diff options
| author | Greg Hudson <ghudson@mit.edu> | 2013-01-08 15:20:45 -0500 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2013-01-09 15:35:43 -0500 |
| commit | 0780e46fc13dbafa177525164997cd204cc50b51 (patch) | |
| tree | eacb2400a78bfab43bbc95cb8ab3055498da881b /src | |
| parent | 090f561c631db7e4970b71cbe1426d636c39c77a (diff) | |
| download | krb5-0780e46fc13dbafa177525164997cd204cc50b51.tar.gz krb5-0780e46fc13dbafa177525164997cd204cc50b51.tar.xz krb5-0780e46fc13dbafa177525164997cd204cc50b51.zip | |
Allow principals to refer to nonexistent policies
Stop using and maintaining the policy_refcnt field, and do not try to
prevent deletion of a policy which is still referenced by principals.
Instead, allow principals to refer to policy names which do not exist
as policy objects; treat those principals as having no associated
policy.
In the kadmin client, warn if addprinc or modprinc tries to reference
a policy which doesn't exist, since the server will no longer error
out in this case.
ticket: 7385
Diffstat (limited to 'src')
| -rw-r--r-- | src/include/kdb.h | 2 | ||||
| -rw-r--r-- | src/kadmin/cli/kadmin.c | 49 | ||||
| -rw-r--r-- | src/kadmin/dbutil/dump.c | 29 | ||||
| -rw-r--r-- | src/lib/kadm5/admin.h | 2 | ||||
| -rw-r--r-- | src/lib/kadm5/srv/svr_policy.c | 11 | ||||
| -rw-r--r-- | src/lib/kadm5/srv/svr_principal.c | 229 | ||||
| -rw-r--r-- | src/lib/kadm5/unit-test/api.current/crte-principal.exp | 4 | ||||
| -rw-r--r-- | src/lib/kadm5/unit-test/api.current/dlte-policy.exp | 5 | ||||
| -rw-r--r-- | src/lib/kadm5/unit-test/api.current/dlte-principal.exp | 76 | ||||
| -rw-r--r-- | src/lib/kadm5/unit-test/api.current/mod-principal.exp | 369 | ||||
| -rw-r--r-- | src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c | 7 | ||||
| -rw-r--r-- | src/tests/dejagnu/krb-standalone/kadmin.exp | 3 | ||||
| -rw-r--r-- | src/tests/kdbtest.c | 3 |
13 files changed, 125 insertions, 664 deletions
diff --git a/src/include/kdb.h b/src/include/kdb.h index 1bfb5d0457..78d78c55cd 100644 --- a/src/include/kdb.h +++ b/src/include/kdb.h @@ -215,7 +215,7 @@ typedef struct _osa_policy_ent_t { krb5_ui_4 pw_min_length; krb5_ui_4 pw_min_classes; krb5_ui_4 pw_history_num; - krb5_ui_4 policy_refcnt; + krb5_ui_4 policy_refcnt; /* no longer used */ /* Only valid if version > 1 */ krb5_ui_4 pw_max_fail; /* pwdMaxFailure */ krb5_ui_4 pw_failcnt_interval; /* pwdFailureCountInterval */ diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c index 649bbc17e4..151f3165a9 100644 --- a/src/kadmin/cli/kadmin.c +++ b/src/kadmin/cli/kadmin.c @@ -232,6 +232,17 @@ randkey_princ(krb5_principal princ, krb5_boolean keepold, int n_ks, return kadm5_randkey_principal(handle, princ, NULL, NULL); } +static krb5_boolean +policy_exists(const char *name) +{ + kadm5_policy_ent_rec pol; + + if (kadm5_get_policy(handle, (char *)name, &pol) != 0) + return FALSE; + kadm5_free_policy_ent(handle, &pol); + return TRUE; +} + char * kadmin_startup(int argc, char *argv[]) { @@ -1158,7 +1169,6 @@ void kadmin_addprinc(int argc, char *argv[]) { kadm5_principal_ent_rec princ; - kadm5_policy_ent_rec defpol; long mask; krb5_boolean randkey = FALSE, old_style_randkey = FALSE; int n_ks_tuple; @@ -1184,23 +1194,24 @@ kadmin_addprinc(int argc, char *argv[]) goto cleanup; } - /* - * If -policy was not specified, and -clearpolicy was not - * specified, and the policy "default" exists, assign it. If - * -clearpolicy was specified, then KADM5_POLICY_CLR should be - * unset, since it is never valid for kadm5_create_principal. - */ - if (!(mask & KADM5_POLICY) && !(mask & KADM5_POLICY_CLR)) { - if (!kadm5_get_policy(handle, "default", &defpol)) { + if (mask & KADM5_POLICY) { + /* Warn if the specified policy does not exist. */ + if (!policy_exists(princ.policy)) { + fprintf(stderr, _("WARNING: policy \"%s\" does not exist\n"), + princ.policy); + } + } else if (!(mask & KADM5_POLICY_CLR)) { + /* If the policy "default" exists, assign it. */ + if (policy_exists("default")) { fprintf(stderr, _("NOTICE: no policy specified for %s; " "assigning \"default\"\n"), canon); princ.policy = "default"; mask |= KADM5_POLICY; - kadm5_free_policy_ent(handle, &defpol); } else fprintf(stderr, _("WARNING: no policy specified for %s; " "defaulting to no policy\n"), canon); } + /* Don't send KADM5_POLICY_CLR to the server. */ mask &= ~KADM5_POLICY_CLR; if (randkey) { @@ -1312,6 +1323,13 @@ kadmin_modprinc(int argc, char *argv[]) kadmin_modprinc_usage(); goto cleanup; } + if (mask & KADM5_POLICY) { + /* Warn if the specified policy does not exist. */ + if (!policy_exists(princ.policy)) { + fprintf(stderr, _("WARNING: policy \"%s\" does not exist\n"), + princ.policy); + } + } if (mask) { /* Skip this if all we're doing is setting certhash. */ retval = kadm5_modify_principal(handle, &princ, mask); @@ -1336,6 +1354,7 @@ kadmin_getprinc(int argc, char *argv[]) kadm5_principal_ent_rec dprinc; krb5_principal princ = NULL; krb5_error_code retval; + const char *polname, *noexist; char *canon = NULL, *princstr = NULL, *modprincstr = NULL; int i; size_t j; @@ -1422,7 +1441,10 @@ kadmin_getprinc(int argc, char *argv[]) printf(" %s", prflags[j]); } printf("\n"); - printf(_("Policy: %s\n"), dprinc.policy ? dprinc.policy : _("[none]")); + polname = (dprinc.policy != NULL) ? dprinc.policy : _("[none]"); + noexist = (dprinc.policy != NULL && !policy_exists(dprinc.policy)) ? + _(" [does not exist]") : ""; + printf(_("Policy: %s%s\n"), polname, noexist); } else { printf("\"%s\"\t%d\t%d\t%d\t%d\t\"%s\"\t%d\t%d\t%d\t%d\t\"%s\"" "\t%d\t%d\t%d\t%d\t%d", @@ -1699,7 +1721,6 @@ kadmin_getpol(int argc, char *argv[]) printf(_("Minimum number of password character classes: %ld\n"), policy.pw_min_classes); printf(_("Number of old keys kept: %ld\n"), policy.pw_history_num); - printf(_("Reference count: %ld\n"), policy.policy_refcnt); printf(_("Maximum password failures before lockout: %lu\n"), (unsigned long)policy.pw_max_fail); printf(_("Password failure count reset interval: %s\n"), @@ -1709,11 +1730,11 @@ kadmin_getpol(int argc, char *argv[]) if (policy.allowed_keysalts != NULL) printf(_("Allowed key/salt types: %s\n"), policy.allowed_keysalts); } else { + /* Output 0 where we used to output policy_refcnt. */ printf("\"%s\"\t%ld\t%ld\t%ld\t%ld\t%ld\t%ld\t%lu\t%ld\t%ld\t%s\n", policy.policy, policy.pw_max_life, policy.pw_min_life, policy.pw_min_length, policy.pw_min_classes, - policy.pw_history_num, policy.policy_refcnt, - (unsigned long)policy.pw_max_fail, + policy.pw_history_num, 0, (unsigned long)policy.pw_max_fail, (long)policy.pw_failcnt_interval, (long)policy.pw_lockout_duration, (policy.allowed_keysalts == NULL) ? "-" : diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c index 7b515bd702..af10c9cd49 100644 --- a/src/kadmin/dbutil/dump.c +++ b/src/kadmin/dbutil/dump.c @@ -1112,8 +1112,7 @@ void dump_k5beta7_policy(void *data, osa_policy_ent_t entry) arg = (struct dump_args *) data; fprintf(arg->ofile, "policy\t%s\t%d\t%d\t%d\t%d\t%d\t%d\n", entry->name, entry->pw_min_life, entry->pw_max_life, entry->pw_min_length, - entry->pw_min_classes, entry->pw_history_num, - entry->policy_refcnt); + entry->pw_min_classes, entry->pw_history_num, 0); } void dump_r1_8_policy(void *data, osa_policy_ent_t entry) @@ -1124,9 +1123,9 @@ void dump_r1_8_policy(void *data, osa_policy_ent_t entry) fprintf(arg->ofile, "policy\t%s\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\n", entry->name, entry->pw_min_life, entry->pw_max_life, entry->pw_min_length, - entry->pw_min_classes, entry->pw_history_num, - entry->policy_refcnt, entry->pw_max_fail, - entry->pw_failcnt_interval, entry->pw_lockout_duration); + entry->pw_min_classes, entry->pw_history_num, 0, + entry->pw_max_fail, entry->pw_failcnt_interval, + entry->pw_lockout_duration); } void @@ -1140,10 +1139,10 @@ dump_r1_11_policy(void *data, osa_policy_ent_t entry) "%d\t%d\t%d\t%s\t%d", entry->name, entry->pw_min_life, entry->pw_max_life, entry->pw_min_length, - entry->pw_min_classes, entry->pw_history_num, - entry->policy_refcnt, entry->pw_max_fail, - entry->pw_failcnt_interval, entry->pw_lockout_duration, - entry->attributes, entry->max_life, entry->max_renewable_life, + entry->pw_min_classes, entry->pw_history_num, 0, + entry->pw_max_fail, entry->pw_failcnt_interval, + entry->pw_lockout_duration, entry->attributes, entry->max_life, + entry->max_renewable_life, entry->allowed_keysalts ? entry->allowed_keysalts : "-", entry->n_tl_data); @@ -2301,7 +2300,7 @@ process_k5beta7_policy(fname, kcontext, filep, flags, linenop) { osa_policy_ent_rec rec; char namebuf[1024]; - int nread, ret; + int nread, refcnt, ret; memset(&rec, 0, sizeof(rec)); @@ -2311,7 +2310,7 @@ process_k5beta7_policy(fname, kcontext, filep, flags, linenop) nread = fscanf(filep, "%1023s\t%d\t%d\t%d\t%d\t%d\t%d", rec.name, &rec.pw_min_life, &rec.pw_max_life, &rec.pw_min_length, &rec.pw_min_classes, - &rec.pw_history_num, &rec.policy_refcnt); + &rec.pw_history_num, &refcnt); if (nread == EOF) return -1; else if (nread != 7) { @@ -2344,7 +2343,7 @@ process_r1_8_policy(fname, kcontext, filep, flags, linenop) { osa_policy_ent_rec rec; char namebuf[1024]; - int nread, ret; + int nread, refcnt, ret; memset(&rec, 0, sizeof(rec)); @@ -2355,7 +2354,7 @@ process_r1_8_policy(fname, kcontext, filep, flags, linenop) rec.name, &rec.pw_min_life, &rec.pw_max_life, &rec.pw_min_length, &rec.pw_min_classes, - &rec.pw_history_num, &rec.policy_refcnt, + &rec.pw_history_num, &refcnt, &rec.pw_max_fail, &rec.pw_failcnt_interval, &rec.pw_lockout_duration); if (nread == EOF) @@ -2388,7 +2387,7 @@ process_r1_11_policy(char *fname, krb5_context kcontext, FILE *filep, krb5_tl_data *tl, *tl_next; char namebuf[1024]; char keysaltbuf[KRB5_KDB_MAX_ALLOWED_KS_LEN + 1]; - int nread; + int nread, refcnt; int ret = 0; const char *try2read = NULL; @@ -2406,7 +2405,7 @@ process_r1_11_policy(char *fname, krb5_context kcontext, FILE *filep, rec.name, &rec.pw_min_life, &rec.pw_max_life, &rec.pw_min_length, &rec.pw_min_classes, - &rec.pw_history_num, &rec.policy_refcnt, + &rec.pw_history_num, &refcnt, &rec.pw_max_fail, &rec.pw_failcnt_interval, &rec.pw_lockout_duration, &rec.attributes, &rec.max_life, &rec.max_renewable_life, diff --git a/src/lib/kadm5/admin.h b/src/lib/kadm5/admin.h index 9260cb5761..6c2efbcf4a 100644 --- a/src/lib/kadm5/admin.h +++ b/src/lib/kadm5/admin.h @@ -219,7 +219,7 @@ typedef struct _kadm5_policy_ent_t { long pw_min_length; long pw_min_classes; long pw_history_num; - long policy_refcnt; + long policy_refcnt; /* no longer used */ /* version 3 fields */ krb5_kvno pw_max_fail; diff --git a/src/lib/kadm5/srv/svr_policy.c b/src/lib/kadm5/srv/svr_policy.c index 0d79f86dce..69d2fea78d 100644 --- a/src/lib/kadm5/srv/svr_policy.c +++ b/src/lib/kadm5/srv/svr_policy.c @@ -158,10 +158,6 @@ kadm5_create_policy_internal(void *server_handle, else pent.pw_history_num = entry->pw_history_num; } - if (!(mask & KADM5_REF_COUNT)) - pent.policy_refcnt = 0; - else - pent.policy_refcnt = entry->policy_refcnt; if (handle->api_version >= KADM5_API_VERSION_4) { if (!(mask & KADM5_POLICY_ATTRIBUTES)) @@ -230,10 +226,6 @@ kadm5_delete_policy(void *server_handle, kadm5_policy_t name) else if (ret) return ret; - if(entry->policy_refcnt != 0) { - krb5_db_free_policy(handle->context, entry); - return KADM5_POLICY_REF; - } krb5_db_free_policy(handle->context, entry); ret = krb5_db_delete_policy(handle->context, name); if (ret == KRB5_KDB_POLICY_REF) @@ -368,8 +360,6 @@ kadm5_modify_policy_internal(void *server_handle, } p->pw_history_num = entry->pw_history_num; } - if ((mask & KADM5_REF_COUNT)) - p->policy_refcnt = entry->policy_refcnt; if (handle->api_version >= KADM5_API_VERSION_3) { if ((mask & KADM5_PW_MAX_FAILURE)) p->pw_max_fail = entry->pw_max_fail; @@ -448,7 +438,6 @@ kadm5_get_policy(void *server_handle, kadm5_policy_t name, entry->pw_min_length = t->pw_min_length; entry->pw_min_classes = t->pw_min_classes; entry->pw_history_num = t->pw_history_num; - entry->policy_refcnt = t->policy_refcnt; if (handle->api_version >= KADM5_API_VERSION_3) { entry->pw_max_fail = t->pw_max_fail; entry->pw_failcnt_interval = t->pw_failcnt_interval; diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c index ae36841a78..2000fe441c 100644 --- a/src/lib/kadm5/srv/svr_principal.c +++ b/src/lib/kadm5/srv/svr_principal.c @@ -188,6 +188,23 @@ ks_tuple_present(int n_ks_tuple, krb5_key_salt_tuple *ks_tuple, return FALSE; } +/* Fetch a policy if it exists; set *have_pol_out appropriately. Return + * success whether or not the policy exists. */ +static kadm5_ret_t +get_policy(kadm5_server_handle_t handle, const char *name, + kadm5_policy_ent_t policy_out, krb5_boolean *have_pol_out) +{ + kadm5_ret_t ret; + + *have_pol_out = FALSE; + if (name == NULL) + return 0; + ret = kadm5_get_policy(handle->lhandle, (char *)name, policy_out); + if (ret == 0) + *have_pol_out = TRUE; + return (ret == KADM5_UNK_POLICY) ? 0 : ret; +} + /* * Apply the -allowedkeysalts policy (see kadmin(1)'s addpol/modpol * commands). We use the allowed key/salt tuple list as a default if @@ -202,6 +219,7 @@ apply_keysalt_policy(kadm5_server_handle_t handle, const char *policy, { kadm5_ret_t ret; kadm5_policy_ent_rec polent; + krb5_boolean have_polent; int ak_n_ks_tuple = 0; int new_n_ks_tuple = 0; krb5_key_salt_tuple *ak_ks_tuple = NULL; @@ -215,14 +233,9 @@ apply_keysalt_policy(kadm5_server_handle_t handle, const char *policy, } memset(&polent, 0, sizeof(polent)); - if (policy != NULL && - (ret = kadm5_get_policy(handle->lhandle, (char *)policy, - &polent)) != KADM5_OK) { - if (ret == EINVAL) - ret = KADM5_BAD_POLICY; - if (ret) - goto cleanup; - } + ret = get_policy(handle, policy, &polent, &have_polent); + if (ret) + goto cleanup; if (polent.allowed_keysalts == NULL) { /* Requested keysalts allowed or default to supported_enctypes. */ @@ -292,7 +305,8 @@ apply_keysalt_policy(kadm5_server_handle_t handle, const char *policy, ret = 0; cleanup: - kadm5_free_policy_ent(handle->lhandle, &polent); + if (have_polent) + kadm5_free_policy_ent(handle->lhandle, &polent); free(ak_ks_tuple); if (new_n_kstp != NULL) { @@ -407,14 +421,9 @@ kadm5_create_principal_3(void *server_handle, * If we can not find the one specified return an error */ if ((mask & KADM5_POLICY)) { - if ((ret = kadm5_get_policy(handle->lhandle, entry->policy, - &polent)) != KADM5_OK) { - if (ret == EINVAL) - ret = KADM5_BAD_POLICY; - if (ret) - goto cleanup; - } - have_polent = TRUE; + ret = get_policy(handle, entry->policy, &polent, &have_polent); + if (ret) + goto cleanup; } if (password) { ret = passwd_check(handle, password, have_polent ? &polent : NULL, @@ -538,7 +547,7 @@ kadm5_create_principal_3(void *server_handle, single tl_data record, */ adb.admin_history_kvno = INITIAL_HIST_KVNO; - if (have_polent) { + if (mask & KADM5_POLICY) { adb.aux_attributes = KADM5_POLICY; /* this does *not* need to be strdup'ed, because adb is xdr */ @@ -547,37 +556,12 @@ kadm5_create_principal_3(void *server_handle, adb.policy = entry->policy; } - /* increment the policy ref count, if any */ - - if (have_polent) { - polent.policy_refcnt++; - if ((ret = kadm5_modify_policy_internal(handle->lhandle, &polent, - KADM5_REF_COUNT)) - != KADM5_OK) - goto cleanup; - } - /* In all cases key and the principal data is set, let the database provider know */ kdb->mask = mask | KADM5_KEY_DATA | KADM5_PRINCIPAL ; /* store the new db entry */ ret = kdb_put_entry(handle, kdb, &adb); - - if (ret) { - if (have_polent) { - /* decrement the policy ref count */ - - polent.policy_refcnt--; - /* - * if this fails, there's nothing we can do anyway. the - * policy refcount wil be too high. - */ - (void) kadm5_modify_policy_internal(handle->lhandle, &polent, - KADM5_REF_COUNT); - } - } - (void) k5_kadm5_hook_create(handle->context, handle->hook_handles, KADM5_HOOK_STAGE_POSTCOMMIT, entry, mask, new_n_ks_tuple, new_ks_tuple, password); @@ -595,7 +579,6 @@ kadm5_ret_t kadm5_delete_principal(void *server_handle, krb5_principal principal) { unsigned int ret; - kadm5_policy_ent_rec polent; krb5_db_entry *kdb; osa_princ_ent_rec adb; kadm5_server_handle_t handle = server_handle; @@ -616,25 +599,6 @@ kadm5_delete_principal(void *server_handle, krb5_principal principal) return ret; } - if ((adb.aux_attributes & KADM5_POLICY)) { - if ((ret = kadm5_get_policy(handle->lhandle, - adb.policy, &polent)) - == KADM5_OK) { - polent.policy_refcnt--; - if ((ret = kadm5_modify_policy_internal(handle->lhandle, &polent, - KADM5_REF_COUNT)) - != KADM5_OK) { - (void) kadm5_free_policy_ent(handle->lhandle, &polent); - kdb_free_entry(handle, kdb, &adb); - return(ret); - } - } - if ((ret = kadm5_free_policy_ent(handle->lhandle, &polent))) { - kdb_free_entry(handle, kdb, &adb); - return ret; - } - } - ret = kdb_delete_entry(handle, principal); kdb_free_entry(handle, kdb, &adb); @@ -652,8 +616,8 @@ kadm5_modify_principal(void *server_handle, kadm5_principal_ent_t entry, long mask) { int ret, ret2, i; - kadm5_policy_ent_rec npol, opol; - int have_npol = 0, have_opol = 0; + kadm5_policy_ent_rec pol; + krb5_boolean have_pol = FALSE; krb5_db_entry *kdb; krb5_tl_data *tl_data_orig; osa_princ_ent_rec adb; @@ -693,99 +657,36 @@ kadm5_modify_principal(void *server_handle, */ if ((mask & KADM5_POLICY)) { - /* get the new policy */ - ret = kadm5_get_policy(handle->lhandle, entry->policy, &npol); - if (ret) { - switch (ret) { - case EINVAL: - ret = KADM5_BAD_POLICY; - break; - case KADM5_UNK_POLICY: - case KADM5_BAD_POLICY: - ret = KADM5_UNK_POLICY; - break; - } + ret = get_policy(handle, entry->policy, &pol, &have_pol); + if (ret) goto done; - } - have_npol = 1; - - /* if we already have a policy, get it to decrement the refcnt */ - if(adb.aux_attributes & KADM5_POLICY) { - /* ... but not if the old and new are the same */ - if(strcmp(adb.policy, entry->policy)) { - ret = kadm5_get_policy(handle->lhandle, - adb.policy, &opol); - switch(ret) { - case EINVAL: - case KADM5_BAD_POLICY: - case KADM5_UNK_POLICY: - break; - case KADM5_OK: - have_opol = 1; - opol.policy_refcnt--; - break; - default: - goto done; - break; - } - npol.policy_refcnt++; - } - } else npol.policy_refcnt++; /* set us up to use the new policy */ adb.aux_attributes |= KADM5_POLICY; if (adb.policy) free(adb.policy); adb.policy = strdup(entry->policy); - + } + if (have_pol) { /* set pw_max_life based on new policy */ - if (npol.pw_max_life) { + if (pol.pw_max_life) { ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &(kdb->pw_expiration)); if (ret) goto done; - kdb->pw_expiration += npol.pw_max_life; + kdb->pw_expiration += pol.pw_max_life; } else { kdb->pw_expiration = 0; } } - if ((mask & KADM5_POLICY_CLR) && - (adb.aux_attributes & KADM5_POLICY)) { - ret = kadm5_get_policy(handle->lhandle, adb.policy, &opol); - switch(ret) { - case EINVAL: - case KADM5_BAD_POLICY: - case KADM5_UNK_POLICY: - ret = KADM5_BAD_DB; - goto done; - break; - case KADM5_OK: - have_opol = 1; - if (adb.policy) - free(adb.policy); - adb.policy = NULL; - adb.aux_attributes &= ~KADM5_POLICY; - kdb->pw_expiration = 0; - opol.policy_refcnt--; - break; - default: - goto done; - break; - } + if ((mask & KADM5_POLICY_CLR) && (adb.aux_attributes & KADM5_POLICY)) { + free(adb.policy); + adb.policy = NULL; + adb.aux_attributes &= ~KADM5_POLICY; + kdb->pw_expiration = 0; } - if (((mask & KADM5_POLICY) || (mask & KADM5_POLICY_CLR)) && - (((have_opol) && - (ret = - kadm5_modify_policy_internal(handle->lhandle, &opol, - KADM5_REF_COUNT))) || - ((have_npol) && - (ret = - kadm5_modify_policy_internal(handle->lhandle, &npol, - KADM5_REF_COUNT))))) - goto done; - if ((mask & KADM5_ATTRIBUTES)) kdb->attributes = entry->attributes; if ((mask & KADM5_MAX_LIFE)) @@ -847,12 +748,8 @@ kadm5_modify_principal(void *server_handle, ret = KADM5_OK; done: - if (have_opol) { - ret2 = kadm5_free_policy_ent(handle->lhandle, &opol); - ret = ret ? ret : ret2; - } - if (have_npol) { - ret2 = kadm5_free_policy_ent(handle->lhandle, &npol); + if (have_pol) { + ret2 = kadm5_free_policy_ent(handle->lhandle, &pol); ret = ret ? ret : ret2; } kdb_free_entry(handle, kdb, &adb); @@ -1480,7 +1377,7 @@ kadm5_chpass_principal_3(void *server_handle, osa_princ_ent_rec adb; krb5_db_entry *kdb; int ret, ret2, last_pwd, hist_added; - int have_pol = 0; + krb5_boolean have_pol = FALSE; kadm5_server_handle_t handle = server_handle; osa_pw_hist_ent hist; krb5_keyblock *act_mkey, *hist_keyblocks = NULL; @@ -1510,10 +1407,11 @@ kadm5_chpass_principal_3(void *server_handle, goto done; if ((adb.aux_attributes & KADM5_POLICY)) { - if ((ret = kadm5_get_policy(handle->lhandle, adb.policy, &pol))) + ret = get_policy(handle, adb.policy, &pol, &have_pol); + if (ret) goto done; - have_pol = 1; - + } + if (have_pol) { /* Create a password history entry before we change kdb's key_data. */ ret = kdb_get_hist_key(handle, &hist_keyblocks, &hist_kvno); if (ret) @@ -1693,7 +1591,8 @@ kadm5_randkey_principal_3(void *server_handle, osa_princ_ent_rec adb; krb5_int32 now; kadm5_policy_ent_rec pol; - int ret, last_pwd, have_pol = 0; + int ret, last_pwd; + krb5_boolean have_pol = FALSE; kadm5_server_handle_t handle = server_handle; krb5_keyblock *act_mkey; int new_n_ks_tuple = 0; @@ -1742,11 +1641,11 @@ kadm5_randkey_principal_3(void *server_handle, goto done; if ((adb.aux_attributes & KADM5_POLICY)) { - if ((ret = kadm5_get_policy(handle->lhandle, adb.policy, - &pol)) != KADM5_OK) + ret = get_policy(handle, adb.policy, &pol, &have_pol); + if (ret) goto done; - have_pol = 1; - + } + if (have_pol) { ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &last_pwd); if (ret) goto done; @@ -1830,7 +1729,8 @@ kadm5_setv4key_principal(void *server_handle, krb5_int32 now; kadm5_policy_ent_rec pol; krb5_keysalt keysalt; - int i, k, kvno, ret, have_pol = 0; + int i, k, kvno, ret; + krb5_boolean have_pol = FALSE; #if 0 int last_pwd; #endif @@ -1915,11 +1815,11 @@ kadm5_setv4key_principal(void *server_handle, goto done; if ((adb.aux_attributes & KADM5_POLICY)) { - if ((ret = kadm5_get_policy(handle->lhandle, adb.policy, - &pol)) != KADM5_OK) + ret = get_policy(handle, adb.policy, &pol, &have_pol); + if (ret) goto done; - have_pol = 1; - + } + if (have_pol) { #if 0 /* * The spec says this check is overridden if the caller has @@ -2015,7 +1915,8 @@ kadm5_setkey_principal_3(void *server_handle, kadm5_policy_ent_rec pol; krb5_key_data *old_key_data; int n_old_keys; - int i, j, k, kvno, ret, have_pol = 0; + int i, j, k, kvno, ret; + krb5_boolean have_pol = FALSE; #if 0 int last_pwd; #endif @@ -2178,11 +2079,11 @@ kadm5_setkey_principal_3(void *server_handle, goto done; if ((adb.aux_attributes & KADM5_POLICY)) { - if ((ret = kadm5_get_policy(handle->lhandle, adb.policy, - &pol)) != KADM5_OK) + ret = get_policy(handle, adb.policy, &pol, &have_pol); + if (ret) goto done; - have_pol = 1; - + } + if (have_pol) { #if 0 /* * The spec says this check is overridden if the caller has diff --git a/src/lib/kadm5/unit-test/api.current/crte-principal.exp b/src/lib/kadm5/unit-test/api.current/crte-principal.exp index 774e20414a..52dda78a38 100644 --- a/src/lib/kadm5/unit-test/api.current/crte-principal.exp +++ b/src/lib/kadm5/unit-test/api.current/crte-principal.exp @@ -536,11 +536,11 @@ proc test21 {} { perror "$test: unexpected failure in init" return } - one_line_fail_test [format { + one_line_succeed_test [format { kadm5_create_principal $server_handle \ [princ_w_pol "%s/a" non-existant-pol] \ {KADM5_PRINCIPAL KADM5_POLICY} NotinTheDictionary - } $test] "UNK_POLICY" + } $test] if { ! [cmd {kadm5_destroy $server_handle}]} { perror "$test: unexpected failure in destroy" return diff --git a/src/lib/kadm5/unit-test/api.current/dlte-policy.exp b/src/lib/kadm5/unit-test/api.current/dlte-policy.exp index cecb5c3be6..4ba40fd496 100644 --- a/src/lib/kadm5/unit-test/api.current/dlte-policy.exp +++ b/src/lib/kadm5/unit-test/api.current/dlte-policy.exp @@ -181,8 +181,9 @@ proc test12 {} { perror "$test: unexpected failure in init" return } - one_line_fail_test \ - {kadm5_delete_policy $server_handle test-pol} "POLICY_REF" + one_line_succeed_test [format { + kadm5_delete_policy $server_handle "%s/a" + } $test] if { ! [cmd {kadm5_destroy $server_handle}]} { perror "$test: unexpected failure in destroy" return diff --git a/src/lib/kadm5/unit-test/api.current/dlte-principal.exp b/src/lib/kadm5/unit-test/api.current/dlte-principal.exp index f6d267fae2..6604685346 100644 --- a/src/lib/kadm5/unit-test/api.current/dlte-principal.exp +++ b/src/lib/kadm5/unit-test/api.current/dlte-principal.exp @@ -236,82 +236,6 @@ proc test11 {} { } test11 -test "delete-principal 12" -proc test12 {} { - global test - global prompt - - if {! (( [principal_exists "$test/a"]) || - [create_principal_pol "$test/a" test-pol])} { - error_and_restart "$test: couldn't delete principal \"$test/a\"" - return - } - if {! [cmd { - kadm5_init admin admin $KADM5_ADMIN_SERVICE null \ - $KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \ - server_handle - }]} { - perror "$test: unexpected failure in init" - return - } - if { ! [cmd {kadm5_get_policy $server_handle test-pol p1}]} { - perror "$test: unexpected failure on get policy" - return - } - if { ! [cmd [format { - kadm5_delete_principal $server_handle "%s/a" - } $test]]} { - fail "$test: delete failed" - return - } - if { [cmd [format { - kadm5_get_principal $server_handle "%s/a" p KADM5_PRINCIPAL_NORMAL_MASK - } $test]]} { - fail "$test: principal still exists" - return - } - if { ! [cmd {kadm5_get_policy $server_handle test-pol p2}]} { - perror "$test: unexpected failure on get policy" - return - } - send "lindex \$p1 6\n" - expect { - -re "(\[0-9\]+)\n$prompt$" {set oldref $expect_out(1,string) } - timeout { - error_and_restart "$test: timeout getting principal kvno (second time)" - return - } - eof { - error_and_restart "$test: eof getting principal kvno (second time)" - return - } - } - - send "lindex \$p2 6\n" - expect { - -re "(\[0-9\]+)\n$prompt$" {set newref $expect_out(1,string) } - timeout { - error_and_restart "$test: timeout getting principal kvno (second time)" - return - } - eof { - error_and_restart "$test: eof getting principal kvno (second time)" - return - } - } - if { [expr "$oldref - 1"] != $newref } { - fail "$test: policy reference count is wrong" - return; - } - pass "$test" - if { ! [cmd {kadm5_destroy $server_handle}]} { - perror "$test: unexpected failure in destroy" - return - } -} - -test12 - test "delete-principal 13" proc test13 {} { global test diff --git a/src/lib/kadm5/unit-test/api.current/mod-principal.exp b/src/lib/kadm5/unit-test/api.current/mod-principal.exp index 25fb272b5a..44f8548df1 100644 --- a/src/lib/kadm5/unit-test/api.current/mod-principal.exp +++ b/src/lib/kadm5/unit-test/api.current/mod-principal.exp @@ -380,10 +380,10 @@ proc test17 {} { perror "$test: unexpected failure in init" return } - one_line_fail_test [format { + one_line_succeed_test [format { kadm5_modify_principal $server_handle [princ_w_pol "%s/a" \ no-policy] {KADM5_POLICY} - } $test] "UNK_POLICY" + } $test] if { ! [cmd {kadm5_destroy $server_handle}]} { perror "$test: unexpected failure in destroy" return @@ -391,371 +391,6 @@ proc test17 {} { } test17 -test "modify-principal 18" -proc test18 {} { - global test - global prompt - if {! (( ! [principal_exists "$test/a"]) || - [delete_principal "$test/a"])} { - error_and_restart "$test: couldn't delete principal \"$test/a\"" - return - } - if { !( [create_principal "$test/a"])} { - error_and_restart "$test: could not create principal \"$test/a\"" - return - } - if {! [cmd { - kadm5_init admin admin $KADM5_ADMIN_SERVICE null \ - $KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \ - server_handle - }]} { - perror "$test: unexpected failure in init" - return - } - if { ! [cmd {kadm5_get_policy $server_handle test-pol p1}]} { - perror "$test: unexpected failure on get policy" - return - } - if {! [cmd [format { - kadm5_modify_principal $server_handle [princ_w_pol "%s/a" \ - test-pol] {KADM5_POLICY} - } $test]]} { - fail "$test: modify failed" - return - } - if {! [cmd [format { - kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK - } $test]]} { - error_and_restart "$test: could not retrieve principal" - return - } - send "lindex \$principal 10\n" - expect { - -re "test-pol\n$prompt$" { pass "$test" } - timeout { fail "$test" } - } - send "lindex \$p1 6\n" - expect { - -re "(\[0-9\]+)\n$prompt$" {set oldref $expect_out(1,string) } - timeout { - error_and_restart "$test: timeout getting principal kvno (second time)" - return - } - eof { - error_and_restart "$test: eof getting principal kvno (second time)" - return - } - } - if { ! [cmd {kadm5_get_policy $server_handle test-pol p2}]} { - perror "$test: unexpected failure on get policy" - return - } - - send "lindex \$p2 6\n" - expect { - -re "(\[0-9\]+)\n$prompt$" {set newref $expect_out(1,string) } - timeout { - error_and_restart "$test: timeout getting principal kvno (second time)" - return - } - eof { - error_and_restart "$test: eof getting principal kvno (second time)" - return - } - } - if { [expr "$oldref + 1"] != $newref } { - fail "$test: policy reference count is wrong" - return; - } - if { ! [cmd {kadm5_destroy $server_handle}]} { - perror "$test: unexpected failure in destroy" - return - } -} -test18 - -test "modify-principal 19" -proc test19 {} { - global test - global prompt - if {! (( ! [principal_exists "$test/a"]) || - [delete_principal "$test/a"])} { - error_and_restart "$test: couldn't delete principal \"$test/a\"" - return - } - if { !( [create_principal "$test/a"])} { - error_and_restart "$test: could not create principal \"$test/a\"" - return - } - if {! [cmd { - kadm5_init admin admin $KADM5_ADMIN_SERVICE null \ - $KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \ - server_handle - }]} { - perror "$test: unexpected failure in init" - return - } - if { ! [cmd {kadm5_get_policy $server_handle test-pol p1}]} { - perror "$test: unexpected failure on get policy" - return - } - if {! [cmd [format { - kadm5_modify_principal $server_handle [princ_w_pol "%s/a" \ - test-pol] {KADM5_POLICY} - } $test]]} { - fail "$test: modify failed" - return - } - if {! [cmd [format { - kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK - } $test]]} { - error_and_restart "$test: could not retrieve principal" - return - } - send "lindex \$principal 10\n" - expect { - -re "test-pol\n$prompt$" { pass "$test" } - timeout { fail "$test" } - } - send "lindex \$p1 6\n" - expect { - -re "(\[0-9\]+)\n$prompt$" {set oldref $expect_out(1,string) } - timeout { - error_and_restart "$test: timeout getting principal kvno (second time)" - return - } - eof { - error_and_restart "$test: eof getting principal kvno (second time)" - return - } - } - if { ! [cmd {kadm5_get_policy $server_handle test-pol p2}]} { - perror "$test: unexpected failure on get policy" - return - } - - send "lindex \$p2 6\n" - expect { - -re "(\[0-9\]+)\n$prompt$" {set newref $expect_out(1,string) } - timeout { - error_and_restart "$test: timeout getting principal kvno (second time)" - return - } - eof { - error_and_restart "$test: eof getting principal kvno (second time)" - return - } - } - if { [expr "$oldref + 1"] != $newref } { - fail "$test: policy reference count is wrong" - return; - } - if { ! [cmd {kadm5_destroy $server_handle}]} { - perror "$test: unexpected failure in destroy" - return - } -} -test19 - -test "modify-principal 20" -proc test20 {} { - global test - global prompt - if {! (( ! [principal_exists "$test/a"]) || - [delete_principal "$test/a"])} { - error_and_restart "$test: couldn't delete principal \"$test/a\"" - return - } - if { !( [create_principal_pol "$test/a" "test-pol"])} { - error_and_restart "$test: could not create principal \"$test/a\"" - return - } - if {! [cmd { - kadm5_init admin admin $KADM5_ADMIN_SERVICE null \ - $KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \ - server_handle - }]} { - perror "$test: unexpected failure in init" - return - } - if { ! [cmd {kadm5_get_policy $server_handle test-pol p1}]} { - perror "$test: unexpected failure on get policy" - return - } - if {! [cmd [format { - kadm5_modify_principal $server_handle [simple_principal "%s/a"] \ - {KADM5_POLICY_CLR} - } $test]]} { - perror "$test: modify failed" - return - } - if {! [cmd [format { - kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK - } $test]]} { - error_and_restart "$test: could not retrieve principal" - return - } - send "lindex \$principal 10\n" - expect { - -re "test-pol\n$prompt$" { fail "$test" } - -re "null\n$prompt$" { pass "$test" } - timeout { pass "$test" } - } - send "lindex \$p1 6\n" - expect { - -re "(\[0-9\]+)\n$prompt$" {set oldref $expect_out(1,string) } - timeout { - error_and_restart "$test: timeout getting principal kvno (second time)" - return - } - eof { - error_and_restart "$test: eof getting principal kvno (second time)" - return - } - } - if { ! [cmd {kadm5_get_policy $server_handle test-pol p2}]} { - perror "$test: unexpected failure on get policy" - return - } - - send "lindex \$p2 6\n" - expect { - -re "(\[0-9\]+)\n$prompt$" {set newref $expect_out(1,string) } - timeout { - error_and_restart "$test: timeout getting principal kvno (second time)" - return - } - eof { - error_and_restart "$test: eof getting principal kvno (second time)" - return - } - } - if { [expr "$oldref - 1"] != $newref } { - fail "$test: policy reference count is wrong" - return; - } - if { ! [cmd {kadm5_destroy $server_handle}]} { - perror "$test: unexpected failure in destroy" - return - } -} -test20 - -test "modify-principal 21" -proc test21 {} { - global test - global prompt - if {! (( ! [principal_exists "$test/a"]) || - [delete_principal "$test/a"])} { - error_and_restart "$test: couldn't delete principal \"$test/a\"" - return - } - if { !( [create_principal_pol "$test/a" "test-pol"])} { - error_and_restart "$test: could not create principal \"$test/a\"" - return - } - if {! [cmd { - kadm5_init admin admin $KADM5_ADMIN_SERVICE null \ - $KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 \ - server_handle - }]} { - perror "$test: unexpected failure in init" - return - } - if { ! [cmd {kadm5_get_policy $server_handle test-pol old_p1}]} { - perror "$test: unexpected failure on get policy" - return - } - if { ! [cmd {kadm5_get_policy $server_handle test-pol-nopw old_p2}]} { - perror "$test: unexpected failure on get policy" - return - } - if {! [cmd [format { - kadm5_modify_principal $server_handle [princ_w_pol "%s/a" \ - test-pol-nopw] {KADM5_POLICY} - } $test]]} { - fail "$test: modify failed" - return - } - if {! [cmd [format { - kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK - } $test]]} { - error_and_restart "$test: could not retrieve principal" - return - } - send "lindex \$old_p1 6\n" - expect { - -re "(\[0-9\]+)\n$prompt$" {set old_p1_ref $expect_out(1,string) } - timeout { - error_and_restart "$test: timeout getting principal kvno (second time)" - return - } - eof { - error_and_restart "$test: eof getting principal kvno (second time)" - return - } - } - send "lindex \$old_p2 6\n" - expect { - -re "(\[0-9\]+)\n$prompt$" {set old_p2_ref $expect_out(1,string) } - timeout { - error_and_restart "$test: timeout getting principal kvno (second time)" - return - } - eof { - error_and_restart "$test: eof getting principal kvno (second time)" - return - } - } - - if { ! [cmd {kadm5_get_policy $server_handle test-pol new_p1}]} { - perror "$test: unexpected failure on get policy" - return - } - if { ! [cmd {kadm5_get_policy $server_handle test-pol-nopw new_p2}]} { - perror "$test: unexpected failure on get policy" - return - } - - send "lindex \$new_p1 6\n" - expect { - -re "(\[0-9\]+)\n$prompt$" {set new_p1_ref $expect_out(1,string) } - timeout { - error_and_restart "$test: timeout getting principal kvno (second time)" - return - } - eof { - error_and_restart "$test: eof getting principal kvno (second time)" - return - } - } - send "lindex \$new_p2 6\n" - expect { - -re "(\[0-9\]+)\n$prompt$" {set new_p2_ref $expect_out(1,string) } - timeout { - error_and_restart "$test: timeout getting principal kvno (second time)" - return - } - eof { - error_and_restart "$test: eof getting principal kvno (second time)" - return - } - } - if { [expr "$old_p1_ref - 1"] != $new_p1_ref } { - fail "$test: policy reference count is wrong" - return; - } - if { [expr "$old_p2_ref + 1"] != $new_p2_ref } { - fail "$test: policy reference count is wrong" - return; - } - if { ! [cmd {kadm5_destroy $server_handle}]} { - perror "$test: unexpected failure in destroy" - return - } -} -test21 - test "modify-principal 21.5" proc test21.5 {} { global test diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c index e955f8e404..011b2a04e0 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c @@ -384,13 +384,6 @@ krb5_ldap_delete_password_policy(krb5_context context, char *policy) if (st != 0) goto cleanup; - st = krb5_ldap_get_reference_count(context, policy_dn, - "krbPwdPolicyReference", &refcount, ld); - if (st == 0 && refcount != 0) - st = KRB5_KDB_POLICY_REF; - if (st != 0) - goto cleanup; - /* Ensure that the object is a password policy */ if ((st=checkattributevalue(ld, policy_dn, "objectclass", class, &mask)) != 0) goto cleanup; diff --git a/src/tests/dejagnu/krb-standalone/kadmin.exp b/src/tests/dejagnu/krb-standalone/kadmin.exp index 1822bc38a8..c62e183e75 100644 --- a/src/tests/dejagnu/krb-standalone/kadmin.exp +++ b/src/tests/dejagnu/krb-standalone/kadmin.exp @@ -711,7 +711,6 @@ proc kadmin_addpol { pname } { expect "Minimum number of password character classes:" { verbose "got min pw character classes" } expect "Number of old keys kept:" { verbose "got num old keys kept" } - expect "Reference count:" { verbose "got refcount" } expect "kadmin.local: " { send "q\r" } expect_after @@ -924,7 +923,7 @@ proc kadmin_showpol { pname } { } expect -re "assword\[^\r\n\]*: *" send "adminpass$KEY\r" - expect -re "\r.*Policy: $pname.*Number of old keys kept: .*Reference count: .*\r" + expect -re "\r.*Policy: $pname.*Number of old keys kept: .*\r" expect_after expect eof set k_stat [wait -i $spawn_id] diff --git a/src/tests/kdbtest.c b/src/tests/kdbtest.c index b569b56235..93de07be87 100644 --- a/src/tests/kdbtest.c +++ b/src/tests/kdbtest.c @@ -167,7 +167,7 @@ static osa_policy_ent_rec sample_policy = { 6, /* pw_min_length */ 2, /* pw_min_classes */ 3, /* pw_history_num */ - 1, /* policy_refcnt */ + 0, /* policy_refcnt */ 2, /* pw_max_fail */ 60, /* pw_failcnt_interval */ 120, /* pw_lockout_duration */ @@ -377,7 +377,6 @@ main() CHECK(krb5_dbe_update_tl_data(ctx, ent, &tl_no_policy)); ent->mask = KADM5_POLICY_CLR | KADM5_KEY_DATA; CHECK(krb5_db_put_principal(ctx, ent)); - /* Deleting polname should work now that the reference is gone. */ CHECK(krb5_db_delete_policy(ctx, polname)); /* Put the modified entry again (with KDB_TL_USER_INFO tl-data for LDAP) as |