Date: Fri, 1 Aug 2014 18:24:32 -0400 From: Greg Hudson <ghudson@mit.edu> Message-Id: <201408012224.s71MOWZb027765@drugstore.mit.edu> To: cvs-krb5@mit.edu Reply-To: krbdev@mit.edu MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: cvs-krb5-bounces@mit.edu https://github.com/krb5/krb5/commit/0279b74c6744a8841eba8d16dbfbebb2592718e9 commit 0279b74c6744a8841eba8d16dbfbebb2592718e9 Author: Neng Xue <xnsuda@yahoo.com> Date: Fri Jul 11 16:04:42 2014 -0700 Add kiprop/<master-hostname> during KDB creation To reduce the number of steps in the deployment of iprop, create the kiprop/hostname principal for the master KDC during KDB creation. Adjust tests to match the new behavior. [ghudson@mit.edu: clarified commit message; avoided applying kadmin flags/lifetime to kiprop principal] ticket: 7979 (new) doc/admin/admin_commands/kadmind.rst | 5 +++-- doc/admin/database.rst | 4 +++- src/kadmin/dbutil/kadm5_create.c | 19 +++++++++++++++---- src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c | 7 +++++++ src/tests/dejagnu/config/default.exp | 14 +------------- src/tests/t_iprop.py | 1 - 6 files changed, 29 insertions(+), 21 deletions(-)
diff --git a/doc/admin/admin_commands/kadmind.rst b/doc/admin/admin_commands/kadmind.rst
index 88f5566..acf25e3 100644
--- a/doc/admin/admin_commands/kadmind.rst
+++ b/doc/admin/admin_commands/kadmind.rst
@@ -53,8 +53,9 @@ and policy updates incrementally instead of receiving full dumps of the database. This facility can be enabled in the :ref:`kdc.conf(5)` file with the **iprop_enable** option. Incremental propagation requires the principal ``kiprop/MASTER\@REALM`` (where MASTER is the
-master KDC's canonical host name, and REALM the realm name) to be
-registered in the database.
+master KDC's canonical host name, and REALM the realm name). In
+release 1.13, this principal is automatically created and registered
+into the datebase.
 OPTIONS
diff --git a/doc/admin/database.rst b/doc/admin/database.rst
index 0d8bfa5..c7abc1b 100644
--- a/doc/admin/database.rst
+++ b/doc/admin/database.rst
@@ -805,7 +805,9 @@ Both master and slave sides must have a principal named ``kiprop/hostname`` (where *hostname* is the lowercase, fully-qualified, canonical name for the host) registered in the Kerberos database, and have keys for that principal stored in the
-default keytab file (|keytab|).
+default keytab file (|keytab|). In release 1.13, the
+``kiprop/hostname`` principal is created automatically for the master
+KDC, but it must still be created for slave KDCs.
 On the master KDC side, the ``kiprop/hostname`` principal must be listed in the kadmind ACL file :ref:`kadm5.acl(5)`, and given the
diff --git a/src/kadmin/dbutil/kadm5_create.c b/src/kadmin/dbutil/kadm5_create.c
index fffc64d..159a419 100644
--- a/src/kadmin/dbutil/kadm5_create.c
+++ b/src/kadmin/dbutil/kadm5_create.c
@@ -145,7 +145,7 @@ int kadm5_create_magic_princs(kadm5_config_params *params,
 static int add_admin_princs(void *handle, krb5_context context, char *realm)
 {
 krb5_error_code ret = 0;
- char *service_name = 0, *p;
+ char *service_name = 0, *kiprop_name = 0, *p;
 char localname[MAXHOSTNAMELEN];
 struct addrinfo *ai, ai_hints;
 int gai_error;
@@ -191,6 +191,12 @@ static int add_admin_princs(void *handle, krb5_context context, char *realm)
 freeaddrinfo(ai);
 goto clean_and_exit;
 }
+ if (asprintf(&kiprop_name, "kiprop/%s", ai->ai_canonname) < 0) {
+ ret = ENOMEM;
+ fprintf(stderr, _("Out of memory\n"));
+ freeaddrinfo(ai);
+ goto clean_and_exit;
+ }
 freeaddrinfo(ai);
 if ((ret = add_admin_princ(handle, context,
@@ -212,8 +218,11 @@ static int add_admin_princs(void *handle, krb5_context context, char *realm)
 CHANGEPW_LIFETIME)))
 goto clean_and_exit;
+ ret = add_admin_princ(handle, context, kiprop_name, realm, 0, 0);
+
 clean_and_exit:
 free(service_name);
+ free(kiprop_name);
 return ret;
 }
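Review bot: The kiprop principal created at the end of add_admin_princs (hunk @@ -212) is passed attrs 0 and lifetime 0, unlike the kadmin principals above it (the kadmin/changepw call with CHANGEPW_LIFETIME is visible in the hunk context), and nothing at the call site says why; the commit message records the difference as deliberate, so record it in the code too, e.g. `/* Unlike the kadmin principals, kiprop/<host> gets default attributes and lifetime. */`. The bare `ret = add_admin_princ(handle, context, kiprop_name, realm, 0, 0);` also departs from the `if ((ret = ...)) goto clean_and_exit;` form used for the other calls; it is equivalent only because clean_and_exit follows immediately, and a reader may take the result as ignored, so either keep the established form or say in a comment that ret is returned as-is. The middle of add_admin_princs, between the @@ -145 and @@ -212 hunks, is outside the diff.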
@@ -253,6 +262,7 @@ int add_admin_princ(void *handle, krb5_context context,
 char *fullname;
 krb5_error_code ret;
 kadm5_principal_ent_rec ent;
+ long flags;
 memset(&ent, 0, sizeof(ent));
@@ -268,9 +278,10 @@ int add_admin_princ(void *handle, krb5_context context,
 ent.max_life = lifetime;
 ent.attributes = attrs;
- ret = kadm5_create_principal(handle, &ent,
- (KADM5_PRINCIPAL | KADM5_MAX_LIFE |
- KADM5_ATTRIBUTES), NULL);
+ flags = KADM5_PRINCIPAL | KADM5_ATTRIBUTES;
+ if (lifetime)
+ flags |= KADM5_MAX_LIFE;
+ ret = kadm5_create_principal(handle, &ent, flags, NULL);
 if (ret && ret != KADM5_DUP) {
 com_err(progname, ret, _("while creating principal %s"), fullname);
 krb5_free_principal(context, ent.principal);
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
index 4cbb57c..4d30700 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
@@ -371,6 +371,13 @@ create_special_princs(krb5_context context, krb5_principal master_princ,
 if (ret)
 return ret;
+ /* Create kiprop/<hostname>. */
+ rblock.max_life = global_params.max_life;
+ rblock.flags = 0;
+ ret = create_hostbased_special(context, &rblock, mkey, "kiprop");
+ if (ret)
+ return ret;
+
 /* Create kadmin/changepw. */
 rblock.max_life = CHANGEPW_LIFETIME;
 rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED | KRB5_KDB_PWCHANGE_SERVICE;
diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp
index 5d4bcfc..0c7a0c7 100644
--- a/src/tests/dejagnu/config/default.exp
+++ b/src/tests/dejagnu/config/default.exp
@@ -1254,7 +1254,7 @@ proc setup_kerberos_db { standalone } {
 }
 # Add an incremental-propagation service.
- set test "kadmin.local ank kiprop/$hostname"
+ set test "kadmin.local ank krbtest/fast"
 set body {
 if $failall {
 break
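Review bot: The new `if (lifetime) flags |= KADM5_MAX_LIFE;` in hunk @@ -268 changes the contract of add_admin_princ, which is non-static, for every caller: a lifetime of 0 used to be written through as max_life 0, and now leaves KADM5_MAX_LIFE out of the mask, so kadm5 presumably substitutes its configured default — worth confirming against kadm5_create_principal. Nothing in the hunk records this; the function's header comment, which is outside the hunk, should say something like `/* A lifetime of 0 omits KADM5_MAX_LIFE from the mask, so the kadm5 default max_life applies. */`. The context line `ent.max_life = lifetime;` is still executed in that case, which is harmless but reads as if the value were used; guarding it with the same `if (lifetime)` would make the intent explicit. add_admin_princ starts and ends outside the hunk.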
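Review bot: The context line `# Add an incremental-propagation service.` directly above the changed `set test` line in the default.exp hunk @@ -1254 no longer describes the block: the test is now named for krbtest/fast, and the second default.exp hunk shows that principal being added with `ank +requires_preauth`. Replace the comment with `# Add the krbtest/fast principal (requires_preauth).` so the comment and the test name agree. The enclosing proc setup_kerberos_db starts and ends outside the hunk.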
@@ -1264,18 +1264,6 @@ proc setup_kerberos_db { standalone } {
 expect_after $def_exp_after
 expect "kadmin.local: "
- send "ank kiprop/$hostname@$REALMNAME\r"
- # It echos...
- expect "ank kiprop/$hostname@$REALMNAME\r"
- expect "Enter password for principal \"kiprop/$hostname@$REALMNAME\":"
- send "kiproppass$KEY\r"
- expect "Re-enter password for principal \"kiprop/$hostname@$REALMNAME\":"
- send "kiproppass$KEY\r"
- expect {
- "Principal \"kiprop/$hostname@$REALMNAME\" created" { }
- "Principal or policy already exists while creating*" { }
- }
- expect "kadmin.local: "
 send "ank +requires_preauth krbtest/fast@$REALMNAME\r"
 expect "Enter password for principal \"krbtest/fast@$REALMNAME\":"
 send "adminpass$KEY\r"
diff --git a/src/tests/t_iprop.py b/src/tests/t_iprop.py
index d08081c..51e18a8 100644
--- a/src/tests/t_iprop.py
+++ b/src/tests/t_iprop.py
@@ -153,7 +153,6 @@ if not os.path.exists(ulog):
 # Create the principal used to authenticate kpropd to kadmind.
 kiprop_princ = 'kiprop/' + hostname
-realm.addprinc(kiprop_princ)
 realm.extract_keytab(kiprop_princ, realm.keytab)
 # Create the initial slave1 and slave2 databases.
_______________________________________________ cvs-krb5 mailing list cvs-krb5@mit.edu https://mailman.mit.edu/mailman/listinfo/cvs-krb5
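Review bot: With `realm.addprinc(kiprop_princ)` removed in the t_iprop.py hunk, the surviving context comment `# Create the principal used to authenticate kpropd to kadmind.` describes something this block no longer does; per the commit message the principal now comes into existence during KDB creation, and the block only extracts its keytab. Suggest `# Extract the keytab for kiprop/<hostname>, the principal kpropd uses to authenticate to kadmind (created with the KDB).` so a reader does not go looking for the creation step here.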