[2081] in Kerberos-V5-bugs
K5b6 and kadmind5
daemon@ATHENA.MIT.EDU (Doug Engert)
Mon Jul 8 14:48:00 1996
Date: Mon, 8 Jul 1996 13:47:43 -0500
From: Doug Engert <DEEngert@anl.gov>
To: krb5-bugs@MIT.EDU
The ./kadmin/v5server/srv_main.c program leaves the "s:" out of the
getopt_string in two places, which means kadmind5 does not accept the -s
option.
------- srv_main.c -------
48c48
< static const char *getopt_string = "a:d:e:k:l:mnp:r:t:D:M:T:";
---
> static const char *getopt_string = "a:d:e:k:l:mnp:r:s:t:D:M:T:";
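Review bot: The same option string is defined twice (48 and 51, differing only in the `l:` fragment), and each copy has to be edited by hand, which is exactly how `s:` went missing from both. Assuming the two definitions sit under a build-time conditional (not visible here), the shared text could be written once and only the `l:` piece placed under the conditional, so a future option is added in one place. The 51c51 hunk has the same duplication.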
51c51
< static const char *getopt_string = "a:d:e:k:mnp:r:t:D:M:T:";
---
> static const char *getopt_string = "a:d:e:k:mnp:r:s:t:D:M:T:";
As you already know, I am most interested in using the DCE security
registry as the KDC with unmodified MIT clients, and slightly modified MIT
daemons such as krlogind.
One of the unmodified clients is the new kpasswd and the Windows
CNS.EXE, which need to communicate with the kadmind5 daemon or another
similar daemon that can update the DCE security database.
I don't expect you to accept this modification to proto_serv.c as is,
but I am sending it to let you know what I and others are up to. You
may want to consider similar functionality in the future.
In our case we don't need the K5b6 database, only the DCE database.
Other sites may wish to do similar things, i.e. Sandia has a K5.2
database and a DCE database and has code to update both when a kpasswd
is issued. Another site wants to keep an AFS database in sync.
The bulk of this modification in effect turns off most of the
functionality of kadmind5, but it still accepts the change-password command. It
then issues a DCE dcecp command on the user's behalf to change his
password. DCE then applies its own password checking rules, etc.
It still requires a dummy database and a stashed master
password. The database is created by kdb5_create without any extra
entries. It's crude, but it will work. I have tried it on HPUX 10.0 and
AIX 4.1.4, and have built it for Solaris 2.4.
*** ./kadmin/v5server/,proto_serv.c Thu Aug 17 12:55:24 1995
--- ./kadmin/v5server/proto_serv.c Tue Jul 2 14:24:38 1996
***************
*** 35,40 ****
--- 35,44 ----
#include "adm.h"
#include "adm_proto.h"
#include <setjmp.h>
+ #ifdef ANL_DCE
+ #include <sys/wait.h>
+ #include <fcntl.h>
+ #endif
static const char *proto_addrs_msg = "\004%d: cannot get memory for addresses";
static const char *proto_rcache_msg = "\004%d: cannot get replay cache";
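Review bot: The new includes bring in the wait macros but not the process primitives the ANL_DCE block uses later (pipe(), fork(), dup(), close() and execl() in the hunk at 401,406), which come from `<unistd.h>`, while nothing in the added code uses `<fcntl.h>`. Unless proto_serv.c already pulls in unistd.h somewhere outside these hunks, add `#include <unistd.h>` next to `<sys/wait.h>` and drop the fcntl.h line. A short comment on the `#ifdef ANL_DCE`, e.g. `/* ANL_DCE: password changes are delegated to a dcecp child process */`, would tell a reader why process headers appear in a protocol file.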
***************
*** 378,389 ****
--- 382,395 ----
if (num_args == 2) {
DPRINT(DEBUG_REQUESTS, proto_debug_level,
("> %d:CHECKPW command syntax OK\n", my_id));
+ #ifndef ANL_DCE
cmd_error = passwd_check(kcontext,
proto_debug_level,
auth_context,
ticket,
&arglist[1],
&err_aux);
+ #endif /* ANL_DCE */
}
else {
DPRINT(DEBUG_REQUESTS, proto_debug_level,
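Review bot: With ANL_DCE defined, the CHECKPW branch no longer assigns cmd_error, so the reply carries whatever cmd_error held before this point (its prior assignment is outside the hunk) and the client receives an answer unrelated to its password. Either give the excluded case an explicit result, e.g. `#else` / `cmd_error = KRB5_ADM_CMD_UNKNOWN;` (or whichever KRB5_ADM_* code the protocol expects) ahead of the `#endif`, or at least put `/* password checking is not supported against the DCE registry */` on the `#ifndef`. The enclosing command dispatcher starts outside this hunk.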
***************
*** 401,406 ****
--- 407,491 ----
if (num_args == 3) {
DPRINT(DEBUG_REQUESTS, proto_debug_level,
("> %d:CHANGEPW command syntax OK\n", my_id));
+ #ifdef ANL_DCE
+ {
+ char cmdbuf[BUFSIZ];
+ char *namep = NULL;
+ char *cp;
+ krb5_principal princp = NULL;
+ int fd[2];
+ FILE *fpout;
+ #ifdef WAIT_USES_INT
+ int wait_status;
+ #else /* WAIT_USES_INT */
+ union wait wait_status;
+ #endif /* WAIT_USES_INT */
+
+
+ if (cmd_error = krb5_copy_principal(kcontext,
+ ticket->enc_part2->client,
+ &princp))
+ goto dce_cleanup;
+
+ if (cmd_error = krb5_unparse_name(kcontext, princp, &namep))
+ goto dce_cleanup;
+
+ if ((cp = strchr(namep,'@')))
+ *cp++ = '\0'; /* seperate realm name for DCE */
+
+
+ if ((ticket->enc_part2->flags & TKT_FLG_INITIAL) == 0) {
+ err_aux = KADM_BAD_ARGS;
+ cmd_error = KRB5_ADM_NOT_IN_TKT;
+ goto dce_cleanup;
+ }
+
+ if (pipe(fd) == -1) {
+ cmd_error = KRB5_ADM_CMD_UNKNOWN;
+ goto dce_cleanup;
+ }
+ if (fork() == 0) { /* child process */
+ close(0); /* close stdin */
+ dup(fd[0]); /* point stdin at pipe here */
+ close(fd[1]); /* don't use end of pipe here */
+ close(fd[0]); /* pipe now as stdin */
+ /* could close 1, 2. output to out stdout */
+ execl("/usr/bin/dcecp", "dcecp", (char *)0);
+ exit(127); /* incase execl fails */
+ }
+ fpout = fdopen(fd[1],"w");
+ fprintf(fpout, "login %s -password %s\n",
+ namep, arglist[1].data);
+ fprintf(fpout,
+ "account modify %s -mypwd %s -password %s\n",
+ namep, arglist[1].data, arglist[2].data);
+ fclose(fpout);
+ #ifdef HAVE_WAITPID
+ waitpid((pid_t) -1, &wait_status, WNOHANG);
+ #else /* HAVE_WAITPID */
+ wait3(&wait_status, WNOHANG, (struct rusage *) NULL);
+ #endif /* HAVE_WAITPID */
+ if (WIFEXITED(wait_status)){
+ if (WEXITSTATUS(wait_status) == 0)
+ cmd_error = 0;
+ }
+ else
+ cmd_error = KRB5_ADM_CANT_CHANGE;
+ #if 0
+ sprintf(cmdbuf,"/krb5/sbin/dcecpcpw %s %s %s",
+ namep, arglist[1].data, arglist[2].data);
+
+ if (system(cmdbuf))
+ cmd_error = KRB5_ADM_CANT_CHANGE;
+ #endif
+
+ dce_cleanup:
+ if (namep)
+ krb5_xfree(namep);
+ if (princp)
+ krb5_free_principal(kcontext, princp);
+ }
+ #else
cmd_error = passwd_change(kcontext,
proto_debug_level,
auth_context,
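Review bot: The CHANGEPW result under ANL_DCE is effectively indeterminate: `waitpid((pid_t) -1, &wait_status, WNOHANG)` at 132 (or the wait3 at 134) runs right after fclose() and will normally return before the child has exited, so wait_status, declared without an initializer at 87/89, is never written and the WIFEXITED test at 136 reads garbage; a pid of -1 would also reap any other child rather than the dcecp one. In addition fork() at 115 is unchecked (a -1 return takes the parent path), fd[0] is never closed in the parent so one descriptor leaks per request, and fdopen() at 124 is unchecked. The lines below keep the child's pid, close the unused pipe end, wait for that child without WNOHANG, and use `_exit` after a failed execl; the `#if 0` block at 142-148 (system() with passwords on a command line, and the otherwise unused cmdbuf) should be deleted rather than kept. Separately, namep and both passwords are written unquoted into the dcecp script at 125-129, so a value containing whitespace or a newline changes how dcecp parses the commands; quote them according to dcecp's syntax or reject such values before writing. The enclosing command dispatcher starts and ends outside this hunk.
```c
    pid_t pid;
    /* … unchanged: principal copy/unparse, TKT_FLG_INITIAL check, pipe() … */
    pid = fork();
    if (pid == -1) {
        close(fd[0]);
        close(fd[1]);
        cmd_error = KRB5_ADM_CANT_CHANGE;
        goto dce_cleanup;
    }
    if (pid == 0) { /* child process */
        /* … unchanged: dup fd[0] onto stdin, close pipe ends, execl dcecp … */
        _exit(127); /* in case execl fails; no stdio flush in the child */
    }
    close(fd[0]); /* parent only writes; this end would otherwise leak per request */
    fpout = fdopen(fd[1], "w");
    if (fpout == NULL) {
        close(fd[1]);
        cmd_error = KRB5_ADM_CANT_CHANGE;
        goto dce_cleanup;
    }
    /* … unchanged: the two fprintf() lines feeding dcecp … */
    fclose(fpout); /* closes fd[1]; child sees EOF on stdin and exits */
    {
        int reaped;
#ifdef HAVE_WAITPID
        reaped = (waitpid(pid, &wait_status, 0) == pid);
#else /* HAVE_WAITPID */
        reaped = (wait3(&wait_status, 0, (struct rusage *) NULL) == pid);
#endif /* HAVE_WAITPID */
        /* wait_status is only meaningful once this child has been reaped */
        cmd_error = (reaped && WIFEXITED(wait_status)
                     && WEXITSTATUS(wait_status) == 0)
            ? 0 : KRB5_ADM_CANT_CHANGE;
    }
    /* … unchanged: dce_cleanup label, krb5_xfree / krb5_free_principal … */
```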
***************
*** 408,413 ****
--- 493,499 ----
&arglist[1],
&arglist[2],
&err_aux);
+ #endif
}
else {
DPRINT(DEBUG_REQUESTS, proto_debug_level,
***************
*** 416,421 ****
--- 502,508 ----
err_aux = KADM_BAD_ARGS;
}
}
+ #ifndef ANL_DCE
#ifdef MOTD_SUPPORTED
else if (!strcasecmp(arglist[0].data, KRB5_ADM_MOTD_CMD)) {
/*
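Review bot: The `#ifndef ANL_DCE` added at 502 carries no comment, and its matching `#endif /* ANL_DCE */` sits roughly 300 lines away at 806 (the hunk at 719,724), so a reader at either end cannot tell that every command from MOTD through the last `else if` is compiled out of the DCE build and lands in the UNKNOWN branch at 808. Suggest `#ifndef ANL_DCE /* DCE build: only CHECKPW and CHANGEPW are served; other commands report UNKNOWN */` at 502 and the same wording on the `#endif`. The excluded command list itself is outside these hunks.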
***************
*** 719,724 ****
--- 806,812 ----
err_aux = KADM_BAD_ARGS;
}
}
+ #endif /* ANL_DCE */
else {
DPRINT(DEBUG_REQUESTS, proto_debug_level,
("> %d:UNKNOWN command %s\n", my_id,
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(708) 252-5444
PGP Key fingerprint = 20 2B 0C 78 43 8A 9C A6 29 F7 A3 6D 5E 30 A6 7F