2 * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "kadm5_locl.h"
35 #include <sys/types.h>
36 #ifdef HAVE_SYS_SOCKET_H
37 #include <sys/socket.h>
39 #ifdef HAVE_NETINET_IN_H
40 #include <netinet/in.h>
49 kadm5_c_lock(void *server_handle
)
55 kadm5_c_unlock(void *server_handle
)
61 set_funcs(kadm5_client_context
*c
)
63 #define SET(C, F) (C)->funcs.F = kadm5 ## _c_ ## F
64 #define SETNOTIMP(C, F) (C)->funcs.F = 0
65 SET(c
, chpass_principal
);
66 SET(c
, chpass_principal_with_key
);
67 SET(c
, create_principal
);
68 SET(c
, delete_principal
);
71 SET(c
, get_principal
);
72 SET(c
, get_principals
);
74 SET(c
, modify_principal
);
75 SET(c
, randkey_principal
);
76 SET(c
, rename_principal
);
79 SETNOTIMP(c
, setkey_principal_3
);
83 _kadm5_c_init_context(kadm5_client_context
**ctx
,
84 kadm5_config_params
*params
,
90 *ctx
= malloc(sizeof(**ctx
));
93 memset(*ctx
, 0, sizeof(**ctx
));
94 krb5_add_et_list (context
, initialize_kadm5_error_table_r
);
96 (*ctx
)->context
= context
;
97 if(params
->mask
& KADM5_CONFIG_REALM
) {
99 (*ctx
)->realm
= strdup(params
->realm
);
100 if ((*ctx
)->realm
== NULL
)
103 ret
= krb5_get_default_realm((*ctx
)->context
, &(*ctx
)->realm
);
108 if(params
->mask
& KADM5_CONFIG_ADMIN_SERVER
)
109 (*ctx
)->admin_server
= strdup(params
->admin_server
);
113 ret
= krb5_get_krb_admin_hst (context
, &(*ctx
)->realm
, &hostlist
);
119 (*ctx
)->admin_server
= strdup(*hostlist
);
120 krb5_free_krbhst (context
, hostlist
);
123 if ((*ctx
)->admin_server
== NULL
) {
128 colon
= strchr ((*ctx
)->admin_server
, ':');
132 (*ctx
)->kadmind_port
= 0;
134 if(params
->mask
& KADM5_CONFIG_KADMIND_PORT
)
135 (*ctx
)->kadmind_port
= params
->kadmind_port
;
136 else if (colon
!= NULL
) {
139 (*ctx
)->kadmind_port
= htons(strtol (colon
, &end
, 0));
141 if ((*ctx
)->kadmind_port
== 0)
142 (*ctx
)->kadmind_port
= krb5_getportbyname (context
, "kerberos-adm",
147 static krb5_error_code
148 get_kadm_ticket(krb5_context context
,
150 krb5_principal client
,
151 const char *server_name
)
156 memset(&in
, 0, sizeof(in
));
158 ret
= krb5_parse_name(context
, server_name
, &in
.server
);
161 ret
= krb5_get_credentials(context
, 0, id
, &in
, &out
);
163 krb5_free_creds(context
, out
);
164 krb5_free_principal(context
, in
.server
);
168 static krb5_error_code
169 get_new_cache(krb5_context context
,
170 krb5_principal client
,
171 const char *password
,
172 krb5_prompter_fct prompter
,
174 const char *server_name
,
175 krb5_ccache
*ret_cache
)
179 krb5_get_init_creds_opt
*opt
;
182 ret
= krb5_get_init_creds_opt_alloc (context
, &opt
);
186 krb5_get_init_creds_opt_set_default_flags(context
, "kadmin",
187 krb5_principal_get_realm(context
,
192 krb5_get_init_creds_opt_set_forwardable (opt
, FALSE
);
193 krb5_get_init_creds_opt_set_proxiable (opt
, FALSE
);
195 if(password
== NULL
&& prompter
== NULL
) {
198 ret
= krb5_kt_default(context
, &kt
);
200 ret
= krb5_kt_resolve(context
, keytab
, &kt
);
202 krb5_get_init_creds_opt_free(context
, opt
);
205 ret
= krb5_get_init_creds_keytab (context
,
212 krb5_kt_close(context
, kt
);
214 ret
= krb5_get_init_creds_password (context
,
224 krb5_get_init_creds_opt_free(context
, opt
);
228 case KRB5_LIBOS_PWDINTR
: /* don't print anything if it was just C-c:ed */
229 case KRB5KRB_AP_ERR_BAD_INTEGRITY
:
230 case KRB5KRB_AP_ERR_MODIFIED
:
231 return KADM5_BAD_PASSWORD
;
235 ret
= krb5_cc_new_unique(context
, krb5_cc_type_memory
, NULL
, &id
);
238 ret
= krb5_cc_initialize (context
, id
, cred
.client
);
241 ret
= krb5_cc_store_cred (context
, id
, &cred
);
244 krb5_free_cred_contents (context
, &cred
);
250 * Check the credential cache `id´ to figure out what principal to use
251 * when talking to the kadmind. If there is a initial kadmin/admin@
252 * credential in the cache, use that client principal. Otherwise, use
253 * the client principals first component and add /admin to the
257 static krb5_error_code
258 get_cache_principal(krb5_context context
,
260 krb5_principal
*client
)
263 const char *name
, *inst
;
264 krb5_principal p1
, p2
;
266 ret
= krb5_cc_default(context
, id
);
272 ret
= krb5_cc_get_principal(context
, *id
, &p1
);
274 krb5_cc_close(context
, *id
);
279 ret
= krb5_make_principal(context
, &p2
, NULL
,
280 "kadmin", "admin", NULL
);
282 krb5_cc_close(context
, *id
);
284 krb5_free_principal(context
, p1
);
290 krb5_kdc_flags flags
;
293 memset(&in
, 0, sizeof(in
));
298 /* check for initial ticket kadmin/admin */
299 ret
= krb5_get_credentials_with_flags(context
, KRB5_GC_CACHED
, flags
,
301 krb5_free_principal(context
, p2
);
303 if (out
->flags
.b
.initial
) {
305 krb5_free_creds(context
, out
);
308 krb5_free_creds(context
, out
);
311 krb5_cc_close(context
, *id
);
314 name
= krb5_principal_get_comp_string(context
, p1
, 0);
315 inst
= krb5_principal_get_comp_string(context
, p1
, 1);
316 if(inst
== NULL
|| strcmp(inst
, "admin") != 0) {
317 ret
= krb5_make_principal(context
, &p2
, NULL
, name
, "admin", NULL
);
318 krb5_free_principal(context
, p1
);
332 _kadm5_c_get_cred_cache(krb5_context context
,
333 const char *client_name
,
334 const char *server_name
,
335 const char *password
,
336 krb5_prompter_fct prompter
,
339 krb5_ccache
*ret_cache
)
342 krb5_ccache id
= NULL
;
343 krb5_principal default_client
= NULL
, client
= NULL
;
345 /* treat empty password as NULL */
346 if(password
&& *password
== '\0')
348 if(server_name
== NULL
)
349 server_name
= KADM5_ADMIN_SERVICE
;
351 if(client_name
!= NULL
) {
352 ret
= krb5_parse_name(context
, client_name
, &client
);
359 ret
= krb5_cc_get_principal(context
, id
, &client
);
363 /* get principal from default cache, ok if this doesn't work */
365 ret
= get_cache_principal(context
, &id
, &default_client
);
368 * No client was specified by the caller and we cannot
369 * determine the client from a credentials cache.
373 user
= get_default_username ();
376 krb5_set_error_message(context
, KADM5_FAILURE
, "Unable to find local user name");
377 return KADM5_FAILURE
;
379 ret
= krb5_make_principal(context
, &default_client
,
380 NULL
, user
, "admin", NULL
);
388 * No client was specified by the caller, but we have a client
389 * from the default credentials cache.
391 if (client
== NULL
&& default_client
!= NULL
)
392 client
= default_client
;
395 if(id
&& client
&& (default_client
== NULL
||
396 krb5_principal_compare(context
, client
, default_client
) != 0)) {
397 ret
= get_kadm_ticket(context
, id
, client
, server_name
);
400 krb5_free_principal(context
, default_client
);
401 if (default_client
!= client
)
402 krb5_free_principal(context
, client
);
406 /* couldn't get ticket from cache */
409 /* get creds via AS request */
410 if(id
&& (id
!= ccache
))
411 krb5_cc_close(context
, id
);
412 if (client
!= default_client
)
413 krb5_free_principal(context
, default_client
);
415 ret
= get_new_cache(context
, client
, password
, prompter
, keytab
,
416 server_name
, ret_cache
);
417 krb5_free_principal(context
, client
);
422 kadm_connect(kadm5_client_context
*ctx
)
425 krb5_principal server
;
427 rk_socket_t s
= rk_INVALID_SOCKET
;
428 struct addrinfo
*ai
, *a
;
429 struct addrinfo hints
;
431 char portstr
[NI_MAXSERV
];
432 char *hostname
, *slash
;
434 krb5_context context
= ctx
->context
;
436 memset (&hints
, 0, sizeof(hints
));
437 hints
.ai_socktype
= SOCK_STREAM
;
438 hints
.ai_protocol
= IPPROTO_TCP
;
440 snprintf (portstr
, sizeof(portstr
), "%u", ntohs(ctx
->kadmind_port
));
442 hostname
= ctx
->admin_server
;
443 slash
= strchr (hostname
, '/');
445 hostname
= slash
+ 1;
447 error
= getaddrinfo (hostname
, portstr
, &hints
, &ai
);
449 krb5_clear_error_message(context
);
450 return KADM5_BAD_SERVER_NAME
;
453 for (a
= ai
; a
!= NULL
; a
= a
->ai_next
) {
454 s
= socket (a
->ai_family
, a
->ai_socktype
, a
->ai_protocol
);
457 if (connect (s
, a
->ai_addr
, a
->ai_addrlen
) < 0) {
458 krb5_clear_error_message(context
);
459 krb5_warn (context
, errno
, "connect(%s)", hostname
);
467 krb5_clear_error_message(context
);
468 krb5_warnx (context
, "failed to contact %s", hostname
);
469 return KADM5_FAILURE
;
471 ret
= _kadm5_c_get_cred_cache(context
,
474 NULL
, ctx
->prompter
, ctx
->keytab
,
484 error
= asprintf(&service_name
, "%s@%s", KADM5_ADMIN_SERVICE
,
487 error
= asprintf(&service_name
, "%s", KADM5_ADMIN_SERVICE
);
489 if (error
== -1 || service_name
== NULL
) {
492 krb5_clear_error_message(context
);
496 ret
= krb5_parse_name(context
, service_name
, &server
);
500 if(ctx
->ccache
== NULL
)
501 krb5_cc_close(context
, cc
);
507 ret
= krb5_sendauth(context
, &ctx
->ac
, &s
,
508 KADMIN_APPL_VERSION
, NULL
,
509 server
, AP_OPTS_MUTUAL_REQUIRED
,
510 NULL
, NULL
, cc
, NULL
, NULL
, NULL
);
513 kadm5_config_params p
;
514 memset(&p
, 0, sizeof(p
));
516 p
.mask
|= KADM5_CONFIG_REALM
;
517 p
.realm
= ctx
->realm
;
519 ret
= _kadm5_marshal_params(context
, &p
, ¶ms
);
521 ret
= krb5_write_priv_message(context
, ctx
->ac
, &s
, ¶ms
);
522 krb5_data_free(¶ms
);
526 if(ctx
->ccache
== NULL
)
527 krb5_cc_close(context
, cc
);
530 } else if(ret
== KRB5_SENDAUTH_BADAPPLVERS
) {
533 s
= socket (a
->ai_family
, a
->ai_socktype
, a
->ai_protocol
);
536 krb5_clear_error_message(context
);
539 if (connect (s
, a
->ai_addr
, a
->ai_addrlen
) < 0) {
542 krb5_clear_error_message(context
);
545 ret
= krb5_sendauth(context
, &ctx
->ac
, &s
,
546 KADMIN_OLD_APPL_VERSION
, NULL
,
547 server
, AP_OPTS_MUTUAL_REQUIRED
,
548 NULL
, NULL
, cc
, NULL
, NULL
, NULL
);
556 krb5_free_principal(context
, server
);
557 if(ctx
->ccache
== NULL
)
558 krb5_cc_close(context
, cc
);
565 _kadm5_connect(void *handle
)
567 kadm5_client_context
*ctx
= handle
;
569 return kadm_connect(ctx
);
574 kadm5_c_init_with_context(krb5_context context
,
575 const char *client_name
,
576 const char *password
,
577 krb5_prompter_fct prompter
,
580 const char *service_name
,
581 kadm5_config_params
*realm_params
,
582 unsigned long struct_version
,
583 unsigned long api_version
,
584 void **server_handle
)
587 kadm5_client_context
*ctx
;
590 ret
= _kadm5_c_init_context(&ctx
, realm_params
, context
);
594 if(password
!= NULL
&& *password
!= '\0') {
595 ret
= _kadm5_c_get_cred_cache(context
,
598 password
, prompter
, keytab
, ccache
, &cc
);
600 return ret
; /* XXX */
605 if (client_name
!= NULL
)
606 ctx
->client_name
= strdup(client_name
);
608 ctx
->client_name
= NULL
;
609 if (service_name
!= NULL
)
610 ctx
->service_name
= strdup(service_name
);
612 ctx
->service_name
= NULL
;
613 ctx
->prompter
= prompter
;
614 ctx
->keytab
= keytab
;
615 ctx
->ccache
= ccache
;
616 /* maybe we should copy the params here */
619 *server_handle
= ctx
;
624 init_context(const char *client_name
,
625 const char *password
,
626 krb5_prompter_fct prompter
,
629 const char *service_name
,
630 kadm5_config_params
*realm_params
,
631 unsigned long struct_version
,
632 unsigned long api_version
,
633 void **server_handle
)
635 krb5_context context
;
637 kadm5_server_context
*ctx
;
639 ret
= krb5_init_context(&context
);
642 ret
= kadm5_c_init_with_context(context
,
654 krb5_free_context(context
);
657 ctx
= *server_handle
;
663 kadm5_c_init_with_password_ctx(krb5_context context
,
664 const char *client_name
,
665 const char *password
,
666 const char *service_name
,
667 kadm5_config_params
*realm_params
,
668 unsigned long struct_version
,
669 unsigned long api_version
,
670 void **server_handle
)
672 return kadm5_c_init_with_context(context
,
686 kadm5_c_init_with_password(const char *client_name
,
687 const char *password
,
688 const char *service_name
,
689 kadm5_config_params
*realm_params
,
690 unsigned long struct_version
,
691 unsigned long api_version
,
692 void **server_handle
)
694 return init_context(client_name
,
707 kadm5_c_init_with_skey_ctx(krb5_context context
,
708 const char *client_name
,
710 const char *service_name
,
711 kadm5_config_params
*realm_params
,
712 unsigned long struct_version
,
713 unsigned long api_version
,
714 void **server_handle
)
716 return kadm5_c_init_with_context(context
,
731 kadm5_c_init_with_skey(const char *client_name
,
733 const char *service_name
,
734 kadm5_config_params
*realm_params
,
735 unsigned long struct_version
,
736 unsigned long api_version
,
737 void **server_handle
)
739 return init_context(client_name
,
752 kadm5_c_init_with_creds_ctx(krb5_context context
,
753 const char *client_name
,
755 const char *service_name
,
756 kadm5_config_params
*realm_params
,
757 unsigned long struct_version
,
758 unsigned long api_version
,
759 void **server_handle
)
761 return kadm5_c_init_with_context(context
,
775 kadm5_c_init_with_creds(const char *client_name
,
777 const char *service_name
,
778 kadm5_config_params
*realm_params
,
779 unsigned long struct_version
,
780 unsigned long api_version
,
781 void **server_handle
)
783 return init_context(client_name
,
797 kadm5_init(char *client_name
, char *pass
,
799 kadm5_config_params
*realm_params
,
800 unsigned long struct_version
,
801 unsigned long api_version
,
802 void **server_handle
)