[28496] in CVS-changelog-for-Kerberos-V5
krb5 commit: Add kiprop/ during KDB creation
daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Aug 1 18:24:36 2014
Date: Fri, 1 Aug 2014 18:24:32 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201408012224.s71MOWZb027765@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/0279b74c6744a8841eba8d16dbfbebb2592718e9
commit 0279b74c6744a8841eba8d16dbfbebb2592718e9
Author: Neng Xue <xnsuda@yahoo.com>
Date: Fri Jul 11 16:04:42 2014 -0700
Add kiprop/<master-hostname> during KDB creation
To reduce the number of steps in the deployment of iprop, create the
kiprop/hostname principal for the master KDC during KDB creation.
Adjust tests to match the new behavior.
[ghudson@mit.edu: clarified commit message; avoided applying kadmin
flags/lifetime to kiprop principal]
ticket: 7979 (new)
doc/admin/admin_commands/kadmind.rst | 5 +++--
doc/admin/database.rst | 4 +++-
src/kadmin/dbutil/kadm5_create.c | 19 +++++++++++++++----
src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c | 7 +++++++
src/tests/dejagnu/config/default.exp | 14 +-------------
src/tests/t_iprop.py | 1 -
6 files changed, 29 insertions(+), 21 deletions(-)
diff --git a/doc/admin/admin_commands/kadmind.rst b/doc/admin/admin_commands/kadmind.rst
index 88f5566..acf25e3 100644
--- a/doc/admin/admin_commands/kadmind.rst
+++ b/doc/admin/admin_commands/kadmind.rst
@@ -53,8 +53,9 @@ and policy updates incrementally instead of receiving full dumps of
the database. This facility can be enabled in the :ref:`kdc.conf(5)`
file with the **iprop_enable** option. Incremental propagation
requires the principal ``kiprop/MASTER\@REALM`` (where MASTER is the
-master KDC's canonical host name, and REALM the realm name) to be
-registered in the database.
+master KDC's canonical host name, and REALM the realm name). In
+release 1.13, this principal is automatically created and registered
+into the datebase.
OPTIONS
diff --git a/doc/admin/database.rst b/doc/admin/database.rst
index 0d8bfa5..c7abc1b 100644
--- a/doc/admin/database.rst
+++ b/doc/admin/database.rst
@@ -805,7 +805,9 @@ Both master and slave sides must have a principal named
``kiprop/hostname`` (where *hostname* is the lowercase,
fully-qualified, canonical name for the host) registered in the
Kerberos database, and have keys for that principal stored in the
-default keytab file (|keytab|).
+default keytab file (|keytab|). In release 1.13, the
+``kiprop/hostname`` principal is created automatically for the master
+KDC, but it must still be created for slave KDCs.
On the master KDC side, the ``kiprop/hostname`` principal must be
listed in the kadmind ACL file :ref:`kadm5.acl(5)`, and given the
diff --git a/src/kadmin/dbutil/kadm5_create.c b/src/kadmin/dbutil/kadm5_create.c
index fffc64d..159a419 100644
--- a/src/kadmin/dbutil/kadm5_create.c
+++ b/src/kadmin/dbutil/kadm5_create.c
@@ -145,7 +145,7 @@ int kadm5_create_magic_princs(kadm5_config_params *params,
static int add_admin_princs(void *handle, krb5_context context, char *realm)
{
krb5_error_code ret = 0;
- char *service_name = 0, *p;
+ char *service_name = 0, *kiprop_name = 0, *p;
char localname[MAXHOSTNAMELEN];
struct addrinfo *ai, ai_hints;
int gai_error;
@@ -191,6 +191,12 @@ static int add_admin_princs(void *handle, krb5_context context, char *realm)
freeaddrinfo(ai);
goto clean_and_exit;
}
+ if (asprintf(&kiprop_name, "kiprop/%s", ai->ai_canonname) < 0) {
+ ret = ENOMEM;
+ fprintf(stderr, _("Out of memory\n"));
+ freeaddrinfo(ai);
+ goto clean_and_exit;
+ }
freeaddrinfo(ai);
if ((ret = add_admin_princ(handle, context,
@@ -212,8 +218,11 @@ static int add_admin_princs(void *handle, krb5_context context, char *realm)
CHANGEPW_LIFETIME)))
goto clean_and_exit;
+ ret = add_admin_princ(handle, context, kiprop_name, realm, 0, 0);
+
clean_and_exit:
free(service_name);
+ free(kiprop_name);
return ret;
}
@@ -253,6 +262,7 @@ int add_admin_princ(void *handle, krb5_context context,
char *fullname;
krb5_error_code ret;
kadm5_principal_ent_rec ent;
+ long flags;
memset(&ent, 0, sizeof(ent));
@@ -268,9 +278,10 @@ int add_admin_princ(void *handle, krb5_context context,
ent.max_life = lifetime;
ent.attributes = attrs;
- ret = kadm5_create_principal(handle, &ent,
- (KADM5_PRINCIPAL | KADM5_MAX_LIFE |
- KADM5_ATTRIBUTES), NULL);
+ flags = KADM5_PRINCIPAL | KADM5_ATTRIBUTES;
+ if (lifetime)
+ flags |= KADM5_MAX_LIFE;
+ ret = kadm5_create_principal(handle, &ent, flags, NULL);
if (ret && ret != KADM5_DUP) {
com_err(progname, ret, _("while creating principal %s"), fullname);
krb5_free_principal(context, ent.principal);
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
index 4cbb57c..4d30700 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
@@ -371,6 +371,13 @@ create_special_princs(krb5_context context, krb5_principal master_princ,
if (ret)
return ret;
+ /* Create kiprop/<hostname>. */
+ rblock.max_life = global_params.max_life;
+ rblock.flags = 0;
+ ret = create_hostbased_special(context, &rblock, mkey, "kiprop");
+ if (ret)
+ return ret;
+
/* Create kadmin/changepw. */
rblock.max_life = CHANGEPW_LIFETIME;
rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED | KRB5_KDB_PWCHANGE_SERVICE;
diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp
index 5d4bcfc..0c7a0c7 100644
--- a/src/tests/dejagnu/config/default.exp
+++ b/src/tests/dejagnu/config/default.exp
@@ -1254,7 +1254,7 @@ proc setup_kerberos_db { standalone } {
}
# Add an incremental-propagation service.
- set test "kadmin.local ank kiprop/$hostname"
+ set test "kadmin.local ank krbtest/fast"
set body {
if $failall {
break
@@ -1264,18 +1264,6 @@ proc setup_kerberos_db { standalone } {
expect_after $def_exp_after
expect "kadmin.local: "
- send "ank kiprop/$hostname@$REALMNAME\r"
- # It echos...
- expect "ank kiprop/$hostname@$REALMNAME\r"
- expect "Enter password for principal \"kiprop/$hostname@$REALMNAME\":"
- send "kiproppass$KEY\r"
- expect "Re-enter password for principal \"kiprop/$hostname@$REALMNAME\":"
- send "kiproppass$KEY\r"
- expect {
- "Principal \"kiprop/$hostname@$REALMNAME\" created" { }
- "Principal or policy already exists while creating*" { }
- }
- expect "kadmin.local: "
send "ank +requires_preauth krbtest/fast@$REALMNAME\r"
expect "Enter password for principal \"krbtest/fast@$REALMNAME\":"
send "adminpass$KEY\r"
diff --git a/src/tests/t_iprop.py b/src/tests/t_iprop.py
index d08081c..51e18a8 100644
--- a/src/tests/t_iprop.py
+++ b/src/tests/t_iprop.py
@@ -153,7 +153,6 @@ if not os.path.exists(ulog):
# Create the principal used to authenticate kpropd to kadmind.
kiprop_princ = 'kiprop/' + hostname
-realm.addprinc(kiprop_princ)
realm.extract_keytab(kiprop_princ, realm.keytab)
# Create the initial slave1 and slave2 databases.
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
