/svn/moira r4092 - in trunk/moira: gen incremental/afs incremental/ldap incremental/winad server update
daemon@ATHENA.MIT.EDU (Garry Zacheiss)
Fri Jan 18 10:36:40 2013
Date: Fri, 18 Jan 2013 10:36:33 -0500
From: Garry Zacheiss <zacheiss@MIT.EDU>
Message-Id: <201301181536.r0IFaXMx029546@drugstore.mit.edu>
To: moira-commits@MIT.EDU
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Author: zacheiss
Date: 2013-01-18 10:36:33 -0500 (Fri, 18 Jan 2013)
New Revision: 4092
Modified:
trunk/moira/gen/acl.pc
trunk/moira/gen/cups-print.pc
trunk/moira/gen/genacl.pc
trunk/moira/incremental/afs/afs.c
trunk/moira/incremental/ldap/setpw.c
trunk/moira/incremental/ldap/winad.c
trunk/moira/incremental/winad/setpw.c
trunk/moira/server/mr_sauth.c
trunk/moira/update/auth_003.c
Log:
Begin using krb5-style strings for KERBEROS list members, etc. Convert to krb4 where needed (AFS, Discuss).
Modified: trunk/moira/gen/acl.pc
===================================================================
--- trunk/moira/gen/acl.pc 2013-01-18 15:35:41 UTC (rev 4091)
+++ trunk/moira/gen/acl.pc 2013-01-18 15:36:33 UTC (rev 4092)
@@ -106,9 +106,7 @@
*/
out = tarfile_start(tf, target, 0644, 0, 0, "root", "root", now);
- if (!strcasecmp(kind, "kerberos4"))
- dump_krb_acl(out, "LIST", lid, 4);
- else if (!strcasecmp(kind, "kerberos5"))
+ if (!strcasecmp(kind, "kerberos5"))
dump_krb_acl(out, "LIST", lid, 5);
else if (!strcasecmp(kind, "access"))
dump_access_file(out, lid);
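Review bot: With the `kerberos4` arm removed, a list whose acl kind is still recorded as `kerberos4` matches none of the remaining `strcasecmp` branches and gets an empty `out` entry with no diagnostic, unless a trailing `else` outside the hunk handles it. A silently empty ACL is hard to notice from the consumer side, so a terminal `else` that logs the unsupported kind (and the list id) is worth adding here, e.g. `else fprintf(stderr, "acl: unsupported kind %s for list %d\n", kind, lid);` adapted to whatever logging this generator uses. The enclosing function starts and ends outside the hunk.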
Modified: trunk/moira/gen/cups-print.pc
===================================================================
--- trunk/moira/gen/cups-print.pc 2013-01-18 15:35:41 UTC (rev 4091)
+++ trunk/moira/gen/cups-print.pc 2013-01-18 15:36:33 UTC (rev 4092)
@@ -21,6 +21,8 @@
#include <time.h>
#ifdef HAVE_KRB4
#include <krb.h>
+#else
+#include <mr_krb.h>
#endif
#include <krb5.h>
Modified: trunk/moira/gen/genacl.pc
===================================================================
--- trunk/moira/gen/genacl.pc 2013-01-18 15:35:41 UTC (rev 4091)
+++ trunk/moira/gen/genacl.pc 2013-01-18 15:36:33 UTC (rev 4092)
@@ -93,9 +93,7 @@
break;
case 'K':
- /* We assume we have a krb4-style namespace. If we want a krb5 acl, we need to
- * krb5_425_conv_principal() on it. For krb4, do nothing special.
- */
+
at = strchr(m->name, '@');
if (!at)
at = strchr(m->name, '\0');
@@ -107,45 +105,36 @@
snprintf(kbuf + plen, len - plen, "@%s", defaultrealm);
}
- if (vers == 5)
+ /* Assume a v5 namespace, convert if krb4 requested. */
+ if (vers == 4)
{
- char name[ANAME_SZ] = "\0", inst[INST_SZ] = "\0", realm[REALM_SZ] = "\0";
- char *kuser = NULL;
krb5_context context = NULL;
- krb5_principal client = NULL;
- int status = 0;
+ krb5_principal client = NULL;
+ int status = 0;
+ char name[ANAME_SZ], inst[INST_SZ], realm[REALM_SZ];
- if (mr_kname_parse(name, inst, realm, kbuf) != 0)
- goto out;
-
status = krb5_init_context(&context);
- if (status)
- goto out;
+ if (status)
+ goto out;
- status = krb5_425_conv_principal(context, name, inst, realm, &client);
+ status = krb5_parse_name(context, kbuf, &client);
if (status)
goto out;
- status = krb5_unparse_name(context, client, &kuser);
+ status = krb5_524_conv_principal(context, client, name, inst, realm);
if (status)
goto out;
- strncpy(buf, kuser, MAX_K_NAME_SZ);
- buf[MAX_K_NAME_SZ - 1] = '\0';
+ snprintf(buf, len, "%s", mr_kname_unparse(name, inst, realm));
out:
- if (kuser)
- krb5_free_unparsed_name(context, kuser);
if (client)
krb5_free_principal(context, client);
if (context)
krb5_free_context(context);
}
else
- {
- /* v4 output, and we should already have added a realm. */
- snprintf(buf, len, "%s", kbuf);
- }
+ snprintf(buf, len, "%s", kbuf);
break;
}
}
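Review bot: Every failure path in the new `vers == 4` branch jumps to `out:` without writing `buf` or reporting `status`, so a member that `krb5_parse_name` or `krb5_524_conv_principal` rejects (a principal with more than two components, for instance) leaves `buf` holding whatever it held before and the caller emits that unchanged. Initialise the output before converting, `buf[0] = '\0';`, and at `out:` report a non-zero `status` through whatever logging this generator uses, so that ACL members dropped by the v4 conversion show up in the generator log rather than vanishing. `name`, `inst` and `realm` are only read after `krb5_524_conv_principal` succeeds, so leaving them uninitialised is fine. The enclosing function starts outside the hunk.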
Modified: trunk/moira/incremental/afs/afs.c
===================================================================
--- trunk/moira/incremental/afs/afs.c 2013-01-18 15:35:41 UTC (rev 4091)
+++ trunk/moira/incremental/afs/afs.c 2013-01-18 15:36:33 UTC (rev 4092)
@@ -23,6 +23,8 @@
#include <com_err.h>
#ifdef HAVE_KRB4
#include <krb.h>
+#else
+#include <mr_krb.h>
#endif
#include <krb5.h>
@@ -581,6 +583,9 @@
static char *local_realm = NULL;
struct member *m;
krb5_context context = NULL;
+ krb5_principal client = NULL;
+ char name[ANAME_SZ], inst[INST_SZ], realm[REALM_SZ];
+ char canon_member[MAX_K_NAME_SZ];
/* The following KERBEROS code allows for the use of entities
* user@foreign_cell.
@@ -598,6 +603,18 @@
if (!strcmp(type, "KERBEROS"))
{
+ /* AFS still uses a v4-style namespace, so convert. */
+ code = krb5_parse_name(context, member, &client);
+ if (code)
+ goto out;
+
+ code = krb5_524_conv_principal(context, client, name, inst, realm);
+ if (code)
+ goto out;
+
+ strcpy(canon_member, mr_kname_unparse(name, inst, realm));
+ member = canon_member;
+
p = strchr(member, '@');
if (p && !strcasecmp(p+1, local_realm))
*p = 0;
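Review bot: `strcpy(canon_member, mr_kname_unparse(name, inst, realm))` copies an unbounded string into the fixed `canon_member[MAX_K_NAME_SZ]`; a principal whose name, instance and realm are all at their maximum lengths unparses to `ANAME_SZ + INST_SZ + REALM_SZ - 1` characters plus the terminator, which may exceed `MAX_K_NAME_SZ` depending on how the header in use defines it. Use the bounded form `snprintf(canon_member, sizeof canon_member, "%s", mr_kname_unparse(name, inst, realm));` and treat a truncated result as a failure rather than passing a partial principal on. `client` is released only at `out:`, so if the enclosing function (which starts and ends outside the hunk) can reach this block more than once per call, each earlier principal leaks; freeing it right after `krb5_524_conv_principal` and resetting it to NULL avoids that. The two `goto out` paths also drop the member silently unless `out:` reports `code`.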
@@ -669,6 +686,8 @@
}
out:
+ if (client)
+ krb5_free_principal(context, client);
if (context)
krb5_free_context(context);
if (local_realm)
Modified: trunk/moira/incremental/ldap/setpw.c
===================================================================
--- trunk/moira/incremental/ldap/setpw.c 2013-01-18 15:35:41 UTC (rev 4091)
+++ trunk/moira/incremental/ldap/setpw.c 2013-01-18 15:36:33 UTC (rev 4092)
@@ -46,7 +46,6 @@
#define NEED_SOCKETS
#include <krb5.h>
-#include <krb.h>
#include <stdio.h>
/* #include "changepasswd.h" */
#include <sys/timeb.h>
Modified: trunk/moira/incremental/ldap/winad.c
===================================================================
--- trunk/moira/incremental/ldap/winad.c 2013-01-18 15:35:41 UTC (rev 4091)
+++ trunk/moira/incremental/ldap/winad.c 2013-01-18 15:36:33 UTC (rev 4092)
@@ -5995,7 +5995,7 @@
static int illegalchars[] = {
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* ^@ - ^O */
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* ^P - ^_ */
- 1, 1, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0, 1, /* SPACE - / */
+ 1, 1, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0, 0, /* SPACE - / */
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, /* 0 - ? */
0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* @ - O */
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, /* P - _ */
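Review bot: Flipping the last cell of the `SPACE - /` row makes `/` an accepted character in `illegalchars`, and the second hunk in this file does the same for `illegalchars_ldap`. That is needed for krb5 principal strings of the form `user/instance@REALM`, but if `illegalchars` also screens values that end up as a `sAMAccountName` or CN, `/` is to my knowledge still rejected by Active Directory for `sAMAccountName`, so the relaxation should be confined to the KERBEROS member check or the name rewritten before the AD attribute is built; the callers are outside the hunk, so this needs confirming. Either way a single changed cell in a 256-entry table deserves a comment on the row, `/* '/' is allowed so krb5 principal names (user/instance@REALM) pass. */`, in both tables.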
@@ -6014,7 +6014,7 @@
static int illegalchars_ldap[] = {
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* ^@ - ^O */
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* ^P - ^_ */
- 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1, /* SPACE - / */
+ 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, /* SPACE - / */
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1, /* 0 - ? */
0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /* @ - O */
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 0, /* P - _ */
Modified: trunk/moira/incremental/winad/setpw.c
===================================================================
--- trunk/moira/incremental/winad/setpw.c 2013-01-18 15:35:41 UTC (rev 4091)
+++ trunk/moira/incremental/winad/setpw.c 2013-01-18 15:36:33 UTC (rev 4092)
@@ -46,7 +46,6 @@
#define NEED_SOCKETS
#include <krb5.h>
-#include <krb.h>
#include <stdio.h>
#include <sys/timeb.h>
#include <string.h>
Modified: trunk/moira/server/mr_sauth.c
===================================================================
--- trunk/moira/server/mr_sauth.c 2013-01-18 15:35:41 UTC (rev 4091)
+++ trunk/moira/server/mr_sauth.c 2013-01-18 15:36:33 UTC (rev 4092)
@@ -196,7 +196,7 @@
krb5_auth_context auth_con = NULL;
krb5_principal server = NULL, client = NULL;
krb5_ticket *ticket;
- char name[ANAME_SZ], inst[INST_SZ], realm[REALM_SZ];
+ char *pname = NULL, *name = NULL, *instance = NULL, *realm = NULL;
int status;
ticket = NULL;
@@ -238,17 +238,34 @@
goto out;
}
- /* Always convert to krb4 style principal name for now. */
- status = krb5_524_conv_principal(context, client, name, inst, realm);
+ status = krb5_unparse_name(context, client, &pname);
if (status)
{
client_reply(cl, status);
- com_err(whoami, status, " (krb5_524_conv_principal failed)");
+ com_err(whoami, status, " (krb5_unparse_name failed)");
goto out;
}
- status = set_client(cl, mr_kname_unparse(name, inst, realm), name, inst,
- realm);
+ name = xmalloc(krb5_princ_component(context, client, 0)->length + 1);
+ strncpy(name, krb5_princ_component(context, client, 0)->data,
+ krb5_princ_component(context, client, 0)->length);
+ name[krb5_princ_component(context, client, 0)->length] = '\0';
+
+ if (krb5_princ_size(context, client) > 1)
+ {
+ instance = xmalloc(krb5_princ_component(context, client, 1)->length + 1);
+ strncpy(instance, krb5_princ_component(context, client, 1)->data,
+ krb5_princ_component(context, client, 1)->length);
+ instance[krb5_princ_component(context, client, 1)->length] = '\0';
+ }
+
+ realm = xmalloc(krb5_princ_realm(context, client)->length + 1);
+ strncpy(realm, krb5_princ_realm(context, client)->data,
+ krb5_princ_realm(context, client)->length);
+ realm[krb5_princ_realm(context, client)->length] = '\0';
+
+ status = set_client(cl, pname, name, instance, realm);
+
strncpy(cl->entity, cl->req.mr_argv[1], sizeof(cl->entity) - 1);
cl->entity[sizeof(cl->entity) - 1] = 0;
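Review bot: `instance` stays NULL for a one-component principal and is handed to `set_client` as is, whereas the old code always passed a (possibly empty) `inst` string; unless `set_client` and everything downstream of `cl` tolerate a NULL instance, that is a crash waiting on the first single-component login, so allocate an empty string in the `else` case. A principal with more than two components is silently reduced to its first two for `name`/`instance` while `pname` keeps the full name, so any authorization keyed on name/instance would treat `a/b/c@R` as `a/b@R`; rejecting `krb5_princ_size` outside 1..2 up front keeps the two views consistent. Repeating `krb5_princ_component(context, client, N)` four times per field is also hard to read and these MIT-private accessors are, as far as I know, deprecated in current MIT headers and absent in Heimdal, so a small helper that copies one `krb5_data` is worth extracting. The enclosing function starts and ends outside the hunk.
```c
/* Copy a (not NUL-terminated) krb5_data into a freshly xmalloc'd C string. */
static char *krb5_data_to_str(const krb5_data *d)
{
  char *s = xmalloc(d->length + 1);
  memcpy(s, d->data, d->length);
  s[d->length] = '\0';
  return s;
}

  /* … unchanged: krb5_unparse_name(context, client, &pname) and its error check … */
  ncomp = krb5_princ_size(context, client);
  if (ncomp < 1 || ncomp > 2)
    {
      /* Do not silently truncate a principal that has no name[/instance] form. */
      status = MR_USER_AUTH; /* PLACEHOLDER: use the project's auth-failure code */
      client_reply(cl, status);
      com_err(whoami, status, " (unexpected principal with %d components)", ncomp);
      goto out;
    }
  name = krb5_data_to_str(krb5_princ_component(context, client, 0));
  if (ncomp > 1)
    instance = krb5_data_to_str(krb5_princ_component(context, client, 1));
  else
    {
      instance = xmalloc(1);
      instance[0] = '\0';
    }
  realm = krb5_data_to_str(krb5_princ_realm(context, client));
  status = set_client(cl, pname, name, instance, realm);
```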
@@ -261,6 +278,14 @@
client_reply(cl, MR_USER_AUTH);
out:
+ if (realm)
+ free(realm);
+ if (instance)
+ free(instance);
+ if (name)
+ free(name);
+ if (pname)
+ krb5_free_unparsed_name(context, pname);
if (client)
krb5_free_principal(context, client);
if (server)
Modified: trunk/moira/update/auth_003.c
===================================================================
--- trunk/moira/update/auth_003.c 2013-01-18 15:35:41 UTC (rev 4091)
+++ trunk/moira/update/auth_003.c 2013-01-18 15:36:33 UTC (rev 4092)
@@ -43,12 +43,11 @@
krb5_context context = NULL;
krb5_auth_context auth_con = NULL;
krb5_data auth;
- krb5_principal server = NULL, client = NULL;
+ krb5_principal server = NULL, client = NULL, allowed = NULL;
krb5_ticket *ticket;
- char *p, *first, *data;
+ char *p, *first, *data, *pname = NULL, *mname = NULL, *lrealm = NULL;
char name[ANAME_SZ], inst[INST_SZ], realm[REALM_SZ];
char aname[ANAME_SZ], ainst[INST_SZ], arealm[REALM_SZ];
- char *lrealm = NULL;
size_t size;
long code;
struct utsname uts;
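Review bot: `name`, `inst`, `realm` and `aname`, `ainst`, `arealm` remain declared although the code that filled them (`krb5_524_conv_principal`, `kname_parse`, the `strcpy` calls into aname/ainst/arealm) is removed in the later hunks of this file. Unless they are still referenced somewhere outside the hunks shown, drop both declarations; it avoids unused-variable noise and makes it visible that this function no longer depends on the v4 namespace. The enclosing function starts and ends outside the hunk.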
@@ -118,14 +117,6 @@
goto out;
}
- code = krb5_524_conv_principal(context, client, name, inst, realm);
- if (code)
- {
- com_err(whoami, code, "(krb5_524_conv_principal_failed)");
- send_int(conn, code);
- goto out;
- }
-
/* If there is an auth record in the config file matching the
* authenticator we received, then accept it. If there's no
* auth record, assume [master]@[local realm].
@@ -134,11 +125,18 @@
{
do
{
- kname_parse(aname, ainst, arealm, p);
- if (strcmp(aname, name) ||
- strcmp(ainst, inst) ||
- strcmp(arealm, realm))
- p = config_lookup("auth");
+ code = krb5_parse_name(context, p, &allowed);
+ if (code)
+ {
+ com_err(whoami, code, "(krb5_parse_name failed)");
+ send_int(conn, code);
+ goto out;
+ }
+ if (!krb5_principal_compare(context, client, allowed))
+ {
+ krb5_free_principal(context, allowed);
+ p = config_lookup("auth");
+ }
else
p = first;
}
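Review bot: When `krb5_principal_compare` fails, `allowed` is freed but not reset, so after the last non-matching config entry the loop exits with a dangling `allowed`; the `krb5_principal_compare(context, client, allowed)` that follows the loop in the next hunk then reads freed memory, and `out:` frees it a second time. The same dangling pointer is also passed to `krb5_parse_name` on the next iteration, which on failure leaves it untouched and again reaches the double free at `out:`. Change the body to `krb5_free_principal(context, allowed); allowed = NULL;` so that both the post-loop compare and the cleanup see a NULL. The loop condition and the rest of the enclosing function are outside the hunk.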
@@ -146,30 +144,58 @@
}
else
{
- strcpy(aname, master);
- strcpy(ainst, "");
+ mname = malloc(strlen(master) + 1);
+ if (!mname)
+ goto out;
+
+ strcpy(mname, master);
+
if (!krb5_get_default_realm(context, &lrealm))
- {
- strcpy(arealm, lrealm);
- }
+ {
+ mname = realloc(mname, strlen(master) + strlen(lrealm) + 2);
+ if (!mname)
+ goto out;
+ strncat(mname, "@", 1);
+ strncat(mname, lrealm, strlen(lrealm));
+ }
else
- strcpy(arealm, KRB_REALM);
+ {
+ mname = realloc(mname, strlen(master) + strlen(KRB_REALM) + 2);
+ if (!mname)
+ goto out;
+ strncat(mname, "@", 1);
+ strncat(mname, KRB_REALM, strlen(KRB_REALM));
+ }
+
+ code = krb5_parse_name(context, mname, &allowed);
+ free(mname);
+
+ if (code)
+ {
+ com_err(whoami, code, "(krb5_parse_name failed)");
+ send_int(conn, code);
+ goto out;
+ }
}
+
code = EPERM;
- if (strcmp(aname, name) ||
- strcmp(ainst, inst) ||
- strcmp(arealm, realm))
+ if (!krb5_principal_compare(context, client, allowed))
{
- com_err(whoami, code, "auth for %s.%s@%s failed", name, inst, realm);
+ krb5_unparse_name(context, client, &pname);
+ com_err(whoami, code, "auth for %s failed", pname);
send_int(conn, code);
goto out;
}
send_ok(conn);
have_authorization = 1;
-
+
out:
+ if (pname)
+ krb5_free_unparsed_name(context, pname);
if (lrealm)
free(lrealm);
+ if (allowed)
+ krb5_free_principal(context, allowed);
if (client)
krb5_free_principal(context, client);
if (server)
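Review bot: `mname = realloc(mname, ...)` overwrites the only pointer to the buffer, so on a failed realloc the original allocation leaks, and both `if (!mname) goto out;` paths jump out without setting `code` or calling `send_int`, so the peer is left without a reply. The `strncat(mname, lrealm, strlen(lrealm))` calls are plain `strcat` with extra work, and the whole malloc/realloc/strncat sequence is a single `snprintf` once the realm has been chosen. Separately, the return of `krb5_unparse_name` before `com_err(whoami, code, "auth for %s failed", pname)` is ignored, so a failure there passes a NULL `pname` to `%s`; guard it with `pname ? pname : "<unparseable principal>"`. The enclosing function starts outside the hunk.
```c
  else
    {
      /* No auth record in the config: accept [master]@[local realm]. */
      const char *r = KRB_REALM;
      size_t mlen;

      if (!krb5_get_default_realm(context, &lrealm))
        r = lrealm;
      mlen = strlen(master) + 1 + strlen(r) + 1;
      mname = malloc(mlen);
      if (!mname)
        {
          code = ENOMEM;
          com_err(whoami, code, "(allocating principal name)");
          send_int(conn, code);
          goto out;
        }
      snprintf(mname, mlen, "%s@%s", master, r);

      code = krb5_parse_name(context, mname, &allowed);
      free(mname);
      /* … unchanged: krb5_parse_name error check … */
    }
```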