2 * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "kadm5_locl.h"
35 #include <sys/types.h>
36 #ifdef HAVE_SYS_SOCKET_H
37 #include <sys/socket.h>
39 #ifdef HAVE_NETINET_IN_H
40 #include <netinet/in.h>
49 kadm5_c_lock(void *server_handle
)
55 kadm5_c_unlock(void *server_handle
)
61 set_funcs(kadm5_client_context
*c
)
63 #define SET(C, F) (C)->funcs.F = kadm5 ## _c_ ## F
64 SET(c
, chpass_principal
);
65 SET(c
, chpass_principal_with_key
);
66 SET(c
, create_principal
);
67 SET(c
, delete_principal
);
70 SET(c
, get_principal
);
71 SET(c
, get_principals
);
73 SET(c
, modify_principal
);
74 SET(c
, randkey_principal
);
75 SET(c
, rename_principal
);
81 _kadm5_c_init_context(kadm5_client_context
**ctx
,
82 kadm5_config_params
*params
,
88 *ctx
= malloc(sizeof(**ctx
));
91 memset(*ctx
, 0, sizeof(**ctx
));
92 krb5_add_et_list (context
, initialize_kadm5_error_table_r
);
94 (*ctx
)->context
= context
;
95 if(params
->mask
& KADM5_CONFIG_REALM
) {
97 (*ctx
)->realm
= strdup(params
->realm
);
98 if ((*ctx
)->realm
== NULL
)
101 ret
= krb5_get_default_realm((*ctx
)->context
, &(*ctx
)->realm
);
106 if(params
->mask
& KADM5_CONFIG_ADMIN_SERVER
)
107 (*ctx
)->admin_server
= strdup(params
->admin_server
);
111 ret
= krb5_get_krb_admin_hst (context
, &(*ctx
)->realm
, &hostlist
);
117 (*ctx
)->admin_server
= strdup(*hostlist
);
118 krb5_free_krbhst (context
, hostlist
);
121 if ((*ctx
)->admin_server
== NULL
) {
126 colon
= strchr ((*ctx
)->admin_server
, ':');
130 (*ctx
)->kadmind_port
= 0;
132 if(params
->mask
& KADM5_CONFIG_KADMIND_PORT
)
133 (*ctx
)->kadmind_port
= params
->kadmind_port
;
134 else if (colon
!= NULL
) {
137 (*ctx
)->kadmind_port
= htons(strtol (colon
, &end
, 0));
139 if ((*ctx
)->kadmind_port
== 0)
140 (*ctx
)->kadmind_port
= krb5_getportbyname (context
, "kerberos-adm",
145 static krb5_error_code
146 get_kadm_ticket(krb5_context context
,
148 krb5_principal client
,
149 const char *server_name
)
154 memset(&in
, 0, sizeof(in
));
156 ret
= krb5_parse_name(context
, server_name
, &in
.server
);
159 ret
= krb5_get_credentials(context
, 0, id
, &in
, &out
);
161 krb5_free_creds(context
, out
);
162 krb5_free_principal(context
, in
.server
);
166 static krb5_error_code
167 get_new_cache(krb5_context context
,
168 krb5_principal client
,
169 const char *password
,
170 krb5_prompter_fct prompter
,
172 const char *server_name
,
173 krb5_ccache
*ret_cache
)
177 krb5_get_init_creds_opt
*opt
;
180 ret
= krb5_get_init_creds_opt_alloc (context
, &opt
);
184 krb5_get_init_creds_opt_set_default_flags(context
, "kadmin",
185 krb5_principal_get_realm(context
,
190 krb5_get_init_creds_opt_set_forwardable (opt
, FALSE
);
191 krb5_get_init_creds_opt_set_proxiable (opt
, FALSE
);
193 if(password
== NULL
&& prompter
== NULL
) {
196 ret
= krb5_kt_default(context
, &kt
);
198 ret
= krb5_kt_resolve(context
, keytab
, &kt
);
200 krb5_get_init_creds_opt_free(context
, opt
);
203 ret
= krb5_get_init_creds_keytab (context
,
210 krb5_kt_close(context
, kt
);
212 ret
= krb5_get_init_creds_password (context
,
222 krb5_get_init_creds_opt_free(context
, opt
);
226 case KRB5_LIBOS_PWDINTR
: /* don't print anything if it was just C-c:ed */
227 case KRB5KRB_AP_ERR_BAD_INTEGRITY
:
228 case KRB5KRB_AP_ERR_MODIFIED
:
229 return KADM5_BAD_PASSWORD
;
233 ret
= krb5_cc_new_unique(context
, krb5_cc_type_memory
, NULL
, &id
);
236 ret
= krb5_cc_initialize (context
, id
, cred
.client
);
239 ret
= krb5_cc_store_cred (context
, id
, &cred
);
242 krb5_free_cred_contents (context
, &cred
);
248 * Check the credential cache `id´ to figure out what principal to use
249 * when talking to the kadmind. If there is a initial kadmin/admin@
250 * credential in the cache, use that client principal. Otherwise, use
251 * the client principals first component and add /admin to the
255 static krb5_error_code
256 get_cache_principal(krb5_context context
,
258 krb5_principal
*client
)
261 const char *name
, *inst
;
262 krb5_principal p1
, p2
;
264 ret
= krb5_cc_default(context
, id
);
270 ret
= krb5_cc_get_principal(context
, *id
, &p1
);
272 krb5_cc_close(context
, *id
);
277 ret
= krb5_make_principal(context
, &p2
, NULL
,
278 "kadmin", "admin", NULL
);
280 krb5_cc_close(context
, *id
);
282 krb5_free_principal(context
, p1
);
288 krb5_kdc_flags flags
;
291 memset(&in
, 0, sizeof(in
));
296 /* check for initial ticket kadmin/admin */
297 ret
= krb5_get_credentials_with_flags(context
, KRB5_GC_CACHED
, flags
,
299 krb5_free_principal(context
, p2
);
301 if (out
->flags
.b
.initial
) {
303 krb5_free_creds(context
, out
);
306 krb5_free_creds(context
, out
);
309 krb5_cc_close(context
, *id
);
312 name
= krb5_principal_get_comp_string(context
, p1
, 0);
313 inst
= krb5_principal_get_comp_string(context
, p1
, 1);
314 if(inst
== NULL
|| strcmp(inst
, "admin") != 0) {
315 ret
= krb5_make_principal(context
, &p2
, NULL
, name
, "admin", NULL
);
316 krb5_free_principal(context
, p1
);
330 _kadm5_c_get_cred_cache(krb5_context context
,
331 const char *client_name
,
332 const char *server_name
,
333 const char *password
,
334 krb5_prompter_fct prompter
,
337 krb5_ccache
*ret_cache
)
340 krb5_ccache id
= NULL
;
341 krb5_principal default_client
= NULL
, client
= NULL
;
343 /* treat empty password as NULL */
344 if(password
&& *password
== '\0')
346 if(server_name
== NULL
)
347 server_name
= KADM5_ADMIN_SERVICE
;
349 if(client_name
!= NULL
) {
350 ret
= krb5_parse_name(context
, client_name
, &client
);
357 ret
= krb5_cc_get_principal(context
, id
, &client
);
361 /* get principal from default cache, ok if this doesn't work */
363 ret
= get_cache_principal(context
, &id
, &default_client
);
366 * No client was specified by the caller and we cannot
367 * determine the client from a credentials cache.
371 user
= get_default_username ();
374 krb5_set_error_message(context
, KADM5_FAILURE
, "Unable to find local user name");
375 return KADM5_FAILURE
;
377 ret
= krb5_make_principal(context
, &default_client
,
378 NULL
, user
, "admin", NULL
);
386 * No client was specified by the caller, but we have a client
387 * from the default credentials cache.
389 if (client
== NULL
&& default_client
!= NULL
)
390 client
= default_client
;
393 if(id
&& client
&& (default_client
== NULL
||
394 krb5_principal_compare(context
, client
, default_client
) != 0)) {
395 ret
= get_kadm_ticket(context
, id
, client
, server_name
);
398 krb5_free_principal(context
, default_client
);
399 if (default_client
!= client
)
400 krb5_free_principal(context
, client
);
404 /* couldn't get ticket from cache */
407 /* get creds via AS request */
408 if(id
&& (id
!= ccache
))
409 krb5_cc_close(context
, id
);
410 if (client
!= default_client
)
411 krb5_free_principal(context
, default_client
);
413 ret
= get_new_cache(context
, client
, password
, prompter
, keytab
,
414 server_name
, ret_cache
);
415 krb5_free_principal(context
, client
);
420 kadm_connect(kadm5_client_context
*ctx
)
423 krb5_principal server
;
425 rk_socket_t s
= rk_INVALID_SOCKET
;
426 struct addrinfo
*ai
, *a
;
427 struct addrinfo hints
;
429 char portstr
[NI_MAXSERV
];
430 char *hostname
, *slash
;
432 krb5_context context
= ctx
->context
;
434 memset (&hints
, 0, sizeof(hints
));
435 hints
.ai_socktype
= SOCK_STREAM
;
436 hints
.ai_protocol
= IPPROTO_TCP
;
438 snprintf (portstr
, sizeof(portstr
), "%u", ntohs(ctx
->kadmind_port
));
440 hostname
= ctx
->admin_server
;
441 slash
= strchr (hostname
, '/');
443 hostname
= slash
+ 1;
445 error
= getaddrinfo (hostname
, portstr
, &hints
, &ai
);
447 krb5_clear_error_message(context
);
448 return KADM5_BAD_SERVER_NAME
;
451 for (a
= ai
; a
!= NULL
; a
= a
->ai_next
) {
452 s
= socket (a
->ai_family
, a
->ai_socktype
, a
->ai_protocol
);
455 if (connect (s
, a
->ai_addr
, a
->ai_addrlen
) < 0) {
456 krb5_clear_error_message(context
);
457 krb5_warn (context
, errno
, "connect(%s)", hostname
);
465 krb5_clear_error_message(context
);
466 krb5_warnx (context
, "failed to contact %s", hostname
);
467 return KADM5_FAILURE
;
469 ret
= _kadm5_c_get_cred_cache(context
,
472 NULL
, ctx
->prompter
, ctx
->keytab
,
482 error
= asprintf(&service_name
, "%s@%s", KADM5_ADMIN_SERVICE
,
485 error
= asprintf(&service_name
, "%s", KADM5_ADMIN_SERVICE
);
487 if (error
== -1 || service_name
== NULL
) {
490 krb5_clear_error_message(context
);
494 ret
= krb5_parse_name(context
, service_name
, &server
);
498 if(ctx
->ccache
== NULL
)
499 krb5_cc_close(context
, cc
);
505 ret
= krb5_sendauth(context
, &ctx
->ac
, &s
,
506 KADMIN_APPL_VERSION
, NULL
,
507 server
, AP_OPTS_MUTUAL_REQUIRED
,
508 NULL
, NULL
, cc
, NULL
, NULL
, NULL
);
511 kadm5_config_params p
;
512 memset(&p
, 0, sizeof(p
));
514 p
.mask
|= KADM5_CONFIG_REALM
;
515 p
.realm
= ctx
->realm
;
517 ret
= _kadm5_marshal_params(context
, &p
, ¶ms
);
519 ret
= krb5_write_priv_message(context
, ctx
->ac
, &s
, ¶ms
);
520 krb5_data_free(¶ms
);
524 if(ctx
->ccache
== NULL
)
525 krb5_cc_close(context
, cc
);
528 } else if(ret
== KRB5_SENDAUTH_BADAPPLVERS
) {
531 s
= socket (a
->ai_family
, a
->ai_socktype
, a
->ai_protocol
);
534 krb5_clear_error_message(context
);
537 if (connect (s
, a
->ai_addr
, a
->ai_addrlen
) < 0) {
540 krb5_clear_error_message(context
);
543 ret
= krb5_sendauth(context
, &ctx
->ac
, &s
,
544 KADMIN_OLD_APPL_VERSION
, NULL
,
545 server
, AP_OPTS_MUTUAL_REQUIRED
,
546 NULL
, NULL
, cc
, NULL
, NULL
, NULL
);
554 krb5_free_principal(context
, server
);
555 if(ctx
->ccache
== NULL
)
556 krb5_cc_close(context
, cc
);
563 _kadm5_connect(void *handle
)
565 kadm5_client_context
*ctx
= handle
;
567 return kadm_connect(ctx
);
572 kadm5_c_init_with_context(krb5_context context
,
573 const char *client_name
,
574 const char *password
,
575 krb5_prompter_fct prompter
,
578 const char *service_name
,
579 kadm5_config_params
*realm_params
,
580 unsigned long struct_version
,
581 unsigned long api_version
,
582 void **server_handle
)
585 kadm5_client_context
*ctx
;
588 ret
= _kadm5_c_init_context(&ctx
, realm_params
, context
);
592 if(password
!= NULL
&& *password
!= '\0') {
593 ret
= _kadm5_c_get_cred_cache(context
,
596 password
, prompter
, keytab
, ccache
, &cc
);
598 return ret
; /* XXX */
603 if (client_name
!= NULL
)
604 ctx
->client_name
= strdup(client_name
);
606 ctx
->client_name
= NULL
;
607 if (service_name
!= NULL
)
608 ctx
->service_name
= strdup(service_name
);
610 ctx
->service_name
= NULL
;
611 ctx
->prompter
= prompter
;
612 ctx
->keytab
= keytab
;
613 ctx
->ccache
= ccache
;
614 /* maybe we should copy the params here */
617 *server_handle
= ctx
;
622 init_context(const char *client_name
,
623 const char *password
,
624 krb5_prompter_fct prompter
,
627 const char *service_name
,
628 kadm5_config_params
*realm_params
,
629 unsigned long struct_version
,
630 unsigned long api_version
,
631 void **server_handle
)
633 krb5_context context
;
635 kadm5_server_context
*ctx
;
637 ret
= krb5_init_context(&context
);
640 ret
= kadm5_c_init_with_context(context
,
652 krb5_free_context(context
);
655 ctx
= *server_handle
;
661 kadm5_c_init_with_password_ctx(krb5_context context
,
662 const char *client_name
,
663 const char *password
,
664 const char *service_name
,
665 kadm5_config_params
*realm_params
,
666 unsigned long struct_version
,
667 unsigned long api_version
,
668 void **server_handle
)
670 return kadm5_c_init_with_context(context
,
684 kadm5_c_init_with_password(const char *client_name
,
685 const char *password
,
686 const char *service_name
,
687 kadm5_config_params
*realm_params
,
688 unsigned long struct_version
,
689 unsigned long api_version
,
690 void **server_handle
)
692 return init_context(client_name
,
705 kadm5_c_init_with_skey_ctx(krb5_context context
,
706 const char *client_name
,
708 const char *service_name
,
709 kadm5_config_params
*realm_params
,
710 unsigned long struct_version
,
711 unsigned long api_version
,
712 void **server_handle
)
714 return kadm5_c_init_with_context(context
,
729 kadm5_c_init_with_skey(const char *client_name
,
731 const char *service_name
,
732 kadm5_config_params
*realm_params
,
733 unsigned long struct_version
,
734 unsigned long api_version
,
735 void **server_handle
)
737 return init_context(client_name
,
750 kadm5_c_init_with_creds_ctx(krb5_context context
,
751 const char *client_name
,
753 const char *service_name
,
754 kadm5_config_params
*realm_params
,
755 unsigned long struct_version
,
756 unsigned long api_version
,
757 void **server_handle
)
759 return kadm5_c_init_with_context(context
,
773 kadm5_c_init_with_creds(const char *client_name
,
775 const char *service_name
,
776 kadm5_config_params
*realm_params
,
777 unsigned long struct_version
,
778 unsigned long api_version
,
779 void **server_handle
)
781 return init_context(client_name
,
795 kadm5_init(char *client_name
, char *pass
,
797 kadm5_config_params
*realm_params
,
798 unsigned long struct_version
,
799 unsigned long api_version
,
800 void **server_handle
)