[594] in Kerberos-V5-bugs
Using Aklog with Kerberos 5.4.1 to get an AFS Token
daemon@ATHENA.MIT.EDU (Doug Engert)
Fri Jul 22 17:37:15 1994
Date: Fri, 22 Jul 94 16:36:55 CDT
From: "Doug Engert" <DEEngert@anl.gov>
To: <krb5-bugs@MIT.EDU>
Cc: <auth-pilot@es.net>, <kerberos@MIT.EDU>
I would like to make the following suggestions for changes to the
krb425 routines, which make a conversion of aklog trivial for
use with Kerberos 5.4.1. It also allows aklog to be built without
the need for K4 libs or source.
o Last week I asked about an aklog for K5.4.1 and got the usual
response of run krb524init, then the old aklog. (This requires you to
have K4 built and the KDC responding to K4 requests, and leaves
a K4 tkt file around. This is not what I was looking for.)
o The week before, Ted explained the function of the krb425
routines, i.e. use the K4 API to simplify conversions of older routines,
but use K5 protocols and caches etc.
o On March 4, 1993, Barry Jaspan gave a hint "Replace the
'get_cred' function in aklog_param.c with a version that calls
krb5_get_credentials() followed by krb524_convert_creds()."
With these directions, it was trivial to get aklog to build
using krb5/include and krb5/include/kerberosIV and the
AFS libs and libkrb425.a, libkrb524.a, libdes425.a,
libkrb5.a, libcrypto.a, and libisode.a
Rather than put all the code into aklog_params, I put the
krb524_convert_creds into the lib/krb425/get_cred.c function, so it
will convert the credentials, including the encrypted parts which
it did not do before.
In addition to the modifications to get_cred.c, I also copied
debug_decl.c and krb_err_txt.c from K4 to lib/krb425
with imake file changes for these.
I also wrote a krb_get_tf_realm routine and stuck it on the end
of the get_cred.c since aklog needs to get the realm. It should
probably be a separate module.
The attached diff file has these changes to get_cred.c. Note the
test on the instance being a pointer to a null string. I ran into
a failure in the KDC in walk_rtree since the krb5_build_principal
routine added a zero length instance to the name, and this got
passed to walk_rtree, which could not handle it. Maybe
krb5_build_principal should check for this.
With the call to krb524_convert_creds_kdc much of the code in
get_cred.c is skipped by a #if 0.
We are using the AFS Kaserver for the K4 KDC. I have a real
kludge to admin/edit/kdb5_edit.c which will stuff the
AFS DES key into the afs@realm entry. If anyone wants this,
let me know.
Douglas E. Engert
Systems Programming
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(708) 252-5444
Internet: DEEngert@anl.gov
---------------------------------------------------------
*** ,get_cred.c Tue Jun 28 17:10:01 1994
--- get_cred.c Fri Jul 22 14:09:13 1994
***************
*** 46,55 ****
krb5_ticket *ticket;
memset((char *)&creds, 0, sizeof(creds));
if (r = krb5_build_principal(&creds.server,
strlen(realm), realm,
service,
! instance,
0)) {
return(krb425error(r));
}
--- 46,56 ----
krb5_ticket *ticket;
memset((char *)&creds, 0, sizeof(creds));
+ /* ANL - instance may be ptr to a null string. Pass null then */
if (r = krb5_build_principal(&creds.server,
strlen(realm), realm,
service,
! (instance && strlen(instance)) ? instance : 0,
0)) {
return(krb425error(r));
}
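Review bot: the `(instance && strlen(instance)) ? instance : 0` guard on the `krb5_build_principal` call works around the KDC `walk_rtree` failure in this one caller only; any other caller that hands `krb5_build_principal` a zero-length component still builds a principal the KDC cannot handle. As the cover note itself says, the check belongs in `krb5_build_principal` (or `walk_rtree`) so every caller benefits, and the ANL comment should state why a zero-length instance must not be passed, not just that one may arrive. While this call is being edited, `if (r = krb5_build_principal(` would read more safely as `if ((r = krb5_build_principal(...)) != 0)` so the assignment-in-condition is explicit.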
***************
*** 66,72 ****
r = krb5_get_credentials(0, _krb425_ccache, &creds);
if (r)
return(krb425error(r));
!
#ifdef EBUG
{
int i;
--- 67,79 ----
r = krb5_get_credentials(0, _krb425_ccache, &creds);
if (r)
return(krb425error(r));
!
! /* ANL - use krb524 to convert so it converts encrypted parts too */
! /* This requires krb524d to be running with the KDC */
! r = krb524_convert_creds_kdc(&creds, c);
! return(krb425error(r));
! /* ANL - skip the rest of this module, since krb524 does this */
! #if 0
#ifdef EBUG
{
int i;
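Review bot: the new `r = krb524_convert_creds_kdc(&creds, c);` followed by `return(krb425error(r));` makes everything after it unreachable, and the `#if 0` opened here is only closed in the next hunk, so the whole old K5-to-K4 conversion path stays in the file as dead code. Either delete it or put it behind a named build switch; `#if 0` blocks tend to rot silently. The comment that krb524d must be running beside the KDC is a deployment requirement, and a missing krb524d will surface only as whatever error `krb524_convert_creds_kdc` returns, so it should be documented in the module header or the aklog build notes rather than only in this inline comment.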
***************
*** 116,120 ****
--- 123,144 ----
decode_krb5_ticket(&creds.ticket, &ticket);
c->kvno = ticket->enc_part.kvno;
krb5_free_ticket(ticket);
+ return(KSUCCESS);
+ #endif /* ANL - skiping old stuff */
+ }
+
+ /* ANL - add krb_get_tf_realm here since it is used by aklog.
+ * Let MIT do it right
+ */
+ int krb_get_tf_realm(char *tktfile, char *realm)
+ {
+ static krb5_principal client_principal = 0;;
+
+ if (!_krb425_ccache)
+ krb5_cc_default(&_krb425_ccache);
+ if (!client_principal)
+ krb5_cc_get_principal(_krb425_ccache, &client_principal);
+
+ set_string(realm,REALM_SZ,krb5_princ_realm(client_principal));
return(KSUCCESS);
}
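Review bot: `krb_get_tf_realm` ignores the return values of `krb5_cc_default` and `krb5_cc_get_principal`; if either fails (no credentials cache, or a cache with no principal) `client_principal` stays 0 and `krb5_princ_realm(client_principal)` dereferences a null pointer instead of handing aklog an error. Check both results and return the mapped error through `krb425error` as the rest of this file does. The `tktfile` argument is accepted and never used, which the comment should say, and caching `client_principal` in a static means a change of credentials cache after the first call is never noticed. Minor: stray `;;` on `static krb5_principal client_principal = 0;;`, and "skiping" in the `#endif` comment.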
----------------------------------------------------------------------
*** ,aklog_param.c Fri Jul 15 13:35:26 1994
--- aklog_param.c Fri Jul 22 14:32:47 1994
***************
*** 62,73 ****
int status;
status = krb_get_cred(name, inst, realm, c);
- if (status != KSUCCESS) {
- status = get_ad_tkt(name, inst, realm, 255);
- if (status == KSUCCESS)
- status = krb_get_cred(name, inst, realm, c);
- }
return (status);
}
--- 62,83 ----
int status;
status = krb_get_cred(name, inst, realm, c);
+ /* ANL - all the K5 to K4 stuff is done in get_cred
+ * including the functions which used to be done by get_ad_tkt
+ * so we don't have to call get_ad_tkt then krb_get_cred
+ *
+ * By using the krb425 routines this is the only change needed
+ * to aklog to have it use the K5 protocols to get an AFS token.
+ * DEE 07/22/94
+ */
+
+ /* if (status != KSUCCESS) { */
+ /* status = get_ad_tkt(name, inst, realm, 255); */
+ /* if (status == KSUCCESS) */
+ /* status = krb_get_cred(name, inst, realm, c); */
+ /* } */
+
return (status);
}
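Review bot: the removed `get_ad_tkt` fallback survives as five `/* ... */` lines of commented-out code; the ANL comment block above already explains why it went away, so the dead lines add nothing and are also inconsistent with get_cred.c, which disabled its old path with `#if 0`. Delete them. The comment block could also note that, with the fallback gone, a failing `krb_get_cred` is now returned to the caller directly, so aklog's error reporting for this case comes from the K5 side.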
***************
*** 79,85 ****
char *realm;
#endif /* __STDC__ */
{
! return (krb_get_tf_realm(TKT_FILE, realm));
}
--- 89,96 ----
char *realm;
#endif /* __STDC__ */
{
! /* ANL for krb425 dont have TKT_FILE not used, so skip it */
! return (krb_get_tf_realm(/*TKT_FILE*/ 0 , realm));
}
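Review bot: the comment `/* ANL for krb425 dont have TKT_FILE not used, so skip it */` does not parse; say what is meant, for example `/* ANL: krb425 has no TKT_FILE and its krb_get_tf_realm ignores the argument */`. Passing the literal `0` with `/*TKT_FILE*/` beside it is only safe as long as the krb425 `krb_get_tf_realm` added in get_cred.c keeps ignoring its first parameter, so the two places should reference each other to keep that contract visible.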