2 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "kuser_locl.h"
36 #ifndef HEIMDAL_SMALLER
37 #include "krb5-v4compat.h"
40 struct krb5_dh_moduli
;
41 struct AlgorithmIdentifier
;
42 struct _krb5_krb_auth_data
;
43 struct hx509_certs_data
;
44 #include <krb5-private.h>
50 int forwardable_flag
= -1;
51 int proxiable_flag
= -1;
52 int renewable_flag
= -1;
55 int validate_flag
= 0;
59 struct getarg_strings extra_addresses
;
60 int anonymous_flag
= 0;
61 char *lifetime
= NULL
;
62 char *renew_life
= NULL
;
63 char *server_str
= NULL
;
64 char *cred_cache
= NULL
;
65 char *start_str
= NULL
;
66 static int switch_cache_flags
= 1;
67 struct getarg_strings etype_str
;
69 char *keytab_str
= NULL
;
71 #ifndef HEIMDAL_SMALLER
74 static char *krb4_cc_name
;
77 char *password_file
= NULL
;
78 char *pk_user_id
= NULL
;
79 int pk_enterprise_flag
= 0;
80 struct hx509_certs_data
*ent_user_id
= NULL
;
81 char *pk_x509_anchors
= NULL
;
82 int pk_use_enckey
= 0;
83 static int canonicalize_flag
= 0;
84 static int enterprise_flag
= 0;
85 static int ok_as_delegate_flag
= 0;
86 static int use_referrals_flag
= 0;
87 static int windows_flag
= 0;
89 static char *ntlm_domain
;
93 static struct getargs args
[] = {
103 #ifndef HEIMDAL_SMALLER
104 { "524init", '4', arg_flag
, &get_v4_tgt
,
105 NP_("obtain version 4 TGT", "") },
107 { "524convert", '9', arg_flag
, &convert_524
,
108 NP_("only convert ticket to version 4", "") },
110 { "afslog", 0 , arg_flag
, &do_afslog
,
111 NP_("obtain afs tokens", "") },
113 { "cache", 'c', arg_string
, &cred_cache
,
114 NP_("credentials cache", ""), "cachename" },
116 { "forwardable", 'f', arg_flag
, &forwardable_flag
,
117 NP_("get forwardable tickets", "")},
119 { "keytab", 't', arg_string
, &keytab_str
,
120 NP_("keytab to use", ""), "keytabname" },
122 { "lifetime", 'l', arg_string
, &lifetime
,
123 NP_("lifetime of tickets", ""), "time"},
125 { "proxiable", 'p', arg_flag
, &proxiable_flag
,
126 NP_("get proxiable tickets", "") },
128 { "renew", 'R', arg_flag
, &renew_flag
,
129 NP_("renew TGT", "") },
131 { "renewable", 0, arg_flag
, &renewable_flag
,
132 NP_("get renewable tickets", "") },
134 { "renewable-life", 'r', arg_string
, &renew_life
,
135 NP_("renewable lifetime of tickets", ""), "time" },
137 { "server", 'S', arg_string
, &server_str
,
138 NP_("server to get ticket for", ""), "principal" },
140 { "start-time", 's', arg_string
, &start_str
,
141 NP_("when ticket gets valid", ""), "time" },
143 { "use-keytab", 'k', arg_flag
, &use_keytab
,
144 NP_("get key from keytab", "") },
146 { "validate", 'v', arg_flag
, &validate_flag
,
147 NP_("validate TGT", "") },
149 { "enctypes", 'e', arg_strings
, &etype_str
,
150 NP_("encryption types to use", ""), "enctypes" },
152 { "fcache-version", 0, arg_integer
, &fcache_version
,
153 NP_("file cache version to create", "") },
155 { "addresses", 'A', arg_negative_flag
, &addrs_flag
,
156 NP_("request a ticket with no addresses", "") },
158 { "extra-addresses",'a', arg_strings
, &extra_addresses
,
159 NP_("include these extra addresses", ""), "addresses" },
161 { "anonymous", 0, arg_flag
, &anonymous_flag
,
162 NP_("request an anonymous ticket", "") },
164 { "request-pac", 0, arg_flag
, &pac_flag
,
165 NP_("request a Windows PAC", "") },
167 { "password-file", 0, arg_string
, &password_file
,
168 NP_("read the password from a file", "") },
170 { "canonicalize",0, arg_flag
, &canonicalize_flag
,
171 NP_("canonicalize client principal", "") },
173 { "enterprise",0, arg_flag
, &enterprise_flag
,
174 NP_("parse principal as a KRB5-NT-ENTERPRISE name", "") },
176 { "pk-enterprise", 0, arg_flag
, &pk_enterprise_flag
,
177 NP_("use enterprise name from certificate", "") },
179 { "pk-user", 'C', arg_string
, &pk_user_id
,
180 NP_("principal's public/private/certificate identifier", ""), "id" },
182 { "x509-anchors", 'D', arg_string
, &pk_x509_anchors
,
183 NP_("directory with CA certificates", ""), "directory" },
185 { "pk-use-enckey", 0, arg_flag
, &pk_use_enckey
,
186 NP_("Use RSA encrypted reply (instead of DH)", "") },
189 { "ntlm-domain", 0, arg_string
, &ntlm_domain
,
190 NP_("NTLM domain", ""), "domain" },
193 { "change-default", 0, arg_negative_flag
, &switch_cache_flags
,
194 NP_("switch the default cache to the new credentials cache", "") },
196 { "ok-as-delegate", 0, arg_flag
, &ok_as_delegate_flag
,
197 NP_("honor ok-as-delegate on tickets", "") },
199 { "use-referrals", 0, arg_flag
, &use_referrals_flag
,
200 NP_("only use referrals, no dns canalisation", "") },
202 { "windows", 0, arg_flag
, &windows_flag
,
203 NP_("get windows behavior", "") },
205 { "version", 0, arg_flag
, &version_flag
},
206 { "help", 0, arg_flag
, &help_flag
}
212 arg_printusage_i18n (args
,
213 sizeof(args
)/sizeof(*args
),
216 "[principal [command]]",
221 static krb5_error_code
222 get_server(krb5_context context
,
223 krb5_principal client
,
225 krb5_principal
*princ
)
227 krb5_const_realm realm
;
229 return krb5_parse_name(context
, server
, princ
);
231 realm
= krb5_principal_get_realm(context
, client
);
232 return krb5_make_principal(context
, princ
, realm
,
233 KRB5_TGS_NAME
, realm
, NULL
);
236 #ifndef HEIMDAL_SMALLER
238 static krb5_error_code
239 do_524init(krb5_context context
, krb5_ccache ccache
,
240 krb5_creds
*creds
, const char *server
)
244 struct credentials c
;
245 krb5_creds in_creds
, *real_creds
;
250 krb5_principal client
;
251 krb5_cc_get_principal(context
, ccache
, &client
);
252 memset(&in_creds
, 0, sizeof(in_creds
));
253 ret
= get_server(context
, client
, server
, &in_creds
.server
);
255 krb5_free_principal(context
, client
);
258 in_creds
.client
= client
;
259 ret
= krb5_get_credentials(context
, 0, ccache
, &in_creds
, &real_creds
);
260 krb5_free_principal(context
, client
);
261 krb5_free_principal(context
, in_creds
.server
);
265 ret
= krb524_convert_creds_kdc_ccache(context
, ccache
, real_creds
, &c
);
267 krb5_warn(context
, ret
, "converting creds");
269 krb5_error_code tret
= _krb5_krb_tf_setup(context
, &c
, NULL
, 0);
271 krb5_warn(context
, tret
, "saving v4 creds");
275 krb5_free_creds(context
, real_creds
);
276 memset(&c
, 0, sizeof(c
));
284 renew_validate(krb5_context context
,
292 krb5_creds in
, *out
= NULL
;
293 krb5_kdc_flags flags
;
295 memset(&in
, 0, sizeof(in
));
297 ret
= krb5_cc_get_principal(context
, cache
, &in
.client
);
299 krb5_warn(context
, ret
, "krb5_cc_get_principal");
302 ret
= get_server(context
, in
.client
, server
, &in
.server
);
304 krb5_warn(context
, ret
, "get_server");
310 * no need to check the error here, it's only to be
311 * friendly to the user
313 krb5_get_credentials(context
, KRB5_GC_CACHED
, cache
, &in
, &out
);
317 flags
.b
.renewable
= flags
.b
.renew
= renew
;
318 flags
.b
.validate
= validate
;
320 if (forwardable_flag
!= -1)
321 flags
.b
.forwardable
= forwardable_flag
;
323 flags
.b
.forwardable
= out
->flags
.b
.forwardable
;
325 if (proxiable_flag
!= -1)
326 flags
.b
.proxiable
= proxiable_flag
;
328 flags
.b
.proxiable
= out
->flags
.b
.proxiable
;
331 flags
.b
.request_anonymous
= anonymous_flag
;
333 in
.times
.endtime
= time(NULL
) + life
;
336 krb5_free_creds (context
, out
);
341 ret
= krb5_get_kdc_cred(context
,
349 krb5_warn(context
, ret
, "krb5_get_kdc_cred");
352 ret
= krb5_cc_initialize(context
, cache
, in
.client
);
354 krb5_free_creds (context
, out
);
355 krb5_warn(context
, ret
, "krb5_cc_initialize");
358 ret
= krb5_cc_store_cred(context
, cache
, out
);
360 if(ret
== 0 && server
== NULL
) {
361 /* only do this if it's a general renew-my-tgt request */
362 #ifndef HEIMDAL_SMALLER
364 do_524init(context
, cache
, out
, NULL
);
367 if(do_afslog
&& k_hasafs())
368 krb5_afslog(context
, cache
, NULL
, NULL
);
372 krb5_free_creds (context
, out
);
374 krb5_warn(context
, ret
, "krb5_cc_store_cred");
378 krb5_free_cred_contents(context
, &in
);
384 static krb5_error_code
385 store_ntlmkey(krb5_context context
, krb5_ccache id
,
386 const char *domain
, struct ntlm_buf
*buf
)
392 asprintf(&name
, "ntlm-key-%s", domain
);
394 krb5_clear_error_message(context
);
398 data
.length
= buf
->length
;
399 data
.data
= buf
->data
;
401 ret
= krb5_cc_set_config(context
, id
, NULL
, name
, &data
);
407 static krb5_error_code
408 get_new_tickets(krb5_context context
,
409 krb5_principal principal
,
411 krb5_deltat ticket_life
,
415 krb5_get_init_creds_opt
*opt
;
418 krb5_deltat start_time
= 0;
419 krb5_deltat renew
= 0;
420 const char *renewstr
= NULL
;
421 krb5_enctype
*enctype
= NULL
;
422 krb5_ccache tempccache
;
424 struct ntlm_buf ntlmkey
;
425 memset(&ntlmkey
, 0, sizeof(ntlmkey
));
432 if (strcasecmp("STDIN", password_file
) == 0)
435 f
= fopen(password_file
, "r");
437 krb5_errx(context
, 1, "Failed to open the password file %s",
440 if (fgets(passwd
, sizeof(passwd
), f
) == NULL
)
441 krb5_errx(context
, 1,
442 N_("Failed to read password from file %s", ""),
446 passwd
[strcspn(passwd
, "\n")] = '\0';
450 memset(&cred
, 0, sizeof(cred
));
452 ret
= krb5_get_init_creds_opt_alloc (context
, &opt
);
454 krb5_err(context
, 1, ret
, "krb5_get_init_creds_opt_alloc");
456 krb5_get_init_creds_opt_set_default_flags(context
, "kinit",
457 krb5_principal_get_realm(context
, principal
), opt
);
459 if(forwardable_flag
!= -1)
460 krb5_get_init_creds_opt_set_forwardable (opt
, forwardable_flag
);
461 if(proxiable_flag
!= -1)
462 krb5_get_init_creds_opt_set_proxiable (opt
, proxiable_flag
);
464 krb5_get_init_creds_opt_set_anonymous (opt
, anonymous_flag
);
466 krb5_get_init_creds_opt_set_pac_request(context
, opt
,
467 pac_flag
? TRUE
: FALSE
);
468 if (canonicalize_flag
)
469 krb5_get_init_creds_opt_set_canonicalize(context
, opt
, TRUE
);
470 if (pk_enterprise_flag
&& windows_flag
)
471 krb5_get_init_creds_opt_set_win2k(context
, opt
, TRUE
);
472 if (pk_user_id
|| ent_user_id
|| anonymous_flag
) {
473 ret
= krb5_get_init_creds_opt_set_pkinit(context
, opt
,
479 pk_use_enckey
? 2 : 0 |
480 anonymous_flag
? 4 : 0,
485 krb5_err(context
, 1, ret
, "krb5_get_init_creds_opt_set_pkinit");
487 _krb5_get_init_creds_opt_set_pkinit_user_certs(context
, opt
, ent_user_id
);
490 if (addrs_flag
!= -1)
491 krb5_get_init_creds_opt_set_addressless(context
, opt
,
492 addrs_flag
? FALSE
: TRUE
);
494 if (renew_life
== NULL
&& renewable_flag
)
495 renewstr
= "1 month";
497 renewstr
= renew_life
;
499 renew
= parse_time (renewstr
, "s");
501 errx (1, "unparsable time: %s", renewstr
);
503 krb5_get_init_creds_opt_set_renew_life (opt
, renew
);
507 krb5_get_init_creds_opt_set_tkt_life (opt
, ticket_life
);
510 int tmp
= parse_time (start_str
, "s");
512 errx (1, N_("unparsable time: %s", ""), start_str
);
517 if(etype_str
.num_strings
) {
520 enctype
= malloc(etype_str
.num_strings
* sizeof(*enctype
));
522 errx(1, "out of memory");
523 for(i
= 0; i
< etype_str
.num_strings
; i
++) {
524 ret
= krb5_string_to_enctype(context
,
525 etype_str
.strings
[i
],
528 errx(1, "unrecognized enctype: %s", etype_str
.strings
[i
]);
530 krb5_get_init_creds_opt_set_etype_list(opt
, enctype
,
531 etype_str
.num_strings
);
534 if(use_keytab
|| keytab_str
) {
537 ret
= krb5_kt_resolve(context
, keytab_str
, &kt
);
539 ret
= krb5_kt_default(context
, &kt
);
541 krb5_err (context
, 1, ret
, "resolving keytab");
542 ret
= krb5_get_init_creds_keytab (context
,
549 krb5_kt_close(context
, kt
);
550 } else if (pk_user_id
|| ent_user_id
|| anonymous_flag
) {
551 ret
= krb5_get_init_creds_password (context
,
560 } else if (!interactive
) {
561 krb5_warnx(context
, "Not interactive, failed to get initial ticket");
562 krb5_get_init_creds_opt_free(context
, opt
);
566 if (passwd
[0] == '\0') {
569 krb5_unparse_name (context
, principal
, &p
);
570 asprintf (&prompt
, N_("%s's Password: ", ""), p
);
573 if (UI_UTIL_read_pw_string(passwd
, sizeof(passwd
)-1, prompt
, 0)){
574 memset(passwd
, 0, sizeof(passwd
));
581 ret
= krb5_get_init_creds_password (context
,
591 krb5_get_init_creds_opt_free(context
, opt
);
593 if (ntlm_domain
&& passwd
[0])
594 heim_ntlm_nt_key(passwd
, &ntlmkey
);
596 memset(passwd
, 0, sizeof(passwd
));
601 case KRB5_LIBOS_PWDINTR
: /* don't print anything if it was just C-c:ed */
603 case KRB5KRB_AP_ERR_BAD_INTEGRITY
:
604 case KRB5KRB_AP_ERR_MODIFIED
:
605 case KRB5KDC_ERR_PREAUTH_FAILED
:
606 krb5_errx(context
, 1, N_("Password incorrect", ""));
608 case KRB5KRB_AP_ERR_V4_REPLY
:
609 krb5_errx(context
, 1, N_("Looks like a Kerberos 4 reply", ""));
612 krb5_err(context
, 1, ret
, "krb5_get_init_creds");
615 if(ticket_life
!= 0) {
616 if(abs(cred
.times
.endtime
- cred
.times
.starttime
- ticket_life
) > 30) {
618 unparse_time_approx(cred
.times
.endtime
- cred
.times
.starttime
,
620 krb5_warnx(context
, N_("NOTICE: ticket lifetime is %s", ""), life
);
624 if(abs(cred
.times
.renew_till
- cred
.times
.starttime
- renew
) > 30) {
626 unparse_time_approx(cred
.times
.renew_till
- cred
.times
.starttime
,
629 N_("NOTICE: ticket renewable lifetime is %s", ""),
634 ret
= krb5_cc_new_unique(context
, krb5_cc_get_type(context
, ccache
),
637 krb5_err (context
, 1, ret
, "krb5_cc_new_unique");
639 ret
= krb5_cc_initialize (context
, tempccache
, cred
.client
);
641 krb5_err (context
, 1, ret
, "krb5_cc_initialize");
643 ret
= krb5_cc_store_cred (context
, tempccache
, &cred
);
645 krb5_err (context
, 1, ret
, "krb5_cc_store_cred");
647 krb5_free_cred_contents (context
, &cred
);
649 ret
= krb5_cc_move(context
, tempccache
, ccache
);
651 krb5_err (context
, 1, ret
, "krb5_cc_move");
653 if (switch_cache_flags
)
654 krb5_cc_switch(context
, ccache
);
657 if (ntlm_domain
&& ntlmkey
.data
)
658 store_ntlmkey(context
, ccache
, ntlm_domain
, &ntlmkey
);
661 if (ok_as_delegate_flag
|| windows_flag
|| use_referrals_flag
) {
665 if (ok_as_delegate_flag
|| windows_flag
)
667 if (use_referrals_flag
|| windows_flag
)
673 krb5_cc_set_config(context
, ccache
, NULL
, "realm-config", &data
);
684 ticket_lifetime(krb5_context context
, krb5_ccache cache
,
685 krb5_principal client
, const char *server
)
687 krb5_creds in_cred
, *cred
;
691 memset(&in_cred
, 0, sizeof(in_cred
));
693 ret
= krb5_cc_get_principal(context
, cache
, &in_cred
.client
);
695 krb5_warn(context
, ret
, "krb5_cc_get_principal");
698 ret
= get_server(context
, in_cred
.client
, server
, &in_cred
.server
);
700 krb5_free_principal(context
, in_cred
.client
);
701 krb5_warn(context
, ret
, "get_server");
705 ret
= krb5_get_credentials(context
, KRB5_GC_CACHED
,
706 cache
, &in_cred
, &cred
);
707 krb5_free_principal(context
, in_cred
.client
);
708 krb5_free_principal(context
, in_cred
.server
);
710 krb5_warn(context
, ret
, "krb5_get_credentials");
713 timeout
= cred
->times
.endtime
- cred
->times
.starttime
;
716 krb5_free_creds(context
, cred
);
721 krb5_context context
;
723 krb5_principal principal
;
724 krb5_deltat ticket_life
;
728 renew_func(void *ptr
)
730 struct renew_ctx
*ctx
= ptr
;
735 if (renewable_flag
) {
736 ret
= renew_validate(ctx
->context
, renewable_flag
, validate_flag
,
737 ctx
->ccache
, server_str
, ctx
->ticket_life
);
744 get_new_tickets(ctx
->context
, ctx
->principal
,
745 ctx
->ccache
, ctx
->ticket_life
, 0);
747 #ifndef HEIMDAL_SMALLER
748 if(get_v4_tgt
|| convert_524
)
749 do_524init(ctx
->context
, ctx
->ccache
, NULL
, server_str
);
752 if(do_afslog
&& k_hasafs())
753 krb5_afslog(ctx
->context
, ctx
->ccache
, NULL
, NULL
);
756 expire
= ticket_lifetime(ctx
->context
, ctx
->ccache
, ctx
->principal
,
762 main (int argc
, char **argv
)
765 krb5_context context
;
767 krb5_principal principal
;
769 krb5_deltat ticket_life
= 0;
772 setprogname (argv
[0]);
774 setlocale (LC_ALL
, "");
775 bindtextdomain ("heimdal_kuser", HEIMDAL_LOCALEDIR
);
776 textdomain("heimdal_kuser");
778 ret
= krb5_init_context (&context
);
779 if (ret
== KRB5_CONFIG_BADFORMAT
)
780 errx (1, "krb5_init_context failed to parse configuration file");
782 errx(1, "krb5_init_context failed: %d", ret
);
784 if(getarg(args
, sizeof(args
) / sizeof(args
[0]), argc
, argv
, &optidx
))
798 if (canonicalize_flag
|| enterprise_flag
)
799 parseflags
|= KRB5_PRINCIPAL_PARSE_ENTERPRISE
;
801 if (pk_enterprise_flag
) {
802 ret
= _krb5_pk_enterprise_cert(context
, pk_user_id
,
806 krb5_err(context
, 1, ret
, "krb5_pk_enterprise_certs");
810 } else if (anonymous_flag
) {
812 ret
= krb5_make_principal(context
, &principal
, argv
[0],
813 KRB5_WELLKNOWN_NAME
, KRB5_ANON_NAME
,
816 krb5_err(context
, 1, ret
, "krb5_make_principal");
817 krb5_principal_set_type(context
, principal
, KRB5_NT_WELLKNOWN
);
821 ret
= krb5_parse_name_flags (context
, argv
[0], parseflags
,
824 krb5_err (context
, 1, ret
, "krb5_parse_name");
826 ret
= krb5_get_default_principal (context
, &principal
);
828 krb5_err (context
, 1, ret
, "krb5_get_default_principal");
833 krb5_set_fcache_version(context
, fcache_version
);
835 if(renewable_flag
== -1)
836 /* this seems somewhat pointless, but whatever */
837 krb5_appdefault_boolean(context
, "kinit",
838 krb5_principal_get_realm(context
, principal
),
839 "renewable", FALSE
, &renewable_flag
);
840 #ifndef HEIMDAL_SMALLER
842 krb5_appdefault_boolean(context
, "kinit",
843 krb5_principal_get_realm(context
, principal
),
844 "krb4_get_tickets", FALSE
, &get_v4_tgt
);
847 krb5_appdefault_boolean(context
, "kinit",
848 krb5_principal_get_realm(context
, principal
),
849 "afslog", TRUE
, &do_afslog
);
852 ret
= krb5_cc_resolve(context
, cred_cache
, &ccache
);
856 ret
= krb5_cc_new_unique(context
, NULL
, NULL
, &ccache
);
858 krb5_err(context
, 1, ret
, "creating cred cache");
859 snprintf(s
, sizeof(s
), "%s:%s",
860 krb5_cc_get_type(context
, ccache
),
861 krb5_cc_get_name(context
, ccache
));
862 setenv("KRB5CCNAME", s
, 1);
863 #ifndef HEIMDAL_SMALLER
866 if (asprintf(&krb4_cc_name
, "%s_XXXXXX", TKT_ROOT
) < 0)
867 krb5_errx(context
, 1, "out of memory");
868 if((fd
= mkstemp(krb4_cc_name
)) >= 0) {
870 setenv("KRBTKFILE", krb4_cc_name
, 1);
878 ret
= krb5_cc_cache_match(context
, principal
, &ccache
);
880 ret
= krb5_cc_default (context
, &ccache
);
884 krb5_err (context
, 1, ret
, N_("resolving credentials cache", ""));
887 if(argc
> 1 && k_hasafs ())
892 int tmp
= parse_time (lifetime
, "s");
894 errx (1, N_("unparsable time: %s", ""), lifetime
);
899 if(addrs_flag
== 0 && extra_addresses
.num_strings
> 0)
900 krb5_errx(context
, 1,
901 N_("specifying both extra addresses and "
902 "no addresses makes no sense", ""));
905 krb5_addresses addresses
;
906 memset(&addresses
, 0, sizeof(addresses
));
907 for(i
= 0; i
< extra_addresses
.num_strings
; i
++) {
908 ret
= krb5_parse_address(context
, extra_addresses
.strings
[i
],
911 krb5_add_extra_addresses(context
, &addresses
);
912 krb5_free_addresses(context
, &addresses
);
915 free_getarg_strings(&extra_addresses
);
918 if(renew_flag
|| validate_flag
) {
919 ret
= renew_validate(context
, renew_flag
, validate_flag
,
920 ccache
, server_str
, ticket_life
);
924 #ifndef HEIMDAL_SMALLER
927 get_new_tickets(context
, principal
, ccache
, ticket_life
, 1);
929 #ifndef HEIMDAL_SMALLER
930 if(get_v4_tgt
|| convert_524
)
931 do_524init(context
, ccache
, NULL
, server_str
);
934 if(do_afslog
&& k_hasafs())
935 krb5_afslog(context
, ccache
, NULL
, NULL
);
938 struct renew_ctx ctx
;
941 timeout
= ticket_lifetime(context
, ccache
, principal
, server_str
) / 2;
943 ctx
.context
= context
;
945 ctx
.principal
= principal
;
946 ctx
.ticket_life
= ticket_life
;
948 ret
= simple_execvp_timed(argv
[1], argv
+1,
949 renew_func
, &ctx
, timeout
);
950 #define EX_NOEXEC 126
951 #define EX_NOTFOUND 127
953 krb5_warnx(context
, N_("permission denied: %s", ""), argv
[1]);
954 else if(ret
== EX_NOTFOUND
)
955 krb5_warnx(context
, N_("command not found: %s", ""), argv
[1]);
957 krb5_cc_destroy(context
, ccache
);
958 #ifndef HEIMDAL_SMALLER
959 _krb5_krb_dest_tkt(context
, krb4_cc_name
);
966 krb5_cc_close (context
, ccache
);
969 krb5_free_principal(context
, principal
);
970 krb5_free_context (context
);