Propagate modprinc -unlock from master to slave KDCs

Create a new tl-data type to hold the time of the last administrative
unlock, and factor it into decisions about account lockout.  Since
tl-data values are propagated from master to slave, this will cause
modprinc -unlock operations to reach slave KDCs on the next
propagation.

ticket: 6795

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24424 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 52 insertions, 26 deletions

diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
index 9e5bc44796..ff6eeca6b7 100644
--- a/src/kadmin/cli/kadmin.c
+++ b/src/kadmin/cli/kadmin.c
@@ -815,6 +815,55 @@ kadmin_free_tl_data(kadm5_principal_ent_t princ)
     }
 }
 
+/* Construct a tl_data element and add it to the tail of princ->tl_data. */
+static void
+add_tl_data(kadm5_principal_ent_t princ, krb5_int16 tl_type, krb5_ui_2 len,
+            krb5_octet *contents)
+{
+    krb5_tl_data *tl_data, **tlp;
+    krb5_octet *copy;
+
+    copy = malloc(len);
+    tl_data = calloc(1, sizeof(*tl_data));
+    if (copy == NULL || tl_data == NULL) {
+        fprintf(stderr, "Not enough memory\n");
+        exit(1);
+    }
+    memcpy(copy, contents, len);
+
+    tl_data->tl_data_type = tl_type;
+    tl_data->tl_data_length = len;
+    tl_data->tl_data_contents = copy;
+    tl_data->tl_data_next = NULL;
+
+    for (tlp = &princ->tl_data; *tlp != NULL; tlp = &(*tlp)->tl_data_next);
+    *tlp = tl_data;
+    princ->n_tl_data++;
+}
+
+static void
+unlock_princ(kadm5_principal_ent_t princ, long *mask, const char *caller)
+{
+    krb5_error_code retval;
+    krb5_timestamp now;
+    krb5_octet timebuf[4];
+
+    /* Zero out the failed auth count. */
+    princ->fail_auth_count = 0;
+    *mask |= KADM5_FAIL_AUTH_COUNT;
+
+    /* Record the timestamp of this unlock operation so that slave KDCs will
+     * see it, since fail_auth_count is unreplicated. */
+    retval = krb5_timeofday(context, &now);
+    if (retval) {
+        com_err(caller, retval, "while getting time");
+        exit(1);
+    }
+    store_32_le((krb5_int32)now, timebuf);
+    add_tl_data(princ, KRB5_TL_LAST_ADMIN_UNLOCK, 4, timebuf);
+    *mask |= KADM5_TL_DATA;
+}
+
 /*
  * Parse addprinc or modprinc arguments.  Some output fields may be
  * filled in on error.
@@ -834,7 +883,6 @@ kadmin_parse_princ_args(int argc, char *argv[], kadm5_principal_ent_t oprinc,
     time_t date;
     time_t now;
     krb5_error_code retval;
-    krb5_tl_data *tl_data, *tail = NULL;
 
     *mask = 0;
     *pass = NULL;
@@ -851,29 +899,8 @@ kadmin_parse_princ_args(int argc, char *argv[], kadm5_principal_ent_t oprinc,
             if (++i > argc - 2)
                 return -1;
 
-            tl_data = malloc(sizeof(krb5_tl_data));
-            if (tl_data == NULL) {
-                fprintf(stderr, "Not enough memory\n");
-                exit(1);
-            }
-
-            memset(tl_data, 0, sizeof(krb5_tl_data));
-            tl_data->tl_data_type = KRB5_TL_DB_ARGS;
-            tl_data->tl_data_length = strlen(argv[i])+1;
-            tl_data->tl_data_contents = (krb5_octet *) strdup(argv[i]);
-
-            if (tail) {
-                tail->tl_data_next = tl_data;
-            } else {
-                oprinc->tl_data = tl_data;
-            }
-            tail = tl_data;
-            oprinc->n_tl_data++;
-
-            if (tl_data->tl_data_contents == NULL) {
-                fprintf(stderr, "Not enough memory\n");
-                exit(1);
-            }
+            add_tl_data(oprinc, KRB5_TL_DB_ARGS, strlen(argv[i]) + 1,
+                        (krb5_octet *)argv[i]);
             *mask |= KADM5_TL_DATA;
             continue;
         }
@@ -983,8 +1010,7 @@ kadmin_parse_princ_args(int argc, char *argv[], kadm5_principal_ent_t oprinc,
         }
 #endif /* APPLE_PKINIT */
         if (strlen(argv[i]) == 7 && !strcmp("-unlock", argv[i])) {
-            oprinc->fail_auth_count = 0;
-            *mask |= KADM5_FAIL_AUTH_COUNT;
+            unlock_princ(oprinc, mask, caller);
             continue;
         }
         if (!strcmp("-e", argv[i])) {