2 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 #include "kuser_locl.h"
39 #include <Security/Security.h>
46 int forwardable_flag
= -1;
47 int proxiable_flag
= -1;
48 int renewable_flag
= -1;
51 int validate_flag
= 0;
55 struct getarg_strings extra_addresses
;
56 int anonymous_flag
= 0;
57 char *lifetime
= NULL
;
58 char *renew_life
= NULL
;
59 char *server_str
= NULL
;
60 char *cred_cache
= NULL
;
61 char *start_str
= NULL
;
62 static int switch_cache_flags
= 1;
63 struct getarg_strings etype_str
;
65 char *keytab_str
= NULL
;
68 char *password_file
= NULL
;
69 char *pk_user_id
= NULL
;
70 int pk_enterprise_flag
= 0;
71 struct hx509_certs_data
*ent_user_id
= NULL
;
72 char *pk_x509_anchors
= NULL
;
73 int pk_use_enckey
= 0;
74 static int canonicalize_flag
= 0;
75 static int enterprise_flag
= 0;
76 static int ok_as_delegate_flag
= 0;
77 static char *fast_armor_cache_string
= NULL
;
78 static int use_referrals_flag
= 0;
79 static int windows_flag
= 0;
81 static char *ntlm_domain
;
85 static struct getargs args
[] = {
99 { "afslog", 0 , arg_flag
, &do_afslog
,
100 NP_("obtain afs tokens", ""), NULL
},
102 { "cache", 'c', arg_string
, &cred_cache
,
103 NP_("credentials cache", ""), "cachename" },
105 { "forwardable", 0, arg_negative_flag
, &forwardable_flag
,
106 NP_("get tickets not forwardable", ""), NULL
},
108 { NULL
, 'f', arg_flag
, &forwardable_flag
,
109 NP_("get forwardable tickets", ""), NULL
},
111 { "keytab", 't', arg_string
, &keytab_str
,
112 NP_("keytab to use", ""), "keytabname" },
114 { "lifetime", 'l', arg_string
, &lifetime
,
115 NP_("lifetime of tickets", ""), "time" },
117 { "proxiable", 'p', arg_flag
, &proxiable_flag
,
118 NP_("get proxiable tickets", ""), NULL
},
120 { "renew", 'R', arg_flag
, &renew_flag
,
121 NP_("renew TGT", ""), NULL
},
123 { "renewable", 0, arg_flag
, &renewable_flag
,
124 NP_("get renewable tickets", ""), NULL
},
126 { "renewable-life", 'r', arg_string
, &renew_life
,
127 NP_("renewable lifetime of tickets", ""), "time" },
129 { "server", 'S', arg_string
, &server_str
,
130 NP_("server to get ticket for", ""), "principal" },
132 { "start-time", 's', arg_string
, &start_str
,
133 NP_("when ticket gets valid", ""), "time" },
135 { "use-keytab", 'k', arg_flag
, &use_keytab
,
136 NP_("get key from keytab", ""), NULL
},
138 { "validate", 'v', arg_flag
, &validate_flag
,
139 NP_("validate TGT", ""), NULL
},
141 { "enctypes", 'e', arg_strings
, &etype_str
,
142 NP_("encryption types to use", ""), "enctypes" },
144 { "fcache-version", 0, arg_integer
, &fcache_version
,
145 NP_("file cache version to create", ""), NULL
},
147 { "addresses", 'A', arg_negative_flag
, &addrs_flag
,
148 NP_("request a ticket with no addresses", ""), NULL
},
150 { "extra-addresses",'a', arg_strings
, &extra_addresses
,
151 NP_("include these extra addresses", ""), "addresses" },
153 { "anonymous", 0, arg_flag
, &anonymous_flag
,
154 NP_("request an anonymous ticket", ""), NULL
},
156 { "request-pac", 0, arg_flag
, &pac_flag
,
157 NP_("request a Windows PAC", ""), NULL
},
159 { "password-file", 0, arg_string
, &password_file
,
160 NP_("read the password from a file", ""), NULL
},
162 { "canonicalize",0, arg_flag
, &canonicalize_flag
,
163 NP_("canonicalize client principal", ""), NULL
},
165 { "enterprise",0, arg_flag
, &enterprise_flag
,
166 NP_("parse principal as a KRB5-NT-ENTERPRISE name", ""), NULL
},
168 { "pk-enterprise", 0, arg_flag
, &pk_enterprise_flag
,
169 NP_("use enterprise name from certificate", ""), NULL
},
171 { "pk-user", 'C', arg_string
, &pk_user_id
,
172 NP_("principal's public/private/certificate identifier", ""), "id" },
174 { "x509-anchors", 'D', arg_string
, &pk_x509_anchors
,
175 NP_("directory with CA certificates", ""), "directory" },
177 { "pk-use-enckey", 0, arg_flag
, &pk_use_enckey
,
178 NP_("Use RSA encrypted reply (instead of DH)", ""), NULL
},
181 { "ntlm-domain", 0, arg_string
, &ntlm_domain
,
182 NP_("NTLM domain", ""), "domain" },
185 { "change-default", 0, arg_negative_flag
, &switch_cache_flags
,
186 NP_("switch the default cache to the new credentials cache", ""), NULL
},
188 { "ok-as-delegate", 0, arg_flag
, &ok_as_delegate_flag
,
189 NP_("honor ok-as-delegate on tickets", ""), NULL
},
191 { "fast-armor-cache", 0, arg_string
, &fast_armor_cache_string
,
192 NP_("use this credential cache as FAST armor cache", ""), "cache" },
194 { "use-referrals", 0, arg_flag
, &use_referrals_flag
,
195 NP_("only use referrals, no dns canalisation", ""), NULL
},
197 { "windows", 0, arg_flag
, &windows_flag
,
198 NP_("get windows behavior", ""), NULL
},
200 { "version", 0, arg_flag
, &version_flag
, NULL
, NULL
},
201 { "help", 0, arg_flag
, &help_flag
, NULL
, NULL
}
207 arg_printusage_i18n (args
,
208 sizeof(args
)/sizeof(*args
),
211 "[principal [command]]",
216 static krb5_error_code
217 get_server(krb5_context context
,
218 krb5_principal client
,
220 krb5_principal
*princ
)
222 krb5_const_realm realm
;
224 return krb5_parse_name(context
, server
, princ
);
226 realm
= krb5_principal_get_realm(context
, client
);
227 return krb5_make_principal(context
, princ
, realm
,
228 KRB5_TGS_NAME
, realm
, NULL
);
232 renew_validate(krb5_context context
,
240 krb5_creds in
, *out
= NULL
;
241 krb5_kdc_flags flags
;
243 memset(&in
, 0, sizeof(in
));
245 ret
= krb5_cc_get_principal(context
, cache
, &in
.client
);
247 krb5_warn(context
, ret
, "krb5_cc_get_principal");
250 ret
= get_server(context
, in
.client
, server
, &in
.server
);
252 krb5_warn(context
, ret
, "get_server");
258 * no need to check the error here, it's only to be
259 * friendly to the user
261 krb5_get_credentials(context
, KRB5_GC_CACHED
, cache
, &in
, &out
);
265 flags
.b
.renewable
= flags
.b
.renew
= renew
;
266 flags
.b
.validate
= validate
;
268 if (forwardable_flag
!= -1)
269 flags
.b
.forwardable
= forwardable_flag
;
271 flags
.b
.forwardable
= out
->flags
.b
.forwardable
;
273 if (proxiable_flag
!= -1)
274 flags
.b
.proxiable
= proxiable_flag
;
276 flags
.b
.proxiable
= out
->flags
.b
.proxiable
;
279 flags
.b
.request_anonymous
= anonymous_flag
;
281 in
.times
.endtime
= time(NULL
) + life
;
284 krb5_free_creds (context
, out
);
289 ret
= krb5_get_kdc_cred(context
,
297 krb5_warn(context
, ret
, "krb5_get_kdc_cred");
300 ret
= krb5_cc_initialize(context
, cache
, in
.client
);
302 krb5_free_creds (context
, out
);
303 krb5_warn(context
, ret
, "krb5_cc_initialize");
306 ret
= krb5_cc_store_cred(context
, cache
, out
);
308 if(ret
== 0 && server
== NULL
) {
309 /* only do this if it's a general renew-my-tgt request */
311 if(do_afslog
&& k_hasafs())
312 krb5_afslog(context
, cache
, NULL
, NULL
);
316 krb5_free_creds (context
, out
);
318 krb5_warn(context
, ret
, "krb5_cc_store_cred");
322 krb5_free_cred_contents(context
, &in
);
328 static krb5_error_code
329 store_ntlmkey(krb5_context context
, krb5_ccache id
,
330 const char *domain
, struct ntlm_buf
*buf
)
337 aret
= asprintf(&name
, "ntlm-key-%s", domain
);
338 if (aret
== -1 || name
== NULL
) {
339 krb5_clear_error_message(context
);
343 data
.length
= buf
->length
;
344 data
.data
= buf
->data
;
346 ret
= krb5_cc_set_config(context
, id
, NULL
, name
, &data
);
352 static krb5_error_code
353 get_new_tickets(krb5_context context
,
354 krb5_principal principal
,
356 krb5_deltat ticket_life
,
360 krb5_get_init_creds_opt
*opt
;
363 krb5_deltat start_time
= 0;
364 krb5_deltat renew
= 0;
365 const char *renewstr
= NULL
;
366 krb5_enctype
*enctype
= NULL
;
367 krb5_ccache tempccache
;
368 krb5_keytab kt
= NULL
;
369 krb5_init_creds_context ctx
;
371 struct ntlm_buf ntlmkey
;
372 memset(&ntlmkey
, 0, sizeof(ntlmkey
));
379 if (strcasecmp("STDIN", password_file
) == 0)
382 f
= fopen(password_file
, "r");
384 krb5_errx(context
, 1, "Failed to open the password file %s",
387 if (fgets(passwd
, sizeof(passwd
), f
) == NULL
)
388 krb5_errx(context
, 1,
389 N_("Failed to read password from file %s", ""),
393 passwd
[strcspn(passwd
, "\n")] = '\0';
397 if (passwd
[0] == '\0') {
404 realm
= krb5_principal_get_realm(context
, principal
);
406 ret
= krb5_unparse_name_flags(context
, principal
,
407 KRB5_PRINCIPAL_UNPARSE_NO_REALM
, &name
);
411 osret
= SecKeychainFindGenericPassword(NULL
, strlen(realm
), realm
,
413 &length
, &buffer
, NULL
);
415 if (osret
== noErr
&& length
< sizeof(passwd
) - 1) {
416 memcpy(passwd
, buffer
, length
);
417 passwd
[length
] = '\0';
424 memset(&cred
, 0, sizeof(cred
));
426 ret
= krb5_get_init_creds_opt_alloc (context
, &opt
);
428 krb5_err(context
, 1, ret
, "krb5_get_init_creds_opt_alloc");
430 krb5_get_init_creds_opt_set_default_flags(context
, "kinit",
431 krb5_principal_get_realm(context
, principal
), opt
);
433 if(forwardable_flag
!= -1)
434 krb5_get_init_creds_opt_set_forwardable (opt
, forwardable_flag
);
435 if(proxiable_flag
!= -1)
436 krb5_get_init_creds_opt_set_proxiable (opt
, proxiable_flag
);
438 krb5_get_init_creds_opt_set_anonymous (opt
, anonymous_flag
);
440 krb5_get_init_creds_opt_set_pac_request(context
, opt
,
441 pac_flag
? TRUE
: FALSE
);
442 if (canonicalize_flag
)
443 krb5_get_init_creds_opt_set_canonicalize(context
, opt
, TRUE
);
444 if (pk_enterprise_flag
|| enterprise_flag
|| canonicalize_flag
|| windows_flag
)
445 krb5_get_init_creds_opt_set_win2k(context
, opt
, TRUE
);
446 if (pk_user_id
|| ent_user_id
|| anonymous_flag
) {
447 ret
= krb5_get_init_creds_opt_set_pkinit(context
, opt
,
453 pk_use_enckey
? 2 : 0 |
454 anonymous_flag
? 4 : 0,
459 krb5_err(context
, 1, ret
, "krb5_get_init_creds_opt_set_pkinit");
461 krb5_get_init_creds_opt_set_pkinit_user_certs(context
, opt
, ent_user_id
);
464 if (addrs_flag
!= -1)
465 krb5_get_init_creds_opt_set_addressless(context
, opt
,
466 addrs_flag
? FALSE
: TRUE
);
468 if (renew_life
== NULL
&& renewable_flag
)
469 renewstr
= "1 month";
471 renewstr
= renew_life
;
473 renew
= parse_time (renewstr
, "s");
475 errx (1, "unparsable time: %s", renewstr
);
477 krb5_get_init_creds_opt_set_renew_life (opt
, renew
);
481 krb5_get_init_creds_opt_set_tkt_life (opt
, ticket_life
);
484 int tmp
= parse_time (start_str
, "s");
486 errx (1, N_("unparsable time: %s", ""), start_str
);
491 if(etype_str
.num_strings
) {
494 enctype
= malloc(etype_str
.num_strings
* sizeof(*enctype
));
496 errx(1, "out of memory");
497 for(i
= 0; i
< etype_str
.num_strings
; i
++) {
498 ret
= krb5_string_to_enctype(context
,
499 etype_str
.strings
[i
],
502 errx(1, "unrecognized enctype: %s", etype_str
.strings
[i
]);
504 krb5_get_init_creds_opt_set_etype_list(opt
, enctype
,
505 etype_str
.num_strings
);
508 ret
= krb5_init_creds_init(context
, principal
, krb5_prompter_posix
, NULL
, start_time
, opt
, &ctx
);
510 krb5_err(context
, 1, ret
, "krb5_init_creds_init");
513 ret
= krb5_init_creds_set_service(context
, ctx
, server_str
);
515 krb5_err(context
, 1, ret
, "krb5_init_creds_set_service");
518 if (fast_armor_cache_string
) {
521 ret
= krb5_cc_resolve(context
, fast_armor_cache_string
, &fastid
);
523 krb5_err(context
, 1, ret
, "krb5_cc_resolve(FAST cache)");
525 ret
= krb5_init_creds_set_fast_ccache(context
, ctx
, fastid
);
527 krb5_err(context
, 1, ret
, "krb5_init_creds_set_fast_ccache");
530 if(use_keytab
|| keytab_str
) {
533 ret
= krb5_kt_resolve(context
, keytab_str
, &kt
);
535 ret
= krb5_kt_default(context
, &kt
);
537 krb5_err(context
, 1, ret
, "resolving keytab");
539 ret
= krb5_init_creds_set_keytab(context
, ctx
, kt
);
541 krb5_err(context
, 1, ret
, "krb5_init_creds_set_keytab");
543 } else if (pk_user_id
|| ent_user_id
|| anonymous_flag
) {
545 } else if (!interactive
) {
546 krb5_warnx(context
, "Not interactive, failed to get initial ticket");
547 krb5_get_init_creds_opt_free(context
, opt
);
551 if (passwd
[0] == '\0') {
555 ret
= krb5_unparse_name (context
, principal
, &p
);
557 aret
= asprintf (&prompt
, N_("%s's Password: ", ""), p
);
560 if (ret
|| aret
== -1)
561 errx(1, "failed to generate passwd prompt: not enough memory");
563 if (UI_UTIL_read_pw_string(passwd
, sizeof(passwd
)-1, prompt
, 0)){
564 memset(passwd
, 0, sizeof(passwd
));
565 errx(1, "failed to read password");
571 ret
= krb5_init_creds_set_password(context
, ctx
, passwd
);
573 krb5_err(context
, 1, ret
, "krb5_init_creds_set_password");
577 ret
= krb5_init_creds_get(context
, ctx
);
580 if (ntlm_domain
&& passwd
[0])
581 heim_ntlm_nt_key(passwd
, &ntlmkey
);
583 memset(passwd
, 0, sizeof(passwd
));
588 case KRB5_LIBOS_PWDINTR
: /* don't print anything if it was just C-c:ed */
590 case KRB5KRB_AP_ERR_BAD_INTEGRITY
:
591 case KRB5KRB_AP_ERR_MODIFIED
:
592 case KRB5KDC_ERR_PREAUTH_FAILED
:
593 krb5_errx(context
, 1, N_("Password incorrect", ""));
595 case KRB5KRB_AP_ERR_V4_REPLY
:
596 krb5_errx(context
, 1, N_("Looks like a Kerberos 4 reply", ""));
599 krb5_err(context
, 1, ret
, "krb5_get_init_creds");
602 krb5_process_last_request(context
, opt
, ctx
);
604 ret
= krb5_init_creds_get_creds(context
, ctx
, &cred
);
606 krb5_err(context
, 1, ret
, "krb5_init_creds_get_creds");
608 if(ticket_life
!= 0) {
609 if(abs(cred
.times
.endtime
- cred
.times
.starttime
- ticket_life
) > 30) {
611 unparse_time_approx(cred
.times
.endtime
- cred
.times
.starttime
,
613 krb5_warnx(context
, N_("NOTICE: ticket lifetime is %s", ""), life
);
617 if(abs(cred
.times
.renew_till
- cred
.times
.starttime
- renew
) > 30) {
619 unparse_time_approx(cred
.times
.renew_till
- cred
.times
.starttime
,
622 N_("NOTICE: ticket renewable lifetime is %s", ""),
627 ret
= krb5_cc_new_unique(context
, krb5_cc_get_type(context
, ccache
),
630 krb5_err (context
, 1, ret
, "krb5_cc_new_unique");
632 ret
= krb5_init_creds_store(context
, ctx
, tempccache
);
634 krb5_err(context
, 1, ret
, "krb5_init_creds_store");
636 krb5_init_creds_free(context
, ctx
);
638 ret
= krb5_cc_move(context
, tempccache
, ccache
);
640 krb5_err (context
, 1, ret
, "krb5_cc_move");
642 if (switch_cache_flags
)
643 krb5_cc_switch(context
, ccache
);
646 if (ntlm_domain
&& ntlmkey
.data
)
647 store_ntlmkey(context
, ccache
, ntlm_domain
, &ntlmkey
);
650 if (ok_as_delegate_flag
|| windows_flag
|| use_referrals_flag
) {
654 if (ok_as_delegate_flag
|| windows_flag
)
656 if (use_referrals_flag
|| windows_flag
)
662 krb5_cc_set_config(context
, ccache
, NULL
, "realm-config", &data
);
665 krb5_get_init_creds_opt_free(context
, opt
);
668 krb5_kt_close(context
, kt
);
676 ticket_lifetime(krb5_context context
, krb5_ccache cache
,
677 krb5_principal client
, const char *server
)
679 krb5_creds in_cred
, *cred
;
683 memset(&in_cred
, 0, sizeof(in_cred
));
685 ret
= krb5_cc_get_principal(context
, cache
, &in_cred
.client
);
687 krb5_warn(context
, ret
, "krb5_cc_get_principal");
690 ret
= get_server(context
, in_cred
.client
, server
, &in_cred
.server
);
692 krb5_free_principal(context
, in_cred
.client
);
693 krb5_warn(context
, ret
, "get_server");
697 ret
= krb5_get_credentials(context
, KRB5_GC_CACHED
,
698 cache
, &in_cred
, &cred
);
699 krb5_free_principal(context
, in_cred
.client
);
700 krb5_free_principal(context
, in_cred
.server
);
702 krb5_warn(context
, ret
, "krb5_get_credentials");
705 timeout
= cred
->times
.endtime
- cred
->times
.starttime
;
708 krb5_free_creds(context
, cred
);
713 krb5_context context
;
715 krb5_principal principal
;
716 krb5_deltat ticket_life
;
720 renew_func(void *ptr
)
722 struct renew_ctx
*ctx
= ptr
;
727 if (renewable_flag
) {
728 ret
= renew_validate(ctx
->context
, renewable_flag
, validate_flag
,
729 ctx
->ccache
, server_str
, ctx
->ticket_life
);
736 get_new_tickets(ctx
->context
, ctx
->principal
,
737 ctx
->ccache
, ctx
->ticket_life
, 0);
740 if(do_afslog
&& k_hasafs())
741 krb5_afslog(ctx
->context
, ctx
->ccache
, NULL
, NULL
);
744 expire
= ticket_lifetime(ctx
->context
, ctx
->ccache
, ctx
->principal
,
750 main (int argc
, char **argv
)
753 krb5_context context
;
755 krb5_principal principal
;
757 krb5_deltat ticket_life
= 0;
760 setprogname (argv
[0]);
762 setlocale (LC_ALL
, "");
763 bindtextdomain ("heimdal_kuser", HEIMDAL_LOCALEDIR
);
764 textdomain("heimdal_kuser");
766 ret
= krb5_init_context (&context
);
767 if (ret
== KRB5_CONFIG_BADFORMAT
)
768 errx (1, "krb5_init_context failed to parse configuration file");
770 errx(1, "krb5_init_context failed: %d", ret
);
772 if(getarg(args
, sizeof(args
) / sizeof(args
[0]), argc
, argv
, &optidx
))
786 if (canonicalize_flag
|| enterprise_flag
)
787 parseflags
|= KRB5_PRINCIPAL_PARSE_ENTERPRISE
;
789 if (pk_enterprise_flag
) {
790 ret
= krb5_pk_enterprise_cert(context
, pk_user_id
,
794 krb5_err(context
, 1, ret
, "krb5_pk_enterprise_certs");
798 } else if (anonymous_flag
) {
800 ret
= krb5_make_principal(context
, &principal
, argv
[0],
801 KRB5_WELLKNOWN_NAME
, KRB5_ANON_NAME
,
804 krb5_err(context
, 1, ret
, "krb5_make_principal");
805 krb5_principal_set_type(context
, principal
, KRB5_NT_WELLKNOWN
);
809 ret
= krb5_parse_name_flags (context
, argv
[0], parseflags
,
812 krb5_err (context
, 1, ret
, "krb5_parse_name");
814 ret
= krb5_get_default_principal (context
, &principal
);
816 krb5_err (context
, 1, ret
, "krb5_get_default_principal");
821 krb5_set_fcache_version(context
, fcache_version
);
823 if(renewable_flag
== -1)
824 /* this seems somewhat pointless, but whatever */
825 krb5_appdefault_boolean(context
, "kinit",
826 krb5_principal_get_realm(context
, principal
),
827 "renewable", FALSE
, &renewable_flag
);
829 krb5_appdefault_boolean(context
, "kinit",
830 krb5_principal_get_realm(context
, principal
),
831 "afslog", TRUE
, &do_afslog
);
834 ret
= krb5_cc_resolve(context
, cred_cache
, &ccache
);
838 ret
= krb5_cc_new_unique(context
, NULL
, NULL
, &ccache
);
840 krb5_err(context
, 1, ret
, "creating cred cache");
841 snprintf(s
, sizeof(s
), "%s:%s",
842 krb5_cc_get_type(context
, ccache
),
843 krb5_cc_get_name(context
, ccache
));
844 setenv("KRB5CCNAME", s
, 1);
846 ret
= krb5_cc_cache_match(context
, principal
, &ccache
);
849 ret
= krb5_cc_default (context
, &ccache
);
851 krb5_err (context
, 1, ret
, N_("resolving credentials cache", ""));
854 * Check if the type support switching, and we do,
855 * then do that instead over overwriting the current
858 type
= krb5_cc_get_type(context
, ccache
);
859 if (krb5_cc_support_switch(context
, type
)) {
860 krb5_cc_close(context
, ccache
);
861 ret
= krb5_cc_new_unique(context
, type
, NULL
, &ccache
);
867 krb5_err (context
, 1, ret
, N_("resolving credentials cache", ""));
870 if(argc
> 1 && k_hasafs ())
875 int tmp
= parse_time (lifetime
, "s");
877 errx (1, N_("unparsable time: %s", ""), lifetime
);
882 if(addrs_flag
== 0 && extra_addresses
.num_strings
> 0)
883 krb5_errx(context
, 1,
884 N_("specifying both extra addresses and "
885 "no addresses makes no sense", ""));
888 krb5_addresses addresses
;
889 memset(&addresses
, 0, sizeof(addresses
));
890 for(i
= 0; i
< extra_addresses
.num_strings
; i
++) {
891 ret
= krb5_parse_address(context
, extra_addresses
.strings
[i
],
894 krb5_add_extra_addresses(context
, &addresses
);
895 krb5_free_addresses(context
, &addresses
);
898 free_getarg_strings(&extra_addresses
);
901 if(renew_flag
|| validate_flag
) {
902 ret
= renew_validate(context
, renew_flag
, validate_flag
,
903 ccache
, server_str
, ticket_life
);
907 get_new_tickets(context
, principal
, ccache
, ticket_life
, 1);
910 if(do_afslog
&& k_hasafs())
911 krb5_afslog(context
, ccache
, NULL
, NULL
);
914 struct renew_ctx ctx
;
917 timeout
= ticket_lifetime(context
, ccache
, principal
, server_str
) / 2;
919 ctx
.context
= context
;
921 ctx
.principal
= principal
;
922 ctx
.ticket_life
= ticket_life
;
924 ret
= simple_execvp_timed(argv
[1], argv
+1,
925 renew_func
, &ctx
, timeout
);
926 #define EX_NOEXEC 126
927 #define EX_NOTFOUND 127
929 krb5_warnx(context
, N_("permission denied: %s", ""), argv
[1]);
930 else if(ret
== EX_NOTFOUND
)
931 krb5_warnx(context
, N_("command not found: %s", ""), argv
[1]);
933 krb5_cc_destroy(context
, ccache
);
939 krb5_cc_close (context
, ccache
);
942 krb5_free_principal(context
, principal
);
943 krb5_free_context (context
);