diff options
Diffstat (limited to 'src/kadmin/cli/kadmin.c')
-rw-r--r-- | src/kadmin/cli/kadmin.c | 49 |
1 files changed, 35 insertions, 14 deletions
diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c index 649bbc17e4..151f3165a9 100644 --- a/src/kadmin/cli/kadmin.c +++ b/src/kadmin/cli/kadmin.c @@ -232,6 +232,17 @@ randkey_princ(krb5_principal princ, krb5_boolean keepold, int n_ks, return kadm5_randkey_principal(handle, princ, NULL, NULL); } +static krb5_boolean +policy_exists(const char *name) +{ + kadm5_policy_ent_rec pol; + + if (kadm5_get_policy(handle, (char *)name, &pol) != 0) + return FALSE; + kadm5_free_policy_ent(handle, &pol); + return TRUE; +} + char * kadmin_startup(int argc, char *argv[]) { @@ -1158,7 +1169,6 @@ void kadmin_addprinc(int argc, char *argv[]) { kadm5_principal_ent_rec princ; - kadm5_policy_ent_rec defpol; long mask; krb5_boolean randkey = FALSE, old_style_randkey = FALSE; int n_ks_tuple; @@ -1184,23 +1194,24 @@ kadmin_addprinc(int argc, char *argv[]) goto cleanup; } - /* - * If -policy was not specified, and -clearpolicy was not - * specified, and the policy "default" exists, assign it. If - * -clearpolicy was specified, then KADM5_POLICY_CLR should be - * unset, since it is never valid for kadm5_create_principal. - */ - if (!(mask & KADM5_POLICY) && !(mask & KADM5_POLICY_CLR)) { - if (!kadm5_get_policy(handle, "default", &defpol)) { + if (mask & KADM5_POLICY) { + /* Warn if the specified policy does not exist. */ + if (!policy_exists(princ.policy)) { + fprintf(stderr, _("WARNING: policy \"%s\" does not exist\n"), + princ.policy); + } + } else if (!(mask & KADM5_POLICY_CLR)) { + /* If the policy "default" exists, assign it. */ + if (policy_exists("default")) { fprintf(stderr, _("NOTICE: no policy specified for %s; " "assigning \"default\"\n"), canon); princ.policy = "default"; mask |= KADM5_POLICY; - kadm5_free_policy_ent(handle, &defpol); } else fprintf(stderr, _("WARNING: no policy specified for %s; " "defaulting to no policy\n"), canon); } + /* Don't send KADM5_POLICY_CLR to the server. */ mask &= ~KADM5_POLICY_CLR; if (randkey) { @@ -1312,6 +1323,13 @@ kadmin_modprinc(int argc, char *argv[]) kadmin_modprinc_usage(); goto cleanup; } + if (mask & KADM5_POLICY) { + /* Warn if the specified policy does not exist. */ + if (!policy_exists(princ.policy)) { + fprintf(stderr, _("WARNING: policy \"%s\" does not exist\n"), + princ.policy); + } + } if (mask) { /* Skip this if all we're doing is setting certhash. */ retval = kadm5_modify_principal(handle, &princ, mask); @@ -1336,6 +1354,7 @@ kadmin_getprinc(int argc, char *argv[]) kadm5_principal_ent_rec dprinc; krb5_principal princ = NULL; krb5_error_code retval; + const char *polname, *noexist; char *canon = NULL, *princstr = NULL, *modprincstr = NULL; int i; size_t j; @@ -1422,7 +1441,10 @@ kadmin_getprinc(int argc, char *argv[]) printf(" %s", prflags[j]); } printf("\n"); - printf(_("Policy: %s\n"), dprinc.policy ? dprinc.policy : _("[none]")); + polname = (dprinc.policy != NULL) ? dprinc.policy : _("[none]"); + noexist = (dprinc.policy != NULL && !policy_exists(dprinc.policy)) ? + _(" [does not exist]") : ""; + printf(_("Policy: %s%s\n"), polname, noexist); } else { printf("\"%s\"\t%d\t%d\t%d\t%d\t\"%s\"\t%d\t%d\t%d\t%d\t\"%s\"" "\t%d\t%d\t%d\t%d\t%d", @@ -1699,7 +1721,6 @@ kadmin_getpol(int argc, char *argv[]) printf(_("Minimum number of password character classes: %ld\n"), policy.pw_min_classes); printf(_("Number of old keys kept: %ld\n"), policy.pw_history_num); - printf(_("Reference count: %ld\n"), policy.policy_refcnt); printf(_("Maximum password failures before lockout: %lu\n"), (unsigned long)policy.pw_max_fail); printf(_("Password failure count reset interval: %s\n"), @@ -1709,11 +1730,11 @@ kadmin_getpol(int argc, char *argv[]) if (policy.allowed_keysalts != NULL) printf(_("Allowed key/salt types: %s\n"), policy.allowed_keysalts); } else { + /* Output 0 where we used to output policy_refcnt. */ printf("\"%s\"\t%ld\t%ld\t%ld\t%ld\t%ld\t%ld\t%lu\t%ld\t%ld\t%s\n", policy.policy, policy.pw_max_life, policy.pw_min_life, policy.pw_min_length, policy.pw_min_classes, - policy.pw_history_num, policy.policy_refcnt, - (unsigned long)policy.pw_max_fail, + policy.pw_history_num, 0, (unsigned long)policy.pw_max_fail, (long)policy.pw_failcnt_interval, (long)policy.pw_lockout_duration, (policy.allowed_keysalts == NULL) ? "-" : |