54925bf6Swillf * setting flag indicating that add or clear options will be ignored 1246*54925bf6Swillf */ 1247*54925bf6Swillf newadmindn = 1; 1248*54925bf6Swillf } else if (!strcmp(argv[i], "-clearadmindn")) { 1249*54925bf6Swillf if (++i > argc-1) 1250*54925bf6Swillf goto err_usage; 1251*54925bf6Swillf 1252*54925bf6Swillf if ((!newadmindn) && (rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers)) { 1253*54925bf6Swillf if (!oldadmindns) { 1254*54925bf6Swillf /* Store the old admin dns list for removing rights */ 1255*54925bf6Swillf oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); 1256*54925bf6Swillf if (oldadmindns == NULL) { 1257*54925bf6Swillf retval = ENOMEM; 1258*54925bf6Swillf goto cleanup; 1259*54925bf6Swillf } 1260*54925bf6Swillf 1261*54925bf6Swillf for (j=0; rparams->adminservers[j] != NULL; j++) { 1262*54925bf6Swillf oldadmindns[j] = strdup(rparams->adminservers[j]); 1263*54925bf6Swillf if (oldadmindns[j] == NULL) { 1264*54925bf6Swillf retval = ENOMEM; 1265*54925bf6Swillf goto cleanup; 1266*54925bf6Swillf } 1267*54925bf6Swillf } 1268*54925bf6Swillf oldadmindns[j] = NULL; 1269*54925bf6Swillf } 1270*54925bf6Swillf 1271*54925bf6Swillf memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); 1272*54925bf6Swillf if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { 1273*54925bf6Swillf goto cleanup; 1274*54925bf6Swillf } 1275*54925bf6Swillf list_modify_str_array(&rparams->adminservers, (const char **)list, 1276*54925bf6Swillf LIST_MODE_DELETE); 1277*54925bf6Swillf mask |= LDAP_REALM_ADMINSERVERS; 1278*54925bf6Swillf krb5_free_list_entries(list); 1279*54925bf6Swillf } 1280*54925bf6Swillf } else if (!strcmp(argv[i], "-addadmindn")) { 1281*54925bf6Swillf if (++i > argc-1) 1282*54925bf6Swillf goto err_usage; 1283*54925bf6Swillf if (!newadmindn) { 1284*54925bf6Swillf if ((rmask & LDAP_REALM_ADMINSERVERS) && (rparams->adminservers) && (!oldadmindns)) { 1285*54925bf6Swillf /* Store the old admin dns list for removing rights */ 1286*54925bf6Swillf oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); 1287*54925bf6Swillf if (oldadmindns == NULL) { 1288*54925bf6Swillf retval = ENOMEM; 1289*54925bf6Swillf goto cleanup; 1290*54925bf6Swillf } 1291*54925bf6Swillf 1292*54925bf6Swillf for (j=0; rparams->adminservers[j] != NULL; j++) { 1293*54925bf6Swillf oldadmindns[j] = strdup(rparams->adminservers[j]); 1294*54925bf6Swillf if (oldadmindns[j] == NULL) { 1295*54925bf6Swillf retval = ENOMEM; 1296*54925bf6Swillf goto cleanup; 1297*54925bf6Swillf } 1298*54925bf6Swillf } 1299*54925bf6Swillf oldadmindns[j] = NULL; 1300*54925bf6Swillf } 1301*54925bf6Swillf 1302*54925bf6Swillf memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); 1303*54925bf6Swillf if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { 1304*54925bf6Swillf goto cleanup; 1305*54925bf6Swillf } 1306*54925bf6Swillf existing_entries = list_count_str_array(rparams->adminservers); 1307*54925bf6Swillf list_entries = list_count_str_array(list); 1308*54925bf6Swillf if (rmask & LDAP_REALM_ADMINSERVERS) { 1309*54925bf6Swillf tempstr = (char **)realloc( 1310*54925bf6Swillf rparams->adminservers, 1311*54925bf6Swillf sizeof(char *) * (existing_entries+list_entries+1)); 1312*54925bf6Swillf if (tempstr == NULL) { 1313*54925bf6Swillf retval = ENOMEM; 1314*54925bf6Swillf goto cleanup; 1315*54925bf6Swillf } 1316*54925bf6Swillf rparams->adminservers = tempstr; 1317*54925bf6Swillf } else { 1318*54925bf6Swillf rparams->adminservers = (char **)malloc(sizeof(char *) * (list_entries+1)); 1319*54925bf6Swillf if (rparams->adminservers == NULL) { 1320*54925bf6Swillf retval = ENOMEM; 1321*54925bf6Swillf goto cleanup; 1322*54925bf6Swillf } 1323*54925bf6Swillf memset(rparams->adminservers, 0, sizeof(char *) * (list_entries+1)); 1324*54925bf6Swillf } 1325*54925bf6Swillf list_modify_str_array(&rparams->adminservers, (const char **)list, 1326*54925bf6Swillf LIST_MODE_ADD); 1327*54925bf6Swillf mask |= LDAP_REALM_ADMINSERVERS; 1328*54925bf6Swillf } 1329*54925bf6Swillf } else if (!strcmp(argv[i], "-pwddn")) { 1330*54925bf6Swillf if (++i > argc-1) 1331*54925bf6Swillf goto err_usage; 1332*54925bf6Swillf 1333*54925bf6Swillf if ((rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers)) { 1334*54925bf6Swillf if (!oldpwddns) { 1335*54925bf6Swillf /* Store the old pwd dns list for removing rights */ 1336*54925bf6Swillf oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); 1337*54925bf6Swillf if (oldpwddns == NULL) { 1338*54925bf6Swillf retval = ENOMEM; 1339*54925bf6Swillf goto cleanup; 1340*54925bf6Swillf } 1341*54925bf6Swillf 1342*54925bf6Swillf for (j=0; rparams->passwdservers[j] != NULL; j++) { 1343*54925bf6Swillf oldpwddns[j] = strdup(rparams->passwdservers[j]); 1344*54925bf6Swillf if (oldpwddns[j] == NULL) { 1345*54925bf6Swillf retval = ENOMEM; 1346*54925bf6Swillf goto cleanup; 1347*54925bf6Swillf } 1348*54925bf6Swillf } 1349*54925bf6Swillf oldpwddns[j] = NULL; 1350*54925bf6Swillf } 1351*54925bf6Swillf 1352*54925bf6Swillf krb5_free_list_entries(rparams->passwdservers); 1353*54925bf6Swillf free(rparams->passwdservers); 1354*54925bf6Swillf } 1355*54925bf6Swillf 1356*54925bf6Swillf rparams->passwdservers = (char **)malloc( 1357*54925bf6Swillf sizeof(char *) * MAX_LIST_ENTRIES); 1358*54925bf6Swillf if (rparams->passwdservers == NULL) { 1359*54925bf6Swillf retval = ENOMEM; 1360*54925bf6Swillf goto cleanup; 1361*54925bf6Swillf } 1362*54925bf6Swillf memset(rparams->passwdservers, 0, sizeof(char *)*MAX_LIST_ENTRIES); 1363*54925bf6Swillf if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, 1364*54925bf6Swillf rparams->passwdservers))) { 1365*54925bf6Swillf goto cleanup; 1366*54925bf6Swillf } 1367*54925bf6Swillf mask |= LDAP_REALM_PASSWDSERVERS; 1368*54925bf6Swillf /* Going to replace the existing value by this new value. Hence 1369*54925bf6Swillf * setting flag indicating that add or clear options will be ignored 1370*54925bf6Swillf */ 1371*54925bf6Swillf newpwddn = 1; 1372*54925bf6Swillf } else if (!strcmp(argv[i], "-clearpwddn")) { 1373*54925bf6Swillf if (++i > argc-1) 1374*54925bf6Swillf goto err_usage; 1375*54925bf6Swillf 1376*54925bf6Swillf if ((!newpwddn) && (rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers)) { 1377*54925bf6Swillf if (!oldpwddns) { 1378*54925bf6Swillf /* Store the old pwd dns list for removing rights */ 1379*54925bf6Swillf oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); 1380*54925bf6Swillf if (oldpwddns == NULL) { 1381*54925bf6Swillf retval = ENOMEM; 1382*54925bf6Swillf goto cleanup; 1383*54925bf6Swillf } 1384*54925bf6Swillf 1385*54925bf6Swillf for (j=0; rparams->passwdservers[j] != NULL; j++) { 1386*54925bf6Swillf oldpwddns[j] = strdup(rparams->passwdservers[j]); 1387*54925bf6Swillf if (oldpwddns[j] == NULL) { 1388*54925bf6Swillf retval = ENOMEM; 1389*54925bf6Swillf goto cleanup; 1390*54925bf6Swillf } 1391*54925bf6Swillf } 1392*54925bf6Swillf oldpwddns[j] = NULL; 1393*54925bf6Swillf } 1394*54925bf6Swillf 1395*54925bf6Swillf memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); 1396*54925bf6Swillf if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { 1397*54925bf6Swillf goto cleanup; 1398*54925bf6Swillf } 1399*54925bf6Swillf list_modify_str_array(&rparams->passwdservers, (const char**)list, 1400*54925bf6Swillf LIST_MODE_DELETE); 1401*54925bf6Swillf mask |= LDAP_REALM_PASSWDSERVERS; 1402*54925bf6Swillf krb5_free_list_entries(list); 1403*54925bf6Swillf } 1404*54925bf6Swillf } else if (!strcmp(argv[i], "-addpwddn")) { 1405*54925bf6Swillf if (++i > argc-1) 1406*54925bf6Swillf goto err_usage; 1407*54925bf6Swillf if (!newpwddn) { 1408*54925bf6Swillf if ((rmask & LDAP_REALM_PASSWDSERVERS) && (rparams->passwdservers) && (!oldpwddns)) { 1409*54925bf6Swillf /* Store the old pwd dns list for removing rights */ 1410*54925bf6Swillf oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); 1411*54925bf6Swillf if (oldpwddns == NULL) { 1412*54925bf6Swillf retval = ENOMEM; 1413*54925bf6Swillf goto cleanup; 1414*54925bf6Swillf } 1415*54925bf6Swillf 1416*54925bf6Swillf for (j=0; rparams->passwdservers[j] != NULL; j++) { 1417*54925bf6Swillf oldpwddns[j] = strdup(rparams->passwdservers[j]); 1418*54925bf6Swillf if (oldpwddns[j] == NULL) { 1419*54925bf6Swillf retval = ENOMEM; 1420*54925bf6Swillf goto cleanup; 1421*54925bf6Swillf } 1422*54925bf6Swillf } 1423*54925bf6Swillf oldpwddns[j] = NULL; 1424*54925bf6Swillf } 1425*54925bf6Swillf 1426*54925bf6Swillf memset(list, 0, sizeof(char *) * MAX_LIST_ENTRIES); 1427*54925bf6Swillf if ((retval = krb5_parse_list(argv[i], LIST_DELIMITER, list))) { 1428*54925bf6Swillf goto cleanup; 1429*54925bf6Swillf } 1430*54925bf6Swillf existing_entries = list_count_str_array(rparams->passwdservers); 1431*54925bf6Swillf list_entries = list_count_str_array(list); 1432*54925bf6Swillf if (rmask & LDAP_REALM_PASSWDSERVERS) { 1433*54925bf6Swillf tempstr = (char **)realloc( 1434*54925bf6Swillf rparams->passwdservers, 1435*54925bf6Swillf sizeof(char *) * (existing_entries+list_entries+1)); 1436*54925bf6Swillf if (tempstr == NULL) { 1437*54925bf6Swillf retval = ENOMEM; 1438*54925bf6Swillf goto cleanup; 1439*54925bf6Swillf } 1440*54925bf6Swillf rparams->passwdservers = tempstr; 1441*54925bf6Swillf } else { 1442*54925bf6Swillf rparams->passwdservers = (char **)malloc(sizeof(char *) * (list_entries+1)); 1443*54925bf6Swillf if (rparams->passwdservers == NULL) { 1444*54925bf6Swillf retval = ENOMEM; 1445*54925bf6Swillf goto cleanup; 1446*54925bf6Swillf } 1447*54925bf6Swillf memset(rparams->passwdservers, 0, sizeof(char *) * (list_entries+1)); 1448*54925bf6Swillf } 1449*54925bf6Swillf list_modify_str_array(&rparams->passwdservers, (const char**)list, 1450*54925bf6Swillf LIST_MODE_ADD); 1451*54925bf6Swillf mask |= LDAP_REALM_PASSWDSERVERS; 1452*54925bf6Swillf } 1453*54925bf6Swillf } 1454*54925bf6Swillf #endif 1455*54925bf6Swillf else if ((ret_mask= get_ticket_policy(rparams,&i,argv,argc)) !=0) { 1456*54925bf6Swillf mask|=ret_mask; 1457*54925bf6Swillf } else { 1458*54925bf6Swillf printf(gettext("'%s' is an invalid option\n"), argv[i]); 1459*54925bf6Swillf goto err_usage; 1460*54925bf6Swillf } 1461*54925bf6Swillf } 1462*54925bf6Swillf 1463*54925bf6Swillf if ((retval = krb5_ldap_modify_realm(util_context, 1464*54925bf6Swillf /* global_params.realm, */ rparams, mask))) { 1465*54925bf6Swillf goto cleanup; 1466*54925bf6Swillf } 1467*54925bf6Swillf 1468*54925bf6Swillf #ifdef HAVE_EDIRECTORY 1469*54925bf6Swillf if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_KDCSERVERS) || 1470*54925bf6Swillf (mask & LDAP_REALM_ADMINSERVERS) || (mask & LDAP_REALM_PASSWDSERVERS)) { 1471*54925bf6Swillf 1472*54925bf6Swillf printf(gettext("Changing rights for the service object. Please wait ... ")); 1473*54925bf6Swillf fflush(stdout); 1474*54925bf6Swillf 1475*54925bf6Swillf if (!(mask & LDAP_REALM_SUBTREE)) { 1476*54925bf6Swillf if (rparams->subtree != NULL) { 1477*54925bf6Swillf for(i=0; rparams->subtree[i]!=NULL;i++) { 1478*54925bf6Swillf oldsubtrees[i] = strdup(rparams->subtree[i]); 1479*54925bf6Swillf if( oldsubtrees[i] == NULL ) { 1480*54925bf6Swillf retval = ENOMEM; 1481*54925bf6Swillf goto cleanup; 1482*54925bf6Swillf } 1483*54925bf6Swillf } 1484*54925bf6Swillf } 1485*54925bf6Swillf } 1486*54925bf6Swillf 1487*54925bf6Swillf if ((mask & LDAP_REALM_SUBTREE)) { 1488*54925bf6Swillf int check_subtree = 1; 1489*54925bf6Swillf 1490*54925bf6Swillf newsubtrees = (char**) calloc(rparams->subtreecount, sizeof(char*)); 1491*54925bf6Swillf 1492*54925bf6Swillf if (newsubtrees == NULL) { 1493*54925bf6Swillf retval = ENOMEM; 1494*54925bf6Swillf goto cleanup; 1495*54925bf6Swillf } 1496*54925bf6Swillf 1497*54925bf6Swillf if ( (rparams != NULL) && (rparams->subtree != NULL) ) { 1498*54925bf6Swillf for (j=0; j<rparams->subtreecount && rparams->subtree[j]!= NULL; j++) { 1499*54925bf6Swillf newsubtrees[j] = strdup(rparams->subtree[j]); 1500*54925bf6Swillf if (newsubtrees[j] == NULL) { 1501*54925bf6Swillf retval = ENOMEM; 1502*54925bf6Swillf goto cleanup; 1503*54925bf6Swillf } 1504*54925bf6Swillf } 1505*54925bf6Swillf newsubtrees[j] = NULL; 1506*54925bf6Swillf } 1507*54925bf6Swillf for(j=0;oldsubtrees[j]!=NULL;j++) { 1508*54925bf6Swillf check_subtree = 1; 1509*54925bf6Swillf for(i=0; ( (oldsubtrees[j] && !rparams->subtree[i]) || 1510*54925bf6Swillf (!oldsubtrees[j] && rparams->subtree[i])); i++) { 1511*54925bf6Swillf if(strcasecmp( oldsubtrees[j], rparams->subtree[i]) == 0) { 1512*54925bf6Swillf check_subtree = 0; 1513*54925bf6Swillf continue; 1514*54925bf6Swillf } 1515*54925bf6Swillf } 1516*54925bf6Swillf if (check_subtree != 0) { 1517*54925bf6Swillf subtree_changed=1; 1518*54925bf6Swillf break; 1519*54925bf6Swillf } 1520*54925bf6Swillf } 1521*54925bf6Swillf /* this will return list of the disjoint members */ 1522*54925bf6Swillf disjoint_members( oldsubtrees, newsubtrees); 1523*54925bf6Swillf } 1524*54925bf6Swillf 1525*54925bf6Swillf if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_KDCSERVERS)) { 1526*54925bf6Swillf 1527*54925bf6Swillf newkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); 1528*54925bf6Swillf if (newkdcdns == NULL) { 1529*54925bf6Swillf retval = ENOMEM; 1530*54925bf6Swillf goto cleanup; 1531*54925bf6Swillf } 1532*54925bf6Swillf 1533*54925bf6Swillf if ((rparams != NULL) && (rparams->kdcservers != NULL)) { 1534*54925bf6Swillf for (j=0; rparams->kdcservers[j]!= NULL; j++) { 1535*54925bf6Swillf newkdcdns[j] = strdup(rparams->kdcservers[j]); 1536*54925bf6Swillf if (newkdcdns[j] == NULL) { 1537*54925bf6Swillf retval = ENOMEM; 1538*54925bf6Swillf goto cleanup; 1539*54925bf6Swillf } 1540*54925bf6Swillf } 1541*54925bf6Swillf newkdcdns[j] = NULL; 1542*54925bf6Swillf } 1543*54925bf6Swillf 1544*54925bf6Swillf if (!subtree_changed) { 1545*54925bf6Swillf disjoint_members(oldkdcdns, newkdcdns); 1546*54925bf6Swillf } else { /* Only the subtrees was changed. Remove the rights on the old subtrees. */ 1547*54925bf6Swillf if (!(mask & LDAP_REALM_KDCSERVERS)) { 1548*54925bf6Swillf 1549*54925bf6Swillf oldkdcdns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); 1550*54925bf6Swillf if (oldkdcdns == NULL) { 1551*54925bf6Swillf retval = ENOMEM; 1552*54925bf6Swillf goto cleanup; 1553*54925bf6Swillf } 1554*54925bf6Swillf 1555*54925bf6Swillf if ((rparams != NULL) && (rparams->kdcservers != NULL)) { 1556*54925bf6Swillf for (j=0; rparams->kdcservers[j]!= NULL; j++) { 1557*54925bf6Swillf oldkdcdns[j] = strdup(rparams->kdcservers[j]); 1558*54925bf6Swillf if (oldkdcdns[j] == NULL) { 1559*54925bf6Swillf retval = ENOMEM; 1560*54925bf6Swillf goto cleanup; 1561*54925bf6Swillf } 1562*54925bf6Swillf } 1563*54925bf6Swillf oldkdcdns[j] = NULL; 1564*54925bf6Swillf } 1565*54925bf6Swillf } 1566*54925bf6Swillf } 1567*54925bf6Swillf 1568*54925bf6Swillf rightsmask =0; 1569*54925bf6Swillf rightsmask |= LDAP_REALM_RIGHTS; 1570*54925bf6Swillf rightsmask |= LDAP_SUBTREE_RIGHTS; 1571*54925bf6Swillf /* Remove the rights on the old subtrees */ 1572*54925bf6Swillf if (oldkdcdns) { 1573*54925bf6Swillf for (i=0; (oldkdcdns[i] != NULL); i++) { 1574*54925bf6Swillf if ((retval=krb5_ldap_delete_service_rights(util_context, 1575*54925bf6Swillf LDAP_KDC_SERVICE, oldkdcdns[i], 1576*54925bf6Swillf rparams->realm_name, oldsubtrees, rightsmask)) != 0) { 1577*54925bf6Swillf printf(gettext("failed\n")); 1578*54925bf6Swillf com_err(argv[0], retval, gettext("while assigning rights '%s'"), 1579*54925bf6Swillf rparams->realm_name); 1580*54925bf6Swillf goto err_nomsg; 1581*54925bf6Swillf } 1582*54925bf6Swillf } 1583*54925bf6Swillf } 1584*54925bf6Swillf 1585*54925bf6Swillf rightsmask =0; 1586*54925bf6Swillf rightsmask |= LDAP_REALM_RIGHTS; 1587*54925bf6Swillf rightsmask |= LDAP_SUBTREE_RIGHTS; 1588*54925bf6Swillf if (newkdcdns) { 1589*54925bf6Swillf for (i=0; (newkdcdns[i] != NULL); i++) { 1590*54925bf6Swillf 1591*54925bf6Swillf if ((retval=krb5_ldap_add_service_rights(util_context, 1592*54925bf6Swillf LDAP_KDC_SERVICE, newkdcdns[i], rparams->realm_name, 1593*54925bf6Swillf rparams->subtree, rightsmask)) != 0) { 1594*54925bf6Swillf printf(gettext("failed\n")); 1595*54925bf6Swillf com_err(argv[0], retval, gettext("while assigning rights to '%s'"), 1596*54925bf6Swillf rparams->realm_name); 1597*54925bf6Swillf goto err_nomsg; 1598*54925bf6Swillf } 1599*54925bf6Swillf } 1600*54925bf6Swillf } 1601*54925bf6Swillf } 1602*54925bf6Swillf 1603*54925bf6Swillf if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_ADMINSERVERS)) { 1604*54925bf6Swillf 1605*54925bf6Swillf newadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); 1606*54925bf6Swillf if (newadmindns == NULL) { 1607*54925bf6Swillf retval = ENOMEM; 1608*54925bf6Swillf goto cleanup; 1609*54925bf6Swillf } 1610*54925bf6Swillf 1611*54925bf6Swillf if ((rparams != NULL) && (rparams->adminservers != NULL)) { 1612*54925bf6Swillf for (j=0; rparams->adminservers[j]!= NULL; j++) { 1613*54925bf6Swillf newadmindns[j] = strdup(rparams->adminservers[j]); 1614*54925bf6Swillf if (newadmindns[j] == NULL) { 1615*54925bf6Swillf retval = ENOMEM; 1616*54925bf6Swillf goto cleanup; 1617*54925bf6Swillf } 1618*54925bf6Swillf } 1619*54925bf6Swillf newadmindns[j] = NULL; 1620*54925bf6Swillf } 1621*54925bf6Swillf 1622*54925bf6Swillf if (!subtree_changed) { 1623*54925bf6Swillf disjoint_members(oldadmindns, newadmindns); 1624*54925bf6Swillf } else { /* Only the subtrees was changed. Remove the rights on the old subtrees. */ 1625*54925bf6Swillf if (!(mask & LDAP_REALM_ADMINSERVERS)) { 1626*54925bf6Swillf 1627*54925bf6Swillf oldadmindns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); 1628*54925bf6Swillf if (oldadmindns == NULL) { 1629*54925bf6Swillf retval = ENOMEM; 1630*54925bf6Swillf goto cleanup; 1631*54925bf6Swillf } 1632*54925bf6Swillf 1633*54925bf6Swillf if ((rparams != NULL) && (rparams->adminservers != NULL)) { 1634*54925bf6Swillf for (j=0; rparams->adminservers[j]!= NULL; j++) { 1635*54925bf6Swillf oldadmindns[j] = strdup(rparams->adminservers[j]); 1636*54925bf6Swillf if (oldadmindns[j] == NULL) { 1637*54925bf6Swillf retval = ENOMEM; 1638*54925bf6Swillf goto cleanup; 1639*54925bf6Swillf } 1640*54925bf6Swillf } 1641*54925bf6Swillf oldadmindns[j] = NULL; 1642*54925bf6Swillf } 1643*54925bf6Swillf } 1644*54925bf6Swillf } 1645*54925bf6Swillf 1646*54925bf6Swillf rightsmask = 0; 1647*54925bf6Swillf rightsmask |= LDAP_REALM_RIGHTS; 1648*54925bf6Swillf rightsmask |= LDAP_SUBTREE_RIGHTS; 1649*54925bf6Swillf /* Remove the rights on the old subtrees */ 1650*54925bf6Swillf if (oldadmindns) { 1651*54925bf6Swillf for (i=0; (oldadmindns[i] != NULL); i++) { 1652*54925bf6Swillf 1653*54925bf6Swillf if ((retval=krb5_ldap_delete_service_rights(util_context, 1654*54925bf6Swillf LDAP_ADMIN_SERVICE, oldadmindns[i], 1655*54925bf6Swillf rparams->realm_name, oldsubtrees, rightsmask)) != 0) { 1656*54925bf6Swillf printf(gettext("failed\n")); 1657*54925bf6Swillf com_err(argv[0], retval, gettext("while assigning rights '%s'"), 1658*54925bf6Swillf rparams->realm_name); 1659*54925bf6Swillf goto err_nomsg; 1660*54925bf6Swillf } 1661*54925bf6Swillf } 1662*54925bf6Swillf } 1663*54925bf6Swillf 1664*54925bf6Swillf rightsmask = 0; 1665*54925bf6Swillf rightsmask |= LDAP_REALM_RIGHTS; 1666*54925bf6Swillf rightsmask |= LDAP_SUBTREE_RIGHTS; 1667*54925bf6Swillf /* Add rights on the new subtree for all the kdc dns */ 1668*54925bf6Swillf if (newadmindns) { 1669*54925bf6Swillf for (i=0; (newadmindns[i] != NULL); i++) { 1670*54925bf6Swillf 1671*54925bf6Swillf if ((retval=krb5_ldap_add_service_rights(util_context, 1672*54925bf6Swillf LDAP_ADMIN_SERVICE, newadmindns[i], 1673*54925bf6Swillf rparams->realm_name, rparams->subtree, rightsmask)) != 0) { 1674*54925bf6Swillf printf(gettext("failed\n")); 1675*54925bf6Swillf com_err(argv[0], retval, gettext("while assigning rights to '%s'"), 1676*54925bf6Swillf rparams->realm_name); 1677*54925bf6Swillf goto err_nomsg; 1678*54925bf6Swillf } 1679*54925bf6Swillf } 1680*54925bf6Swillf } 1681*54925bf6Swillf } 1682*54925bf6Swillf 1683*54925bf6Swillf 1684*54925bf6Swillf if ((mask & LDAP_REALM_SUBTREE) || (mask & LDAP_REALM_PASSWDSERVERS)) { 1685*54925bf6Swillf 1686*54925bf6Swillf newpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); 1687*54925bf6Swillf if (newpwddns == NULL) { 1688*54925bf6Swillf retval = ENOMEM; 1689*54925bf6Swillf goto cleanup; 1690*54925bf6Swillf } 1691*54925bf6Swillf 1692*54925bf6Swillf if ((rparams != NULL) && (rparams->passwdservers != NULL)) { 1693*54925bf6Swillf for (j=0; rparams->passwdservers[j]!= NULL; j++) { 1694*54925bf6Swillf newpwddns[j] = strdup(rparams->passwdservers[j]); 1695*54925bf6Swillf if (newpwddns[j] == NULL) { 1696*54925bf6Swillf retval = ENOMEM; 1697*54925bf6Swillf goto cleanup; 1698*54925bf6Swillf } 1699*54925bf6Swillf } 1700*54925bf6Swillf newpwddns[j] = NULL; 1701*54925bf6Swillf } 1702*54925bf6Swillf 1703*54925bf6Swillf if (!subtree_changed) { 1704*54925bf6Swillf disjoint_members(oldpwddns, newpwddns); 1705*54925bf6Swillf } else { /* Only the subtrees was changed. Remove the rights on the old subtrees. */ 1706*54925bf6Swillf if (!(mask & LDAP_REALM_ADMINSERVERS)) { 1707*54925bf6Swillf 1708*54925bf6Swillf oldpwddns = (char**) calloc(MAX_LIST_ENTRIES, sizeof(char*)); 1709*54925bf6Swillf if (oldpwddns == NULL) { 1710*54925bf6Swillf retval = ENOMEM; 1711*54925bf6Swillf goto cleanup; 1712*54925bf6Swillf } 1713*54925bf6Swillf 1714*54925bf6Swillf if ((rparams != NULL) && (rparams->passwdservers != NULL)) { 1715*54925bf6Swillf for (j=0; rparams->passwdservers[j]!= NULL; j++) { 1716*54925bf6Swillf oldpwddns[j] = strdup(rparams->passwdservers[j]); 1717*54925bf6Swillf if (oldpwddns[j] == NULL) { 1718*54925bf6Swillf retval = ENOMEM; 1719*54925bf6Swillf goto cleanup; 1720*54925bf6Swillf } 1721*54925bf6Swillf } 1722*54925bf6Swillf oldpwddns[j] = NULL; 1723*54925bf6Swillf } 1724*54925bf6Swillf } 1725*54925bf6Swillf } 1726*54925bf6Swillf 1727*54925bf6Swillf rightsmask =0; 1728*54925bf6Swillf rightsmask |= LDAP_REALM_RIGHTS; 1729*54925bf6Swillf rightsmask |= LDAP_SUBTREE_RIGHTS; 1730*54925bf6Swillf /* Remove the rights on the old subtrees */ 1731*54925bf6Swillf if (oldpwddns) { 1732*54925bf6Swillf for (i=0; (oldpwddns[i] != NULL); i++) { 1733*54925bf6Swillf if ((retval = krb5_ldap_delete_service_rights(util_context, 1734*54925bf6Swillf LDAP_PASSWD_SERVICE, oldpwddns[i], 1735*54925bf6Swillf rparams->realm_name, oldsubtrees, rightsmask))) { 1736*54925bf6Swillf printf(gettext("failed\n")); 1737*54925bf6Swillf com_err(argv[0], retval, gettext("while assigning rights '%s'"), 1738*54925bf6Swillf rparams->realm_name); 1739*54925bf6Swillf goto err_nomsg; 1740*54925bf6Swillf } 1741*54925bf6Swillf } 1742*54925bf6Swillf } 1743*54925bf6Swillf 1744*54925bf6Swillf rightsmask =0; 1745*54925bf6Swillf rightsmask |= LDAP_REALM_RIGHTS; 1746*54925bf6Swillf rightsmask |= LDAP_SUBTREE_RIGHTS; 1747*54925bf6Swillf /* Add rights on the new subtree for all the kdc dns */ 1748*54925bf6Swillf if (newpwddns) { 1749*54925bf6Swillf for (i=0; (newpwddns[i] != NULL); i++) { 1750*54925bf6Swillf if ((retval = krb5_ldap_add_service_rights(util_context, 1751*54925bf6Swillf LDAP_PASSWD_SERVICE, newpwddns[i], 1752*54925bf6Swillf rparams->realm_name, rparams->subtree, rightsmask))) { 1753*54925bf6Swillf printf(gettext("failed\n")); 1754*54925bf6Swillf com_err(argv[0], retval, gettext("while assigning rights to '%s'"), 1755*54925bf6Swillf rparams->realm_name); 1756*54925bf6Swillf goto err_nomsg; 1757*54925bf6Swillf } 1758*54925bf6Swillf } 1759*54925bf6Swillf } 1760*54925bf6Swillf } 1761*54925bf6Swillf 1762*54925bf6Swillf printf(gettext("done\n")); 1763*54925bf6Swillf } 1764*54925bf6Swillf #endif 1765*54925bf6Swillf 1766*54925bf6Swillf goto cleanup; 1767*54925bf6Swillf 1768*54925bf6Swillf err_usage: 1769*54925bf6Swillf print_usage = TRUE; 1770*54925bf6Swillf 1771*54925bf6Swillf err_nomsg: 1772*54925bf6Swillf no_msg = TRUE; 1773*54925bf6Swillf 1774*54925bf6Swillf cleanup: 1775*54925bf6Swillf krb5_ldap_free_realm_params(rparams); 1776*54925bf6Swillf 1777*54925bf6Swillf 1778*54925bf6Swillf #ifdef HAVE_EDIRECTORY 1779*54925bf6Swillf if (oldkdcdns) { 1780*54925bf6Swillf for (i=0; oldkdcdns[i] != NULL; i++) 1781*54925bf6Swillf free(oldkdcdns[i]); 1782*54925bf6Swillf free(oldkdcdns); 1783*54925bf6Swillf } 1784*54925bf6Swillf if (oldpwddns) { 1785*54925bf6Swillf for (i=0; oldpwddns[i] != NULL; i++) 1786*54925bf6Swillf free(oldpwddns[i]); 1787*54925bf6Swillf free(oldpwddns); 1788*54925bf6Swillf } 1789*54925bf6Swillf if (oldadmindns) { 1790*54925bf6Swillf for (i=0; oldadmindns[i] != NULL; i++) 1791*54925bf6Swillf free(oldadmindns[i]); 1792*54925bf6Swillf free(oldadmindns); 1793*54925bf6Swillf } 1794*54925bf6Swillf if (newkdcdns) { 1795*54925bf6Swillf for (i=0; newkdcdns[i] != NULL; i++) 1796*54925bf6Swillf free(newkdcdns[i]); 1797*54925bf6Swillf free(newkdcdns); 1798*54925bf6Swillf } 1799*54925bf6Swillf if (newpwddns) { 1800*54925bf6Swillf for (i=0; newpwddns[i] != NULL; i++) 1801*54925bf6Swillf free(newpwddns[i]); 1802*54925bf6Swillf free(newpwddns); 1803*54925bf6Swillf } 1804*54925bf6Swillf if (newadmindns) { 1805*54925bf6Swillf for (i=0; newadmindns[i] != NULL; i++) 1806*54925bf6Swillf free(newadmindns[i]); 1807*54925bf6Swillf free(newadmindns); 1808*54925bf6Swillf } 1809*54925bf6Swillf if (oldsubtrees) { 1810*54925bf6Swillf for (i=0;oldsubtrees[i]!=NULL; i++) 1811*54925bf6Swillf free(oldsubtrees[i]); 1812*54925bf6Swillf free(oldsubtrees); 1813*54925bf6Swillf } 1814*54925bf6Swillf if (newsubtrees) { 1815*54925bf6Swillf for (i=0;newsubtrees[i]!=NULL; i++) 1816*54925bf6Swillf free(newsubtrees[i]); 1817*54925bf6Swillf free(oldsubtrees); 1818*54925bf6Swillf } 1819*54925bf6Swillf #endif 1820*54925bf6Swillf if (print_usage) { 1821*54925bf6Swillf db_usage(MODIFY_REALM); 1822*54925bf6Swillf } 1823*54925bf6Swillf 1824*54925bf6Swillf if (retval) { 1825*54925bf6Swillf if (!no_msg) 1826*54925bf6Swillf com_err(argv[0], retval, gettext("while modifying information of realm '%s'"), 1827*54925bf6Swillf global_params.realm); 1828*54925bf6Swillf exit_status++; 1829*54925bf6Swillf } 1830*54925bf6Swillf 1831*54925bf6Swillf return; 1832*54925bf6Swillf } 1833*54925bf6Swillf 1834*54925bf6Swillf 1835*54925bf6Swillf 1836*54925bf6Swillf /* 1837*54925bf6Swillf * This function displays the attributes of a Realm 1838*54925bf6Swillf */ 1839*54925bf6Swillf void kdb5_ldap_view(argc, argv) 1840*54925bf6Swillf int argc; 1841*54925bf6Swillf char *argv[]; 1842*54925bf6Swillf { 1843*54925bf6Swillf krb5_ldap_realm_params *rparams = NULL; 1844*54925bf6Swillf krb5_error_code retval = 0; 1845*54925bf6Swillf kdb5_dal_handle *dal_handle=NULL; 1846*54925bf6Swillf krb5_ldap_context *ldap_context=NULL; 1847*54925bf6Swillf int mask = 0; 1848*54925bf6Swillf 1849*54925bf6Swillf dal_handle = (kdb5_dal_handle *) util_context->db_context; 1850*54925bf6Swillf ldap_context = (krb5_ldap_context *) dal_handle->db_context; 1851*54925bf6Swillf if (!(ldap_context)) { 1852*54925bf6Swillf retval = EINVAL; 1853*54925bf6Swillf com_err(argv[0], retval, gettext("while initializing database")); 1854*54925bf6Swillf exit_status++; 1855*54925bf6Swillf return; 1856*54925bf6Swillf } 1857*54925bf6Swillf 1858*54925bf6Swillf /* Read the kerberos container information */ 1859*54925bf6Swillf if ((retval = krb5_ldap_read_krbcontainer_params(util_context, 1860*54925bf6Swillf &(ldap_context->krbcontainer))) != 0) { 1861*54925bf6Swillf com_err(argv[0], retval, gettext("while reading kerberos container information")); 1862*54925bf6Swillf exit_status++; 1863*54925bf6Swillf return; 1864*54925bf6Swillf } 1865*54925bf6Swillf 1866*54925bf6Swillf if ((retval = krb5_ldap_read_realm_params(util_context, 1867*54925bf6Swillf global_params.realm, &rparams, &mask)) || (!rparams)) { 1868*54925bf6Swillf com_err(argv[0], retval, gettext("while reading information of realm '%s'"), 1869*54925bf6Swillf global_params.realm); 1870*54925bf6Swillf exit_status++; 1871*54925bf6Swillf return; 1872*54925bf6Swillf } 1873*54925bf6Swillf print_realm_params(rparams, mask); 1874*54925bf6Swillf krb5_ldap_free_realm_params(rparams); 1875*54925bf6Swillf 1876*54925bf6Swillf return; 1877*54925bf6Swillf } 1878*54925bf6Swillf 1879*54925bf6Swillf static char *strdur(duration) 1880*54925bf6Swillf time_t duration; 1881*54925bf6Swillf { 1882*54925bf6Swillf static char out[50]; 1883*54925bf6Swillf int neg, days, hours, minutes, seconds; 1884*54925bf6Swillf 1885*54925bf6Swillf if (duration < 0) { 1886*54925bf6Swillf duration *= -1; 1887*54925bf6Swillf neg = 1; 1888*54925bf6Swillf } else 1889*54925bf6Swillf neg = 0; 1890*54925bf6Swillf days = duration / (24 * 3600); 1891*54925bf6Swillf duration %= 24 * 3600; 1892*54925bf6Swillf hours = duration / 3600; 1893*54925bf6Swillf duration %= 3600; 1894*54925bf6Swillf minutes = duration / 60; 1895*54925bf6Swillf duration %= 60; 1896*54925bf6Swillf seconds = duration; 1897*54925bf6Swillf snprintf(out, sizeof(out), "%s%d %s %02d:%02d:%02d", neg ? "-" : "", 1898*54925bf6Swillf days, days == 1 ? gettext("day") : gettext("days"), 1899*54925bf6Swillf hours, minutes, seconds); 1900*54925bf6Swillf return out; 1901*54925bf6Swillf } 1902*54925bf6Swillf 1903*54925bf6Swillf /* 1904*54925bf6Swillf * This function prints the attributes of a given realm to the 1905*54925bf6Swillf * standard output. 1906*54925bf6Swillf */ 1907*54925bf6Swillf static void print_realm_params(krb5_ldap_realm_params *rparams, int mask) 1908*54925bf6Swillf { 1909*54925bf6Swillf char **slist = NULL; 1910*54925bf6Swillf int num_entry_printed = 0, i = 0; 1911*54925bf6Swillf 1912*54925bf6Swillf /* Print the Realm Attributes on the standard output */ 1913*54925bf6Swillf printf("%25s: %-50s\n", gettext("Realm Name"), global_params.realm); 1914*54925bf6Swillf if (mask & LDAP_REALM_SUBTREE) { 1915*54925bf6Swillf for (i=0; rparams->subtree[i]!=NULL; i++) 1916*54925bf6Swillf printf("%25s: %-50s\n", gettext("Subtree"), rparams->subtree[i]); 1917*54925bf6Swillf } 1918*54925bf6Swillf if (mask & LDAP_REALM_CONTREF) 1919*54925bf6Swillf printf("%25s: %-50s\n", gettext("Principal Container Reference"), rparams->containerref); 1920*54925bf6Swillf if (mask & LDAP_REALM_SEARCHSCOPE) { 1921*54925bf6Swillf if ((rparams->search_scope != 1) && 1922*54925bf6Swillf (rparams->search_scope != 2)) { 1923*54925bf6Swillf printf("%25s: %-50s\n", gettext("SearchScope"), gettext("Invalid !")); 1924*54925bf6Swillf } else { 1925*54925bf6Swillf printf("%25s: %-50s\n", gettext("SearchScope"), 1926*54925bf6Swillf (rparams->search_scope == 1) ? gettext("ONE") : gettext("SUB")); 1927*54925bf6Swillf } 1928*54925bf6Swillf } 1929*54925bf6Swillf if (mask & LDAP_REALM_KDCSERVERS) { 1930*54925bf6Swillf printf("%25s:", gettext("KDC Services")); 1931*54925bf6Swillf if (rparams->kdcservers != NULL) { 1932*54925bf6Swillf num_entry_printed = 0; 1933*54925bf6Swillf for (slist = rparams->kdcservers; *slist != NULL; slist++) { 1934*54925bf6Swillf if (num_entry_printed) 1935*54925bf6Swillf printf(" %25s %-50s\n", " ", *slist); 1936*54925bf6Swillf else 1937*54925bf6Swillf printf(" %-50s\n", *slist); 1938*54925bf6Swillf num_entry_printed++; 1939*54925bf6Swillf } 1940*54925bf6Swillf } 1941*54925bf6Swillf if (num_entry_printed == 0) 1942*54925bf6Swillf printf("\n"); 1943*54925bf6Swillf } 1944*54925bf6Swillf if (mask & LDAP_REALM_ADMINSERVERS) { 1945*54925bf6Swillf printf("%25s:", gettext("Admin Services")); 1946*54925bf6Swillf if (rparams->adminservers != NULL) { 1947*54925bf6Swillf num_entry_printed = 0; 1948*54925bf6Swillf for (slist = rparams->adminservers; *slist != NULL; slist++) { 1949*54925bf6Swillf if (num_entry_printed) 1950*54925bf6Swillf printf(" %25s %-50s\n", " ", *slist); 1951*54925bf6Swillf else 1952*54925bf6Swillf printf(" %-50s\n", *slist); 1953*54925bf6Swillf num_entry_printed++; 1954*54925bf6Swillf } 1955*54925bf6Swillf } 1956*54925bf6Swillf if (num_entry_printed == 0) 1957*54925bf6Swillf printf("\n"); 1958*54925bf6Swillf } 1959*54925bf6Swillf if (mask & LDAP_REALM_PASSWDSERVERS) { 1960*54925bf6Swillf printf("%25s:", gettext("Passwd Services")); 1961*54925bf6Swillf if (rparams->passwdservers != NULL) { 1962*54925bf6Swillf num_entry_printed = 0; 1963*54925bf6Swillf for (slist = rparams->passwdservers; *slist != NULL; slist++) { 1964*54925bf6Swillf if (num_entry_printed) 1965*54925bf6Swillf printf(" %25s %-50s\n", " ", *slist); 1966*54925bf6Swillf else 1967*54925bf6Swillf printf(" %-50s\n", *slist); 1968*54925bf6Swillf num_entry_printed++; 1969*54925bf6Swillf } 1970*54925bf6Swillf } 1971*54925bf6Swillf if (num_entry_printed == 0) 1972*54925bf6Swillf printf("\n"); 1973*54925bf6Swillf } 1974*54925bf6Swillf if (mask & LDAP_REALM_MAXTICKETLIFE) { 1975*54925bf6Swillf printf("%25s:", gettext("Maximum Ticket Life")); 1976*54925bf6Swillf printf(" %s \n", strdur(rparams->max_life)); 1977*54925bf6Swillf } 1978*54925bf6Swillf 1979*54925bf6Swillf if (mask & LDAP_REALM_MAXRENEWLIFE) { 1980*54925bf6Swillf printf("%25s:", gettext("Maximum Renewable Life")); 1981*54925bf6Swillf printf(" %s \n", strdur(rparams->max_renewable_life)); 1982*54925bf6Swillf } 1983*54925bf6Swillf 1984*54925bf6Swillf if (mask & LDAP_REALM_KRBTICKETFLAGS) { 1985*54925bf6Swillf int ticketflags = rparams->tktflags; 1986*54925bf6Swillf 1987*54925bf6Swillf printf("%25s: ", gettext("Ticket flags")); 1988*54925bf6Swillf if (ticketflags & KRB5_KDB_DISALLOW_POSTDATED) 1989*54925bf6Swillf printf("%s ","DISALLOW_POSTDATED"); 1990*54925bf6Swillf 1991*54925bf6Swillf if (ticketflags & KRB5_KDB_DISALLOW_FORWARDABLE) 1992*54925bf6Swillf printf("%s ","DISALLOW_FORWARDABLE"); 1993*54925bf6Swillf 1994*54925bf6Swillf if (ticketflags & KRB5_KDB_DISALLOW_RENEWABLE) 1995*54925bf6Swillf printf("%s ","DISALLOW_RENEWABLE"); 1996*54925bf6Swillf 1997*54925bf6Swillf if (ticketflags & KRB5_KDB_DISALLOW_PROXIABLE) 1998*54925bf6Swillf printf("%s ","DISALLOW_PROXIABLE"); 1999*54925bf6Swillf 2000*54925bf6Swillf if (ticketflags & KRB5_KDB_DISALLOW_DUP_SKEY) 2001*54925bf6Swillf printf("%s ","DISALLOW_DUP_SKEY"); 2002*54925bf6Swillf 2003*54925bf6Swillf if (ticketflags & KRB5_KDB_REQUIRES_PRE_AUTH) 2004*54925bf6Swillf printf("%s ","REQUIRES_PRE_AUTH"); 2005*54925bf6Swillf 2006*54925bf6Swillf if (ticketflags & KRB5_KDB_REQUIRES_HW_AUTH) 2007*54925bf6Swillf printf("%s ","REQUIRES_HW_AUTH"); 2008*54925bf6Swillf 2009*54925bf6Swillf if (ticketflags & KRB5_KDB_DISALLOW_SVR) 2010*54925bf6Swillf printf("%s ","DISALLOW_SVR"); 2011*54925bf6Swillf 2012*54925bf6Swillf if (ticketflags & KRB5_KDB_DISALLOW_TGT_BASED) 2013*54925bf6Swillf printf("%s ","DISALLOW_TGT_BASED"); 2014*54925bf6Swillf 2015*54925bf6Swillf if (ticketflags & KRB5_KDB_DISALLOW_ALL_TIX) 2016*54925bf6Swillf printf("%s ","DISALLOW_ALL_TIX"); 2017*54925bf6Swillf 2018*54925bf6Swillf if (ticketflags & KRB5_KDB_REQUIRES_PWCHANGE) 2019*54925bf6Swillf printf("%s ","REQUIRES_PWCHANGE"); 2020*54925bf6Swillf 2021*54925bf6Swillf if (ticketflags & KRB5_KDB_PWCHANGE_SERVICE) 2022*54925bf6Swillf printf("%s ","PWCHANGE_SERVICE"); 2023*54925bf6Swillf 2024*54925bf6Swillf printf("\n"); 2025*54925bf6Swillf } 2026*54925bf6Swillf 2027*54925bf6Swillf 2028*54925bf6Swillf return; 2029*54925bf6Swillf } 2030*54925bf6Swillf 2031*54925bf6Swillf 2032*54925bf6Swillf 2033*54925bf6Swillf /* 2034*54925bf6Swillf * This function lists the Realm(s) present under the Kerberos container 2035*54925bf6Swillf * on the LDAP Server. 2036*54925bf6Swillf */ 2037*54925bf6Swillf void kdb5_ldap_list(argc, argv) 2038*54925bf6Swillf int argc; 2039*54925bf6Swillf char *argv[]; 2040*54925bf6Swillf { 2041*54925bf6Swillf char **list = NULL; 2042*54925bf6Swillf char **plist = NULL; 2043*54925bf6Swillf krb5_error_code retval = 0; 2044*54925bf6Swillf kdb5_dal_handle *dal_handle=NULL; 2045*54925bf6Swillf krb5_ldap_context *ldap_context=NULL; 2046*54925bf6Swillf 2047*54925bf6Swillf dal_handle = (kdb5_dal_handle *)util_context->db_context; 2048*54925bf6Swillf ldap_context = (krb5_ldap_context *) dal_handle->db_context; 2049*54925bf6Swillf if (!(ldap_context)) { 2050*54925bf6Swillf retval = EINVAL; 2051*54925bf6Swillf exit_status++; 2052*54925bf6Swillf return; 2053*54925bf6Swillf } 2054*54925bf6Swillf 2055*54925bf6Swillf /* Read the kerberos container information */ 2056*54925bf6Swillf if ((retval = krb5_ldap_read_krbcontainer_params(util_context, 2057*54925bf6Swillf &(ldap_context->krbcontainer))) != 0) { 2058*54925bf6Swillf com_err(argv[0], retval, gettext("while reading kerberos container information")); 2059*54925bf6Swillf exit_status++; 2060*54925bf6Swillf return; 2061*54925bf6Swillf } 2062*54925bf6Swillf 2063*54925bf6Swillf retval = krb5_ldap_list_realm(util_context, &list); 2064*54925bf6Swillf if (retval != 0) { 2065*54925bf6Swillf krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer); 2066*54925bf6Swillf ldap_context->krbcontainer = NULL; 2067*54925bf6Swillf com_err (argv[0], retval, gettext("while listing realms")); 2068*54925bf6Swillf exit_status++; 2069*54925bf6Swillf return; 2070*54925bf6Swillf } 2071*54925bf6Swillf /* This is to handle the case of realm not present */ 2072*54925bf6Swillf if (list == NULL) { 2073*54925bf6Swillf krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer); 2074*54925bf6Swillf ldap_context->krbcontainer = NULL; 2075*54925bf6Swillf return; 2076*54925bf6Swillf } 2077*54925bf6Swillf 2078*54925bf6Swillf for (plist = list; *plist != NULL; plist++) { 2079*54925bf6Swillf printf("%s\n", *plist); 2080*54925bf6Swillf } 2081*54925bf6Swillf krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer); 2082*54925bf6Swillf ldap_context->krbcontainer = NULL; 2083*54925bf6Swillf krb5_free_list_entries(list); 2084*54925bf6Swillf free(list); 2085*54925bf6Swillf 2086*54925bf6Swillf return; 2087*54925bf6Swillf } 2088*54925bf6Swillf 2089*54925bf6Swillf /* 2090*54925bf6Swillf * Duplicating the following two functions here because 2091*54925bf6Swillf * 'krb5_dbe_update_tl_data' uses backend specific memory allocation. The catch 2092*54925bf6Swillf * here is that the backend is not initialized - kdb5_ldap_util doesn't go 2093*54925bf6Swillf * through DAL. 2094*54925bf6Swillf * 1. krb5_dbe_update_tl_data 2095*54925bf6Swillf * 2. krb5_dbe_update_mod_princ_data 2096*54925bf6Swillf */ 2097*54925bf6Swillf 2098*54925bf6Swillf /* Start duplicate code ... */ 2099*54925bf6Swillf 2100*54925bf6Swillf static krb5_error_code 2101*54925bf6Swillf krb5_dbe_update_tl_data_new(context, entry, new_tl_data) 2102*54925bf6Swillf krb5_context context; 2103*54925bf6Swillf krb5_db_entry *entry; 2104*54925bf6Swillf krb5_tl_data *new_tl_data; 2105*54925bf6Swillf { 2106*54925bf6Swillf krb5_tl_data *tl_data = NULL; 2107*54925bf6Swillf krb5_octet *tmp; 2108*54925bf6Swillf 2109*54925bf6Swillf /* copy the new data first, so we can fail cleanly if malloc() 2110*54925bf6Swillf * fails */ 2111*54925bf6Swillf /* 2112*54925bf6Swillf if ((tmp = 2113*54925bf6Swillf (krb5_octet *) krb5_db_alloc(context, NULL, 2114*54925bf6Swillf new_tl_data->tl_data_length)) == NULL) 2115*54925bf6Swillf */ 2116*54925bf6Swillf if ((tmp = (krb5_octet *) malloc (new_tl_data->tl_data_length)) == NULL) 2117*54925bf6Swillf return (ENOMEM); 2118*54925bf6Swillf 2119*54925bf6Swillf /* Find an existing entry of the specified type and point at 2120*54925bf6Swillf * it, or NULL if not found */ 2121*54925bf6Swillf 2122*54925bf6Swillf if (new_tl_data->tl_data_type != KRB5_TL_DB_ARGS) { /* db_args can be multiple */ 2123*54925bf6Swillf for (tl_data = entry->tl_data; tl_data; 2124*54925bf6Swillf tl_data = tl_data->tl_data_next) 2125*54925bf6Swillf if (tl_data->tl_data_type == new_tl_data->tl_data_type) 2126*54925bf6Swillf break; 2127*54925bf6Swillf } 2128*54925bf6Swillf 2129*54925bf6Swillf /* if necessary, chain a new record in the beginning and point at it */ 2130*54925bf6Swillf 2131*54925bf6Swillf if (!tl_data) { 2132*54925bf6Swillf /* 2133*54925bf6Swillf if ((tl_data = 2134*54925bf6Swillf (krb5_tl_data *) krb5_db_alloc(context, NULL, 2135*54925bf6Swillf sizeof(krb5_tl_data))) 2136*54925bf6Swillf == NULL) { 2137*54925bf6Swillf */ 2138*54925bf6Swillf if ((tl_data = (krb5_tl_data *) malloc (sizeof(krb5_tl_data))) == NULL) { 2139*54925bf6Swillf free(tmp); 2140*54925bf6Swillf return (ENOMEM); 2141*54925bf6Swillf } 2142*54925bf6Swillf memset(tl_data, 0, sizeof(krb5_tl_data)); 2143*54925bf6Swillf tl_data->tl_data_next = entry->tl_data; 2144*54925bf6Swillf entry->tl_data = tl_data; 2145*54925bf6Swillf entry->n_tl_data++; 2146*54925bf6Swillf } 2147*54925bf6Swillf 2148*54925bf6Swillf /* fill in the record */ 2149*54925bf6Swillf 2150*54925bf6Swillf if (tl_data->tl_data_contents) 2151*54925bf6Swillf krb5_db_free(context, tl_data->tl_data_contents); 2152*54925bf6Swillf 2153*54925bf6Swillf tl_data->tl_data_type = new_tl_data->tl_data_type; 2154*54925bf6Swillf tl_data->tl_data_length = new_tl_data->tl_data_length; 2155*54925bf6Swillf tl_data->tl_data_contents = tmp; 2156*54925bf6Swillf memcpy(tmp, new_tl_data->tl_data_contents, tl_data->tl_data_length); 2157*54925bf6Swillf 2158*54925bf6Swillf return (0); 2159*54925bf6Swillf } 2160*54925bf6Swillf 2161*54925bf6Swillf static krb5_error_code 2162*54925bf6Swillf krb5_dbe_update_mod_princ_data_new(context, entry, mod_date, mod_princ) 2163*54925bf6Swillf krb5_context context; 2164*54925bf6Swillf krb5_db_entry * entry; 2165*54925bf6Swillf krb5_timestamp mod_date; 2166*54925bf6Swillf krb5_const_principal mod_princ; 2167*54925bf6Swillf { 2168*54925bf6Swillf krb5_tl_data tl_data; 2169*54925bf6Swillf 2170*54925bf6Swillf krb5_error_code retval = 0; 2171*54925bf6Swillf krb5_octet * nextloc = 0; 2172*54925bf6Swillf char * unparse_mod_princ = 0; 2173*54925bf6Swillf unsigned int unparse_mod_princ_size; 2174*54925bf6Swillf 2175*54925bf6Swillf if ((retval = krb5_unparse_name(context, mod_princ, 2176*54925bf6Swillf &unparse_mod_princ))) 2177*54925bf6Swillf return(retval); 2178*54925bf6Swillf 2179*54925bf6Swillf unparse_mod_princ_size = strlen(unparse_mod_princ) + 1; 2180*54925bf6Swillf 2181*54925bf6Swillf if ((nextloc = (krb5_octet *) malloc(unparse_mod_princ_size + 4)) 2182*54925bf6Swillf == NULL) { 2183*54925bf6Swillf free(unparse_mod_princ); 2184*54925bf6Swillf return(ENOMEM); 2185*54925bf6Swillf } 2186*54925bf6Swillf 2187*54925bf6Swillf tl_data.tl_data_type = KRB5_TL_MOD_PRINC; 2188*54925bf6Swillf tl_data.tl_data_length = unparse_mod_princ_size + 4; 2189*54925bf6Swillf tl_data.tl_data_contents = nextloc; 2190*54925bf6Swillf 2191*54925bf6Swillf /* Mod Date */ 2192*54925bf6Swillf krb5_kdb_encode_int32(mod_date, nextloc); 2193*54925bf6Swillf 2194*54925bf6Swillf /* Mod Princ */ 2195*54925bf6Swillf memcpy(nextloc+4, unparse_mod_princ, unparse_mod_princ_size); 2196*54925bf6Swillf 2197*54925bf6Swillf retval = krb5_dbe_update_tl_data_new(context, entry, &tl_data); 2198*54925bf6Swillf 2199*54925bf6Swillf free(unparse_mod_princ); 2200*54925bf6Swillf free(nextloc); 2201*54925bf6Swillf 2202*54925bf6Swillf return(retval); 2203*54925bf6Swillf } 2204*54925bf6Swillf 2205*54925bf6Swillf static krb5_error_code 2206*54925bf6Swillf kdb_ldap_tgt_keysalt_iterate(ksent, ptr) 2207*54925bf6Swillf krb5_key_salt_tuple *ksent; 2208*54925bf6Swillf krb5_pointer ptr; 2209*54925bf6Swillf { 2210*54925bf6Swillf krb5_context context; 2211*54925bf6Swillf krb5_error_code kret; 2212*54925bf6Swillf struct iterate_args *iargs; 2213*54925bf6Swillf krb5_keyblock key; 2214*54925bf6Swillf krb5_int32 ind; 2215*54925bf6Swillf krb5_data pwd; 2216*54925bf6Swillf krb5_db_entry *entry; 2217*54925bf6Swillf 2218*54925bf6Swillf iargs = (struct iterate_args *) ptr; 2219*54925bf6Swillf kret = 0; 2220*54925bf6Swillf 2221*54925bf6Swillf context = iargs->ctx; 2222*54925bf6Swillf entry = iargs->dbentp; 2223*54925bf6Swillf 2224*54925bf6Swillf /* 2225*54925bf6Swillf * Convert the master key password into a key for this particular 2226*54925bf6Swillf * encryption system. 2227*54925bf6Swillf */ 2228*54925bf6Swillf pwd.data = mkey_password; 2229*54925bf6Swillf pwd.length = strlen(mkey_password); 2230*54925bf6Swillf kret = krb5_c_random_seed(context, &pwd); 2231*54925bf6Swillf if (kret) 2232*54925bf6Swillf return kret; 2233*54925bf6Swillf 2234*54925bf6Swillf /*if (!(kret = krb5_dbe_create_key_data(iargs->ctx, iargs->dbentp))) {*/ 2235*54925bf6Swillf if ((entry->key_data = 2236*54925bf6Swillf (krb5_key_data *) realloc(entry->key_data, 2237*54925bf6Swillf (sizeof(krb5_key_data) * 2238*54925bf6Swillf (entry->n_key_data + 1)))) == NULL) 2239*54925bf6Swillf return (ENOMEM); 2240*54925bf6Swillf 2241*54925bf6Swillf memset(entry->key_data + entry->n_key_data, 0, sizeof(krb5_key_data)); 2242*54925bf6Swillf ind = entry->n_key_data++; 2243*54925bf6Swillf 2244*54925bf6Swillf if (!(kret = krb5_c_make_random_key(context, ksent->ks_enctype, 2245*54925bf6Swillf &key))) { 2246*54925bf6Swillf kret = krb5_dbekd_encrypt_key_data(context, 2247*54925bf6Swillf iargs->rblock->key, 2248*54925bf6Swillf &key, 2249*54925bf6Swillf NULL, 2250*54925bf6Swillf 1, 2251*54925bf6Swillf &entry->key_data[ind]); 2252*54925bf6Swillf krb5_free_keyblock_contents(context, &key); 2253*54925bf6Swillf } 2254*54925bf6Swillf /*}*/ 2255*54925bf6Swillf 2256*54925bf6Swillf return(kret); 2257*54925bf6Swillf } 2258*54925bf6Swillf /* End duplicate code */ 2259*54925bf6Swillf 2260*54925bf6Swillf /* 2261*54925bf6Swillf * This function creates service principals when 2262*54925bf6Swillf * creating the realm object. 2263*54925bf6Swillf */ 2264*54925bf6Swillf static int 2265*54925bf6Swillf kdb_ldap_create_principal (context, princ, op, pblock) 2266*54925bf6Swillf krb5_context context; 2267*54925bf6Swillf krb5_principal princ; 2268*54925bf6Swillf enum ap_op op; 2269*54925bf6Swillf struct realm_info *pblock; 2270*54925bf6Swillf { 2271*54925bf6Swillf int retval=0, currlen=0, princtype = 2 /* Service Principal */; 2272*54925bf6Swillf unsigned char *curr=NULL; 2273*54925bf6Swillf krb5_tl_data *tl_data=NULL; 2274*54925bf6Swillf krb5_db_entry entry; 2275*54925bf6Swillf int nentry=1; 2276*54925bf6Swillf long mask = 0; 2277*54925bf6Swillf krb5_keyblock key; 2278*54925bf6Swillf int kvno = 0; 2279*54925bf6Swillf kdb5_dal_handle *dal_handle = NULL; 2280*54925bf6Swillf krb5_ldap_context *ldap_context=NULL; 2281*54925bf6Swillf struct iterate_args iargs; 2282*54925bf6Swillf krb5_data *pdata; 2283*54925bf6Swillf 2284*54925bf6Swillf if ((pblock == NULL) || (context == NULL)) { 2285*54925bf6Swillf retval = EINVAL; 2286*54925bf6Swillf goto cleanup; 2287*54925bf6Swillf } 2288*54925bf6Swillf dal_handle = (kdb5_dal_handle *) context->db_context; 2289*54925bf6Swillf ldap_context = (krb5_ldap_context *) dal_handle->db_context; 2290*54925bf6Swillf if (!(ldap_context)) { 2291*54925bf6Swillf retval = EINVAL; 2292*54925bf6Swillf goto cleanup; 2293*54925bf6Swillf } 2294*54925bf6Swillf 2295*54925bf6Swillf memset(&entry, 0, sizeof(entry)); 2296*54925bf6Swillf 2297*54925bf6Swillf tl_data = malloc(sizeof(*tl_data)); 2298*54925bf6Swillf if (tl_data == NULL) { 2299*54925bf6Swillf retval = ENOMEM; 2300*54925bf6Swillf goto cleanup; 2301*54925bf6Swillf } 2302*54925bf6Swillf memset(tl_data, 0, sizeof(*tl_data)); 2303*54925bf6Swillf tl_data->tl_data_length = 1 + 2 + 2 + 1 + 2 + 4; 2304*54925bf6Swillf tl_data->tl_data_type = 7; /* KDB_TL_USER_INFO */ 2305*54925bf6Swillf curr = tl_data->tl_data_contents = malloc(tl_data->tl_data_length); 2306*54925bf6Swillf if (tl_data->tl_data_contents == NULL) { 2307*54925bf6Swillf retval = ENOMEM; 2308*54925bf6Swillf goto cleanup; 2309*54925bf6Swillf } 2310*54925bf6Swillf 2311*54925bf6Swillf memset(curr, 1, 1); /* Passing the mask as principal type */ 2312*54925bf6Swillf curr += 1; 2313*54925bf6Swillf currlen = 2; 2314*54925bf6Swillf STORE16_INT(curr, currlen); 2315*54925bf6Swillf curr += currlen; 2316*54925bf6Swillf STORE16_INT(curr, princtype); 2317*54925bf6Swillf curr += currlen; 2318*54925bf6Swillf 2319*54925bf6Swillf mask |= KADM5_PRINCIPAL; 2320*54925bf6Swillf mask |= KADM5_ATTRIBUTES ; 2321*54925bf6Swillf mask |= KADM5_MAX_LIFE ; 2322*54925bf6Swillf mask |= KADM5_MAX_RLIFE ; 2323*54925bf6Swillf mask |= KADM5_PRINC_EXPIRE_TIME ; 2324*54925bf6Swillf mask |= KADM5_KEY_DATA; 2325*54925bf6Swillf 2326*54925bf6Swillf entry.tl_data = tl_data; 2327*54925bf6Swillf entry.n_tl_data += 1; 2328*54925bf6Swillf /* Set the creator's name */ 2329*54925bf6Swillf { 2330*54925bf6Swillf krb5_timestamp now; 2331*54925bf6Swillf if ((retval = krb5_timeofday(context, &now))) 2332*54925bf6Swillf goto cleanup; 2333*54925bf6Swillf if ((retval = krb5_dbe_update_mod_princ_data_new(context, &entry, 2334*54925bf6Swillf now, &db_create_princ))) 2335*54925bf6Swillf goto cleanup; 2336*54925bf6Swillf } 2337*54925bf6Swillf entry.attributes = pblock->flags; 2338*54925bf6Swillf entry.max_life = pblock->max_life; 2339*54925bf6Swillf entry.max_renewable_life = pblock->max_rlife; 2340*54925bf6Swillf entry.expiration = pblock->expiration; 2341*54925bf6Swillf entry.mask = mask; 2342*54925bf6Swillf if ((retval = krb5_copy_principal(context, princ, &entry.princ))) 2343*54925bf6Swillf goto cleanup; 2344*54925bf6Swillf 2345*54925bf6Swillf 2346*54925bf6Swillf switch (op) { 2347*54925bf6Swillf case TGT_KEY: 2348*54925bf6Swillf if ((pdata = krb5_princ_component(context, princ, 1)) && 2349*54925bf6Swillf pdata->length == strlen("history") && 2350*54925bf6Swillf !memcmp(pdata->data, "history", strlen("history"))) { 2351*54925bf6Swillf 2352*54925bf6Swillf /* Allocate memory for storing the key */ 2353*54925bf6Swillf if ((entry.key_data = (krb5_key_data *) malloc( 2354*54925bf6Swillf sizeof(krb5_key_data))) == NULL) { 2355*54925bf6Swillf retval = ENOMEM; 2356*54925bf6Swillf goto cleanup; 2357*54925bf6Swillf } 2358*54925bf6Swillf 2359*54925bf6Swillf memset(entry.key_data, 0, sizeof(krb5_key_data)); 2360*54925bf6Swillf entry.n_key_data++; 2361*54925bf6Swillf 2362*54925bf6Swillf retval = krb5_c_make_random_key(context, global_params.enctype, &key); 2363*54925bf6Swillf if (retval) { 2364*54925bf6Swillf goto cleanup; 2365*54925bf6Swillf } 2366*54925bf6Swillf kvno = 1; /* New key is getting set */ 2367*54925bf6Swillf retval = krb5_dbekd_encrypt_key_data(context, 2368*54925bf6Swillf &ldap_context->lrparams->mkey, 2369*54925bf6Swillf &key, NULL, kvno, 2370*54925bf6Swillf &entry.key_data[entry.n_key_data - 1]); 2371*54925bf6Swillf krb5_free_keyblock_contents(context, &key); 2372*54925bf6Swillf if (retval) { 2373*54925bf6Swillf goto cleanup; 2374*54925bf6Swillf } 2375*54925bf6Swillf } else { 2376*54925bf6Swillf /*retval = krb5_c_make_random_key(context, 16, &key) ;*/ 2377*54925bf6Swillf iargs.ctx = context; 2378*54925bf6Swillf iargs.rblock = pblock; 2379*54925bf6Swillf iargs.dbentp = &entry; 2380*54925bf6Swillf 2381*54925bf6Swillf /* 2382*54925bf6Swillf * create a set of random keys by iterating through the key/salt 2383*54925bf6Swillf * list, ignoring salt types. 2384*54925bf6Swillf */ 2385*54925bf6Swillf if ((retval = krb5_keysalt_iterate(pblock->kslist, 2386*54925bf6Swillf pblock->nkslist, 2387*54925bf6Swillf 1, 2388*54925bf6Swillf kdb_ldap_tgt_keysalt_iterate, 2389*54925bf6Swillf (krb5_pointer) &iargs))) 2390*54925bf6Swillf return retval; 2391*54925bf6Swillf } 2392*54925bf6Swillf break; 2393*54925bf6Swillf 2394*54925bf6Swillf case MASTER_KEY: 2395*54925bf6Swillf /* Allocate memory for storing the key */ 2396*54925bf6Swillf if ((entry.key_data = (krb5_key_data *) malloc( 2397*54925bf6Swillf sizeof(krb5_key_data))) == NULL) { 2398*54925bf6Swillf retval = ENOMEM; 2399*54925bf6Swillf goto cleanup; 2400*54925bf6Swillf } 2401*54925bf6Swillf 2402*54925bf6Swillf memset(entry.key_data, 0, sizeof(krb5_key_data)); 2403*54925bf6Swillf entry.n_key_data++; 2404*54925bf6Swillf kvno = 1; /* New key is getting set */ 2405*54925bf6Swillf retval = krb5_dbekd_encrypt_key_data(context, pblock->key, 2406*54925bf6Swillf &ldap_context->lrparams->mkey, 2407*54925bf6Swillf NULL, kvno, 2408*54925bf6Swillf &entry.key_data[entry.n_key_data - 1]); 2409*54925bf6Swillf if (retval) { 2410*54925bf6Swillf goto cleanup; 2411*54925bf6Swillf } 2412*54925bf6Swillf break; 2413*54925bf6Swillf 2414*54925bf6Swillf case NULL_KEY: 2415*54925bf6Swillf default: 2416*54925bf6Swillf break; 2417*54925bf6Swillf } /* end of switch */ 2418*54925bf6Swillf 2419*54925bf6Swillf retval = krb5_ldap_put_principal(context, &entry, &nentry, NULL); 2420*54925bf6Swillf if (retval) { 2421*54925bf6Swillf com_err(NULL, retval, gettext("while adding entries to database")); 2422*54925bf6Swillf goto cleanup; 2423*54925bf6Swillf } 2424*54925bf6Swillf 2425*54925bf6Swillf cleanup: 2426*54925bf6Swillf krb5_dbe_free_contents(context, &entry); 2427*54925bf6Swillf return retval; 2428*54925bf6Swillf } 2429*54925bf6Swillf 2430*54925bf6Swillf 2431*54925bf6Swillf /* 2432*54925bf6Swillf * This function destroys the realm object and the associated principals 2433*54925bf6Swillf */ 2434*54925bf6Swillf void 2435*54925bf6Swillf kdb5_ldap_destroy(argc, argv) 2436*54925bf6Swillf int argc; 2437*54925bf6Swillf char *argv[]; 2438*54925bf6Swillf { 2439*54925bf6Swillf extern char *optarg; 2440*54925bf6Swillf extern int optind; 2441*54925bf6Swillf int optchar = 0; 2442*54925bf6Swillf char buf[5] = {0}; 2443*54925bf6Swillf krb5_error_code retval = 0; 2444*54925bf6Swillf int force = 0; 2445*54925bf6Swillf int mask = 0; 2446*54925bf6Swillf kdb5_dal_handle *dal_handle = NULL; 2447*54925bf6Swillf krb5_ldap_context *ldap_context = NULL; 2448*54925bf6Swillf #ifdef HAVE_EDIRECTORY 2449*54925bf6Swillf int i = 0, rightsmask = 0; 2450*54925bf6Swillf krb5_ldap_realm_params *rparams = NULL; 2451*54925bf6Swillf #endif 2452*54925bf6Swillf /* Solaris Kerberos: to remove stash file */ 2453*54925bf6Swillf char *stash_file = NULL; 2454*54925bf6Swillf struct stat stb; 2455*54925bf6Swillf 2456*54925bf6Swillf optind = 1; 2457*54925bf6Swillf while ((optchar = getopt(argc, argv, "f")) != -1) { 2458*54925bf6Swillf switch (optchar) { 2459*54925bf6Swillf case 'f': 2460*54925bf6Swillf force++; 2461*54925bf6Swillf break; 2462*54925bf6Swillf case '?': 2463*54925bf6Swillf default: 2464*54925bf6Swillf db_usage(DESTROY_REALM); 2465*54925bf6Swillf return; 2466*54925bf6Swillf /*NOTREACHED*/ 2467*54925bf6Swillf } 2468*54925bf6Swillf } 2469*54925bf6Swillf 2470*54925bf6Swillf if (!force) { 2471*54925bf6Swillf printf(gettext("Deleting KDC database of '%s', are you sure?\n"), global_params.realm); 2472*54925bf6Swillf printf(gettext("(type 'yes' to confirm)? ")); 2473*54925bf6Swillf if (fgets(buf, sizeof(buf), stdin) == NULL) { 2474*54925bf6Swillf exit_status++; 2475*54925bf6Swillf return; 2476*54925bf6Swillf } 2477*54925bf6Swillf if (strcmp(buf, yes)) { 2478*54925bf6Swillf exit_status++; 2479*54925bf6Swillf return; 2480*54925bf6Swillf } 2481*54925bf6Swillf printf(gettext("OK, deleting database of '%s'...\n"), global_params.realm); 2482*54925bf6Swillf } 2483*54925bf6Swillf 2484*54925bf6Swillf dal_handle = (kdb5_dal_handle *)util_context->db_context; 2485*54925bf6Swillf ldap_context = (krb5_ldap_context *) dal_handle->db_context; 2486*54925bf6Swillf if (!(ldap_context)) { 2487*54925bf6Swillf com_err(argv[0], EINVAL, gettext("while initializing database")); 2488*54925bf6Swillf exit_status++; 2489*54925bf6Swillf return; 2490*54925bf6Swillf } 2491*54925bf6Swillf 2492*54925bf6Swillf /* Read the kerberos container from the LDAP Server */ 2493*54925bf6Swillf if ((retval = krb5_ldap_read_krbcontainer_params(util_context, 2494*54925bf6Swillf &(ldap_context->krbcontainer))) != 0) { 2495*54925bf6Swillf com_err(argv[0], retval, gettext("while reading kerberos container information")); 2496*54925bf6Swillf exit_status++; 2497*54925bf6Swillf return; 2498*54925bf6Swillf } 2499*54925bf6Swillf 2500*54925bf6Swillf /* Read the Realm information from the LDAP Server */ 2501*54925bf6Swillf if ((retval = krb5_ldap_read_realm_params(util_context, global_params.realm, 2502*54925bf6Swillf &(ldap_context->lrparams), &mask)) != 0) { 2503*54925bf6Swillf com_err(argv[0], retval, gettext("while reading realm information")); 2504*54925bf6Swillf exit_status++; 2505*54925bf6Swillf return; 2506*54925bf6Swillf } 2507*54925bf6Swillf 2508*54925bf6Swillf #ifdef HAVE_EDIRECTORY 2509*54925bf6Swillf if ((mask & LDAP_REALM_KDCSERVERS) || (mask & LDAP_REALM_ADMINSERVERS) || 2510*54925bf6Swillf (mask & LDAP_REALM_PASSWDSERVERS)) { 2511*54925bf6Swillf 2512*54925bf6Swillf printf(gettext("Changing rights for the service object. Please wait ... ")); 2513*54925bf6Swillf fflush(stdout); 2514*54925bf6Swillf 2515*54925bf6Swillf rparams = ldap_context->lrparams; 2516*54925bf6Swillf rightsmask = 0; 2517*54925bf6Swillf rightsmask |= LDAP_REALM_RIGHTS; 2518*54925bf6Swillf rightsmask |= LDAP_SUBTREE_RIGHTS; 2519*54925bf6Swillf if ((rparams != NULL) && (rparams->kdcservers != NULL)) { 2520*54925bf6Swillf for (i=0; (rparams->kdcservers[i] != NULL); i++) { 2521*54925bf6Swillf if ((retval = krb5_ldap_delete_service_rights(util_context, 2522*54925bf6Swillf LDAP_KDC_SERVICE, rparams->kdcservers[i], 2523*54925bf6Swillf rparams->realm_name, rparams->subtree, rightsmask)) != 0) { 2524*54925bf6Swillf printf(gettext("failed\n")); 2525*54925bf6Swillf com_err(argv[0], retval, gettext("while assigning rights to '%s'"), 2526*54925bf6Swillf rparams->realm_name); 2527*54925bf6Swillf return; 2528*54925bf6Swillf } 2529*54925bf6Swillf } 2530*54925bf6Swillf } 2531*54925bf6Swillf rightsmask = 0; 2532*54925bf6Swillf rightsmask |= LDAP_REALM_RIGHTS; 2533*54925bf6Swillf rightsmask |= LDAP_SUBTREE_RIGHTS; 2534*54925bf6Swillf if ((rparams != NULL) && (rparams->adminservers != NULL)) { 2535*54925bf6Swillf for (i=0; (rparams->adminservers[i] != NULL); i++) { 2536*54925bf6Swillf if ((retval = krb5_ldap_delete_service_rights(util_context, 2537*54925bf6Swillf LDAP_ADMIN_SERVICE, rparams->adminservers[i], 2538*54925bf6Swillf rparams->realm_name, rparams->subtree, rightsmask)) != 0) { 2539*54925bf6Swillf printf(gettext("failed\n")); 2540*54925bf6Swillf com_err(argv[0], retval, gettext("while assigning rights to '%s'"), 2541*54925bf6Swillf rparams->realm_name); 2542*54925bf6Swillf return; 2543*54925bf6Swillf } 2544*54925bf6Swillf } 2545*54925bf6Swillf } 2546*54925bf6Swillf rightsmask = 0; 2547*54925bf6Swillf rightsmask |= LDAP_REALM_RIGHTS; 2548*54925bf6Swillf rightsmask |= LDAP_SUBTREE_RIGHTS; 2549*54925bf6Swillf if ((rparams != NULL) && (rparams->passwdservers != NULL)) { 2550*54925bf6Swillf for (i=0; (rparams->passwdservers[i] != NULL); i++) { 2551*54925bf6Swillf if ((retval = krb5_ldap_delete_service_rights(util_context, 2552*54925bf6Swillf LDAP_PASSWD_SERVICE, rparams->passwdservers[i], 2553*54925bf6Swillf rparams->realm_name, rparams->subtree, rightsmask)) != 0) { 2554*54925bf6Swillf printf(gettext("failed\n")); 2555*54925bf6Swillf com_err(argv[0], retval, gettext("while assigning rights to '%s'"), 2556*54925bf6Swillf rparams->realm_name); 2557*54925bf6Swillf return; 2558*54925bf6Swillf } 2559*54925bf6Swillf } 2560*54925bf6Swillf } 2561*54925bf6Swillf printf(gettext("done\n")); 2562*54925bf6Swillf } 2563*54925bf6Swillf #endif 2564*54925bf6Swillf /* Delete the realm container and all the associated principals */ 2565*54925bf6Swillf retval = krb5_ldap_delete_realm(util_context, global_params.realm); 2566*54925bf6Swillf if (retval) { 2567*54925bf6Swillf com_err(argv[0], retval, gettext("deleting database of '%s'"), global_params.realm); 2568*54925bf6Swillf exit_status++; 2569*54925bf6Swillf return; 2570*54925bf6Swillf } 2571*54925bf6Swillf 2572*54925bf6Swillf /* 2573*54925bf6Swillf * Solaris Kerberos: check for a stash file and delete it if necessary 2574*54925bf6Swillf * This behavior exists in the Solaris version of kdb5_util destroy. 2575*54925bf6Swillf */ 2576*54925bf6Swillf if (global_params.stash_file == NULL) { 2577*54925bf6Swillf char stashbuf[MAXPATHLEN+1]; 2578*54925bf6Swillf int realm_len = strlen(global_params.realm); 2579*54925bf6Swillf 2580*54925bf6Swillf (void) strlcpy(stashbuf, DEFAULT_KEYFILE_STUB, sizeof (stashbuf)); 2581*54925bf6Swillf 2582*54925bf6Swillf if (realm_len <= (MAXPATHLEN-strlen(stashbuf))) { 2583*54925bf6Swillf (void) strncat(stashbuf, global_params.realm, 2584*54925bf6Swillf (MAXPATHLEN-strlen(stashbuf))); 2585*54925bf6Swillf } else { 2586*54925bf6Swillf com_err(argv[0], EINVAL, 2587*54925bf6Swillf gettext("can not determine stash file name for '%s'"), 2588*54925bf6Swillf global_params.realm); 2589*54925bf6Swillf exit_status++; 2590*54925bf6Swillf return; 2591*54925bf6Swillf } 2592*54925bf6Swillf stash_file = stashbuf; 2593*54925bf6Swillf } else { 2594*54925bf6Swillf stash_file = global_params.stash_file; 2595*54925bf6Swillf } 2596*54925bf6Swillf /* Make sure stash_file is a regular file before unlinking */ 2597*54925bf6Swillf if (stat(stash_file, &stb) == 0) { 2598*54925bf6Swillf if ((stb.st_mode & S_IFMT) == S_IFREG) { 2599*54925bf6Swillf (void)unlink(stash_file); 2600*54925bf6Swillf } else { 2601*54925bf6Swillf com_err(argv[0], EINVAL, 2602*54925bf6Swillf gettext("stash file '%s' not a regular file, can not delete"), 2603*54925bf6Swillf stash_file); 2604*54925bf6Swillf exit_status++; 2605*54925bf6Swillf return; 2606*54925bf6Swillf } 2607*54925bf6Swillf } else if (errno != ENOENT) { 2608*54925bf6Swillf /* 2609*54925bf6Swillf * If the error is something other than the file doesn't exist set an 2610*54925bf6Swillf * error. 2611*54925bf6Swillf */ 2612*54925bf6Swillf com_err(argv[0], EINVAL, 2613*54925bf6Swillf gettext("could not stat stash file '%s', could not delete"), 2614*54925bf6Swillf stash_file); 2615*54925bf6Swillf exit_status++; 2616*54925bf6Swillf return; 2617*54925bf6Swillf } 2618*54925bf6Swillf 2619*54925bf6Swillf printf(gettext("** Database of '%s' destroyed.\n"), global_params.realm); 2620*54925bf6Swillf 2621*54925bf6Swillf return; 2622*54925bf6Swillf } 2623